Summary of the invention
It is an object of the invention to provide a storage method, a download method and corresponding systems for a third-party cloud storage platform, so as to improve the security of data that a user stores through such a platform.
To achieve the above object, the invention provides the following scheme:
A storage method for a third-party cloud storage platform, the storage method comprising:
logging in to a client;
obtaining a digital certificate from a CA (certificate authority); the digital certificate comprises a signing certificate and an encryption certificate;
installing the digital certificate in the client;
encrypting a file to be stored according to the encryption certificate, to obtain an encrypted file;
uploading additional information about the file to be stored to the user's server according to the signing certificate, the server being the server that corresponds to the client used by the user; the additional information about the file includes the name, size, signature data, encryption certificate and digest of the file;
storing the encrypted file to the third-party cloud storage platform.
Optionally, obtaining the digital certificate from the CA specifically comprises:
applying to the CA for a digital certificate using the domestic (SM-series) algorithms, to obtain a newly issued digital certificate;
where the user has previously applied to the CA for such a digital certificate and already holds one, obtaining the digital certificate selected by the user: if the user chooses to use the existing digital certificate, the existing digital certificate is obtained; if the user chooses to use the newly issued digital certificate, the newly issued digital certificate is obtained.
Optionally, encrypting the file to be stored according to the encryption certificate specifically comprises:
generating a random symmetric key according to the SM4 algorithm;
dividing the file to be stored into multiple data blocks;
encrypting the multiple data blocks with the symmetric key, to obtain ciphertext data blocks;
obtaining the encrypted file, which comprises all the ciphertext data blocks.
Optionally, uploading the additional information about the file to be stored to the user's server according to the signing certificate specifically comprises:
encrypting the symmetric key according to the encryption certificate, to obtain the ciphertext of the symmetric key;
computing the digest of each data block according to the SM3 algorithm, to obtain the digest file of the data block;
signing the n-th digest file with the SM2 algorithm according to the signing certificate, to obtain the signature data; the n-th digest file is the last digest file, and is the digest computed over the (n-1)-th digest file concatenated with the n-th data block, the n-th data block being the last data block;
uploading the additional information about the file to be stored to the user's server, the additional information including the name of the file, the size of the file, the size of each data block, the signature data, the ciphertext of the symmetric key, the encryption certificate and the last digest file.
The present invention also provides a storage system for a third-party cloud storage platform, the storage system comprising:
a client login module, for logging in to the client;
a digital certificate acquisition module, for obtaining the digital certificate from the CA; the digital certificate comprises a signing certificate and an encryption certificate;
a digital certificate installation module, for installing the digital certificate in the client;
an encryption module, for encrypting the file to be stored according to the encryption certificate, to obtain the encrypted file;
an additional information upload module, for uploading the additional information about the file to be stored to the user's server according to the signing certificate, the server being the server that corresponds to the client used by the user; the additional information about the file includes the name, size, signature data, encryption certificate and digest of the file;
a storage module, for storing the encrypted file to the third-party cloud storage platform.
Optionally, the digital certificate acquisition module specifically comprises:
a digital certificate application unit, for applying to the CA for a digital certificate using the domestic algorithms and obtaining the newly issued digital certificate;
a digital certificate selection unit, for obtaining, where the user has previously applied to the CA for such a digital certificate and already holds one, the digital certificate selected by the user: if the user chooses to use the existing digital certificate, the existing digital certificate is obtained; if the user chooses to use the newly issued digital certificate, the newly issued digital certificate is obtained.
Corresponding to the storage method for a third-party cloud storage platform described above, the present invention also provides a download method for a third-party cloud storage platform, the download method comprising:
obtaining the digital certificate from the CA; the digital certificate comprises a signing certificate and an encryption certificate, and was installed in the client before the user stored the file;
downloading the file stored on the third-party cloud storage platform, to obtain the downloaded file; the file stored on the third-party cloud storage platform is the file encrypted according to the encryption certificate;
decrypting the downloaded file according to the encryption certificate, to obtain the decrypted file;
verifying the additional information about the decrypted file using the signing certificate; the additional information about the file includes the name, size, signature data, encryption certificate and digest of the file;
obtaining the decrypted file that passed verification.
Optionally, decrypting the downloaded file according to the encryption certificate to obtain the decrypted file specifically comprises:
decrypting the ciphertext of the symmetric key for the downloaded file with the private key of the encryption certificate, to obtain the symmetric key; the symmetric key is the symmetric key generated at random according to the SM4 algorithm before the downloaded file was stored, and the ciphertext of the symmetric key was obtained by encrypting the symmetric key according to the encryption certificate;
decrypting the ciphertext data blocks in the downloaded file with the symmetric key, to obtain plaintext data blocks; the downloaded file was divided into multiple data blocks before storage, and the ciphertext data blocks were obtained by encrypting the multiple data blocks with the symmetric key;
obtaining the decrypted file, which comprises all the plaintext data blocks.
Optionally, verifying the additional information about the decrypted file using the signing certificate specifically comprises:
obtaining the additional information that was recorded for the downloaded file before it was stored; this additional information is kept on the user's server;
computing the digest of each plaintext data block according to the SM3 algorithm, to obtain the digest file of the plaintext data block;
verifying with the public key of the signing certificate whether the digest file matches the signature data; the signature data is the signature obtained by signing the n-th digest file with the SM2 algorithm according to the signing certificate; the downloaded file was divided into n data blocks before storage, the n-th digest file is the last digest file, and is the digest computed over the (n-1)-th digest file concatenated with the n-th data block.
The present invention also provides a download system for a third-party cloud storage platform, the download system comprising:
a digital certificate acquisition module, for obtaining the digital certificate from the CA; the digital certificate comprises a signing certificate and an encryption certificate, and was installed in the client before the user stored the file;
a download module, for downloading the file stored on the third-party cloud storage platform, to obtain the downloaded file; the file stored on the third-party cloud storage platform is the file encrypted according to the encryption certificate;
a decryption module, for decrypting the downloaded file according to the encryption certificate, to obtain the decrypted file;
a verification module, for verifying the additional information about the decrypted file using the signing certificate; the additional information about the file includes the name, size, signature data, encryption certificate and digest of the file;
a decrypted file acquisition module, for obtaining the decrypted file that passed verification.
According to the specific embodiments provided by the invention, the invention discloses the following technical effects:
Because the file is encrypted on the client before it is stored, control over the privacy of the data stays with the user on the client, and the platform holds only ciphertext, so a data leak on the service side does not expose the plaintext; the domestic cryptographic algorithms used are independently controllable; the private key is managed by the user alone, so the third-party cloud storage platform cannot decrypt the files the user uploads, which improves the security of the user's stored files; further, decryption is performed on the client, and the client verifies whether the stored file has been modified, which improves security further.
Embodiments
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the accompanying drawings. Obviously, the described embodiments are only some of the embodiments of the invention, not all of them. All other embodiments obtained by a person of ordinary skill in the art on the basis of the embodiments of the invention without creative effort fall within the scope of protection of the invention.
To make the above objects, features and advantages of the invention easier to understand, the invention is explained in further detail below with reference to the drawings and specific embodiments.
Fig. 1 is a schematic flowchart of embodiment 1 of the storage method for a third-party cloud storage platform of the present invention. As shown in Fig. 1, the storage method comprises:
Step 101: log in to the client. The user registers with, or logs in to, a client of their own, instead of logging in through a traditional browser web page.
Step 102: obtain the digital certificate from the CA. CA stands for Certificate Authority, the authority that issues certificates. The user applies to a third-party CA for a digital double certificate using the domestic algorithms. The digital certificate comprises an encryption certificate and a signing certificate.
After applying to the CA for the digital certificate using the domestic algorithms, the user obtains the newly issued digital certificate. Where the user has previously applied to the CA for such a digital certificate and already holds one, the digital certificate selected by the user is obtained (the user may choose between the existing digital certificate and the newly issued one): if the user chooses to use the existing digital certificate, the existing digital certificate is obtained; if the user chooses to use the newly issued digital certificate, the newly issued digital certificate is obtained.
Step 103: install the digital certificate in the client.
Step 104: encrypt the file to be stored according to the encryption certificate. The specific process of encrypting the file to be stored with the encryption certificate is:
generate a random symmetric key according to the SM4 algorithm;
divide the file to be stored into multiple data blocks;
encrypt the multiple data blocks with the symmetric key, to obtain ciphertext data blocks;
obtain the encrypted file, which comprises all the ciphertext data blocks.
Step 105: upload the additional information about the file to be stored to the server according to the signing certificate. The specific process is:
encrypt the symmetric key according to the encryption certificate, to obtain the ciphertext of the symmetric key;
compute the digest of each data block according to the SM3 algorithm, to obtain the digest file of the data block;
sign the n-th digest file with the SM2 algorithm according to the signing certificate, to obtain the signature data; the n-th digest file is the last digest file, and is the digest computed over the (n-1)-th digest file concatenated with the n-th data block, the n-th data block being the last data block;
upload the additional information about the file to be stored to the user's server; the additional information includes the name of the file, the size of the file, the size of each data block, the signature data, the ciphertext of the symmetric key, the encryption certificate and the last digest file.
Step 106: store the encrypted file to the third-party cloud storage platform. The file stored on the third-party cloud storage platform is thus the encrypted file, so the plaintext cannot be disclosed by the third-party cloud storage platform, which is secure.
After the user has stored the encrypted file to the third-party cloud storage platform, the uploaded file list can be viewed through the client, and when the user needs a file, the specified file can be selected for download from the uploaded file list shown by the client.
Corresponding to the storage method of Fig. 1, Fig. 2 is a schematic flowchart of embodiment 1 of the download method for a third-party cloud storage platform of the present invention. As shown in Fig. 2, the download method comprises:
Step 201: obtain the digital certificate from the CA. The digital certificate obtained in this step is the digital certificate installed in the client before the user stored the file, i.e. the digital certificate installed in steps 102-103.
Step 202: download the file stored on the third-party cloud storage platform. Because the file stored on the third-party cloud storage platform is the file encrypted according to the encryption certificate, the downloaded file obtained at this point is the encrypted file.
Step 203: decrypt the downloaded file according to the encryption certificate. Corresponding to the file encryption of step 104, the process of decrypting the downloaded file according to the encryption certificate is:
decrypt the ciphertext of the symmetric key for the downloaded file with the private key of the encryption certificate, to obtain the symmetric key; the symmetric key is the symmetric key generated at random according to the SM4 algorithm before the downloaded file was stored, and the ciphertext of the symmetric key was obtained by encrypting the symmetric key according to the encryption certificate;
decrypt the ciphertext data blocks in the downloaded file with the symmetric key, to obtain plaintext data blocks; the downloaded file was divided into multiple data blocks before storage, and the ciphertext data blocks were obtained by encrypting the multiple data blocks with the symmetric key;
obtain the decrypted file, which comprises all the plaintext data blocks.
Step 204: verify the additional information about the decrypted file using the signing certificate. The specific verification process is:
obtain the additional information that was recorded for the downloaded file before it was stored; this additional information is kept on the user's server;
compute the digest of each plaintext data block according to the SM3 algorithm, to obtain the digest file of the plaintext data block;
verify with the public key of the signing certificate whether the digest file matches the signature data; the signature data is the signature obtained by signing the n-th digest file with the SM2 algorithm according to the signing certificate; the downloaded file was divided into n data blocks before storage, the n-th digest file is the last digest file, and is the digest computed over the (n-1)-th digest file concatenated with the n-th data block.
Step 205: obtain the decrypted file that passed verification. Passing verification shows that the file was not modified by the third-party cloud storage platform service and can be used safely; the user obtains the plaintext file.
Fig. 3 is a schematic structural diagram of the storage system for a third-party cloud storage platform of the present invention. As shown in Fig. 3, the storage system comprises:
a client login module 301, for logging in to the client;
a digital certificate acquisition module 302, for obtaining the digital certificate from the CA; the digital certificate comprises a signing certificate and an encryption certificate.
The digital certificate acquisition module 302 specifically comprises:
a digital certificate application unit, for applying to the CA for a digital certificate using the domestic algorithms and obtaining the newly issued digital certificate;
a digital certificate selection unit, for obtaining, where the user has previously applied to the CA for such a digital certificate and already holds one, the digital certificate selected by the user: if the user chooses to use the existing digital certificate, the existing digital certificate is obtained; if the user chooses to use the newly issued digital certificate, the newly issued digital certificate is obtained.
A digital certificate installation module 303, for installing the digital certificate in the client.
An encryption module 304, for encrypting the file to be stored according to the encryption certificate, to obtain the encrypted file.
An additional information upload module 305, for uploading the additional information about the file to be stored to the user's server according to the signing certificate, the server being the server that corresponds to the client used by the user; the additional information about the file includes the name, size, signature data, encryption certificate and digest of the file.
A storage module 306, for storing the encrypted file to the third-party cloud storage platform.
Fig. 4 is a schematic structural diagram of the download system for a third-party cloud storage platform of the present invention. As shown in Fig. 4, the download system comprises:
a digital certificate acquisition module 401, for obtaining the digital certificate from the CA; the digital certificate comprises a signing certificate and an encryption certificate, and was installed in the client before the user stored the file.
A download module 402, for downloading the file stored on the third-party cloud storage platform, to obtain the downloaded file; the file stored on the third-party cloud storage platform is the file encrypted according to the encryption certificate.
A decryption module 403, for decrypting the downloaded file according to the encryption certificate, to obtain the decrypted file.
A verification module 404, for verifying the additional information about the decrypted file using the signing certificate; the additional information about the file includes the name, size, signature data, encryption certificate and digest of the file.
A decrypted file acquisition module 405, for obtaining the decrypted file that passed verification.
Embodiment 2 of the present invention takes the Alibaba Cloud Object Storage Service (OSS) cloud storage platform as an example; the storage method of the invention is shown in Fig. 5 and the download method of the invention in Fig. 6.
When a traditional third-party cloud storage platform stores data, the data uploaded by the user is encrypted with object encryption keys: each uploaded file has its own object encryption key, and all object encryption keys are encrypted with a single master key and kept by the platform. The present invention instead uses a digital double certificate: the file data is encrypted with the encryption certificate and signed with the signing certificate. Fig. 5 is a schematic flowchart of embodiment 2 of the storage method for a third-party cloud storage platform of the present invention; the storage method comprises:
(1) the user registers with / logs in to the client;
(2) the user configures the Alibaba Cloud OSS account;
(3) the user applies to a third-party CA for a double certificate using the domestic algorithms and installs it in the client;
(4) the user encrypts the file with the encryption certificate and uploads the encrypted file to Alibaba Cloud OSS;
(5) the user signs the file with the signing certificate, and uploads the file name, file size, file signature, file encryption certificate, file block size, encrypted SM4 symmetric key, file digest and similar information to our server that corresponds to our client;
(6) the user can view the uploaded file list through the client.
Details of the encryption technique used in steps (4) and (5):
1) generate a random SM4 symmetric key p1 (in hexadecimal, for example: 36f33a1cef51e09516385b5bd9fb302f);
2) encrypt p1 with the encryption certificate, to obtain the random symmetric key ciphertext mp1;
3) encrypt the file block by block:
a) read the n-th block of file data Dn (n = 1, 2, ...; each read is a multiple of the minimum size required by OSS, or defaults to 1k if OSS imposes no requirement);
b) encrypt Dn with p1, to obtain the ciphertext data block En (n = 1, 2, ...);
c) call the Alibaba Cloud OSS SDK to upload En;
d) compute the digest with the SM3 algorithm: Hn = SM3(Hn-1 | Dn) (| denotes concatenation), i.e. the (n-1)-th digest file concatenated with the n-th data block is hashed with SM3 to obtain the n-th digest file;
e) if the file has not been fully read, go to a); otherwise go to 4);
4) sign the last block digest Hn with SM2 using the signing certificate, to obtain the signature data S1;
5) save the file name, file size, file block size, mp1, Hn (the last digest, computed in the final round), S1 and the encryption certificate in the local cache, and at the same time upload them to our server that corresponds to our client.
Correspondingly, in the traditional mode, when the user downloads a file the service side decrypts the encrypted stored object and returns the decrypted data to the user. The present invention instead uses a digital double certificate: the file data is decrypted with the encryption certificate, the signature on the file data is verified with the signing certificate, and the user keeps the file that passed verification. Fig. 6 is a schematic flowchart of embodiment 2 of the download method for a third-party cloud storage platform of the present invention. As shown in Fig. 6, the download method comprises:
(1) when the user needs a file, the specified file is selected for download from the uploaded file list shown by the client;
(2) the client decrypts the downloaded encrypted file with the encryption certificate and verifies the file signature with the signing certificate.
The detailed decryption process is:
1) read the digest information of the encrypted file from the local cache, obtaining the file name, file size, file block size, mp1, Hn, S1 and the encryption certificate;
2) decrypt mp1 with the private key of the encryption certificate, to obtain p1;
3) process the encrypted file by block-wise decryption:
a) download the n-th data block En (n = 1, 2, ...) of the encrypted file through the Alibaba Cloud OSS SDK;
b) decrypt En with p1, to obtain the plaintext data block Dn;
c) compute the digest with the SM3 algorithm: H'n = SM3(H'n-1 | Dn) (| denotes concatenation), i.e. the chain is recomputed from the decrypted blocks rather than copied from the stored digests;
d) if the encrypted file has not been fully downloaded, go to a); otherwise go to 4);
4) verify with the public key of the signing certificate whether the signature S1 is valid, i.e. whether the recomputed H'n matches the signature data S1; passing verification shows that the file was not modified by the third-party storage service and can be used safely;
5) the user obtains the plaintext file.
Here SM4 denotes the domestic symmetric-key algorithm, SM3 the domestic digest algorithm and SM2 the domestic public-key algorithm.
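The block-digest chain at the heart of steps 3d and 4 of both embodiment 2 flows (upload: Hn = SM3(Hn-1 | Dn); download: recompute H'n and compare) is easy to get subtly wrong, so the following is an added worked example, not code from the patent or from any product it describes. It implements SM3 in pure Python (standard library only) and folds it over the file blocks exactly as the page specifies, then shows the download-side check rejecting a flipped bit, reordered blocks, a truncated file and an appended block. Assumptions not stated on the page: H0 is taken to be the empty string; the default block size is the 1k fallback from step 3a; the manifest field names (name, size, block_size, digest) are hypothetical; and because the standard library has no SM2, the SM2 signature S1 over Hn is not produced here, so the example verifies the unsigned Hn and leaves signature verification to the caller's SM2 library.

```python
"""Added example: SM3 hash chain over file blocks, as used by the storage and
download flows of the page. Standard library only; sample data is constructed."""
import struct

_MASK = 0xFFFFFFFF
# SM3 initial value (GB/T 32905-2016)
_IV = (0x7380166F, 0x4914B2B9, 0x172442D7, 0xDA8A0600,
       0xA96F30BC, 0x163138AA, 0xE38DEE4D, 0xB0FB0E4E)


def _rotl(x, n):
    n %= 32
    return ((x << n) | (x >> (32 - n))) & _MASK


def _p0(x):
    return x ^ _rotl(x, 9) ^ _rotl(x, 17)


def _p1(x):
    return x ^ _rotl(x, 15) ^ _rotl(x, 23)


def _compress(v, block):
    """One SM3 compression over a 64-byte block; returns the new state."""
    w = list(struct.unpack(">16I", block))
    for j in range(16, 68):
        w.append(_p1(w[j - 16] ^ w[j - 9] ^ _rotl(w[j - 3], 15))
                 ^ _rotl(w[j - 13], 7) ^ w[j - 6])
    w1 = [w[j] ^ w[j + 4] for j in range(64)]
    a, b, c, d, e, f, g, h = v
    for j in range(64):
        if j < 16:
            t, ff, gg = 0x79CC4519, a ^ b ^ c, e ^ f ^ g
        else:
            t = 0x7A879D8A
            ff = (a & b) | (a & c) | (b & c)
            gg = (e & f) | (~e & g)
        ss1 = _rotl((_rotl(a, 12) + e + _rotl(t, j)) & _MASK, 7)
        ss2 = ss1 ^ _rotl(a, 12)
        tt1 = (ff + d + ss2 + w1[j]) & _MASK
        tt2 = (gg + h + ss1 + w[j]) & _MASK
        a, b, c, d = tt1, a, _rotl(b, 9), c
        e, f, g, h = _p0(tt2), e, _rotl(f, 19), g
    return tuple(x ^ y for x, y in zip(v, (a, b, c, d, e, f, g, h)))


def sm3(data: bytes) -> bytes:
    """SM3 digest (32 bytes). Padding: 0x80, zeros to 56 mod 64, 64-bit bit length."""
    padded = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64)
    padded += struct.pack(">Q", len(data) * 8)
    v = _IV
    for i in range(0, len(padded), 64):
        v = _compress(v, padded[i:i + 64])
    return struct.pack(">8I", *v)


BLOCK_SIZE = 1024  # the page's 1k default when OSS imposes no minimum part size
H0 = b""           # H_0 is not defined on the page; empty string assumed here


def split_blocks(data: bytes, block_size: int = BLOCK_SIZE) -> list:
    """D_1..D_n: fixed-size plaintext blocks, the last one possibly shorter."""
    return [data[i:i + block_size] for i in range(0, len(data), block_size)]


def chained_digest(blocks, h0: bytes = H0) -> bytes:
    """H_n = SM3(H_{n-1} | D_n), folded over the blocks in upload order."""
    h = h0
    for d in blocks:
        h = sm3(h + d)
    return h


def make_manifest(name: str, data: bytes, block_size: int = BLOCK_SIZE):
    """Upload side (steps 3d and 5): the additional information that is kept on
    the user's own server and local cache, never on the cloud platform.
    Hypothetical field names; S1 (SM2 over H_n) would be added by the caller."""
    blocks = split_blocks(data, block_size)
    manifest = {"name": name, "size": len(data), "block_size": block_size,
                "digest": chained_digest(blocks).hex()}
    return manifest, blocks


def verify_download(manifest: dict, blocks) -> bool:
    """Download side (steps 3c and 4): recompute H'_n over the decrypted blocks
    and compare with the stored H_n. Block count and total size are checked
    first, so truncation or an appended block is rejected before any hashing."""
    expected_blocks = -(-manifest["size"] // manifest["block_size"])  # ceil
    if len(blocks) != expected_blocks:
        return False
    if sum(len(b) for b in blocks) != manifest["size"]:
        return False
    return chained_digest(blocks).hex() == manifest["digest"]


if __name__ == "__main__":
    # Constructed sample file: 200 twelve-byte records, 2400 bytes -> 3 blocks.
    sample = b"".join(b"record %04d\n" % i for i in range(200))
    manifest, blocks = make_manifest("demo.bin", sample)
    print(manifest)
    print("intact download:", verify_download(manifest, blocks))
    blocks[1] = bytes([blocks[1][0] ^ 1]) + blocks[1][1:]
    print("one bit flipped in block 2:", verify_download(manifest, blocks))
```

Two design points worth noting. The chain binds block order as well as block content, which a per-block digest list alone would not, and it lets the client hash incrementally while blocks are still arriving from OSS. It only protects integrity, however, if the stored Hn (and the S1 that signs it) is fetched from the user's own server as the page requires: a manifest stored alongside the ciphertext on the platform being verified could be rewritten together with the blocks.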
When using the storage method and download method provided by the invention, the following operations need to be performed:
1. Initialization of the secure storage client:
1) the user applies to the CA for a digital double certificate (one signing certificate and one encryption certificate); if the user has applied before, the user may choose to:
use the existing digital certificate;
use a new digital certificate.
2) configure the client parameters (including but not limited to the third-party cloud storage service account) and synchronize them to the secure cloud storage server; if the user has configured them before, the configuration is synchronized from the secure storage server instead;
3) synchronize the file storage digests from the cloud secure storage service (if there are any).
Effect of initialization:
the double certificate for encryption and signing is ready; the parameter configuration for the third-party OSS cloud storage in use is complete, which is a precondition for uploading files to the third-party OSS cloud storage; and the storage digests are downloaded from the cloud secure storage service side (which is part of this scheme and does not belong to the third party), so that the index and digest information of the files stored before this synchronization (the machine may have been replaced, the system reinstalled, etc.) are available, all stored files can be browsed in the client, and the corresponding files can be downloaded.
2. Encrypting, signing and uploading a file:
1) the user uploads a file through the secure storage client;
2) the file is encrypted block by block with the encryption certificate and uploaded to the third-party cloud storage service, and a digital signature attribute for the file is produced with the signing certificate;
3) the secure storage client synchronizes the file's storage digest information (storage access unique identifier, encryption certificate, encrypted symmetric key, etc.) to the secure cloud storage service side.
3. Downloading, decrypting and verifying a file:
1) according to the storage digest of the file the user selected for download, the client determines whether the certificate and private key needed for decryption exist locally; if they do not, it applies to the CA for recovery and reacquires the decryption certificate and private key (this is possible because, in the double-certificate model, the encryption key pair is generated and escrowed by the CA's key management centre, whereas the signing private key is generated on the client and cannot be recovered this way);
2) the file is decrypted after being downloaded locally;
3) whether the file has been tampered with or damaged is verified by checking the file's digital signature attribute.
The embodiments in this specification are described in a progressive manner; each embodiment focuses on its differences from the other embodiments, and the same or similar parts of the embodiments may be referred to one another. Since the systems disclosed in the embodiments correspond to the methods disclosed in the embodiments, their description is relatively brief, and the relevant parts may be found in the description of the methods.
Specific examples are used herein to explain the principles and embodiments of the invention; the description of the above embodiments is only intended to help understand the method of the invention and its core idea. Meanwhile, a person of ordinary skill in the art may, in accordance with the idea of the invention, make changes in the specific embodiments and scope of application. In summary, the content of this specification should not be construed as limiting the invention.