CN103516523A - Data encryption system structure based on cloud storage - Google Patents


Info

Publication number: CN103516523A
Authority: CN (China)
Prior art keywords: key, client, cloud computing, symmetric, private
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.): Pending
Application number: CN201310494894.XA
Other languages: Chinese (zh)
Inventors: 付丽莉, 于建彬
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.): Inspur Electronic Information Industry Co Ltd
Original Assignee: Inspur Electronic Information Industry Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.): 2013-10-22
Filing date: 2013-10-22
Publication date: 2014-01-15
Application filed by Inspur Electronic Information Industry Co Ltd; priority to CN201310494894.XA; publication of CN103516523A; legal status: pending

Abstract

The invention relates to the field of cloud storage systems and discloses a data encryption system structure based on cloud storage. The data encryption system comprises a cloud computing secret key client, a cloud computing secret key management server, a customer private secret key carrier, a symmetric cryptography server and a digital certificate center, wherein the customer private secret key carrier holds the private key that decrypts the symmetric secret key. The cloud storage provider cannot decrypt the files without that private key, so the system structure improves the security of client data and effectively prevents the customer's private information from being obtained and illegally used by other users or by the cloud storage provider. The structure is oriented to various cloud computing applications and can realize uniform, standard secret key management. File decryption must be executed with the customer's private key, which effectively protects the security of customer data. The structure further has the advantages of simplicity and expandability.

Description

Data encryption architecture based on cloud storage
Technical field
The present invention relates to the field of cloud storage systems, and specifically to a data encryption security architecture based on cloud storage.
Technical background
With the wide promotion and application of cloud computing, new vitality and momentum have been injected into the vast Chinese Internet market. The better-known applications based on the cloud computing model currently include: the cloud search of search engine companies such as Google, Yahoo and Baidu; the cloud storage proposed by storage vendors such as Amazon and EMC; the cloud security of antivirus vendors such as Rising, Trend Micro and Kingsoft; and the many cloud services realized by online software service providers such as Salesforce. As cloud computing spreads, enterprises store more and more core business and important data in the cloud, yet their concern about data stored in the cloud also keeps growing, and the development and application of cloud computing technology has likewise raised public concern about information security.
Many studies show a large gap between cloud service providers and their customers over who should bear responsibility for the security of customer data: providers push the responsibility into the customer's hands, but customers usually disagree. A survey by the Ponemon Institute last year showed that seven out of ten cloud service providers hand the responsibility for customer data security to the customer, while only 30% of customers agree. This makes cloud storage services that provide data encryption more and more welcome: by encrypting their data, customers can ensure that their information is safe, and even if a data leakage incident occurs, the data remains confidential from the cloud service provider.
Analysis shows that the best cloud storage encryption solutions are those that let the customer control the keys, or part of the keys: by controlling the keys, the customer also controls access to the data and can even prevent the cloud service provider from accessing it. Professionals state that if all information is encrypted, and the encryption is carried out with a key controlled by the customer, then even the cloud administrator cannot see the key, and the data is very safe. Encrypting data securely is not the technical barrier of cloud security services; the difficulty is finding a way to manage the keys securely.
Data security is the lifeline of an enterprise. Every cloud service provider declares its service to be entirely safe, but compared with traditional storage, large amounts of users' core data are placed in cloud storage whose concrete storage location the user does not know, which inevitably leaves users uneasy; every customer worries that personal information, such as photos, personal details and technical documents, will be leaked or become a target of public browsing, creating hidden dangers to information and personal safety. Some providers keep the key in the same cloud environment as the data, which is also insecure; others outsource the key to a third party or let the customer manage the key themselves, but neither is an ideal key storage method.
Summary of the invention
The technical problem to be solved by the present invention is to let the customer guarantee the confidentiality of their data while simplifying key management and improving the security of customer data.
The present invention involves two kinds of keys: a symmetric key, stored in the cloud computing management server, and a private key used to decrypt the symmetric key, stored in the customer's private key carrier.
The technical solution adopted by the present invention is a data encryption architecture based on cloud storage, the system architecture comprising: a cloud computing key client, a cloud computing key management server, a customer private key carrier, a symmetric cryptography server and a digital certificate center, wherein:
the cloud computing key client is the cryptographic service client residing in the cloud computing service; it is responsible for providing key services to the cloud computing applications on that cloud computing server, and requests key generation from the key management server through a standard key management protocol;
the cloud computing key management server is responsible for key generation, recovery, renewal and similar management services, and returns keys to the client; the key management server holds the key in distributed form, and only with the private key in the customer's private key carrier can the key be fully reconstructed;
the customer private key carrier is responsible for storing the digital certificate and the private key required to reconstruct the distributed key;
the symmetric cryptography server encrypts files with a symmetric key, and the symmetric key itself must be encrypted with the public key in the customer's private key carrier;
the digital certificate center is responsible for issuing digital certificates to customers for the authentication of digital signatures;
the customer downloads the digital signature provided by the digital certificate center into the customer private key carrier; besides the digital signature, the carrier also contains the private key for decrypting the symmetric key.
When logging in, the customer needs a username and password and must provide the digital certificate; after authentication the customer logs in to the cloud computing key client. The cloud storage vendor does not have this private key and cannot decrypt the files, so the invention improves the security of customer data.
The customer private key carrier may be embodied as a storage device of a certain capacity.
The customer private key carrier is a U shield (USB security token), convenient for the customer to carry.
A cloud computing encryption key generation process based on the above architecture comprises the following steps:
The cloud computing key client generates a key request packet and sends it to the cloud computing management server; the key request packet comprises a request header (REQ Header), an action type (GET), a key object (Symmetric Key) and an identifier (UID). On receiving the key request, the cloud computing management server obtains the symmetric key from the symmetric cryptography server according to the request content and generates a key reply packet comprising a reply header (Response Header), the key object (Symmetric Key), the identifier (UID) and the symmetric key (Key Value).
The symmetric cryptography server encrypts files with the symmetric key; the symmetric key is returned to the cloud computing key client by the cloud computing key management server, and decrypting the symmetric key requires the private key stored in the customer's private key carrier.
This approach effectively improves the security of customer data. This mixed key custody method is somewhat like a bank safe deposit box: the bank holds one key and the customer holds the other, and the bank's key depends on the key in the customer's hand to complete the decryption process.
The beneficial effect of the present invention is as follows: the present invention proposes a mixed key custody method in which the customer private key carrier contains the private key for decrypting the symmetric key; the cloud storage vendor does not have this private key and cannot decrypt files, so the invention improves the security of customer data and effectively prevents the customer's private information from being obtained and illegally used by other users or by the cloud storage vendor. The architecture is oriented to various cloud computing applications and can realize unified, standard key management. File decryption must be performed with the customer's private key, which effectively protects customer data. The architecture also has the advantages of simplicity and extensibility.
Brief description of the drawings
Fig. 1 is a schematic diagram of the cloud computing key management architecture;
Fig. 2 is a schematic diagram of cloud computing encryption key acquisition;
Reference numerals: 1, cloud computing key client; 2, cloud computing key management server; 3, customer private key carrier; 4, symmetric cryptography server; 5, digital certificate center.
Embodiments
The invention is described in detail below with reference to the accompanying drawings and in conjunction with embodiments.
Embodiment 1:
A data encryption architecture for cloud storage, the system architecture comprising: a cloud computing key client 1, a cloud computing key management server 2, a customer private key carrier 3, a symmetric cryptography server 4 and a digital certificate center 5, wherein:
the cloud computing key client 1 is the cryptographic service client residing in the cloud computing service; it is responsible for providing key services to the cloud computing applications on that cloud computing server, and requests key generation from the key management server through a standard key management protocol;
the cloud computing key management server 2 is responsible for key generation, recovery, renewal and similar management services, and returns keys to the client; the key management server holds the key in distributed form, and only with the private key in the customer's private key carrier can the key be fully reconstructed;
the customer private key carrier 3 is responsible for storing the digital certificate and the private key required to reconstruct the distributed key;
the symmetric cryptography server 4 encrypts files with a symmetric key, and the symmetric key itself must be encrypted with the public key in the customer's private key carrier;
the digital certificate center 5 is responsible for issuing digital certificates to customers for the authentication of digital signatures;
the customer downloads the digital signature provided by the digital certificate center 5 into the customer private key carrier 3; besides the digital signature, the carrier also contains the private key for decrypting the symmetric key.
When logging in, the customer needs a username and password and must provide the digital certificate; after authentication the customer logs in to the cloud computing key client. The cloud storage vendor does not have this private key and cannot decrypt the files, so the invention improves the security of customer data.
Embodiment 2:
On the basis of Embodiment 1, the customer private key carrier of this embodiment may be embodied as a storage device of a certain capacity.
Embodiment 3:
On the basis of Embodiment 2, the customer private key carrier of this embodiment is a U shield (USB security token), convenient for the customer to carry.
Embodiment 4:
A cloud computing encryption key generation process based on the above embodiments comprises the following steps:
The cloud computing key client generates a key request packet and sends it to the cloud computing management server; the key request packet comprises a request header (REQ Header), an action type (GET), a key object (Symmetric Key) and an identifier (UID). On receiving the key request, the cloud computing management server obtains the symmetric key from the symmetric cryptography server according to the request content and generates a key reply packet comprising a reply header (Response Header), the key object (Symmetric Key), the identifier (UID) and the symmetric key (Key Value).
The symmetric cryptography server encrypts files with the symmetric key; the symmetric key is returned to the cloud computing key client by the cloud computing key management server, and decrypting the symmetric key requires the private key stored in the customer's private key carrier.
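As an added worked example, not code from the patent, the following Go program models the two-key scheme and the Fig. 2 key request/reply exchange of Embodiment 4: the server encrypts a file under a symmetric key, stores that key only wrapped under the client's public key, answers a GET request for a Symmetric Key with the wrapped value, and only the private key from the customer's carrier can recover the file. AES-256-GCM for the file, RSA-OAEP for wrapping, the header strings and the use of the UID as OAEP label and GCM associated data are assumptions of this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)

// KeyRequest and KeyResponse mirror the packets of Fig. 2. KeyValue is the
// symmetric key wrapped under the client's public key (assumed RSA-OAEP).
type KeyRequest struct{ Header, Action, Object, UID string }
type KeyResponse struct {
	Header, Object, UID string
	KeyValue            []byte
}
// KeyServer plays the key management server and symmetric cryptography server.
type KeyServer struct {
	pub     map[string]*rsa.PublicKey // public key from the client's certificate
	wrapped map[string][]byte         // per-UID symmetric key, stored wrapped only
}
func NewKeyServer() *KeyServer {
	return &KeyServer{map[string]*rsa.PublicKey{}, map[string][]byte{}}
}
// Register records the public key taken from the client's digital certificate.
func (s *KeyServer) Register(uid string, pub *rsa.PublicKey) { s.pub[uid] = pub }

// EncryptFile: fresh AES-256 key, GCM over the file with the UID as AAD; only
// the wrapped key is kept, so the provider alone can no longer decrypt.
func (s *KeyServer) EncryptFile(uid string, plaintext []byte) ([]byte, error) {
	pub, ok := s.pub[uid]
	if !ok {
		return nil, errors.New("no certificate registered for UID")
	}
	buf := make([]byte, 44) // 32-byte key followed by 12-byte GCM nonce
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	key, nonce := buf[:32], buf[32:]
	block, _ := aes.NewCipher(key) // 32-byte key: cannot fail
	g, _ := cipher.NewGCM(block)   // AES block size: cannot fail
	blob := append(nonce, g.Seal(nil, nonce, plaintext, []byte(uid))...)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, []byte(uid))
	if err != nil {
		return nil, err
	}
	s.wrapped[uid] = wrapped
	return blob, nil
}

// Handle serves a key request: only GET of a Symmetric Key for a known UID.
func (s *KeyServer) Handle(req KeyRequest) (KeyResponse, error) {
	w, ok := s.wrapped[req.UID]
	if req.Action != "GET" || req.Object != "Symmetric Key" || !ok {
		return KeyResponse{}, errors.New("request refused")
	}
	return KeyResponse{"Response Header", req.Object, req.UID, w}, nil
}

// ClientDecrypt: the carrier's private key unwraps the symmetric key, which
// then decrypts the file; any other key fails OAEP or GCM authentication.
func ClientDecrypt(priv *rsa.PrivateKey, resp KeyResponse, blob []byte) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), nil, priv, resp.KeyValue, []byte(resp.UID))
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil || len(blob) < 12 {
		return nil, errors.New("bad key or truncated ciphertext")
	}
	g, _ := cipher.NewGCM(block)
	return g.Open(nil, blob[:12], blob[12:], []byte(resp.UID))
}
```

The server never stores the plaintext symmetric key, so a copy of its state plus the ciphertext is useless without the carrier's private key; a request with any action other than GET, or for an unregistered UID, is refused.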

Claims (4)

1. A data encryption architecture based on cloud storage, characterized in that the system architecture comprises: a cloud computing key client (1), a cloud computing key management server (2), a customer private key carrier (3), a symmetric cryptography server (4) and a digital certificate center (5), wherein:
the cloud computing key client is the cryptographic service client residing in the cloud computing service; it is responsible for providing key services to the cloud computing applications on that cloud computing server, and requests key generation from the key management server through a standard key management protocol;
the cloud computing key management server is responsible for key generation, recovery, renewal and similar management services, and returns keys to the client; the key management server holds the key in distributed form, and only with the private key in the customer's private key carrier can the key be fully reconstructed;
the customer private key carrier is responsible for storing the digital certificate and the private key required to reconstruct the distributed key;
the symmetric cryptography server encrypts files with a symmetric key, and the symmetric key itself must be encrypted with the public key in the customer's private key carrier;
the digital certificate center is responsible for issuing digital certificates to customers for the authentication of digital signatures;
the customer downloads the digital signature provided by the digital certificate center into the customer private key carrier; besides the digital signature, the carrier also contains the private key for decrypting the symmetric key;
when the customer logs in, a username and password are required and the digital certificate must be provided; after authentication the customer logs in to the cloud computing key client.
2. The data encryption architecture based on cloud storage according to claim 1, characterized in that the customer private key carrier is a storage device of a certain capacity.
3. The data encryption architecture based on cloud storage according to claim 2, characterized in that the customer private key carrier is a U shield (USB security token).
4. A cloud computing encryption key generation method based on any of the above claims, characterized in that the method comprises the following steps:
the cloud computing key client generates a key request packet and sends it to the cloud computing management server, the key request packet comprising a request header, an action type, a key object and an identifier; on receiving the key request, the cloud computing management server obtains the symmetric key from the symmetric cryptography server according to the request content and generates a key reply packet, the key reply comprising a reply header, the key object, the identifier and the symmetric key; wherein the symmetric cryptography server encrypts files with the symmetric key, the symmetric key is returned to the cloud computing key client by the cloud computing key management server, and decrypting the symmetric key requires the private key stored in the customer's private key carrier.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201310494894.XA (CN103516523A) 2013-10-22 2013-10-22 Data encryption system structure based on cloud storage

Publications (1)

Publication Number Publication Date
CN103516523A 2014-01-15

Family ID: 49898605

Country Status (1)

Country Link
CN (1) CN103516523A (en), pending

Cited By (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105208044A (en) * 2015-10-29 2015-12-30 成都卫士通信息产业股份有限公司 Key management method suitable for cloud computing
CN106302411A (en) * 2016-08-03 2017-01-04 西安邮电大学 The secure cloud storage method and system of support file encryption based on windows platform
CN106341236A (en) * 2016-09-09 2017-01-18 深圳大学 Access control method facing cloud storage service platform and system thereof
CN106973070A (en) * 2017-05-17 2017-07-21 济南浪潮高新科技投资发展有限公司 A kind of big data calculates trusteeship service security certification system and method
CN107872532A (en) * 2017-11-27 2018-04-03 北京天诚安信科技股份有限公司 A kind of storage of third party cloud storage platform, the method and system downloaded
CN109598145A (en) * 2018-12-07 2019-04-09 无锡予果科技有限公司 It is a kind of to prevent the data divulged a secret transmission and method for cloud storage and system
CN111064738A (en) * 2019-12-26 2020-04-24 山东方寸微电子科技有限公司 TLS (transport layer Security) secure communication method and system
CN112152804A (en) * 2020-09-16 2020-12-29 北京奇艺世纪科技有限公司 Method, device and system for dynamically configuring private key for cloud server
CN112422563A (en) * 2020-11-18 2021-02-26 深圳市气象局(深圳市气象台) Weather data encryption and decryption service system based on hybrid cryptography
CN114580001A (en) * 2022-03-11 2022-06-03 合肥工业大学 Encryption and decryption algorithm and file protection method for excel file

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101562040A (en) * 2008-04-15 2009-10-21 航天信息股份有限公司 High-security mobile memory and data processing method thereof
CN103312690A (en) * 2013-04-19 2013-09-18 无锡成电科大科技发展有限公司 System and method for key management of cloud computing platform

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
孙磊,戴紫珊,郭锦娣: "云计算密钥管理框架研究", 《电信科学》 *
郑志勇,朱郑之: "基于密钥分散管理的服务器登录控制", 《信息安全与通信保密》 *

Legal Events

Code Title
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication (application publication date: 20140115)