CN108600163B - Cloud environment distributed hash chain architecture and cloud data integrity verification method - Google Patents

Cloud environment distributed hash chain architecture and cloud data integrity verification method Download PDF

Info

Publication number
CN108600163B
CN108600163B CN201810203557.3A CN201810203557A CN108600163B CN 108600163 B CN108600163 B CN 108600163B CN 201810203557 A CN201810203557 A CN 201810203557A CN 108600163 B CN108600163 B CN 108600163B
Authority
CN
China
Prior art keywords
data
virtual machine
machine agent
challenged
cloud
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201810203557.3A
Other languages
Chinese (zh)
Other versions
CN108600163A (en
Inventor
徐小龙
刘广沛
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Nanjing University of Posts and Telecommunications
Original Assignee
Nanjing University of Posts and Telecommunications
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Nanjing University of Posts and Telecommunications filed Critical Nanjing University of Posts and Telecommunications
Priority to CN201810203557.3A priority Critical patent/CN108600163B/en
Publication of CN108600163A publication Critical patent/CN108600163A/en
Application granted granted Critical
Publication of CN108600163B publication Critical patent/CN108600163B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/12Applying verification of the received information
    • H04L63/123Applying verification of the received information received data contents, e.g. message integrity
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/64Protecting data integrity, e.g. using checksums, certificates or signatures
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/06Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
    • H04L9/0643Hash functions, e.g. MD5, SHA, HMAC or f9 MAC

Abstract

The invention discloses a cloud environment distributed hash chain architecture and a cloud data integrity verification method.A user virtual machine is expanded to obtain a virtual machine agent model, so that the whole design system has flexibility, cross-platform and expansibility, then a distributed hash chain is created in combination with the environment with the characteristics of multiple users at the cloud end, and a behavior agreement consensus is achieved through information exchange among the multiple users to complete the trusted integrity verification; the invention also relates to a data integrity monitoring and verifying method based on the cloud environment distributed hash chain architecture, which is characterized in that the distributed hash chain is maintained by adopting a virtual machine agent technology based on the cloud environment, the data is monitored in real time, the integrity of the data is effectively ensured, and the safety and the efficiency of actual work are improved.

