CN107872532A - A kind of storage of third party cloud storage platform, the method and system downloaded - Google Patents

A kind of storage of third party cloud storage platform, the method and system downloaded Download PDF

Info

Publication number
CN107872532A
CN107872532A CN201711206526.5A CN201711206526A CN107872532A CN 107872532 A CN107872532 A CN 107872532A CN 201711206526 A CN201711206526 A CN 201711206526A CN 107872532 A CN107872532 A CN 107872532A
Authority
CN
China
Prior art keywords
file
certificate
digital certificate
encrypted
storage
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201711206526.5A
Other languages
Chinese (zh)
Other versions
CN107872532B (en
Inventor
王超
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
ITRUSCHINA Co.,Ltd.
Original Assignee
Beijing Tiancheng Shun Polytron Technologies Inc
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing Tiancheng Shun Polytron Technologies Inc filed Critical Beijing Tiancheng Shun Polytron Technologies Inc
Priority to CN201711206526.5A priority Critical patent/CN107872532B/en
Publication of CN107872532A publication Critical patent/CN107872532A/en
Application granted granted Critical
Publication of CN107872532B publication Critical patent/CN107872532B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00Network arrangements or protocols for supporting network services or applications
    • H04L67/01Protocols
    • H04L67/10Protocols in which an application is distributed across nodes in the network
    • H04L67/1097Protocols in which an application is distributed across nodes in the network for distributed storage of data in networks, e.g. transport arrangements for network file system [NFS], storage area networks [SAN] or network attached storage [NAS]
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/04Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0435Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply symmetric encryption, i.e. same key used for encryption and decryption
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0823Network architectures or network communication protocols for network security for authentication of entities using certificates
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00Network arrangements or protocols for supporting network services or applications
    • H04L67/01Protocols
    • H04L67/06Protocols specially adapted for file transfer, e.g. file transfer protocol [FTP]
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3263Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Storage Device Security (AREA)

Abstract

The present invention discloses a kind of storage of third party cloud storage platform, the method and system downloaded.Storage method includes:Log in client;Obtain the digital certificate of CA mechanisms;The digital certificate is attached to the client;File to be stored, the file after being encrypted are encrypted according to the encrypted certificate;The additional information of the file to be stored is uploaded to the server of user according to the signing certificate.Method for down loading includes:Obtain the digital certificate of CA mechanisms;The file of third party cloud storage platform storage is downloaded, obtains the file of download;The file of the third party cloud storage platform storage is the file after being encrypted according to the encrypted certificate;File decryption according to the encrypted certificate to the download;The additional information of the file after the decryption is verified using signing certificate;Obtain the file after the decryption being verified.The storage of the present invention, the method and system downloaded, improve user file storage and the security performance downloaded.

