CN103425941A - Cloud storage data integrity verification method, equipment and server - Google Patents

Publication number: CN103425941A
Authority: CN (China)
Legal status: Granted; Active
Application number: CN2013103301557A
Other languages: Chinese (zh)
Other versions: CN103425941B (en)
Inventors: 刘, 唐春明, 王胜男, 张永强
Current Assignee: GUANGDONG CERTIFICATE AUTHORITY CENTER CO Ltd; Guangzhou University
Original Assignee: GUANGDONG CERTIFICATE AUTHORITY CENTER CO Ltd; Guangzhou University
Application filed by GUANGDONG CERTIFICATE AUTHORITY CENTER CO Ltd and Guangzhou University
Priority to CN201310330155.7A
Publication of CN103425941A; application granted; publication of CN103425941B
Classification: Storage Device Security

Abstract

The invention provides a cloud storage data integrity verification method comprising the steps of: generating an identifier for a file to be stored and encoding the file to obtain a plurality of module files; computing an authentication tag for each module file using the user's public key and private key, and generating public authentication data for each authentication tag; submitting the identifier, the module files and the authentication tags to a server; generating a file integrity query request, sending it to the server, and receiving the report information of the file returned by the server, which the server generates using the user's public key, the identifier, the module files and the authentication tags corresponding to the module files; and verifying the report information using the user's public key and the public authentication data. The invention further provides corresponding equipment and a verification server, so that the integrity of cloud storage data can be publicly verified.

Description

Cloud storage data integrity verification method, equipment and server
Technical field
The present invention relates to the technical field of cloud storage, and in particular to a method for verifying the integrity of cloud storage data, a device for verifying the integrity of cloud storage data, and a verification server for the integrity of cloud storage data.
Background
Cloud storage is an emerging approach that places storage resources on the network for people to access. Compared with traditional storage, cloud storage has advantages in economy, scale and management that cannot be ignored. For example, when a client cannot store a large number of data files because its local storage space is too small, the client does not need to upgrade its own hardware to solve the problem; for a reasonable fee, it can store this mass of data in the cloud offered by a cloud storage service provider and save itself much unnecessary trouble. Although the convenience of cloud storage is obvious, the security problems that come with it cannot be ignored: to save resources or for economic reasons, the server may delete or modify the files that the user has uploaded. For a careful cloud storage user, verifying the integrity of the data files stored in the cloud is therefore essential.
Suppose the uploading user stores some data files in the cloud, deletes the local copies, and shares the stored files with other users; the users sharing these files can then each verify the integrity of the files independently. In other words, in some special situations (such as on a train or an aircraft), the uploading user cannot personally verify the integrity of the data files he has stored in the cloud, and has to entrust a trusted party (a relative, friend or subordinate) to verify the integrity of the stored files for him. In these situations, sending one's own private key to others so that they can verify the integrity of the stored data files obviously carries a great security risk. It is therefore necessary to design a storage proof scheme that supports public verification in order to solve this security problem.
Ateniese et al. were the first to give a definition of publicly verifiable schemes, and formally described the storage proof problem as the provable data storage (PDP) problem. However, the publicly verifiable PDP scheme they proposed is unsatisfactory in terms of communication and computational efficiency at the cloud storage server.
Juels and Kaliski first proposed the concept of proofs of retrievability (POR) and described a secure POR system in detail. Briefly, in a secure POR system, if the cloud storage server returns correct responses to the queries sent by the user, the user accepts; after the user and the server have interacted repeatedly within polynomial time, the user can recover the original data file from the interaction information. The first scheme in that work is not publicly verifiable (it supports only private-key verification) and supports only a predefined constant number of verifications; the second scheme supports public verification an unlimited number of times, but requires the server to send O(l) authentication values during the verification interaction.
Shacham and Waters likewise gave two effective POR schemes, of which the first supports only private-key verification and the second is publicly verifiable, but both schemes have a comparatively high computation cost at the user and at the cloud server.
In addition, using homomorphic cryptographic methods, Xu Jia proposed several POR schemes, but these schemes likewise support only private-key verification. Alptekin Kupcu proposed the first efficient fully dynamic PDP scheme, in which the user can update the files stored in the cloud and still verify their integrity; however, when the scheme is extended to support public verification, it incurs higher computation and communication costs. Yuan Jiawei and Yu Shucheng likewise gave a publicly verifiable POR scheme; by using a secure polynomial commitment scheme, their scheme achieves a fixed communication cost, but it requires the server to perform many exponentiations.
Summary of the invention
On this basis, the invention provides a verification method, a verification device and a verification server for the integrity of cloud storage data, with which the integrity of cloud storage data can be publicly verified.
A method for verifying the integrity of cloud storage data comprises the following steps:
Generating an identifier for the file to be stored, and encoding the file to obtain a plurality of module files;
Computing an authentication tag for each module file using the user's public key and private key, and generating public authentication data for each authentication tag;
Submitting the identifier, the module files and the authentication tags to the server;
Generating a file integrity query request, sending the query request to the server, and receiving the report information of the file returned by the server, which is generated using the user's public key, the identifier, the module files and the authentication tags corresponding to the module files;
Verifying the report information using the user's public key and the public authentication data.
A method for verifying the integrity of cloud storage data comprises the following steps:
Receiving and storing the identifier, the module files and the authentication tags corresponding to the module files sent by the user side;
Receiving the file integrity query request sent by the user side, generating report information using the user's file integrity query request, the public key, the identifier, the module files and the authentication tags corresponding to the module files, and feeding it back to the user side for verification by the user side.
A device for verifying the integrity of cloud storage data comprises:
A coding module, for generating an identifier for the file to be stored and encoding the file into modules to obtain a plurality of module files;
A generation module, for computing an authentication tag for each module file using the user's public key and private key, and generating public authentication data for each authentication tag;
A submission module, for submitting the identifier, the module files and the authentication tags to the server;
A query module, for generating a file integrity query request, sending the query request to the server, and receiving the report information of the file returned by the server, which is generated using the user's public key, the identifier, the module files and the authentication tags corresponding to the module files;
A verification module, for verifying the report information using the user's public key and the public authentication data.
A verification server for the integrity of cloud storage data comprises:
A receiving module, for receiving and storing the identifier, the module files and the authentication tags corresponding to the module files sent by the user side;
A feedback module, for receiving the file integrity query request sent by the user side, generating report information using the user's file integrity query request, the public key, the identifier, the module files and the authentication tags corresponding to the module files, and feeding it back to the user side for verification by the user side.
With the above verification method, device and server, the user computes authentication tags over the module files obtained after encoding and then generates public authentication data, and the server stores the module files and their authentication tags. When the file needs to be verified, no private information of the user has to be provided: the server uses the user's public key to generate report information from the stored module files and authentication tags, and the verifier then verifies the report information with the user's public key, achieving public verification of the integrity of cloud storage data. The invention allows any authorized verifier to verify the integrity of the data files that the user has stored in the cloud without obtaining the user's private information and without downloading the files.
Description of the drawings
Fig. 1 is a schematic flow chart of the cloud storage data integrity verification method of the present invention in Embodiment 1.
Fig. 2 is a schematic flow chart of the cloud storage data integrity verification method of the present invention in Embodiment 2.
Fig. 3 is a schematic flow chart of the cloud storage data integrity verification method of the present invention in Embodiment 3.
Fig. 4 is a schematic structural diagram of the cloud storage data integrity verification device of the present invention in Embodiment 4.
Fig. 5 is a schematic structural diagram of the cloud storage data integrity verification server of the present invention in Embodiment 5.
Detailed description
The present invention is described in further detail below with reference to embodiments and the accompanying drawings, but the embodiments of the present invention are not limited to these.
The scheme of the present invention may involve three classes of participants: users, the cloud server and verifiers. The user stores certain files on the cloud server and deletes them locally. The cloud server claims to be able to store the client's data files intact. The verifier is authorized to verify the integrity of the client's data files stored on the cloud server, and does not need the client's private data.
Embodiment 1
Fig. 1 shows a schematic flow chart of the cloud storage data integrity verification method of the present invention in this embodiment, which is described taking the processing flow at the user side as an example and comprises the following steps:
S11, generating an identifier for the file to be stored, and encoding the file to obtain a plurality of module files;
S12, computing an authentication tag for each module file using the user's public key and private key, and generating public authentication data for each authentication tag;
S13, submitting the identifier, the module files and the authentication tags to the server;
S14, generating a file integrity query request, sending the query request to the server, and receiving the report information of the file returned by the server, which is generated using the user's public key, the identifier, the module files and the authentication tags corresponding to the module files;
S15, verifying the report information using the user's public key and the public authentication data.
In step S11, before uploading a file to the cloud server the user needs to preprocess it and generate the identifier of the file. The file F to be stored is then divided into modules, for which a rate-ρ algorithm can be used: the user first sets a system parameter $\rho \in (0,1)$ and applies a rate-ρ error-correcting code to encode the data file F into a plurality of module files $(F_0, \ldots, F_{n-1})$, such that each module $F_i \in \{0,1\}^{M\lambda}$ and any $\rho n$ modules $F_i$ suffice to recover the original data file F, where n is the total number of module files.
In this embodiment, the user's public key and private key can be generated with the RSA key generation algorithm; the specific generation steps are as follows:
The uploading user randomly chooses a λ-bit RSA modulus $N = pq$ such that
Figure BDA00003603329800051
Figure BDA00003603329800052
are both prime, and p and q have the same bit length;
Let
Figure BDA00003603329800053
where
Figure BDA00003603329800059
(N) is Euler's function, denoting the number of positive integers that are not greater than N and coprime to N;
Randomly choose a generator g from $QR_N$, where $QR_N$ denotes the quadratic residue subgroup modulo N;
Randomly choose
Figure BDA00003603329800054
where
Figure BDA00003603329800055
denotes the residue classes coprime to
Figure BDA00003603329800056
under the modulus
Figure BDA00003603329800057
;
Randomly choose a seed $seed$ from the key space of the pseudo-random function family $\{\mathrm{PRF}_{seed}: \{0,1\}^{2\lambda} \to \mathbb{Z}_{\varphi(N)}\}$;
Let $g_\tau = g^{\tau}$; the public key is $pk = (N, g, g_\tau)$ and the private key is $sk = (p, q, \tau, seed)$.
In one embodiment, the identifier of the file satisfies the constraint $id \in \{0,1\}^{\lambda}$, where id is the identifier and λ is the bit length of the modulus in the user's public key.
After obtaining the module files $F_i$, the user uses the public key and private key to compute the authentication tag of each module file, and then generates public authentication data for each authentication tag;
The step of computing the authentication tag of each module file using the user's public key and private key can be:
Generate the authentication tag according to the following formula:
Figure BDA00003603329800058
where i is the index of the module file, $F_i$ is the i-th module file, $\sigma_i$ is the authentication tag corresponding to module file i, τ is the random number in the user's private key, $\mathrm{PRF}_{seed}$ is the pseudo-random function corresponding to the random seed $seed$ in the user's private key, $i \in [0, n-1]$, n is the total number of module files, and N is the modulus in the user's public key.
The step of generating public authentication data for each authentication tag can be:
Generate each item of public authentication data according to the following formula:
$g_i = g^{\mathrm{PRF}_{seed}(id \| i)}$
where $g_i$ is the public authentication data of the i-th module file and g is the generator in the user's public key.
After the module files have been processed, the user uploads the file to the cloud server. In step S13, the data that the user submits to the cloud server only needs to include the identifier, the module files and their corresponding authentication tags; that is, the cloud user can send
Figure BDA00003603329800062
to the server, storing only (id, n) locally and publishing
Figure BDA00003603329800063
where $g^{\sigma} = \prod_{i \in C} (g_i)^{\nu_i} \cdot g_\tau^{M} \bmod N$
After the data have been submitted successfully, the verifier can generate a file integrity query request, send the query request to the server, and receive the report information returned by the server; finally the verifier verifies this report information to judge the integrity of the data;
In one embodiment, the step of generating the file integrity query request can be:
Randomly choose a subset C of size $|C| = l$. For each $i \in C$, randomly choose a weight $\nu_i$ from
Figure BDA00003603329800066
The query request is $\{(i, \nu_i): i \in C\}$;
The step of verifying the report information is:
Judge whether the following equation holds:
$g^{\sigma} = \prod_{i \in C} (g_i)^{\nu_i} \cdot g_\tau^{M} \bmod N$
where the report information is $(M, \sigma)$, $M = \sum_{i \in C} \nu_i F_i \bmod N$, $\sigma = \sum_{i \in C} \nu_i \sigma_i \bmod N$, i is the index of the module file, n is the total number of module files, $\nu_i$ is the random weight corresponding to index i, $F_i$ is the i-th module file, N is the modulus in the user's public key, and $\sigma_i$ is the authentication tag corresponding to the i-th module file;
If the equation holds, the file is stored intact; if it does not hold, the stored file is not intact.
Embodiment 2
Fig. 2 shows a schematic flow chart of the cloud storage data integrity verification method of the present invention in this embodiment, which is described taking the processing flow at the cloud server as an example and comprises the following steps:
S22, receiving and storing the identifier, the module files and the authentication tags corresponding to the module files sent by the user side;
S23, receiving the file integrity query request sent by the user side, generating report information using the user's file integrity query request, the public key, the identifier, the module files and the authentication tags corresponding to the module files, and feeding it back to the user side for verification by the user side.
In one embodiment, the file verification request comprises the indices of module files and the random weight corresponding to each index;
The report information is $(M, \sigma)$, generated according to the following formulas:
$M = \sum_{i \in C} \nu_i F_i \bmod N, \quad \sigma = \sum_{i \in C} \nu_i \sigma_i \bmod N$
where i is the index of the module file,
Figure BDA00003603329800071
n is the total number of module files, $\nu_i$ is the random weight corresponding to index i, $F_i$ is the i-th module file, N is the modulus in the user's public key, and $\sigma_i$ is the authentication tag corresponding to the i-th module file.
Embodiment 3
As shown in Fig. 3, the processing flow of the present invention is set out again through a specific embodiment, which is described taking the two-way interaction between the user side and the server as an example.
S31, the user side generates an identifier for the file to be stored and encodes the file to obtain a plurality of module files;
S32, the user side computes an authentication tag for each module file using the user's public key and private key, and generates public authentication data for each authentication tag;
S33, the user side submits the identifier, the module files and the authentication tags to the server;
S34, the server receives and stores the identifier, the module files and the authentication tags corresponding to the module files sent by the user;
S35, the user side generates a file integrity query request and sends the query request to the server;
S36, on receiving the query request sent by the user, the server generates the report information of the file using the user's public key, the identifier, the module files and the authentication tags corresponding to the module files, and feeds it back to the user side;
S37, the user side receives the report information returned by the server;
S38, the user side verifies the report information using the user's public key and the public authentication data;
1. Key generation: $1^{\lambda} \to (pk, sk)$
a) The uploading user randomly chooses a λ-bit RSA modulus $N = pq$ such that
Figure BDA00003603329800081
Figure BDA00003603329800082
are both prime, and p and q have the same bit length;
b) Let
Figure BDA00003603329800083
where
Figure BDA00003603329800084
is Euler's function, denoting the number of positive integers that are not greater than N and coprime to N;
c) Randomly choose a generator g from $QR_N$, where $QR_N$ denotes the quadratic residue subgroup modulo N;
d) Randomly choose
Figure BDA00003603329800085
where
Figure BDA00003603329800086
denotes the residue classes coprime to
Figure BDA00003603329800087
under the modulus
Figure BDA00003603329800088
;
e) Randomly choose a seed $seed$ from the key space of the pseudo-random function family
Figure BDA00003603329800089
;
Let $g_\tau = g^{\tau}$; the public key is $pk = (N, g, g_\tau)$ and the private key is $sk = (p, q, \tau, seed)$.
2. Encoding: $(sk, F) \to (id, \bar{F}, n, \{g_i\}_{i=1}^{n})$
a) The uploading user sets a system parameter $\rho \in (0,1)$ and applies a rate-ρ error-correcting code to encode the data file F into file modules $(F_0, \ldots, F_{n-1})$, such that each module $F_i \in \{0,1\}^{M\lambda}$ and any $\rho n$ modules $F_i$ suffice to recover the original data file F;
b) Select a unique identifier $id \in \{0,1\}^{\lambda}$ for the file F;
c) For each data file module $F_i$, $i \in [0, n-1]$, compute an authentication tag
d) Let the encoded file be
Send
Figure BDA000036033298000813
to the cloud storage server;
e) For each $\sigma_i$, compute one item of public verification data
Figure BDA000036033298000814
The encoded file is
Figure BDA000036033298000815
The client sends
Figure BDA000036033298000816
to the server, storing only (id, n) locally and publishing
Figure BDA000036033298000817
3. Challenge: $(id, n) \to Q$
a) The verifier randomly chooses a subset C of size $|C| = l$
Figure BDA00003603329800094
b) For each $i \in C$, the verifier randomly chooses a weight $\nu_i$ from
Figure BDA00003603329800095
Let $Q = \{(i, \nu_i): i \in C\}$;
4. Proof: $(id, \bar{F}, Q) \to (M, \sigma)$
a) The cloud server receives (id, Q) sent by the verifier;
b) The cloud server looks up the encoded file according to the identifier id
Figure BDA00003603329800091
c) The cloud server computes the report message $(M, \sigma)$:
$M = \sum_{i \in C} \nu_i F_i \bmod N, \quad \sigma = \sum_{i \in C} \nu_i \sigma_i \bmod N$.
The server sends $(M, \sigma)$ to the verifier.
5. Verification: $(pk, \{g_i\}_{i=0}^{n-1}, Q, (M, \sigma)) \to$ reject or accept
Using the public key pk and the corresponding public information sequence $\{g_i\}$, the verifier checks whether the following equation holds:
$g^{\sigma} = \prod_{i \in C} (g_i)^{\nu_i} \cdot g_\tau^{M} \bmod N$.
If the equation holds, output "accept", meaning that the file is intact; otherwise output "reject", meaning that the file is not intact.
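The five algorithms of Embodiment 3, run end to end against an honest server and against one that has altered a challenged block; this is an added example, not code from the patent. Assumptions made here: the tag formula is an image missing from this page, so the example uses sigma_i = PRF_seed(id||i) + tau*F_i mod phi(N), the form that satisfies the verification equation above; p and q are taken to be safe primes; HMAC-SHA512 stands in for the PRF; the error-correcting encoding is skipped and the file is only split into blocks; weights are 32-bit; and the server's sums M and sigma are left as unreduced integers, because the server does not know the order of g.

```python
import hashlib
import hmac
import secrets
from math import gcd

def is_prime(n, rounds=40):
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def safe_prime(bits):
    """Return (p, p') with p = 2p' + 1, both prime (assumed shape of p and q)."""
    while True:
        pp = secrets.randbits(bits - 1) | (1 << (bits - 2)) | 1
        if is_prime(pp) and is_prime(2 * pp + 1):
            return 2 * pp + 1, pp

def keygen(bits=128):
    """pk = (N, g, g_tau), sk = (p, q, tau, seed); 128-bit primes are demo-sized."""
    (p, pp), (q, qp) = safe_prime(bits), safe_prime(bits)
    while q == p:
        q, qp = safe_prime(bits)
    N, order = p * q, pp * qp
    while True:  # generator of QR_N: a square whose order is exactly p'q'
        g = pow(secrets.randbelow(N - 2) + 2, 2, N)
        if gcd(g, N) == 1 and pow(g, pp, N) != 1 and pow(g, qp, N) != 1:
            break
    while True:  # tau must be invertible modulo the group order
        tau = secrets.randbelow(order - 1) + 1
        if gcd(tau, order) == 1:
            break
    return (N, g, pow(g, tau, N)), (p, q, tau, secrets.token_bytes(32))

def prf(seed, file_id, i, phi):
    """PRF_seed(id || i) mapped into Z_phi(N); HMAC-SHA512 is an assumed choice."""
    mac = hmac.new(seed, file_id + i.to_bytes(8, "big"), hashlib.sha512).digest()
    return int.from_bytes(mac, "big") % phi

def encode(pk, sk, data, block_size=16):
    """Split data into blocks F_i, tag each one, and derive the public g_i."""
    (N, g, _), (p, q, tau, seed) = pk, sk
    phi = (p - 1) * (q - 1)
    file_id = secrets.token_bytes(16)
    blocks = [int.from_bytes(data[o:o + block_size], "big")
              for o in range(0, len(data), block_size)]
    r = [prf(seed, file_id, i, phi) for i in range(len(blocks))]
    tags = [(r_i + tau * F) % phi for r_i, F in zip(r, blocks)]  # assumed formula
    g_pub = [pow(g, r_i, N) for r_i in r]
    return file_id, blocks, tags, g_pub

def challenge(n, l, weight_bits=32):
    """Q = {(i, v_i)}: l distinct block indices with random non-zero weights."""
    chosen = secrets.SystemRandom().sample(range(n), l)
    return [(i, secrets.randbits(weight_bits) + 1) for i in chosen]

def prove(blocks, tags, Q):
    """Server side: weighted sums over the challenged blocks and their tags."""
    return (sum(v * blocks[i] for i, v in Q), sum(v * tags[i] for i, v in Q))

def verify(pk, g_pub, Q, report):
    """Public check: g^sigma == prod(g_i^v_i) * g_tau^M (mod N); no private key."""
    (N, g, g_tau), (M, sigma) = pk, report
    rhs = pow(g_tau, M, N)
    for i, v in Q:
        rhs = rhs * pow(g_pub[i], v, N) % N
    return pow(g, sigma, N) == rhs

def demo():
    """Honest server passes; a server that altered a challenged block fails."""
    pk, sk = keygen()
    data = b"constructed sample file contents for the audit demo " * 4
    _, blocks, tags, g_pub = encode(pk, sk, data)
    Q = challenge(len(blocks), 4)
    honest = verify(pk, g_pub, Q, prove(blocks, tags, Q))
    damaged = list(blocks)
    damaged[Q[0][0]] ^= 1  # one flipped bit in a block the verifier asked about
    return honest, verify(pk, g_pub, Q, prove(damaged, tags, Q))

if __name__ == "__main__":
    print(demo())
```

A change to a block outside the challenged subset C is not caught by that round, which is why the verifier draws C at random for every query.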
Embodiment 4
Fig. 4 shows a schematic structural diagram of the cloud storage data integrity verification device of the present invention in this embodiment, which is described in terms of user equipment and comprises:
A coding module 41, for generating an identifier for the file to be stored and encoding the file to obtain a plurality of module files;
A generation module 42, for computing an authentication tag for each module file using the user's public key and private key, and generating public authentication data for each authentication tag;
A submission module 43, for submitting the identifier, the module files and the authentication tags to the server;
A query module 44, for generating a file integrity query request, sending the query request to the server, and receiving the report information of the file returned by the server, which is generated using the user's public key, the identifier, the module files and the authentication tags corresponding to the module files;
A verification module 45, for verifying the report information using the user's public key and the public authentication data.
In one embodiment, the user's public key and private key in the generation module 42 are generated with the RSA key algorithm:
Randomly choose a λ-bit RSA modulus $N = pq$ such that
Figure BDA00003603329800101
Figure BDA00003603329800102
are both prime, and p and q have the same bit length;
Let
Figure BDA00003603329800103
where (N) is Euler's function, denoting the number of positive integers that are not greater than N and coprime to N;
Randomly choose a generator g from $QR_N$, where $QR_N$ denotes the quadratic residue subgroup modulo N;
Randomly choose
Figure BDA00003603329800105
where
Figure BDA00003603329800106
denotes the residue classes coprime to
Figure BDA00003603329800107
under the modulus
Figure BDA00003603329800108
;
Randomly choose a seed $seed$ from the key space of the pseudo-random function family
Figure BDA00003603329800109
;
Let $g_\tau = g^{\tau}$; the user's public key is $pk = (N, g, g_\tau)$ and the user's private key is $sk = (p, q, \tau, seed)$.
In one embodiment, the identifier of the file satisfies the constraint $id \in \{0,1\}^{\lambda}$, where id is the identifier and λ is the bit length of the modulus in the user's public key.
In one embodiment, the generation module is also used for:
Generating the authentication tag according to the following formula:
Figure BDA000036033298001010
where i is the index of the module file, $F_i$ is the i-th module file, $\sigma_i$ is the authentication tag corresponding to module file i, τ is the random number in the user's private key, $\mathrm{PRF}_{seed}$ is the pseudo-random function corresponding to the random seed $seed$ in the user's private key, $i \in [0, n-1]$, n is the total number of module files, and N is the modulus in the user's public key.
In one embodiment, the generation module is also used for:
Generating each item of public authentication data according to the following formula:
$g_i = g^{\mathrm{PRF}_{seed}(id \| i)}$
where $g_i$ is the public authentication data of the i-th module file and g is the generator in the user's public key.
In one embodiment, the query module is also used for:
Randomly choosing a subset C of size $|C| = l$
Figure BDA00003603329800116
For each $i \in C$, randomly choosing from
Figure BDA00003603329800112
a weight $\nu_i$; the query request is $\{(i, \nu_i): i \in C\}$.
In one embodiment, the verification module is also used for:
Judging whether the following equation holds:
$g^{\sigma} = \prod_{i \in C} (g_i)^{\nu_i} \cdot g_\tau^{M} \bmod N$
where the report information is $(M, \sigma)$, $M = \sum_{i \in C} \nu_i F_i \bmod N$, $\sigma = \sum_{i \in C} \nu_i \sigma_i \bmod N$, i is the index of the module file,
Figure BDA00003603329800117
n is the total number of module files, $\nu_i$ is the random weight corresponding to index i, $F_i$ is the i-th module file, N is the modulus in the user's public key, and $\sigma_i$ is the authentication tag corresponding to the i-th module file;
If the equation holds, the file is stored intact; if it does not hold, the stored file is not intact.
Embodiment 5
Fig. 5 shows a schematic structural diagram of the cloud storage data integrity verification server of the present invention in this embodiment, which is described taking the server as an example and comprises:
A receiving module 51, for receiving and storing the identifier, the module files and the authentication tags corresponding to the module files sent by the user side;
A feedback module 52, for receiving the file integrity query request sent by the user side, generating report information using the user's file integrity query request, the public key, the identifier, the module files and the authentication tags corresponding to the module files, and feeding it back to the user side for verification by the user side.
In one embodiment, the file verification request comprises the indices of module files and the random weight corresponding to each index;
The report information is $(M, \sigma)$, and the feedback module is also used for generating the report information according to the following formulas:
$M = \sum_{i \in C} \nu_i F_i \bmod N, \quad \sigma = \sum_{i \in C} \nu_i \sigma_i \bmod N$
where i is the index of the module file,
Figure BDA00003603329800118
n is the total number of module files, $\nu_i$ is the random weight corresponding to index i, $F_i$ is the i-th module file, N is the modulus in the user's public key, and $\sigma_i$ is the authentication tag corresponding to the i-th module file.
The beneficial effects of the present invention are set forth next.
First, the following definitions are given:
Definition 1: If, for any output of the algorithms defined above (key generation, encoding, challenge, proof, verification), the response returned by the proof algorithm makes the verification algorithm output accept, and the verification process does not involve any private key sk output by the key generation algorithm, then the scheme formed by these algorithms is called publicly provable data storage (PPDP).
Definition 2: A PPDP scheme is complete if, whenever an honest cloud server really stores the client's data file intact and honestly runs the proof algorithm to generate a response, that response is always accepted by the verifier.
To prove the security of the PPDP scheme, a security game is introduced here.
Setup: The challenger runs the key generation algorithm to generate a public/private key pair (pk, sk). The challenger publishes the public key pk and keeps only the private key sk.
Learning: The attacker adaptively makes the following queries:
Store query: The attacker chooses a data file F and sends it to the challenger, and the challenger returns
Figure BDA00003603329800121
as the response. At the end of this step the challenger keeps only (id, n), while the attacker obtains the encoded file and the corresponding file identifier id and a set of public authentication information
Figure BDA00003603329800122
Verification query: The attacker sends a file identifier id to the challenger. If id was produced by the attacker in an earlier store query, the challenger initiates the following verification challenge to the attacker for the file F corresponding to id:
Using the metadata n, the challenger selects a random challenge Q and sends it to the attacker.
For the query Q sent by the challenger, the attacker generates a response R and returns it to the challenger (R may be generated in any manner).
The challenger runs the verification algorithm to verify R and outputs b ∈ {accept, reject}.
The challenger sends the resulting bit b to the attacker. Otherwise, if id was not generated by the attacker in an earlier store query, the challenger does nothing.
Commit: The attacker selects a file identifier id* from the learning phase and sends it to the challenger. Let F* denote the data file associated with id*.
Retrieve: The challenger initiates polynomially many PPDP verification queries on the data file F*, with the challenger acting as the verifier and the attacker playing the cloud storage server. From these interactions the challenger can obtain a data file module F' using some PPT recovery algorithm. If the attacker's responses to the challenger's queries make the challenger output accept during verification, the attacker wins the game; if the file module F' obtained by the challenger equals the original file module F*, the challenger wins the game.
From the above security game, the following definition is given:
Definition 3: A PPDP scheme is sound if, in the security game defined above, the difference between the probability that the attacker wins and the probability that the challenger wins is negligible. (For a query Q initiated by the challenger, the event that the attacker outputs a response (M′, σ′) that passes verification while (M′, σ′) ≠ (M, σ) occurs with negligible probability, where (M, σ) denotes the actual response output by the proof algorithm.)
Lemma 1 (completeness of PPDP): The above PPDP scheme is complete in the sense of Definition 2.
Proof:
$$\begin{aligned}
g^{\sigma} &= g^{\sum_{i\in C}\nu_i\sigma_i} \bmod N\\
&= g^{\sum_{i\in C}\nu_i\,PRF_{seed}(id\|i)+\sum_{i\in C}\nu_i\tau F_i} \bmod N\\
&= \prod_{i\in C}\left(g^{PRF_{seed}(id\|i)}\right)^{\nu_i}\cdot g^{\tau M} \bmod N\\
&= \prod_{i\in C}(g_i)^{\nu_i}\, g_\tau^{M} \bmod N
\end{aligned}$$
Theorem 1: If the pseudo-random function family PRF in the present invention is secure, and the discrete logarithm problem and the large-integer factorization problem are both intractable, then the PPDP scheme of the present invention is sound.
Before proving this conclusion, the following lemma is given first.
Lemma 2: If the pseudo-random function family PRF in the present invention is secure, and the discrete logarithm problem and the large-integer factorization problem are both intractable, then the probability that a PPT attacker obtains some useful information about τ after interacting in the security game And since λ ≈ log N ≈ 2 + 2 log p′,
Figure BDA00003603329800136
is negligible, where φ(N), p′ and q′ are defined in the key generation algorithm, and p′ = min{p′, q′}.
Proof: Because the pseudo-random function PRF is secure, no PPT attacker in the security game can distinguish the output of PRF from a truly random number in $\mathbb{Z}_{\varphi(N)}$. The secret value τ is therefore well hidden in $\sigma_i$. Moreover, because the DLP problem is hard, no PPT attacker can obtain any useful information about τ from $g_\tau$ in the public key pk. Hence no PPT attacker obtains any useful information about τ from the security game.
Proof of Theorem 1: Suppose the attacker, acting as the cloud server, generates in some manner a valid response (M′, σ′) that the challenger accepts, while the actual response generated by the proof algorithm is (M, σ). The verification equation then holds both for the valid response (M′, σ′) and for the true response (M, σ). So we have
$$g^{\sigma}=\prod_{i\in C}(g_i)^{\nu_i}\, g_\tau^{M} \bmod N \qquad (1)$$
$$g^{\sigma'}=\prod_{i\in C}(g_i)^{\nu_i}\, g_\tau^{M'} \bmod N \qquad (2)$$
Dividing equation (1) by equation (2) gives
$$\begin{aligned}
\frac{g^{\sigma}}{g^{\sigma'}} &= \frac{\prod_{i\in C}(g_i)^{\nu_i}\, g_\tau^{M}}{\prod_{i\in C}(g_i)^{\nu_i}\, g_\tau^{M'}} \bmod N\\
g^{\sigma-\sigma'} \bmod N &= g_\tau^{M-M'} \bmod N\\
&= g^{(M-M')\tau} \bmod N
\end{aligned}$$
From the above calculation, the attacker obtains the following equation
$$g^{\sigma-\sigma'}=g^{(M-M')\tau} \bmod N \qquad (3)$$
For equation (3), consider the following two cases.
Case 1: M ≠ M′. If M and M′ are not equal, the PPT attacker can obtain some useful information about τ from equation (3) above. According to Lemma 2, however, the probability that this case occurs is negligible. (Otherwise, there would exist another attacker β that could call the above attacker to solve the DLP problem with non-negligible probability.)
Case 2: M = M′. When M = M′, the challenger wins the security game. Here $M'=\sum_{i\in C}\nu_i F_i$, which is a system of linear equations in the encoded modules whose coefficients are the challenger's weight set $\{\nu_i\}_{i\in C}$. Therefore, to obtain l=|C| linearly independent equations in the unknowns $F_i$, i ∈ C, the challenger needs to run the protocol l=|C| times on the same index set C. By solving this system of linear equations, the challenger can recover the original file modules $F_i$, i ∈ C.
From the above analysis, the following corollary is obtained:
Corollary 1: The probability that the attacker wins the security game equals the probability that case 1 occurs plus the probability that case 2 occurs. That is,
Pr[attacker wins the security game] = Pr[case 1 occurs] + Pr[case 2 occurs]
Because Pr[case 1 occurs] is negligible, and case 2 means that the challenger wins the security game, Theorem 1 is proven.
The present invention allows any authorized verifier, without obtaining the client's secret knowledge, to verify the integrity of the data files the client has stored in the cloud, and without downloading all of those files.
The server of the present invention does not need to perform any exponentiation, so in terms of computational efficiency it is more effective and more practical than many existing public verification schemes.
Complexity analysis: The cloud storage server uses the homomorphic property to aggregate the pairs $(F_i, \sigma_i)$ queried by the verifier into a single module, and returns the computed (M, σ) to the verifier as the response. This makes the present invention very efficient in communication and in server-side computation: both the user and the server incur Ο(λ) communication cost and Ο(λ) storage cost, where λ is the bit length of N. For each query sent by the verifier, the response returned by the server is 2λ bits in size. The server needs only 2l multiplications and 2l additions to generate such a response, which in this respect makes the scheme of the present invention better than many existing public verification schemes. After receiving the server's response, the verifier needs to perform l+2 exponentiations and l+1 multiplications to run the verification algorithm, which is comparable to those existing public verification schemes. All of these computation costs are therefore linear in the number of elements in the query. From the tags $\sigma_i \in \{0,1\}^{\lambda}$ and $F_i \in \{0,1\}^{M\lambda}$, the storage cost of the server is known to be But in the setup phase, the client needs to perform one group multiplication, one group addition and one PRF evaluation for each data module to generate the corresponding tag. In addition, the client also needs to perform one group exponentiation to generate the public information $g_i$; all of this preprocessing can be carried out offline. Here l=|C| denotes the number of indices selected in the verification process.
The above embodiments express only several implementations of the present invention, and their description is relatively specific and detailed, but they should not therefore be construed as limiting the scope of the patent. It should be pointed out that a person of ordinary skill in the art can make several variations and improvements without departing from the inventive concept, and these all fall within the protection scope of the present invention. The protection scope of this patent shall therefore be determined by the appended claims.
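The challenge, report and public verification steps described above, as an added Python example that is not code from the patent. It assumes HMAC-SHA256 as the PRF, toy 48-bit safe primes, a plain fixed-size split in place of the encoding step, and tags of the form PRF_seed(id‖i) + τ·F_i reduced modulo p′q′ (the form the completeness proof expands); the server's sums are kept as plain integers rather than reduced mod N, because the verifier uses M and σ as exponents.

```python
import hashlib
import hmac
import secrets
from math import gcd

PRIME_BITS = 48  # toy size, constructed for this example only

def is_prime(n):
    """Miller-Rabin; this base set is deterministic for n < 3.3e24."""
    bases = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    if n < 2:
        return False
    for b in bases:
        if n % b == 0:
            return n == b
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def safe_prime(bits):
    """Return (p, p') with p = 2p' + 1 and both prime."""
    while True:
        pp = secrets.randbits(bits - 1) | (1 << (bits - 2)) | 1
        if is_prime(pp) and is_prime(2 * pp + 1):
            return 2 * pp + 1, pp

def keygen():
    """pk = (N, g, g_tau); sk holds p'q' (derived from p, q), tau, seed."""
    p, pp = safe_prime(PRIME_BITS)
    q, qp = safe_prime(PRIME_BITS)
    while q == p:
        q, qp = safe_prime(PRIME_BITS)
    n_mod, order = p * q, pp * qp  # |QR_N| = p'q'
    while True:  # pick g of full order p'q' in QR_N
        g = pow(secrets.randbelow(n_mod - 3) + 2, 2, n_mod)
        if gcd(g, n_mod) == 1 and pow(g, pp, n_mod) != 1 and pow(g, qp, n_mod) != 1:
            break
    while True:  # tau invertible modulo the group order
        tau = secrets.randbelow(order - 1) + 1
        if gcd(tau, order) == 1:
            break
    seed = secrets.token_bytes(32)
    return (n_mod, g, pow(g, tau, n_mod)), (order, tau, seed)

def prf(seed, file_id, i, order):
    """HMAC-SHA256 stands in for PRF_seed(id || i) (assumption)."""
    mac = hmac.new(seed, file_id + i.to_bytes(4, "big"), hashlib.sha256).digest()
    return int.from_bytes(mac, "big") % order

def encode(data, block_bytes=8):
    """Plain fixed-size split; stands in for the page's encoding step."""
    return [int.from_bytes(data[i:i + block_bytes], "big")
            for i in range(0, len(data), block_bytes)]

def tag_file(pk, sk, file_id, blocks):
    """Client: sigma_i = PRF(id||i) + tau*F_i mod p'q', g_i = g^PRF(id||i)."""
    n_mod, g, _ = pk
    order, tau, seed = sk
    tags, pub = [], []
    for i, f in enumerate(blocks):
        r = prf(seed, file_id, i, order)
        tags.append((r + tau * f) % order)
        pub.append(pow(g, r, n_mod))
    return tags, pub

def challenge(n_blocks, l):
    """Verifier: random index set C with one nonzero weight per index."""
    idx = secrets.SystemRandom().sample(range(n_blocks), l)
    return [(i, secrets.randbelow(2**32 - 1) + 1) for i in idx]

def prove(blocks, tags, chal):
    """Server: weighted sums only, no exponentiation, no key material."""
    return (sum(v * blocks[i] for i, v in chal), sum(v * tags[i] for i, v in chal))

def verify(pk, pub, chal, report):
    """Anyone with pk and the g_i: g^sigma == prod(g_i^v_i) * g_tau^M mod N."""
    n_mod, g, g_tau = pk
    rhs = pow(g_tau, report[0], n_mod)
    for i, v in chal:
        rhs = rhs * pow(pub[i], v, n_mod) % n_mod
    return pow(g, report[1], n_mod) == rhs

if __name__ == "__main__":
    pk, sk = keygen()
    blocks = encode(b"constructed sample file contents for the audit demo")
    tags, pub = tag_file(pk, sk, b"file-0001", blocks)
    chal = challenge(len(blocks), 4)
    print("honest server accepted:", verify(pk, pub, chal, prove(blocks, tags, chal)))
```

The verifier never touches τ or the seed, so the check can be delegated to any party that holds pk and the public values g_i.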

Claims (18)

1. A method for verifying the integrity of cloud storage data, characterized by comprising the following steps:
Generating an identifier of a file to be stored, and at the same time encoding the file to obtain a plurality of module files;
Computing an authentication tag for each module file using the user's public key and private key, and generating public authentication data for each authentication tag;
Submitting the identifier, the module files and the authentication tags to a server;
Generating a file integrity query request, sending the query request to the server, and receiving report information of the file returned by the server, the report information being generated using the user's public key, the identifier, the module files and the authentication tags corresponding to the module files;
Verifying the report information using the user's public key and the public authentication data.
2. The method for verifying the integrity of cloud storage data according to claim 1, characterized in that the user's public key and private key are generated by an RSA key generation algorithm:
Randomly choose a λ-bit RSA modulus N=pq such that
Figure FDA00003603329700011
are all primes, and p and q have the same bit length;
Let
Figure FDA00003603329700012
where
Figure FDA00003603329700013
(N) is Euler's function, denoting the number of positive integers not greater than N and coprime to N;
Randomly choose a generator g from $QR_N$, where $QR_N$ denotes the subgroup of quadratic residues modulo N;
Randomly choose
Figure FDA00003603329700014
where denotes the residue classes coprime to
Figure FDA00003603329700016
modulo
Figure FDA00003603329700017
From the key space of the pseudo-random function family
Figure FDA00003603329700018
randomly choose a seed seed;
Let $g_\tau=g^{\tau}$; the user's public key is $pk=(N, g, g_\tau)$ and the user's private key is $sk=(p, q, \tau, seed)$.
3. The method for verifying the integrity of cloud storage data according to claim 2, characterized in that the identifier of the file satisfies the constraint $id \in \{0,1\}^{\lambda}$, where id is the identifier and λ is the bit length of the modulus in the user's public key.
4. The method for verifying the integrity of cloud storage data according to claim 2, characterized in that the step of computing the authentication tag of each module file using the user's public key and private key is:
Computing the authentication tag according to the following formula:
Figure FDA00003603329700021
where i is the number of a module file, $F_i$ is the i-th module file, $\sigma_i$ is the authentication tag corresponding to module file i, τ is the random number in the user's private key, $PRF_{seed}$ is the pseudo-random number corresponding to the random seed seed in the user's private key, i ∈ [0, n-1], n is the total number of module files, and N is the modulus in the user's public key.
5. The method for verifying the integrity of cloud storage data according to claim 3, characterized in that the step of generating public authentication data for each authentication tag is:
Generating each item of public authentication data according to the following formula:
$$g_i=g^{PRF_{seed}(id\|i)}$$
where $g_i$ is the public authentication data of the i-th module file and g is the generator in the user's public key.
6. The method for verifying the integrity of cloud storage data according to claim 2, characterized in that the step of generating the file integrity query request is:
Randomly choosing a subset of size |C|=l
Figure FDA00003603329700026
and, for each i ∈ C, randomly choosing from
Figure FDA00003603329700023
a weight $\nu_i$; the query request is $\{(i, \nu_i): i \in C\}$.
7. The method for verifying the integrity of cloud storage data according to claim 6, characterized in that the step of verifying the report information is:
Judging whether the following equation holds:
$$g^{\sigma}=\prod_{i\in C}(g_i)^{\nu_i}\, g_\tau^{M} \bmod N$$
where the report information is (M, σ), $M=\sum_{i\in C}\nu_i F_i \bmod N$, $\sigma=\sum_{i\in C}\nu_i\sigma_i \bmod N$, i is the number of a module file,
Figure FDA00003603329700027
n is the total number of module files, $\nu_i$ is the random weight corresponding to number i, $F_i$ is the i-th module file, N is the modulus in the user's public key, and $\sigma_i$ is the authentication tag corresponding to the i-th module file;
If the equation holds, the file is stored intact; if it does not hold, the file is not stored intact.
8. A method for verifying the integrity of cloud storage data, characterized by comprising the following steps:
Receiving and storing the identifier, the module files and the authentication tags corresponding to the module files sent by the user side;
Receiving the file integrity query request sent by the user side, generating report information using the file integrity query request, the user's public key, the identifier, the module files and the authentication tags corresponding to the module files, and feeding the report information back to the user side for verification by the user side.
9. The method for verifying cloud storage data according to claim 8, characterized in that
The file verification request comprises the numbers of module files and the random weight corresponding to each number;
The report information is (M, σ), and the report information is generated according to the following formula:
$$M=\sum_{i\in C}\nu_i F_i \bmod N,\qquad \sigma=\sum_{i\in C}\nu_i\sigma_i \bmod N$$
where i is the number of a module file,
Figure FDA00003603329700039
n is the total number of module files, $\nu_i$ is the random weight corresponding to number i, $F_i$ is the i-th module file, N is the modulus in the user's public key, and $\sigma_i$ is the authentication tag corresponding to the i-th module file.
10. A device for verifying the integrity of cloud storage data, characterized by comprising:
An encoding module, configured to generate an identifier of a file to be stored and at the same time encode the file to obtain a plurality of module files;
A generation module, configured to compute an authentication tag for each module file using the user's public key and private key, and to generate public authentication data for each authentication tag;
A submission module, configured to submit the identifier, the module files and the authentication tags to a server;
A query module, configured to generate a file integrity query request, send the query request to the server, and receive report information of the file returned by the server, the report information being generated using the user's public key, the identifier, the module files and the authentication tags corresponding to the module files;
A verification module, configured to verify the report information using the user's public key and the public authentication data.
11. The device for verifying the integrity of cloud storage data according to claim 10, characterized in that the user's public key and private key in the generation module are generated by an RSA key generation algorithm:
Randomly choose a λ-bit RSA modulus N=pq such that
Figure FDA00003603329700031
Figure FDA00003603329700032
are all primes, and p and q have the same bit length;
Let
Figure FDA00003603329700033
where (N) is Euler's function, denoting the number of positive integers not greater than N and coprime to N;
Randomly choose a generator g from $QR_N$, where $QR_N$ denotes the subgroup of quadratic residues modulo N;
Randomly choose where
Figure FDA00003603329700036
denotes the residue classes coprime to
Figure FDA00003603329700037
modulo
Figure FDA00003603329700038
From the key space of the pseudo-random function family
Figure FDA00003603329700041
randomly choose a seed seed;
Let $g_\tau=g^{\tau}$; the user's public key is $pk=(N, g, g_\tau)$ and the user's private key is $sk=(p, q, \tau, seed)$.
12. The device for verifying the integrity of cloud storage data according to claim 11, characterized in that the identifier of the file satisfies the constraint $id \in \{0,1\}^{\lambda}$, where id is the identifier and λ is the bit length of the modulus in the user's public key.
13. The device for verifying the integrity of cloud storage data according to claim 12, characterized in that the generation module is further configured to:
Compute the authentication tag according to the following formula:
Figure FDA00003603329700042
where i is the number of a module file, $F_i$ is the i-th module file, $\sigma_i$ is the authentication tag corresponding to module file i, τ is the random number in the user's private key, $PRF_{seed}$ is the pseudo-random number corresponding to the random seed seed in the user's private key, i ∈ [0, n-1], n is the total number of module files, and N is the modulus in the user's public key.
14. The device for verifying the integrity of cloud storage data according to claim 12, characterized in that the generation module is further configured to:
Generate each item of public authentication data according to the following formula:
$$g_i=g^{PRF_{seed}(id\|i)}$$
where $g_i$ is the public authentication data of the i-th module file and g is the generator in the user's public key.
15. The device for verifying the integrity of cloud storage data according to claim 11, characterized in that the query module is further configured to:
Randomly choose a subset of size |C|=l
Figure FDA00003603329700046
and, for each i ∈ C, randomly choose from
Figure FDA00003603329700047
a weight $\nu_i$; the query request is $\{(i, \nu_i): i \in C\}$.
16. The device for verifying the integrity of cloud storage data according to claim 15, characterized in that the verification module is further configured to:
Judge whether the following equation holds:
$$g^{\sigma}=\prod_{i\in C}(g_i)^{\nu_i}\, g_\tau^{M} \bmod N$$
where the report information is (M, σ), $M=\sum_{i\in C}\nu_i F_i \bmod N$, $\sigma=\sum_{i\in C}\nu_i\sigma_i \bmod N$, i is the number of a module file,
Figure FDA00003603329700051
n is the total number of module files, $\nu_i$ is the random weight corresponding to number i, $F_i$ is the i-th module file, N is the modulus in the user's public key, and $\sigma_i$ is the authentication tag corresponding to the i-th module file;
If the equation holds, the file is stored intact; if it does not hold, the file is not stored intact.
17. A server for verifying the integrity of cloud storage data, characterized by comprising:
A receiving module, configured to receive and store the identifier, the module files and the authentication tags corresponding to the module files sent by the user side;
A feedback module, configured to receive the file integrity query request sent by the user side, generate report information using the file integrity query request, the user's public key, the identifier, the module files and the authentication tags corresponding to the module files, and feed the report information back to the user side for verification by the user side.
18. The server for verifying cloud storage data according to claim 17, characterized in that
The file verification request comprises the numbers of module files and the random weight corresponding to each number;
The report information is (M, σ), and the feedback module is further configured to generate the report information according to the following formula:
$$M=\sum_{i\in C}\nu_i F_i \bmod N,\qquad \sigma=\sum_{i\in C}\nu_i\sigma_i \bmod N$$
where i is the number of a module file,
Figure FDA00003603329700052
n is the total number of module files, $\nu_i$ is the random weight corresponding to number i, $F_i$ is the i-th module file, N is the modulus in the user's public key, and $\sigma_i$ is the authentication tag corresponding to the i-th module file.
CN201310330155.7A 2013-07-31 2013-07-31 The verification method of cloud storage data integrity, equipment and server Active CN103425941B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201310330155.7A CN103425941B (en) 2013-07-31 2013-07-31 The verification method of cloud storage data integrity, equipment and server

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201310330155.7A CN103425941B (en) 2013-07-31 2013-07-31 The verification method of cloud storage data integrity, equipment and server

Publications (2)

Publication Number Publication Date
CN103425941A true CN103425941A (en) 2013-12-04
CN103425941B CN103425941B (en) 2016-12-28

Family

ID=49650661

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201310330155.7A Active CN103425941B (en) 2013-07-31 2013-07-31 The verification method of cloud storage data integrity, equipment and server

Country Status (1)

Country Link
CN (1) CN103425941B (en)


Also Published As

Publication number Publication date
CN103425941B (en) 2016-12-28


Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
CB02 Change of applicant information

Address after: 528200 science and technology road, Nanhai Software Science Park, Nanhai Town, Nanhai District, Foshan, Guangdong

Applicant after: Age of security Polytron Technologies Inc

Applicant after: Guangzhou University

Address before: 528200 science and technology road, Nanhai Software Science Park, Nanhai Town, Nanhai District, Foshan, Guangdong

Applicant before: Guangdong Certificate Authority Center Co., Ltd.

Applicant before: Guangzhou University

COR Change of bibliographic data
C14 Grant of patent or utility model
GR01 Patent grant