
CN117061126A - System and method for managing encryption and decryption of cloud disk files - Google Patents


Info

Publication number
CN117061126A
Authority
CN
China
Prior art keywords
file
key
block
encrypted
signature
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202311167868.6A
Other languages
Chinese (zh)
Inventor
赵子兰
张广东
杜庆玉
薛金鹏
黄贤强
张跃
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Jingyi Qiangyuan Technology Co ltd
Original Assignee
Beijing Jingyi Qiangyuan Technology Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing Jingyi Qiangyuan Technology Co ltd
Priority to CN202311167868.6A
Publication of CN117061126A
Legal status: Pending


Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3236: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions
    • H04L9/3239: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions involving non-keyed hash functions, e.g. modification detection codes [MDCs], MD5, SHA or RIPEMD
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/04: Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428: Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L9/08: Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816: Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0819: Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • H04L9/0822: Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) using key encryption key
    • H04L9/0861: Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/0869: Generation of secret information including derivation or calculation of cryptographic keys or passwords involving random numbers or seeds
    • H04L9/3247: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Storage Device Security (AREA)

Abstract

The invention relates to a system and a method for managing encryption and decryption of cloud disk files. The method comprises the following steps: splitting a plaintext file into blocks; encrypting the plaintext blocks; constructing the fragment blocks of the ciphertext file; constructing the file header of the ciphertext file; completing file encryption; splitting the ciphertext file; generating the ciphertext fragment block signatures; checking the fragment block signatures; obtaining the plaintext fragment blocks; and splicing the decrypted fragment blocks. Data is encrypted while it is transmitted over the data network, which ensures data security in transit; the files stored on the cloud disk server are also encrypted, so that even the cloud disk administrator cannot read the data. When a user downloads a file, the file is first read from the storage medium of the cloud disk server, where it is stored encrypted, and is transmitted to the client over the network; the client then decrypts it to obtain the plaintext file. The file remains encrypted throughout network transmission, which ensures data security in transit.

Description

System and method for managing encryption and decryption of cloud disk files
Technical Field
The invention relates to a system and a method for managing encryption and decryption of cloud disk files, and in particular to a system and method for network applications and computing, used for network security.
Background
Security of stored data is a major public concern. File security is particularly important: files may contain confidential, sensitive, or otherwise non-public information, and the loss caused by their theft can be incalculable, so encrypting files before storing them is an important safeguard. Cloud disk management systems are convenient to use and flexible to access, and are widely used across industries. An important usage scenario is that PC, mobile and web clients can access and synchronize files at any time. Organizations that handle classified information are especially concerned about data security, and using a cloud disk without encryption has the following obvious defects: files stored through the cloud disk are kept in plaintext, so any user with access to the storage back end, including the cloud disk administrator, can read the data; discarding a hard disk may leak data, because the data on it is stored unencrypted; an overly simple encryption algorithm may also lead to data leakage; and cloud disk files are at risk of being stolen while they are transmitted over the network. How to implement end-to-end encryption is therefore a problem to be solved.
Disclosure of Invention
To overcome the problems in the prior art, the invention provides a system and a method for managing encryption and decryption of cloud disk files. The system and method encrypt and decrypt files with the AES-256 encryption algorithm in CTR mode. Before a file is uploaded to the cloud disk service, it is first encrypted; the encrypted file is then transmitted to the cloud disk server over the network and finally written to the storage medium. When a user downloads a file, the cloud disk server first reads the file from the storage medium and transmits it to the client over the network, and the client finally decrypts it to obtain the plaintext file. For uploads, the advantages are: the data is encrypted during network transmission, which ensures data security in transit; and the files stored on the cloud disk server are also encrypted, so that even the cloud disk administrator cannot read the data. For downloads, the file read from the storage medium of the cloud disk server is already encrypted and is transmitted to the client in that form; the advantages are: the data is encrypted during network transmission, which ensures data security in transit; the files stored on the cloud disk server are encrypted and the server performs no processing on them; and the encrypted file is decrypted only when it has been transmitted to the user.
The purpose of the invention is achieved as follows: a system for managing encryption and decryption of cloud disk files, comprising a cloud disk server and a client. The cloud disk server is provided with a storage medium and a file read-write facility; the client is provided with a file encryption and decryption facility, which comprises: a private key processing module; an exclusive key processing module; an encrypted file processing module; a decryption private key processing module; a decryption exclusive key processing module; and a decryption file processing module;
the private key processing module is used for:
generating a salt: deriving a private salt by creating a raw SHA256 hash of the user ID;
generating an encryption key: using the hash HMAC function, creating a raw SHA256-PBKDF2 hash from the salt, 500.000 iterations and the user password, with a target size of 32 bytes, to generate the encryption key;
generating an initial vector: randomly generating a 16-byte string as the initial vector using a random function;
encrypting the private key: based on the AES-256-CTR encryption algorithm, encrypting the private key with the initial vector and the encryption key to obtain the encrypted private key;
generating a verification key: deriving a verification key by creating a raw SHA256 hash of the encryption key;
generating a signature: using the hash HMAC function, creating a hexadecimal SHA256-HMAC hash from the encrypted private key and the verification key to generate the signature;
forming a key file containing the encrypted private key, the initial vector and the signature;
the exclusive key processing module is used for:
generating an exclusive key: generating a random 32-byte string as the exclusive key using a random function;
encrypting the exclusive key: encrypting the exclusive key with the public key to obtain an encrypted exclusive key and an encrypted encapsulation key;
the encryption file processing module is used for:
splitting the plaintext file to be encrypted into file fragment blocks: dividing the plaintext file into a plurality of file fragment blocks of equal length and marking the starting position of each;
generating an initial vector: randomly generating a 16-byte string for each file fragment block using a random function, which serves as that block's initial vector with a starting position mark;
encrypting each file fragment block with its initial vector and the exclusive encryption key to obtain an encrypted file block with a starting position mark;
generating a verification key: deriving a verification key by creating a raw SHA256 hash of the exclusive encryption key and the starting position of the file fragment block;
generating a signature: using the hash HMAC function, creating a hexadecimal SHA256-HMAC hash for each file fragment block from the respective encrypted block and the verification key, which generates a signature with a starting position mark for each file fragment block;
generating a file fragment block, wherein the file block comprises:
an encrypted file block with a start position marker;
an initial vector with a start position marker;
a signature with a start position marker;
combining the partitioned blocks into a file to form an encrypted file;
the decryption private key processing module is used for:
reading the encrypted private key: reading the content of the private key file and parsing it to obtain the following:
the encrypted private key;
the initial vector;
the signature of the encrypted private key;
generating a salt: deriving a private salt by creating a raw SHA256 hash of the user ID;
generating a decryption key: using the hash HMAC function, creating a raw SHA256-PBKDF2 hash from the salt, 500.000 iterations and the password, with a target size of 32 bytes, to generate the decryption key;
generating a verification key: deriving a verification key by creating a raw SHA256 hash of the decryption key;
generating a signature: using the hash HMAC function, creating a hexadecimal SHA256-HMAC hash from the encrypted private key and the verification key to generate a signature, and comparing it with the stored signature; if the two are equal, decryption continues; if not, decryption is considered to have failed and the process exits;
obtaining the private key: decrypting the encrypted private key with the AES-CTR decryption algorithm using the initial vector and the decryption key;
the decryption exclusive key processing module is used for: decrypting the encrypted exclusive key using the private key and the encapsulation key to obtain the decrypted exclusive key;
the decryption file processing module is used for:
splitting the encrypted file: dividing the encrypted file into a plurality of file blocks of equal size, for example blocks of 8192 bytes, and parsing the following from each block:
an encrypted file block with a start position marker;
an initial vector with a start position marker;
a signature with a start position marker;
generating a verification key: obtaining a verification key from the exclusive key and the starting position of the file fragment block by a hash function, using the raw SHA512 hash;
generating a signature: using the hash HMAC function, creating a hexadecimal SHA256-HMAC hash that comprises the encrypted private key and the verification key to generate a signature, and comparing it with the signature produced at encryption; if the two are equal, the process moves to the next step; otherwise decryption fails;
decrypting each file fragment block with the AES-256-CTR algorithm using its initial vector and the exclusive key to obtain the decrypted file fragment blocks;
and combining the decrypted file fragment blocks to generate the decrypted plaintext file.
A method for managing encryption and decryption of cloud disk files using the above system comprises the following processes: encryption, decryption and sharing:
encryption process:
step 101, plaintext file segmentation: dividing a plaintext file into a plurality of plaintext fragments with the same length, and recording the starting address of each plaintext fragment to form a plaintext fragment sequence;
step 102, encrypting the plaintext blocks: a key pair is generated using the RSA algorithm; each plaintext block is encrypted using the file exclusive key and the initial vector of the plaintext block, forming a ciphertext block sequence in the same order as the plaintext blocks;
step 103, constructing the fragment blocks of the ciphertext file: each ciphertext block is combined with its initial vector and its ciphertext block signature to form a fragment block sequence;
the generation of the ciphertext fragment block signature comprises the following substeps:
sub-step 1031, generating an authentication key: obtaining a verification key through a plaintext file exclusive key, a file version and position information of plaintext fragments by using a hash function;
sub-step 1032, constructing a ciphertext fragment block signature: creating a 16-ary SHA256-HMAC hash comprising the encrypted chunk and the authentication key using a hash HMAC function to obtain a ciphertext chunk signature;
step 104, constructing a file header of the ciphertext file: the file header adopts a fixed format comprising an encryption algorithm, and the length of the file header is the same as the length of a single ciphertext fragment block;
step 105, file encryption is completed: sequentially splicing the file header and a plurality of ciphertext fragment blocks to form a ciphertext file;
decryption:
step 201, splitting the ciphertext file: the ciphertext file is divided into equal-sized fragment blocks of the designated size, and the content of each fragment block is parsed according to the designated length and the composition of the block; the first fragment block is the file header containing the encryption algorithm, and the remaining fragment blocks are ciphertext fragment blocks, each comprising: the ciphertext block, the initial vector of the block and the ciphertext block signature;
step 202, generating the ciphertext fragment block signature: a ciphertext fragment block signature is generated from the exclusive key of the plaintext file, the file version and the position information of the plaintext fragment block;
step 203, checking the fragment block signature: the ciphertext block signature generated from the exclusive key of the plaintext file, the file version and the position information of the plaintext block is compared with the parsed block signature; if the two are identical, the process moves to the next step; otherwise decryption of the file fails and the decryption process ends;
step 204, obtaining a plaintext fragment block: decrypting each ciphertext fragment block through the file exclusive key and the initial vector of the plaintext fragment block to form a plaintext fragment block sequence;
step 205, splicing and decrypting the sliced blocks: and merging the plaintext fragments in sequence to obtain a decrypted plaintext file, and ending the decryption process.
Sharing:
step 301, selecting a sharee: the sharer acquires the information of the sharee;
step 302, selecting a shared file: the sharer prepares a sharing file for the sharee according to the needs of the sharee and the own requirements;
step 303, generating a shared key: the sharer reads the public key of the sharee, encrypts the public key through an encryption algorithm to obtain an encapsulation key, and combines the version information of the shared file with the encrypted encapsulation key to generate a shared key; the file to be shared and the shared key are then sent together to the sharee;
step 304, parsing the shared key: after receiving the file to be shared, the sharee, when reading the file, parses the shared key to obtain the version of the file and the encrypted encapsulation key;
step 305, reading the shared file: the sharee reads the shared file and informs the sharer;
step 306, decrypting the shared file: the private key of the shared file is decrypted using the encrypted encapsulation key and the private key of the sharer, and steps 202-205 are executed to decrypt the shared file;
step 307, performing an operation on the shared file: and the sharer sends the decrypted file to the sharee, and the sharee downloads and modifies the file.
The advantages and beneficial effects of the invention are as follows: the invention encrypts and decrypts files with the AES-256 encryption algorithm in CTR mode. When a user uploads a file, the file is first encrypted, then transmitted to the cloud disk server over the network and written to the storage medium; the advantages are: the data is encrypted during network transmission, which ensures data security in transit; and the files stored on the cloud disk server are also encrypted, so that even the cloud disk administrator cannot read the data. When a user downloads a file, the file is first read from the storage medium of the cloud disk server, where it is stored encrypted, and is transmitted to the client over the network; the client finally decrypts it to obtain the plaintext file; the advantages are: the data is encrypted during network transmission, which ensures data security in transit; the files stored on the cloud disk server are encrypted and the server performs no processing on them; and the encrypted file is decrypted only when it has been transmitted to the client, which ensures data security.
Drawings
The invention is further described below with reference to the drawings and examples.
FIG. 1 is a schematic block diagram of a system according to a first embodiment of the invention;
FIG. 2 is a schematic diagram of an exemplary architecture of the private key processing module according to an embodiment of the present invention;
FIG. 3 is a schematic diagram of an exemplary architecture of the exclusive key processing module according to an embodiment of the present invention;
FIG. 4 is a schematic diagram illustrating an exemplary architecture of an encryption file processing module according to an embodiment of the present invention;
FIG. 5 is a schematic diagram of an exemplary architecture of the decryption private key processing module according to an embodiment of the invention;
FIG. 6 is a schematic diagram illustrating an exemplary architecture of the decryption-specific key processing module according to an embodiment of the invention;
FIG. 7 is a schematic diagram illustrating an exemplary architecture of a decryption file processing module according to an embodiment of the invention;
FIG. 8 is a flow chart of a method according to a second embodiment of the invention;
FIG. 9 is a schematic diagram of an exemplary architecture of file-slicing encryption according to a second embodiment of the invention.
Detailed Description
Embodiment one:
The present embodiment is a system for managing encryption and decryption of cloud disk files, as shown in FIG. 1. The embodiment comprises a cloud disk server and a client: the cloud disk server is provided with a storage medium and a file read-write facility, and the client is provided with a file encryption and decryption facility, which comprises: a private key processing module, an encrypted file processing module, a decryption private key processing module and a decryption file processing module.
(I) The private key processing module is used for (a typical architecture for encrypting the private key is shown in FIG. 2):
1) Generating a salt: the salt is an important component of the encryption algorithm; the private salt is derived by creating a raw SHA256 hash of the user ID.
2) Generating an encryption key: using the hash HMAC function, a raw SHA256-PBKDF2 hash is created from the salt, 500.000 iterations and the user password, with a target size of 32 bytes, to generate the encryption key; the encryption key may be denoted [encryptionkey].
3) Generating an initial vector: a 16-byte string is randomly generated as the initial vector using a random function; it is denoted [randomiv].
4) Encrypting the private key: based on the AES-256-CTR encryption algorithm, the private key is encrypted with the initial vector [randomiv] and the encryption key [encryptionkey], yielding the Base64-encoded encrypted private key; it may be denoted [encryptedprivatekey].
5) Generating a verification key: a verification key is derived by creating a raw SHA256 hash of the encryption key; it is denoted [authenticationkey].
6) Generating a signature: using the hash HMAC function, a hexadecimal SHA256-HMAC hash is created from the encrypted private key and the verification key to generate the signature; it is denoted [encryptedprivatekeysignature].
7) Forming a key file containing the encrypted private key, the initial vector and the signature.
Finally, the encrypted private key, the initial vector and the signature are stored in the private key file [username_private], whose content is as follows:
a) the encrypted private key [encryptedprivatekey];
b) the initial vector [randomiv];
c) the signature of the encrypted private key [encryptedprivatekeysignature].
(II) The exclusive key processing module is used for (a typical architecture for encrypting the exclusive key is shown in FIG. 3):
1) Generating an exclusive key: a random 32-byte string is generated as the exclusive key using a random function; it is denoted [ownkey].
2) Encrypting the exclusive key: the exclusive key is encrypted with the public key to obtain the encrypted exclusive key, denoted [encrytedownkey], and an encrypted encapsulation key, denoted [encrytedevelopekey].
The private key is an important component in decrypting files, so it needs to be encrypted to ensure security; how the private key is generated and stored is described below.
(III) The encrypted file processing module is used for (a typical architecture for encrypting a file is shown in FIG. 4):
1) Splitting the plaintext file to be encrypted into file fragment blocks: the plaintext file is divided into a plurality of file fragment blocks of equal length and the starting position of each is marked; for example, if the plaintext file is divided into equal blocks of 6072 bytes each, the starting position of each block may be denoted [blockposition].
2) Generating an initial vector: a 16-byte string is randomly generated for each file fragment block using a random function and serves as that block's initial vector with a starting position mark; it may be denoted [randomiv[blockposition]].
3) Based on AES-256-CTR, each file fragment block is encrypted with its initial vector and the exclusive encryption key to obtain a Base64-encoded encrypted file block with a starting position mark; each such block may be denoted [encrytedfile[blockposition]].
4) Generating a verification key: a verification key is derived by creating a raw SHA256 hash of the exclusive encryption key and the starting position of the file fragment block; it may be denoted [authenticationkey].
5) Generating a signature: using the hash HMAC function, a hexadecimal SHA256-HMAC hash is created for each file fragment block from the respective encrypted block and the verification key, which generates a signature with a starting position mark for each file fragment block; it may be denoted [encrytedsignature[blockposition]].
6) Generating the file fragment blocks, where each file block comprises:
a) the encrypted file block with its starting position mark, denoted [encrytedfile[blockposition]];
b) the initial vector with its starting position mark, denoted [randomiv[blockposition]];
c) the signature with its starting position mark, denoted [encrytedsignature[blockposition]].
7) Combining the fragment blocks into one file to form the encrypted file.
the decryption private key processing module described in (four) is used (a typical architecture based on decryption private keys is shown in fig. 5):
the private key is an important component in decryption, which has been subjected to encryption processing in the encryption module, where it needs to be decrypted, described below as the decryption process:
1) Reading the encrypted private key: reading the content from the private key file username_private key, and analyzing the file to obtain the following content:
a) An encrypted private key; encryptedprivatekey.
b) Initializing a vector; randomiv.
c) Encrypting the private signature; the encryptedprivatekeyysignatus.
2) Generating salt: deriving a private salt by creating an original SHA256 hash of the user ID;
3) Generating a decryption key: using the hash hmac function, an original SHA256-PBKDF2 hash is created from the password with the salt, 500.000 iterations and a target size of 32 bytes, generating the decryption key; the decryption key may be denoted as [decryptionkey].
4) Generating an authentication key: the authentication key is derived by creating an original SHA256 hash of the decryption key; the authentication key may be denoted as [authenticationkey].
5) Generating a signature: using the hash-HMAC function, a hexadecimal SHA256-HMAC hash is created from the encrypted private key and the verification key to generate a signature, which is compared with the encrypted signature; if the two are equal, decryption continues; if not, decryption is considered to have failed and the method exits;
6) Generating a private key: the private key is decrypted with the AES-CTR decryption algorithm using the initialization vector and the decryption key; the private key may be denoted as [privatekey].
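The check in steps 2) to 5) above, as an added example that is not code from the patent or its applicant, using only the Python standard library. It reads "original" as the raw binary digest and "500.000" as 500,000 iterations; the dictionary key `signature`, the function names and the sample values are assumptions, and the AES-CTR step 6) is left to the caller.

```python
import hashlib
import hmac
import os

ITERATIONS = 500_000  # assumption: the page's "500.000 iterations" read as 500,000
KEY_LEN = 32          # 32-byte target size, per the page
IV_LEN = 16           # 16-byte initialization vector, per the page


def derive_keys(user_id: str, password: str) -> tuple:
    """Steps 2-4: salt from the user ID, PBKDF2 key, then the authentication key."""
    salt = hashlib.sha256(user_id.encode()).digest()
    key = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), salt, ITERATIONS, dklen=KEY_LEN
    )
    auth_key = hashlib.sha256(key).digest()
    return key, auth_key


def sign(encrypted_private_key: bytes, auth_key: bytes) -> str:
    """Step 5: hexadecimal SHA256-HMAC over the encrypted private key."""
    return hmac.new(auth_key, encrypted_private_key, hashlib.sha256).hexdigest()


def make_key_file(user_id: str, password: str, encrypted_private_key: bytes) -> dict:
    """Build the three-part key file; field names follow the page where legible."""
    _, auth_key = derive_keys(user_id, password)
    return {
        "encryptedprivatekey": encrypted_private_key,
        "randomiv": os.urandom(IV_LEN),
        "signature": sign(encrypted_private_key, auth_key),  # hypothetical field name
    }


def unlock(key_file: dict, user_id: str, password: str) -> bytes:
    """Return the decryption key only if the stored signature verifies.

    Raises ValueError on a wrong password, a wrong user ID or a modified
    encrypted private key, so the AES-CTR step never runs on unverified data.
    """
    key, auth_key = derive_keys(user_id, password)
    expected = sign(key_file["encryptedprivatekey"], auth_key)
    # Constant-time comparison avoids leaking how many characters matched.
    if not hmac.compare_digest(expected.encode(), key_file["signature"].encode()):
        raise ValueError("signature mismatch: wrong password or modified key file")
    return key


if __name__ == "__main__":
    # Constructed sample: an opaque blob stands in for the AES-CTR ciphertext.
    blob = os.urandom(64)
    key_file = make_key_file("alice", "correct horse", blob)
    print("unlocked key length:", len(unlock(key_file, "alice", "correct horse")))
    try:
        unlock(key_file, "alice", "wrong password")
    except ValueError as exc:
        print("rejected:", exc)
```

Because the salt is a hash of the user ID, it is deterministic per user rather than random, so the same user ID and password always yield the same key.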
(5) The decryption exclusive key processing module is used as follows (a typical architecture based on a decryption exclusive key is shown in fig. 6): the encrypted exclusive key is decrypted using the private key and the package key to obtain the decrypted exclusive key, which may be denoted as [ownkey].
(6) The decryption file processing module is used as follows (an exemplary architecture based on a decryption file is shown in fig. 7):
1) Cutting the encrypted file: the encrypted file is divided into a plurality of file blocks of the same size; for example, if the file is divided into file blocks of 8192 bytes, the beginning of each block may be marked as [blockposition], and the following are parsed out:
a) Each file fragment block has an encrypted file block with a start position marker, which can be denoted as [encrytedfile[blockposition]].
b) Each file fragment block has an initial vector with a start position marker, which can be denoted as [random[blockposition]].
c) Each file fragment block has a signature with a start position marker, which can be denoted as [encrytedsignature[blockposition]].
2) Generating an authentication key: a hash function is used to create an original SHA512 hash from the exclusive key and the file fragment start position, yielding the verification key; the authentication key may be denoted as [authenticationkey].
3) Generating a signature: using the hash-HMAC function, a hexadecimal SHA256-HMAC hash is created from the encrypted private key and the authentication key to generate a signature, which is compared with the signature obtained at encryption; if they are equal, the next step is entered; otherwise, decryption fails;
4) Each file fragment block is decrypted with the AES-256-CTR algorithm using its initial vector and the exclusive key, yielding the decrypted file fragment blocks;
5) The decrypted file fragment blocks are combined to generate the decrypted plaintext file.
Embodiment two:
A method of managing cloud disk file encryption and decryption using the system of embodiment one. The steps of the method are as follows, and the flow is shown in fig. 8:
In this embodiment, the encryption method implements end-to-end encryption and decryption: the client transmits the encrypted file to the cloud disk server over the network, and when reading, the client fetches the file from the cloud disk server to the local machine and then decrypts it.
(1) The encryption and decryption algorithm in this embodiment is based on the AES-256 encryption algorithm, and uses the CTR mode to encrypt and decrypt the file.
(2) The private key needs to be encrypted in the encryption process.
(3) When encrypting the file, the file exclusive key is used and is encrypted.
(4) The signature is used in the encryption process, and the validity of the decrypted file can be judged by comparing whether the signatures before and after decryption are the same.
(5) The encryption and decryption operations are both carried out at the user end, so that the data stored by the cloud disk server are encrypted.
(6) The data transmitted by the user side and the cloud disk server network are encrypted.
Encryption process: the file format of the encryption process is shown in fig. 9.
Step 101, plaintext file segmentation: dividing a plaintext file into a plurality of plaintext fragments with the same length, and recording the starting address of each plaintext fragment to form a plaintext fragment sequence;
The plaintext file is the file to be encrypted; specifically, it is the file, not yet encrypted, that a user uploads to the cloud disk server through the client side, the cloud disk web page side or the mobile side of the cloud disk system.
In this step, the plaintext file is divided into plaintext blocks of a predetermined length; all blocks have equal length except the last, which may be shorter than the predetermined length.
For convenience of description, the start address of each plaintext block is referred to as blockposition, where the start position of the first plaintext block is 0 and the following blocks are numbered 1, 2, … in order.
Step 102, encrypting the plaintext block: generating a pair of keys using the RSA algorithm: encrypting each plaintext block by using the file exclusive key and the initial vector of the plaintext block to form a ciphertext block sequence with the same sequence as the plaintext block;
In this step, each plaintext block is encrypted to obtain a ciphertext block. The ciphertext block is an important component of the fragment block and is obtained by encrypting the plaintext block with the file exclusive key and the initial vector of the plaintext block. The encryption algorithm may be based on AES-256 in CTR mode.
In this embodiment, the file exclusive key is a randomly generated character string 32 bytes long; for convenience of description, this step refers to it as ownkey. The file exclusive key is an important component of the decryption method, and for security it is itself encrypted.
The initial vector of a block is an important component for encrypting the block. It is a randomly generated 16-byte character string, denoted random for convenience of description; the initial vector of each file block is denoted random[blockposition], where blockposition is the start position of each plaintext block: 0 for the first plaintext block, then 1, 2, … in order.
Step 103, constructing a sliced block of the ciphertext file: combining each ciphertext block with each initial vector of the block and the ciphertext block signature to form a block sequence;
In this step, each fragment block is composed of a ciphertext block, the block's initial vector, and the ciphertext block signature. The length of each fragment block is the same.
The block signature is an important link in security verification when decrypting blocks, so for security the block signature must be encrypted and the encrypted block signature placed in the fragment block. For convenience of description, the ciphertext block signature is denoted encryptedsignature in this step, and the signature of each block is denoted encryptedsignature[blockposition], where blockposition is the start position of each block: 0 for the first block, then 1, 2, … in order.
The generation of the ciphertext fragment block signature comprises the following substeps:
sub-step 1031, generating an authentication key: obtaining a verification key through a plaintext file exclusive key, a file version and position information of plaintext fragments by using a hash function;
In this step, the verification key (plaintext file-specific key) is an important component for obtaining the signature of the fragment block. It is obtained by applying a hash function to the exclusive key of the plaintext file, the version of the file and the position information of the plaintext fragment. The file-specific key is a randomly generated character string of 32 bytes in length, and for convenience of description, this step will refer to the authentication key as ownkey.
Existing cloud disk encryption technology generally does not provide file history version management. In this embodiment, the file version is an important component of the ciphertext block signature and maintains the version information of the encrypted file. Because version information is added, the encrypted file is versioned, and the cloud disk management system can provide file history version management for encrypted files. In the verification key, the version prevents file blocks from different versions of the same file from being substituted for one another, which solves the problem of providing history version management for encrypted files. This step refers to the version of the file as version.
The position information of the plaintext block consists of the start position of the block and the end position of the plaintext file. In the verification key, the start position prevents different blocks of the same file from being substituted for one another. The end position of the plaintext file is included in the verification key to prevent truncation attacks on the file, thereby ensuring the security of the file.
Sub-step 1032, constructing a ciphertext fragment block signature: creating a hexadecimal SHA256-HMAC hash comprising the encrypted chunk and the authentication key using a hash HMAC function to obtain a ciphertext chunk signature;
For convenience of description, this step refers to the block signature as signature[blockposition].
Step 104, constructing a file header of the ciphertext file: the file header adopts a fixed format comprising an encryption algorithm, and the length of the file header is the same as the length of a single ciphertext fragment block;
The file header adopts the form of a conventional network transmission header. It uses a fixed format whose length is the same as the length of a single ciphertext fragment block, and it is used to identify the encryption mode of the file. The content of the file header is as follows:
[FINEONE-BEGIN=AES-256-CTR=key-format=hash=FINEONE-END]$fill
1) The fields are separated by "=";
2) $fill represents a run of "-" characters used to pad the header content to the length of a single ciphertext fragment block.
Step 105, file encryption is completed: sequentially splicing the file header and a plurality of ciphertext fragment blocks to form a ciphertext file;
the ciphertext file is obtained by sequentially splicing a file header and a plurality of ciphertext fragment blocks, and the encryption process is ended.
Decryption:
Step 201, ciphertext file segmentation: the ciphertext file is divided into equal-sized fragment blocks of the designated size, and the content and composition of each fragment block are parsed. The first fragment block is the file header containing the encryption algorithm; the remaining fragment blocks are ciphertext fragment blocks, each comprising a ciphertext block, the block's initial vector and the ciphertext block signature;
The ciphertext file is an encrypted file that is transmitted to the user side over the network and decrypted there. Before decryption, the file is split into equal-sized blocks of the designated size: the first block is the file header, which contains information such as the encryption algorithm, and the remaining blocks are ciphertext fragment blocks. Each ciphertext fragment block consists of a ciphertext block, the block's initial vector and the ciphertext block signature, as shown in fig. 4.
Step 202, generating a ciphertext fragment block signature: generating a ciphertext fragment block signature through a plaintext file exclusive key, a file version and position information of a plaintext fragment block;
the specific process of generating the ciphertext block signature is the same as the process of generating the ciphertext block signature in the file encryption process.
Step 203, checking the fragment block signature: a ciphertext block signature is generated from the exclusive key of the plaintext file, the file version and the position information of the plaintext block, and compared with the parsed block signature; if the two are identical, the next step is entered; otherwise decryption of the file fails and the decryption process ends;
That is, during decryption, the generated ciphertext fragment block signature must be the same as the ciphertext fragment block signature produced during encryption to pass the check; otherwise the decryption process cannot continue.
Step 204, obtaining a plaintext fragment block: decrypting each ciphertext fragment block through the file exclusive key and the initial vector of the plaintext fragment block to form a plaintext fragment block sequence;
Obtaining the plaintext blocks is the reverse of encrypting the plaintext file: the ciphertext block, the block's initial vector and the ciphertext block signature are taken from each fragment block, and the ciphertext block is decrypted with this information to obtain each plaintext block.
Step 205, splicing the decrypted fragment blocks: the plaintext fragment blocks are merged in sequence to obtain the decrypted plaintext file, and the decryption process ends.
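Sub-steps 1031-1032 and the check in steps 201-203, as an added example that is not code from the patent or its applicant, showing how binding version and position into the verification key rejects swapped, cross-version and truncated blocks. The field order inside a block, the "|"-joined encoding, the choice of SHA-256 for the verification key and all function names are assumptions; random bytes stand in for AES-256-CTR output.

```python
import hashlib
import hmac
import os

BLOCK_LEN = 8192                            # block size the page uses as its example
IV_LEN, SIG_LEN = 16, 64                    # 16-byte IV; hex SHA256-HMAC is 64 chars
PAYLOAD_LEN = BLOCK_LEN - IV_LEN - SIG_LEN  # assumed layout: ciphertext | IV | signature
HEADER = b"[FINEONE-BEGIN=AES-256-CTR=key-format=hash=FINEONE-END]".ljust(
    BLOCK_LEN, b"-"
)


def verification_key(ownkey: bytes, version: int, position: int, end: int) -> bytes:
    """Sub-step 1031: hash the file key with version and position information."""
    info = "|{}|{}|{}".format(version, position, end).encode()  # assumed encoding
    return hashlib.sha256(ownkey + info).digest()


def sign_block(ciphertext, ownkey, version, position, end) -> bytes:
    """Sub-step 1032: hexadecimal SHA256-HMAC over the ciphertext block.

    As on the page, only the ciphertext is signed; the IV is stored beside it.
    """
    key = verification_key(ownkey, version, position, end)
    return hmac.new(key, ciphertext, hashlib.sha256).hexdigest().encode()


def build_file(ciphertexts, ownkey, version) -> bytes:
    """Steps 103-105: header followed by ciphertext | IV | signature blocks."""
    end = sum(len(c) for c in ciphertexts)  # CTR keeps length, so this is the plaintext end
    out = [HEADER]
    for position, ct in enumerate(ciphertexts):
        sig = sign_block(ct, ownkey, version, position, end)
        out.append(ct + os.urandom(IV_LEN) + sig)
    return b"".join(out)


def split_file(data: bytes) -> list:
    """Step 201: check the header block, then cut the rest into fragment blocks."""
    header, body = data[:BLOCK_LEN], data[BLOCK_LEN:]
    fields = header.rstrip(b"-").strip(b"[]").split(b"=")
    if len(header) != BLOCK_LEN:
        raise ValueError("file shorter than one header block")
    if fields[0] != b"FINEONE-BEGIN" or fields[-1] != b"FINEONE-END":
        raise ValueError("bad file header")
    blocks = [body[i:i + BLOCK_LEN] for i in range(0, len(body), BLOCK_LEN)]
    if any(len(b) <= IV_LEN + SIG_LEN for b in blocks):
        raise ValueError("block too short to hold an IV and a signature")
    return blocks


def verify_file(data: bytes, ownkey: bytes, version: int) -> bool:
    """Steps 202-203: recompute every block signature before any decryption."""
    blocks = split_file(data)
    if not blocks:
        return False  # header-only file: otherwise cutting off every block would pass
    end = sum(len(b) - IV_LEN - SIG_LEN for b in blocks)
    for position, block in enumerate(blocks):
        ct, sig = block[:-(IV_LEN + SIG_LEN)], block[-SIG_LEN:]
        expected = sign_block(ct, ownkey, version, position, end)
        if not hmac.compare_digest(expected, sig):
            return False
    return True


if __name__ == "__main__":
    ownkey = os.urandom(32)  # constructed 32-byte file exclusive key
    chunks = [os.urandom(PAYLOAD_LEN), os.urandom(PAYLOAD_LEN), os.urandom(100)]
    data = build_file(chunks, ownkey, version=1)
    b = split_file(data)
    print("intact:   ", verify_file(data, ownkey, 1))
    print("swapped:  ", verify_file(HEADER + b[1] + b[0] + b[2], ownkey, 1))
    print("truncated:", verify_file(HEADER + b[0] + b[1], ownkey, 1))
    print("version 2:", verify_file(data, ownkey, 2))
```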
Sharing:
By sharing the encrypted file to the user in the cloud disk system, the user can operate on the shared encrypted file, such as downloading, modifying, and the like. In order to enable other users to access the encrypted files of the sharer, a sharing key is generated for each user corresponding to each shared file, and the users can operate the files through the sharing keys.
Step 301, selecting a sharee: the sharer acquires the information of the sharee;
the sharer is the current user, and the sharee is other users under the same cloud disk management system as the user (sharer).
Step 302, selecting a shared file: the sharer prepares a sharing file for the sharee according to the needs of the sharee and the own requirements;
the shared files may be one or more files, or folders, and the selected shared files are encrypted and already stored in the storage medium of the cloud disk server.
Step 303, generating a shared key: the sharer reads the public key of the sharee, encrypts the public key through an encryption algorithm to obtain an encapsulation key, and combines the version information of the shared file with the encrypted encapsulation key to generate a shared key; then the file to be shared and the shared secret key are sent to the shared person together;
The generated shared key may be denoted as sharekey.
The public and private keys of all users of the cloud disk system are generated in pairs, which contain the RSA public key.
Step 304, parsing the shared key: after receiving the file to be shared, the sharee, when reading the file, parses the version of the file and the encrypted packaging key out of the shared key;
Step 305, reading the shared file: the sharee reads the shared file and informs the sharer;
Step 306, decrypting the shared file: the private key of the shared file is decrypted with the encrypted packaging key and the private key of the sharer, and steps 202-205 are executed to decrypt the shared file.
Step 307, performing an operation on the shared file: the sharer sends the encrypted file to the sharee, and the sharee can download and modify the file after decrypting the encrypted file through the shared key.
Finally, it should be noted that the foregoing is merely illustrative of the technical solution of the present invention and not limiting, and although the present invention has been described in detail with reference to the preferred arrangement, it will be understood by those skilled in the art that modifications and equivalent substitutions may be made to the technical solution of the present invention (such as the use environment of the network, the construction method of the modules, the sequence of steps, etc.) without departing from the spirit and scope of the technical solution of the present invention.

Claims (2)

1. A system for managing encryption and decryption of cloud disk files, comprising: the cloud disk server is provided with a storage medium and a file read-write facility, and the client is provided with a file encryption and decryption facility, and the cloud disk server is characterized in that the file encryption and decryption facility comprises: a private key processing module; a dedicated key processing module; an encrypted file processing module; a decryption private key processing module; a decryption exclusive key processing module; a decryption file processing module;
the private key processing module is used for:
generating salt: deriving a private salt by creating an original SHA256 hash of the user ID;
generating an encryption key: creating an original SHA256-PBKDF2 hash containing salt, 500.000 iterations, and a user password of target size 32 bytes using a hash hmac function, generating an encryption key;
generating an initial vector: randomly generating a 16-byte character string initial vector by using a random function;
encryption private key: based on an AES-256-CTR encryption algorithm, the private key is encrypted through the initial vector and the encryption key, and an encrypted private key is obtained;
Generating an authentication key: deriving an authentication key by creating an original SHA256 hash of the encryption key;
generating a signature: creating a hexadecimal SHA256-HMAC hash using a hash HMAC function, the hash containing the encrypted private key and the verification key, generating a signature;
forming a key file with an encryption key, an initial vector and an encryption signature;
the exclusive key processing module is used for:
generating a proprietary key: generating a random character string with 32 bytes as a private key by using a random function;
encryption of the private key: using the public key, encrypting the private key to obtain: an encrypted private key and an encrypted package key;
the encryption file processing module is used for:
cutting a plaintext file to be encrypted into file fragments: dividing a plaintext file to be encrypted into a plurality of file fragments with equal length, and marking an initial position;
generating an initial vector: randomly generating a 16-byte character string initial vector for each file fragment block by using a random function, wherein the 16-byte character string initial vector is used as an initial vector with a starting position mark of each file fragment block;
encrypting each file fragment block through the initial vector of each file fragment block and the encrypted exclusive key to obtain an encrypted private key with a starting position mark;
Generating an authentication key: deriving a verification key by creating an original SHA256 hash of the proprietary encryption key and the starting location of the file chunk;
generating a signature: creating a hexadecimal SHA256-HMAC hash for each file chunk by using a hash-HMAC function, the hash containing the respective encrypted chunk and the verification key, generating a signature for each file chunk with a starting location tag;
generating a file fragment block, wherein the file block comprises:
an encrypted file block with a start position marker;
an initial vector with a start position marker;
a signature with a start position marker;
combining the partitioned blocks into a file to form an encrypted file;
the decryption private key processing module is used for:
reading the encrypted private key: reading the content from the private key file, and analyzing the file to obtain the following contents:
an encrypted private key;
initializing a vector;
encrypting the signature;
generating salt: deriving a private salt by creating an original SHA256 hash of the user ID;
generating a decryption key: creating an original SHA256-PBKDF2 hash containing a salt, 500.000 iterations, and a 32 byte-targeted password using a hash hmac function, generating a decryption key;
Generating an authentication key: deriving an authentication key by creating an original SHA256 hash of the decryption key;
generating a signature: creating a hexadecimal SHA256-HMAC hash by using a hash-HMAC function, the hash containing the encrypted private key and the verification key, generating a signature, comparing it with the encrypted signature, and continuing decryption if the two are equal; if not, the decryption is considered to have failed and the method exits;
generating a private key: decrypting the private key using an AES-CTR decryption algorithm by initializing the vector and the decryption key;
the decryption exclusive key processing module is used for: decrypting the encrypted private key by using the private key and the package key to obtain a decrypted private key;
the decryption file processing module is used for:
cutting an encrypted file: dividing the encrypted file into a plurality of file blocks with the same size and length; if the file is divided into a plurality of file blocks with the size of 8192 bytes, the following contents are resolved:
an encrypted file block with a start position marker;
an initial vector with a start position marker;
a signature with a start position marker;
generating an authentication key: using the original SHA512 hash to obtain a verification key by a hash function according to the exclusive key and the file fragment starting position;
Generating a signature: creating a hexadecimal SHA256-HMAC hash by using a hash-HMAC function, wherein the hash comprises an encrypted private key and an authentication key, generating a signature, comparing the signature with the signature obtained at encryption, and entering the next step if the two are equal; otherwise, the decryption fails;
decrypting by using an AES-256-CTR algorithm through the initial vector and the exclusive key of each file fragment block to obtain decrypted file fragment blocks;
and combining the decrypted file fragment blocks to generate a decrypted plaintext file.
2. A method of managing cloud disk file encryption and decryption using the system of claim 1, the method comprising: the encryption process, the decryption process and the sharing process are characterized in that the method comprises the following steps:
encryption process:
step 101, plaintext file segmentation: dividing a plaintext file into a plurality of plaintext fragments with the same length, and recording the starting address of each plaintext fragment to form a plaintext fragment sequence;
step 102, encrypting the plaintext block: generating a pair of keys using the RSA algorithm: encrypting each plaintext block by using the file exclusive key and the initial vector of the plaintext block to form a ciphertext block sequence with the same sequence as the plaintext block;
Step 103, constructing a sliced block of the ciphertext file: combining each ciphertext block with each initial vector of the block and the ciphertext block signature to form a block sequence;
the generation of the ciphertext fragment block signature comprises the following substeps:
sub-step 1031, generating an authentication key: obtaining a verification key through a plaintext file exclusive key, a file version and position information of plaintext fragments by using a hash function;
sub-step 1032, constructing a ciphertext fragment block signature: creating a hexadecimal SHA256-HMAC hash comprising the encrypted chunk and the authentication key using a hash HMAC function to obtain a ciphertext chunk signature;
step 104, constructing a file header of the ciphertext file: the file header adopts a fixed format comprising an encryption algorithm, and the length of the file header is the same as the length of a single ciphertext fragment block;
step 105, file encryption is completed: sequentially splicing the file header and a plurality of ciphertext fragment blocks to form a ciphertext file;
decryption:
step 201, ciphertext file segmentation: dividing the ciphertext file into equal-sized sliced blocks according to the designated size, analyzing the specific content of each sliced block after being divided according to the designated length and the composition condition of each sliced block, wherein the first sliced block is a file head containing an encryption algorithm, the rest sliced blocks are ciphertext sliced blocks, and the ciphertext sliced blocks comprise: ciphertext block, initial vector of block and ciphertext block signature;
Step 202, generating a ciphertext fragment block signature: generating a ciphertext fragment block signature through a plaintext file exclusive key, a file version and position information of a plaintext fragment block;
step 203, checking the tile block signature: generating a ciphertext block signature through the dedicated key of the plaintext file, the file version and the position information of the plaintext block, comparing the ciphertext block signature with the parsed block signature, and entering the next step if the ciphertext block signature and the parsed block signature are identical, otherwise, decrypting the file fails, and ending the decryption process;
step 204, obtaining a plaintext fragment block: decrypting each ciphertext fragment block through the file exclusive key and the initial vector of the plaintext fragment block to form a plaintext fragment block sequence;
step 205, splicing and decrypting the sliced blocks: merging the plaintext fragments in sequence to obtain a decrypted plaintext file, and ending the decryption process;
sharing:
step 301, selecting a sharee: the sharer acquires the information of the sharee;
step 302, selecting a shared file: the sharer prepares a sharing file for the sharee according to the needs of the sharee and the own requirements;
step 303, generating a shared key: the sharer reads the public key of the sharee, encrypts the public key through an encryption algorithm to obtain an encapsulation key, and combines the version information of the shared file with the encrypted encapsulation key to generate a shared key; then the file to be shared and the shared secret key are sent to the shared person together;
Step 304, parse the shared key: after receiving the file to be shared, the sharees analyze the version of the file and the encrypted packaging key through reading the shared key when reading the file;
step 305, reading the shared file: the shared user reads the shared file and informs the sharer;
step 306, decrypt the shared file: decrypting the private key of the shared file through the encrypted packaging key and the private key of the sharer, and executing steps 202-205 to decrypt the shared file;
step 307, performing an operation on the shared file: and the sharer sends the decrypted file to the sharee, and the sharee downloads and modifies the file.
CN202311167868.6A 2023-09-12 2023-09-12 System and method for managing encryption and decryption of cloud disk files Pending CN117061126A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202311167868.6A CN117061126A (en) 2023-09-12 2023-09-12 System and method for managing encryption and decryption of cloud disk files

Publications (1)

Publication Number Publication Date
CN117061126A true CN117061126A (en) 2023-11-14

Family

ID=88657266

Country Status (1)

Country Link
CN (1) CN117061126A (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN118133323A (en) * 2024-05-06 2024-06-04 成都赛力斯科技有限公司 Data processing method, device, equipment and medium
CN118138581A (en) * 2024-04-29 2024-06-04 苏州元脑智能科技有限公司 File transmission method, device, electronic equipment, product and medium
CN119885237A (en) * 2024-12-30 2025-04-25 杭州安司源科技有限公司 Document previewing method and device

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination