CN109302283A - Quantum-computing-resistant proxy cloud storage method and system based on a public asymmetric key pool - Google Patents

Info

Publication number: CN109302283A
Authority: CN (China)
Prior art keywords: key, file, public, random number, true random
Legal status: Granted (Active)
Application number: CN201811101347.XA
Other languages: Chinese (zh)
Other versions: CN109302283B (en)
Inventors: 富尧, 钟民, 钟一民, 杨羽成
Current Assignee: Ruban Quantum Technology Co Ltd
Original Assignee: Ruban Quantum Technology Co Ltd
Application filed by Ruban Quantum Technology Co Ltd
Priority to CN201811101347.XA
Publication of CN109302283A
Publication of CN109302283B (application granted)

Classifications

    • H04L9/0869 Generation of secret information including derivation or calculation of cryptographic keys or passwords involving random numbers or seeds
    • H04L63/0435 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply symmetric encryption, i.e. same key used for encryption and decryption
    • H04L63/062 Network architectures or network communication protocols for network security for supporting key management in a packet data network for key distribution, e.g. centrally by trusted party
    • H04L9/0825 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) using asymmetric-key encryption or public key infrastructure [PKI], e.g. key signature or public key certificates
    • H04L9/0852 Quantum cryptography
    • H04L9/0877 Generation of secret information including derivation or calculation of cryptographic keys or passwords using additional device, e.g. trusted platform module [TPM], smartcard, USB or hardware security module [HSM]
    • H04L9/14 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols using a plurality of keys or algorithms

Abstract

The present invention relates to a quantum-computing-resistant proxy cloud storage method and system based on a public asymmetric key pool. A user terminal uploads, through a key pool device, a data file encrypted with a file key to a server. The server receives and stores the file key true random number encrypted with a public key, the public key being generated from a public-key true random number. To read, the user terminal sends a read request to the key pool device; the key pool device downloads the encrypted file key true random number, the public-key true random number and the encrypted data file, obtains the file key with the help of the private key and thereby the data file, then encrypts the data file and sends it to the user terminal, which completes the read of the server file. The server cannot access the user terminal's keys or data files. The file key is encrypted using a public key that is disclosed only to quantum key cards, which reduces the possibility of keys being stolen by malware or malicious operations; at the same time, a quantum computer cannot obtain the user's public key, which reduces the risk of being cracked by a quantum computer.

Description

Quantum-computing-resistant proxy cloud storage method and system based on a public asymmetric key pool
Technical field
The present invention relates to the field of cloud storage, and in particular to a cloud storage security control method and system based on a public key pool.
Background
With the development of science and technology, cloud storage has increasingly become a trend, and new cloud storage technologies keep emerging. To ensure the security of cloud storage data, various encryption methods are usually used; for example, data security can be ensured through asymmetric-key encryption. Asymmetric-key encryption uses different keys for encryption and decryption: one is published, namely the public key, and the other is kept secret by the user, namely the private key. The sender of information encrypts with the public key, and the receiver decrypts with the private key.
Because cloud storage mostly uses shared storage, the service provider needs to control the private key, which lowers the security of the private key. The invention patent document with publication number CN103236934A, entitled "A method of cloud storage security control", discloses a method for addressing the problem of low private key security. That invention encrypts the user's private key using two different encryption modes and stores the results separately.
As most people understand, quantum computers have great potential in password cracking. Most of today's mainstream asymmetric (public-key) encryption algorithms, such as the RSA encryption algorithm, are based on one of two hard mathematical problems: the factorization of large integers, or the computation of discrete logarithms over a finite field. How hard they are to crack depends on how efficiently these problems can be solved. On a traditional computer, solving these two problems takes exponential time (the cracking time grows exponentially with the public key length), which is unacceptable in practical applications. Shor's algorithm, tailored for quantum computers, can perform integer factorization or discrete logarithm computation in polynomial time (the cracking time grows as the k-th power of the public key length, where k is a constant independent of the public key length), which makes it possible to crack RSA and discrete-logarithm encryption algorithms.
Enterprises and public institutions currently sometimes need to move data to the cloud, but public clouds are generally not readily trusted by these organizations: information security is considered possibly problematic, or keys are considered easy for hackers to obtain and crack. Public cloud customers therefore have concerns about moving data to the cloud.
Problems in the prior art:
(1) Storing keys on the server carries a certain risk. Public cloud customers have concerns about moving data to the cloud.
(2) The invention patent document with publication number CN103236934A, entitled "A method of cloud storage security control", encrypts the file key using the user's public key. Because a quantum computer can quickly obtain the corresponding private key from a public key, that scheme is easily cracked by a quantum computer.
Summary of the invention
In view of the above problems, it is necessary to provide a quantum-computing-resistant proxy cloud storage method based on a public asymmetric key pool, in which a user terminal uploads a data file to a key pool device and the key pool device uploads the data file, encrypted with a file key, to a server. The user terminal and the key pool device are each equipped with a quantum key card. The file key is generated from a file key true random number produced in the quantum key card with which the key pool device is equipped, and the key pool device uploads the file key true random number to the server in encrypted form;
The file key true random number is encrypted as follows: it is encrypted with the public key in the key pool device to obtain a personal key, and encrypted with the file characteristic value to obtain a data key;
Wherein the public key is generated using a public-key true random number produced by the quantum key card in the key pool device; the key pool device uploads the personal key, the data key and the public-key true random number to the server.
Many storage cloud services exist today, including many public clouds. Hereinafter, the storage cloud server, i.e. the cloud service side, is referred to as the server, and a cloud user terminal in the cloud user terminal group is referred to as a user terminal.
In the present invention, the user terminal is a device that accesses the storage cloud and may be a mobile terminal or a fixed terminal. The terminal is equipped with a key card. The key card stores the user's public key and private key and a root key; it also holds the client's registration information and has a built-in identity authentication protocol, including at least a key generation algorithm and an authentication function, or other algorithms related to identity authentication. The key card also contains a random number generator. File key generation and data file encryption are both performed inside the quantum key card, which ensures a secure execution environment for the user terminal's encryption program. The file key is generated from the file key true random number in the quantum key card, which ensures the true randomness of the file key and greatly improves its security. Because the quantum key card is an independent, hardware-isolated device, the possibility of keys being stolen by malware or malicious operations is greatly reduced. The true random number, rather than the file key, is uploaded to the server in encrypted form and stored there, which addresses the risk of keys stored on the server being stolen.
Optionally, the key pool device includes:
a public key pool, used to generate the file key;
an asymmetric key pool, which stores the public keys of all user terminals in the group; public keys are extracted from the asymmetric key pool using the public-key true random number.
Optionally, there are one or more user terminals. The key pool device stores a public key pool for access by each user terminal, and the user terminals are communicatively connected to the key pool device. A user terminal uploading a data file uses the public key pool to generate the file key with which the data file is encrypted; a user terminal downloading a data file uses the public key pool together with the true random number from the server to generate the corresponding file key and decrypt the data file.
In this embodiment, the issuer of the key cards matched to the user terminals of a user terminal group is the key card supervisor, generally the administrative department of an enterprise or public institution. The key card recipients are the members managed by the key card supervisor, generally employees at all levels of that enterprise or public institution, who access cloud data using storage cloud user terminals; hereinafter, the storage cloud user terminal used by a member is referred to as a user terminal. A user terminal first applies to the key card supervisor to open an account. After its registration is approved, the user terminal obtains a key card (with a unique ID).
Each user terminal has access to the public key pool stored in the key pool device, which enables file sharing among multiple user terminals. Because of the key pool, a user terminal downloading a data file must combine the true random number from the server with the public key pool to generate the corresponding file key; even if the true random number is obtained, the file key of the encrypted file cannot be obtained without the key pool, which further improves the security of the file key.
Optionally, the file key is generated as follows: the file key true random number is combined with a file key seed pointer function to obtain a file key seed pointer; this pointer is used to extract the corresponding encrypted file key seed from the key pool device, which is decrypted using the true random number generated by the key pool device to obtain the file key seed; the file key seed is combined with a file key function to obtain the file key. The key pool device also sends the file key seed pointer function ID and the file key function ID to the server.
Optionally, the public key is generated as follows: the public-key true random number is combined with a public key pointer function to obtain a public key pointer, which is used to extract the corresponding public key from the corresponding quantum key card. When the quantum key card belongs to a user terminal, the public key pointer extracts the corresponding public key from the public-key key pool in that quantum key card; when the quantum key card belongs to the key pool device, the public key pointer extracts the corresponding public key from the asymmetric key pool in that quantum key card.
Optionally, the file key seed pointer function ID and the file key function ID serve as the indicator of whether the server performs deduplication.
Optionally, the user terminal encrypts a true random number and the data file and uploads them to the key pool device: the data file is encrypted with the true random number to obtain a ciphertext, and the true random number is encrypted with the public key of the key pool device to obtain a true random number ciphertext. The key pool device decrypts the true random number ciphertext with its private key to obtain the true random number, and decrypts the ciphertext with the true random number to obtain the data file.
A quantum-computing-resistant proxy cloud storage method based on a public asymmetric key pool, in which a server receives and stores a data file from a key pool device that is encrypted with a file key, the file key being generated from a file key true random number produced in the quantum key card with which the key pool device is equipped; the server also receives and stores a personal key, a data key and a public-key true random number from the key pool device, the personal key and the data key being obtained by encrypting the file key true random number;
The file key true random number is encrypted with a public key to obtain the personal key, and encrypted with the file characteristic value to obtain the data key, wherein the public key is generated using the public-key true random number produced by the quantum key card.
Optionally, the server also receives and stores, from the key pool device, the function IDs related to generating the file key; the two function IDs serve as the indicator of whether the server performs deduplication;
When the server determines from the indicator that deduplication is needed, the server sends the data key to the user terminal;
When the server determines from the indicator that deduplication is not needed, it receives and stores the function IDs related to generating the file key from the user terminal.
A quantum-computing-resistant proxy cloud storage system based on a public asymmetric key pool, including a server, a key pool device and a user terminal. The user terminal uploads a data file to the key pool device, and the key pool device uploads the data file, encrypted with a file key, to the server. The user terminal and the key pool device are equipped with quantum key cards. The file key is generated from a file key true random number produced in the quantum key card with which the key pool device is equipped, and the key pool device also uploads the file key true random number to the server in encrypted form;
The file key true random number is encrypted with a public key to obtain a personal key, and encrypted with the file characteristic value to obtain a data key, wherein the public key is generated using the public-key true random number produced by the quantum key card in the key pool device; the key pool device uploads the personal key, the data key and the public-key true random number to the server;
The server receives and stores the personal key, the public-key true random number and the data file from the key pool device;
The user terminal sends a read request to the key pool device. The key pool device downloads the personal key, the public-key true random number and the data file encrypted with the file key; it decrypts the personal key with the private key to obtain the file key true random number and from it generates the file key, then uses the file key to decrypt the encrypted data file and obtain the data file. The key pool device encrypts the data file using a random number it generates itself and the user terminal's public key and sends it to the user terminal, which completes the read of the server file.
The above quantum-computing-resistant proxy cloud storage method and system based on a public asymmetric key pool include a server, a key pool device and a user terminal. The user terminal uploads, through the key pool device, a data file encrypted with a file key to the server. The user terminal and the key pool device are equipped with quantum key cards. The file key is generated from a file key true random number produced in the quantum key card with which the key pool device is equipped, and the key pool device also uploads the file key true random number to the server in forms encrypted with the public key and with the file characteristic value, wherein the public key is generated using the public-key true random number produced by the quantum key card in the key pool device; the key pool device uploads the public-key true random number to the server. The server receives and stores the related data parameters from the key pool device. The user terminal sends a read request to the key pool device; the key pool device downloads the encrypted file key true random number, the public-key true random number and the encrypted data file, decrypts the encrypted file key true random number with the private key and from it generates the file key, and decrypts the encrypted data file with the file key to obtain the data file. The key pool device encrypts the data file using a random number it generates itself and the user terminal's public key and sends it to the user terminal, which completes the read of the server file. The server cannot access any of the user terminal's keys or data files. The file key is encrypted using a public key that is disclosed only to quantum key cards; because the quantum key card is an independent, hardware-isolated device, the possibility of keys being stolen by malware or malicious operations is greatly reduced. At the same time, a quantum computer cannot obtain the user's public key and therefore cannot obtain the corresponding private key, which reduces the risk of being cracked by a quantum computer.
Brief description of the drawings
Fig. 1 is a structural schematic diagram of the storage system provided by an embodiment of the present invention;
Fig. 2 is a structural schematic diagram of the public key pool device;
Fig. 3 is a schematic diagram of how the random number generated by the random number generator is encrypted;
Fig. 4 is a flow chart of file key generation provided by an embodiment of the present invention;
Fig. 5 is a flow chart of public key storage provided by an embodiment of the present invention;
Fig. 6 is a flow chart of public key reading provided by an embodiment of the present invention;
Fig. 7 is a timing diagram of the storage method provided by an embodiment of the present invention;
Fig. 8 is a timing diagram of the read method provided by an embodiment of the present invention;
Fig. 9 is a flow chart of the storage method provided by Embodiment 1 of the present invention;
Fig. 10 is a flow chart of the read method provided by Embodiment 2 of the present invention.
Specific embodiments
Fig. 1 is a structural schematic diagram of the quantum-computing-resistant proxy cloud storage system based on a public asymmetric key pool provided by an embodiment of the present invention. The public key pool device is connected over the network to the user terminal group CC and to the cloud storage CS respectively. The user terminal group CC consists of multiple user terminals. Each user terminal has its own matched key card; each key card stores the user terminal's private key KA and a public-key key pool, which contains the public keys of all members. The key card also stores the user terminal's public key pointer random number; in Fig. 1, KRA/KA denotes the public key pointer random number/private key of A. What user terminal A discloses externally as its public key is KRA, i.e. the pointer random number of the public key. The same applies to the other members of the user terminal group.
The storage of public keys is shown in Fig. 5 and described as follows: for a given user, a public key pointer random number rk is chosen at random and combined with a specific public key pointer function frkp to obtain the public key pointer rkp; the user's public key krk is then stored at the corresponding position in the corresponding asymmetric key pool.
The structure of the public key pool device P is shown in Fig. 2. P is equipped with a quantum key card and has a root key area from which the root key KR can be taken. P also has a random number generator, preferably a quantum random number generator, which can generate a true random number for use as a key-encryption key; this key-encryption key is called KKP. KP denotes the public key pool owned by the user terminal group CC and is stored in P. KP has a huge capacity, for example anywhere from 1G to 4096G, and consists of true random numbers, preferably quantum random numbers. P can store multiple KPs; in the figure, P stores M KPs in regions 1 to M. KP is encrypted with the KKP generated by the random number generator in the key pool device. KKP itself is encrypted as shown in Fig. 3: it is encrypted separately with KR and with the public keys KAP, KBP, ..., KNP of the user terminals A, B, ..., N.
In addition to the public key pool KP, the public key pool device P also contains an asymmetric key pool for storing public keys, denoted KPP. Its public key area holds the public keys of all users of the group and of the public key pool device P. What P discloses externally as its public key is KRP, i.e. the public key pointer random number of the public key pool device.
In the file key generation flow shown in Fig. 4, the file key seed pointer function frfp and the file key function fkf can be customized by the supervisor of the public key pool, who is usually the same as the supervisor of the user terminal group.
The file key seed pointer function frfp applies some numerical transformation to the random number and then takes a modulus, for example frfp(r) = (r+d) % s,
where r is the input variable (here, the random number), d is an offset, % is the modulo operation, and s is the total size of the key pool. Of course, depending on design needs, frfp is not limited to this, as long as the file key seed pointer rfp can be obtained.
The file key function fkf applies some numerical transformation to the input data and then takes a modulus, for example fkf(x) = (ax+b) % 2^len,
where x is the input variable, a and b are transformation parameters, % is the modulo operation, and len is the key length specified by the user (unit: bit). Of course, depending on design needs, fkf is not limited to this, as long as the file key kf can be generated.
In this embodiment, the file key seed pointer function frfp and the file key function fkf of all users are the same. Of course, depending on design needs, the frfp and fkf of each user terminal may differ.
The various operations involving each user terminal are all performed in its matched key card. The various operations involving the public key pool are all performed in the matched quantum key card.
There are one or more user terminals. The key pool device stores a public key pool for access by each user terminal, and the user terminals are communicatively connected to the key pool device. A user terminal uploading a data file uses the public key pool to generate the file key with which the data file is encrypted; a user terminal downloading a data file uses the public key pool together with the true random number from the server to generate the corresponding file key and decrypt the data file.
The present invention is described in further detail below with reference to the drawings and embodiments.
Embodiment 1
Fig. 7 is a timing diagram of the storage method provided by an embodiment of the present invention. Fig. 9 is a flow chart of a storage method provided by an embodiment of the present invention. The quantum-computing-resistant proxy cloud storage method based on a public asymmetric key pool proceeds as follows:
Step 1.1: The user terminal encrypts the file and sends it to the key pool device.
The user terminal encrypts the data file with a true random number R generated by its random number generator to obtain ciphertext M1, encrypts R with P's public key, and sends both parts to the key pool device P. P's public key is extracted from the public-key key pool; the process of obtaining the public key from P's public key pointer random number is shown in Fig. 6 and described as follows:
The public key pointer random number rk is combined with the specific public key pointer function frkp to obtain the public key pointer rkp, and the public key krk is then taken from the corresponding position in the corresponding public-key key pool.
Step 1.2: The key pool device decrypts the file: the key pool device P decrypts with its own private key to obtain the true random number R, and uses R to decrypt ciphertext M1 and obtain the data file in plaintext form.
Step 1.3: The key pool device uploads the hash value of the data file and each algorithm ID to the server: before uploading the data file, the key pool device first computes the hash value of the data file and uploads it to the server, together with each algorithm ID (including the IDs of the file key seed pointer function frfp and the file key function fkf; likewise below). To reduce storage pressure, the server performs ciphertext deduplication on files, i.e. it identifies duplicate files.
Step 1.4: The server identifies duplicate files: the server considers the hash value of the file together with each algorithm ID to identify duplicates. If two files have the same hash value and the IDs of frfp and fkf are respectively identical, the server considers that an identical data file exists and deduplication is needed. If the server determines that deduplication is not needed, it saves the received hash value and algorithm IDs and executes step 1.5. If deduplication is needed, the server executes step 1.6.
Those skilled in the art will understand that in some cases the same user may upload the same data file more than once. If the server determines that the user wishes to upload again a data file with the same frfp and fkf as one already uploaded, and that the data file comes from the same user, it performs no operation.
Step 1.5: If the server does not need to deduplicate:
Step 1.5.1: The server notifies the user terminal to generate a random number: after saving the received hash value and algorithm IDs, the server sends the key pool device P a message that no identical data file exists on the server.
Step 1.5.2: The key pool device processes the information and sends the content that needs to be stored on the server to the server: after receiving the server's message that no identical data file exists, the key pool device generates a file key random number rf with its matched true random number generator and further obtains the file key kf. The specific steps are shown in Fig. 4 and are as follows:
The file key random number rf is generated by the matched quantum key card; rf is combined with a specific file key seed pointer function frfp to obtain the file key seed pointer rfp, and the corresponding encrypted file key seed, i.e. the encrypted krf, is extracted from the key pool; it is decrypted using the key KKP to obtain the file key seed krf; the file key kf is then generated in combination with the file key function fkf.
After obtaining the file key kf, the key pool device encrypts the data file with the file key to obtain ciphertext kff; the encryption algorithm may be a symmetric encryption algorithm;
The key pool device P uses its own public key pointer random number KRP to extract its own public key from the public key pool, i.e. the KPP region; the extraction process is shown in Fig. 6, and the specific steps are the same as above. The key pool device P then encrypts the file key random number rf with its own public key to obtain the personal key.
The key pool device P generates a file characteristic value and encrypts the file key random number rf with the file characteristic value to obtain the data key; the file characteristic value is calculated with a predefined algorithm, which may be, but is not limited to, a hash calculation, file compression, or another file characteristic calculation algorithm;
The key pool device P sends the ciphertext, algorithm IDs, personal key and data key to the server.
Step 1.5.3: The server saves the corresponding information: the server saves the received ciphertext, algorithm IDs, personal key and data key.
Step 1.6: If the server needs to deduplicate:
Step 1.6.1: The server sends the data key to the key pool device: the server sends the data key of this file to the key pool device.
Step 1.6.2: The key pool device processes the information and sends the content that needs to be stored on the server to the server: after receiving the data key, the key pool device generates the file characteristic value from the data file and uses the file characteristic value to decrypt the data key and obtain the file key random number rf.
The key pool device uses its own public key pointer random number KRP to extract its own public key from the public key pool, i.e. the KPP region; the extraction process is shown in Fig. 6, and the specific steps are the same as above.
The key pool device encrypts the file key random number rf with the extracted public key to obtain the personal key, and sends the personal key to the server.
Step 1.6.3: The server saves the corresponding information: the server saves the personal key after receiving it.
Embodiment 2
Fig. 8 is the timing diagram of the reading method provided by an embodiment of the present invention. Fig. 10 is a flow chart of a file reading method provided by an embodiment of the present invention. The specific steps of the file reading method in the anti-quantum-computing proxy cloud storage method based on a public asymmetric key pool are as follows:
Step 2.1: The user terminal initiates a read-file request.
The user terminal takes the hash value of the file it wishes to read as a request, encrypts this request with a true random number R generated by the random number generator, encrypts the true random number R with P's public key, and sends both parts to the key pool device P.
Step 2.2: The key pool device decrypts the file.
The key pool device P decrypts with its own private key to obtain the true random number R, and uses R to decrypt the request and obtain the file hash value.
Step 2.3: The key pool device sends the request to the server.
The key pool device uploads the file hash value and each algorithm ID to the server as the read-file request.
Step 2.4: The server returns the corresponding information.
After receiving the file hash value and algorithm IDs, the server finds the information corresponding to that hash value and those algorithm IDs, and sends the ciphertext and personal key to the key pool device.
Step 2.5: The key pool device obtains the file key.
The key pool device decrypts the personal key with its private key to obtain the file key random number rf, and further obtains the file key kf; the specific steps are shown in Fig. 4. After decrypting the ciphertext with the file key, the key pool device obtains the data file in plaintext form, generates a new true random number R' with the random number generator and encrypts the data file with it to obtain ciphertext M', extracts the public key of the corresponding user terminal from the public key pool and encrypts the true random number R' with it, and sends the result to the user terminal together with ciphertext M'.
Step 2.6: The user terminal obtains the data file: the user terminal decrypts with its own private key to obtain R', uses R' to decrypt ciphertext M' and obtain the data file, and thereby completes the read of the server file.
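The deduplication path of steps 1.3 to 1.6 and the file key rebuild of step 2.5, as an added Python example that is not part of the patent. The bodies of frfp and fkf, the toy stream cipher, the pool contents and all names are assumptions; seeds are kept unencrypted here (no KKP layer) and the public-key wrapped personal key is left out.

```python
import hashlib
import hmac
import os

SEED_LEN = 32  # bytes per file key seed (constructed value)


def make_pool(label: bytes, size: int = 4096) -> bytes:
    """Constructed stand-in for a key pool; a real pool is filled from a TRNG."""
    return b"".join(hashlib.sha256(label + i.to_bytes(4, "big")).digest()
                    for i in range(size // 32))


def stream_xor(key: bytes, data: bytes) -> bytes:
    """Toy SHA-256 counter-mode cipher standing in for the symmetric algorithm."""
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hashlib.sha256(key + (i // 32).to_bytes(8, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[i:i + 32], pad))
    return bytes(out)


def frfp(rf: bytes, pool_len: int) -> int:
    """Assumed file key seed pointer function: rf -> pointer rfp into the pool."""
    digest = hashlib.sha256(b"frfp" + rf).digest()
    return int.from_bytes(digest, "big") % (pool_len - SEED_LEN + 1)


def fkf(krf: bytes) -> bytes:
    """Assumed file key function: seed krf -> file key kf."""
    return hmac.new(krf, b"fkf", hashlib.sha256).digest()


def file_key(rf: bytes, pool: bytes) -> bytes:
    """rf -> rfp -> krf -> kf; useless without the pool itself."""
    rfp = frfp(rf, len(pool))
    return fkf(pool[rfp:rfp + SEED_LEN])


def feature_value(plaintext: bytes) -> bytes:
    """File characteristic value, kept distinct from the hash sent in step 1.3."""
    return hashlib.sha256(b"feature" + plaintext).digest()


class Server:
    """Holds only what the key pool device uploads: no pool, no plaintext."""

    def __init__(self):
        self.records = {}  # (hash, frfp ID, fkf ID) -> ciphertext and data key

    def lookup(self, file_hash, frfp_id, fkf_id):
        return self.records.get((file_hash, frfp_id, fkf_id))


def upload(server, pool, plaintext, frfp_id="frfp-1", fkf_id="fkf-1"):
    """Steps 1.3 to 1.6 on the key pool device; returns the rf in use."""
    file_hash = hashlib.sha256(plaintext).hexdigest()
    record = server.lookup(file_hash, frfp_id, fkf_id)
    if record is None:  # step 1.5: no duplicate, create rf and store the file
        rf = os.urandom(32)
        server.records[(file_hash, frfp_id, fkf_id)] = {
            "ciphertext": stream_xor(file_key(rf, pool), plaintext),
            "data_key": stream_xor(feature_value(plaintext), rf),
        }
    else:  # step 1.6: duplicate, recover rf from the stored data key
        rf = stream_xor(feature_value(plaintext), record["data_key"])
    return rf


def read(server, pool, file_hash, rf, frfp_id="frfp-1", fkf_id="fkf-1"):
    """Step 2.5: rebuild kf from rf and the pool, then decrypt the ciphertext."""
    record = server.lookup(file_hash, frfp_id, fkf_id)
    return stream_xor(file_key(rf, pool), record["ciphertext"])
```

A second uploader of the same file recovers the first uploader's rf only because it can recompute the file characteristic value from the plaintext; a party holding rf but a different pool derives a different kf.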
The quantum key card is developed from smart card technology; it is an identity authentication and encryption/decryption product that combines quantum physics technology (when it carries a quantum random number generator), cryptography, and hardware security isolation technology. The embedded chip and operating system of the quantum key card can provide functions such as secure key storage and cryptographic algorithms. Because it has independent data processing capability and good security, the quantum key card serves as the security barrier for the private key and the key pool. Each quantum key card is protected by a hardware PIN code; the PIN code and the hardware are the two factors a user must have to use the quantum key card. This is so-called "two-factor authentication": a user can log in to the system only by holding both the quantum key card that stores the relevant authentication information and the user PIN code. Even if the user's PIN code is leaked, as long as the quantum key card held by the user is not stolen, the legitimate user's identity cannot be impersonated; if the user's quantum key card is lost, the finder cannot impersonate the legitimate user either, because the finder does not know the user's PIN code.
Throughout the cloud storage process of the present invention, the server cannot access any of the user terminal's keys (public key, private key, file key, etc.) or the plaintext data file. Moreover, the personal key and the data key stored on the server are a random number encrypted by different methods; combined with a specific key selection algorithm, this random number yields a pointer. The pointer points to a specific region in the key pool, so without the key pool, even if the personal key or the data key has been cracked, the file key that encrypts the file cannot be obtained. At the same time, only the public key disclosed in the quantum key card is used to encrypt the file key, and the quantum key card is used to store the public key; the quantum key card is an independent, hardware-isolated device, which greatly reduces the possibility of keys being stolen by malware or malicious operations. Because a quantum computer cannot obtain the user's public key, it cannot obtain the corresponding private key either, so the scheme is not easily cracked by a quantum computer.
The technical features of the embodiments described above may be combined arbitrarily. For brevity, not all possible combinations of the technical features in the above embodiments are described; however, as long as a combination of these technical features contains no contradiction, it should be considered within the scope of this specification.
The embodiments described above express only several implementations of the present invention, and their description is relatively specific and detailed, but they should not therefore be construed as limiting the scope of the patent. It should be noted that those of ordinary skill in the art can make various modifications and improvements without departing from the inventive concept, and these all fall within the scope of protection of the present invention. Therefore, the scope of protection of this patent shall be subject to the appended claims.

Claims (10)

1. An anti-quantum-computing proxy cloud storage method based on a public asymmetric key pool, comprising: a user terminal uploads a data file to a key pool device, and the key pool device uploads the data file encrypted with a file key to a server, characterized in that the user terminal and the key pool device are each equipped with a quantum key card, the file key is generated using a file key true random number generated in the quantum key card with which the key pool device is equipped, and the key pool device uploads the file key true random number to the server in encrypted form;
the file key true random number is encrypted as follows: the file key true random number is encrypted with the public key in the key pool device to obtain a personal key, and the file key true random number is encrypted with a file characteristic value to obtain a data key;
wherein the public key is generated using a public key true random number produced by the quantum key card in the key pool device; the key pool device uploads the personal key, the data key and the public key true random number to the server.
2. The anti-quantum-computing proxy cloud storage method based on a public asymmetric key pool according to claim 1, characterized in that the key pool device comprises:
a common key pool, used to generate the file key;
an asymmetric key pool, which stores the public keys of all user terminals in the cluster and from which a public key is extracted in combination with the public key true random number.
3. The anti-quantum-computing proxy cloud storage method based on a public asymmetric key pool according to claim 2, characterized in that there are one or more user terminals, the key pool device stores the common key pool for access by each user terminal, the user terminal is communicatively connected to the key pool device, the user terminal uploading a data file uses the common key pool to generate a file key to encrypt the data file, and the user terminal downloading a data file uses the common key pool combined with the true random number from the server to generate the corresponding file key to decrypt the data file.
4. The anti-quantum-computing proxy cloud storage method based on a public asymmetric key pool according to claim 3, characterized in that the file key generation method comprises: combining the file key true random number with a file key seed pointer function to obtain a file key seed pointer, using the file key seed pointer to extract the corresponding encrypted file key seed from the key pool device, and decrypting it with a true random number generated by the key pool device to obtain the file key seed, the file key seed being combined with a file key function to obtain the file key; the key pool device also sends the file key seed pointer function ID and the file key function ID to the server.
5. The anti-quantum-computing proxy cloud storage method based on a public asymmetric key pool according to claim 3, characterized in that the public key generation method comprises: combining the public key true random number with a public key pointer function to obtain a public key pointer, and using the public key pointer to extract the corresponding public key from the corresponding quantum key card; when the quantum key card is one with which a user terminal is equipped, the public key pointer extracts the corresponding public key from the public key pool in the corresponding quantum key card; when the quantum key card is one with which the key pool device is equipped, the public key pointer extracts the corresponding public key from the asymmetric key pool in the corresponding quantum key card.
6. The anti-quantum-computing proxy cloud storage method based on a public asymmetric key pool according to claim 4, characterized in that the file key seed pointer function ID and the file key function ID serve as the indicator of whether the server performs deduplication.
7. The anti-quantum-computing proxy cloud storage method based on a public asymmetric key pool according to claim 5, characterized in that the user terminal encrypts the true random number and the data file and uploads them to the key pool device, the encryption being: the data file is encrypted with the true random number to obtain a ciphertext, and the true random number is encrypted with the public key of the key pool device to obtain a true random number ciphertext; the key pool device decrypts the true random number ciphertext with its private key to obtain the true random number, and uses the true random number to decrypt the ciphertext and obtain the data file.
8. An anti-quantum-computing proxy cloud storage method based on a public asymmetric key pool, comprising: a server receives and stores a data file from a key pool device that has been encrypted with a file key, the file key being generated using a file key true random number generated in the quantum key card with which the key pool device is equipped, characterized in that the server also receives and stores a personal key, a data key and a public key true random number from the key pool device, the personal key and the data key being obtained by encrypting the file key true random number;
the file key true random number is encrypted as follows: the file key true random number is encrypted with a public key to obtain the personal key, and the file key true random number is encrypted with a file characteristic value to obtain the data key, wherein the public key is generated using the public key true random number produced by the quantum key card.
9. The anti-quantum-computing proxy cloud storage method based on a public asymmetric key pool according to claim 8, characterized in that the server also receives and stores function IDs, from the key pool device, related to generating the file key, wherein two of the function IDs serve as the indicator of whether the server performs deduplication;
when the server determines from the indicator that deduplication is needed, the server sends the data key to the user terminal;
when the server determines from the indicator that deduplication is not needed, it receives and stores the function IDs, from the user terminal, related to generating the file key.
10. An anti-quantum-computing proxy cloud storage system based on a public asymmetric key pool, comprising a server, a key pool device and a user terminal, characterized in that
the user terminal uploads a data file to the key pool device, and the key pool device uploads the data file encrypted with a file key to the server; the user terminal and the key pool device have quantum key cards, the file key is generated using a file key true random number generated in the quantum key card with which the key pool device is equipped, and the key pool device also uploads the file key true random number to the server in encrypted form;
the file key true random number is encrypted as follows: the file key true random number is encrypted with a public key to obtain a personal key, and the file key true random number is encrypted with a file characteristic value to obtain a data key, wherein the public key is generated using a public key true random number produced by the quantum key card in the key pool device, and the key pool device uploads the personal key, the data key and the public key true random number to the server;
the server receives and stores the personal key, the public key true random number and the data file from the key pool device;
the user terminal sends a read request to the key pool device; the key pool device downloads the personal key, the public key true random number and the data file encrypted with the file key; the key pool device decrypts the personal key with its private key to obtain the file key true random number and from it generates the file key, and uses the file key to decrypt the data file encrypted with the file key to obtain the data file; the key pool device encrypts the data file using a random number it generates itself and the user terminal's public key and transmits it to the user terminal, thereby completing the read of the server file.
CN201811101347.XA 2018-09-20 2018-09-20 Anti-quantum computing agent cloud storage method and system based on public asymmetric key pool Active CN109302283B (en)

Publications (2)

Publication Number Publication Date
CN109302283A true CN109302283A (en) 2019-02-01
CN109302283B CN109302283B (en) 2020-09-08

Family

ID=65163904

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109981255A (en) * 2019-04-02 2019-07-05 如般量子科技有限公司 The update method and system of pool of keys
CN117792795A (en) * 2024-02-23 2024-03-29 河北赛克普泰计算机咨询服务有限公司 Data encryption method and real-time network security monitoring system

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20090175452A1 (en) * 2006-04-18 2009-07-09 Robert Gelfond Key Management and User Authentication for Quantum Cryptography Networks
CN102546181A (en) * 2012-01-09 2012-07-04 西安电子科技大学 Cloud storage encrypting and deciphering method based on secret key pool
CN104158880A (en) * 2014-08-19 2014-11-19 济南伟利迅半导体有限公司 User-end cloud data sharing solution
CN108173649A (en) * 2018-01-10 2018-06-15 如般量子科技有限公司 A kind of message authentication method and system based on quantum key card

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant