CN108989033B - Cloud storage security control method and system based on public key pool - Google Patents

Cloud storage security control method and system based on public key pool Download PDF

Info

Publication number
CN108989033B
CN108989033B CN201810856927.3A CN201810856927A CN108989033B CN 108989033 B CN108989033 B CN 108989033B CN 201810856927 A CN201810856927 A CN 201810856927A CN 108989033 B CN108989033 B CN 108989033B
Authority
CN
China
Prior art keywords
key
random number
true random
file
user side
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201810856927.3A
Other languages
Chinese (zh)
Other versions
CN108989033A (en
Inventor
富尧
钟一民
杨羽成
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Ruban Quantum Technology Co Ltd
Original Assignee
Ruban Quantum Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Ruban Quantum Technology Co Ltd filed Critical Ruban Quantum Technology Co Ltd
Priority to CN201810856927.3A priority Critical patent/CN108989033B/en
Publication of CN108989033A publication Critical patent/CN108989033A/en
Application granted granted Critical
Publication of CN108989033B publication Critical patent/CN108989033B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/0869Generation of secret information including derivation or calculation of cryptographic keys or passwords involving random numbers or seeds
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/04Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/045Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply hybrid encryption, i.e. combination of symmetric and asymmetric encryption
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/06Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • H04L63/062Network architectures or network communication protocols for network security for supporting key management in a packet data network for key distribution, e.g. centrally by trusted party
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/06Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • H04L63/065Network architectures or network communication protocols for network security for supporting key management in a packet data network for group communications
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00Network arrangements or protocols for supporting network services or applications
    • H04L67/01Protocols
    • H04L67/10Protocols in which an application is distributed across nodes in the network
    • H04L67/1097Protocols in which an application is distributed across nodes in the network for distributed storage of data in networks, e.g. transport arrangements for network file system [NFS], storage area networks [SAN] or network attached storage [NAS]
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0819Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • H04L9/0825Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) using asymmetric-key encryption or public key infrastructure [PKI], e.g. key signature or public key certificates
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0819Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • H04L9/083Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) involving central third party, e.g. key distribution center [KDC] or trusted third party [TTP]
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0819Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • H04L9/083Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) involving central third party, e.g. key distribution center [KDC] or trusted third party [TTP]
    • H04L9/0833Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) involving central third party, e.g. key distribution center [KDC] or trusted third party [TTP] involving conference or group key
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0852Quantum cryptography

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • Electromagnetism (AREA)
  • Theoretical Computer Science (AREA)
  • Storage Device Security (AREA)

Abstract

The invention discloses a cloud storage security control method and a system based on a public key pool.A user side uploads a data file encrypted by using a file key to a server, the user side is configured with a quantum key fob, the file key is generated by combining a true random number generated by the quantum key fob and a key pool device, and the user side uploads the true random number to the server; the server receives and stores the data file and the true random number from the user side; and the user side downloads the true random number and the data file encrypted by using the file key, generates a file key by combining the true random number and the key pool device, and decrypts to obtain the data file. In the cloud storage process, the server side cannot contact the file key and the decrypted data file, the worry of the user side on the safety of cloud storage data is solved, the true random number generated by the quantum key card is used for generating the file key with true randomness, the safety of the key is improved, and meanwhile the safety of the execution environment of the user side encryption program is guaranteed.

Description

Cloud storage security control method and system based on public key pool
Technical Field
The invention relates to the field of cloud storage, in particular to a cloud storage security control method and system based on a public key pool.
Background
With the development of science and technology, cloud storage has become a trend more and more, various cloud storage technologies are endless, and in order to ensure the security of cloud storage data, various encryption methods are generally used to ensure the security of the data, for example, the security of the data can be ensured by asymmetric key encryption, where the asymmetric key encryption needs to use different keys to respectively complete encryption and decryption operations, one is publicly issued, i.e., a public key, and the other is secretly stored by a user, i.e., a private key. The sender of the message uses the public key to decrypt and the recipient of the message uses the private key to decrypt.
Shared storage is adopted in the cloud storage, so that a service provider needs to control the private key, and the security of the private key is low. The invention patent document with the publication number of CN103236934A entitled "a method for cloud storage security control" discloses a method for solving the problem of low security of a private key. The invention uses two different encryption modes to encrypt and respectively store the private keys of the users.
At present, enterprises or business units have the requirement of data cloud, but public clouds are generally not easy to be trusted by the units, and the information security is considered to be possibly problematic, or keys are easy to be obtained and cracked by hackers, so that public cloud customers worry about the data cloud.
The problems existing in the prior art are as follows:
(1) and storing a certain risk in the key on the cloud server. Public cloud customers have worries about cloud-up on data.
(2) If the file key is a pseudorandom key, the true randomness of the key cannot be realized, and the key may be predicted, so that the security is insufficient.
(3) The execution environment of the encryption program at the user end is not safe enough, and if a virus trojan exists, the secret key in the memory can be monitored.
Disclosure of Invention
In view of the foregoing, it is necessary to provide a cloud storage security control method and system based on a public key pool.
A cloud storage security control method based on a public key pool comprises the steps that a user side uploads a data file encrypted by a file key to a server, the user side is configured with a quantum key fob, the file key is generated by combining a true random number generated by the quantum key fob and a key pool device, and the user side uploads the true random number to the server.
There are currently many storage cloud services, including many public clouds. In the invention, the server for storing the cloud is simply referred to as the server.
The user side is equipment accessed to the storage cloud, and can be a mobile terminal or a fixed terminal. The terminals are all provided with quantum key cards UKey, a true random number generator is also arranged in the UKey, and the true random number generator generates a true random number which is combined with the key pool device to generate a file key. The file key is generated by using the true random number in the quantum key fob, the true randomness of the file key is ensured, the security of the file key is greatly improved, meanwhile, the quantum key fob is an independent hardware isolation device, the possibility of stealing the key by malicious software or malicious operation is greatly reduced, the true random number is uploaded to a server instead of storing the file key, and the danger that the key is stolen on the server is solved.
Optionally, there are one or more user sides, a public key pool for each user side to access is stored in the key pool device, the user sides are in communication connection with the key pool device, the user side uploading the data files uses the public key pool to extract the storage key and correspondingly generates a file key to encrypt the data files, and the user side downloading the data files uses the public key pool to correspondingly generate a file key in combination with the true random number from the server to decrypt the data files.
In the invention, a UKey issuing party matched with each cloud client belonging to a cloud client group is a UKey master managing party, generally a management department of a certain enterprise or a public institution; the issued party of the UKey is a member managed by a master administrator of the UKey, generally an employee at each level of a certain enterprise or a public institution, and the member uses a storage cloud client to access cloud data, and hereinafter, the storage cloud client used by the member is collectively referred to as a user side. The user side firstly applies for opening an account to a supervisor side of the UKey. When the user side performs registration and approval, the UKey (with the unique ID) is obtained. The UKey stores a public key and a private key of a client, registration information of the client and an identity authentication protocol at least comprising a key generation algorithm and an authentication function or other algorithms related to identity authentication.
Each user side is provided with a public key pool stored in the key pool device, file sharing of a plurality of user sides can be achieved, meanwhile, the key pool is set, so that the user side downloading the data files needs to combine true random numbers from the server with the public key pool to correspondingly generate file keys, the file keys of the encrypted files cannot be obtained even if the true random numbers are obtained under the condition that the key pool is not obtained, and the safety of the file keys is further improved.
Optionally, the file key generation method includes: combining the true random number with a key selection algorithm specified in a key pool device to obtain a pointer, and extracting a corresponding encryption key and an encrypted KKP from the key pool device by using the pointer, wherein the KKP is the true random number generated by the key pool device and is used for decrypting the encryption key to obtain a storage key, and the storage key is combined with a key generation algorithm to obtain the file key.
The file key is obtained through calculation according to the storage key, calculation methods used by different departments in an organization are different, cloud storage information of other departments cannot be obtained and decrypted, and information isolation among the departments is achieved.
Optionally, the user side is in communication connection with the key pool device, encrypts the true random number and uploads the encrypted true random number to the key pool device, and the encryption mode is to encrypt the true random number by using a public key to obtain a true random number ciphertext; the secret key pool device decrypts the true random number ciphertext by using a private key to obtain a true random number; the key pool device extracts and transmits the encryption key and the encrypted KKP to the user side by using the true random number, and the user side decrypts the encrypted KKP to obtain a storage key.
Optionally, the user side encrypts the true random number and uploads the encrypted true random number to the server, wherein the encryption mode is to encrypt the true random number by using a public key to obtain a personal key and encrypt the true random number by using a file characteristic value to obtain a data key; and the user side sends the personal key, the data key, the ID of the key selection algorithm and the ID of the key generation algorithm to the server.
The invention adopts an asymmetric encryption algorithm to obtain the personal key, and in the subsequent access, the user only needs to use the personal key to decrypt the personal key, so that the true random number can be obtained, and the file key can be further obtained.
Optionally, the key generation algorithm includes:
a primary key generation algorithm for generating a primary file key in combination with the storage key;
a discretionary key generation algorithm for generating the file key in combination with the primary file key;
and selecting a key generation algorithm ID as an identifier for judging whether the server performs deduplication or not.
Wherein, the self-selection key generation algorithm is a private function, and when the ID of the self-selection key generation algorithm is ff0, the server needs to perform deduplication judgment. And (4) duplicate removal judgment, and identification of duplicate files effectively relieves storage pressure.
A cloud storage security control method based on a public key pool comprises the steps that a server receives and stores a data file encrypted by a file key from a user side, and also receives and stores a true random number from the user side, wherein the true random number is used for the user side to download and generate the file key for decryption.
The server stores the true random number instead of the file key, so that the danger that the key is stolen when being stored on the server is solved. Optionally, the true random number is in a ciphertext form, and includes a personal key obtained by the user side encrypting the true random number using the public key, and a data key obtained by the user side encrypting the true random number using the file feature value.
Optionally, the server further receives and stores an algorithm ID from the user side, where the algorithm ID is associated with generation of the file key, and one of the algorithm IDs is used as an indicator for determining whether the server performs deduplication processing;
when the server performs duplicate removal judgment according to the indication identifier, the server performs duplicate removal judgment before receiving the data file of the user side;
and when the server does not perform duplicate removal judgment according to the indication identifier, receiving and storing an algorithm ID (identity) which is from the user side and is related to the generation of the file key.
A cloud storage system based on a public key pool comprises a user side, a key pool device and a server, wherein the user side uploads a data file encrypted by a file key to the server, the user side is provided with a quantum key fob, the file key is generated by combining a true random number generated by the quantum key fob and the key pool device, and the user side uploads the true random number to the server;
the server receives and stores the data file and the true random number from the user side;
and the user side downloads the true random number and the data file encrypted by using the file key, generates a file key by combining the true random number and the key pool device, and decrypts to obtain the data file.
According to the cloud storage security control method and system based on the public key pool, a user side uploads a data file encrypted by using a file key to a server, the user side is configured with a quantum key fob, the file key is generated by combining a true random number generated by the quantum key fob and a key pool device, and the user side uploads the true random number to the server; the server receives and stores the data file and the true random number from the user side; and the user side downloads the true random number and the data file encrypted by using the file key, generates a file key by combining the true random number and the key pool device, and decrypts to obtain the data file. In the cloud storage process, the server side cannot contact the file key and the decrypted data file, the worry of the user side on the safety of cloud storage data is solved, the true random number generated by the quantum key card is used for generating the file key with true randomness, the safety of the key is improved, and meanwhile the safety of the execution environment of the user side encryption program is guaranteed.
Drawings
FIG. 1 is a schematic structural diagram of a storage system according to an embodiment of the present invention;
FIG. 2 is a schematic diagram of a public key pool device;
FIG. 3 is a schematic diagram of the encryption of true random numbers generated by a random number generator;
FIG. 4 is a flowchart of file key generation according to an embodiment of the present invention;
FIG. 5 is a timing diagram illustrating a storage method according to an embodiment of the present invention;
FIG. 6 is a timing diagram illustrating a reading method according to an embodiment of the present invention;
fig. 7 is a flowchart of a storage method according to embodiment 1 of the present invention;
fig. 8 is a flowchart of a storage method according to embodiment 2 of the present invention.
Fig. 9 is a flowchart of a reading method according to embodiment 3 of the present invention.
Detailed Description
Fig. 1 is a schematic structural diagram of a storage system according to an embodiment of the present invention, in which a cloud client group CC is respectively connected to a key pool device and a cloud storage CS through a network. Wherein the cloud client group CC is composed of a plurality of cloud clients. In this embodiment, a server storing the cloud, that is, a cloud storage, is simply referred to as a server, and a cloud client is simply referred to as a user side. The cloud storage system based on the public key pool comprises user sides, a key pool device and a server, wherein each user side stores a private key and a public key of the user side. KA/KAP in FIG. 1 refers to the private/public key of A. The user side is provided with a quantum key card UKey which is used for storing a private key of the user side and carrying out cryptology calculation, and a true random number generator is arranged in the UKey according to design requirements.
Fig. 2 shows a schematic structural diagram of the key pool device P, which includes:
a root key area for taking out a root key KR;
the random number generator is used for generating a true random number as a key of a key, the key of the key is called KKP, and in the embodiment, the random number generator is preferably a quantum random number generator;
a public key pool KP owned by the cloud client group CC.
The public key pool KP has a large capacity, which may vary from 1G to 4096G, and is a true random number, preferably a quantum random number. The key pool device P can store a plurality of KPs, and in the figure, P stores M KP areas of 1 to M. KP is encrypted by KKP generated by a random number generator in the key pool device, and KKP is encrypted by KR and public keys KAP, KBP, … … KNP of respective cloud clients A, B, … … N, as shown in fig. 3.
The file key generation method, as shown in fig. 4, combines a true random number with a key selection algorithm fp specified in a key pool device to obtain a pointer kp, and extracts a corresponding encryption key and an encrypted KKP from the key pool device by using the pointer kp, where the KKP is the true random number generated by the key pool device and is used to decrypt the encryption key to obtain a storage key ks, and the storage key ks combines with a key generation algorithm to obtain the file key kf.
Specifically, the user side is in communication connection with the key pool device, encrypts the true random number and uploads the encrypted true random number to the key pool device, and the encryption mode is to encrypt the true random number by using a public key to obtain a true random number ciphertext; the secret key pool device decrypts the true random number ciphertext by using a private key to obtain a true random number; and the key pool device extracts and transmits the encryption key and the encrypted KKP to the user side by using the true random number, and the user side decrypts the encrypted KKP to further obtain a storage key ks.
Wherein the key generation algorithm comprises:
a primary key generation algorithm fg for generating a primary file key kg in combination with the storage key ks;
a discretionary key generation algorithm ff for generating the file key kf in combination with the primary file key kg;
in this embodiment, the issuer of the UKey matched with each cloud client belonging to a cloud client group is the master administrator of the UKey; the issued party of the UKey is a member managed by a master of the UKey, and a key selection algorithm fp and a primary key generation algorithm fg are customized for the master of the public key pool and are generally consistent with the master of the cloud client group client. At least one of fp and fg is different in different departments or organizations under the main management, so as to ensure the isolation of the cloud storage information among different organizations.
The specified key selection algorithm fp is a mathematical transformation of the true random number, for example fp (r)% s,
where r is the input variable (here a true random number), d is the offset,% is the modulo operation, and s is the total size of the key pool. Of course, the particular key selection algorithm fp is not limited thereto as long as key selection can be achieved, depending on design requirements.
The primary key generation algorithm fg is a mathematical transformation of the input data, for example fg (x)% 2len
Wherein x is an input variable, a and b are transformation parameters,% is a modular operation, len is a key length (unit: bit) specified by a user, and the algorithm of the primary key generation algorithm fg is not limited to this, as long as the combination of the storage key ks and the primary key generation algorithm fg can be realized to generate the primary file key kg, according to the design requirement.
The optional key generation algorithm ff is a private function, is similar to the primary key generation algorithm fg, and takes the output of the primary key generation algorithm fg as an input, and if the privacy securing function belonging only to an individual is not required, ff (x) may be set to x.
The key selection algorithm fp, the primary key generation algorithm fg and the self-selection key generation algorithm ff all have respective IDs, and all the IDs are different from each other; specifically, the discretionary key generation algorithm ID is used as an identifier for determining whether the server performs deduplication, and when the setting function ff (x) is set as the ID of x, ff0 is a determination flag that the server needs deduplication and is known to all members.
The user side encrypts the true random number and uploads the encrypted true random number to the server, and the encryption mode is that a public key is used for encrypting the true random number to obtain a personal key and a file characteristic value is used for encrypting the true random number to obtain a data key; and the user side sends the personal key, the data key, the ID of the key selection algorithm and the ID of the key generation algorithm to the server. Certainly, according to design requirements, the user side can directly upload the true random number to the server, and under the condition that a key pool is not obtained, the file key of the encrypted file cannot be obtained even if the true random number is stolen.
The system comprises a server, a key pool device, a plurality of user sides and a plurality of user sides, wherein the key pool device is internally stored with a public key pool for each user side to access, the user sides are in communication connection with the key pool device, the user sides uploading data files utilize the public key pool to extract storage keys and correspondingly generate file keys to encrypt the data files, and the user sides downloading the data files utilize the public key pool to correspondingly generate file keys by combining true random numbers from the server so as to decrypt the data files. Groups that can share files (e.g., the same department) have the same fp and fg; group-to-group (e.g., department-to-department), at least one of fp and fg being different; ff of each user side is different; under special policies, some privileged clients can belong to different groups at the same time (for example, have rights of different departments at the same time), and this is represented by the combination of multiple sets of fp and fg.
Example 1
Fig. 5 is a timing diagram of a storage method according to an embodiment of the present invention. Fig. 7 is a flowchart of a storage method according to an embodiment of the present invention, where a cloud storage security control method based on a public key pool includes the following specific steps:
step 1.1, the client uploads the Hash value and each algorithm ID of the data file to a server: before uploading the data file, the client calculates the Hash value of the data file and uploads the Hash value to the server. Also uploaded at the same time are the IDs of the various algorithms (including key selection algorithm fp, primary key generation algorithm fg, and discretionary key generation algorithm ff, the same applies below). The self-selection key generation algorithm ff may be specific to the user terminal, or may be selected as ff 0. The present embodiment assumes that ff0 is selected, that is, ff (x) x is selected, which means that the privacy securing function belonging only to an individual is not used. In order to relieve the storage pressure, the server performs ciphertext deduplication on the file with the selection ff0, namely, identifies duplicate files.
Step 1.2, the server identifies the duplicate file: the server comprehensively considers the Hash value of the file and each algorithm ID according to the information of ff0 to identify the duplicate file, namely if two files have the same Hash value and the IDs of fp, fg and ff are respectively the same, the same data file is considered to need to be deduplicated. If the server judges that duplicate removal is not needed, the server stores the received Hash value and each algorithm ID, and executes the step 1.3. If deduplication is required, the server performs step 1.4. The difference between step 1.4 and step 1.3 is that if the server has a file that is consistent with the file that the current user wants to upload, the user can decrypt the data key provided by the server by using the file feature value of the user's own data file to obtain the true random number r, and can obtain the personal key of the user by using the public key to encrypt r and upload the personal key to the server for storage. During subsequent access, the user can obtain the true random number r and further obtain a file key by only decrypting the personal key by using the private key of the user, and the data plaintext is obtained by using the file key. The specific flow of file reading is shown in example 3. Therefore, repeated storage of the data files at the cloud end is prevented, and the fact that the cloud storage service provider (internal staff) cannot acquire the plaintext of the data contents is guaranteed.
As will be understood by those skilled in the art, in some cases, the same user may upload the same data file one after another, and then when the user expects to upload the uploaded data file again at the same fp, fg, and ff, the server side does not perform any operation if it is determined that the data file originates from the same user.
Step 1.3. if the server does not need to remove the duplicate:
step 1.3.1 the server informs the user end of generating the true random number: and after storing the received Hash value and the algorithm ID, the server sends the information that the server does not have the same data file to the user side.
Step 1.3.2 user side processes information: the user end uses the random number generator to generate a true random number r, uses the public key of the key pool device P to encrypt the true random number r and then sends the true random number r to the key pool device P.
Step 1.3.3 the key pool device decrypts the file: the key pool device P uses the private key of the device P to decrypt and obtain the true random number r, uses the true random number r to combine with a specific key selection algorithm fp to obtain a pointer kp, extracts a corresponding encryption key and an encrypted KKP from the key pool, and sends the two parts to the user side.
Step 1.3.4 the client gets the file key: after receiving the encryption key and the encrypted KKP, the client obtains the KKP by using a private key of the client, and then decrypts the encryption key by using the KKP to obtain a storage key ks; then generating a primary file key kg according to ks by combining a primary key generation algorithm fg; then, a file key kf is generated according to kg in combination with a discretionary key generation algorithm ff. In this embodiment, ff (x) is x.
After the file key kf is obtained, the user side encrypts the data file by using the file key to obtain a ciphertext M2, wherein the encryption algorithm can be a symmetric encryption algorithm;
the user side encrypts the true random number r by using the public key to obtain a personal key;
a user side generates a file characteristic value, and encrypts a true random number r by using the file characteristic value to obtain a data key; the calculation method of the file characteristic value is a predefined algorithm, and can be but is not limited to Hash calculation, file compression or other file characteristic calculation algorithms;
and the user side sends the ciphertext M2, the algorithm ID, the personal key and the data key to the cloud service side.
Step 1.3.5, the cloud server stores corresponding information: and the cloud server stores the received ciphertext, the algorithm ID, the personal key and the data key.
Step 1.4, if the cloud server needs to remove the duplicate:
step 1.4.1 the cloud server sends a data key to the key pool device: and the cloud server sends the data key of the file to the user side.
Step 1.4.2, the user side processes information and sends content to be stored on the cloud service side to the cloud service side: and after receiving the data key, the user side generates a file characteristic value according to the data file, and decrypts the data key by using the file characteristic value to obtain the true random number r.
The user side uses the public key to encrypt the true random number r to obtain the personal key of the user and sends the personal key to the cloud service side.
Step 1.4.3, the cloud server stores corresponding information: and the cloud server receives the personal key and then stores the personal key.
Example 2
Fig. 8 is a flowchart of a storage method provided in this embodiment. A timing chart of the storage method of this embodiment is consistent with that of embodiment 1, and a cloud storage security control method based on a public key pool includes the following specific steps:
step 2.1, the user side uploads the Hash value and each algorithm ID of the data file to the cloud server side: before uploading the data file, the client calculates the Hash value of the data file and uploads the Hash value to the cloud server. And the IDs of the algorithms are uploaded at the same time. Wherein, the self-selection key generation algorithm ff selects the user-specific key and not selects ff0, i.e. selects ff (x) ≠ x, which means that the privacy function belonging to the individual only is used, and the file is unique to the user and does not participate in ciphertext deduplication.
Step 2.2, the cloud server side stores the Hash value and each algorithm ID: and the cloud server stores the received Hash value in a place different from the Hash value of the file participating in identifying the repeated file according to the information of the ff. Also stored are the respective algorithm IDs.
Step 2.3, the user side generates true random numbers and sends the true random numbers to the key pool device: the user end uses the true random number r generated by the random number generator, encrypts the true random number r by using the public key of the key pool device P and then sends the true random number r to the key pool device P.
Step 2.4, the key pool device decrypts the file: the key pool device P uses the private key of the device P to decrypt and obtain the true random number r, uses the true random number r to combine with a specific key selection algorithm fp to obtain a pointer kp, extracts a corresponding encryption key and an encrypted KKP from the key pool, and sends the two parts to the user side.
Step 2.5, the user end obtains the file key and sends the content to be stored in the server to the server: after receiving the encryption key and the encrypted KKP, the user side uses a private key of the user side to obtain the KKP, and then uses the KKP to decrypt the encryption key to obtain a storage key ks; then generating a primary file key kg according to ks by combining a primary key generation algorithm fg; then, a file key kf is generated according to kg in combination with a discretionary key generation algorithm ff.
After the file key kf is obtained, the user side encrypts the data file by using the file key to obtain a ciphertext, wherein the encryption algorithm can be a symmetric encryption algorithm;
the user side encrypts the true random number r by using the public key to obtain a personal key;
and the user side sends the ciphertext and the personal key to the server.
Step 2.6, the server stores corresponding information: the server stores the received cipher text and the personal key.
Example 3
Fig. 6 is a timing diagram of a storage method according to an embodiment of the present invention. Fig. 9 is a flowchart of a file reading method according to an embodiment of the present invention, and a cloud storage security control method based on a public key pool, where based on the above embodiment, a specific step of a user reading a file is as follows:
step 3.1, the user side initiates a file reading request: and the user side sends the Hash value of the file to be read and each algorithm ID to the server.
Step 3.2, the server sends corresponding information to the user side: and after receiving the Hash value and the algorithm ID of the file, the server finds out the information corresponding to the Hash value and the algorithm ID and sends the ciphertext and the personal key to the user side.
Step 3.3, the user side obtains the file key: the user side decrypts the personal key by using the private key to obtain the true random number r. The method comprises the steps that a public key of the P is used for encrypting a true random number r and sending the true random number r to a key pool device P, the key pool device P uses a private key of the P for decryption to obtain the true random number r, the true random number r is used for combining with a specific key selection algorithm fp to obtain a pointer kp, a corresponding encryption key and an encrypted KKP are extracted from a key pool, and the true random number r and the encrypted KKP are sent to a user side. The user side obtains KKP by using its own private key, and further obtains the file key kf, and the specific steps are as shown in fig. 4.
Step 3.4, the user side obtains the data file: and the user side decrypts the ciphertext obtained from the server by using the file key to obtain a data file, and finishes reading the server file.
In the cloud storage system based on the public key pool, the server cannot contact the private key of the user side and the decrypted plaintext data file. Furthermore, the personal key and the data key stored on the server are true random numbers r encrypted using different methods, which in combination with a specific key selection algorithm can result in a pointer. The file key of the encrypted file cannot be obtained even if the individual key or the data key is cracked. The file key is obtained through calculation according to the storage key, calculation methods used by different departments in an organization are different, cloud storage information of other departments cannot be obtained and decrypted, and information isolation among the departments is achieved. In particular, a self-selection key generation algorithm can be further arranged, and complete privativeness of cloud storage information is achieved. The storage key used by the invention is a quantum key, is a true random number generated according to quantum characteristics, and the next bit of the quantum key cannot be predicted, so that the defect of a pseudo-random number is effectively overcome. The UKey is used for storing the user side key instead of the user side memory, the UKey is independent hardware equipment, and the possibility of stealing the key by malicious software or malicious operation is greatly reduced.
The technical features of the embodiments described above may be arbitrarily combined, and for the sake of brevity, all possible combinations of the technical features in the embodiments described above are not described, but should be considered as being within the scope of the present specification as long as there is no contradiction between the combinations of the technical features.
The above-mentioned embodiments only express several embodiments of the present invention, and the description thereof is more specific and detailed, but not construed as limiting the scope of the invention. It should be noted that, for a person skilled in the art, several variations and modifications can be made without departing from the inventive concept, which falls within the scope of the present invention. Therefore, the protection scope of the present patent shall be subject to the appended claims.

Claims (8)

1. A cloud storage security control method based on a public key pool comprises the steps that a user side uploading data files uploads the data files encrypted by a file key to a server, and a user side downloading the data downloads the encrypted data files from the server and decrypts the data files to obtain the data files;
the key pool device P decrypts by using a private key of the key pool device P to obtain a true random number r, obtains a pointer kp by using the true random number r in combination with a specific key selection algorithm fp, extracts a corresponding encryption key and an encrypted KKP from the key pool, and sends the two parts to a user side, wherein the encryption key is a storage key ks encrypted by using KKP, and the encrypted KKP is a true random number generated by the key pool device encrypted by using a public key of the user side;
after receiving the encryption key and the encrypted KKP, the user side uses a private key of the user side to obtain the KKP, then uses the KKP to decrypt the encryption key to obtain a storage key ks, and uses the storage key ks in combination with a key generation algorithm to obtain a file key kf;
the user side uploads the true random number r and the data file encrypted by the file key to a server;
the server receives and stores the encrypted data file and the true random number r;
the user terminal downloading the data downloads the true random number and the data file encrypted by the file key from the server, and the user terminal encrypts the true random number r by using the public key of the key pool device P and sends the true random number r to the key pool device P;
the key pool device P uses a private key thereof to decrypt to obtain a true random number r, uses the true random number r in combination with a specific key selection algorithm fp to obtain a pointer kp, extracts a corresponding encryption key and an encrypted KKP from the key pool, and sends the two parts to a user side;
the user side obtains KKP by using a private key of the user side, then decrypts the encryption key by using the KKP to obtain a storage key ks, obtains a file key kf by using the storage key ks in combination with a key generation algorithm, and decrypts the encrypted data file by using the file key kf to obtain the data file.
2. The public key pool-based cloud storage security control method according to claim 1, wherein there are one or more clients uploading data files, the key pool device stores therein a public key pool for each client to access, and the clients are communicatively connected to the key pool device.
3. The cloud storage security control method based on the public key pool as claimed in claim 2, wherein the user side uploading the data file uploads the true random number to the server after encrypting the true random number, and the encryption method is to use a public key to encrypt the true random number to obtain a personal key and use a file characteristic value to encrypt the true random number to obtain a data key; and the user side sends the personal key, the data key, the ID of the key selection algorithm and the ID of the key generation algorithm to the server.
4. The public key pool-based cloud storage security control method of claim 3, wherein the key generation algorithm comprises:
a primary key generation algorithm for generating a primary file key in combination with the storage key;
a discretionary key generation algorithm for generating the file key in combination with the primary file key;
and selecting a key generation algorithm ID as an identifier for judging whether the server performs deduplication or not.
5. A cloud storage security control method based on a public key pool comprises a server receiving and storing a data file encrypted by a file key from a user side uploading the data file, and is characterized in that,
a user side is configured with a quantum key fob, a true random number generator is arranged in the quantum key fob, the user side uploading a data file generates a true random number r by using the true random number generator, encrypts the true random number r by using a public key of a key pool device P and then sends the encrypted true random number r to the key pool device P;
the key pool device P decrypts by using a private key of the key pool device P to obtain a true random number r, obtains a pointer kp by using the true random number r in combination with a specific key selection algorithm fp, extracts a corresponding encryption key and an encrypted KKP from the key pool, and sends the two parts to a user side, wherein the encryption key is a storage key ks encrypted by using KKP, and the encrypted KKP is a true random number generated by the key pool device encrypted by using a public key of the user side;
after receiving the encryption key and the encrypted KKP, the user side uses a private key of the user side to obtain the KKP, then uses the KKP to decrypt the encryption key to obtain a storage key ks, and uses the storage key ks in combination with a key generation algorithm to obtain a file key kf;
the user side uploads the true random number r and the data file encrypted by the file key to a server;
the server receives and stores the encrypted data file and the true random number r;
the user terminal downloading the data downloads the true random number and the data file encrypted by the file key from the server, and the user terminal encrypts the true random number r by using the public key of the key pool device P and sends the true random number r to the key pool device P;
the key pool device P uses a private key thereof to decrypt to obtain a true random number r, uses the true random number r in combination with a specific key selection algorithm fp to obtain a pointer kp, extracts a corresponding encryption key and an encrypted KKP from the key pool, and sends the two parts to a user side;
the user side obtains KKP by using a private key of the user side, then decrypts the encryption key by using the KKP to obtain a storage key ks, obtains a file key kf by using the storage key ks in combination with a key generation algorithm, and decrypts the encrypted data file by using the file key kf to obtain the data file.
6. The public key pool-based cloud storage security control method of claim 5, wherein the true random number is in a ciphertext form, and comprises a personal key obtained by encrypting the true random number by using a public key at the user side for uploading the data file, and a data key obtained by encrypting the true random number by using a file feature value at the user side.
7. The public key pool-based cloud storage security control method according to claim 6, wherein the server further receives and stores an algorithm ID associated with the file key generation from the client that uploads the data file, wherein an algorithm ID is used as an indicator of whether the server performs deduplication determination;
when the server performs duplicate removal judgment according to the indication identifier, the server performs duplicate removal judgment before receiving the data file of the user side;
and when the server does not perform duplicate removal judgment according to the indication identifier, receiving and storing an algorithm ID (identity) which is from the user side and is related to the generation of the file key.
8. A cloud storage system based on a public key pool comprises a user side, a key pool device and a server, and is characterized in that the user side is provided with a quantum key fob, the quantum key fob is internally provided with a true random number generator, the user side uploading data files generates a true random number r by using the true random number generator, encrypts the true random number r by using a public key of the key pool device P and then sends the r to the key pool device P;
the key pool device P decrypts by using a private key of the key pool device P to obtain a true random number r, obtains a pointer kp by using the true random number r in combination with a specific key selection algorithm fp, extracts a corresponding encryption key and an encrypted KKP from the key pool, and sends the two parts to a user side, wherein the encryption key is a storage key ks encrypted by using KKP, and the encrypted KKP is a true random number generated by the key pool device encrypted by using a public key of the user side;
after receiving the encryption key and the encrypted KKP, the user side uses a private key of the user side to obtain the KKP, then uses the KKP to decrypt the encryption key to obtain a storage key ks, and uses the storage key ks in combination with a key generation algorithm to obtain a file key kf;
the user side uploads the true random number r and the data file encrypted by the file key to a server;
the server receives and stores the encrypted data file and the true random number r;
the user terminal downloading the data downloads the true random number and the data file encrypted by the file key from the server, and the user terminal encrypts the true random number r by using the public key of the key pool device P and sends the true random number r to the key pool device P;
the key pool device P uses a private key thereof to decrypt to obtain a true random number r, uses the true random number r in combination with a specific key selection algorithm fp to obtain a pointer kp, extracts a corresponding encryption key and an encrypted KKP from the key pool, and sends the two parts to a user side;
the user side obtains KKP by using a private key of the user side, then decrypts the encryption key by using the KKP to obtain a storage key ks, obtains a file key kf by using the storage key ks in combination with a key generation algorithm, and decrypts the encrypted data file by using the file key kf to obtain the data file.
CN201810856927.3A 2018-07-31 2018-07-31 Cloud storage security control method and system based on public key pool Active CN108989033B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201810856927.3A CN108989033B (en) 2018-07-31 2018-07-31 Cloud storage security control method and system based on public key pool

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201810856927.3A CN108989033B (en) 2018-07-31 2018-07-31 Cloud storage security control method and system based on public key pool

Publications (2)

Publication Number Publication Date
CN108989033A CN108989033A (en) 2018-12-11
CN108989033B true CN108989033B (en) 2021-10-22

Family

ID=64552110

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201810856927.3A Active CN108989033B (en) 2018-07-31 2018-07-31 Cloud storage security control method and system based on public key pool

Country Status (1)

Country Link
CN (1) CN108989033B (en)

Families Citing this family (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109547461A (en) * 2018-12-13 2019-03-29 如般量子科技有限公司 Anti- quantum calculation block chain secure transactions system and method based on P2P pool of symmetric keys
CN109672521B (en) * 2018-12-26 2022-11-29 贵州华芯通半导体技术有限公司 Security storage system and method based on national encryption engine
CN109587170B (en) * 2018-12-29 2020-11-17 如般量子科技有限公司 Anti-quantum computing cloud storage method and system based on multiple public asymmetric key pools
CN109687960B (en) * 2018-12-29 2021-08-10 如般量子科技有限公司 Anti-quantum computing proxy cloud storage method and system based on multiple public asymmetric key pools
CN109787965B (en) * 2018-12-29 2021-02-02 如般量子科技有限公司 Quantum computing resistant cloud storage method and system based on multiple asymmetric key pools
CN109787747B (en) * 2018-12-29 2022-06-14 如般量子科技有限公司 Anti-quantum-computation multi-encryption cloud storage method and system based on multiple asymmetric key pools
CN109919609A (en) * 2019-01-14 2019-06-21 如般量子科技有限公司 Anti- quantum calculation block chain secure transactions method and system based on public key pond
CN109919610A (en) * 2019-01-14 2019-06-21 如般量子科技有限公司 Anti- quantum calculation block chain secure transactions method and system based on P2P public key pond
CN109905229B (en) * 2019-01-17 2023-05-05 如般量子科技有限公司 Anti-quantum computing Elgamal encryption and decryption method and system based on group asymmetric key pool
CN112242899B (en) * 2019-07-17 2022-09-09 科大国盾量子技术股份有限公司 NAS storage system and method for encrypting and decrypting storage file by using quantum key
CN111865891B (en) * 2019-12-31 2023-08-15 北京嘀嘀无限科技发展有限公司 Data transmission method, user terminal, electronic equipment and readable storage medium
CN111953676B (en) * 2020-08-10 2022-07-15 四川阵风科技有限公司 File encryption method based on hardware equipment grade

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105024807A (en) * 2014-04-30 2015-11-04 宇龙计算机通信科技(深圳)有限公司 Data processing method and system
CN105763331A (en) * 2014-12-19 2016-07-13 北大方正集团有限公司 Data encryption method, device, data decryption method and device
CN108270561B (en) * 2017-01-04 2021-08-13 阿里巴巴集团控股有限公司 Data sending method and device and key index generating method and device

Also Published As

Publication number Publication date
CN108989033A (en) 2018-12-11

Similar Documents

Publication Publication Date Title
CN108989033B (en) Cloud storage security control method and system based on public key pool
CN108985099B (en) Proxy cloud storage security control method and system based on public key pool
CN109104276B (en) Cloud storage security control method and system based on key pool
CN109151053B (en) Anti-quantum computing cloud storage method and system based on public asymmetric key pool
CN109150519B (en) Anti-quantum computing cloud storage security control method and system based on public key pool
TWI748853B (en) Secure multiparty loss resistant storage and transfer of cryptographic keys for blockchain based systems in conjunction with a wallet management system
US20110145576A1 (en) Secure method of data transmission and encryption and decryption system allowing such transmission
CN109981255B (en) Method and system for updating key pool
EP2984781A1 (en) Secure backup and recovery system for private sensitive data
JP2009103774A (en) Secret sharing system
CN109495251B (en) Anti-quantum-computation intelligent home cloud storage method and system based on key fob
CN103237040A (en) Storage method, storage server and storage client
CN109347923B (en) Anti-quantum computing cloud storage method and system based on asymmetric key pool
US20210112039A1 (en) Sharing of encrypted files without decryption
CN109299618B (en) Quantum-resistant computing cloud storage method and system based on quantum key card
CN109787747B (en) Anti-quantum-computation multi-encryption cloud storage method and system based on multiple asymmetric key pools
CN115001681A (en) Key recovery method, device, system, storage medium and electronic device
CN109412788B (en) Anti-quantum computing agent cloud storage security control method and system based on public key pool
CN109302283B (en) Anti-quantum computing agent cloud storage method and system based on public asymmetric key pool
CN109687960B (en) Anti-quantum computing proxy cloud storage method and system based on multiple public asymmetric key pools
JP5605452B2 (en) Communication device
Salim et al. An efficient public auditing scheme for cloud storage with secure access control and resistance against DOS attack by iniquitous TPA
Emdad et al. A standard data security model using AES algorithm in cloud computing
CN109587170B (en) Anti-quantum computing cloud storage method and system based on multiple public asymmetric key pools
CN109787965B (en) Quantum computing resistant cloud storage method and system based on multiple asymmetric key pools

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant