CN103391187B - A kind of method of cloud storage security control - Google Patents
A kind of method of cloud storage security control Download PDFInfo
- Publication number
- CN103391187B CN103391187B CN201210140964.7A CN201210140964A CN103391187B CN 103391187 B CN103391187 B CN 103391187B CN 201210140964 A CN201210140964 A CN 201210140964A CN 103391187 B CN103391187 B CN 103391187B
- Authority
- CN
- China
- Prior art keywords
- key
- user
- password
- user password
- master
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
- 238000000034 method Methods 0.000 title claims abstract description 19
- 230000006870 function Effects 0.000 claims description 3
- 239000000203 mixture Substances 0.000 description 2
- 239000000686 essence Substances 0.000 description 1
- 230000004048 modification Effects 0.000 description 1
- 238000012986 modification Methods 0.000 description 1
- 238000006467 substitution reaction Methods 0.000 description 1
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0816—Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
- H04L9/0819—Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
- H04L9/0822—Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) using key encryption key
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0861—Generation of secret information including derivation or calculation of cryptographic keys or passwords
- H04L9/0863—Generation of secret information including derivation or calculation of cryptographic keys or passwords involving passwords or one-time passwords
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0891—Revocation or update of secret information, e.g. encryption key update or rekeying
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0894—Escrow, recovery or storing of secret information, e.g. secret key escrow or cryptographic key storage
Abstract
A kind of method that the embodiment of the invention discloses cloud storage security control, to ensure the safety of cloud storage key.The method includes: utilize user password and master key to be encrypted the key being issued to each user respectively, preserves two parts of key ciphertexts;When user password is lost, utilize master key decrypted user key, and utilize new user password encrypted user key;The user key ciphertext utilizing new user password to encrypt updates the user key ciphertext of original user password encryption.
Description
Technical field
The present invention relates to cloud storage field, particularly to a kind of method of cloud storage security control.
Background technology
Along with the development of science and technology, cloud storage has increasingly becomed a kind of trend, and various cloud storage technology emerge in an endless stream, for
Ensure the safety of cloud storage data, it will usually utilize various encryption method ensureing the safety of data, but how to ensure close
The safety of key becomes again a new problem of cloud storage safety.
Summary of the invention
Embodiments provide a kind of cloud storage method of controlling security, to ensure the safety of cloud storage key.
The method of a kind of cloud storage security control that the embodiment of the present invention provides, including:
Utilize user password and master key respectively the key being issued to each user to be encrypted, preserve two parts of keys close
Literary composition;
When user password is lost, utilize master key decrypted user key, and utilize new user password encryption user close
Key;
The user key ciphertext utilizing new user password to encrypt updates the user key ciphertext of original user password encryption.
Utilize the cloud storage security system that the embodiment of the present invention provides, it is ensured that the safety of user key, even if i.e.
It it is the management staff's plaintext that also cannot access user key, it is ensured that the safety of cloud storage.
Accompanying drawing explanation
Fig. 1 is the flow chart of a kind of cloud storage method of controlling security described in the embodiment of the present invention.
Detailed description of the invention
Below in conjunction with drawings and Examples, the present invention is further elaborated.Should be appreciated that described herein
Specific embodiment is used only for explaining the present invention, is not intended to limit the present invention.
In the cloud storage method of controlling security that the embodiment of the present invention provides, after user registers, a use all can be set
The registered permanent residence makes.What the password file of system or password field stored is the digest value of original user password.When users log on, will
The user password of user's input is converted to digest value, then user is inputted user password digest value and system password file or
The user password digest value of password field storage contrasts.If both are identical, then explanation user password is correct, it is allowed to user
Log in.
After user logs in, for the needs of cloud storage safety, system is bound to distribute key for user, the most public and private
Key pair, in order to ensure the safety of user key, in the method for a kind of cloud storage security control that one embodiment of the invention provides,
As it is shown in figure 1, the method comprises the steps:
Step 101: utilize user password and master key to be encrypted the key being issued to each user respectively, preserves two
Part key ciphertext;
Step 102: when user password is lost, utilizes master key decrypted user key ciphertext, and utilizes and new use the registered permanent residence
Make encrypted user key;
Step 103: the user key ciphertext utilizing new user password to encrypt updates the user of original user password encryption
Key ciphertext.
Utilize the technical scheme that the embodiment of the present invention provides, when the user is not online, service provider backstage personnel also without
Method obtains clear text key.
When users log on, utilizing user password decruption key file, clear text key deciphering obtained is placed on interim slow
Deposit district, or be stored in server memory.When user logs off, or session time-out, delete interim key literary composition
Part.The most both having made user online, because the key of deciphering is only temporarily stored in internal memory, service provider backstage personnel also cannot
Obtain clear text key.
In embodiments of the present invention, the safety of master key is then a kind of key factor of whole system safety.In order to
Ensure the safety of master key, master key is placed in master secret server, except ensureing that master key takes with physical means
Outside the safety of business device, authorized user must not call master secret server.In order to prevent unauthorized user from calling master key
Server, only within the session valid period, user just can call, or user needs again to input its user password
Rear just can access master secret server.
It is evidenced from the above discussion that, master secret server at least has two functions: one is that the user according to a plaintext is close
Key, returns a key ciphertext through master key encryption;Two is that the user password new according to and one are through master key encryption
Key ciphertext, return with new user password encrypt key ciphertext.
If master key leaks in extreme circumstances, then reset master key, and utilize new master key to all users'
Key carries out re-encrypted.
Utilize the cloud storage security system that the embodiment of the present invention provides, it is ensured that the safety of user key, even if after
Platform manager also cannot access the plaintext of user key, it is ensured that the safety of cloud storage.
The foregoing is only presently preferred embodiments of the present invention, not in order to limit the present invention, all essences in the present invention
Within god and principle, any modification, equivalent substitution and improvement etc. made, should be included within the scope of the present invention.
Claims (5)
1. the method for a cloud storage security control, it is characterised in that including:
Utilize user password and master key respectively the key being issued to each user to be encrypted, preserve two parts of key ciphertexts;
When user password is lost, utilize master key decrypted user key, and utilize new user password encrypted user key;
The user key ciphertext utilizing new user password to encrypt updates the user key ciphertext of original user password encryption;
Described master key is positioned in master secret server, and described master secret server has the user key according to a plaintext,
Return a function through the key ciphertext of master key encryption, and/or;According to a new user password and one through master key
The key ciphertext of encryption, returns the function of the key ciphertext encrypted with new user password.
2. the method for claim 1, it is characterised in that when described master key leaks, described method farther includes:
Reset master key;
Utilize new master key that the key of all users is carried out re-encrypted;
The user key ciphertext of original master key encryption is updated by the user key ciphertext of new master key encryption.
3. the method for claim 1, it is characterised in that farther include:
Password file or the digest value of password field storage user password in system;
When users log on, the user password that user inputs is converted to digest value, then user is inputted user password summary
Value contrasts with the password file of system or the user password digest value of password field storage;
If both are identical, then explanation user password is correct, it is allowed to user logs in.
4. the method as described in claims 1 to 3 is arbitrary, it is characterised in that farther include: when users log on, utilizes and uses
The registered permanent residence makes decruption key file, and clear text key deciphering obtained is placed on temporary buffer, or is stored in server memory.
5. method as claimed in claim 4, it is characterised in that farther include: when user logs off, or session
Time-out, deletes interim key file.
Priority Applications (2)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201210140964.7A CN103391187B (en) | 2012-05-09 | 2012-05-09 | A kind of method of cloud storage security control |
| PCT/CN2012/075864 WO2013166751A1 (en) | 2012-05-09 | 2012-05-22 | Method for security control of cloud storage |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201210140964.7A CN103391187B (en) | 2012-05-09 | 2012-05-09 | A kind of method of cloud storage security control |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN103391187A CN103391187A (en) | 2013-11-13 |
| CN103391187B true CN103391187B (en) | 2016-12-14 |
Family
ID=49535352
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201210140964.7A Active CN103391187B (en) | 2012-05-09 | 2012-05-09 | A kind of method of cloud storage security control |
Country Status (2)
| Country | Link |
|---|---|
| CN (1) | CN103391187B (en) |
| WO (1) | WO2013166751A1 (en) |
Families Citing this family (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN103236934B (en) * | 2013-05-17 | 2016-09-21 | 天津书生云科技有限公司 | A kind of method of cloud storage security control |
| CN107426223B (en) * | 2017-08-01 | 2020-06-05 | 中国工商银行股份有限公司 | Cloud document encryption and decryption method, cloud document encryption and decryption device and cloud document processing system |
| CN114697007B (en) * | 2020-12-29 | 2024-01-16 | 华为技术有限公司 | Key management method, corresponding device and system |
Citations (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN1327662A (en) * | 1999-06-02 | 2001-12-19 | 皇家菲利浦电子有限公司 | Method and apparatus for secure distribution of public/private key pairs |
| CN102422590A (en) * | 2009-05-12 | 2012-04-18 | 赛贝斯股份有限公司 | Protection of encryption keys in a database |
Family Cites Families (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101465727B (en) * | 2008-12-17 | 2011-02-02 | 成都市华为赛门铁克科技有限公司 | Method for ensuring communication safety, network appliance, device and communication system |
| CN102270182B (en) * | 2011-07-04 | 2014-04-23 | 济南伟利迅半导体有限公司 | Encrypted mobile storage equipment based on synchronous user and host machine authentication |
-
2012
- 2012-05-09 CN CN201210140964.7A patent/CN103391187B/en active Active
- 2012-05-22 WO PCT/CN2012/075864 patent/WO2013166751A1/en active Application Filing
