CN104660720A - Security storage method based on identity authentication - Google Patents
Security storage method based on identity authentication Download PDFInfo
- Publication number
- CN104660720A CN104660720A CN201510131878.3A CN201510131878A CN104660720A CN 104660720 A CN104660720 A CN 104660720A CN 201510131878 A CN201510131878 A CN 201510131878A CN 104660720 A CN104660720 A CN 104660720A
- Authority
- CN
- China
- Prior art keywords
- user
- file
- cloud platform
- group
- users
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
Landscapes
- Storage Device Security (AREA)
Abstract
The invention provides a security storage method based on identity authentication. The method comprises the steps of using the self file by a file owner of a cloud platform through a mobile terminal; carrying out ownership authentication on other users before elimination of redundancy; after the user become a file owner, recording the user by the cloud platform, and enabling the file owner to take back the own file; enabling illegal users who do not own files to be unable to acquire user files and user private keys by using the cloud platform; and enabling the file owners to decide whether other users are the owners of the files or not, and eliminating redundancy of the files which are encrypted by the different user private keys through secondary encryption. After the method is used, the illegal users can not acquire the data ownership, and the users can freely select the private keys while redundancy of the encrypted data is eliminated.
Description
Technical field
The present invention relates to cloud security, the method for secure storing of particularly a kind of identity-based certification.
Background technology
Cloud stores service can in real time backup file and whenever and wherever possible synchronously with share file.But cloud stores and is also faced with many challenges.During cloud stores, secure user data is a basic problem.Because cloud storage provider is nature of business, so cloud storage server is not trusted, must ensure that cloud platform can not obtain user data.Existing method data upload was encrypted data before cloud platform user, so only has this user to decipher.And on the other hand, the fast development that cloud stores causes the rapid growth of memory space, storing efficiently is another problem during cloud stores.The de-redundancy technology that major part cloud storage provider all adopts is the effective ways reducing memory space and transmission bandwidth.But, the de-redundancy of data and encrypt seemingly contradiction.Encryption makes data seem random, and on random data, the space saving of de-redundancy is very low.Data encryption is that the identical data allowing user use private key for user to encrypt dissimilates, and de-redundancy technology is the similitude that make use of data, so the de-redundancy problem of enciphered data has to be solved.
Summary of the invention
For solving the problem existing for above-mentioned prior art, the present invention proposes a kind of method for secure storing of identity-based certification, comprising:
The file owners storing the cloud platform of user file uses the file of self by mobile terminal, other users are before carrying out de-redundancy, first verified by ownership, cloud platform only stores a shared file, after user becomes file owners, this user of cloud platform record, makes it fetch the file of oneself; Plaintext document before user is encrypted carries out judgement and the ownership checking of identical data, in the process of de-redundancy, for not gathering around documentary disabled user, cloud platform ensures that the information by received associated subscriber file and private key can not obtain the related content of user file and private key for user; In the ownership checking of file, the judgement that ownership is verified is transferred to validated user, whether other users are owners of this file to only have file owners to determine, after File Ownership checking, the file using superencipher to encrypt at different user private key for user carries out redundancy elimination.
Preferably, when not having file owners online when new user uploads the file existed, once there be user's upload file, then instant storage file, the process that user's execute file creates, two parts of identical file of cloud platform actual storage are shared by one group of user respectively; Merge two groups of users time online two groups of users have while, two groups of merging process are as follows:
1) second group of user proves its File Ownership to first group of user, first group of user challenges to second group of user with leaf node sequence number, second group of user fetches relevant node from cloud platform, and complete proof according to file de-redundancy process, when first group of user completes the checking to second group of user, the key of encryption is sent to cloud platform by first group of user, and cloud platform is transmitted to second group of user;
2) after second group of user receives key, calculate superencipher private key, then send to cloud platform, and second group of user changes this locality storage into new index file;
3) after cloud platform receives information, the superencipher private key of second group of user is modified, the shared file of second group deleted by cloud platform, when in second group, other users are online, superencipher private key is sent to other users in second group by cloud platform, and in second group, other users upgrade cloud platform and the local superencipher private key stored.
