CN119129001A - Data integrity verification method and device, electronic device and storage medium - Google Patents
Data integrity verification method and device, electronic device and storage medium Download PDFInfo
- Publication number
- CN119129001A CN119129001A CN202411363511.XA CN202411363511A CN119129001A CN 119129001 A CN119129001 A CN 119129001A CN 202411363511 A CN202411363511 A CN 202411363511A CN 119129001 A CN119129001 A CN 119129001A
- Authority
- CN
- China
- Prior art keywords
- user
- data
- verification
- user group
- encrypted data
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
Classifications
-
- G—PHYSICS
- G06—COMPUTING OR CALCULATING; COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/64—Protecting data integrity, e.g. using checksums, certificates or signatures
-
- G—PHYSICS
- G06—COMPUTING OR CALCULATING; COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/602—Providing cryptographic facilities or services
Landscapes
- Engineering & Computer Science (AREA)
- Theoretical Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Health & Medical Sciences (AREA)
- Bioethics (AREA)
- General Health & Medical Sciences (AREA)
- Computer Hardware Design (AREA)
- Software Systems (AREA)
- Physics & Mathematics (AREA)
- General Engineering & Computer Science (AREA)
- General Physics & Mathematics (AREA)
- Storage Device Security (AREA)
Abstract
The invention discloses a data integrity checking method and a device, electronic equipment and a storage medium thereof, and relates to the technical field of information security, wherein the method comprises the steps of receiving a data checking request and selecting an index code of a target encrypted data block; the method comprises the steps of randomly generating a first prime number and a second prime number, constructing challenge information based on the first prime number, the second prime number, an index code and system parameters, and sending the challenge information to a cloud storage server, wherein the cloud storage server acquires N encrypted data blocks stored by a user terminal based on the index code, substitutes a first check parameter and a second check parameter returned by the cloud storage server into a check equation, and acquires a data integrity check result based on a calculation result of the check equation. The invention solves the technical problem that in the related technology, the data integrity is verified through the interaction between the user terminal and the third party audit terminal, and the data of the user terminal has potential safety hazard because the third party audit terminal is not completely trusted.
Description
Technical Field
The present invention relates to the field of information security technologies, and in particular, to a data integrity verification method and apparatus, an electronic device, and a storage medium.
Background
In recent years, with the rapid development of information technology and network technology, user data has shown explosive growth, and in civil aviation industry systems, due to the wide popularization of mobile end applications, airlines increasingly rely on digital systems to manage services. Airlines use electronic reservation systems, ticket sales platforms, mobile applications, etc. to process and manage large volumes of flight, passenger, and ticketing data, but industry internal data integrity is challenging due to the exponentially increasing trend in data volume.
Because of the huge data volume which cannot be stored locally, the cloud storage technology is generated, and as a novel storage technology, the cloud storage has the characteristics of large storage capacity, flexible storage mode, convenient access and the like, and is gradually replacing the local storage technology. In a public cloud storage environment of civil aviation, users of cloud storage may be individuals, companies or organizations, generally, large data users such as a company, an organization or an organization may form a user group, members in the company, the organization or the organization are called group users, the group users in the user group commonly manage data files of the company/organization, the data files managed by a user side are stored in a cloud storage server, the data size of the data files of the user group is large, and in some cases, the cloud storage server may clean the data files without knowledge of the user side in order to save memory, so that the data of the user side is incomplete.
In the related art, a Third Party Auditor (TPA) is often introduced to verify the integrity of data, and the integrity of the data file stored in the cloud storage server is verified based on the interaction between the user side and the third party auditor as well as the cloud storage server, but the third party auditor is not completely trusted to the user, and may send the same request to the cloud storage server for spoofing the user at an irregular period, and acquire personal data of the user, so that potential safety hazards exist in the data of the user side.
In view of the above problems, no effective solution has been proposed at present.
Disclosure of Invention
The embodiment of the invention provides a data integrity verification method and device, electronic equipment and storage medium, which at least solve the technical problem that in the related art, the data integrity of a user side is verified through interaction between the user side and a third party audit side, and the data of the user side has potential safety hazards because the third party audit side is not completely credible.
According to one aspect of the embodiment of the invention, the data integrity verification method is applied to a third party audit terminal and comprises the steps of receiving a data verification request sent by a user group management terminal and selecting index codes of target encrypted data blocks based on the data verification request, wherein the user group management terminal is a trusted entity configured for users in a user group, the data verification request comprises index codes of N encrypted data blocks of the user terminal, N is a positive integer, two prime numbers are randomly generated to obtain a first prime number and a second prime number, challenge information is built based on the first prime number, the second prime number, the index codes and system parameters which are generated in advance, the challenge information is sent to a cloud storage server, the cloud storage server obtains N encrypted data blocks stored by the user terminal based on the index codes, calculates first verification parameters and second verification parameters based on the N encrypted data blocks, the first prime number and the second prime number, the encrypted data blocks are based on a private key of the user and the second prime number, and returns a second verification equation to the cloud storage server to obtain a second verification result based on the second verification parameters, and the second verification parameters are sent to the cloud storage server to obtain the second verification parameters.
Optionally, the expression of the check equation is: wherein e is a bilinear function, A hash value representing the encrypted data block of the user side, l representing the first data block of the user side,And representing the encrypted data block of the user side, wherein ω represents the second checking parameter, pi represents the first checking parameter, u represents the first prime number, and v represents the second prime number.
Optionally, the step of obtaining the data integrity check result based on the calculation result of the check equation comprises the steps of determining that the data of the user terminal is incomplete to obtain a data incomplete check result and sending the data incomplete check result to the user group management terminal when the calculation result of the check equation indicates that the check equation is satisfied, or determining that the data of the user terminal is complete to obtain a data complete check result and returning the data complete check result to the user terminal when the calculation result of the check equation indicates that the check equation is satisfied.
Optionally, before receiving a data verification request sent by a user group management end, the method further comprises the steps that the user group management end receives the data integrity verification request sent by the user end, obtains a user identification of the user end based on the data integrity verification request, verifies the user end based on the user identification to obtain a verification result, obtains index codes of S encrypted data blocks of the user end based on the user identification under the condition that the verification result indicates that the user end passes the verification, wherein S is a positive integer and is greater than or equal to N, generates the data verification request based on the index codes, and sends the data verification request to a third party audit end.
Optionally, before receiving the data verification request sent by the user group management end, the method further comprises the steps that the user end sends a key generation request to the key management end and receives a user key returned by the key management end, wherein the user key comprises a user public key and a user private key, the user end sends the user public key to the user group management end, the user group management end builds a user group key based on the user public keys of M user ends in the user group, the user group key comprises a user group public key and the user group private key, M is a positive integer, and the user group management end returns the user group private key to the M user ends in the user group.
Optionally, before receiving the data verification request sent by the user group management end, the method further comprises the steps that the user end encrypts S data blocks based on the user private key to obtain initial encrypted data blocks, the user end encrypts the initial encrypted data blocks based on the user group private key to obtain encrypted data blocks, calculates data labels based on the encrypted data blocks and user identifiers of the user end, and sends the encrypted data blocks, the data labels and the user public key to the user group management end.
Optionally, after the user terminal sends the encrypted data, the data tag and the user public key to the user group management terminal, the method further comprises the steps that the user group management terminal performs identity verification on the user terminal based on a user identifier of the user terminal, in the case that the user terminal passes the identity verification, the user group management terminal defines a position to be stored in a cloud storage server for an encrypted data block of the user terminal and obtains an index code according to the position to be stored of the encrypted data block of the user terminal, the user group management terminal stores the index code and the data tag of the encrypted data block of the user terminal in a double-line chain table, and sends the encrypted data block and the data tag of the user terminal to the cloud storage server and sends a data clearing notification to the user terminal after receiving response information returned by the cloud storage server and successfully stored.
According to another aspect of the embodiment of the invention, the data integrity verification device is applied to a third party audit terminal and comprises a receiving unit, a construction unit and a verification unit, wherein the receiving unit is used for receiving a data verification request sent by a user group management terminal and selecting index codes of target encrypted data blocks based on the data verification request, the user group management terminal is a trusted entity configured for users in a user group, the data verification request comprises index codes of N encrypted data blocks of the user terminal, N is a positive integer, the generation unit is used for randomly generating two prime numbers to obtain a first prime number and a second prime number, the construction unit is used for constructing challenge information based on the first prime number, the second prime number and system parameters which are generated in advance, and sending the challenge information to a cloud storage server, the cloud storage server obtains N encrypted data blocks stored by the user terminal based on the index codes, calculates a first verification parameter and a second prime number based on the N encrypted data blocks, and the first verification parameter, and the second verification parameter, the construction unit is used for calculating the first verification parameter and the second verification parameter and sending the second verification parameter to the cloud storage server based on the first verification parameter and the second verification parameter, and the second verification parameter is used for sending the challenge information to the cloud storage server.
