CN109067868A - Method and system for storing cloud data - Google Patents


Info

Publication number: CN109067868A
Authority: CN (China)
Prior art keywords: cloud data, location, data storage, file, storage
Legal status: Withdrawn
Application number: CN201810857390.2A
Other languages: Chinese (zh)
Inventors: 刘慧�, 谷虽云, 巫天博
Current assignee: Foshan Moss Cloud Chain Technology Co Ltd
Original assignee: Foshan Moss Cloud Chain Technology Co Ltd
Priority date: 2018-07-31
Filing date: 2018-07-31
Publication date: 2018-12-21

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/10 Protocols in which an application is distributed across nodes in the network
    • H04L67/1097 Protocols in which an application is distributed across nodes in the network for distributed storage of data in networks, e.g. transport arrangements for network file system [NFS], storage area networks [SAN] or network attached storage [NAS]
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/107 Network architectures or network communication protocols for network security for controlling access to devices or network resources wherein the security policies are location-dependent, e.g. entities' privileges depend on current location or allowing specific operations only from locally connected terminals

Abstract

The invention discloses a method and system for storing cloud data. The method includes: obtaining a location policy that governs access to a cloud data store, the location policy specifying one or more location rules that must be satisfied in order to access files in the cloud data store; receiving, from a client system, a request to access one or more files in the cloud data store; verifying whether the request satisfies the location rules and therefore satisfies the location policy; and providing the client system with access to the files in the cloud data store.

Description

Method and system for storing cloud data
Technical field
The present invention relates to the field of cloud computing technology, and in particular to a method and system for storing cloud data.
Background technique
An important trend in recent years is the migration of data and services to cloud-based systems. Individuals and organizations increasingly rely on cloud-based data storage, even for sensitive data. Cloud-based data storage offers many advantages, such as improved data access: cloud data stores can be reached from almost any location and used from a wide variety of computing devices, and many cloud services provide data sharing features that support collaboration and communication.
Unfortunately, users of cloud data storage services may also give up a degree of control over their data. A user may not know the physical location of the cloud service's data storage facilities. The cloud service may move data from one location to another without notifying the user, and the data may then fall under different jurisdictions, each of which has its own laws governing when data must be disclosed to government entities.
Cloud storage users must place considerable trust in the cloud service provider, namely that its security policies are adequate and are actually followed. In addition, the accessibility of cloud data storage also means that an attacker located anywhere may attempt to access the data. Contractual or legal requirements governing the accessibility of data may even rule out the use of cloud storage entirely. The present disclosure therefore identifies and addresses a need for additional and improved systems for location-aware access to cloud data stores.
Summary of the invention
The invention proposes a method for storing cloud data. The method provides location-aware access and is executed at least in part by a computing device comprising at least one processor. The method comprises:
obtaining a location policy that governs access to a cloud data store, the location policy specifying a location rule that must be satisfied in order to access files in the cloud data store, the location rule comprising a location criterion that identifies a permitted data storage location for the cloud data store, the permitted data storage location being distinct from a permitted request location for requests to access the cloud data store;
receiving, from a client system, a request to access at least one file in the cloud data store;
verifying that the request satisfies the location rule, and thereby satisfies the location policy, by verifying that the cloud data store is located within the permitted data storage location;
providing, by a location service distinct from the cloud data store, an encryption element to the client system for accessing the file in the cloud data store, in response to verifying that the cloud data store is located within the permitted data storage location;
after the location service has provided the encryption element to the client system, retrieving the file from the cloud data store by the client system; and
decrypting the file by the client system using the encryption element, wherein providing the encryption element to the client system enables the client system to download and decrypt the file directly from the cloud data store rather than receiving the file through the location service.
The method further includes initiating encryption of the files in the cloud data store by receiving from a user a credential that authenticates the user to the cloud data store.
In the method, initiating encryption of the files in the cloud data store further includes authenticating the user to the cloud data store in response to receiving the credential.
In the method, initiating encryption of the files in the cloud data store further includes:
generating an encryption element for encrypting and decrypting the files in the cloud data store; and
encrypting the files in the cloud data store using the encryption element.
In the method, the location service is provided by a computing security service provider, and the location rule includes:
a location criterion identifying the permitted data storage location of the cloud data store; and
an additional location criterion identifying a permitted request location for requests to access the cloud data store; and
verifying that the request satisfies the location rule includes verifying that both the location criterion and the additional location criterion are satisfied.
The method further includes revoking previously granted access to the files in the cloud data store by:
authenticating the user using the credential received from the user as the user of the cloud data store;
generating at least one new encryption element for encrypting and decrypting the files in the cloud data store;
decrypting the files in the cloud data store using the encryption element; and
re-encrypting the files in the cloud data store using the new encryption element.
In the method, the location rule identifies the permitted data storage location using an Internet Protocol address, and the encryption element is part of an asymmetric key pair comprising:
a public encryption key and a private decryption key; wherein encrypting the files in the cloud data store using the encryption element includes providing the public encryption key to an encryption client to encrypt the files in the cloud data store; and wherein the encryption client includes at least one of: the client system; and the cloud data store.
In the method, the permitted data storage location of the cloud data store includes a permitted geographic region for the cloud data store, and the location rule requires that the permitted data storage location be identified using a geographic location identifier or a combination of two or more of the following:
an Internet Protocol address;
location information in a Secure Sockets Layer certificate;
a hardware attestation signature;
a media access control address;
an autonomous system number; and
Border Gateway Protocol information.
A system for storing cloud data, the system comprising:
a policy module, stored in memory, that, as part of a location service, obtains a location policy governing access to a cloud data store, the location policy specifying a location rule that must be satisfied in order to access files in the cloud data store, the location rule comprising a location criterion that identifies a permitted data storage location for the cloud data store which is distinct from a permitted request location for requests to access the cloud data store;
a communication module, stored in memory, that, as part of the location service, receives from a client system a request to access at least one file in the cloud data store, the location service being distinct from the cloud data store;
a verification module, stored in memory, that, as part of the location service, verifies that the request satisfies the location rule, and thereby satisfies the location policy, by verifying that the cloud data store is located within the permitted data storage location;
an access module, stored in memory, that, as part of the location service, provides the client system with an encryption element for accessing the file in the cloud data store, in response to verifying that the cloud data store is located within the permitted data storage location;
the client system, which:
after receiving the encryption element from the location service, retrieves the file from the cloud data store; and
decrypts the file using the encryption element, wherein providing the encryption element to the client system enables the client system to download and decrypt the file directly from the cloud data store rather than receiving the file through the location service; and
at least one physical processor configured to execute the policy module, the communication module, the verification module and the access module.
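The flow described in this summary, as an added example that is not the patent's own code: a location service that holds the location policy and the encryption element, a cloud data store that holds only ciphertext, a client that obtains the element from the service and then downloads and decrypts the file directly from the store, and revocation by re-keying every file. The cipher is an assumption: the description specifies an asymmetric key pair, whereas this example uses a symmetric HMAC-SHA256 counter-mode construction with an authentication tag so that it runs on the Python standard library alone. The policy values, the location evidence (addresses from the RFC 5737 documentation range, ASN 64496 from RFC 5398, two-letter region codes), the user credential and the file contents are all constructed; hardware attestation is reduced to a pre-verified boolean, and the MAC-address and BGP criteria listed in the description are omitted.

```python
"""Location-aware access to an encrypted cloud data store (added example, not the patent's code)."""
import hashlib, hmac, ipaddress, secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Encryption element. The description specifies an asymmetric key pair; this stand-in (an assumption,
# to stay standard-library only) is a PRF-counter-mode stream cipher plus an encrypt-then-MAC tag.
def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((length + 31) // 32))
    return b"".join(blocks)[:length]

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = secrets.token_bytes(16)  # fresh per message
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong encryption element or tampered ciphertext")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))

@dataclass
class LocationEvidence:  # what a store or requester presents about where it is (constructed)
    region: Optional[str] = None         # geographic location identifier
    ip: Optional[str] = None             # Internet Protocol address
    cert_location: Optional[str] = None  # location field of the SSL certificate
    asn: Optional[int] = None            # autonomous system number
    attestation_ok: bool = False         # hardware attestation signature already verified

@dataclass
class LocationRule:
    allowed_store_regions: Set[str]                      # location criterion (store)
    allowed_store_networks: List[ipaddress.IPv4Network]
    allowed_store_asns: Set[int]
    allowed_request_regions: Set[str]                    # additional criterion (request)
    def store_location_ok(self, ev: LocationEvidence) -> bool:
        # A geographic identifier alone suffices; otherwise two or more other signals must agree.
        if ev.region in self.allowed_store_regions:
            return True
        signals = [ev.ip is not None and any(ipaddress.ip_address(ev.ip) in n
                                             for n in self.allowed_store_networks),
                   ev.cert_location in self.allowed_store_regions,
                   ev.asn in self.allowed_store_asns, ev.attestation_ok]
        return sum(signals) >= 2
    def request_location_ok(self, ev: LocationEvidence) -> bool:
        return ev.region in self.allowed_request_regions

@dataclass
class CloudDataStore:
    location: LocationEvidence
    files: Dict[str, bytes] = field(default_factory=dict)  # ciphertext only

class LocationService:  # distinct from the store; holds policy, credentials and the element
    def __init__(self, rule: LocationRule, store: CloudDataStore, credentials: Dict[str, str]):
        self.rule, self.store, self._credentials = rule, store, credentials
        self.key = secrets.token_bytes(32)
    def _authenticate(self, user: str, credential: str) -> None:
        if not hmac.compare_digest(self._credentials.get(user, ""), credential):
            raise PermissionError("user authentication failed")
    def initiate_encryption(self, user: str, credential: str, plaintexts: Dict[str, bytes]) -> None:
        self._authenticate(user, credential)    # credential received from the user
        self.key = secrets.token_bytes(32)      # generate the encryption element
        for name, data in plaintexts.items():   # encrypt the files into the store
            self.store.files[name] = encrypt(self.key, data)
    def request_access(self, requester: LocationEvidence) -> bytes:
        # Issue the element only when both the store and the request criteria hold.
        if not self.rule.store_location_ok(self.store.location):
            raise PermissionError("store is outside the permitted data storage location")
        if not self.rule.request_location_ok(requester):
            raise PermissionError("request comes from a non-permitted location")
        return self.key
    def revoke(self, user: str, credential: str) -> None:
        # Revoke previously granted access by re-keying every file in the store.
        self._authenticate(user, credential)
        old, self.key = self.key, secrets.token_bytes(32)
        for name, blob in list(self.store.files.items()):
            self.store.files[name] = encrypt(self.key, decrypt(old, blob))

def client_fetch(svc: LocationService, store: CloudDataStore, req: LocationEvidence, name: str) -> bytes:
    # Client side: element from the service, ciphertext straight from the store, decrypt locally.
    return decrypt(svc.request_access(req), store.files[name])

# Constructed policy using documentation address space (RFC 5737) and ASN (RFC 5398).
RULE = LocationRule({"DE"}, [ipaddress.ip_network("203.0.113.0/24")], {64496}, {"DE", "FR"})

def demo():
    # Full flow: encrypt, access, revoke (old element no longer decrypts), access again.
    store = CloudDataStore(LocationEvidence(ip="203.0.113.7", asn=64496))  # two signals, no region
    svc = LocationService(RULE, store, {"alice": "s3cret"})
    svc.initiate_encryption("alice", "s3cret", {"report.txt": b"quarterly figures"})
    first = client_fetch(svc, store, LocationEvidence(region="FR"), "report.txt")
    old_key = svc.key
    svc.revoke("alice", "s3cret")
    try:
        decrypt(old_key, store.files["report.txt"]); stale_rejected = False
    except ValueError:
        stale_rejected = True
    second = client_fetch(svc, store, LocationEvidence(region="DE"), "report.txt")
    return first, stale_rejected, second
```

`demo()` returns the decrypted file, a flag showing that the pre-revocation element fails on the re-keyed ciphertext, and the file decrypted again after a fresh, policy-checked request. The combination requirement in `store_location_ok` is what keeps a single spoofed attribute from satisfying the rule; the bare geographic identifier is accepted on its own exactly as the description allows, so a deployment would want that identifier derived from verified signals rather than self-reported.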
Brief description of the drawings
The invention will be further understood from the following description with reference to the accompanying drawings. The components in the figures are not necessarily drawn to scale; emphasis is instead placed on illustrating the principles of the embodiments. In the figures, like reference numerals designate corresponding parts throughout the different views.
Fig. 1 is a schematic diagram of the method for storing cloud data according to the invention.
Detailed description
To make the objects, technical solutions and advantages of the present invention clearer, the invention is further described below in conjunction with an embodiment. It should be understood that the specific embodiment described here is intended only to explain the invention and not to limit it. Other systems, methods and/or features of the embodiment will become apparent to those skilled in the art upon reading the following detailed description. All such additional systems, methods, features and advantages are intended to be included within this description, to fall within the scope of the invention, and to be protected by the appended claims. Further features of the disclosed embodiments are described in the detailed description below and will be apparent from it.
As shown in Fig. 1, the invention proposes a method for storing cloud data that provides location-aware access and is executed at least in part by a computing device comprising at least one processor. The method comprises the steps set out in the Summary of the invention above.
Although the invention has been described above with reference to various embodiments, it should be understood that many changes and modifications can be made without departing from the scope of the invention. The foregoing detailed description is therefore to be regarded as illustrative rather than restrictive, and it should be understood that the following claims, including all equivalents, are intended to define the spirit and scope of the invention. The above embodiment is to be understood as merely illustrating the invention and not as limiting its scope. After reading the content recorded in the invention, a person skilled in the art can make various changes or modifications to the invention, and such equivalent changes and modifications likewise fall within the scope of the claims of the invention.

Claims (9)

1. A method for storing cloud data, characterized in that the method provides location-aware access and is executed at least in part by a computing device comprising at least one processor, the method comprising:
obtaining a location policy that governs access to a cloud data store, the location policy specifying a location rule that must be satisfied in order to access files in the cloud data store, the location rule comprising a location criterion that identifies a permitted data storage location for the cloud data store, the permitted data storage location being distinct from a permitted request location for requests to access the cloud data store;
receiving, from a client system, a request to access at least one file in the cloud data store;
verifying that the request satisfies the location rule, and thereby satisfies the location policy, by verifying that the cloud data store is located within the permitted data storage location;
providing, by a location service distinct from the cloud data store, an encryption element to the client system for accessing the file in the cloud data store, in response to verifying that the cloud data store is located within the permitted data storage location;
after the location service has provided the encryption element to the client system, retrieving the file from the cloud data store by the client system; and
decrypting the file by the client system using the encryption element, wherein providing the encryption element to the client system enables the client system to download and decrypt the file directly from the cloud data store rather than receiving the file through the location service.
2. The method of claim 1, characterized in that it further comprises initiating encryption of the files in the cloud data store by receiving from a user a credential that authenticates the user to the cloud data store.
3. The method of claim 2, characterized in that initiating encryption of the files in the cloud data store further comprises authenticating the user to the cloud data store in response to receiving the credential.
4. The method of claim 3, characterized in that initiating encryption of the files in the cloud data store further comprises:
generating an encryption element for encrypting and decrypting the files in the cloud data store; and
encrypting the files in the cloud data store using the encryption element.
5. The method of claim 1, characterized in that the location service is provided by a computing security service provider, and the location rule comprises:
a location criterion identifying the permitted data storage location of the cloud data store; and
an additional location criterion identifying a permitted request location for requests to access the cloud data store; and
verifying that the request satisfies the location rule comprises verifying that both the location criterion and the additional location criterion are satisfied.
6. The method of claim 4, characterized in that it further comprises revoking previously granted access to the files in the cloud data store by:
authenticating the user using the credential received from the user as the user of the cloud data store;
generating at least one new encryption element for encrypting and decrypting the files in the cloud data store;
decrypting the files in the cloud data store using the encryption element; and
re-encrypting the files in the cloud data store using the new encryption element.
7. The method of claim 1, characterized in that the location rule identifies the permitted data storage location using an Internet Protocol address; wherein the encryption element is part of an asymmetric key pair comprising a public encryption key and a private decryption key; wherein encrypting the files in the cloud data store using the encryption element comprises providing the public encryption key to an encryption client to encrypt the files in the cloud data store; and wherein the encryption client comprises at least one of: the client system; and the cloud data store.
8. The method of claim 1, characterized in that the permitted data storage location of the cloud data store comprises a permitted geographic region for the cloud data store; wherein the location rule requires that the permitted data storage location be identified using a geographic location identifier or a combination of two or more of the following:
an Internet Protocol address;
location information in a Secure Sockets Layer certificate;
a hardware attestation signature;
a media access control address;
an autonomous system number; and
Border Gateway Protocol information.
9. A system for storing cloud data, characterized in that the system comprises:
a policy module, stored in memory, that, as part of a location service, obtains a location policy governing access to a cloud data store, the location policy specifying a location rule that must be satisfied in order to access files in the cloud data store, the location rule comprising a location criterion that identifies a permitted data storage location for the cloud data store which is distinct from a permitted request location for requests to access the cloud data store;
a communication module, stored in memory, that, as part of the location service, receives from a client system a request to access at least one file in the cloud data store, the location service being distinct from the cloud data store;
a verification module, stored in memory, that, as part of the location service, verifies that the request satisfies the location rule, and thereby satisfies the location policy, by verifying that the cloud data store is located within the permitted data storage location;
an access module, stored in memory, that, as part of the location service, provides the client system with an encryption element for accessing the file in the cloud data store, in response to verifying that the cloud data store is located within the permitted data storage location;
the client system, which:
after receiving the encryption element from the location service, retrieves the file from the cloud data store; and
decrypts the file using the encryption element, wherein providing the encryption element to the client system enables the client system to download and decrypt the file directly from the cloud data store rather than receiving the file through the location service; and
at least one physical processor configured to execute the policy module, the communication module, the verification module and the access module.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201810857390.2A CN109067868A (en) 2018-07-31 2018-07-31 A kind of method and system for being stored to cloud data

Publications (1)

Publication Number Publication Date
CN109067868A true CN109067868A (en) 2018-12-21

Family

ID=64831835

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201810857390.2A Withdrawn CN109067868A (en) 2018-07-31 2018-07-31 A kind of method and system for being stored to cloud data

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103327002A (en) * 2013-03-06 2013-09-25 西安电子科技大学 Cloud storage access control system based on attribute
WO2016051615A1 (en) * 2014-09-29 2016-04-07 株式会社日立ソリューションズ Data management system, data management method, and client terminal
US10015173B1 (en) * 2015-03-10 2018-07-03 Symantec Corporation Systems and methods for location-aware access to cloud data stores

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111045606A (en) * 2019-12-13 2020-04-21 西安奥卡云数据科技有限公司 Extensible cloud scale IOT storage method and device and server
CN111045606B (en) * 2019-12-13 2021-08-27 西安奥卡云数据科技有限公司 Extensible cloud scale IOT storage method and device and server
US11606432B1 (en) * 2022-02-15 2023-03-14 Accenture Global Solutions Limited Cloud distributed hybrid data storage and normalization
US11876863B2 (en) * 2022-02-15 2024-01-16 Accenture Global Solutions Limited Cloud distributed hybrid data storage and normalization

Similar Documents

Publication Publication Date Title
EP3090520B1 (en) System and method for securing machine-to-machine communications
RU2501081C2 (en) Multi-factor content protection
US7774611B2 (en) Enforcing file authorization access
EP2731043B1 (en) Computer system for storing and retrieval of encrypted data items, client computer, computer program product and computer-implemented method
US8752196B2 (en) Protecting privacy of shared personal information
US10567370B2 (en) Certificate authority
KR101215343B1 (en) Method and Apparatus for Local Domain Management Using Device with Local Domain Authority Module
EP2820792B1 (en) Method of operating a computing device, computing device and computer program
US9332002B1 (en) Authenticating and authorizing a user by way of a digital certificate
CN106487763B (en) Data access method based on cloud computing platform and user terminal
EP3662403B1 (en) Private data processing
US20070005964A1 (en) Methods and apparatus for authenticating a remote service to another service on behalf of a user
KR101809974B1 (en) A system for security certification generating authentication key combinating multi-user element and a method thereof
JP5992535B2 (en) Apparatus and method for performing wireless ID provisioning
US11146552B1 (en) Decentralized application authentication
Guo et al. Using blockchain to control access to cloud data
Shajina et al. A novel dual authentication protocol (DAP) for multi-owners in cloud computing
CN109067868A (en) A kind of method and system for being stored to cloud data
CN105518696B (en) Operation is executed to data storage
CN112215591B (en) Distributed encryption management method, device and system for encrypted money bags
EP2920732B1 (en) Computer system for storing and retrieval of encrypted data items, client computer, computer program product and computer-implemented method
KR101809976B1 (en) A method for security certification generating authentication key combinating multi-user element
JP6293617B2 (en) Authentication control system, control server, authentication control method, program
KR102005534B1 (en) Smart device based remote access control and multi factor authentication system
JP2012073888A (en) Electronic data transfer system, electronic data transfer method, and electronic data transfer program

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
WW01 Invention patent application withdrawn after publication

Application publication date: 20181221