The present invention compared to existing technology, has the following advantages:
This invention ensures that disabled user can not obtain the ownership of data, while making to realize enciphered data de-redundancy, user oneself can be allowed to select private key arbitrarily.
Accompanying drawing explanation
Fig. 1 is the flow chart of the method for secure storing of identity-based certification according to the embodiment of the present invention.
Embodiment
Detailed description to one or more embodiment of the present invention is hereafter provided together with the accompanying drawing of the diagram principle of the invention.Describe the present invention in conjunction with such embodiment, but the invention is not restricted to any embodiment.Scope of the present invention is only defined by the claims, and the present invention contain many substitute, amendment and equivalent.Set forth many details in the following description to provide thorough understanding of the present invention.These details are provided for exemplary purposes, and also can realize the present invention according to claims without some in these details or all details.
First the present invention makes user's ownership of first carrying out based on Hash tree before Elimination of Data Redundancy verify, ensure that disabled user can not obtain the ownership of data, after user completes File Ownership checking, use superencipher, while making to realize enciphered data de-redundancy, user oneself can be allowed to select private key arbitrarily.Fig. 1 is the method for secure storing flow chart of the identity-based certification according to the embodiment of the present invention.
Be made up of 3 parts at cloud storage environment: the cloud platform storing user file; The rightful holder of file; Upload data to cloud platform and want to be reduced by de-redundancy the user of memory space and transmission bandwidth.
During cloud stores, file owners can by PC or even whenever and wherever possible all spendable mobile terminal freely use the file of self.If another user wants to carry out de-redundancy, must first be verified by ownership.A user, once successfully pass the process of de-redundancy, does not just need to upload this file again.Cloud platform also only stores this shared file a, after user becomes file owners, supposes this user of cloud platform record, so that user can fetch the file of oneself next time easily.
In cloud storage environment, there is different considerations to cloud platform.For cloud platform, it is one and half trust models, the process that cloud platform can carry on an agreement honestly, but the message that cloud platform also can obtain according to oneself obtains the relevant information of user file and private key for user as much as possible.Therefore, need to ensure that cloud platform can not obtain data content.In order to the safety of protection system, while consideration third party attack, need protection from the attack of cloud platform.
For cloud platform, target is the sensitive data of maintaining secrecy, protecting user ensureing user data.In the process of de-redundancy, cloud platform can receive the information of many associated subscriber files and private key, must ensure that cloud platform can not obtain the related content of user file and private key for user by these information.In addition, if cloud platform can show the honest de-redundancy process that performs of picture and not find by user, so cloud platform can do anything to obtain user file.Therefore, must ensure that cloud platform can not user cheating and not being detected.
For third party user, be divided into two classes: a class does not gather around documentary user, is called disabled user, they attempt the ownership of acquisition file to obtain the content of file.Must ensure to only have and really gather around documentary user just by File Ownership checking, any disabled user can be detected.Another kind of is gather around documentary user, is called validated user, validated user shared file, but other information need not be known, therefore, must ensure the privacy between validated user, any validated user all should not know the information such as the identity of other users and the private key of other users.
The present invention make user by the files passe through private key for user encryption to after cloud platform, if there are other users also to want to upload identical file to cloud platform, in order to ensure the safety of de-redundancy process, need carry out be file ownership checking, be encrypted again after being verified by File Ownership Elimination of Data Redundancy operation.The cryptographic operation of file will make data be distributed in the cryptogram space randomly, and the de-redundancy saving rate in random distribution data is very low.Therefore, in order to ensure high de-redundancy saving rate, be whether that judgement and the ownership checking of identical data is all carried out on plaintext, the enterprising line operate of the file namely before user is encrypted.In the ownership checking of file, the judgement that ownership is verified is transferred to validated user from cloud platform, whether other users are owners of this file to only have file owners to determine, because cloud platform is not trusted, and the right that cloud platform does not determine.Cloud platform is for transmitting the communication information between user, so that hiding identity between user.Ownership checking is mutual and dynamic, and any user not having a whole file is not by this proof.After File Ownership checking, de-redundancy on the file will encrypted at different user private key for user, uses superencipher technology to realize this demand.