Optionally, the expression of the check equation is: wherein e is a bilinear function, A hash value representing the encrypted data block of the user side, l representing the first data block of the user side,And representing the encrypted data block of the user side, wherein ω represents the second checking parameter, pi represents the first checking parameter, u represents the first prime number, and v represents the second prime number.
Optionally, the verification unit comprises a first determination module, a second determination module and a second determination module, wherein the first determination module is used for determining that the data of the user terminal is incomplete to obtain a data incomplete verification result and sending the data incomplete verification result to the user group management terminal when the calculation result of the verification equation indicates that the verification equation is satisfied, and the second determination module is used for determining that the data of the user terminal is complete to obtain a data complete verification result and returning the data complete verification result to the user terminal when the calculation result of the verification equation indicates that the verification equation is satisfied.
Optionally, the data integrity verification device further comprises a first receiving module, a first verification module and a first obtaining module, wherein the first receiving module is used for receiving a data integrity verification request sent by the user side by the user group management side, obtaining a user identification of the user side based on the data integrity verification request, the first verification module is used for verifying the user side based on the user identification to obtain a verification result, the first obtaining module is used for obtaining index codes of S encrypted data blocks of the user side based on the user identification under the condition that the verification result indicates that the user side passes the verification, S is a positive integer, S is greater than or equal to N, and the first generating module is used for generating the data verification request based on the index codes and sending the data verification request to a third party audit side.
Optionally, the data integrity verification device further comprises a second receiving module, a first sending module and a first constructing module, wherein the second receiving module is used for sending a key generation request to a key management end by the user end and receiving a user key returned by the key management end, the user key comprises a user public key and a user private key, the first sending module is used for sending the user public key to the user group management end by the user end, the first constructing module is used for constructing a user group key by the user group management end based on M user public keys of the user ends in the user group, the user group key comprises a user group public key and the user group private key, M is a positive integer, and the first returning module is used for returning the user group private key to the M user ends in the user group by the user group management end.
Optionally, the data integrity verification device further comprises a first encryption module, a second encryption module and a second transmission module, wherein the first encryption module is used for encrypting S data blocks based on the user private key by the user side to obtain initial encrypted data blocks, the second encryption module is used for conducting secondary encryption on the initial encrypted data blocks based on the user group private key by the user side to obtain encrypted data blocks and calculating a data tag based on the encrypted data blocks and the user identification of the user side, and the second transmission module is used for transmitting the encrypted data blocks, the data tag and the user public key to the user group management side by the user side.
Optionally, the data integrity verification device further comprises a second verification module, a first determination module and a first storage module, wherein the second verification module is used for verifying the identity of the user terminal based on the user identifier of the user terminal, the first determination module is used for defining a to-be-stored position of an encrypted data block of the user terminal in a cloud storage server for the user terminal under the condition that the user terminal passes the identity verification, and acquiring an index code according to the to-be-stored position of the encrypted data block of the user terminal, the first storage module is used for storing the index and the data tag of the encrypted data block of the user terminal into a double-line linked list by the user terminal, and the third transmission module is used for transmitting the encrypted data block and the data tag of the user terminal to the cloud storage server and transmitting a data clearing notification to the user terminal after receiving response information returned by the cloud storage server and successfully stored by the user terminal.
According to another aspect of the embodiment of the present invention, there is further provided a computer readable storage medium, where the computer readable storage medium includes a stored computer program, and when the computer program runs, the device where the computer readable storage medium is controlled to execute any one of the above-mentioned data integrity verification methods.
According to another aspect of the embodiments of the present invention, there is further provided an electronic device, including one or more processors and a memory, where the memory is configured to store one or more programs, and when the one or more programs are executed by the one or more processors, the one or more processors are caused to implement any one of the data integrity checking methods described above.
The method comprises the steps of firstly receiving a data verification request sent by a user group management end, selecting an index code of a target encrypted data block based on the data verification request, wherein the user group management end is a trusted entity configured for users in a user group, the data verification request comprises index codes of N encrypted data blocks of the user end, two prime numbers are randomly generated to obtain a first prime number and a second prime number, challenge information is built based on the first prime number, the second prime number, the index code and a system parameter which is generated in advance, the challenge information is sent to a cloud storage server, the cloud storage server obtains N encrypted data blocks stored by the user end based on the index code, calculates a first verification parameter and a second verification parameter based on the N encrypted data blocks, the first prime number and the second prime number, the encrypted data in the encrypted data blocks are data which are encrypted for the second time based on a user private key and a user group private key, finally, the first verification parameter and the second verification parameter returned by the cloud storage server are received, the first verification parameter and the second verification parameter are calculated to be substituted into a verification equation, and the integrity verification result is obtained based on the calculation equation.
In the application, the user group management end is introduced, and the user group management end interacts with the third party audit end, so that the user information is prevented from being directly exposed to the third party audit end, the protection of the user privacy is enhanced, meanwhile, the data stored in the cloud storage server by the user end is subjected to double encryption of the user private key and the user group private key, the safety and the user privacy of the data of the user end are ensured, in the process of checking the data integrity, the challenge information is constructed based on the first prime number, the second prime number, the index code and the system parameter, the parameter for checking the data integrity can be randomly and effectively generated, and the accuracy of the data integrity checking result is ensured. And further, the technical problem that in the related technology, the data integrity is verified through the interaction between the user terminal and the third party audit terminal, and the data of the user terminal has potential safety hazards because the third party audit terminal is not completely trusted is solved.
Drawings
The accompanying drawings, which are included to provide a further understanding of the application and are incorporated in and constitute a part of this specification, illustrate embodiments of the application and together with the description serve to explain the application and do not constitute a limitation on the application. In the drawings:
FIG. 1 is a flow chart of an alternative data integrity verification method in accordance with an embodiment of the present invention;
FIG. 2 is an architecture diagram of an alternative data integrity verification system in accordance with an embodiment of the invention;
FIG. 3 is a schematic diagram of an alternative user group management side data store in accordance with an embodiment of the present invention;
FIG. 4 is a schematic diagram of an alternative data integrity verification device in accordance with an embodiment of the invention;
fig. 5 is a block diagram of a hardware structure of an electronic device (or mobile device) for a data integrity checking method according to an embodiment of the present invention.
Detailed Description
In order that those skilled in the art will better understand the present invention, a technical solution in the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings in which it is apparent that the described embodiments are only some embodiments of the present invention, not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the present invention without making any inventive effort, shall fall within the scope of the present invention.
It should be noted that the terms "first," "second," and the like in the description and the claims of the present invention and the above figures are used for distinguishing between similar objects and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used may be interchanged where appropriate such that the embodiments of the invention described herein may be implemented in sequences other than those illustrated or otherwise described herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
It should be noted that, the data integrity checking method and the device thereof in the present application can be used in the information security technical field under the condition of checking the data integrity, and also can be used in any field except the information security technical field under the condition of checking the data integrity, and the application field of the data integrity checking method and the device thereof in the present application is not limited.
It should be noted that, related information (including but not limited to user equipment information, user personal information, etc.) and data (including but not limited to data for analysis, stored data, displayed data, etc.) related to the present application are information and data authorized by a user or sufficiently authorized by each party, and the related data are collected, stored, used, processed, transmitted, provided, disclosed, applied, etc. processed, all in compliance with related laws and regulations and standards of related areas, necessary security measures are taken, no prejudice to public order and custom are provided with corresponding operation entries for the user to select authorization or rejection. For example, an interface is provided between the system and the relevant user or institution, before acquiring the relevant information, the system needs to send an acquisition request to the user or institution through the interface, and acquire the relevant information after receiving the consent information fed back by the user or institution.
In the application, when customer information is collected and analyzed, a corresponding operation entrance is provided for a user to select to agree or reject an automatic decision result, and if the user selects to reject, an expert decision flow is entered.
