CN106936579A - Cloud storage data storage and read method based on trusted third party agency - Google Patents
- Publication number: CN106936579A (application number CN201511025233.8A)
- Authority: CN (China)
- Prior art keywords: data, file, trusted, cloud storage, subscription client
- Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- H04L63/0435—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload, wherein the sending and receiving network entities apply symmetric encryption, i.e. same key used for encryption and decryption
- H04L63/0823—Network architectures or network communication protocols for network security for authentication of entities using certificates
- H04L63/083—Network architectures or network communication protocols for network security for authentication of entities using passwords
- H04L67/1097—Protocols in which an application is distributed across nodes in the network for distributed storage of data in networks, e.g. transport arrangements for network file system [NFS], storage area networks [SAN] or network attached storage [NAS]
- H04L9/321—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving a third party or a trusted authority
Abstract
The present invention relates to the field of communications and discloses a cloud storage data storage and read method based on a trusted third-party agent. The cloud storage data storage method based on a trusted third-party agent includes: the trusted third-party agent receives a file encryption storage request from a user client; in response to the file encryption storage request, it allocates an identification ID for the file and returns it to the user client; it receives the file data and an SM4 key from the user client; it encrypts the received file data using the SM4 key; and after the cloud storage platform has verified the user's identity in response to the user client's data storage request, the trusted third-party agent sends the encrypted file data and the ID to the cloud storage platform for storage. Through the above technical solution, the file data is encrypted by the third-party agent using the SM4 key, which ensures the security of the data stored on the cloud storage platform while improving the speed of data encryption.
Description
Technical field
The present invention relates to the field of communications, and in particular to a cloud storage data storage and read method based on a trusted third-party agent.
Background technology
Cloud storage platforms fall into three classes. The first class is public cloud storage, such as Apple's iCloud, Baidu Cloud Disk and 360 Cloud Disk. This type of cloud storage typically uses distributed storage technology, is built on clusters of inexpensive storage nodes, and provides users with data isolation and simple encrypted-authentication access services. The second class is private cloud storage, mainly cloud storage systems built in-house by enterprises or research institutions; this type focuses on keeping data private and secure and, compared with public cloud storage, is smaller in scale, more expensive and more secure. The third class is hybrid cloud storage, in which data of different security levels is mainly kept in cloud storage on the corporate intranet, while data of lower security level is stored in the public cloud, with corresponding network connections and interfaces established between the intranet cloud storage and the public cloud.
Although cloud storage services are now widely used because they are cheap and convenient, their protection mechanisms are still immature. At the same time, cloud storage platforms are mainly used to store massive amounts of personal or enterprise data, which makes them attractive intrusion targets for attackers. How to ensure the security of user data in cloud storage is therefore a problem that current cloud storage platforms urgently need to solve.
Data security covers three aspects: confidentiality, integrity and availability. A great deal of research has been carried out on these three aspects both in China and abroad, and data encryption is one of the conventional methods. Once the data has been encrypted, as long as the user ensures that their key is not leaked, the data cannot be obtained by others whether it is held in cloud storage or locally.
Current cloud storage data encryption technologies generally fall into the following classes.
1) Access control: access control is one of the important means of achieving confidentiality of user data and protecting privacy. At present, all kinds of cloud storage service providers have simple access control technology, but its security rests mainly on the provider's management and control of its own server cluster; for the user it is a black box whose internal mechanism cannot be examined.
2) Multi-copy technology: the reliability and redundancy of data are improved by keeping multiple copies of it on different servers, in different racks, or even in different machine rooms.
3) Key strategy: because cloud storage services are not transparent enough to users, a user cannot know where their data resides or how it is stored. Encrypting the data with a user key is therefore an important means of removing such concerns: the user manages their own key, ensuring the security of their own data, which others cannot access.
For the data security problem of cloud storage, using an efficient encryption mechanism is an appropriate choice for ensuring data security. Research on attacks against the most widely used algorithms, RSA and AES, is increasing, for example brute-force attacks that enumerate the key, statistical analysis attacks and mathematical analysis attacks. At the same time, with the application of cloud computing and high-performance computers, cracking efficiency has greatly improved, which further reduces the security of such encryption algorithms.
When storing data on a cloud storage platform, a user can first encrypt the data with their own key and then store the encrypted data on the cloud platform. When the user needs to read the data, the encrypted data is read back into the user's own running environment and decrypted with the user's key. This greatly strengthens the security of user data stored on the cloud storage platform, but it has two drawbacks. First, the user must carry out the corresponding encryption and decryption operations themselves every time before the data can be read, which defeats the purpose of using cloud storage, namely viewing one's own data anytime and anywhere. Second, performance requirements cannot be met: if the user's data volume is large, the user's own client cannot meet the performance requirements of encryption and decryption, and efficiency becomes extremely low.
There is currently no good solution in the prior art to the above problems.
The content of the invention
An object of the present invention is to provide a cloud storage data storage and read method based on a trusted third-party agent, which ensures data security while providing users with convenient data storage.
To achieve this object, the present invention provides a cloud storage data storage method based on a trusted third-party agent. The method includes: the trusted third-party agent receives a file encryption storage request from a user client; in response to the file encryption storage request, it allocates an identification ID for the file and returns it to the user client; it receives the file data and an SM4 key from the user client; it encrypts the received file data using the SM4 key; and after the cloud storage platform has verified the user's identity in response to the user client's data storage request, the trusted third-party agent sends the encrypted file data and the ID to the cloud storage platform for storage.
Further, the method also includes: the trusted third-party agent receives an SM2-based digital certificate from the user client; verifies the user's identity according to the digital certificate; and responds to the file encryption storage request after the user's identity has been verified.
Further, the file data is the file data generated after the user client has signed the file using the SM2-based digital certificate.
Further, signing the file includes: when the file is smaller than a predetermined amount of data, signing the file as a whole; and when the file is larger than the predetermined amount of data, signing the part of the file equal to the predetermined amount of data.
Further, after the encrypted file data and the ID have been sent to the cloud storage platform for storage, the method also includes: the trusted third-party agent deletes the file data and the SM4 key received from the user client.
In another aspect, the present invention provides a cloud storage data read method based on a trusted third-party agent. The method includes: after the cloud storage platform has verified the user's identity in response to the user client's data read request, the trusted third-party agent receives a file read request from the user client; in response to the file read request, it receives the encrypted file data and the ID from the cloud storage platform and decrypts the encrypted file data according to the SM4 key received from the user client; and it sends the decrypted file data and the ID to the user client.
Further, the method also includes: the trusted third-party agent receives an SM2-based digital certificate from the user client; verifies the user's identity according to the digital certificate; and responds to the file read request after the user's identity has been verified.
Further, after the user client receives the decrypted file data, it verifies the signature on the decrypted file data using the SM2-based digital certificate, and determines that the data is correct when the signature verification result is consistent.
Further, verifying the signature on the decrypted file data includes: when the decrypted file data is smaller than the predetermined amount of data, verifying the signature over the decrypted file data as a whole; and when the decrypted file data is larger than the predetermined amount of data, verifying the signature over the part of the decrypted file data equal to the predetermined amount of data.
Further, after the decrypted file data and the ID have been sent to the user client, the method also includes: the trusted third-party agent deletes the SM4 key received from the user client and the decrypted file data.
Through the above technical solution, the file data is encrypted by the third-party agent using the SM4 key, which ensures the security of the data stored on the cloud storage platform while improving the speed of data encryption.
Other features and advantages of the present invention are described in detail in the following specific embodiments.
Brief description of the drawings
The accompanying drawings are provided to give a further understanding of the present invention and form part of the specification; together with the following specific embodiments they serve to explain the present invention, but are not to be construed as limiting it. In the drawings:
Fig. 1 is a flow chart of the cloud storage data storage method based on a trusted third-party agent provided by an embodiment of the present invention;
Fig. 2 is a flow chart of the cloud storage data read method based on a trusted third-party agent provided by an embodiment of the present invention;
Fig. 3 is a structural diagram of a system in which the cloud storage data storage and read method based on a trusted third-party agent provided by an embodiment of the present invention can be implemented;
Fig. 4 is a flow chart of the cloud storage data storage method based on a trusted third-party agent provided by an example embodiment of the present invention;
Fig. 5 is a flow chart of the cloud storage data read method based on a trusted third-party agent provided by an example embodiment of the present invention.
Specific embodiment
Specific embodiments of the present invention are described in detail below with reference to the accompanying drawings. It should be understood that the specific embodiments described here are intended only to illustrate and explain the present invention and do not limit it.
Because existing commercial cryptographic algorithms have security defects, and in order to address the security problems that have arisen in current international commercial cryptographic algorithms, the State Cryptography Administration of China has put forward more secure commercial cryptographic algorithms, including the block symmetric-key algorithm SM4 and the asymmetric-key algorithm SM2, where the encryption speed and key strength of the SM2 algorithm are superior to those of the traditional RSA algorithm. The SM2 and SM4 algorithms are used in the embodiments of the present invention described herein.
Fig. 1 is a flow chart of the cloud storage data storage method based on a trusted third-party agent provided by an embodiment of the present invention. As shown in Fig. 1, the method includes the following steps:
Step 101: the trusted third-party agent receives a file encryption storage request from a user client;
Step 102: in response to the file encryption storage request, an identification ID is allocated for the file and returned to the user client;
Step 103: the file data and an SM4 key are received from the user client;
Step 104: the received file data is encrypted using the SM4 key; and
Step 105: after the cloud storage platform has verified the user's identity in response to the user client's data storage request, the trusted third-party agent sends the encrypted file data and the ID to the cloud storage platform for storage.
Through the above technical solution, the file data is encrypted by the third-party agent using the SM4 key, which ensures the security of the data stored on the cloud storage platform while improving the speed of data encryption.
To improve the security of the system, the identity of the user must be verified. In embodiments of the present invention, the user's identity can be verified both at the third-party agent and at the cloud storage platform. In an embodiment, the above method may also include: the trusted third-party agent receives an SM2-based digital certificate from the user client; verifies the user's identity according to the digital certificate; and responds to the file encryption storage request after the user's identity has been verified. In an alternative embodiment, the above method may also include: the cloud storage platform receives an SM2-based digital certificate from the user client; verifies the user's identity according to the digital certificate; and responds to the file encryption storage request after the user's identity has been verified. The file data mentioned above may be file data generated after the user client has signed the file using the SM2-based digital certificate.
In an embodiment, the operation of signing the file can be carried out at the user client. The user client may not be capable of signing very large files, so the amount of data to be signed can be configured. For example, signing the file may include: when the file is smaller than a predetermined amount of data (for example, 2M), signing the file as a whole; and when the file is larger than the predetermined amount of data, signing the part of the file equal to the predetermined amount of data.
In an embodiment, in order to ensure the security of the data and the SM4 key, the third-party agent platform should preferably delete this data and the SM4 key after it has finished processing the file data. Therefore, in an embodiment, after the encrypted file data and the ID have been sent to the cloud storage platform for storage, the method also includes: the trusted third-party agent deletes the file data and the SM4 key received from the user client.
Fig. 2 is a flow chart of the cloud storage data read method based on a trusted third-party agent provided by an embodiment of the present invention. As shown in Fig. 2, corresponding to the cloud storage data storage method based on a trusted third-party agent, the present invention also provides a cloud storage data read method based on a trusted third-party agent, which may include the following steps:
Step 201: after the cloud storage platform has verified the user's identity in response to the user client's data read request, the trusted third-party agent receives a file read request from the user client;
Step 202: in response to the file read request, the encrypted file data and the ID are received from the cloud storage platform and the encrypted file data is decrypted according to the SM4 key received from the user client; and
Step 203: the decrypted file data and the ID are sent to the user client.
Through the above technical solution, the encrypted file data is decrypted by the third-party agent using the SM4 key, which ensures the security of the data stored on the cloud storage platform while improving the speed of data decryption.
In an embodiment, corresponding to the cloud storage data storage method based on a trusted third-party agent, the identity of the user must be verified in order to improve the security of the system. The above method may also include: the trusted third-party agent receives an SM2-based digital certificate from the user client; verifies the user's identity according to the digital certificate; and responds to the file read request after the user's identity has been verified. In an embodiment, the above method may also include: the cloud storage platform receives an SM2-based digital certificate from the user client; verifies the user's identity according to the digital certificate; and responds to the file read request after the user's identity has been verified.
In an embodiment, corresponding to the signing process, in the reading process the user client verifies the signature on the decrypted file data using the SM2-based digital certificate after receiving it, and determines that the data is correct when the signature verification result is consistent. Correspondingly, verifying the signature on the decrypted file data includes: when the decrypted file data is smaller than the predetermined amount of data (for example, 2M), verifying the signature over the decrypted file data as a whole; and when the decrypted file data is larger than the predetermined amount of data, verifying the signature over the part of the decrypted file data equal to the predetermined amount of data.
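As an added illustration (not the patent's code) of the size-threshold rule applied at signing ("for example, 2M") and at verification here: the Python standard library has no SM2, so HMAC-SHA256 over the covered bytes stands in for the SM2 signature (an assumption that changes the primitive, not the coverage), and the demo shrinks the threshold to 16 bytes. The last check shows what the rule leaves uncovered: a change beyond the signed prefix of a large file passes verification.

```python
import hashlib
import hmac

THRESHOLD = 2 * 1024 * 1024   # the "2M" of the text, taken as 2 MiB (assumption)


def covered_region(data: bytes, threshold: int = THRESHOLD) -> bytes:
    """Bytes the signature covers: the whole file below the threshold,
    otherwise only the leading threshold-sized part."""
    return data if len(data) < threshold else data[:threshold]


def sign_file(data: bytes, key: bytes, threshold: int = THRESHOLD) -> bytes:
    # HMAC-SHA256 stands in for the SM2 signature (assumption): same coverage
    # rule as the text, different primitive.
    return hmac.new(key, covered_region(data, threshold), hashlib.sha256).digest()


def verify_file(data: bytes, sig: bytes, key: bytes, threshold: int = THRESHOLD) -> bool:
    return hmac.compare_digest(sign_file(data, key, threshold), sig)


def detects_change(original: bytes, changed: bytes, key: bytes, threshold: int) -> bool:
    """Would the client's verification step reject the changed data?"""
    sig = sign_file(original, key, threshold)
    return not verify_file(changed, sig, key, threshold)


def coverage_demo(threshold: int = 16) -> dict:
    """Small threshold so it runs instantly; the rule itself is unchanged."""
    key = b"constructed-signing-key"            # constructed stand-in key
    small = b"short file"                       # below threshold: fully covered
    big = b"A" * 20                             # above threshold: first 16 bytes covered
    return {
        "small_intact_verifies": verify_file(small, sign_file(small, key, threshold), key, threshold),
        "small_tail_change": detects_change(small, b"short filf", key, threshold),
        "big_head_change": detects_change(big, b"B" + b"A" * 19, key, threshold),
        "big_tail_change": detects_change(big, b"A" * 19 + b"B", key, threshold),
    }
```

Signing a fixed-size digest of the whole file would cover the tail at the same signing cost as the prefix.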
In an embodiment, after the decrypted file data and the ID have been sent to the user client, the method also includes: the trusted third-party agent deletes the SM4 key received from the user client and the decrypted file data.
The present invention is mainly directed at the usability and data security problems of cloud storage, and proposes a cloud storage data protection method based on encryption and decryption by a trusted third-party agent. The method ensures the security of data through the cooperation of three parties, namely the user, the trusted third party and the cloud storage platform, without reducing the convenience of cloud storage for the user.
Fig. 3 is a structural diagram of a system in which the cloud storage data storage and read method based on a trusted third-party agent provided by an embodiment of the present invention can be implemented. As shown in Fig. 3, a system that can implement the method provided by the present invention may include three parts: a user client 301, a trusted third party 302 and a cloud storage platform 303. The user client 301 is used to initiate read and write requests for user data; it also stores the user's digital certificate, based on the SM2 national cryptographic algorithm, and the user's SM4 key. The trusted third party 302 is responsible for encrypting and decrypting the user data with the user's SM4 key; after each encryption or decryption operation is completed, the trusted third party 302 immediately destroys the user key and does not itself store any data or key. The cloud storage platform 303 is responsible for storing the user's encrypted data; it knows only the file names stored by the user and the encrypted data corresponding to each file name, and cannot itself inspect the content of the user data.
When a user prepares to store data on the cloud storage platform 303, the user client 301 first needs to sign the data, so that it can later be verified whether the data has been tampered with when it is read back. Second, the user needs to authenticate to the trusted third party 302 and the cloud storage platform 303 using the SM2 digital certificate that identifies the user, so that the user's identity is guaranteed; at the same time the user uses the certificate to communicate with the trusted third party 302 and send it the SM4 key used for encrypting and decrypting the data, which prevents the key from being intercepted and stolen in transit. The system of the trusted third party 302 must also generate an ID number that uniquely identifies the user data and associate the ID number with the data name; the user client 301 sends the ID number and the data name to the cloud storage platform 303. Meanwhile the trusted third party 302 obtains the user's SM4 key through an encrypted channel, encrypts the user data with that key and sends the encrypted data to the cloud storage platform 303; finally the trusted third party 302 must thoroughly destroy the user's SM4 key and the user data, keeping nothing in storage. The cloud storage platform 303 must likewise first verify the user's SM2 digital certificate to confirm the user's identity. On that premise, the cloud storage platform 303 is responsible for storing the user data name and the corresponding encrypted data.
When a user prepares to read data from the cloud storage platform 303, the user client 301 needs to authenticate to the trusted third party 302 and the cloud storage platform 303 on the basis of the SM2 digital certificate, so that the user's identity is guaranteed. After the user's identity has been confirmed, the user uses the certificate to communicate with the trusted third party 302 and send it the SM4 key used for encrypting and decrypting the data, which prevents the key from being intercepted and stolen in transit. After the user receives the data to be read, the user also needs to verify the signature on the data, to guard against the data having been illegally tampered with at the trusted third party 302 or the cloud storage platform 303. In the system of the trusted third party 302, the SM4 key sent by the user client 301 and the user data and data ID sent by the cloud storage platform are received, a decryption operation is performed using the SM4 key, and the decrypted data and the data ID are then sent together to the user client 301; finally the trusted third party 302 must thoroughly destroy the user's SM4 key and the user data, keeping nothing in storage. The cloud storage platform 303 must likewise first verify the user's SM2 digital certificate to confirm the user's identity; the cloud storage platform 303 then sends the data ID and the corresponding encrypted data to the trusted third party 302, which carries out the subsequent decryption and transmission of the data. Throughout the process, no user data is transmitted directly between the user client 301 and the cloud storage platform 303; the transmission of user data is completed via the trusted third party 302.
The process of storing data on the cloud storage platform using the method provided by the present invention is described below with reference to Fig. 4 and a specific embodiment. The process may include the following steps:
Step 401: the user client prepares the request, which includes checking whether the client has the user's SM2 digital certificate, the SM4 key and the data the user intends to upload;
Step 402: the user client signs the data according to the size of the data file to be uploaded. When the data file is smaller than 2MB, the whole file is signed; otherwise the first 2MB of the data file is extracted and signed;
Step 403: the user client initiates an identity authentication and data encryption storage request to the trusted third party using the user's SM2-based digital certificate;
Step 404: after the trusted third party verifies the user's identity and authority, if the user is authorized it establishes an encrypted channel with the user client, allocates a unique ID number for the data file the user has requested to store, and returns the ID number to the user client. If the user is not authorized, this data storage flow is terminated;
Step 405: the user client initiates an identity authentication and data encryption storage request to the cloud storage platform using the user's SM2-based digital certificate;
Step 406: after the cloud storage platform verifies the user's identity and authority, if the user is authorized it informs the user that the operation is permitted. If the user is not authorized, this data storage flow is terminated;
Step 407: the user client sends the file name to be stored and the ID number to the cloud storage platform;
Step 408: the user client sends the data and the user's SM4 key to the trusted third party;
Step 409: the trusted third party performs the data encryption operation with the user's SM4 key;
Step 410: after completing the data encryption operation, the trusted third party sends the encrypted data and the data ID to the cloud storage platform;
Step 411: after the data transfer is complete, the trusted third party destroys the user's SM4 key and the corresponding user data;
Step 412: the cloud storage platform stores the user data according to the data ID number;
Step 413: the cloud storage platform informs the user that its data has been stored successfully;
Step 414: the user data storage flow is complete.
The process of reading data from the cloud storage platform using the method provided by the present invention is described below with reference to Fig. 5 and a specific embodiment; the process may comprise the following steps:
Step 501: The user client prepares the request, which includes checking that the client holds the user's SM2 digital certificate, the SM4 key, and the name of the data the user intends to retrieve;
Step 502: The user client sends a data read request to the cloud storage platform and presents the user's identity with the SM2-based digital certificate;
Step 503: After the cloud storage platform verifies the user's identity and permissions, if the user is authorized, the platform sends the data name and data ID to the user client according to the user's request. If the user is not authorized, this data read flow is terminated;
Step 504: The user client sends a file read request to the trusted third party and presents the user's identity with the SM2-based digital certificate;
Step 505: After the trusted third party verifies the user's identity and permissions, if the user is authorized, it establishes an encrypted channel with the user client and informs the user that the permission check has passed. If the user is not authorized, this data read flow is terminated;
Step 506: The user client sends the data ID number and the SM4 key to the trusted third party over the encrypted channel;
Step 507: The user client notifies the cloud storage platform to send the user data to the trusted third party;
Step 508: The cloud storage platform transmits the data to the trusted third party according to the data ID number;
Step 509: The trusted third party decrypts the data using the user's SM4 key;
Step 510: After decrypting the data, the trusted third party sends the data and the data ID to the user client;
Step 511: After the data transfer is complete, the trusted third party destroys the user's SM4 key and the corresponding user data;
Step 512: After the user client receives the data to be read, it verifies the signature on the received data. When the data file is smaller than 2 MB, the signature is verified over the whole file; otherwise the first 2 MB of the data file are extracted and the signature is verified over them;
Step 513: If the signature verifies, the data the user has read is correct and has not been tampered with; otherwise the user data has been tampered with, and this event is reported to the cloud storage platform and the trusted third party so that its cause can be found;
Step 514: This data read flow is terminated.
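The two flows above, together with the 2 MB signing rule of steps 402 and 512 (also claims 4 and 9), as an added stand-alone simulation that is not code from the patent. Python's standard library has no SM2 or SM4, so two labelled stand-ins are used: HMAC-SHA256 in place of the SM2 signature and a SHA-256 keystream in place of SM4; the class and function names, the `cert-alice` identity string and the keys are all constructed for the example. What the simulation shows is the protocol shape: the cloud platform only ever holds ciphertext under the ID issued by the trusted third party, and the trusted third party holds the user's SM4 key and data only for the duration of one operation.

```python
# Added example, not code from the patent: simulation of the storage flow
# (steps 401-414) and the read flow (steps 501-514).  HMAC-SHA256 stands in
# for the SM2 signature and a SHA-256 keystream for SM4 (assumptions).
import hashlib
import hmac
import os
import uuid

SIGN_PREFIX = 2 * 1024 * 1024   # 2 MB threshold from steps 402 and 512
SIG_LEN = 32                    # length of the stand-in signature


def signed_span(data: bytes) -> bytes:
    """Bytes the signature covers: the whole file below 2 MB, else the first 2 MB."""
    return data if len(data) < SIGN_PREFIX else data[:SIGN_PREFIX]


def sign(sig_key: bytes, data: bytes) -> bytes:   # stand-in for SM2 signing (step 402)
    return hmac.new(sig_key, signed_span(data), hashlib.sha256).digest()


def verify(sig_key: bytes, data: bytes, sig: bytes) -> bool:   # stand-in for step 512
    return hmac.compare_digest(sign(sig_key, data), sig)


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    out = bytearray()
    for i in range(0, len(data), 32):
        chunk = data[i:i + 32]
        ks = hashlib.sha256(key + nonce + i.to_bytes(8, "big")).digest()[:len(chunk)]
        out += (int.from_bytes(chunk, "big") ^ int.from_bytes(ks, "big")).to_bytes(len(chunk), "big")
    return bytes(out)


def encrypt(key: bytes, data: bytes) -> bytes:
    """Stand-in for SM4 encryption: fresh nonce || keystream XOR of the data."""
    nonce = os.urandom(16)
    return nonce + _keystream_xor(key, nonce, data)


def decrypt(key: bytes, blob: bytes) -> bytes:
    return _keystream_xor(key, blob[:16], blob[16:])


class CloudStorage:   # holds only ciphertext under the TTP-issued ID; never sees the key
    def __init__(self, allowed_certs):
        self.allowed, self.store = set(allowed_certs), {}

    def verify_identity(self, cert: str) -> bool:            # steps 406 and 503
        return cert in self.allowed

    def put(self, file_id: str, name: str, ciphertext: bytes) -> None:   # step 412
        self.store[file_id] = (name, ciphertext)

    def name_of(self, file_id: str) -> str:                  # step 503
        return self.store[file_id][0]

    def send_to_ttp(self, file_id: str) -> bytes:            # step 508
        return self.store[file_id][1]


class TrustedThirdParty:   # key and data are held only for the duration of one operation
    def __init__(self, allowed_certs):
        self.allowed, self.held = set(allowed_certs), {}

    def verify_identity(self, cert: str) -> bool:            # steps 404 and 505
        return cert in self.allowed

    def allocate_id(self) -> str:                            # step 404
        return uuid.uuid4().hex

    def encrypt_and_store(self, cloud, file_id, name, signed_data, sm4_key) -> None:
        self.held[file_id] = (sm4_key, signed_data)          # steps 408-409
        cloud.put(file_id, name, encrypt(sm4_key, signed_data))   # step 410
        del self.held[file_id]                               # step 411: key and data destroyed

    def fetch_and_decrypt(self, cloud, file_id, sm4_key) -> bytes:
        self.held[file_id] = sm4_key                         # step 506
        plaintext = decrypt(sm4_key, cloud.send_to_ttp(file_id))   # steps 508-509
        del self.held[file_id]                               # step 511
        return plaintext


class Client:
    def __init__(self, cert: str, sig_key: bytes, sm4_key: bytes):
        self.cert, self.sig_key, self.sm4_key = cert, sig_key, sm4_key

    def store(self, ttp, cloud, name: str, data: bytes):
        """Steps 401-414: returns the file ID, or None when either party denies access."""
        if not (ttp.verify_identity(self.cert) and cloud.verify_identity(self.cert)):
            return None                                      # steps 404 / 406: flow terminated
        signed = data + sign(self.sig_key, data)             # step 402: signature appended
        file_id = ttp.allocate_id()
        ttp.encrypt_and_store(cloud, file_id, name, signed, self.sm4_key)   # steps 407-411
        return file_id

    def read(self, ttp, cloud, file_id: str):
        """Steps 501-514: returns (name, data, signature_ok), or None when access is denied."""
        if not (cloud.verify_identity(self.cert) and ttp.verify_identity(self.cert)):
            return None                                      # steps 503 / 505: flow terminated
        name = cloud.name_of(file_id)
        plaintext = ttp.fetch_and_decrypt(cloud, file_id, self.sm4_key)   # steps 506-511
        data, sig = plaintext[:-SIG_LEN], plaintext[-SIG_LEN:]
        return name, data, verify(self.sig_key, data, sig)   # steps 512-513
```

After `store` and `read` the trusted third party's `held` dictionary is empty again, and the cloud's `store` contains only the nonce and ciphertext, which is the separation of duties the design relies on. One caveat follows directly from the signing rule: for a file larger than 2 MB the signature covers only its first 2 MB, so a change to any later byte is not caught by the check in step 513. In this design the signature, not the cipher, is what detects tampering, so its coverage matters; signing a digest of the whole file would cover every byte at essentially the same cost.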
From the above embodiments it can be seen that the cloud storage data storage and read method based on a trusted third party agent provided by the present invention has the following advantages:
By introducing a trusted third party to perform the encryption and decryption of user data, the heavy workload that encrypting user data would otherwise impose on the user client is avoided, which to some extent reduces the impact on the convenience of using the cloud storage platform.
The encryption protection of user data is completed by the trusted third party, so the normal operation of the existing cloud storage platform is not affected; at the same time the technique integrates well into cloud storage platforms that are already in operation, with no need to modify the existing platform.
Identity verification and key delivery at the trusted third party and the cloud storage platform use the user's SM2 digital certificate, which significantly strengthens the security of the system.
The user signs and verifies data using a digital certificate based on the SM2 national cryptographic algorithm, which effectively prevents illegal tampering with the data and ensures the security of user data. At the same time, encryption and decryption based on the SM4 data key improves the confidentiality of user data.
The preferred embodiments of the present invention have been described in detail above with reference to the accompanying drawings, but the present invention is not limited to the specific details of the above embodiments; within the scope of the technical concept of the invention, various simple variants of the technical solution of the present invention can be made, and these simple variants all fall within the scope of protection of the present invention.
It should further be noted that the specific technical features described in the above specific embodiments can be combined in any suitable manner provided there is no contradiction between them. To avoid unnecessary repetition, the present invention does not separately describe the various possible combinations.
In addition, the various embodiments of the present invention can also be combined with one another in any way, as long as this does not depart from the idea of the present invention; such combinations should likewise be regarded as content disclosed by the present invention.
Claims (10)
1. A cloud storage data storage method based on a trusted third party agent, characterized in that the method comprises:
the trusted third party agent receiving a file encryption storage request from a user client;
in response to the file encryption storage request, allocating an identification ID to the file and returning it to the user client;
receiving file data and an SM4 key from the user client;
encrypting the received file data using the SM4 key; and
after the cloud storage platform has verified the user's identity in response to a data storage request from the user client, the trusted third party agent sending the encrypted file data and the identification ID to the cloud storage platform for storage.
2. The method according to claim 1, characterized in that the method further comprises:
the trusted third party agent receiving an SM2-based digital certificate from the user client;
verifying the user's identity according to the digital certificate; and
responding to the file encryption storage request after the user identity verification passes.
3. The method according to claim 1, characterized in that the file data is the file data generated after the user client signs the file using the SM2-based digital certificate.
4. The method according to claim 3, characterized in that signing the file comprises:
when the file is smaller than a predetermined amount of data, signing the file as a whole; and
when the file is larger than the predetermined amount of data, signing the part of the file equal to the predetermined amount of data.
5. The method according to claim 1, characterized in that, after the encrypted file data and the identification ID are sent to the cloud storage platform for storage, the method further comprises:
the trusted third party agent deleting the file data and the SM4 key received from the user client.
6. A cloud storage data read method based on a trusted third party agent, characterized in that the method comprises:
after the cloud storage platform has verified the user's identity in response to a data read request from a user client, the trusted third party agent receiving a file read request from the user client;
in response to the file read request, receiving encrypted file data and an identification ID from the cloud storage platform and decrypting the encrypted file data according to an SM4 key received from the user client; and
sending the decrypted file data and the identification ID to the user client.
7. The method according to claim 6, characterized in that the method further comprises:
the trusted third party agent receiving an SM2-based digital certificate from the user client;
verifying the user's identity according to the digital certificate; and
responding to the file read request after the user identity verification passes.
8. The method according to claim 6, characterized in that, after receiving the decrypted file data, the user client verifies the signature on the decrypted file data using the SM2-based digital certificate; and
determines that the data is correct when the signature verification result is consistent.
9. The method according to claim 8, characterized in that verifying the signature on the decrypted file data comprises:
when the decrypted file data is smaller than a predetermined amount of data, verifying the signature over the whole of the decrypted file data; and
when the decrypted file data is larger than the predetermined amount of data, verifying the signature over the part of the decrypted file data equal to the predetermined amount of data.
10. The method according to claim 9, characterized in that, after the decrypted file data and the identification ID are sent to the user client, the method further comprises:
the trusted third party agent deleting the SM4 key received from the user client and the decrypted file data.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201511025233.8A CN106936579A (en) | 2015-12-30 | 2015-12-30 | Cloud storage data storage and read method based on trusted third party agency |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN106936579A true CN106936579A (en) | 2017-07-07 |
Family
ID=59441962
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201511025233.8A Pending CN106936579A (en) | 2015-12-30 | 2015-12-30 | Cloud storage data storage and read method based on trusted third party agency |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN106936579A (en) |
Citations (11)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| WO2010135412A2 (en) * | 2009-05-19 | 2010-11-25 | Security First Corp. | Systems and methods for securing data in the cloud |
| US20110119481A1 (en) * | 2009-11-16 | 2011-05-19 | Microsoft Corporation | Containerless data for trustworthy computing and data services |
| CN102821096A (en) * | 2012-07-17 | 2012-12-12 | 华中科技大学 | Distributed storage system and file sharing method thereof |
| CN103107995A (en) * | 2013-02-06 | 2013-05-15 | 中电长城网际系统应用有限公司 | Cloud computing environmental data secure storage system and method |
| CN103312690A (en) * | 2013-04-19 | 2013-09-18 | 无锡成电科大科技发展有限公司 | System and method for key management of cloud computing platform |
| CN103457733A (en) * | 2013-08-15 | 2013-12-18 | 中电长城网际系统应用有限公司 | Data sharing method and system under cloud computing environment |
| CN103731395A (en) * | 2012-10-10 | 2014-04-16 | 中兴通讯股份有限公司 | Processing method and system for files |
| CN103763319A (en) * | 2014-01-13 | 2014-04-30 | 华中科技大学 | Method for safely sharing mobile cloud storage light-level data |
| CN104717297A (en) * | 2015-03-30 | 2015-06-17 | 上海交通大学 | Safety cloud storage method and system |
| CN104935576A (en) * | 2015-04-28 | 2015-09-23 | 广州大学 | Data security sharing and designated user sharing system |
| CN105025041A (en) * | 2015-08-25 | 2015-11-04 | 北京百度网讯科技有限公司 | File upload method, file upload apparatus and system |
Cited By (11)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN110263556A (en) * | 2019-05-22 | 2019-09-20 | 广东安创信息科技开发有限公司 | A kind of encryption and decryption method and system of OA system data |
| CN110807210A (en) * | 2019-11-04 | 2020-02-18 | 北京联想协同科技有限公司 | Information processing method, platform, system and computer storage medium |
| CN111143870A (en) * | 2019-12-30 | 2020-05-12 | 兴唐通信科技有限公司 | Distributed encryption storage device, system and encryption and decryption method |
| CN111143870B (en) * | 2019-12-30 | 2022-05-13 | 兴唐通信科技有限公司 | Distributed encryption storage device, system and encryption and decryption method |
| CN111314385A (en) * | 2020-03-23 | 2020-06-19 | 郑州悉知信息科技股份有限公司 | Data access method and device |
| CN112069474A (en) * | 2020-09-01 | 2020-12-11 | 中国联合网络通信集团有限公司 | User data using and forgetting method and third-party trusted server |
| CN112069474B (en) * | 2020-09-01 | 2023-05-19 | 中国联合网络通信集团有限公司 | Method for using and forgetting user data and third-party trusted server |
| CN112115495A (en) * | 2020-09-25 | 2020-12-22 | 平安国际智慧城市科技股份有限公司 | Offline cloud data storage method and system, computer equipment and storage medium |
| CN113190878A (en) * | 2021-05-12 | 2021-07-30 | 广东康宝莱智慧水务有限公司 | National secret encryption algorithm and water affair internet of things acquisition system |
| CN113672403A (en) * | 2021-07-30 | 2021-11-19 | 北京数码大方科技股份有限公司 | Interface calling method and interface calling device in information system and management information system |
| CN113672403B (en) * | 2021-07-30 | 2024-03-29 | 北京数码大方科技股份有限公司 | Interface calling method and device in information system and management information system |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US12395472B1 (en) | | Key rotation techniques |
| EP3585032B1 (en) | | Data security service |
| CN114244508B (en) | | Data encryption method, device, equipment and storage medium |
| CN103609059B (en) | | Systems and methods for secure data sharing |
| CN103124269B (en) | | Based on the Bidirectional identity authentication method of dynamic password and biological characteristic under cloud environment |
| Chen et al. | | Security enhancement on an improvement on two remote user authentication schemes using smart cards |
| CA2899027C (en) | | Data security service |
| CN106936579A (en) | | Cloud storage data storage and read method based on trusted third party agency |
| CN110519046B (en) | | Quantum communication service station key negotiation method and system based on one-time asymmetric key pair and QKD |
| CN111130757A (en) | | A multi-cloud CP-ABE access control method based on blockchain |
| KR101753859B1 (en) | | Server and method for managing smart home environment thereby, method for joining smart home environment and method for connecting communication session with smart device |
| CN102025503B (en) | | Data security implementation method in cluster environment and high-security cluster |
| CN105939191A (en) | | Client secure deduplication method of ciphertext data in cloud storage |
| CN103229165A (en) | | Systems and methods for secure remote storage |
| CN103636160A (en) | | Secure file sharing method and system |
| CN101605137A (en) | | Safe distribution file system |
| CN103475474B (en) | | Method for providing and acquiring shared enciphered data and identity authentication equipment |
| CN107359998A (en) | | A kind of foundation of portable intelligent password management system and operating method |
| CN103929434A (en) | | File sharing method based on encryption and permission system |
| CN103780609A (en) | | Cloud data processing method and device and cloud data security gateway |
| Chattaraj et al. | | HEAP: an efficient and fault-tolerant authentication and key exchange protocol for Hadoop-assisted big data platform |
| US20140237239A1 (en) | | Techniques for validating cryptographic applications |
| CN110365472B (en) | | Quantum communication service station digital signature method and system based on asymmetric key pool pair |
| CN109347923B (en) | | Anti-quantum computing cloud storage method and system based on asymmetric key pool |
| CN104184736B (en) | | A kind of method and system realizing secure cloud and calculate |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| | PB01 | Publication | |
| | SE01 | Entry into force of request for substantive examination | |
| | RJ01 | Rejection of invention patent application after publication | Application publication date: 20170707 |