CN111698203A - Cloud data encryption method - Google Patents
Cloud data encryption method Download PDFInfo
- Publication number
- CN111698203A CN111698203A CN202010352386.8A CN202010352386A CN111698203A CN 111698203 A CN111698203 A CN 111698203A CN 202010352386 A CN202010352386 A CN 202010352386A CN 111698203 A CN111698203 A CN 111698203A
- Authority
- CN
- China
- Prior art keywords
- data
- user
- guest
- master
- cloud
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
- 238000000034 method Methods 0.000 title claims abstract description 38
- 238000012795 verification Methods 0.000 claims abstract description 46
- 238000005516 engineering process Methods 0.000 description 4
- 230000009286 beneficial effect Effects 0.000 description 1
- 230000002457 bidirectional effect Effects 0.000 description 1
- 230000005540 biological transmission Effects 0.000 description 1
- 238000004364 calculation method Methods 0.000 description 1
- 238000013523 data management Methods 0.000 description 1
- 230000010365 information processing Effects 0.000 description 1
- 230000010354 integration Effects 0.000 description 1
- 238000012946 outsourcing Methods 0.000 description 1
- 238000012384 transportation and delivery Methods 0.000 description 1
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/04—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
- H04L63/0428—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
- H04L63/0442—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply asymmetric encryption, i.e. different keys for encryption and decryption
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/083—Network architectures or network communication protocols for network security for authentication of entities using passwords
- H04L63/0838—Network architectures or network communication protocols for network security for authentication of entities using passwords using one-time-passwords
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0876—Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/10—Network architectures or network communication protocols for network security for controlling access to devices or network resources
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L67/00—Network arrangements or protocols for supporting network services or applications
- H04L67/01—Protocols
- H04L67/10—Protocols in which an application is distributed across nodes in the network
Landscapes
- Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Power Engineering (AREA)
- Storage Device Security (AREA)
Abstract
The invention relates to a cloud data encryption method, which comprises the steps of user identity registration authentication, and registering a master user and a guest user to a cloud server; the master user encrypts the data by adopting an asymmetric encryption algorithm, the master user generates a master public key and a master private key, the guest user generates a guest public key and a guest private key, and the master user encrypts the data through the guest public key and uploads the data to the cloud server; the method comprises the steps that a master user sets access verification on data access, a cloud access request is generated when a guest user accesses data of the master user, an access verification code is randomly generated and sent to a terminal of a pre-designated guest user, the guest user can access cloud data after inputting access verification, and otherwise the cloud data cannot be accessed; and the guest user downloads the data on the cloud server to the local and decrypts the data through the guest private key. The method encrypts by an asymmetric encryption method, the password is not easy to crack, data leakage is effectively avoided by verifying data access, and the method is high in practicability, good in safety and simple to use.
Description
Technical Field
The invention relates to an encryption method, in particular to a cloud data encryption method.
Background
Cloud data is a brand-new service delivery and use mode, and resources required by users, such as required hardware, platforms, software, services and the like, are acquired by using the Internet in an easily-extensible mode according to needs. Cloud data has the following characteristics:
1. and (5) outsourcing data and services. The cloud data fully integrates various computing and storage resources, realizes integration of hardware resources, software resources and service resources, and highly centralizes various resources.
2. Multi-tenant and cross-domain sharing. Massive information processing is provided through the Internet, and users can participate conveniently. The cloud data technology has the network providing characteristic, so that a user can access cloud data resources through a terminal such as a smart phone and a portable computer at any time and any place, and in addition, the cloud data provider can meet application requirements due to the characteristic of network service, and large-scale and intensive processing is realized.
3. And (6) virtualization. The cloud data technology adopts measures such as data multi-copy fault tolerance and isomorphic and interchangeable computing nodes to ensure high reliability of service.
In recent years, cloud data technology is developed vigorously, more enterprises and individuals store data in the cloud, and the storage mode can effectively improve the storage capacity, the fault resistance, the response speed and the like of the database.
The security problem of cloud storage is increasingly prominent while the cloud storage is continuously developed, particularly the security problem and the privacy problem of cloud data, most of existing cloud data confidentiality is provided through cloud service providers, although customers save trouble, the security cannot be guaranteed, particularly the cloud service providers with low credibility are important for cloud data encryption. Because the high-end user has perfect secrecy measures, the data security on the cloud server is high, and the safety measures improved by a cloud service provider are not relied on. But the common user has no perfect security measures, the common user mostly adopts simple password encryption at present, and the data is easy to crack. And the data is easily illegally downloaded under the condition that a security vulnerability exists in the cloud service provider.
Disclosure of Invention
In order to solve the problems, the invention provides a cloud data encryption method which is suitable for common users, has a password which is not easy to crack and reduces the security dependence on cloud service providers, and the specific technical scheme is as follows:
a cloud data encryption method comprises user identity registration authentication, wherein a master user and a guest user are registered in a cloud server, the master user is a data owner, and the guest user is a data user; the method comprises the steps that data are encrypted, the master user encrypts the data by adopting an asymmetric encryption algorithm, the master user generates a master public key and a master private key, the guest user generates a guest public key and a guest private key, the master user and the guest user mutually send the master public key and the guest public key, the master user encrypts the data locally through the guest public key, and the master user uploads the encrypted data to a cloud server; the method comprises the steps that data access verification is set by a master user, a cloud access request is generated when a guest user accesses data of the master user, an access verification code is randomly generated by a cloud server, the access verification code is sent to a terminal of a pre-designated guest user, the guest user inputs the access verification code, the cloud data can be accessed after the access verification is correct, and otherwise the cloud data cannot be accessed; and data decryption, wherein the guest user downloads the data on the cloud server to the local and decrypts the data through a guest private key.
Further, the registration information of the master user and the guest user comprises the MAC address and/or the IMEI identification code of the terminal.
The cloud server detects whether the MAC addresses and/or IMEI identification codes of the main user terminal and the guest user terminal are consistent with the MAC addresses and/or IMEI identification codes provided during registration, if the MAC addresses and/or IMEI identification codes are consistent with the MAC addresses and/or IMEI identification codes provided during registration, the main user is allowed to access data on the cloud server, the guest user generates the verification codes, the data are allowed to be accessed after the verification is passed, and if the detected MAC addresses and/or IMEI identification codes of the guest user are inconsistent with the registered MAC addresses and/or IMEI identification codes, the verification codes are not generated.
The method comprises the steps that a client user accesses data on a cloud server, the client user accesses the data on the cloud server, the access time limit is set by the client user, the access time limit is used for controlling the termination time of data access, and the client user cannot access the data on the cloud server after the access time expires.
The method comprises the steps that a cloud server is connected with a master user, the master user sets data access authority for data on the cloud server, the data access authority is used for displaying data which can be accessed by a guest user, and data which cannot be accessed by the guest user are not displayed.
Further, the registration information of the master user and the guest user also comprises a name, a mailbox and a mobile phone number.
Further, the master public key and the guest public key are not transmitted through the cloud server when the master user and the guest user transmit the master public key and the guest public key to each other.
Further, the validity time of the access verification code is not more than 60 seconds.
Compared with the prior art, the invention has the following beneficial effects:
the cloud data encryption method provided by the invention encrypts through the asymmetric encryption method, the password is not easy to crack, and data leakage is effectively avoided through verifying data access, so that the practicability is high, the safety is good, and the use is simple.
Detailed Description
The present invention will now be further described with reference to examples.
Example one
A cloud data encryption method comprises user identity registration authentication, wherein a master user and a guest user are registered in a cloud server, the master user is a data owner, and the guest user is a data user; the method comprises the steps that data are encrypted, the master user encrypts the data by adopting an asymmetric encryption algorithm, the master user generates a master public key and a master private key, the guest user generates a guest public key and a guest private key, the master user and the guest user mutually send the master public key and the guest public key, the master user encrypts the data locally through the guest public key, and the master user uploads the encrypted data to a cloud server; the method comprises the steps that data access verification is set by a master user, a cloud access request is generated when a guest user accesses data of the master user, an access verification code is randomly generated by a cloud server, the access verification code is sent to a terminal of a pre-designated guest user, the guest user inputs the access verification code, the cloud data can be accessed after the access verification is correct, and otherwise the cloud data cannot be accessed; and data decryption, wherein the guest user downloads the data on the cloud server to the local and decrypts the data through a guest private key.
The method comprises the steps that a client user accesses data on a cloud server, the client user accesses the data on the cloud server, the access time limit is set by the client user, the access time limit is used for controlling the termination time of data access, and the client user cannot access the data on the cloud server after the access time expires. The access time limitation effectively improves the data security and avoids the overdue user from downloading the data.
The cloud server further comprises a data access right, the master user sets the data access right for data on the cloud server, the data access right is used for displaying data which can be accessed by the guest user, and data which cannot be accessed by the guest user are not displayed. The data access authority effectively avoids leakage of all data and guarantees the safety of the whole data.
The registration information of the master user and the guest user also comprises names, mailboxes and mobile phone numbers.
And the master user and the guest user do not pass through the cloud server when sending the master public key and the guest public key to each other. The master public key and the guest public key are not transmitted through the cloud server, so that the risk of cloud server leakage is effectively avoided, the safety of the public keys is ensured, and the public keys can be transmitted through a USB flash disk or an encrypted mail.
The validity time of the access verification code is not more than 60 seconds. The valid time of the verification code can improve the safety and prevent the verification code from becoming a bug.
Specifically, there is only one primary user, and there may be multiple secondary users. The method mainly comprises the steps that a guest user mainly downloads and uses data, the guest user can edit the data, the edited data need to be encrypted and then uploaded to a cloud server, namely the guest user encrypts the edited data locally through a master public key, the encrypted data are uploaded to the cloud server, and a master user downloads the edited data of the guest user, decrypts the data through a master private key and then edits the data. And bidirectional use and editing of data are realized.
Asymmetric encryption is a mature technology in the prior art, so that data is always in a ciphertext state in the transmission process, and any third party cannot obtain plaintext information, the security of data of a common user is ensured, and the user can safely outsource the data to a cloud service provider. The asymmetric encryption algorithm is a secret method of a secret key. Asymmetric encryption algorithms require two keys: public keys (public keys for short) and private keys (private keys for short). The public key and the private key are a pair, and if data is encrypted by the public key, the data can be decrypted only by the corresponding private key. This algorithm is called asymmetric encryption algorithm because two different keys are used for encryption and decryption. The basic process of realizing confidential information exchange by the asymmetric encryption algorithm is as follows: the first party generates a pair of secret keys and discloses the public keys, and other roles (the second party) needing to send information to the first party encrypt the confidential information by using the secret keys (the public keys of the first party) and then send the encrypted confidential information to the first party; the first party decrypts the encrypted information by using the private key of the first party. The method is characterized in that when the party A wants to reply to the party B, the opposite is true, the public key of the party B is used for encrypting data, and similarly, the party B uses the private key of the party B for decrypting. On the other hand, the party A can use the private key of the party A to sign the confidential information and then send the information to the party B; the second party checks the data sent back by the first party by using the public key of the first party. Party a can only decrypt any information encrypted by his public key with his private key. The security of asymmetric cryptographic algorithms is good, eliminating the need for end users to exchange keys.
The asymmetric cryptosystem has the characteristics that: the algorithm is complex in strength and security, depends on the algorithm and the secret key, but the encryption and decryption speed is not as fast as the symmetric encryption and decryption speed due to the complex algorithm. The symmetric cryptosystem has only one kind of key and is not public, and if the key is required to be decrypted, the opposite party can know the key. Therefore, the security of the key is ensured, and the asymmetric key body is provided with two keys, wherein one of the two keys is public, so that the key of the other party does not need to be transmitted like a symmetric cipher. Thus, the security is much greater. Asymmetric encryption improves the security of the data.
The data access verification adopts dynamic password verification, namely, a verification code is sent to the appointed mobile phone number, login is carried out according to the dynamic verification code, the effective time of accessing the verification code is not more than 60 seconds, data leakage caused by security holes of the cloud server is effectively avoided, only the verification code is received, and the data can be accessed by inputting the verification code within the specified time, so that the security is greatly improved, and the data is not easy to leak.
Example two
On the basis of the above embodiment, the registration information of the primary user and the guest user both include the MAC address and/or the IMEI identification code of the terminal.
The cloud server detects whether the MAC addresses and/or IMEI identification codes of the main user terminal and the guest user terminal are consistent with the MAC addresses and/or IMEI identification codes provided during registration, if the MAC addresses and/or IMEI identification codes are consistent with the MAC addresses and/or IMEI identification codes provided during registration, the guest user generates a verification code, the data is allowed to be accessed after the verification is passed, and if the detected MAC addresses and/or IMEI identification codes of the guest user are inconsistent with the MAC addresses and/or IMEI identification codes provided during registration, the verification code is not generated, and the access is denied.
Since the MAC address or IMEI identity is unique, verification is facilitated.
By verifying the MAC address and/or the IMEI identification code, illegal data downloading is effectively prevented, the risk of data leakage is basically eliminated by combining verification code access, and the safety of data is greatly improved. The cloud server only needs to verify the verification code, the MAC address and/or the IMEI identification code, so that the safety requirement on a cloud service provider is greatly reduced, and the safety of data is ensured.
The invention carries out encryption by an asymmetric encryption method, carries out data access after verification by the verification code, the MAC address and/or the IMEI identification code, not only carries out safety verification on a data owner, but also carries out safety verification on a data user, ensures the safety of data in a cloud storage system in an open environment on the premise that a cloud service provider is not trusted, realizes the safety sharing of the data, and reduces the huge calculation expense brought by data management.
Claims (8)
1. A cloud data encryption method is characterized by comprising
The method comprises the steps of user identity registration authentication, wherein a master user and a guest user are registered to a cloud server, the master user is a data owner, and the guest user is a data user;
the method comprises the steps that data are encrypted, the master user encrypts the data by adopting an asymmetric encryption algorithm, the master user generates a master public key and a master private key, the guest user generates a guest public key and a guest private key, the master user and the guest user mutually send the master public key and the guest public key, the master user encrypts the data locally through the guest public key, and the master user uploads the encrypted data to a cloud server;
the method comprises the steps that data access verification is set by a master user, a cloud access request is generated when a guest user accesses data of the master user, an access verification code is randomly generated by a cloud server, the access verification code is sent to a terminal of a pre-designated guest user, the guest user inputs the access verification code, the cloud data can be accessed after the access verification is correct, and otherwise the cloud data cannot be accessed;
and data decryption, wherein the guest user downloads the data on the cloud server to the local and decrypts the data through a guest private key.
2. The cloud data encryption method according to claim 1,
and the registration information of the master user and the guest user comprises the MAC address and/or IMEI identification code of the terminal.
3. The cloud data encryption method of claim 2,
the cloud server detects whether the MAC addresses and/or IMEI identification codes of the main user terminal and the guest user terminal are consistent with the MAC addresses and/or IMEI identification codes provided during registration, if the MAC addresses and/or IMEI identification codes are consistent with the MAC addresses and/or IMEI identification codes provided during registration, the guest user generates a verification code, the data is allowed to be accessed after the verification is passed, and if the detected MAC addresses and/or IMEI identification codes of the guest user are inconsistent with the MAC addresses and/or IMEI identification codes provided during registration, the verification code is not generated, and the access is denied.
4. The cloud data encryption method according to claim 1,
the method comprises the steps that a client user accesses data on a cloud server, the client user accesses the data on the cloud server, the access time limit is set by the client user, the access time limit is used for controlling the termination time of data access, and the client user cannot access the data on the cloud server after the access time expires.
5. The cloud data encryption method according to claim 1,
the cloud server further comprises a data access right, the master user sets the data access right for data on the cloud server, the data access right is used for displaying data which can be accessed by the guest user, and data which cannot be accessed by the guest user are not displayed.
6. The cloud data encryption method according to claim 1,
the registration information of the master user and the guest user also comprises names, mailboxes and mobile phone numbers.
7. The cloud data encryption method according to claim 1,
and the master user and the guest user do not pass through the cloud server when sending the master public key and the guest public key to each other.
8. The cloud data encryption method according to claim 1,
the validity time of the access verification code is not more than 60 seconds.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202010352386.8A CN111698203A (en) | 2020-04-28 | 2020-04-28 | Cloud data encryption method |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202010352386.8A CN111698203A (en) | 2020-04-28 | 2020-04-28 | Cloud data encryption method |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN111698203A true CN111698203A (en) | 2020-09-22 |
Family
ID=72476739
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202010352386.8A Pending CN111698203A (en) | 2020-04-28 | 2020-04-28 | Cloud data encryption method |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN111698203A (en) |
Cited By (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN112615837A (en) * | 2020-12-10 | 2021-04-06 | 成都新赢科技有限公司 | Intelligent data protection system and use method thereof |
| CN113553573A (en) * | 2021-07-09 | 2021-10-26 | 深圳市高德信通信股份有限公司 | Data security verification method |
-
2020
- 2020-04-28 CN CN202010352386.8A patent/CN111698203A/en active Pending
Cited By (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN112615837A (en) * | 2020-12-10 | 2021-04-06 | 成都新赢科技有限公司 | Intelligent data protection system and use method thereof |
| CN113553573A (en) * | 2021-07-09 | 2021-10-26 | 深圳市高德信通信股份有限公司 | Data security verification method |
| CN113553573B (en) * | 2021-07-09 | 2024-02-06 | 深圳市高德信通信股份有限公司 | Data security verification method |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US9847882B2 (en) | Multiple factor authentication in an identity certificate service | |
| US8499156B2 (en) | Method for implementing encryption and transmission of information and system thereof | |
| US20030196084A1 (en) | System and method for secure wireless communications using PKI | |
| CN100574511C (en) | The method and system of opposite end identity validation in a kind of mobile terminal communication | |
| US20030081774A1 (en) | Method and apparatus for dynamic generation of symmetric encryption keys and exchange of dynamic symmetric key infrastructure | |
| WO2015135063A1 (en) | System and method for secure deposit and recovery of secret data | |
| CN103906052B (en) | A kind of mobile terminal authentication method, Operational Visit method and apparatus | |
| US7412059B1 (en) | Public-key encryption system | |
| EP2414983B1 (en) | Secure Data System | |
| CN108809633B (en) | Identity authentication method, device and system | |
| CN115473655B (en) | Terminal authentication method, device and storage medium for access network | |
| US7315950B1 (en) | Method of securely sharing information over public networks using untrusted service providers and tightly controlling client accessibility | |
| JP2001186122A (en) | Authentication system and authentication method | |
| JP2024501326A (en) | Access control methods, devices, network equipment, terminals and blockchain nodes | |
| CN118199866A (en) | Method for synchronously distributing quantum key and digital certificate and related equipment | |
| CN114091009A (en) | Method for establishing secure link by using distributed identity | |
| CN111698203A (en) | Cloud data encryption method | |
| US11804969B2 (en) | Establishing trust between two devices for secure peer-to-peer communication | |
| CN120474752A (en) | A method for verifying access security of an Internet of Things device | |
| JP2007525125A (en) | Public key transmission by mobile terminal | |
| CN119583043A (en) | A group message encryption method, system and device based on quantum key distribution | |
| CN113328860A (en) | Block chain-based user privacy data security providing method | |
| CN110532741A (en) | Personal information authorization method, authentication center and service provider | |
| CN111800791B (en) | Authentication method, core network equipment and terminal | |
| CN116709325A (en) | Mobile equipment security authentication method based on high-speed encryption algorithm |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| WD01 | Invention patent application deemed withdrawn after publication | ||
| WD01 | Invention patent application deemed withdrawn after publication |
Application publication date: 20200922 |