Original document Fo is encoded into F by user.Make group G1, the cyclic group of G2 to be rank be prime number p, e:G1 × G1 → G2 is a bilinear map, and g is a generator of crowd G1, and z=e (g, g) ∈ G2, H are hash functions.
(1) document creation
User A has private key a.
1) user A calculates the index part of H (F) as file F, and file F is divided into n block, F=(m
1, m
2..., m
n).
2) user A is at file F=(m
1, m
2..., m
n) on build Hash tree, and calculate the root R of this Hash tree.User A is by index (H (F), R) and block number n be uploaded to cloud platform, cloud platform is according to this index search file, if cloud platform is searched less than this file, so user A can not carry out de-redundancy operation, user A must upload with private key for user encryption whole file to cloud platform, upload procedure is as follows:
1) according to the block number n of the Hash tree of file F, cloud platform Stochastic choice ε leaf node sequence number { l
1, l
2..., l
ε, wherein ε is the predefine security parameter of system, then by { l
1, l
2..., l
εsend to user A.
2) user A provides leaf node { H (m
i) l
1≤ i≤l
εand from the leaf node selected to the brotgher of node { S required root node
i1≤i≤s (wherein s is the number of the required brotgher of node).
3) user A Stochastic choice session private key K, and utilize this private key to carry out encrypt file E by aes algorithm
k(F).Session private key K encodes the element K' on G2 in groups, Stochastic choice k1 with private key for user encryption session private key K', ciphertext encrypted form is C=(Z by user A
ak1, g
ak1, K'Z
k1).
In fact, this ciphertext C comprises two-stage ciphertext, and first order ciphertext is (Z
ak1, K'Z
k1), can only be deciphered by the private key of user A, second level ciphertext is (g
ak1, K'Z
k1), can not only be deciphered by the private key of user A, and the ciphertext of other private key for user encryption can be converted into.
User A only need store in this locality (H (F), R), and uploads (H (F), R), { H (m
i) l
1≤ i≤l
ε, { S
i1≤i≤s, C, EK (F)) in cloud platform.Cloud platform is by { H (m
i) l
1≤ i≤l
ε{ S
i1≤i≤s verifies root node R, if be proved to be successful, proves that user A has this file really.(H (F), R) is used as the index of cryptograph files (C, EK (F)) by cloud platform, and user A is recorded as a file owners of (H (F), R).
(2) file de-redundancy
User B has file F and wants the files passe encrypted with private key for user to cloud platform.If this file exists at cloud platform, user B and cloud platform wish to perform de-redundancy to reduce memory space and transmission bandwidth, and implementation is as follows:
1) the hashed value H (F) of user B (being called certifier) calculation document F and file F=(m
1, m
2..., m
n) the root node R of Hash tree, and (H (F), R) is sent to cloud platform.After cloud platform receives (H (F), R), search in storage index, if find this index, cloud platform notifies an online file owners, is assumed to be user A.
2) user A (being called verifier) is in the Hash tree of file, Stochastic choice ε leaf node sequence number { l
1, l
2..., l
ε, wherein ε is the predefine security parameter of system, then by { l
1, l
2..., l
εsend to user A also by { l
1, l
2..., l
ε|| g
asend to cloud platform, cloud platform is by { l
1, l
2..., l
ε|| g
abe transmitted to user B.
3) user B builds Hash tree on file F, and provides leaf node { H (m
i) l
1≤ i≤l
εand from the leaf node selected to the brotgher of node { S required root node R
i1≤i≤s (wherein s is the number of the required brotgher of node).User B is by { H (m
i) l
1≤ i≤l
ε{ S
ielement { the H'(m that encodes on G2 in groups of 1≤i≤s
i) l
1≤ i≤l
ε{ S
i'1≤i≤s, and send enciphered data g
b|| (g
bk2, { H'(m
i) Z
k2l
1≤ i≤l
ε, { S
i'z
k21≤i≤s) (wherein k2 is Stochastic choice) to cloud platform.The information of reception is transmitted to user A by cloud platform.
4) user B waits for 4t
max(t after time
maxthe maximum delay between user and cloud platform) send g
a/bto cloud platform, cloud platform is transmitted to user A.
5) if from transmission { l
1, l
2..., l
ε|| g
ato receiving gb|| (g
bk2, { H'(m
i) Z
k2l
1≤ i≤l
ε, { S
i'z
k21≤i≤s) interval greater than 4t
max, user A refuses the checking of current ownership.Otherwise, user A re-encryption private key g
a/bdecipher the data { H'(m received
i)=H'(m
i) Z
k2/ [e (g
bk2, g
a/b)]
1/al
1≤ i≤l
ε{ S
i'=S
i'z
k2/ [e (g
bk2, g
a/b)]
1/a1≤i≤s.Then, user A decoding { H'(m
i) l
1≤ i≤l
ε{ Si'}1≤i≤s obtains { H (m
i) l
1≤ i≤l
ε{ S
i1≤i≤s, and in order to verify root node R.If authentication failed, user A denies the ownership checking of user B, otherwise user A is by g
1/belement (the g encoded on G2 in groups
1/a) ', and send (Z
bk3=e (g
b, g
k3), (g
1/a) ' Z
k3) (wherein k3 is Stochastic choice), to cloud platform, cloud platform is transmitted to user B.
6) user B is by calculating (g
1/a) ' Z
k3/ (Z
bk3)
1/b=(g
1/a) ', and by (g
1/a) ' be decoded as g
b/a, thus user B calculates g
b/aand send to cloud platform.User B stores (H (F), R, g in this locality
1/a).So far, user B completes the upload procedure of file, becomes the rightful holder of this file, and can fetch arbitrarily the content of file and authenticating documents.Cloud platform user B is recorded as file F the owner and by g
b/abe recorded as superencipher private key.User B in cloud platform actual storage be g
1/a.Cloud platform can calculate the session private key of user B encrypted private key: C
kB=(e (g
ak1, g
b/a), K'Z
k1)=(Z
bk1, KZ
k1).When user B requires to fetch file, cloud platform is just by this ciphertext C
kBand the encrypt file E of correspondence
k(F) user B is sent to.The deciphering of user B private key for user obtains private key K', and decoding obtains session private key K, and user B utilizes this session private key can decipher the file obtaining oneself.
(3) file erase
When an owner of file F thinks deleted file F, the request of oneself is sent to cloud platform by this user.Once cloud platform receives this information, can not real deleted file because file F backup share by all owners.Cloud platform only deletes corresponding owner record and corresponding superencipher private key.Cloud platform only when all owners of file F require to delete this file, just deleted file F and relevant index information.
There is a condition: have at least a file owners online when new user uploads the file existed, mobile device is always carried with, and basic long-term online.The trend of present mobile device high speed development just in time meets this requirement, but the situation not having file owners online still may occur, and proposed heres following scheme for this reason.
The object that cloud stores saves the memory space of user, makes user without the need to again at local storage file.Once there be user's upload file, need instant storage file, instead of by the time have a file owners online.Therefore, when not having file owners online, the process that execute file creates by user, the file of this new establishment also can be likely shared by many users.In fact cloud platform stores two parts of identical file, and these two parts of files are shared by one group of user respectively.In order to save memory space, merging two groups of users when two groups of users have simultaneously online, supposing that in group A, in a user C and group B, a user D is simultaneously online, they store in this locality respectively (H (F), R, g
1/a) and (H (F), R, g
1/x).Two groups of merging process are as follows:
1) the user D organized in B needs to prove its File Ownership to first group of user.First group of user to the user D in group B with leaf node sequence number { l
1, l
2..., l
εchallenge.User D in group B needs to fetch relevant node from cloud platform, and completes proof according to the step of program file de-redundancy.When first group of user completes the checking of user D in group B, first group of user is by the g of encryption
1/asend to cloud platform, cloud platform is transmitted to the user D in group B.