Patent Citations (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN1327662A (en) * | 1999-06-02 | 2001-12-19 | 皇家菲利浦电子有限公司 | Method and apparatus for secure distribution of public/private key pairs |
| CN102422590A (en) * | 2009-05-12 | 2012-04-18 | 赛贝斯股份有限公司 | Protection of encryption keys in a database |
Also Published As
| Publication number | Publication date |
|---|---|
| CN103391187A (en) | 2013-11-13 |
| WO2013166751A1 (en) | 2013-11-14 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN108768988B (en) | Block chain access control method, block chain access control equipment and computer readable storage medium | |
| Sookhak et al. | Security and privacy of smart cities: a survey, research issues and challenges | |
| CN105103488B (en) | By the policy Enforcement of associated data | |
| CN102664885B (en) | Identity authentication method based on biological feature encryption and homomorphic algorithm | |
| CN105027130B (en) | Delayed data access | |
| CN103457733B (en) | A kind of cloud computing environment data sharing method and system | |
| CN109587101B (en) | Digital certificate management method, device and storage medium | |
| CN103763319B (en) | Method for safely sharing mobile cloud storage light-level data | |
| CN105122265B (en) | Data safety service system | |
| AU2016201462A1 (en) | Methods and systems for distributing cryptographic data to authenticated recipients | |
| CN105103119A (en) | Data security service | |
| CN108701094A (en) | The safely storage and distribution sensitive data in application based on cloud | |
| US20190370483A1 (en) | Data Protection Method and System | |
| CN101938497A (en) | Multistage security file structure as well as file access control and secret key management user terminal, service terminal, system and method thereof | |
| US20190068614A1 (en) | Federated Messaging | |
| CN106992988A (en) | A kind of cross-domain anonymous resource sharing platform and its implementation | |
| US11349659B2 (en) | Transmitting an encrypted communication to a user in a second secure communication network | |
| WO2022148182A1 (en) | Key management method and related device | |
| KR101377352B1 (en) | Digital rights management (drm) method and equipment in small and medium enterprise (sme) and method for providing drm service | |
| CN107040520A (en) | A kind of cloud computing data-sharing systems and method | |
| Murala et al. | Secure dynamic groups data sharing with modified revocable attribute-based encryption in cloud | |
| US10791196B2 (en) | Directory lookup for federated messaging with a user from a different secure communication network | |
| US10607025B2 (en) | Access control through data structures | |
| CN103391187B (en) | A kind of method of cloud storage security control | |
| CN102138145B (en) | Cryptographically controlling access to documents |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| C06 | Publication | ||
| PB01 | Publication | ||
| C10 | Entry into substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| ASS | Succession or assignment of patent right |
Owner name: TIANJIN SHUSHENG CLOUD TECHNOLOGY CO., LTD. Free format text: FORMER OWNER: TIANJIN SHUSHENG INVESTMENT CO., LTD. Effective date: 20150108 |
|
| C41 | Transfer of patent application or patent right or utility model | ||
| COR | Change of bibliographic data |
Free format text: CORRECT: ADDRESS; FROM: 300308 HEBEI, TIANJIN TO: 300300 DONGLI, TIANJIN |
|
| TA01 | Transfer of patent application right |
Effective date of registration: 20150108 Address after: 300300 645DD18, air support center, 1 air way, Tianjin Airport Economic Zone Applicant after: TIANJIN SURDOC Corp. Address before: 300308, two floor, building 9, airport business park, 80 Ring Road North, Tianjin Airport Economic Zone Applicant before: Tianjin Shusheng Investment Co.,Ltd. |
|
| C14 | Grant of patent or utility model | ||
| GR01 | Patent grant | ||
| PP01 | Preservation of patent right | ||
| PP01 | Preservation of patent right |
Effective date of registration: 20190523 Granted publication date: 20161214 |
|
| PD01 | Discharge of preservation of patent | ||
| PD01 | Discharge of preservation of patent |
Date of cancellation: 20210523 Granted publication date: 20161214 |
|
| CP03 | Change of name, title or address | ||
| CP03 | Change of name, title or address |
Address after: Room 645dd18, aviation industry support center No.1, Baohang Road, Tianjin Binhai New Area Airport Economic Zone, 300308 Patentee after: Tianjin Zhongcheng Star Technology Co.,Ltd. Address before: Room 645dd18, aviation industry support center, Baohang Route 1, 300300 Tianjin Airport Economic Zone Patentee before: TIANJIN SURDOC Corp. |
|
| TR01 | Transfer of patent right | ||
| TR01 | Transfer of patent right |
Effective date of registration: 20210715 Address after: 100089 No. 4060, podium, 4th floor, 69 Zizhuyuan Road, Haidian District, Beijing Patentee after: Beijing Shusheng cloud Technology Co.,Ltd. Address before: Room 645dd18, aviation industry support center No.1, Baohang Road, Tianjin Binhai New Area Airport Economic Zone, 300308 Patentee before: Tianjin Zhongcheng Star Technology Co.,Ltd. |
|
| TR01 | Transfer of patent right | ||
| TR01 | Transfer of patent right |
Effective date of registration: 20230506 Address after: 1101-13, 11th floor, building 1, courtyard 1, Shangdi 10th Street, Haidian District, Beijing 100085 Patentee after: Beijing Shusheng Information Technology Co.,Ltd. Address before: 100089 No. 4060, podium, 4th floor, 69 Zizhuyuan Road, Haidian District, Beijing Patentee before: Beijing Shusheng cloud Technology Co.,Ltd. |