Description

Cloud environment distributed hash chain architecture and cloud data integrity verification method
Technical Field
The invention relates to a cloud environment distributed hash chain architecture and a cloud data integrity verification method, and belongs to the technical field of cloud computing and information security.
Background
Cloud computing is a computing model that provides users with pay-as-needed access to a shared pool of resources (e.g., computing facilities, storage devices, applications, etc.) quickly, on-demand, and anytime anywhere using the internet. The cloud storage is a cloud computing system taking data storage and management as a core, and a user can access cloud data at any time and any place through any internet-connected device. However, a specific centralized storage mode of cloud data causes separation of user ownership and management right, and potential security risks of data stealing and destruction are brought.
Cloud data integrity issues have been the focus of research. On one hand, a cloud service provider may delete user data privately, or intentionally conceal unexpected data destruction, tampering for its reputation; on the other hand, the cloud data center may be attacked maliciously, which results in data destruction and sensitive data loss, and brings serious consequences to users or companies. The integrity of the cloud data can be guaranteed to be stored in the cloud system completely and unmistakably, and when the data is illegally tampered, a warning can be given out immediately, so that loss is reduced.
Aiming at the problem of cloud data integrity, the existing protection mechanism mostly depends on a trusted third-party auditing mechanism, the threat of data leakage to a third party is increased, and the threat of collusion between a cloud service provider and a third-party mechanism cannot be avoided. Therefore, the integrity of cloud data is still one of the important issues that needs to be solved urgently in the future development of cloud computing.
Disclosure of Invention
The technical problem to be solved by the invention is as follows: the cloud environment distributed hash chain architecture is constructed, and meanwhile, cloud data integrity monitoring and verification are carried out based on the architecture, so that the integrity of data is effectively guaranteed.
The invention adopts the following technical scheme for solving the technical problems:
a cloud environment distributed hash chain architecture is characterized in that each user corresponds to a virtual machine agent node, each virtual machine agent node corresponds to a distributed storage system cluster formed by a plurality of storage nodes, and deployment of a virtual machine agent model is completed; the virtual machine agent node comprises a file preprocessing module, a monitoring module, a verification module and a storage module; combining a plurality of users, interacting virtual machine agent nodes corresponding to the users, preprocessing the data file by a file preprocessing module when a certain user submits a data file storage task, generating a transaction and putting the transaction into a buffer pool, inquiring whether the buffer pool has an unconfirmed transaction by the virtual machine agent nodes of other users in turn, if so, performing legality confirmation on the transaction, packaging the transaction as one node of a distributed hash chain after the legality confirmation is completed, and completing the construction of a cloud environment distributed hash chain architecture;
defining: the virtual machine agent node is an agent node of a user, is logically unique and is responsible for acting the user to execute various tasks; the virtual machine agent node is used for preprocessing the data file to be stored after a user submits a data file storage task, selecting one storage node in the distributed storage system cluster corresponding to the virtual machine agent node to store the data file, and returning a result to the user by the virtual machine agent node after all the data files are stored; the storage nodes are used as data file storage nodes of users and used for storing data files of the users, and the storage nodes of all the users form a distributed storage system cluster.
The cloud data integrity verification method based on the cloud environment distributed hash chain architecture is used for the target user to realize integrity monitoring and verification aiming at the cloud data stored in the cloud environment, and comprises the following steps:
step A, deploying a virtual machine agent model, constructing a cloud environment distributed hash chain according to the virtual machine agent model, and establishing connection with a target user through virtual machine agent nodes to complete data integrity preprocessing;
step B, the target user establishes communication with the cloud service providing server through the virtual machine proxy node to complete data integrity monitoring;
and step C, the target user communicates with the cloud service providing server through the virtual machine proxy node to verify the integrity of the stored cloud data.
As a preferable scheme of the method, the step A comprises the following steps:
step A01, deploying a virtual machine agent model, constructing a cloud environment distributed hash chain according to the virtual machine agent model, sending a request to connect a corresponding virtual machine agent node by a target user, verifying whether the target user request is legal or not after the virtual machine agent node receives the target user request, starting the virtual machine agent node if the target user request is legal, and returning a connection refusing response if the target user request is legal;
step A02, taking prime p, ZpIs a domain on p, let G1,G2Is a multiplicative cyclic group of prime numbers p, g1Is G1G is a generator of2Is G2Of (2) there is a bilinear mapping
Figure BDA0001595218930000034
:G1×G1→G2Randomly selecting a to Zp、x∈ZpThe target user locally generates a key pair { SK ═ { a, x }, PK ═ g }1U, v), where x is the private key and v is the public key,
Figure BDA0001595218930000031
step A03, the target user uploads a data file F to be stored to a virtual machine proxy node, the virtual machine proxy node initializes F, and the F is partitioned into blocks F ═ m1,…,mi,…,mnI is more than or equal to 1 and less than or equal to n, n is the total number of all data blocks divided by the data file F to be stored, and m is respectively pointed to each blockiCarry out segmentation mi={mi1,…,mij,…,mikJ is more than or equal to 1 and less than or equal to k, k is the number of all sections divided by each data block, and each block is numbered biGenerating time stamps t simultaneouslyiFor each data block m, using a label generation algorithmiGenerating a tag sigmaiWill label σiStoring the data into a database of the virtual machine agent node;
step A04, the virtual machine agent node uploads the data file F to be stored to the corresponding distributed storage system cluster, and the storage address F _ Id is obtained.