2) the user D organized in B receives g
1/aafter, calculate superencipher private key g
d/aand g
1/ag
1/x, then by (g
d/a, g
1/ag
1/x) send to cloud platform, and the user D organized in B changes this locality storage into (H (F), R, g
1/a).
3) after cloud platform receives information, cloud platform changes the superencipher private key of user D in group B into g
d/a, and store g
1/ag
1/x.The shared file F of cloud platform deletion group B, when in group B, other users are online, cloud platform sends g
1/ag
1/xto this user.This user calculates g
1/a=g
1/ag
1/x/ g
1/x, and calculate corresponding superencipher private key, cloud platform and the local superencipher private key stored are upgraded simultaneously.
In the above-mentioned situation not having file owners online, the transmission bandwidth of this user can not be reduced.But have user simultaneously online in two groups of users, memory space still can be reduced.
In sum, this invention ensures that disabled user can not obtain the ownership of data, while making to realize enciphered data de-redundancy, user oneself can be allowed to select private key arbitrarily.
Obviously, it should be appreciated by those skilled in the art, above-mentioned of the present invention each module or each step can realize with general computing system, they can concentrate on single computing system, or be distributed on network that multiple computing system forms, alternatively, they can realize with the executable program code of computing system, thus, they can be stored and be performed by computing system within the storage system.Like this, the present invention is not restricted to any specific hardware and software combination.
Should be understood that, above-mentioned embodiment of the present invention only for exemplary illustration or explain principle of the present invention, and is not construed as limiting the invention.Therefore, any amendment made when without departing from the spirit and scope of the present invention, equivalent replacement, improvement etc., all should be included within protection scope of the present invention.In addition, claims of the present invention be intended to contain fall into claims scope and border or this scope and border equivalents in whole change and modification.
Claims (2)
1. a method for secure storing for identity-based certification, is characterized in that, comprising:
The file owners storing the cloud platform of user file uses the file of self by mobile terminal, other users are before carrying out de-redundancy, first verified by ownership, cloud platform only stores a shared file, after user becomes file owners, this user of cloud platform record, makes it fetch the file of oneself; Plaintext document before user is encrypted carries out judgement and the ownership checking of identical data, in the process of de-redundancy, for not gathering around documentary disabled user, cloud platform ensures that the information by received associated subscriber file and private key can not obtain the related content of user file and private key for user; In the ownership checking of file, the judgement that ownership is verified is transferred to validated user, whether other users are owners of this file to only have file owners to determine, after File Ownership checking, the file using superencipher to encrypt at different user private key for user carries out redundancy elimination.
2. method according to claim 1, comprises further:
When not having file owners online when new user uploads the file existed, once there be user's upload file, then instant storage file, the process that user's execute file creates, two parts of identical file of cloud platform actual storage are shared by one group of user respectively; Merge two groups of users time online two groups of users have while, two groups of merging process are as follows:
1) second group of user proves its File Ownership to first group of user, first group of user challenges to second group of user with leaf node sequence number, second group of user fetches relevant node from cloud platform, and complete proof according to file de-redundancy process, when first group of user completes the checking to second group of user, the key of encryption is sent to cloud platform by first group of user, and cloud platform is transmitted to second group of user;
2) after second group of user receives key, calculate superencipher private key, then send to cloud platform, and second group of user changes this locality storage into new index file;
3) after cloud platform receives information, the superencipher private key of second group of user is modified, the shared file of second group deleted by cloud platform, when in second group, other users are online, superencipher private key is sent to other users in second group by cloud platform, and in second group, other users upgrade cloud platform and the local superencipher private key stored.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201510131878.3A CN104660720A (en) | 2015-03-25 | 2015-03-25 | Security storage method based on identity authentication |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201510131878.3A CN104660720A (en) | 2015-03-25 | 2015-03-25 | Security storage method based on identity authentication |
Publications (1)
Publication Number | Publication Date |
---|---|
CN104660720A true CN104660720A (en) | 2015-05-27 |
Family
ID=53251407
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201510131878.3A Pending CN104660720A (en) | 2015-03-25 | 2015-03-25 | Security storage method based on identity authentication |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN104660720A (en) |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN106412087A (en) * | 2016-10-25 | 2017-02-15 | 福建师范大学 | Method and system for sharing ownership proofs |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN103731261A (en) * | 2014-01-09 | 2014-04-16 | 西安电子科技大学 | Secret key distribution method under encrypted repeating data deleted scene |
CN103812927A (en) * | 2012-11-14 | 2014-05-21 | 书生云服务公司 | Storage method |
US20140281486A1 (en) * | 2013-03-13 | 2014-09-18 | Alex Nayshtut | Community-based de-duplication for encrypted data |
US20140344572A1 (en) * | 2011-09-26 | 2014-11-20 | Subhashis Mohanty | Secure cloud storage and synchronization systems and methods |
-
2015
- 2015-03-25 CN CN201510131878.3A patent/CN104660720A/en active Pending
Patent Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20140344572A1 (en) * | 2011-09-26 | 2014-11-20 | Subhashis Mohanty | Secure cloud storage and synchronization systems and methods |
CN103812927A (en) * | 2012-11-14 | 2014-05-21 | 书生云服务公司 | Storage method |
US20140281486A1 (en) * | 2013-03-13 | 2014-09-18 | Alex Nayshtut | Community-based de-duplication for encrypted data |
CN103731261A (en) * | 2014-01-09 | 2014-04-16 | 西安电子科技大学 | Secret key distribution method under encrypted repeating data deleted scene |
Non-Patent Citations (1)
Title |
---|
金学学等: ""云存储中带拥有权证明的加密数据去重复"", 《信息安全与通信保密》 * |
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN106412087A (en) * | 2016-10-25 | 2017-02-15 | 福建师范大学 | Method and system for sharing ownership proofs |
CN106412087B (en) * | 2016-10-25 | 2019-02-19 | 福建师范大学 | A kind of method and system that tenant in common proves |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN111639361B (en) | Block chain key management method, multi-person common signature method and electronic device | |
CN109495274B (en) | Decentralized intelligent lock electronic key distribution method and system | |
CN103763315B (en) | A kind of trust data access control method being applied to mobile device cloud storage | |
CN110049016B (en) | Data query method, device, system, equipment and storage medium of block chain | |
US9767299B2 (en) | Secure cloud data sharing | |
CN113691502B (en) | Communication method, device, gateway server, client and storage medium | |
CN105100083B (en) | A kind of secret protection and support user's revocation based on encryption attribute method and system | |
CN103731432A (en) | Multi-user supported searchable encryption system and method | |
CN113067699B (en) | Data sharing method and device based on quantum key and computer equipment | |
CN103763319A (en) | Method for safely sharing mobile cloud storage light-level data | |
CN111274599A (en) | Data sharing method based on block chain and related device | |
CN101815091A (en) | Cipher providing equipment, cipher authentication system and cipher authentication method | |
US9203610B2 (en) | Systems and methods for secure peer-to-peer communications | |
CN104158827A (en) | Cryptograph data sharing method and device, inquiring server and data uploading client terminal | |
CN109543443A (en) | User data management, device, equipment and storage medium based on block chain | |
CN112131316A (en) | Data processing method and device applied to block chain system | |
CN103634114A (en) | Verifying method and system for intelligent secret key | |
Nirmala et al. | Data confidentiality and integrity verification using user authenticator scheme in cloud | |
CN109525388B (en) | Combined encryption method and system with separated keys | |
WO2020123926A1 (en) | Decentralized computing systems and methods for performing actions using stored private data | |
CN111970114B (en) | File encryption method, system, server and storage medium | |
CN104967693A (en) | Document similarity calculation method facing cloud storage based on fully homomorphic password technology | |
CN109495251A (en) | Anti- quantum calculation wired home cloud storage method and system based on key card | |
CN104993931A (en) | Multi-user encrypted search method in cloud storage | |
CN102404337A (en) | Data encryption method and device |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
RJ01 | Rejection of invention patent application after publication |
Application publication date: 20150527 |
|
RJ01 | Rejection of invention patent application after publication |