The following embodiments of the present invention are applicable to a variety of data integrity verification systems/applications/devices. The invention provides a method for verifying data integrity based on a mobile terminal user group. First, due to the unreliability of the third party audit end to the mobile end user, the third party audit end may have a data information record that uploads user information with it, exposing user privacy. The invention generates the group key pair for the whole user group in a multi-linear mapping mode, encrypts the user data through the group key pair, and interacts with the third party audit terminal through the trusted management terminal to shield the users in the user group, so that the third party audit terminal audits the integrity of the data on the cloud storage server on the basis of not knowing the user information in the user group.
Secondly, user data in the user group is managed by a user group management end through the data encrypted by using the user private key and the group key, the user group management end carries out one-to-one correspondence on the user and the user data, the user data and the user data are stored in a double-line linked list, and the availability of the file is ensured through executing a series of modification operations of the user.
And finally, the users in the user group are managed by the trusted management end, the trusted management end has the right to prohibit all operations of the group users, the group users can execute all operations by agreeing with each other through the trusted management end, if the group users want to execute any operation, the operations can be executed after the trusted management end confirms the identity of the users, the stolen users are prevented from executing all operations damaging the uploaded file, and the data security is ensured.
The present invention will be described in detail with reference to the following examples.
Example 1
In accordance with an embodiment of the present invention, there is provided an embodiment of a data integrity checking method, it being noted that the steps shown in the flowchart of the figures may be performed in a computer system, such as a set of computer executable instructions, and, although a logical order is shown in the flowchart, in some cases, the steps shown or described may be performed in an order other than that shown or described herein.
FIG. 1 is a flow chart of an alternative data integrity verification method according to an embodiment of the invention, as shown in FIG. 1, comprising the steps of:
Step S101, a data verification request sent by a user group management end is received, and an index code of a target encrypted data block is selected based on the data verification request.
In the embodiment of the invention, the cloud storage of the user group data and the integrity check of the user end data on the cloud server are realized through the interaction among the mobile end user group, the user group management end, the cloud storage server and the third party audit end, the mobile end user group can be a user group formed by members in entities such as a company/enterprise/organization, the members in the user group commonly manage the data files of the entity where the user group is located, the user group management end is a trusted entity configured for the users in the user group and is used for managing the user group, and when the user end in the user group wants to verify the data integrity stored on the cloud storage server, the user end can not directly communicate with the third party audit end, but sends a data check request to the user group management end. After confirming the validity and origin of the request, the subscriber group management terminal will forward the request to the TPA. The request generally includes the identification information of the user group and the index code of the corresponding stored data of the user terminal, but does not include specific user information, so as to protect the privacy of the user.
It should be noted that, the third party audit terminal receives the data verification request sent by the user group management terminal, the data verification request includes index codes of N encrypted data blocks stored in the cloud storage server by the user terminal, N is a positive integer, and can be used for locating the storage position of the user terminal data in the cloud storage server, the third party audit terminal selects the data block stored in the user terminal to verify based on the information carried by the data verification request, locates the storage position of the encrypted data block in the cloud storage server by the index codes of the encrypted data block, the selection process is random, so as to ensure fairness and effectiveness of audit, and the selection of the index codes should cover different parts of the whole data set, so as to improve the comprehensiveness of verification.
Optionally, before receiving the data verification request sent by the user group management end, the method further comprises the steps that the user group management end receives the data integrity verification request sent by the user end and obtains a user identification of the user end based on the data integrity verification request, the user end is verified based on the user identification to obtain a verification result, under the condition that the verification result indicates that the user end passes the verification, index codes of S encrypted data blocks of the user end are obtained based on the user identification, wherein S is a positive integer and S is greater than or equal to N, the data verification request is generated based on the index codes, and the data verification request is sent to a third party audit end.
It should be noted that, in the embodiment of the present invention, the user end in the user group is managed by the user group management end, any request initiated by the user end needs to be verified by the user group management end and can be executed after the verification is passed, so that the potential safety hazard of data caused by the fact that the user identity is stolen is avoided, when the data integrity is in the way, the user end wants to perform integrity verification on the data file managed by itself, and sending an integrity check request to the user group management terminal, wherein the user group management terminal obtains a user identifier of the user terminal based on the integrity check request, the user identifier is unique information for identifying the user terminal and can be a user ID, a user name or other types of unique codes, the user terminal is checked according to the user identifier, and the checking process is used for ensuring that a request initiator is really a legal member of the user group and has the right to initiate data integrity check. The verification result indicates whether the user side passes the verification, the authority, the validity of identity information and the like of the user are checked in the normal verification process, under the condition that the user side passes the verification, information corresponding to the user identification in the doubly linked list is extracted to obtain an index code of the user side stored data, a data verification request is generated based on the index code and sent to a third party audit terminal, and the index codes of the S encrypted data blocks refer to all the encrypted data blocks stored on the cloud storage server by the user side.
Optionally, before receiving the data verification request sent by the user group management end, the method further comprises the steps that the user end sends a key generation request to the key management end and receives a user key returned by the key management end, wherein the user key comprises a user public key and a user private key, the user end sends the user public key to the user group management end, the user group management end builds a user group key based on the user public keys of M user ends in the user group, the user group key comprises a user group public key and a user group private key, M is a positive integer, and the user group management end returns the user group private key to the M user ends in the user group.
It should be noted that, in order to ensure the data security of the user side, the data of the user side needs to be encrypted and then uploaded to the cloud storage server for storage, the user side (i.e. the mobile device or the desktop system, etc.) of the user group needs to send a key generation request to a trusted key management end (PKG), the key management end is an independent and trusted mechanism responsible for key generation and distribution in the whole system, and after receiving the key generation request, the key management end generates a pair of keys for encrypting and decrypting the data of the user side, i.e. a user public key and a user private key, and returns the pair of keys to the requesting user side. The private key of the user is usually transmitted in a secure manner, ensuring that only the user side can receive and use it, while the public key of the user can be disclosed for data encryption.
In the embodiment of the invention, the user key pair is introduced in addition to encrypting the user side data, the data of all user sides in the user group are secondarily encrypted through the group key pair, and the user side sends the user public key to the user group management side after receiving the key, namely the user group management side in the user group. The method comprises the steps of preparing for the subsequent construction of a user group key, ensuring that the data of each user can be subjected to unified secondary encryption through the group key, thereby increasing the security of the data, combining the public keys by utilizing a multi-linear mapping technology after the public keys of all users in the group are received by a user group management terminal, calculating to generate a user group public key and a user group private key, and constructing the user group key. The generation process of the user group key is a key of system safety, and ensures that the specific content of the user side data cannot be deduced through the processed data in an inverse way even if a third party audit side or a cloud storage server is not trusted.
Optionally, before receiving the data verification request sent by the user group management end, the method further comprises the steps that the user end encrypts S data blocks based on a user private key to obtain initial encrypted data blocks, the user end encrypts the initial encrypted data blocks based on the user group private key to obtain encrypted data blocks, calculates a data tag based on the encrypted data blocks and a user identifier of the user end, and sends the encrypted data blocks, the data tag and the user public key to the user group management end.
It should be noted that, the user side in the same user group manages all the data and files of the user group, for the massive data of the user group, the massive data is divided into a plurality of sub-data, the sub-data are divided into the user side in each user group, the sub-data are managed by the user side, the sub-data block managed by the user side can be divided into a plurality of data blocks, for each data block of the user side, the data block is encrypted once by the user private key to obtain initial encrypted data, and the initial encrypted data block is encrypted twice by the user group private key to obtain encrypted data blocks, meanwhile, a data tag is calculated for each encrypted data block, the data tag is convenient for the user group management side to manage the user side data, and the end user side packages the encrypted data block, the data tag and the user public key and sends the encrypted data block, the data tag and the user public key to the user group management side.
Optionally, after the user terminal sends the encrypted data, the data tag and the user public key to the user group management terminal, the method further comprises the steps that the user group management terminal performs identity verification on the user terminal based on a user identifier of the user terminal, the user group management terminal defines a position to be stored in a cloud storage server for an encrypted data block of the user terminal and obtains an index code according to the position to be stored of the encrypted data block of the user terminal under the condition that the user terminal passes the identity verification, the user group management terminal stores the index code and the data tag of the encrypted data block of the user terminal into a double-line linked list, and sends the encrypted data block and the data tag of the user terminal to the cloud storage server and sends a data clearing notification to the user terminal after receiving response information which is returned by the cloud storage server and is successfully stored.