As a preferred variant of the process according to the invention, the label σ of step A03iThe calculation formula of (a) is as follows:
Figure BDA0001595218930000032
h, h are hash functions: h: {0,1}*→G1,h:{0,1}*→ZpI is more than or equal to 1 and less than or equal to n, j is more than or equal to 1 and less than or equal to k, n is the total number of all data blocks divided by the data file F to be stored, k is the number of all segments divided by each data block, biIs a number, tiIs a time stamp, g1Is G1A generator of (1), G1Is a multiplication loop group of prime numbers p, aj∈Zp,x∈Zp,ZpIs a field on the prime number p,
Figure BDA0001595218930000033
mijfor the ith data block miThe jth segment of (1).
As a preferable scheme of the method, the step B comprises the following steps:
step B01, compiling a data monitoring contract protocol code and compiling the code into a binary code, deploying the compiled contract protocol to a network where a cloud environment distributed hash chain is located, and obtaining an address and a binary interface of the distributed hash chain of the contract protocol;
step B02, after the virtual machine agent node finishes the data integrity preprocessing, the label sigma obtained in the step A03 is obtainediGenerating a root hash value of the data file to be stored according to the Mercker hash tree, wherein i is more than or equal to 1 and less than or equal to n, and n is the total number of all data blocks divided by the data file F to be stored;
step B03, calling the contract protocol through the address and binary interface of the distributed hash chain of the contract protocol, and saving the storage address F _ Id and the root hash value obtained in the step A into the data structure of Map as a key value pair;
and step B04, the data integrity is monitored by monitoring the root hash value of the data file to be stored.
As a preferred scheme of the method of the invention, the step C comprises the following steps:
step C01, the target user sends a data integrity verification request of the data file to be detected to the virtual machine proxy node aiming at the stored data file to be challenged, wherein the data integrity verification request comprises: selecting a data block set IDX ═ IDX to be challenged from a data file to be challengedsL 1 is less than or equal to s is less than or equal to c, c is less than or equal to n, and corresponding random number set R is { R {s|s∈IDX,rs∈ZpC is the total number of the data blocks to be challenged, n is the total number of all the data blocks into which the data file to be challenged is divided, and ZpIs a domain on a prime number p, idxsFor the s-th block of data to be challenged, rsIs a random number;
step C02, the virtual machine agent node inquires the storage address F _ Id of the data file to be challenged from the distributed storage system cluster according to the verification request;
step C03, the virtual machine agent node obtains the data block to be challenged at the storage node according to the storage address F _ Id of the data file to be challenged
Figure BDA0001595218930000041
Returning to the virtual machine agent node, and calculating a total data block:
Figure BDA0001595218930000042
and calculating a total data block label value by using a label generation algorithm according to u stored in the virtual machine agent node:
Figure BDA0001595218930000043
wherein D is the total data block tag value, h is the hash function: h: {0,1}*→Zp,ZpIs a field on a prime number p, msjFor the s-th data block m to be challengedsJ is the data block m to be challengedsThe number of all the segments into which the IDX is to be challenged is the set of data blocks to be challenged,
Figure BDA0001595218930000044
g1is G1A generator of (1), G1Is a multiplication loop group of prime numbers p, aj∈Zp,ZpIs a field on a prime number p;
step C04, the virtual machine agent node reads the tag value of the data block to be challenged from the database of the virtual machine agent node to calculate T, and simultaneously calculates the hash value B of the corresponding number of the data block to be challenged:
Figure BDA0001595218930000045
generating evidence proof of { D, B, T }, and calculating:
Figure BDA0001595218930000051
wherein σsFor the s-th data block m to be challengedsA tag value of rsFor random numbers, H is the hash function: h: {0,1}*→G1,G1Is a multiplication loop group of prime numbers p, bs、tsRespectively as data blocks m to be challengedsV is a public key, g2Is G2A generator of (1), G2Is a multiplicative cyclic group of prime numbers p;
and step C05, acquiring a root hash value of the file to be challenged according to the storage address F _ Id, generating a new root hash value of the Mercker hash tree according to the data block to be challenged, if the two root hash values are the same and the definition formula of the step C04 is established, determining that the verification result is credible, and transmitting the verification result to the user through the virtual machine agent node.
Compared with the prior art, the invention adopting the technical scheme has the following technical effects:
1. the cloud environment distributed hash chain architecture is designed, integrity verification is completed through the virtual machine proxy nodes, and data are prevented from being leaked to a third party.
2. The invention ensures the credibility of the data on the chain through the distributed hash chain, thereby ensuring the credibility of the verification result.
3. The invention monitors the whole life cycle of the user data through the distributed hash chain, and ensures that the data is not illegally tampered.
4. The data integrity verification method based on the cloud environment distributed hash chain architecture is based on the cloud environment, adopts the distributed virtual machine agent technology, monitors data in real time, effectively ensures the integrity of the data, and improves the safety and efficiency of actual work.
Drawings
Fig. 1 is a schematic diagram of a cloud user node architecture according to the present invention.
Fig. 2 is a schematic diagram of a cloud environment distributed hash chain architecture according to the present invention.
FIG. 3 is a block diagram of the Mercker hash tree for the DHT designed in this invention.
Fig. 4 is a schematic flow chart of cloud data integrity monitoring designed by the present invention.
Fig. 5 is a schematic flow chart of cloud data integrity verification designed by the present invention.
Detailed Description
Reference will now be made in detail to embodiments of the present invention, examples of which are illustrated in the accompanying drawings. The embodiments described below with reference to the accompanying drawings are illustrative only for the purpose of explaining the present invention, and are not to be construed as limiting the present invention.
The invention designs a cloud environment distributed hash chain architecture, and related nodes are functionally divided into two types: after a user submits a storage task, the virtual machine agent node is responsible for preprocessing the file, selecting a proper storage node to store data, and after all storage is finished, the virtual machine agent node returns a result to the user.
In order to be suitable for complex services in a cloud distributed environment and enhance the portability of the model, a special container is operated on a node to prepare the environment for executing tasks divided by a virtual machine agent node, and the virtual machine agent node distributes each subtask divided by the tasks to a proper storage node to execute the subtasks. Fig. 1 is a diagram of a node structure in a public cloud where a user is located.
Defining: the virtual machine agent node and the agent node of the cloud user are logically unique, are responsible for the agent user to execute various tasks and have high computing capacity.
The storage nodes and the data storage nodes of the cloud users are not unique and have low computing capacity, and all the storage nodes form a distributed storage system cluster and are responsible for storing mass data of the users.
After deployment of a virtual machine agent model (fig. 1) is completed, the cloud environment distributed hash chain (fig. 2) is constructed, the chain has a linear structure and non-tamper-proof property, consistency of data among nodes is guaranteed by a certain consensus algorithm, an end-to-end chain structure is formed through a timestamp and a hash value, and the cloud environment distributed hash chain has the characteristics of non-tamper-proof property and verification.
As shown in fig. 2, a plurality of tenants are combined, and the purpose is to achieve action protocol consensus through information exchange among the tenants, and ensure the characteristics of public transparency, non-tampering, traceability and the like of data on a chain. The distributed hash chain constructed by the invention only gives the cloud user the reading authority, so that the consensus process is prevented from being interfered by the outside. In addition, in order to prevent malicious attacks, the transaction is carried out in a point-based mode, each user initially has a certain point, each transaction needs to consume the point, once the transaction packaging right is successfully obtained, a certain point reward is obtained, and the user is motivated to start a virtual machine agent to participate in the consensus process.
The invention introduces a distributed virtual machine agent model to construct a basic cloud data integrity protection framework. When a user submits a storage task, data is uploaded to a virtual machine agent node, a transaction is generated after preprocessing and is placed into a cache pool, and evidence for data integrity verification is stored in the transaction. And polling and inquiring whether the cache pool has an unconfirmed transaction by the virtual machine agent nodes of other users at the cloud end, trying to verify the validity of the transaction once the unconfirmed transaction is found, and packaging a group of transactions to form one node of the distributed hash chain.
The cloud environment distributed hash chain architecture designed by the technical scheme expands the user virtual machine, and creates an environment suitable for each module in the virtual machine agent, so that the whole design system has flexibility, cross-platform performance and expansibility; and the virtual machine agent is dynamically generated and has a certain life cycle, so that the modification and the expansion of the functions of the virtual machine agent are very simple and convenient.
Based on the designed cloud environment distributed hash chain architecture, the invention further designs a data integrity monitoring and verifying method based on the cloud environment distributed hash chain architecture, which is used for the target user to realize integrity verification on the data stored in the cloud environment, and comprises the following steps:
step A, deploying a virtual machine agent model, constructing a cloud environment distributed hash chain architecture, and establishing connection with a target user through virtual machine agent nodes to finish data integrity preprocessing. The method specifically comprises the following steps:
step a01, the cloud service provider constructs a user deployment distributed hash chain architecture according to fig. 1 and fig. 2. And the virtual machine agent node receives the user request, verifies whether the user request is legal, starts the virtual machine agent node if the user request is legal, and returns a connection refusal response if the user request is illegal.
Step A02, taking prime p, ZpIs a domain on p, let G1,G2Is a multiplicative cyclic group of prime numbers p, g1Is G1G is a generator of2Is G2Of (2) there is a bilinear mapping
Figure BDA0001595218930000074
:G1×G1→G2Randomly selecting a and x ∈ Zp
Figure BDA0001595218930000071
The user locally generates a key pair { SK ═ { a, x }, PK ═ g }1U, v } }; x, public key:
Figure BDA0001595218930000072
step a03, the user uploads the file to the virtual machine proxy node, the virtual machine proxy node initializes the data information file F, and the data information file F is blocked into blocks F ═ m1,…,mi,…,mnI is more than or equal to 1 and less than or equal to n, and then aiming at each block miPerforming average segmentation, and dividing into k segments, i.e. mi={mi1,…,mij,…,mikAnd numbered b for each blockiAnd a time stamp tiCalling the tag generation algorithm for each data block miGenerating a tag sigmaiAs follows:
Figure BDA0001595218930000073
where H, h is the hash function: h: {0,1}*→G1,h:{0,1}*→ZpJ is the data segment sequence number: j is more than or equal to 1 and less than or equal to k; Φ { (σ)i) And |1 is more than or equal to i and less than or equal to n } is a label set of the data block of the data information file F, and the label is stored in the virtual machine agent node database.
Step A04, the virtual machine agent uploads the data F to the distributed storage system cluster, and the storage address F _ Id is the only identifier of the data information file F.
And step B, the target user establishes communication with the cloud service providing server through the virtual machine proxy node to complete data integrity monitoring. The method specifically comprises the following steps:
step B01, compiling a data monitoring contract protocol and compiling codes into binary codes; the user consumes a certain point, deploys the compiled contract protocol to the network, and obtains the address of the distributed hash chain of the contract and the Binary Interface (ABI), wherein ABI is the Binary representation of the contract protocol Interface.
Step B02, after the virtual machine agent node carries out integrity verification pretreatment on the file, the acquired label set of the data block is stored in a database, and the root hash value of the file is generated according to the Mercker hash tree; the merkel hash tree is a binary tree, as shown in fig. 3, only the leaf nodes store data tag values, the non-leaf nodes are obtained by hash operation after the values of the left and right child nodes of the non-leaf nodes are calculated and linked, and finally, a root hash value is formed to describe the integrity of all stored data.
And step B03, calling a contract through the contract address and the ABI, and saving the storage address and the root hash value of the Mercker hash tree, which are obtained after file preprocessing, as a key value pair in a data structure of the Map.
Step B04, by monitoring the root hash value of the Mercker hash tree of the file, tampering of any data block of the file can be detected, thereby ensuring the integrity of the file block; when a user verifies a file, the file storage address is used as a key, and a contract is called to obtain the root hash value of the Mercker hash tree of the file for comparison.
In practical application, after the data are uploaded to the cloud end by a user, the control right of the data is handed to the cloud service providing server, so that abnormal tampering can be timely and effectively detected according to the data monitoring requirement. The integrity monitoring mechanism implementation flow is shown in fig. 4, and the process is as follows: the method comprises the steps that a user uploads a file to be preprocessed by a virtual machine agent node, on one hand, the file is divided into blocks, labels are stored in a database, and a Mercker hash tree is generated by data labels of file blocks; and on the other hand, storing the file in the distributed storage system cluster to obtain the address based on the file. The key-value pairs are saved by calling the contracts, at which time the files are monitored for modifications by the contracts.
And step C, the target user communicates with the cloud service providing server through the virtual machine proxy node to verify the integrity of the stored data. The method specifically comprises the following steps:
step C01, the user sends a data integrity verification request of the file to be challenged to the virtual machine agent for the stored file to be challenged, where the data integrity verification request chal includes: data block set IDX ═ IDX { IDX of file to be challengedsL 1 is less than or equal to s is less than or equal to c, c is less than or equal to n and a corresponding random number set R ═ Rs|s∈IDX,rs∈Zp}:
Figure BDA0001595218930000081
Then, the virtual machine agent sends a data integrity verification request of the file to be challenged to the cloud service providing server; wherein c is the total number of the data blocks to be challenged, and n is the total number of the data blocks in the file data block set to be challenged.
And step C02, the cloud service providing server determines the position of the file to be detected according to the data integrity verification request of the file to be challenged, and returns the unique identifier F _ Id of the file to be challenged to the virtual machine proxy node.
Step C03, the virtual machine agent node acquires the corresponding data block of the file to be detected according to the unique identifier F _ Id of the file to be detected, and calculates the total data block M:
Figure BDA0001595218930000091
wherein m issjRepresents the j-th section of data of the s-th data block in the file data block set to be challenged, mi={mi1,…,mij,…,mikData of file to be challengedBlock set IDX ═ { IDXsAnd l 1 is not less than s and not more than c, and c is not less than n, calculating a part D of the tag value of the data block to be challenged according to public information stored in the virtual machine agent node database:
Figure BDA0001595218930000092
calculating a tag value of a file block to be challenged by using a tag generation algorithm, reading a data block tag value of the file to be challenged from a database of a virtual machine agent to calculate T, and simultaneously calculating a hash value B of a data block number of a corresponding file to be challenged:
Figure BDA0001595218930000093
wherein σsA label, r, representing the s-th data block in the set of data blocks of the file to be challengedsA random number representing the s-th data block in the data integrity verification request chal, bs、tsRespectively, the number and the time stamp of the s-th data block. And finally, returning proof of { D, B, T } to the user virtual machine.
Step C04, the user receives the proof returned by the virtual machine proxy node and calculates
Figure BDA0001595218930000094
If the equality is established, the file to be challenged is proved to be complete, and if the equality is not established, the file to be challenged is proved to be incomplete.
The integrity verification phase is shown in fig. 5, and the process is as follows: the method comprises the steps that a user randomly extracts a certain data block, challenges are issued to storage nodes of a cloud service providing server through virtual machine proxy nodes, the position of a file is obtained according to the challenging block, evidence is generated and returned to a virtual machine proxy node (VMA), the VMA calculates whether the evidence is valid through a formula defined in a verification step C04, if the evidence is valid, verification in the second step is carried out, whether the challenging block exists through a Merkel Hash Tree (MHT) is calculated, whether the challenging block is consistent with a root Hash value is judged, if the challenging block is consistent, the file is proved to be complete, and if the challenging block is not.
According to the data integrity verification method based on the cloud environment distributed hash chain architecture, firstly, the user virtual machine is expanded, an environment suitable for cloud data integrity protection is created, and the system has flexibility, cross-platform performance and expansibility. Such as: the monitoring module is responsible for uploading, updating and other operations of the data of the user, so that illegal tampering is prevented, the virtual machine agent and the cloud manager can be timely notified, the environment where the virtual machine agent and the cloud manager are located is warned to be possibly in a dangerous state, corresponding measures such as migration, destruction and the like are taken, and prevention in advance is achieved. And the virtual machine agent is dynamically generated and has a certain life cycle, so that the modification and the expansion of the functions of the virtual machine agent are very simple and convenient. In the design, the virtual machine agent node is in the cloud environment, the interaction information of a user and a cloud service provider can be stored, the non-repudiation information of user data operation in the cloud environment is recorded, and effective and reliable legal evidence obtaining is carried out on problems such as data leakage, so that a perfect accountability mechanism is established, and the evidence obtaining after the fact is achieved.
The above embodiments are only for illustrating the technical idea of the present invention, and the protection scope of the present invention is not limited thereby, and any modifications made on the basis of the technical scheme according to the technical idea of the present invention fall within the protection scope of the present invention.

Claims (3)

1. A cloud data integrity verification method based on a cloud environment distributed hash chain architecture is as follows: each user corresponds to a virtual machine agent node, each virtual machine agent node corresponds to a distributed storage system cluster formed by a plurality of storage nodes, and deployment of a virtual machine agent model is completed; the virtual machine agent node comprises a file preprocessing module, a monitoring module, a verification module and a storage module; combining a plurality of users, interacting virtual machine agent nodes corresponding to the users, preprocessing the data file by a file preprocessing module when a certain user submits a data file storage task, generating a transaction and putting the transaction into a buffer pool, inquiring whether the buffer pool has an unconfirmed transaction by the virtual machine agent nodes of other users in turn, if so, performing legality confirmation on the transaction, packaging the transaction as one node of a distributed hash chain after the legality confirmation is completed, and completing the construction of a cloud environment distributed hash chain architecture;
defining: the virtual machine agent node is an agent node of a user, is logically unique and is responsible for acting the user to execute various tasks; the virtual machine agent node is used for preprocessing the data file to be stored after a user submits a data file storage task, selecting one storage node in the distributed storage system cluster corresponding to the virtual machine agent node to store the data file, and returning a result to the user by the virtual machine agent node after all the data files are stored; the storage nodes are used as data file storage nodes of users and used for storing data files of the users, and are not unique, and all the storage nodes of the users form a distributed storage system cluster;
the cloud data integrity verification method is used for the target user to realize integrity monitoring and verification aiming at the cloud data stored in the cloud environment, and is characterized by comprising the following steps:
step A, deploying a virtual machine agent model, constructing a cloud environment distributed hash chain according to the virtual machine agent model, and establishing connection with a target user through virtual machine agent nodes to complete data integrity preprocessing; the method comprises the following specific steps:
step A01, deploying a virtual machine agent model, constructing a cloud environment distributed hash chain according to the virtual machine agent model, sending a request to connect a corresponding virtual machine agent node by a target user, verifying whether the target user request is legal or not after the virtual machine agent node receives the target user request, starting the virtual machine agent node if the target user request is legal, and returning a connection refusing response if the target user request is legal;
step A02, taking prime p, ZpIs a domain on p, let G1,G2Is a multiplicative cyclic group of prime numbers p, g1Is G1G is a generator of2Is G2G, there is a bilinear mapping l1×G1→G2Randomly selecting a to Zp、x∈ZpThe target user locally generates a key pair { SK ═ { a, x }, PK ═{g1U, v), where x is the private key and v is the public key,
Figure FDA0002708902350000021
step A03, the target user uploads a data file F to be stored to a virtual machine proxy node, the virtual machine proxy node initializes F, and the F is partitioned into blocks F ═ m1,…,mi,…,mnI is more than or equal to 1 and less than or equal to n, n is the total number of all data blocks divided by the data file F to be stored, and m is respectively pointed to each blockiCarry out segmentation mi={mi1,…,mij,…,mikJ is more than or equal to 1 and less than or equal to k, k is the number of all sections divided by each data block, and each block is numbered biGenerating time stamps t simultaneouslyiFor each data block m, using a label generation algorithmiGenerating a tag sigmaiWill label σiStoring the data into a database of the virtual machine agent node;
a04, uploading a data file F to be stored to a corresponding distributed storage system cluster by a virtual machine agent node to obtain a storage address F _ Id;
step B, the target user establishes communication with the cloud service providing server through the virtual machine proxy node to complete data integrity monitoring; the method comprises the following specific steps:
step B01, compiling a data monitoring contract protocol code and compiling the code into a binary code, deploying the compiled contract protocol to a network where a cloud environment distributed hash chain is located, and obtaining an address and a binary interface of the distributed hash chain of the contract protocol;
step B02, after the virtual machine agent node finishes the data integrity preprocessing, the label sigma obtained in the step A03 is obtainediGenerating a root hash value of the data file to be stored according to the Mercker hash tree, wherein i is more than or equal to 1 and less than or equal to n, and n is the total number of all data blocks divided by the data file F to be stored;
step B03, calling the contract protocol through the address and binary interface of the distributed hash chain of the contract protocol, and saving the storage address F _ Id and the root hash value obtained in the step A into the data structure of Map as a key value pair;
step B04, the data integrity is monitored by monitoring the root hash value of the data file to be stored;
and step C, the target user communicates with the cloud service providing server through the virtual machine proxy node to verify the integrity of the stored cloud data.
2. The cloud data integrity verification method of claim 1, wherein step a03 is implemented by using the tag σiThe calculation formula of (a) is as follows:
Figure FDA0002708902350000022
h, h are hash functions: h: {0,1}*→G1,h:{0,1}*→ZpI is more than or equal to 1 and less than or equal to n, j is more than or equal to 1 and less than or equal to k, n is the total number of all data blocks divided by the data file F to be stored, k is the number of all segments divided by each data block, biIs a number, tiIs a time stamp, g1Is G1A generator of (1), G1Is a multiplication loop group of prime numbers p, aj∈Zp,x∈Zp,ZpIs a field on the prime number p,
Figure FDA0002708902350000031
mijfor the ith data block miThe jth segment of (1).
3. The cloud data integrity verification method according to claim 1, wherein the step C comprises the steps of:
step C01, the target user sends a data integrity verification request of the data file to be detected to the virtual machine proxy node aiming at the stored data file to be challenged, wherein the data integrity verification request comprises: selecting a data block set IDX ═ IDX to be challenged from a data file to be challengedsL 1 is less than or equal to s is less than or equal to c, c is less than or equal to n, and corresponding random number set R is { R {s|s∈IDX,rs∈ZpWherein c is to be chosenTotal number of war data blocks, n being total number of all data blocks into which the data file to be challenged is divided, ZpIs a domain on a prime number p, idxsFor the s-th block of data to be challenged, rsIs a random number;
step C02, the virtual machine agent node inquires the storage address F _ Id of the data file to be challenged from the distributed storage system cluster according to the verification request;
step C03, the virtual machine agent node obtains the data block to be challenged at the storage node according to the storage address F _ Id of the data file to be challenged
Figure FDA0002708902350000032
Returning to the virtual machine agent node, and calculating a total data block:
Figure FDA0002708902350000033
and calculating a total data block label value by using a label generation algorithm according to u stored in the virtual machine agent node:
Figure FDA0002708902350000034
wherein D is the total data block tag value, h is the hash function: h: {0,1}*→Zp,ZpIs a field on a prime number p, msjFor the s-th data block m to be challengedsJ is the data block m to be challengedsThe number of all the segments into which the IDX is to be challenged is the set of data blocks to be challenged,
Figure FDA0002708902350000035
g1is G1A generator of (1), G1Is a multiplication loop group of prime numbers p, aj∈Zp,ZpIs a field on a prime number p;
step C04, the virtual machine agent node reads the tag value of the data block to be challenged from the database of the virtual machine agent node to calculate T, and simultaneously calculates the hash value B of the corresponding number of the data block to be challenged:
Figure FDA0002708902350000041
generating evidence proof of { D, B, T }, and calculating:
Figure FDA0002708902350000042
wherein σsFor the s-th data block m to be challengedsA tag value of rsFor random numbers, H is the hash function: h: {0,1}*→G1,G1Is a multiplication loop group of prime numbers p, bs、tsRespectively as data blocks m to be challengedsV is a public key, g2Is G2A generator of (1), G2Is a multiplicative cyclic group of prime numbers p;
and step C05, acquiring a root hash value of the file to be challenged according to the storage address F _ Id, generating a new root hash value of the Mercker hash tree according to the data block to be challenged, if the two root hash values are the same and the definition formula of the step C04 is established, determining that the verification result is credible, and transmitting the verification result to the user through the virtual machine agent node.
CN201810203557.3A 2018-03-13 2018-03-13 Cloud environment distributed hash chain architecture and cloud data integrity verification method Active CN108600163B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201810203557.3A CN108600163B (en) 2018-03-13 2018-03-13 Cloud environment distributed hash chain architecture and cloud data integrity verification method

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201810203557.3A CN108600163B (en) 2018-03-13 2018-03-13 Cloud environment distributed hash chain architecture and cloud data integrity verification method

Publications (2)

Publication Number Publication Date
CN108600163A CN108600163A (en) 2018-09-28
CN108600163B true CN108600163B (en) 2020-12-15

Family

ID=63626127

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201810203557.3A Active CN108600163B (en) 2018-03-13 2018-03-13 Cloud environment distributed hash chain architecture and cloud data integrity verification method

Country Status (1)

Country Link
CN (1) CN108600163B (en)

Families Citing this family (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109658238B (en) 2018-10-26 2020-06-16 阿里巴巴集团控股有限公司 Data processing method and device
CN109586896B (en) * 2018-11-14 2021-09-03 陕西师范大学 Data integrity verification method based on Hash prefix tree
CN110046992A (en) 2018-12-12 2019-07-23 阿里巴巴集团控股有限公司 A kind of transaction Hash acquisition methods and system based on block chain intelligence contract
CN109889497B (en) * 2019-01-15 2021-09-07 南京邮电大学 Distrust-removing data integrity verification method
CN109872142B (en) * 2019-02-21 2023-04-11 派欧云计算(上海)有限公司 Digital asset transaction method based on trusted third party and storage medium thereof
CN110334175B (en) * 2019-04-29 2021-06-04 山东冰链网络信息科技有限公司 Zero knowledge proof method, system and storage medium for medical document
CN114070594B (en) * 2021-11-08 2023-12-12 四川启睿克科技有限公司 Cloud anti-attack system and method based on log abstract
CN116956364B (en) * 2023-09-21 2024-02-09 中航国际金网(北京)科技有限公司 Virtualized product integrity verification method, device and system and electronic equipment

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106656974A (en) * 2016-10-17 2017-05-10 江苏通付盾科技有限公司 Block chain grouping consensus method and system
CN106790045A (en) * 2016-12-19 2017-05-31 南京邮电大学 One kind is based on cloud environment distributed virtual machine broker architecture and data integrity support method
CN107392611A (en) * 2017-03-24 2017-11-24 阿里巴巴集团控股有限公司 A kind of method and device for sending Transaction Information and common recognition checking
CN107425982A (en) * 2017-07-07 2017-12-01 众安信息技术服务有限公司 A kind of method and block chain for realizing intelligent contract data encryption
CN107729471A (en) * 2017-10-13 2018-02-23 上海策赢网络科技有限公司 A kind of block chain and its generation method and equipment

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10362058B2 (en) * 2016-05-13 2019-07-23 Vmware, Inc Secure and scalable data transfer using a hybrid blockchain-based approach

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106656974A (en) * 2016-10-17 2017-05-10 江苏通付盾科技有限公司 Block chain grouping consensus method and system
CN106790045A (en) * 2016-12-19 2017-05-31 南京邮电大学 One kind is based on cloud environment distributed virtual machine broker architecture and data integrity support method
CN107392611A (en) * 2017-03-24 2017-11-24 阿里巴巴集团控股有限公司 A kind of method and device for sending Transaction Information and common recognition checking
CN107425982A (en) * 2017-07-07 2017-12-01 众安信息技术服务有限公司 A kind of method and block chain for realizing intelligent contract data encryption
CN107729471A (en) * 2017-10-13 2018-02-23 上海策赢网络科技有限公司 A kind of block chain and its generation method and equipment

Also Published As

Publication number Publication date
CN108600163A (en) 2018-09-28

Similar Documents

Publication Publication Date Title
CN108600163B (en) Cloud environment distributed hash chain architecture and cloud data integrity verification method
Li et al. Auditing cache data integrity in the edge computing environment
CN110915166B (en) Block chain
US20210271764A1 (en) Method for storing data on a storage entity
CN109889497B (en) Distrust-removing data integrity verification method
CN102170440B (en) Method suitable for safely migrating data between storage clouds
KR102152360B1 (en) System and method for providing data reliability based on blockchain for iot services
CN108596627B (en) Big data calculation method and system based on block chain and fog calculation
Shu et al. Blockchain-based decentralized public auditing for cloud storage
CN109600366A (en) The method and device of protection user data privacy based on block chain
Wang et al. A simulation approach for studying behavior and quality of blockchain networks
CN103416021A (en) System for enabling digital signature auditing
CN103605784A (en) Data integrity verifying method under multi-cloud environment
CN110505228B (en) Edge cloud architecture-based big data processing method, system, medium and device
CN110866265A (en) Data storage method, device and storage medium based on block chain
CN111488372A (en) Data processing method, device and storage medium
CN114372296A (en) Block chain-based user behavior data auditing method and system
CN112446046A (en) Data management method and device based on intelligent contract
CN113505260A (en) Face recognition method and device, computer readable medium and electronic equipment
CN111934854B (en) Data determining method and device, storage medium and electronic device
CN110266475A (en) A kind of cloud storage data safety auditing method
CN109905408A (en) Network safety protection method, system, readable storage medium storing program for executing and terminal device
CN116112216A (en) Cloud data verification method and device, electronic equipment and nonvolatile storage medium
Muhtasim et al. Secure data transaction and data analysis of IOT devices using blockchain
CN112988852A (en) Block chain-based data management method, device and medium

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
CB02 Change of applicant information

Address after: 210003 Gulou District, Jiangsu, Nanjing new model road, No. 66

Applicant after: NANJING University OF POSTS AND TELECOMMUNICATIONS

Address before: Yuen Road Qixia District of Nanjing City, Jiangsu Province, No. 9 210023

Applicant before: NANJING University OF POSTS AND TELECOMMUNICATIONS

CB02 Change of applicant information
GR01 Patent grant
GR01 Patent grant