Description

A kind of storage of third party cloud storage platform, the method and system downloaded
Technical field
Cloud storage field of the present invention, more particularly to a kind of storage of third party cloud storage platform, the method downloaded and it is System.
Background technology
Third party cloud stores at present, such as Ali's cloud storage, is all that the clear text file used uploads, is adopted in upload procedure With SSL encryption transmission, the secret protection in transmitting procedure is realized, still, the information for being stored in service end still has user The risk divulged a secret in the case of not knowing.Third party cloud, which stores, mainly to be showed the unreliability of storage information privacy protection :
A) third party cloud storage service lacks secrecy safeguards technique or using incomplete information storage secrecy safeguards technique;
B) management of third party cloud storage service operation security, security control are unreliable, the risk divulged a secret by inside be present.
Therefore, there is the internal risk divulged a secret in the data that user is stored by third party cloud storage platform, security is low.
The content of the invention
It is an object of the invention to provide a kind of storage of third party cloud storage platform, the method and system downloaded, to improve The security that user passes through third party cloud storage platform data storage.
To achieve the above object, the invention provides following scheme:
A kind of storage method of third party cloud storage platform, the storage method include:
Log in client;
Obtain the digital certificate of CA mechanisms;The digital certificate includes signing certificate and encrypted certificate;
The digital certificate is attached to the client;
File to be stored, the file after being encrypted are encrypted according to the encrypted certificate;
The additional information of the file to be stored is uploaded to the server of user, the clothes according to the signing certificate Server corresponding to the client that business device uses for the user;Title of the additional information of the file including the file, Size, signed data, encrypted certificate and summary;
File after the encryption is stored to third party cloud storage platform.
Optionally, the digital certificate of the acquisition CA mechanisms, is specifically included:
To the digital certificate of the domestic algorithm of CA mechanisms application, the digital certificate newly applied is obtained;
When the user is before the digital certificate newly applied is obtained, the excessively described numeral of CA mechanisms application described in warp-wise is demonstrate,proved Book, when obtaining existing digital certificate, the digital certificate according to corresponding to obtaining the selection of the user;When user selection makes During with existing digital certificate, the existing digital certificate is obtained;When the user is selected using the digital certificate newly applied When, the digital certificate of the acquisition new application.
Optionally, it is described that file to be stored is encrypted according to the encrypted certificate, specifically include:
Random symmetrical key is produced according to SM4 algorithms;
The file to be stored is divided into multiple data blocks;
According to the multiple encryption of blocks of data of the symmetrical secret key pair, ciphertext block data is obtained;
File after being encrypted, the file after the encryption include all ciphertext block datas.
Optionally, the clothes that the additional information of the file to be stored is uploaded to user according to the signing certificate Business device, is specifically included:
The symmetrical key is encrypted according to the encrypted certificate, obtains the ciphertext of symmetrical key;
The summary of the data block is calculated according to SM3 algorithms, obtains the Summary file of the data block;
According to the signing certificate, n-th of Summary file is signed using SM2 algorithms, obtains signed data;It is described N-th of Summary file is last Summary file, and n-th of Summary file is that (n-1)th Summary file splices nth According to the Summary file after block, the nth data block is last data block;
The additional information of the file to be stored is uploaded to the server of user, the additional information of the file includes The title of the file, the size of the file, the size of each data block, the signed data, the symmetrical key it is close Literary, described encrypted certificate and last Summary file.
The present invention also provides a kind of storage system of third party cloud storage platform, and the storage system includes:
Type of Client Log-on Module, for logging in client;
Digital certificate acquisition module, for obtaining the digital certificate of CA mechanisms;The digital certificate include signing certificate and Encrypted certificate;
Digital certificate installs module, for the digital certificate to be attached into the client;
Encrypting module, for encrypting file to be stored, the file after being encrypted according to the encrypted certificate;
Additional information uploading module, for being uploaded the additional information of the file to be stored according to the signing certificate To the server of user, server corresponding to the client that the server uses for the user;The additional letter of the file Breath includes title, size, signed data, encrypted certificate and the summary of the file;
Memory module, for the file after the encryption to be stored to third party cloud storage platform.
Optionally, the digital certificate acquisition module, is specifically included:
Applying digital certificate unit, for the digital certificate of the domestic algorithm of CA mechanisms application, obtaining what is newly applied Digital certificate;
Digital certificate selecting unit, for when the user is before the digital certificate newly applied is obtained, described in warp-wise The excessively described digital certificate of CA mechanisms application, when obtaining existing digital certificate, the number according to corresponding to obtaining the selection of the user Word certificate;When the user is selected using existing digital certificate, the existing digital certificate is obtained;When the user selects When selecting using the digital certificate newly applied, the digital certificate of the new application is obtained.
Corresponding to the storage method of above-mentioned third party cloud storage platform, present invention also offers another third party cloud to deposit The method for down loading of platform is stored up, the method for down loading includes:
Obtain the digital certificate of CA mechanisms;The digital certificate includes signing certificate and encrypted certificate;The digital certificate Client is attached to before user's storage file;
The file of third party cloud storage platform storage is downloaded, obtains the file of download;The third party cloud storage platform is deposited The file of storage is the file after being encrypted according to the encrypted certificate;
File decryption according to the encrypted certificate to the download, the file after being decrypted;
The additional information of the file after the decryption is verified using signing certificate;The additional information bag of the file Include title, size, signed data, encrypted certificate and the summary of the file;
Obtain the file after the decryption being verified.
Optionally, the file decryption according to the encrypted certificate to the download, the file after being decrypted, specifically Including:
The ciphertext of symmetrical key in the file of the download is decrypted according to the private key of the encrypted certificate, is obtained described symmetrical Key;The symmetrical key that the symmetrical key randomly generates before being stored for the file of the download according to SM4 algorithms, it is described symmetrical The ciphertext of key is that the ciphertext of symmetrical key is obtained after the symmetrical key is encrypted according to the encrypted certificate;
The ciphertext block data in the file of the download is decrypted according to the symmetrical key, obtains plaintext data block;It is described It is divided into multiple data blocks before the file storage of download, the ciphertext block data is according to the multiple data of the symmetrical secret key pair The ciphertext block data that block encryption obtains;
File after being decrypted, the file after the decryption include all ciphertext block datas.
Optionally, it is described that the additional information of the file after the decryption is verified using signing certificate, specifically include:
Obtain the additional information of the file before the file storage of the download;The file of the download stores the attached of preceding document Information is added to be stored in the server of user;
The summary of the plaintext data block is calculated according to SM3 algorithms, obtains the Summary file of the plaintext data block;
Whether matched with signed data according to Summary file described in the signing certificate public key verifications;The signed data is According to the signing certificate, n-th of Summary file is signed using SM2 algorithms, the signed data of acquisition;The download It is divided into n data block before file storage, n-th of Summary file is last Summary file, n-th of Summary file Splice the Summary file after nth data block for (n-1)th Summary file.
The present invention also provides a kind of download system of third party cloud storage platform, and the download system includes:
Digital certificate acquisition module, for obtaining the digital certificate of CA mechanisms;The digital certificate include signing certificate and Encrypted certificate;The digital certificate is attached to client before user's storage file;
Download module, for downloading the file of third party cloud storage platform storage, obtain the file of download;The third party The file of cloud storage platform storage is the file after being encrypted according to the encrypted certificate;
Deciphering module, for the file decryption according to the encrypted certificate to the download, the file after being decrypted;
Authentication module, for being verified using signing certificate to the additional information of the file after the decryption;The text The additional information of part includes title, size, signed data, encrypted certificate and the summary of the file;
File after decryption obtains module, the file after the decryption being verified for acquisition.
According to specific embodiment provided by the invention, the invention discloses following technique effect:
By before file stores, being encrypted using client so that the privacy of data is controlled in client by user oneself, Without any leaking data hidden danger for worrying service end;It is autonomous controllable using domestic AES;Private key is by user oneself Management, third party cloud storage platform can not decrypted user upload file, improve user storage file security performance, enter One step is decrypted using client, verifies whether the file of user's storage is modified, and further increases security performance.
Brief description of the drawings
In order to illustrate more clearly about the embodiment of the present invention or technical scheme of the prior art, below will be to institute in embodiment The accompanying drawing needed to use is briefly described, it should be apparent that, drawings in the following description are only some implementations of the present invention Example, for those of ordinary skill in the art, without having to pay creative labor, can also be according to these accompanying drawings Obtain other accompanying drawings.
Fig. 1 is the schematic flow sheet of the storage method embodiment 1 of third party cloud storage platform of the present invention;
Fig. 2 is the schematic flow sheet of the method for down loading embodiment 1 of third party cloud storage platform of the present invention;
Fig. 3 is the structural representation of the storage system of third party cloud storage platform of the present invention;
Fig. 4 is the structural representation of the download system of third party cloud storage platform of the present invention;
Fig. 5 is the schematic flow sheet of the storage method embodiment 2 of third party cloud storage platform of the present invention;
Fig. 6 is the schematic flow sheet of the method for down loading embodiment 2 of third party cloud storage platform of the present invention.
Embodiment
Below in conjunction with the accompanying drawing in the embodiment of the present invention, the technical scheme in the embodiment of the present invention is carried out clear, complete Site preparation describes, it is clear that described embodiment is only part of the embodiment of the present invention, rather than whole embodiments.It is based on Embodiment in the present invention, those of ordinary skill in the art are obtained every other under the premise of creative work is not made Embodiment, belong to the scope of protection of the invention.
In order to facilitate the understanding of the purposes, features and advantages of the present invention, it is below in conjunction with the accompanying drawings and specific real Applying mode, the present invention is further detailed explanation.
Fig. 1 is the schematic flow sheet of the storage method embodiment 1 of third party cloud storage platform of the present invention.As shown in figure 1, institute Stating storage method includes:
Step 101:Log in client.User is by registration/log in the client of oneself, no longer with traditional browser net The form that page logs in is logged in.
Step 102:Obtain the digital certificate of CA mechanisms.CA full name are CertificateAuthority, and CA mechanisms demonstrate,prove Book authoritative institution, user is by the digital double certificate of the domestic algorithm of third party CA mechanisms application.Digital certificate includes encryption and demonstrate,proved Book and signing certificate.
User obtains the digital certificate newly applied to after the digital certificate of the domestic algorithm of CA mechanisms application;When described User is before the digital certificate newly applied is obtained, and the excessively described digital certificate of CA mechanisms application described in warp-wise, is obtained existing During digital certificate, (user can select to demonstrate,prove using existing numeral digital certificate according to corresponding to obtaining the selection of the user The digital certificate that book and use are newly applied);When the user is selected using existing digital certificate, the existing number is obtained Word certificate;When the user is selected using the digital certificate newly applied, the digital certificate of the new application is obtained.
Step 103:Digital certificate is attached to client.
Step 104:File to be stored is encrypted according to encrypted certificate.File to be stored is encrypted using encrypted certificate, is had Body process is:
Random symmetrical key is produced according to SM4 algorithms;
The file to be stored is divided into multiple data blocks;
According to the multiple encryption of blocks of data of the symmetrical secret key pair, ciphertext block data is obtained;
File after being encrypted, the file after the encryption include all ciphertext block datas.
Step 105:The additional information of file to be stored is uploaded onto the server according to signing certificate.Detailed process is:
The symmetrical key is encrypted according to the encrypted certificate, obtains the ciphertext of symmetrical key;
The summary of the data block is calculated according to SM3 algorithms, obtains the Summary file of the data block;
According to the signing certificate, n-th of Summary file is signed using SM2 algorithms, obtains signed data;It is described N-th of Summary file is last Summary file, and n-th of Summary file is that (n-1)th Summary file splices nth According to the Summary file after block, the nth data block is last data block;
The additional information of the file to be stored is uploaded to the server of user, the additional information of the file includes The title of the file, the size of the file, the size of each data block, the signed data, the symmetrical key it is close Literary, described encrypted certificate and last Summary file.
Step 106:File after encryption is stored to third party cloud storage platform.So store flat to third party cloud storage The file of platform is the file after encryption, will not be revealed by third party cloud storage platform, safe.
User stores the file after encryption to third party cloud storage platform, can check what is uploaded by client Listed files, selection specified file is downloaded in the listed files of upload that can be shown when user needs by client, Corresponding to Fig. 1 storage method, Fig. 2 is the schematic flow sheet of the method for down loading embodiment 1 of third party cloud storage platform of the present invention, As shown in Fig. 2 the method for down loading includes:
Step 201:Obtain the digital certificate of CA mechanisms.The digital certificate that this step obtains is peace before user's storage file It is filled to the digital certificate of client, the i.e. digital certificate of step 102-103 installations.
Step 202:Download the file of third party cloud storage platform storage.Due to the file of third party cloud storage platform storage For the file after being encrypted according to encrypted certificate, therefore, the file of the download now obtained for encryption file.
Step 203:File decryption according to encrypted certificate to download.Process corresponding to step 104 to file encryption, root It is to the file decryption process of download according to encrypted certificate:
The ciphertext of symmetrical key, obtains the symmetrical key in the file downloaded according to the decryption of the private key of encrypted certificate;Institute The symmetrical key randomly generated before the file storage that symmetrical key is the download according to SM4 algorithms is stated, the symmetrical key Ciphertext is that the ciphertext of symmetrical key is obtained after the symmetrical key is encrypted according to the encrypted certificate;
The ciphertext block data in the file of the download is decrypted according to the symmetrical key, obtains plaintext data block;It is described It is divided into multiple data blocks before the file storage of download, the ciphertext block data is according to the multiple data of the symmetrical secret key pair The ciphertext block data that block encryption obtains;
File after being decrypted, the file after the decryption include all ciphertext block datas.
Step 204:The additional information of the file after decryption is verified using signing certificate.Specifically verification process is:
Obtain the additional information of the file before the file storage of the download;The file of the download stores the attached of preceding document Information is added to be stored in the server of user;
The summary of the plaintext data block is calculated according to SM3 algorithms, obtains the Summary file of the plaintext data block;
Whether matched with signed data according to Summary file described in the signing certificate public key verifications;The signed data is According to the signing certificate, n-th of Summary file is signed using SM2 algorithms, the signed data of acquisition;The download It is divided into n data block before file storage, n-th of Summary file is last Summary file, n-th of Summary file Splice the Summary file after nth data block for (n-1)th Summary file.
Step 205:Obtain the file after the decryption being verified.It is verified, illustrates that this document is proved not by the 3rd Square cloud storage platform service was changed, can be with safe to use, and user obtains clear text file.
Fig. 3 is the structural representation of the storage system of third party cloud storage platform of the present invention.As shown in figure 3, the storage System includes:
Type of Client Log-on Module 301, for logging in client.
Digital certificate acquisition module 302, for obtaining the digital certificate of CA mechanisms;The digital certificate includes signing certificate And encrypted certificate.
The digital certificate acquisition module 302, is specifically included:
Applying digital certificate unit, for the digital certificate of the domestic algorithm of CA mechanisms application, obtaining what is newly applied Digital certificate;
Digital certificate selecting unit, for when the user is before the digital certificate newly applied is obtained, described in warp-wise The excessively described digital certificate of CA mechanisms application, when obtaining existing digital certificate, the number according to corresponding to obtaining the selection of the user Word certificate;When the user is selected using existing digital certificate, the existing digital certificate is obtained;When the user selects When selecting using the digital certificate newly applied, the digital certificate of the new application is obtained.
Digital certificate installs module 303, for the digital certificate to be attached into the client.
Encrypting module 304, for encrypting file to be stored, the file after being encrypted according to the encrypted certificate.
Additional information uploading module 305, for according to the signing certificate by the additional information of the file to be stored It is uploaded to the server of user, server corresponding to the client that the server uses for the user;The file it is attached Information is added to include title, size, signed data, encrypted certificate and the summary of the file.
Memory module 306, for the file after the encryption to be stored to third party cloud storage platform.
Fig. 4 is the structural representation of the download system of third party cloud storage platform of the present invention.As shown in figure 4, the download System includes:
Digital certificate acquisition module 401, for obtaining the digital certificate of CA mechanisms;The digital certificate includes signing certificate And encrypted certificate;The digital certificate is attached to client before user's storage file.
Download module 402, for downloading the file of third party cloud storage platform storage, obtain the file of download;Described The file of tripartite's cloud storage platform storage is the file after being encrypted according to the encrypted certificate.
Deciphering module 403, for the file decryption according to the encrypted certificate to the download, the text after being decrypted Part.
Authentication module 404, for being verified using signing certificate to the additional information of the file after the decryption;It is described The additional information of file includes title, size, signed data, encrypted certificate and the summary of the file.
File after decryption obtains module 405, the file after the decryption being verified for acquisition.
The embodiment of the present invention 2, put down with Ali cloud object storage service (ObjectStorageService, OSS) cloud storage Exemplified by platform, storage method of the invention shown in Figure 5 and the method for down loading of the present invention shown in Fig. 6.
When traditional third party cloud storage platform stores, the data using objects encryption keys of user's upload are each The data that part uploads have an independent object encryption key, and all object encryption keys are encrypted by a master key Preserve.And the present invention uses digital certificate double certificate, file data is encrypted using encrypted certificate, uses signing certificate pair File data is signed.Fig. 5 be third party cloud storage platform of the present invention storage method embodiment 2 schematic flow sheet, institute Stating storage method includes:
(1) user's registration/login client;
(2) user configuration Ali OSS accounts;
(3) user to the domestic algorithm double certificate of third party CA mechanisms application and is installed to client;
(4) user is uploaded to the file after encryption on Ali OSS using encrypted certificate encryption file;
(5) user uses signing certificate signature file, and file name, file size, file signature, file encryption are demonstrate,proved Book, file block size, the information such as close SM4 symmetric keys, document have been added to upload to corresponding to our client me Server on;
(6) user can check the listed files uploaded by client.
The details of step (4) and step (5) encryption technology:
1) producing the random symmetrical key p1 of SM4, (16 systems represent to illustrate: 36f33a1cef51e09516385b5bd9fb302f);
2) p1 is encrypted using encrypted certificate and obtains random symmetric key ciphertext mp1;
3) it is encrypted in the form of file block:
A) read the n-th block file data Dn and (n=1,2 ..., read the multiple of minimum dimension of OSS requirements every time (such as nothing It is required that being then defaulted as 1k)):
B) Dn is encrypted using p1, obtains ciphertext block data En (n=1,2 ...);
C) Ali OSSSDK is called to upload En;
D) digest calculations are carried out using SM3 algorithms:Hn=SM3 (Hn-1 | Dn) (| represent splicing), that is, (n-1)th plucked After wanting file splicing nth data block, calculated and made a summary using SM3 algorithms, obtain n-th of Summary file;
E) file has not been read, is gone to a), is otherwise gone to 4);
4) SM2 signatures are carried out to last block summary data Hn using signing certificate, obtains signed data S1;
5) by filename, file size, file block size, mp1, Hn, (last is calculated for the last time Summary data), S1, encrypted certificate local cache preserve, while upload to corresponding to our client on server.
Corresponding, in traditional mode, when user carries out file download, service end will add close storage object to be solved It is close, the data after decryption are returned into user.And the present invention uses digital certificate double certificate, using encrypted certificate to file data It is decrypted, signature verification is carried out to file data using signing certificate, user preserves the file after being verified.Fig. 6 is this The schematic flow sheet of the method for down loading embodiment 2 of invention third party cloud storage platform.As shown in fig. 6, method for down loading includes:
(1) specified file is selected to carry out down in the listed files of upload that can be shown when user needs by client Carry;
(2) the encryption file that client is downloaded using encrypted certificate decryption, file signature is verified using signing certificate.
The detailed process of decryption is:
1) read encryption file local cache summary info, obtain filename, file size, file block size, Mp1, Hn, S1 and encrypted certificate;
2) using encrypted certificate private key decryption mp1, p1 is obtained;
3) encryption file is handled by the way of piecemeal decryption:
A) the n-th block number of encryption file is downloaded according to En (n=1,2 ...) by Ali OSSSDK;
B) the plaintext data block Dn after being decrypted using p1 decryption En;
C) digest calculations are carried out using SM3 algorithms:H ' n=SM3 (Hn-1 | Dn) (| represent splicing);
D) encryption file, which is not downloaded, finishes, and turns a), otherwise turns 5)
4) whether effective signed using signing certificate public key verifications S1, whether checking H ' n match with signed data S1, verify , can be with safe to use by then illustrating that this document proves not changed by third party's storage service;
5) user obtains clear text file.
Wherein, SM4 represents a kind of domestic symmetric key algorithm, and SM3 represents a kind of domestic data summarization algorithm, and SM2 is represented Public key algorithm.
, it is necessary to carry out following operate when using storage method provided by the invention and method for down loading:
First, safety storage client initialization:
1) user is to CA mechanisms application numeral double certificate (signing certificate, an encrypted certificate), if the user it It is preceding to have applied, then can to select:
Use existing digit certificate;
Use new digital certificate.
2) configure client parameter (including but is not limited to third party cloud storage service account) and be synchronized to safe cloud storage It is synchronous from safe storage server to have configured if the user had been configured before on server;
3) from synchronous documents storage summary in cloud security storage service (if any).
The effect of initialization:
It is ready for the double certificate encrypted, signed;The parameter configuration stored to the third party OSS clouds used is completed, this Individual is the necessary condition that can be uploaded to file in third party's OSS cloud storages;From cloud security storage service end, (this is scheme A part, be not belonging to third party) download storage summary, in order to before synchronous (machine may have been changed, reset system Deng) index, the summary info of the file that stored, can be by all files stored of Client browse, and to corresponding File is downloaded operation.
2nd, encryption, signature and upper transmitting file:
1) user is by storing safely transmitting file in client;
2) file is uploaded in third party cloud storage service and with by signing certificate pair after being encrypted certificate block encryption The digital signature attribute of documenting;
3) file is stored summary info (storage access unique mark, encrypted certificate, pair of encryption by safety storage client Claim key etc.) it is synchronized to safe cloud storage service end
3rd, download, decrypt and verify file:
1) the storage summary for the file to be downloaded that client selects according to user judges to decrypt needed for local whether there is Certificate and private key, if it does not exist, then recovering to the application of CA mechanisms, reacquire to decryption certificate and private key;
2) it is locally downloading after file is decrypted;
3) verify whether file is tampered or damages by verifying file digital signature attribute.
Each embodiment is described by the way of progressive in this specification, what each embodiment stressed be and other The difference of embodiment, between each embodiment identical similar portion mutually referring to.For system disclosed in embodiment For, because it is corresponded to the method disclosed in Example, so description is fairly simple, related part is said referring to method part It is bright.
Specific case used herein is set forth to the principle and embodiment of the present invention, and above example is said It is bright to be only intended to help the method and its core concept for understanding the present invention;Meanwhile for those of ordinary skill in the art, foundation The thought of the present invention, in specific embodiments and applications there will be changes.In summary, this specification content is not It is interpreted as limitation of the present invention.

Claims (10)

1. a kind of storage method of third party cloud storage platform, it is characterised in that the storage method includes:
Log in client;
Obtain the digital certificate of CA mechanisms;The digital certificate includes signing certificate and encrypted certificate;
The digital certificate is attached to the client;
File to be stored, the file after being encrypted are encrypted according to the encrypted certificate;
The additional information of the file to be stored is uploaded to the server of user, the server according to the signing certificate Server corresponding to the client used for the user;The title of the additional information of the file including the file, size, Signed data, encrypted certificate and summary;
File after the encryption is stored to third party cloud storage platform.
2. storage method according to claim 1, it is characterised in that the digital certificate of the acquisition CA mechanisms, specific bag Include:
To the digital certificate of the domestic algorithm of CA mechanisms application, the digital certificate newly applied is obtained;
When the user is before the digital certificate newly applied is obtained, the excessively described digital certificate of CA mechanisms application described in warp-wise, When obtaining existing digital certificate, the digital certificate according to corresponding to obtaining the selection of the user;When the user selects to use During existing digital certificate, the existing digital certificate is obtained;When the user is selected using the digital certificate newly applied, Obtain the digital certificate of the new application.
3. storage method according to claim 1, it is characterised in that described to be stored according to encrypted certificate encryption File, specifically include:
Random symmetrical key is produced according to SM4 algorithms;
The file to be stored is divided into multiple data blocks;
According to the multiple encryption of blocks of data of the symmetrical secret key pair, ciphertext block data is obtained;
File after being encrypted, the file after the encryption include all ciphertext block datas.
4. storage method according to claim 3, it is characterised in that it is described will be described to be stored according to the signing certificate The additional information of file be uploaded to the server of user, specifically include:
The symmetrical key is encrypted according to the encrypted certificate, obtains the ciphertext of symmetrical key;
The summary of the data block is calculated according to SM3 algorithms, obtains the Summary file of the data block;
According to the signing certificate, n-th of Summary file is signed using SM2 algorithms, obtains signed data;Described n-th Individual Summary file is last Summary file, and n-th of Summary file is that (n-1)th Summary file splices nth data Summary file after block, the nth data block are last data block;
The additional information of the file to be stored is uploaded to the server of user, the additional information of the file is including described The title of file, the size of the file, the size of each data block, the signed data, the ciphertext of the symmetrical key, institute State encrypted certificate and last Summary file.
5. a kind of storage system of third party cloud storage platform, it is characterised in that the storage system includes:
Type of Client Log-on Module, for logging in client;
Digital certificate acquisition module, for obtaining the digital certificate of CA mechanisms;The digital certificate includes signing certificate and encryption Certificate;
Digital certificate installs module, for the digital certificate to be attached into the client;
Encrypting module, for encrypting file to be stored, the file after being encrypted according to the encrypted certificate;
Additional information uploading module, for the additional information of the file to be stored to be uploaded into use according to the signing certificate The server at family, server corresponding to the client that the server uses for the user;The additional information bag of the file Include title, size, signed data, encrypted certificate and the summary of the file;
Memory module, for the file after the encryption to be stored to third party cloud storage platform.
6. storage system according to claim 5, it is characterised in that the digital certificate acquisition module, specifically include:
Applying digital certificate unit, for the digital certificate of the domestic algorithm of CA mechanisms application, obtaining the numeral newly applied Certificate;
Digital certificate selecting unit, for when the user is before the digital certificate newly applied is obtained, CA machines described in warp-wise The excessively described digital certificate of structure application, when obtaining existing digital certificate, the numeral card according to corresponding to obtaining the selection of the user Book;When the user is selected using existing digital certificate, the existing digital certificate is obtained;When user selection makes During with the digital certificate newly applied, the digital certificate of the new application is obtained.
7. a kind of method for down loading of third party cloud storage platform, it is characterised in that the method for down loading includes:
Obtain the digital certificate of CA mechanisms;The digital certificate includes signing certificate and encrypted certificate;The digital certificate with Client is attached to before the storage file of family;
The file of third party cloud storage platform storage is downloaded, obtains the file of download;The third party cloud storage platform storage File is the file after being encrypted according to the encrypted certificate;
File decryption according to the encrypted certificate to the download, the file after being decrypted;
The additional information of the file after the decryption is verified using signing certificate;The additional information of the file includes institute State title, size, signed data, encrypted certificate and the summary of file;
Obtain the file after the decryption being verified.
8. method for down loading according to claim 7, it is characterised in that it is described according to the encrypted certificate to the download File decryption, the file after being decrypted, is specifically included:
The ciphertext of symmetrical key in the file of the download is decrypted according to the private key of the encrypted certificate, is obtained described symmetrical secret Key;The symmetrical key that the symmetrical key randomly generates before being stored for the file of the download according to SM4 algorithms, it is described symmetrical secret The ciphertext of key is that the ciphertext of symmetrical key is obtained after the symmetrical key is encrypted according to the encrypted certificate;
The ciphertext block data in the file of the download is decrypted according to the symmetrical key, obtains plaintext data block;The download File storage before be divided into multiple data blocks, the ciphertext block data is to be added according to the symmetrical the multiple data block of secret key pair The ciphertext block data of close acquisition;
File after being decrypted, the file after the decryption include all ciphertext block datas.
9. method for down loading according to claim 8, it is characterised in that it is described using signing certificate to the text after the decryption The additional information of part is verified, is specifically included:
Obtain the additional information of the file before the file storage of the download;The additional letter of the file storage preceding document of the download Breath is stored in the server of user;
The summary of the plaintext data block is calculated according to SM3 algorithms, obtains the Summary file of the plaintext data block;
Whether matched with signed data according to Summary file described in the signing certificate public key verifications;According to the signed data The signing certificate, n-th of Summary file is signed using SM2 algorithms, the signed data of acquisition;The file of the download It is divided into n data block before storage, n-th of Summary file is last Summary file, and n-th of Summary file is the Summary file after n-1 Summary file splicing nth data block.
10. a kind of download system of third party cloud storage platform, it is characterised in that the download system includes:
Digital certificate acquisition module, for obtaining the digital certificate of CA mechanisms;The digital certificate includes signing certificate and encryption Certificate;The digital certificate is attached to client before user's storage file;
Download module, for downloading the file of third party cloud storage platform storage, obtain the file of download;The third party cloud is deposited The file for storing up platform storage is the file after being encrypted according to the encrypted certificate;
Deciphering module, for the file decryption according to the encrypted certificate to the download, the file after being decrypted;
Authentication module, for being verified using signing certificate to the additional information of the file after the decryption;The file Additional information includes title, size, signed data, encrypted certificate and the summary of the file;
File after decryption obtains module, the file after the decryption being verified for acquisition.
CN201711206526.5A 2017-11-27 2017-11-27 Method and system for storing and downloading third-party cloud storage platform Active CN107872532B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201711206526.5A CN107872532B (en) 2017-11-27 2017-11-27 Method and system for storing and downloading third-party cloud storage platform

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201711206526.5A CN107872532B (en) 2017-11-27 2017-11-27 Method and system for storing and downloading third-party cloud storage platform

Publications (2)

Publication Number Publication Date
CN107872532A true CN107872532A (en) 2018-04-03
CN107872532B CN107872532B (en) 2020-09-25

Family

ID=61754755

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201711206526.5A Active CN107872532B (en) 2017-11-27 2017-11-27 Method and system for storing and downloading third-party cloud storage platform

Country Status (1)

Country Link
CN (1) CN107872532B (en)

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110535818A (en) * 2018-05-24 2019-12-03 广东技术师范学院 A kind of information secure transmission method
CN110610105A (en) * 2019-09-25 2019-12-24 郑州轻工业学院 Secret sharing-based authentication method for three-dimensional model file in cloud environment
CN111064738A (en) * 2019-12-26 2020-04-24 山东方寸微电子科技有限公司 TLS (transport layer Security) secure communication method and system
CN111708658A (en) * 2020-06-09 2020-09-25 孟磊 Judicial-assisted case data risk management system and application method thereof
CN113541935A (en) * 2021-06-08 2021-10-22 西安电子科技大学 Encryption cloud storage method, system, equipment and terminal supporting key escrow

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1547136A (en) * 2003-12-08 2004-11-17 Data once writing method and database safety management method based on the same method
US8412688B1 (en) * 2009-06-29 2013-04-02 Emc Corporation Delegated reference count base file versioning
CN103179086A (en) * 2011-12-21 2013-06-26 中国电信股份有限公司 Method and system for remote storing processing of data
CN103516523A (en) * 2013-10-22 2014-01-15 浪潮电子信息产业股份有限公司 Data encryption system structure based on cloud storage
CN105516204A (en) * 2016-01-27 2016-04-20 北京理工大学 Method for high-security network data storage

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1547136A (en) * 2003-12-08 2004-11-17 Data once writing method and database safety management method based on the same method
US8412688B1 (en) * 2009-06-29 2013-04-02 Emc Corporation Delegated reference count base file versioning
CN103179086A (en) * 2011-12-21 2013-06-26 中国电信股份有限公司 Method and system for remote storing processing of data
CN103516523A (en) * 2013-10-22 2014-01-15 浪潮电子信息产业股份有限公司 Data encryption system structure based on cloud storage
CN105516204A (en) * 2016-01-27 2016-04-20 北京理工大学 Method for high-security network data storage

Cited By (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110535818A (en) * 2018-05-24 2019-12-03 广东技术师范学院 A kind of information secure transmission method
CN110610105A (en) * 2019-09-25 2019-12-24 郑州轻工业学院 Secret sharing-based authentication method for three-dimensional model file in cloud environment
CN110610105B (en) * 2019-09-25 2020-07-24 郑州轻工业学院 Secret sharing-based authentication method for three-dimensional model file in cloud environment
CN111064738A (en) * 2019-12-26 2020-04-24 山东方寸微电子科技有限公司 TLS (transport layer Security) secure communication method and system
CN111064738B (en) * 2019-12-26 2022-09-30 山东方寸微电子科技有限公司 TLS (transport layer Security) secure communication method and system
CN111708658A (en) * 2020-06-09 2020-09-25 孟磊 Judicial-assisted case data risk management system and application method thereof
CN111708658B (en) * 2020-06-09 2024-05-24 孟磊 Judicial auxiliary case data risk management system and application method thereof
CN113541935A (en) * 2021-06-08 2021-10-22 西安电子科技大学 Encryption cloud storage method, system, equipment and terminal supporting key escrow
CN113541935B (en) * 2021-06-08 2022-06-03 西安电子科技大学 Encryption cloud storage method, system, equipment and terminal supporting key escrow

Also Published As

Publication number Publication date
CN107872532B (en) 2020-09-25

Similar Documents

Publication Publication Date Title
CN107872532A (en) A kind of storage of third party cloud storage platform, the method and system downloaded
KR101999188B1 (en) Secure personal devices using elliptic curve cryptography for secret sharing
CN104753917B (en) Key management system and method based on ID
US8930700B2 (en) Remote device secure data file storage system and method
CN102223364B (en) Method and system for accessing e-book data
CN105245328B (en) It is a kind of that management method is generated based on the key of third-party user and file
CN109194466A (en) A kind of cloud data integrity detection method and system based on block chain
CN103179086B (en) Remote storage processing method and the system of data
CN103138939B (en) Based on the key access times management method of credible platform module under cloud memory module
CN106060078B (en) User information encryption method, register method and verification method applied to cloud platform
US11184168B2 (en) Method for storing data on a storage entity
CN103763355A (en) Cloud data uploading and access control method
Nirmala et al. Data confidentiality and integrity verification using user authenticator scheme in cloud
CN107920052B (en) Encryption method and intelligent device
CN101605137A (en) Safe distribution file system
CN110601855B (en) Root certificate management method and device, electronic equipment and storage medium
CN103414699A (en) Authentication method for client certificate, server and client
WO2020123926A1 (en) Decentralized computing systems and methods for performing actions using stored private data
WO2018030289A1 (en) Ssl communication system, client, server, ssl communication method, and computer program
CN101325483B (en) Method and apparatus for updating symmetrical cryptographic key, symmetrical ciphering method and symmetrical deciphering method
CN105072134A (en) Cloud disk system file secure transmission method based on three-level key
CN106685919A (en) Secure cloud storage method with passive dynamic key distribution mechanism
CN108200014A (en) The method, apparatus and system of server are accessed using intelligent key apparatus
CN107172027A (en) Certificate management method, storage device, storage medium and device
CN105516066A (en) Method and device for identifying existence of intermediary

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant
CP03 Change of name, title or address

Address after: 401B, building 4, courtyard 7, Shangdi 8th Street, Haidian District, Beijing

Patentee after: Beijing Tiancheng Anxin Technology Co.,Ltd.

Address before: 401B, building 4, courtyard 7, Shangdi 8th Street, Haidian District, Beijing

Patentee before: BEIJING SKYFAITH TECHNOLOGY Co.,Ltd.

CP03 Change of name, title or address
TR01 Transfer of patent right

Effective date of registration: 20210322

Address after: Room 401a, building 4, courtyard 7, Shangdi 8th Street, Haidian District, Beijing

Patentee after: ITRUSCHINA Co.,Ltd.

Address before: 401B, building 4, courtyard 7, Shangdi 8th Street, Haidian District, Beijing

Patentee before: Beijing Tiancheng Anxin Technology Co.,Ltd.

TR01 Transfer of patent right