When the user end is used for data storage, the user end does not interact with the cloud storage server directly, but interacts indirectly through the user group management end, so that user privacy can be guaranteed, specifically, the user end sends an encrypted data block encrypted by the user end, a calculated data tag and a user public key to the user group management end, the user group management end performs identity verification on the user end, and after verification is passed, the user group management end can define a position to be stored in the cloud storage server for the encrypted data block of the user end, so that the data block can be stored efficiently and safely. Then, according to the position to be stored of the encrypted data block, a corresponding index code is acquired. The index code can help the cloud storage server to quickly locate and call the encrypted data blocks in the cloud storage server.
For each user terminal, the user group management terminal constructs a double-line linked list based on a plurality of encrypted data blocks of the user terminal, and the data labels and index codes of the encrypted data blocks are sent to the double-line linked list, so that the user and the data are corresponding, and efficient management of the data of the user terminal is realized. Through the double-line linked list, the user group management end can ensure the corresponding relation between the data block and the label of each user in the group, and can track any modification operation of the data block, thereby ensuring the traceability and usability of the data.
And finally, the user group management end sends the encrypted data block and the data tag of the user end to the cloud storage server. After receiving the encrypted data and the tag, the cloud storage server stores the encrypted data and the tag and returns response information of successful storage. After receiving the confirmation response, the user group management end sends a data clearing notification to the user end, so that the user end can safely delete the locally stored data copy, and the data is successfully backed up on the cloud storage server and can be subjected to integrity verification. The mechanism not only reduces the storage pressure of the user side, but also further ensures the safety of the data, because even if the data of the user side is deleted, the data on the cloud storage server can be verified through the data tag, and the integrity and the non-falsification of the data are ensured.
Step S102, two prime numbers are randomly generated, and a first prime number and a second prime number are obtained.
It should be noted that, after receiving the data verification request sent by the user group management end, the third party performs the verification calculation, two prime numbers are randomly generated, and the prime numbers are used for generating the challenge information in the data integrity verification process.
Step S103, challenge information is constructed based on the first prime number, the second prime number, the index code and the pre-generated system parameters, and the challenge information is sent to the cloud storage server.
It should be noted that, the third party audit can construct challenge information according to the first prime number, the second prime number, the index code corresponding to the selected data block and the predefined system parameter, and the challenge information is constructed by using the double prime numbers and the bilinear function, so that the security of the verification process is enhanced, the data is prevented from being tampered in the transmission process, and when the data integrity verification is performed, the third party audit terminal sends the challenge information to the cloud storage server, the challenge information does not relate to user identity information, and the privacy of the user can be ensured.
The system parameters generated in advance includeWherein G 1 and G 2 are two multiplication loop groups with the same prime order of p, G is the generator of the multiplication loop group G 1, pk i represents the user public key of the ith user side,Is a random number, and is a parameter predefined by the user group management end and used for transmission between the user group management end and the third party audit end.
It should be noted that, the cloud storage server may obtain N encrypted data blocks stored by the user side based on the index code in the challenge information, and calculate the first check parameter and the second check parameter based on the N encrypted data blocks, the first prime number and the second prime number, where the encrypted data in the encrypted data block is data that is secondarily encrypted based on the user private key and the user group private key, so that data security is ensured, and the check parameter is not related to specific data received by the third party audit terminal, so that specific data cannot be revealed in the interaction process.
Step S104, receiving the first check parameter and the second check parameter returned by the cloud storage server, substituting the first check parameter and the second check parameter into a check equation, and acquiring a data integrity check result based on the calculation result of the check equation.
It should be noted that, the third party audit terminal verifies the first verification parameter and the second verification parameter returned by the cloud storage server, directly inputs the first verification parameter and the second verification parameter into the verification equation, if the verification equation is satisfied, the data is complete, and if the equation is not satisfied, the data is incomplete.
Optionally, the expression of the check equation is: wherein e is a bilinear function, A hash value representing an encrypted data block at the user side, l representing a first data block at the user side,The encrypted data block of the user side is represented, ω represents the second checking parameter, pi represents the first checking parameter, u represents the first prime number, and v represents the second prime number.
Note that the check equation is specifically expressed as: Pi and ω are the first check parameter and the second check parameter respectively, β= pi l∈LH(idl),H(idl) represents the hash value of the first encrypted data block of the user terminal, the first check parameter and the second check parameter transmitted by the cloud storage server are directly brought into the check equation, the integrity of the data of the user terminal is judged through the calculation result of the check equation, specific data is not involved in the whole check process, and the data security of the user terminal is ensured.
Optionally, the step of obtaining the data integrity check result based on the calculation result of the check equation includes determining that the data of the user terminal is incomplete to obtain a data incomplete check result and sending the data incomplete check result to the user group management terminal when the calculation result of the check equation indicates that the check equation is not satisfied, or determining that the data of the user terminal is complete to obtain a data complete check result and returning the data complete check result to the user terminal when the calculation result of the check equation indicates that the check equation is satisfied.
It should be noted that, the first check parameter and the second check parameter are brought into the check equation, if the check equation is not satisfied, it is indicated that the data stored in the cloud storage server by the user side is incomplete, and is destroyed or maliciously deleted, so as to obtain a data incomplete check result, the data incomplete check result is sent to the user group management side, the user group management side interacts with the cloud storage server, if the check equation is satisfied, it is indicated that the data of the user side is complete, a data complete check result is obtained, and the data complete check result is returned to the user side, so as to complete the check.
Through the steps, firstly, a data verification request sent by a user group management end is received, and an index code of a target encrypted data block is selected based on the data verification request, wherein the user group management end is a trusted entity configured for a user in a user group, the data verification request comprises index codes of N encrypted data blocks of the user end, two prime numbers are randomly generated to obtain a first prime number and a second prime number, challenge information is built based on the first prime number, the second prime number, the index code and a system parameter which is generated in advance, and the challenge information is sent to a cloud storage server, wherein the cloud storage server obtains N encrypted data blocks stored by the user end based on the index codes, calculates a first verification parameter and a second verification parameter based on the N encrypted data blocks, the first prime number and the second prime number, encrypted data in the encrypted data blocks are data which are secondarily encrypted based on a user private key and a user group private key, finally, the first verification parameter and the second verification parameter returned by the cloud storage server are received, the first verification parameter and the second verification parameter are substituted into a verification equation, and the data integrity verification result is obtained based on calculation result of the cloud storage server.
In the embodiment, the user group management end is introduced, interaction is carried out between the user group management end and the third party audit end, so that user information is prevented from being directly exposed to the third party audit end, protection of user privacy is enhanced, meanwhile, data stored in the cloud storage server by the user end is subjected to double encryption of a user private key and a user group private key, safety and user privacy of the data of the user end are guaranteed, challenge information is built based on the first prime number, the second prime number, the index code and system parameters in the data integrity verification process, parameters for verifying data integrity can be randomly and effectively generated, and accuracy of a data integrity verification result is guaranteed. And further, the technical problem that in the related technology, the data integrity is verified through the interaction between the user terminal and the third party audit terminal, and the data of the user terminal has potential safety hazards because the third party audit terminal is not completely trusted is solved.
The following detailed description is directed to alternative embodiments.
Fig. 2 is a schematic diagram of an alternative data integrity verification system according to an embodiment of the present invention, and as shown in fig. 2, the data integrity verification system includes five entities, PKGs (corresponding to the key management end described above), a user group consisting of members in a company, organization or organization, a user group management end, a cloud storage server (CSP), and a third party audit end.
The PKG is a trusted key management mechanism, and is responsible for generating a user key for a user terminal user in the user group, and the PKG sends the generated key pair to the user terminal in the corresponding mobile terminal user group.
The mobile terminal user group is a joint entity which can be outsourced by a large amount of data, can represent various levels of entities of a company/enterprise/organization, and members in the user group are called group users, and the group users commonly manage the whole file data.
The user group management end receives various requests of the user end and returns request responses, and concretely comprises that a group user delivers personal identification, a secret key and the like to the user group management end, the user group management end generates a group secret key in a multi-linear mapping mode and returns the group secret key to the group user, the group secret key encrypts a file and generates a corresponding file label, the encrypted file and the file label are sent to the user group management end, the user group management end performs file uploading and file downloading operations and interacts with a third party audit end to perform data audit, the user group management end sends a data integrity check request to the third party audit end, the third party audit end sends the data check request to the cloud storage server and receives the data check response returned by the cloud storage server, the data stored in the cloud storage server by the user end is subjected to integrity check to obtain a check result, and the check result is returned to the user group management end as an integrity check result response. Meanwhile, the user group management end performs one-to-one correspondence between users and user files, stores the user files in a double-line linked list, guarantees the availability of the files by executing a series of modification operations of the users, sets permission for the group users, and can only be performed after each operation of the group users is agreed by the user group management end, so that each operation such as damage to the stored files is prevented from being executed by the group users.
The cloud storage server (CSP) can provide a large amount of storage and calculation resources for group users, but is not trusted for the group users, so that data verification needs to be requested from the cloud storage server regularly, and the integrity of the stored data of the user side is ensured.
The third party audit Terminal (TPA) is a semi-trusted public data audit entity and can provide data integrity check service.
The data integrity verification method of the embodiment of the invention can be applied to the data integrity verification system, and aims at an application scene that a group of files are managed together by a mobile terminal user group (company/enterprise/organization), and the user terminal transmits the data to a cloud storage server (CSP) for cloud storage and performs data integrity verification through a third party audit terminal.
First, due to the untrustworthiness of the TPA to the mobile-side user (i.e., the user side), the TPA may have a record of the file information uploaded with it, thereby exposing user privacy. The invention generates the group key pair for the whole user group in a multi-linear mapping mode, encrypts the user data through the group key pair, interacts with the TPA through the user group management end, shields the users in the user group, and enables the TPA to audit the integrity of the data on the cloud server on the basis of not knowing the member information in the group. And secondly, the user data in the group is transmitted to a user group management end for management, the user group management end carries out one-to-one correspondence on the user and the user file, the user data in the group are stored in a double-line linked list, and the usability of the file is ensured by executing a series of modification operations of the user. And finally, the user in the group is managed by the user group management end, the user group management end has the right to prohibit all operations of the user end in the group user, the group user can execute all operations by agreeing with the user group management end, and if the user end wants to execute any operation, the operations can be executed after the user identity is confirmed by the user group management end, so that the stolen user can be prevented from executing all operations for damaging the uploaded file.
Step one, a system model is built, and a mechanism is introduced.
The system model comprises five entities, PKG, a user group consisting of members in a company, an organization or an organization, a user group management end, a cloud storage server (CSP), a third party auditor, and communication between the user end in the user group and the user group management end and communication between the user group management end and the third party audit end and the cloud storage server are established.
Step two, parameter setting is carried out for the system
Defining bilinear pair functions
G 1 and G 2 are two multiplication loop groups with the same prime order p, G is the generator of the multiplication loop group G 1, and a bilinear pair is defined as e: G 1×G1→G2, and the following conditions are required to be satisfied:
Bilinear: for Has e (u a,vb)=e(u,v)ab;
Non-degeneracy e (g, g) noteq1;
Calculability-there is an efficient algorithm that can calculate e.
Defining multiple linear pairs
G 1 and G 2 are two multiplication loop groups with the same prime order q, G, G 1 are generator elements of the multiplication loop group G 1, defining a multi-linear pair: the following conditions need to be met:
Multiple linearities for a 1,a2,...,an∈Z,x1,x2,...,xn∈G1, there is
Non-degeneracy e (g, g.. G) +.1;
calculability there is a finite algorithm that can calculate e.
Defining a hash function
H represents the hash function of the map to points {0,1} * → G represents the mapping of {0,1} * into G, H, i.e., the string is mapped into each element of G by the hash function.
Step three, uploading files
File blocking
Assuming that the user group includes k mobile user terminals, dividing the files in the user group into n subfiles, distributing the subfiles to each user terminal, dividing the received data blocks in the subfiles into s data blocks by the user terminal for storage, wherein the data stored by the user terminal can be expressed as:
{mij}(1≤i≤n,1≤j≤s)
Definition of the definition Is a random number used for transmission between the user group management terminal and the TPA, and the credibility and the integrity of the data are ensured by using a random number mode.
User key generation
For each User end User i in the User group, the PKG generates a random number epsilon i∈Zp for each User end, and defines the private key of the User as sk i=εi and the public key as epsilon i Then the user side discloses the public key of the user side, and further generates system parameters based on the predefined parameters
User group key generation
The user terminal in the user group sends the self public key pk i to the user group management terminal, and the user group management terminal calculates all public keys in the user group through multi-linear mapping, namely:
Where e (·) is a bilinear function, pk 1,pk2,...,pkk represents the user public key of each user terminal in the user group. The private key defining the mobile user group is:
Groupsk=H(S)
wherein Group sk is a user Group private key, and H (·) is a hash algorithm.
The public keys of the user group are:
wherein Group pk is a user Group public key, and G is a generator of a predefined multiplication loop Group G1.
Then, the user group management end discloses the public key of the user group.
Data tag computation
For each group user, after generating a private key through PKG, encrypting data managed by the private key by using the private key to generate an initial encrypted data block:
The user Group management end sends the generated Group private key Group sk to the user end, and the user end carries out secondary encryption on the initial encrypted data block by using the Group private key to generate an encrypted data block
Then, the user side performs label calculation on the encrypted data block managed by the user side to obtain a data label, wherein a calculation formula of the data label can be expressed as follows:
Where id k represents a user representation, i.e. the user identifier of the kth user terminal in the user group, and H (id k) represents a hash value of the user identifier.
After the above operations are performed, the user terminal willThe method comprises the steps of packaging and sending the encrypted data blocks to a user group management end, defining storage positions in a cloud storage server for encrypted data blocks of the user end after confirming identity ids k of each user end by the user group management end, acquiring index codes for positioning the storage positions, storing data labels and the index codes corresponding to encrypted data managed by the user end and the user end in a double-line linked list in a one-to-one correspondence mode, storing the double-line linked list in the user group management end, and being capable of tracing the data and facilitating updating operation of subsequent user ends.
And then the user group management end sends the encrypted data block of the user end to the cloud storage server according to the defined storage position, and after receiving response information of successful storage of the cloud storage server, the user end is informed to delete the local file.
Step four, data integrity verification
TPA send request
Suppose that user end 1 within a user group wants to verify the integrity of data stored on a cloud storage server.
The user terminal 1 firstly sends a verification operation request to the user group management terminal, after the user group management terminal confirms the identity of the group user 1, the user group management terminal initiates a data integrity verification request to the TPA, the data integrity verification request carries an Index code of an encrypted data block of the user terminal, the TPA randomly selects the Index code of the encrypted data block corresponding to the user terminal 1, wherein the selected Index code set { Index j } (1 is less than or equal to j is less than or equal to c) is an Index code corresponding to c encrypted data blocks selected from the encrypted data blocks [1, s ], and the Index code set { Index j }, which can be used for positioning the encrypted data blocks L= { r 1,r2,...,rc } stored in the cloud storage server.
Subsequently, the TPA generates two random prime numbers u, v E Z p, namely a first prime number and a second prime number, and calculates through the first prime number and system parameters to obtain an integrity check parameter:
Finally, the TPA sends challenge information to the cloud storage server, and the expression of the challenge information can be expressed as:
CSP response request
After the CSP receives the challenge information, two parameters pi (corresponding to the first verification parameter) and ω (corresponding to the second verification parameter) are generated, and specifically, the calculation formulas of the first verification parameter and the second verification parameter may be expressed as follows:
And then, the cloud storage server packages the first verification parameters and the second verification parameters { pi, omega } and returns the first verification parameters and the second verification parameters { pi, omega } to the third party auditing end.
Third party audit end for checking data integrity
After the third party audit terminal receives the verification parameters sent by the cloud storage server, the third party audit terminal brings the first verification parameters and the second verification parameters into a verification equation to verify the integrity of the request data block, namely:
Judging whether the above equation is satisfied, if so, indicating that the data is complete, otherwise, the data is damaged.
Step five, user group management end data management
Fig. 3 is an optional schematic diagram of data storage at a user group management end according to an embodiment of the present invention, as shown in fig. 3, when a user end sends an encrypted data block to the user group management end, the user group management end establishes, updates and maintains a doubly linked list in real time, and the user and a stored file are in one-to-one correspondence through a data structure of the doubly linked list, for example, a data tag corresponding to a file 1, a file 2, a file 3, a file 4 and an index code corresponding to a storage location are stored in the doubly linked list in fig. 3, a data tag corresponding to a file 1, a file 2, a file 3, a file 4 and an index code corresponding to a storage location of the user 2, a data tag corresponding to a file 1, a file 2, a file 3, a file 4 of the user 3 and an index code corresponding to a storage location of the user 4 are stored in the doubly linked list.
The method is characterized in that a bidirectional linked list mode is used, a linked list head is displayed as an identification serial number of a group user, and linked list contents are index codes corresponding to stored data blocks and data labels calculated by a user side.
When the user terminal in the user group wants to execute the corresponding operation, the user group management terminal needs to confirm the identity information of the user terminal of the group, if the user terminal account is found to be stolen, the user terminal is forbidden to execute any operation, and the user terminal is informed of the corresponding responsible person account failure. After the user group management end confirms the identity of the user end, the user end performs corresponding updating operation on the doubly linked list along with updating of the data stored on the cloud server, so that traceability of the data is conveniently realized.
The embodiment of the invention provides a method for verifying data integrity based on a mobile terminal user group. First, due to the unreliability of the third party audit end to the mobile end user, the third party audit end may have a data information record that uploads user information with it, exposing user privacy. The invention generates the group key pair for the whole user group in a multi-linear mapping mode, encrypts the user data through the group key pair, and interacts with the third party audit terminal through the trusted management terminal to shield the users in the user group, so that the third party audit terminal audits the integrity of the data on the cloud storage server on the basis of not knowing the user information in the user group.
Secondly, user data in the user group is managed by a user group management end through the data encrypted by using the user private key and the group key, the user group management end carries out one-to-one correspondence on the user and the user data, the user data and the user data are stored in a double-line linked list, and the availability of the file is ensured through executing a series of modification operations of the user.
And finally, the users in the user group are managed by the trusted management end, the trusted management end has the right to prohibit all operations of the group users, the group users can execute all operations by agreeing with each other through the trusted management end, if the group users want to execute any operation, the operations can be executed after the trusted management end confirms the identity of the users, the stolen users are prevented from executing all operations damaging the uploaded file, and the data security is ensured.
The following describes in detail another embodiment.
Example two
The data integrity verification device provided in this embodiment includes a plurality of implementation units, where each implementation unit corresponds to each implementation step in the first embodiment, and specific implementation and beneficial effects of each implementation unit may refer to the foregoing method embodiment and will not be described herein.
Fig. 4 is a schematic diagram of an alternative data integrity checking apparatus according to an embodiment of the present invention, which may include, as shown in fig. 4, a receiving unit 41, a generating unit 42, a constructing unit 43, a checking unit 44, wherein,
A receiving unit 41, configured to receive a data verification request sent by a user group management end, and select an index code of a target encrypted data block based on the data verification request, where the user group management end is a trusted entity configured for a user in a user group, and the data verification request includes index codes of N encrypted data blocks of the user end, where N is a positive integer;
A generating unit 42, configured to randomly generate two prime numbers, to obtain a first prime number and a second prime number;
The construction unit 43 is configured to construct challenge information based on the first prime number, the second prime number, the index code and the system parameter generated in advance, and send the challenge information to the cloud storage server, where the cloud storage server obtains N encrypted data blocks stored at the user terminal based on the index code, calculates the first check parameter and the second check parameter based on the N encrypted data blocks, the first prime number and the second prime number, and the encrypted data in the encrypted data blocks is data that is secondarily encrypted based on the user private key and the user group private key;
And the verification unit 44 is configured to receive the first verification parameter and the second verification parameter returned by the cloud storage server, and substitute the first verification parameter and the second verification parameter into a verification equation, and obtain a data integrity verification result based on a calculation result of the verification equation.
The data integrity verification device receives a data verification request sent by a user group management end through a receiving unit 41, and selects an index code of a target encrypted data block based on the data verification request, wherein the user group management end is a trusted entity configured for users in a user group, the data verification request comprises index codes of N encrypted data blocks of the user end, two prime numbers are randomly generated through a generating unit 42 to obtain a first prime number and a second prime number, challenge information is built through a building unit 43 based on the first prime number, the second prime number, the index code and a system parameter which is generated in advance, the challenge information is sent to a cloud storage server, the cloud storage server obtains N encrypted data blocks stored by the user end based on the index codes, calculates a first verification parameter and a second verification parameter based on the N encrypted data blocks, the first prime number and the second prime number, encrypted data in the encrypted data blocks are data which are secondarily encrypted based on a user private key and a user group private key, the first verification parameter and the second verification parameter returned by the cloud storage server are received through a verification unit 44, and the first verification parameter and the second verification parameter are substituted into a calculation result based on a calculation result of a complete verification equation.
In the embodiment, the user group management end is introduced, interaction is carried out between the user group management end and the third party audit end, so that user information is prevented from being directly exposed to the third party audit end, protection of user privacy is enhanced, meanwhile, data stored in the cloud storage server by the user end is subjected to double encryption of a user private key and a user group private key, safety and user privacy of the data of the user end are guaranteed, challenge information is built based on the first prime number, the second prime number, the index code and system parameters in the data integrity verification process, parameters for verifying data integrity can be randomly and effectively generated, and accuracy of a data integrity verification result is guaranteed. And further, the technical problem that in the related technology, the data integrity is verified through the interaction between the user terminal and the third party audit terminal, and the data of the user terminal has potential safety hazards because the third party audit terminal is not completely trusted is solved.
Optionally, the expression of the check equation is: wherein e is a bilinear function, A hash value representing an encrypted data block at the user side, l representing a first data block at the user side,The encrypted data block of the user side is represented, ω represents the second checking parameter, pi represents the first checking parameter, u represents the first prime number, and v represents the second prime number.
Optionally, the verification unit 44 includes a first determining module configured to determine that the data of the user terminal is incomplete when the calculation result of the verification equation indicates that the verification equation is not satisfied, obtain a data incomplete verification result, and send the data incomplete verification result to the user group management terminal, and a second determining module configured to determine that the data of the user terminal is complete when the calculation result of the verification equation indicates that the verification equation is satisfied, obtain a data complete verification result, and return the data complete verification result to the user terminal.
The data integrity verification device comprises a first receiving module, a first verification module and a first generation module, wherein the first receiving module is used for receiving a data integrity verification request sent by a user side by a user group management end and obtaining a user identification of the user side based on the data integrity verification request, the first verification module is used for verifying the user side based on the user identification to obtain a verification result, the first acquisition module is used for acquiring index codes of S encrypted data blocks of the user side based on the user identification under the condition that the verification result indicates that the user side passes the verification, S is a positive integer, S is greater than or equal to N, and the first generation module is used for generating the data verification request based on the index codes and sending the data verification request to a third party audit end.
Optionally, the data integrity verification device further comprises a second receiving module, a first sending module and a first constructing module, wherein the second receiving module is used for sending a key generation request to the key management end by the user end and receiving a user key returned by the key management end, the user key comprises a user public key and a user private key, the first sending module is used for sending the user public key to the user group management end by the user end, the first constructing module is used for constructing a user group key by the user group management end based on the user public keys of M user ends in a user group, the user group key comprises the user group public key and the user group private key, M is a positive integer, and the first returning module is used for returning the user group private key to M user ends in the user group by the user group management end.
Optionally, the data integrity verification device further comprises a first encryption module, a second encryption module and a second transmission module, wherein the first encryption module is used for encrypting the S data blocks based on a user private key by the user side to obtain an initial encrypted data block, the second encryption module is used for carrying out secondary encryption on the initial encrypted data block based on a user group private key by the user side to obtain an encrypted data block and calculating a data tag based on the encrypted data block and a user identifier of the user side, and the second transmission module is used for transmitting the encrypted data block, the data tag and the user public key to the user group management side by the user side.
The data integrity verification device comprises a first verification module, a second verification module, a first storage module and a third transmission module, wherein the first verification module is used for verifying the identity of a user terminal based on the user identification of the user terminal, the first verification module is used for defining the to-be-stored position of an encrypted data block of the user terminal in a cloud storage server and obtaining an index code according to the to-be-stored position of the encrypted data block of the user terminal when the user terminal passes the identity verification, the first storage module is used for storing the index and the data label of the encrypted data block of the user terminal in a double-line linked list, and the third transmission module is used for transmitting the encrypted data block and the data label of the user terminal to the cloud storage server and transmitting a data clearing notification to the user terminal after receiving response information returned by the cloud storage server and having successful storage.
The data integrity checking apparatus may further include a processor and a memory, wherein the receiving unit 41, the generating unit 42, the constructing unit 43, the checking unit 44, and the like are stored in the memory as program units, and the processor executes the program units stored in the memory to implement the corresponding functions.
The processor includes a kernel, and the kernel fetches a corresponding program unit from the memory. The kernel may be provided with one or more kernel parameters to perform integrity checking on the data.
The memory may include volatile memory in a computer-readable medium, random Access Memory (RAM) and/or nonvolatile memory, such as Read Only Memory (ROM) or flash memory (flash RAM), which includes at least one memory chip.
According to another aspect of the embodiment of the present invention, there is also provided a computer readable storage medium, where the computer readable storage medium includes a stored computer program, and when the computer program is executed, the device on which the computer readable storage medium is located is controlled to execute any one of the data integrity verification methods described above.
According to another aspect of the embodiments of the present invention, there is also provided an electronic device, including one or more processors and a memory, where the memory is configured to store one or more programs, and when the one or more programs are executed by the one or more processors, the one or more processors are caused to implement any one of the data integrity checking methods described above.
According to another aspect of the embodiments of the present invention, there is also provided a computer program product, the computer program product comprising a computer program, wherein the computer program, when executed by a processor, implements any of the above-mentioned data integrity checking methods.
The application further provides a computer program product which is suitable for executing a program initialized with the following method steps when the computer program is executed on data processing equipment, the computer program is used for receiving a data verification request sent by a user group management end and selecting an index code of a target encrypted data block based on the data verification request, wherein the user group management end is a trusted entity configured for users in a user group, the data verification request comprises index codes of N encrypted data blocks of the user end, two prime numbers are randomly generated to obtain a first prime number and a second prime number, challenge information is built based on the first prime number, the second prime number and the index code and a system parameter which is generated in advance, the challenge information is sent to a cloud storage server, the cloud storage server is used for obtaining the N encrypted data blocks stored by the user end based on the index code, calculating a first verification parameter and a second verification parameter based on the N encrypted data blocks, the first prime number and the second prime number, encrypted data in the encrypted data blocks are data which are secondarily encrypted based on a user private key and a user group private key, the first verification parameter and the second verification parameter are returned by the cloud storage server are received, and the first verification parameter are substituted into a complete verification equation based on the complete verification result.
The application also provides a computer program product which, when executed on a data processing apparatus, is further adapted to perform a program initialized with the method steps of: wherein e is a bilinear function, A hash value representing an encrypted data block at the user side, l representing a first data block at the user side,The encrypted data block of the user side is represented, ω represents the second checking parameter, pi represents the first checking parameter, u represents the first prime number, and v represents the second prime number.
The application also provides a computer program product which is suitable for executing a program initialized with the following method steps when being executed on data processing equipment, wherein the step of acquiring the data integrity check result based on the calculation result of the check equation comprises the steps of determining that the data of a user terminal is incomplete to obtain the data incomplete check result and sending the data incomplete check result to a user group management terminal when the calculation result of the check equation indicates that the check equation is not satisfied, or determining that the data of the user terminal is complete to obtain the data complete check result and returning the data complete check result to the user terminal when the calculation result of the check equation indicates that the check equation is satisfied.
The application further provides a computer program product which is suitable for executing a program initialized with the following method steps when the computer program product is executed on data processing equipment, and the computer program product further comprises the steps that before receiving a data verification request sent by a user group management end, the user group management end receives the data integrity verification request sent by the user end, obtains a user identification of the user end based on the data integrity verification request, verifies the user end based on the user identification to obtain a verification result, obtains index codes of S encrypted data blocks of the user end based on the user identification when the verification result indicates that the user end passes the verification, wherein S is a positive integer, S is greater than or equal to N, generates the data verification request based on the index codes, and sends the data verification request to a third party audit end.
The application also provides a computer program product which is suitable for executing a program initialized with the following method steps when being executed on data processing equipment, and the computer program product further comprises the steps that before receiving a data verification request sent by a user group management end, the user end sends a key generation request to a key management end and receives a user key returned by the key management end, wherein the user key comprises a user public key and a user private key, the user end sends the user public key to the user group management end, the user group management end constructs a user group key based on the user public keys of M user ends in a user group, the user group key comprises the user group public key and the user group private key, M is a positive integer, and the user group management end returns the user group private key to the M user ends in the user group.
The application also provides a computer program product which is suitable for executing the program initialized with the following method steps when being executed on data processing equipment, and before receiving a data verification request sent by a user group management end, the computer program product further comprises the steps that the user end encrypts S data blocks based on a user private key to obtain initial encrypted data blocks, the user end conducts secondary encryption on the initial encrypted data blocks based on the user group private key to obtain encrypted data blocks, and calculates a data tag based on the encrypted data blocks and user identification of the user end, and the user end sends the encrypted data blocks, the data tag and a user public key to the user group management end.
The application also provides a computer program product which is suitable for executing the program initialized with the following method steps when being executed on a data processing device, after the user terminal sends the encrypted data, the data tag and the user public key to the user group management terminal, the computer program product further comprises the steps that the user group management terminal performs identity verification on the user terminal based on the user identifier of the user terminal, under the condition that the user terminal passes the identity verification, the user group management terminal defines a position to be stored in a cloud storage server for the encrypted data block of the user terminal and acquires an index code according to the position to be stored of the encrypted data block of the user terminal, the user group management terminal stores the index code and the data tag of the encrypted data block of the user terminal into a double-line chain table, and the user group management terminal sends the encrypted data block and the data tag of the user terminal to the cloud storage server and sends a data clearing notification to the user terminal after receiving response information returned by the cloud storage server and successfully stored.
Fig. 5 is a block diagram of a hardware structure of an electronic device (or mobile device) for a data integrity checking method according to an embodiment of the present invention. As shown in fig. 5, the electronic device may include one or more (502 a, 502b are employed in fig. 5 a.,. The term.,. 502n (processor 502 may include, but is not limited to, a microprocessor MCU or a processing device such as a programmable logic device FPGA), a memory 504 for storing data. Among other things, a display, an input/output interface (I/O interface), a Universal Serial Bus (USB) port (which may be included as one of the ports of the I/O interface), a network interface, a keyboard, a power supply, and/or a camera may be included. It will be appreciated by those of ordinary skill in the art that the configuration shown in fig. 5 is merely illustrative and is not intended to limit the configuration of the electronic device described above. For example, the electronic device may also include more or fewer components than shown in FIG. 5, or have a different configuration than shown in FIG. 5.
The foregoing embodiment numbers of the present invention are merely for the purpose of description, and do not represent the advantages or disadvantages of the embodiments.
In the foregoing embodiments of the present invention, the descriptions of the embodiments are emphasized, and for a portion of this disclosure that is not described in detail in this embodiment, reference is made to the related descriptions of other embodiments.
In the several embodiments provided in the present application, it should be understood that the disclosed technology may be implemented in other manners. The above-described embodiments of the apparatus are merely exemplary, and the division of the units, for example, may be a logic function division, and may be implemented in another manner, for example, a plurality of units or components may be combined or may be integrated into another system, or some features may be omitted, or not performed. Alternatively, the coupling or direct coupling or communication connection shown or discussed with each other may be through some interfaces, units or modules, or may be in electrical or other forms.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, each functional unit in the embodiments of the present invention may be integrated in one processing unit, or each unit may exist alone physically, or two or more units may be integrated in one unit. The integrated units may be implemented in hardware or in software functional units.
The integrated units, if implemented in the form of software functional units and sold or used as stand-alone products, may be stored in a computer readable storage medium. Based on such understanding, the technical solution of the present invention may be embodied essentially or in part or all of the technical solution or in part in the form of a software product stored in a storage medium, including instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) to perform all or part of the steps of the method according to the embodiments of the present invention. The storage medium includes a U disk, a Read-Only Memory (ROM), a random access Memory (RAM, random Access Memory), a removable hard disk, a magnetic disk, or an optical disk, etc. which can store the program code.
The foregoing is merely a preferred embodiment of the present invention and it should be noted that modifications and adaptations to those skilled in the art may be made without departing from the principles of the present invention, which are intended to be comprehended within the scope of the present invention.
Claims (10)
1. The data integrity checking method is characterized by being applied to a third party audit terminal, and comprises the following steps:
Receiving a data verification request sent by a user group management end, and selecting an index code of a target encrypted data block based on the data verification request, wherein the user group management end is a trusted entity configured for users in a user group, the data verification request comprises index codes of N encrypted data blocks of the user end, and N is a positive integer;
randomly generating two prime numbers to obtain a first prime number and a second prime number;
Constructing challenge information based on the first prime number, the second prime number, the index code and a pre-generated system parameter, and sending the challenge information to a cloud storage server, wherein the cloud storage server acquires N encrypted data blocks stored by the user terminal based on the index code, calculates a first check parameter and a second check parameter based on the N encrypted data blocks, the first prime number and the second prime number, and encrypted data in the encrypted data blocks is data secondarily encrypted based on a user private key and a user group private key;
and receiving the first check parameter and the second check parameter returned by the cloud storage server, substituting the first check parameter and the second check parameter into a check equation, and acquiring a data integrity check result based on the calculation result of the check equation.
2. The method of claim 1, wherein the check equation has the expression:
wherein e is a bilinear function,
H (id l) represents the hash value of the encrypted data block at the user side, l represents the first data block at the user side,And representing the encrypted data block of the user side, wherein ω represents the second checking parameter, pi represents the first checking parameter, u represents the first prime number, and v represents the second prime number.
3. The method of claim 1, wherein the step of obtaining a data integrity check result based on the calculation result of the check equation comprises:
under the condition that the calculation result of the check equation indicates that the check equation is not satisfied, determining that the data of the user terminal is incomplete, obtaining a data incomplete check result, and sending the data incomplete check result to the user group management terminal, or
And under the condition that the calculation result of the check equation is satisfied indicates that the check equation is satisfied, determining that the data of the user terminal is complete, obtaining a data complete check result, and returning the data complete check result to the user terminal.
4. The method of claim 1, further comprising, prior to receiving the data verification request sent by the subscriber group management side:
The user group management end receives a data integrity check request sent by the user end and acquires a user identification of the user end based on the data integrity check request;
Checking the user terminal based on the user identifier to obtain a checking result;
under the condition that the verification result indicates that the user side passes the verification, acquiring the index codes of S encrypted data blocks of the user side based on the user identification, wherein S is a positive integer, and S is greater than or equal to N;
and generating the data verification request based on the index code, and sending the data verification request to a third party audit terminal.
5. The method of claim 1, further comprising, prior to receiving the data verification request sent by the subscriber group management side:
The user terminal sends a key generation request to a key management terminal and receives a user key returned by the key management terminal, wherein the user key comprises a user public key and a user private key;
The user sends the user public key to the user group management end;
The user group management end constructs a user group key based on the user public keys of M user ends in the user group, wherein the user group key comprises a user group public key and the user group private key, and M is a positive integer;
And the user group management terminal returns the user group private key to M user terminals in the user group.
6. The method of claim 1, further comprising, prior to receiving the data verification request sent by the subscriber group management side:
the user terminal encrypts S data blocks based on the user private key to obtain initial encrypted data blocks;
The user side carries out secondary encryption on the initial encrypted data block based on the user group private key to obtain an encrypted data block, and calculates a data tag based on the encrypted data block and the user identification of the user side;
And the user sends the encrypted data block, the data tag and the user public key to the user group management end.
7. The method of claim 6, further comprising, after the user terminal sends the encrypted data, the data tag, and the user public key to the user group management terminal:
The user group management end performs identity verification on the user end based on the user identification of the user end;
Under the condition that the user side passes the identity verification, the user group management side defines a position to be stored in a cloud storage server for an encrypted data block of the user side, and acquires an index code according to the position to be stored of the encrypted data block of the user side;
The user group management end stores the index code and the data tag of the encrypted data block of the user end into a double-line linked list;
And the user group management end sends the encrypted data block and the data tag of the user end to the cloud storage server, and sends a data clearing notification to the user end after receiving response information returned by the cloud storage server and successfully stored.
8. The utility model provides a data integrity verifying attachment, its characterized in that is applied to third party audit end, data integrity verifying attachment includes:
The receiving unit is used for receiving a data verification request sent by a user group management end and selecting an index code of a target encrypted data block based on the data verification request, wherein the user group management end is a trusted entity configured for users in a user group, the data verification request comprises index codes of N encrypted data blocks of the user end, and N is a positive integer;
The generating unit is used for randomly generating two prime numbers to obtain a first prime number and a second prime number;
The construction unit is used for constructing challenge information based on the first prime number, the second prime number, the index code and the system parameter which is generated in advance, and sending the challenge information to the cloud storage server, wherein the cloud storage server acquires N encrypted data blocks stored by the user terminal based on the index code, calculates a first check parameter and a second check parameter based on the N encrypted data blocks, the first prime number and the second prime number, and encrypted data in the encrypted data blocks are data which are secondarily encrypted based on a user private key and a user group private key;
And the verification unit is used for receiving the first verification parameter and the second verification parameter returned by the cloud storage server, substituting the first verification parameter and the second verification parameter into a verification equation, and acquiring a data integrity verification result based on the calculation result of the verification equation.
9. A computer readable storage medium, characterized in that the computer readable storage medium comprises a stored computer program, wherein the computer program, when run, controls a device in which the computer readable storage medium is located to perform the data integrity checking method according to any one of claims 1 to 7.
10. An electronic device comprising one or more processors and a memory for storing one or more programs, wherein the one or more programs, when executed by the one or more processors, cause the one or more processors to implement the data integrity check method of any of claims 1-7.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202411363511.XA CN119129001A (en) | 2024-09-27 | 2024-09-27 | Data integrity verification method and device, electronic device and storage medium |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202411363511.XA CN119129001A (en) | 2024-09-27 | 2024-09-27 | Data integrity verification method and device, electronic device and storage medium |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN119129001A true CN119129001A (en) | 2024-12-13 |
Family
ID=93755464
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202411363511.XA Pending CN119129001A (en) | 2024-09-27 | 2024-09-27 | Data integrity verification method and device, electronic device and storage medium |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN119129001A (en) |
Cited By (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20240333489A1 (en) * | 2023-04-03 | 2024-10-03 | Verai Systems, LLC | Multiple encryption data storage and retrieval system |
-
2024
- 2024-09-27 CN CN202411363511.XA patent/CN119129001A/en active Pending
Cited By (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20240333489A1 (en) * | 2023-04-03 | 2024-10-03 | Verai Systems, LLC | Multiple encryption data storage and retrieval system |
| US12494905B2 (en) * | 2023-04-03 | 2025-12-09 | Verai System, LLC | Multiple encryption data storage and retrieval system |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US11784823B2 (en) | Object signing within a cloud-based architecture | |
| US9674183B2 (en) | System and method for hardware-based trust control management | |
| CN109274652B (en) | Identity information verification system, method and device and computer storage medium | |
| US10305893B2 (en) | System and method for hardware-based trust control management | |
| US20110276490A1 (en) | Security service level agreements with publicly verifiable proofs of compliance | |
| Ali et al. | DaSCE: Data security for cloud environment with semi-trusted third party | |
| CN111914293A (en) | Data access authority verification method and device, computer equipment and storage medium | |
| CN112464212B (en) | Data authority control reconstruction method based on mature complex service system | |
| CN101419686A (en) | A kind of on-line contract signing system based on the internet | |
| CN101473335A (en) | Information processing terminal and status notifying method | |
| CN111769956B (en) | Service processing method, device, equipment and medium | |
| CN113014394B (en) | Method and system for electronic data storage certificate based on alliance chain | |
| CN119129001A (en) | Data integrity verification method and device, electronic device and storage medium | |
| CN104935608A (en) | Identity authentication method in cloud computing network | |
| CN117595996A (en) | Electronic signature processing method and device, electronic equipment and storage medium | |
| CN104935606A (en) | Terminal login method in cloud computing network | |
| Cho et al. | Guaranteeing the integrity and reliability of distributed personal information access records | |
| CN113726515A (en) | UKEY-based key processing method, storage medium and electronic device | |
| CN115514470B (en) | Storage method and system for community correction data security | |
| KR20190027207A (en) | System and method for verifying integrity of personal information | |
| Hande et al. | An analysis on data Accountability and Security in cloud | |
| CN104935607A (en) | Login certification method in cloud computing network | |
| Sun et al. | On the Development of a Protection Profile Module for Encryption Key Management Components | |
| CN114598478A (en) | Data encryption method and device, electronic equipment and storage medium | |
| CN115361229A (en) | Secure sharing method and system for government public data |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination |