CN109302283A - Cloud storage method and system is acted on behalf of in anti-quantum calculation based on public asymmetric key pond - Google Patents
Cloud storage method and system is acted on behalf of in anti-quantum calculation based on public asymmetric key pond Download PDFInfo
- Publication number
- CN109302283A CN109302283A CN201811101347.XA CN201811101347A CN109302283A CN 109302283 A CN109302283 A CN 109302283A CN 201811101347 A CN201811101347 A CN 201811101347A CN 109302283 A CN109302283 A CN 109302283A
- Authority
- CN
- China
- Prior art keywords
- key
- file
- public
- random number
- true random
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0861—Generation of secret information including derivation or calculation of cryptographic keys or passwords
- H04L9/0869—Generation of secret information including derivation or calculation of cryptographic keys or passwords involving random numbers or seeds
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/04—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
- H04L63/0428—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
- H04L63/0435—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply symmetric encryption, i.e. same key used for encryption and decryption
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/06—Network architectures or network communication protocols for network security for supporting key management in a packet data network
- H04L63/062—Network architectures or network communication protocols for network security for supporting key management in a packet data network for key distribution, e.g. centrally by trusted party
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0816—Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
- H04L9/0819—Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
- H04L9/0825—Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) using asymmetric-key encryption or public key infrastructure [PKI], e.g. key signature or public key certificates
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0816—Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
- H04L9/0852—Quantum cryptography
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0861—Generation of secret information including derivation or calculation of cryptographic keys or passwords
- H04L9/0877—Generation of secret information including derivation or calculation of cryptographic keys or passwords using additional device, e.g. trusted platform module [TPM], smartcard, USB or hardware security module [HSM]
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/14—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols using a plurality of keys or algorithms
Abstract
The present invention relates to the anti-quantum calculations based on public asymmetric key pond to act on behalf of cloud storage method and system, the data file encrypted using file key is uploaded to server by key pool device by user terminal, the file key true random number that server is received and stored with public key encryption, public key is generated by public-key cryptographic keys true random number, user terminal sends read request to key pool device, the file key true random number of key pool device downloading encryption, public-key cryptographic keys true random number and the data file for utilizing encryption, and file key is obtained in conjunction with private key private key, and then obtain data file, data file encryption is reached user terminal by the key pool device, and then it completes server file and reads.Server end can not contact user terminal key and data file, using only to public key disclosed in quantum key card to file key encryption, the possibility for being stolen key by malice malicious operation is reduced, while quantum computer is unable to get client public key, reduces the risk cracked by quantum computer.
Description
Technical field
The present invention relates to cloud storage fields, more particularly to a kind of method of cloud storage security control based on public keys pond
And system.
Background technique
With the development of science and technology, cloud storage has increasingly becomed a kind of trend, various cloud storage technologies emerge one after another, and are
Guarantee the safety of cloud storage data, it will usually guarantee the safety of data using various encryption methods, for example, can pass through
Asymmetric-key encryption guarantees the safeties of data, asymmetric-key encryption need to be respectively completed using different keys plus
Close and decryption oprerations, one publishes, i.e. public key, another is saved by user oneself is secret, i.e. private key.Information transmitter is used
Public key goes to encrypt, and information receiver goes to decrypt with private key.
Due to mostly using shared storage in cloud storage, this makes service provider need to control private key, leads to private key
Safety is lower.Publication No. CN103236934A, the invention of entitled " a kind of method of cloud storage security control " are special
Sharp document discloses a kind of for solving the problems, such as the lower method of private key safety.The invention uses two different encryptions
Mode encrypts the private key of user and stores respectively.
As most people is understood, quantum computer has great potential in password cracking.Mainstream is non-now
Symmetrically (public key) Encryption Algorithm, such as RSA cryptographic algorithms, it is most of to be all based in factorization or the finite field of big integer
The two difficult math questions of the calculating of discrete logarithm.Their difficulty that cracks also is dependent on the efficiency solved these problems.Tradition
On computer, it is desirable that solve the two difficult math questions, the cost time is the exponential time (to crack the time with the growth of public key length
Increased with exponential), this is unacceptable in practical applications.It and is that your elegant algorithm for making to measure of quantum computer can be with
In polynomial time (time is cracked as the growth of public key length is increased with the speed of k power, wherein k is long with public key
Spend unrelated constant) carry out integer factorization or discrete logarithm and calculate, thus for RSA, discrete logarithm Encryption Algorithm it is broken
Solution provides may.
There are the demand of cloud in data in current enterprise or public institution sometimes, and public cloud is generally not susceptible to these units letter
Appoint, is considered the possible problematic or key of information security and is easy to be obtained and cracked by hacker, therefore cause public cloud visitor
There is trouble and worry at family to cloud in data.
Problem of the existing technology:
(1) carrying out key storage on the server has certain risk.Public cloud client looks back it to cloud in data
Sorrow.
(2) invention of Publication No. CN103236934A, entitled " a kind of method of cloud storage security control " are special
Sharp document encrypts file key using client public key, due to quantum calculation function obtain quickly through public key it is corresponding
Private key, therefore the program is easy to be cracked by quantum computer.
Summary of the invention
Based on this, it is necessary in view of the above-mentioned problems, providing a kind of anti-quantum calculation generation based on public asymmetric key pond
Cloud storage method is managed, including user terminal uploads data file to key pool device, the key pool device will utilize file key
The data file of encryption is uploaded to server, and the user terminal and the key pool device are each equipped with quantum key card, described
File key is the file key true random number generation generated in the quantum key card being furnished with using the key pool device, and
The file key true random number is uploaded to the server by the key pool device in an encrypted form;
The cipher mode of the file key true random number is close using the public key encryption file in the key pool device
Key true random number obtains personal key and obtains data key using file characteristic value encryption file key true random number;
Wherein, the public key utilizes public-key cryptographic keys true random number caused by the quantum key card in the key pool device
It generates;The personal key, the data key and public-key cryptographic keys true random number are uploaded the clothes by the key pool device
Business device.
Currently there are many storage cloud services, including many public clouds.Hereinafter, the server i.e. cloud service of cloud is stored
End is referred to as server, and the cloud user terminal in cloud user terminal group is referred to as user terminal.
User terminal is the equipment of access storage cloud in the present invention, can be mobile terminal, or be fixed terminal.Terminal is equipped with
There is key card.Key card stores the public key of user and private key and a root key, the registration that key card also has client are stepped on
Remember information, be built-in with identity authentication protocol, includes at least key schedule and verification function or other and authentication phase
The algorithm of pass.Randomizer is also had in key card.Wherein, the generation of file key and data file are encrypted in quantum
It is completed in key card, guarantees user terminal encipheror performing environment safety, the file key true random number in quantum key card is raw
At file key, guarantees the truly random property of file key, greatly improve the safety of file code key, while quantum key card is only
Vertical hardware isolated equipment, a possibility that stealing key by Malware or malicious operation, substantially reduce, and true random number is to encrypt
Form is uploaded to server, rather than file key stores, and solves the risk that key storage is stolen on the server.
Optionally, the key pool device includes:
Public keys pond, for generating the file key;
Unsymmetrical key pond, in the unsymmetrical key pond in storage cluster all user terminals public key, it is described asymmetric
Pool of keys extracts public key in conjunction with the public-key cryptographic keys true random number.
Optionally, the user terminal has one or more, and the key pool device memory is contained for the access of each user terminal
Public keys pond, the user terminal and the key pool device communicate to connect, and the user terminal for uploading data file utilizes the public affairs
Pool of keys generates file key with data file encryption altogether, and the user terminal of downloading data file is combined using the public keys pond
True random number from server generates file key accordingly to decrypt data file.
In the present embodiment, the matched key card side of issuing of each user terminal institute for belonging to a user terminal group is key card
Supervisor side, the generally administrative department of certain enterprise or public institution;The key card side of being awarded is the supervisor Fang Suoguan of key card
The employees at different levels of the member of reason, generally certain enterprise or public institution carry out cloud data access using storage cloud user terminal,
Hereafter being referred to as storage cloud user terminal used in member is user terminal.Supervisor side's application that user terminal arrives key card first is opened an account.
After user terminal carries out registering granted, key card will be obtained (there is unique ID).
Each user terminal possesses the public keys pond being stored in the key pool device, it can be achieved that a plurality of clients file is total
It enjoys, while the setting of pool of keys, so that the user terminal of downloading data file need to utilize the true random number combination institute from server
It states public keys pond and accordingly generates file key, it, can not obtaining true random number in the case where not obtaining pool of keys yet
The file key of encryption file is obtained, the safety of file key is further increased.
Optionally, the file key generation method includes: by the file key true random number combination file key kind
Sub- pointer function obtains file key seed pointer, is extracted from the key pool device using this document key seed pointer pair
The file key seed for the encryption answered, and decrypt to obtain file key kind using the true random number that the key pool device generates
Son, this document key seed combination file key function obtain the file key;The key pool device is also by the file
The ID of key seed pointer function ID and file key function is sent to the server.
Optionally, the public key generation method includes: that the public-key cryptographic keys true random number combination public key pointer function obtains
Public key pointer extracts corresponding public key from corresponding quantum key card using the public key pointer;When quantum key card is user terminal
Match sometimes, which extracts corresponding public key from the public-key cryptographic keys pond in corresponding quantum key card;When quantum key card
By key pool device with sometimes, which extracts corresponding from the unsymmetrical key pond in corresponding quantum key card
Public key.
Optionally, the file key seed pointer function ID and file key function ID as the server whether into
The mark of row duplicate removal.
Optionally, the user terminal will be uploaded to the key pool device after true random number and data file encryption, encryption
Mode is to encrypt the data file using true random number to obtain ciphertext, and use the public key encryption of the key pool device true
Random number obtains true random number ciphertext;The key pool device using private key decrypt the true random number ciphertext obtain it is truly random
Number, and decrypt the ciphertext using the true random number and obtain the data file.
Cloud storage method is acted on behalf of in a kind of anti-quantum calculation based on public asymmetric key pond, including server is received and deposited
The data file that file key encryption is utilized from key pool device is stored up, the file key is to utilize the key pool device institute
The file key true random number generated in the quantum key card being furnished with generates, and institute's server is also received and stored from the key
Personal key, data key and the public-key cryptographic keys true random number of pool device, the personal key and the data key are by institute
The encryption of file key true random number is stated to obtain;
The cipher mode of the file key true random number is to obtain individual using public key encryption file key true random number
Key, and data key is obtained using file characteristic value encryption file key true random number, wherein the public key utilizes quantum
Public-key cryptographic keys true random number caused by key card generates.
Optionally, the server also receives and stores close with the generation file from the key pool device
Whether key relevant function ID, two of them function ID carry out the sign of duplicate removal as server;
When server judges duplicate removal according to the sign, the server is close to user terminal transmission data
Key;
When server according to the sign judgement be not required to duplicate removal when, receive storage from the user terminal with generation
The relevant function ID of the file key.
Cloud storage system, including server, pool of keys are acted on behalf of in a kind of anti-quantum calculation based on public asymmetric key pond
Device and user terminal, user terminal upload data file to key pool device, and the key pool device will be encrypted using file key
Data file be uploaded to the server, the user terminal and the key pool device have quantum key card, the file
Key is the file key true random number generation generated in the quantum key card being furnished with using the key pool device, and described
The file key true random number is also uploaded to the server by key pool device in an encrypted form;
The cipher mode of the file key true random number is to obtain individual using public key encryption file key true random number
Key and data key is obtained using file characteristic value encryption file key true random number, wherein the public key is using described close
Public-key cryptographic keys true random number caused by quantum key card generates in key pool device, and it is close that the key pool device uploads the individual
Key, the data key and public-key cryptographic keys true random number are to the server;
The server receive and store personal key from the key pool device, public-key cryptographic keys true random number and
Data file;
User terminal sends read request to key pool device, and key pool device downloads personal key, public-key cryptographic keys true random number
And the data file using file key encryption, the key pool device decrypt the personal key using private key and obtain file
Key true random number generates file key in turn, is decrypted using the file key and is obtained using the data file that file key encrypts
Data file is obtained, data file encryption is reached the random number generated using itself and user terminal public key by the key pool device
User terminal, and then complete server file and read.
Cloud storage method and system is acted on behalf of in the above-mentioned anti-quantum calculation based on public asymmetric key pond, including server,
The data file encrypted using file key is uploaded to service by key pool device by key pool device and user terminal, user terminal
Device, user terminal and key pool device have quantum key card, and file key is the quantum key being furnished with using key pool device
The file key true random number generated in card generates, and key pool device is also by file key true random number with public key and use
File characteristic value encrypted form is uploaded to the server, wherein the public key utilizes quantum key card in the key pool device
Generated public-key cryptographic keys true random number generates, and key pool device uploads public-key cryptographic keys true random number to server;Server connects
The related data parameter from the key pool device is received and stores, user terminal sends read request to key pool device, pool of keys
File key true random number, public-key cryptographic keys true random number and the data file using encryption of device downloading encryption, pool of keys
Device generates file key in turn using the file key true random number of private key decryption encryption, utilizes file key decryption encryption
Data file obtains data file, and the key pool device is literary by data by the random number generated using itself and user terminal public key
Part encryption reaches user terminal, and then completes server file and read.Server end can not touch all kinds of keys of user terminal and
Data file, while using only being encrypted to public key disclosed in quantum key card to file key, since quantum key card is
Independent hardware isolated equipment substantially reduces a possibility that stealing key by Malware or malicious operation, while quantum calculation
Machine is unable to get client public key, is then also unable to get corresponding private key, therefore reduces the risk cracked by quantum computer.
Detailed description of the invention
Fig. 1 is the structural schematic diagram of storage system provided in an embodiment of the present invention;
Fig. 2 is the structural schematic diagram of public keys pool device;
Fig. 3 is the cipher mode schematic diagram for the random number that randomizer generates;
Fig. 4 is file key product process figure provided in an embodiment of the present invention;
Fig. 5 is public key storage mode flow chart provided in an embodiment of the present invention;
Fig. 6 is public key reading manner flow chart provided in an embodiment of the present invention;
Fig. 7 is the timing diagram of storage method provided in an embodiment of the present invention;
Fig. 8 is the timing diagram of read method provided in an embodiment of the present invention;
Fig. 9 is the flow chart for the storage method that the embodiment of the present invention 1 provides;
Figure 10 is the flow chart for the read method that the embodiment of the present invention 2 provides.
Specific embodiment
Fig. 1 is that cloud storage system is acted on behalf of in the anti-quantum calculation provided in an embodiment of the present invention based on public asymmetric key pond
Structural schematic diagram, public keys pool device is connected to the network respectively with user terminal group CC and cloud storage CS.Wherein user terminal
Group CC is made of a plurality of clients.Each user terminal has oneself matched key card, each key card storage inside use
The private key KA at family end and public-key cryptographic keys pond have the public key of all members in pool of keys.The user is also stored in key card
The public key pointer random number at end, KRA/KA refers to public key pointer random number/private key of A in Fig. 1.The public affairs of user terminal A external disclosure
Key KRA, i.e. the pointer random number of public key.Other members in user terminal group are similarly.
The storage mode of public key is as shown in figure 5, verbal description is as follows: taking public key pointer random number at random to some user
Rk obtains public key pointer rkp in conjunction with specific public key pointer function frkp and from the correspondence position in corresponding unsymmetrical key pond
Set the public key krk for being stored in the user.
The structural schematic diagram of public keys pool device P is as shown in Fig. 2, public keys pool device P has quantum key card, dress
P is set with root key area, root key KR can be taken out.Key pool device P also has tandom number generator, the tandom number generator
Preferably quantum random number generator, can produce key of the true random number as key, and the key of the key is known as KKP.KP refers to
The public keys pond that user terminal group CC is possessed, is stored in P device.KP capacity is huge, such as can be from 1G~4096G not
Deng, it is true random number, preferably quantum random number.P can store multiple KP, and P is stored with the region 1~M total M KP in figure.KP
The KKP encryption generated with the tandom number generator in key pool device, the cipher mode of KKP is as shown in figure 3, with KR and each
User terminal A, B ... public key KAP, KBP of N ... KNP is encrypted respectively.
In addition to being also used for the unsymmetrical key pond of storage of public keys containing public keys pond KP in public keys pool device P,
Unsymmetrical key pond is expressed as KPP.Wherein public key area possesses this public key for organizing all users and public keys pool device P.
The public key of public keys pool device P external disclosure is KRP, i.e. the public key pointer random number of public keys pool device.
In file key product process shown in Fig. 4, file key seed pointer function frfp and file key function fkf
For public keys pond, supervisor can be customized, usually consistent with the supervisor side of user terminal group.
File key seed pointer function frfp is that modulus after certain numerical transformation, such as frfp (r) are carried out to random number
=(r+d) %s,
Wherein r is input variable (being herein random number), and d is offset, and % is modulo operation, and s is pool of keys total size.
Certainly according to the design needs, file key seed pointer function frfp is without being limited thereto, refers to as long as file key seed can be obtained
Needle rfp.
File key function fkf is that modulus after certain numerical transformation, such as fkf (x)=(ax+ are carried out to input data
B) %2len,
Wherein x is input variable, and a, b are transformation parameter, and % is modulo operation, and len is that the key length that user specifies is (single
Position: bit).Certainly according to the design needs, file key function fkf is without being limited thereto, as long as file key kf can be generated.
In the present embodiment, so the file key seed pointer function frfp and file key function fkf of all users
All.Certainly according to the design needs, the file key seed pointer function frfp and file key function of each user terminal
Fkf can not be identical.
It operates in many places that each user terminal is related to, is all carried out in matched key card.It is related in public keys pond more
Place's operation, all carries out in matched quantum key card.
The user terminal has one or more, and the key pool device memory contains the public keys for the access of each user terminal
Pond, the user terminal and the key pool device communicate to connect, and the user terminal for uploading data file utilizes the public keys pond
File key is generated with data file encryption, the user terminal of downloading data file is combined using the public keys pond from service
The true random number of device generates file key accordingly to decrypt data file.
The present invention is further described in detail below with reference to the accompanying drawings and embodiments.
Embodiment 1
Fig. 7 is the timing diagram of storage method provided in an embodiment of the present invention.Fig. 9 is that one kind provided in an embodiment of the present invention is deposited
The flow chart of method for storing.Cloud storage method is acted on behalf of in anti-quantum calculation based on public asymmetric key pond, the specific steps are as follows:
Step 1.1: user terminal encryption file cocurrent is sent to key pool device.
The true random number R data file encryption that user terminal is generated using randomizer obtains ciphertext M1, and uses P's
This two parts is sent to key pool device P by public key encryption true random number R.The public key that P is extracted from public-key cryptographic keys pond, by P's
Public key pointer random number obtains the process of public key as shown in fig. 6, being described as follows:
Using public key pointer random number rk combine specific public key pointer function frkp obtain public key pointer rkp, then from
Corresponding position in corresponding public-key cryptographic keys pond takes out public key krk.
Step 1.2: key pool device decrypts file: key pool device P decrypts to obtain true random number using the private key of oneself
R obtains the data file of plaintext version using R decryption ciphertext M1.
Step 1.3: the hash value of data file and each algorithm ID are uploaded to server by key pool device: pool of keys dress
It sets before uploading data file, first calculates the hash value of data file, and the hash value is uploaded to server.It uploads simultaneously
There are also each algorithm ID (including file key seed pointer function frfp and file key function fkf, hereafter similarly).
Server will carry out ciphertext duplicate removal to file to mitigate storage pressure, i.e. identification duplicate file.
Step 1.4: server identifies duplicate file: server integrates the hash value of file and each algorithm ID
Consider to recognize if the ID of two parts of files hash value having the same and frfp and fkf are identical respectively to identify duplicate file
To there is identical data file to need duplicate removal.If server judgement does not need duplicate removal, server saves this hash value received
And each algorithm ID, and execute step step 1.5.If desired duplicate removal, server execute step step 1.6.
It will be understood by those skilled in the art that in some cases, same user may successively upload same data text
Part, then server is if it is determined that the number when the user expects to have uploaded data file again with identical frfp, fkf
According to document source and same user, any operation will not be executed.
Step 1.5: if server does not need duplicate removal:
Step 1.5.1: server notice user terminal generates random number: server saves the hash value and algorithm ID received
Afterwards, the information with same data file is not present in server and is sent to key pool device P.
Step 1.5.2: key pool device processing information simultaneously will need the content stored on the server to be sent to server:
Key pool device receives server there is no after the information of data file having the same, and key pool device is matched true according to institute
Randomizer generates file key random number rf and further obtains file key kf, and specific steps are as shown in figure 4, specific
It is as follows that steps are as follows:
File key random number rf is generated according to matched quantum key card, rf combines specific file key seed pointer
Function frfp obtain file key seed pointer rfp and extracted from pool of keys the file key seed encrypted accordingly i.e. plus
Close krf is decrypted key using KKP to obtain file key seed krf;It is generated then in conjunction with file key function fkf
File key kf.
After obtaining file key kf, key pool device obtains ciphertext kff using file key data file encryption, and encryption is calculated
Method can be symmetric encipherment algorithm;
Key pool device P is gone out by using the public key pointer random number KRP of oneself in public-key cryptographic keys pond, that is, KPP extracted region
The public key of oneself, extraction process is as shown in fig. 6, specific steps and consistent above.Then key pool device P uses the public key of oneself
Encryption file key random number rf obtains personal key.
Key pool device P generates file characteristic value, and is counted using file characteristic value encryption file key random number rf
According to key;The calculation method of file characteristic value be predefined algorithm, can be but not limited to Hash calculate, compressing file or its
His file characteristic computational algorithm;
Ciphertext, algorithm ID, personal key and data key are sent to server by key pool device P.
Step 1.5.3: server saves corresponding information: server is by the ciphertext received, algorithm ID, personal key and number
It is saved according to key.
Step 1.6: if server needs duplicate removal:
Step 1.6.1: server sends data key to key pool device: server sends the data key of this document
Give key pool device.
Step 1.6.1: key pool device processing information simultaneously will need the content stored on the server to be sent to server:
After key pool device receives data key, number is decrypted according to the file characteristic value of Generating Data File, and using file characteristic value
File key random number rf is obtained according to key.
Key pool device is using the public key pointer random number KRP of oneself in public-key cryptographic keys pond, that is, KPP extracted region oneself
Public key, extraction process is as shown in fig. 6, specific steps and consistent above.
Key pool device obtains personal key using the public key encryption file key random number rf extracted, and will be personal close
Key is sent to server.
Step 1.6.1: server saves corresponding information: server is saved after receiving the personal key.
Embodiment 2
Fig. 8 is the timing diagram of read method provided in an embodiment of the present invention.Figure 10 is one kind provided in an embodiment of the present invention
The flow chart of file reading.The reading of the file in cloud storage method is acted on behalf of in anti-quantum calculation based on public asymmetric key pond
Take method, the specific steps are as follows:
Step 2.1: step 2.1: user terminal initiates to read file request.
User terminal using the hash value of the file of desired reading as one request, using randomizer generate it is true with
Machine number R encrypts this request, and using the public key encryption true random number R of P, this two parts is sent to key pool device P.
Step 2.2: key pool device decrypts file.
Key pool device P decrypts to obtain true random number R using the private key of oneself, obtains file using R decoding request
Hash value.
Step 2.3: key pool device sends the request to server.
Key pool device is uploaded to server using as the file hash value and each algorithm ID for reading file request.
Step 2.4: server returns to corresponding information.
After server receives file hash value and algorithm ID, information corresponding with the hash value and algorithm ID is found, it will be close
Text, personal key are sent to key pool device.
Step 2.5: key pool device obtains file key.
Key pool device obtains file key random number rf using private key decryption personal key, and it is close further to obtain file
Key kf, specific steps are as shown in Figure 4.Key pool device obtains the data text of plaintext version after decrypting ciphertext using file key
Part generates a new true random number R ' using randomizer and is encrypted to obtain ciphertext M ' to data file, from public key
The public key encryption true random number R ' that corresponding user terminal is extracted in pool of keys, is sent to user terminal together with ciphertext M '.
Step 2.6: user terminal obtains data file: user terminal is decrypted to obtain R ' using the private key of oneself, and R ' is used to decrypt
Ciphertext M ' obtains data file, completes the reading to server file.
Quantum key card is developed from smart card techniques, is combined with quantum physics technology and (it is random to be carried quantum
In the case where number generator), cryptological technique, the authentication of hardware security isolation technology and encryption and decryption product.Quantum key
The embedded chip and operating system of card can provide the functions such as secure storage and the cryptographic algorithm of key.Since it is with independent
Data-handling capacity and good safety, quantum key card become the safety barrier of private key and pool of keys.Each quantum is close
Key card has the protection of hardware PIN code, and PIN code and hardware constitute two necessary factors that user uses quantum key card.That is institute
It calls " double factor authentication ", user only has while obtaining the quantum key card and user's PIN code that save relevant authentication information, just may be used
With login system.Even if the PIN code of user is leaked, as long as the quantum key card that user holds is not stolen, legitimate user's
Identity would not be counterfeit;If the quantum key card of user is lost, the person of picking up can not also imitate due to not knowing user's PIN code
Emit the identity of legitimate user.
In cloud storage overall process of the present invention, server end can not all touch user terminal all kinds of keys (public key, private key, text
Part key etc.) and plaintext data file.Moreover, the personal key stored on server is using different from data key
The random number of method encryption, the random number combine specific key selection algorithm that a pointer can be obtained.The pointer is directed toward key
The specific region of some in pond, in the case where not obtaining pool of keys, nothing having cracked personal key or data key
Method obtains the file key of encryption file.It uses and public key disclosed in quantum key card encrypts file key simultaneously only,
And quantum key card storage of public keys is used, quantum key card is independent hardware isolated equipment, by Malware or malicious operation
A possibility that stealing key substantially reduces.Since quantum computer is unable to get client public key, then also it is unable to get corresponding
Private key, therefore the program is not easy to be cracked by quantum computer.
Each technical characteristic of embodiment described above can be combined arbitrarily, for simplicity of description, not to above-mentioned reality
It applies all possible combination of each technical characteristic in example to be all described, as long as however, the combination of these technical characteristics is not deposited
In contradiction, all should be considered as described in this specification.
The embodiments described above only express several embodiments of the present invention, and the description thereof is more specific and detailed, but simultaneously
It cannot therefore be construed as limiting the scope of the patent.It should be pointed out that coming for those of ordinary skill in the art
It says, without departing from the inventive concept of the premise, various modifications and improvements can be made, these belong to protection of the invention
Range.Therefore, the scope of protection of the patent of the invention shall be subject to the appended claims.
Claims (10)
1. cloud storage method is acted on behalf of in a kind of anti-quantum calculation based on public asymmetric key pond, including user terminal uploads data text
The data file encrypted using file key is uploaded to server, feature by part to key pool device, the key pool device
It is, the user terminal and the key pool device are each equipped with quantum key card, and the file key is to utilize the key
The file key true random number that generates in the quantum key card that pool device is furnished with generates, and the key pool device is by the text
Part key true random number is uploaded to the server in an encrypted form;
The cipher mode of the file key true random number is true using the public key encryption file key in the key pool device
Random number obtains personal key and obtains data key using file characteristic value encryption file key true random number;
Wherein, the public key is raw using public-key cryptographic keys true random number caused by the quantum key card in the key pool device
At;The personal key, the data key and public-key cryptographic keys true random number are uploaded the service by the key pool device
Device.
2. cloud storage method is acted on behalf of in the anti-quantum calculation according to claim 1 based on public asymmetric key pond, special
Sign is that the key pool device includes:
Public keys pond, for generating the file key;
Unsymmetrical key pond, in the unsymmetrical key pond in storage cluster all user terminals public key, the unsymmetrical key
Pond extracts public key in conjunction with the public-key cryptographic keys true random number.
3. cloud storage method is acted on behalf of in the anti-quantum calculation according to claim 2 based on public asymmetric key pond, special
Sign is that the user terminal has one or more, and the key pool device memory contains the public keys for the access of each user terminal
Pond, the user terminal and the key pool device communicate to connect, and the user terminal for uploading data file utilizes the public keys pond
File key is generated with data file encryption, the user terminal of downloading data file is combined using the public keys pond from service
The true random number of device generates file key accordingly to decrypt data file.
4. cloud storage method is acted on behalf of in the anti-quantum calculation according to claim 3 based on public asymmetric key pond, special
Sign is that the file key generation method includes: by the file key true random number combination file key seed pointer letter
Number obtains file key seed pointer, extracts corresponding encryption from the key pool device using this document key seed pointer
File key seed, and using the key pool device generate true random number decrypt to obtain file key seed, this document
Key seed combination file key function obtains the file key;The key pool device also refers to the file key seed
The ID of needle function ID and file key function is sent to the server.
5. cloud storage method is acted on behalf of in the anti-quantum calculation according to claim 3 based on public asymmetric key pond, special
Sign is that the public key generation method includes: that the public-key cryptographic keys true random number combination public key pointer function obtains public key pointer,
Corresponding public key is extracted from corresponding quantum key card using the public key pointer;When quantum key card by user terminal with sometimes,
The public key pointer extracts corresponding public key from the public-key cryptographic keys pond in corresponding quantum key card;When quantum key card is pool of keys dress
It sets and matches sometimes, which extracts corresponding public key from the unsymmetrical key pond in corresponding quantum key card.
6. cloud storage method is acted on behalf of in the anti-quantum calculation according to claim 4 based on public asymmetric key pond, special
Sign is, whether the file key seed pointer function ID and file key function ID carry out duplicate removal as the server
Mark.
7. cloud storage method is acted on behalf of in the anti-quantum calculation according to claim 5 based on public asymmetric key pond, special
Sign is that the user terminal will be uploaded to the key pool device after true random number and data file encryption, and cipher mode is to make
The data file is encrypted with true random number and obtains ciphertext, and is obtained using the public key encryption true random number of the key pool device
To true random number ciphertext;The key pool device decrypts the true random number ciphertext using private key and obtains true random number, and makes
The ciphertext, which is decrypted, with the true random number obtains the data file.
8. cloud storage method is acted on behalf of in a kind of anti-quantum calculation based on public asymmetric key pond, including server receives and stores
The data file of file key encryption is utilized from key pool device, the file key is matched using the key pool device
The file key true random number generated in some quantum key cards generates, which is characterized in that institute's server, which also receives and stores, to be come
From the personal key, data key and public-key cryptographic keys true random number of the key pool device, the personal key and the number
It is encrypted and is obtained by the file key true random number according to key;
The cipher mode of the file key true random number is to obtain personal key using public key encryption file key true random number,
And data key is obtained using file characteristic value encryption file key true random number, wherein the public key utilizes quantum key card
Generated public-key cryptographic keys true random number generates.
9. cloud storage method is acted on behalf of in the anti-quantum calculation according to claim 8 based on public asymmetric key pond, special
Sign is that the server also receives and stores relevant to the file key is generated from the key pool device
Whether function ID, two of them function ID carry out the sign of duplicate removal as server;
When server judges duplicate removal according to the sign, the server sends data key to the user terminal;
When server according to the sign judgement be not required to duplicate removal when, receive storage from the user terminal with described in generation
The relevant function ID of file key.
10. cloud storage system, including server, pool of keys dress are acted on behalf of in a kind of anti-quantum calculation based on public asymmetric key pond
It sets and user terminal, which is characterized in that
User terminal uploads the data file that data file will be encrypted to key pool device, the key pool device using file key
It is uploaded to the server, the user terminal and the key pool device have quantum key card, and the file key is to utilize
The file key true random number generated in the quantum key card that the key pool device is furnished with generates, and the key pool device
The file key true random number is also uploaded to the server in an encrypted form;
The cipher mode of the file key true random number is to obtain personal key using public key encryption file key true random number
And data key is obtained using file characteristic value encryption file key true random number, wherein the public key utilizes the pool of keys
Public-key cryptographic keys true random number caused by quantum key card generates in device, the key pool device upload the personal key,
The data key and public-key cryptographic keys true random number are to the server;
The server receives and stores personal key, public-key cryptographic keys true random number and data from the key pool device
File;
User terminal sends read request to key pool device, key pool device download personal key, public-key cryptographic keys true random number and
The data file encrypted using file key, the key pool device are decrypted the personal key using private key and obtain file key
True random number generates file key in turn, obtains number using the data file of file key encryption using file key decryption
According to file, data file encryption is reached user by the random number generated using itself and user terminal public key by the key pool device
End, and then complete server file and read.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201811101347.XA CN109302283B (en) | 2018-09-20 | 2018-09-20 | Anti-quantum computing agent cloud storage method and system based on public asymmetric key pool |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201811101347.XA CN109302283B (en) | 2018-09-20 | 2018-09-20 | Anti-quantum computing agent cloud storage method and system based on public asymmetric key pool |
Publications (2)
Publication Number | Publication Date |
---|---|
CN109302283A true CN109302283A (en) | 2019-02-01 |
CN109302283B CN109302283B (en) | 2020-09-08 |
Family
ID=65163904
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201811101347.XA Active CN109302283B (en) | 2018-09-20 | 2018-09-20 | Anti-quantum computing agent cloud storage method and system based on public asymmetric key pool |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN109302283B (en) |
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN109981255A (en) * | 2019-04-02 | 2019-07-05 | 如般量子科技有限公司 | The update method and system of pool of keys |
CN117792795A (en) * | 2024-02-23 | 2024-03-29 | 河北赛克普泰计算机咨询服务有限公司 | Data encryption method and real-time network security monitoring system |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20090175452A1 (en) * | 2006-04-18 | 2009-07-09 | Robert Gelfond | Key Management and User Authentication for Quantum Cryptography Networks |
CN102546181A (en) * | 2012-01-09 | 2012-07-04 | 西安电子科技大学 | Cloud storage encrypting and deciphering method based on secret key pool |
CN104158880A (en) * | 2014-08-19 | 2014-11-19 | 济南伟利迅半导体有限公司 | User-end cloud data sharing solution |
CN108173649A (en) * | 2018-01-10 | 2018-06-15 | 如般量子科技有限公司 | A kind of message authentication method and system based on quantum key card |
-
2018
- 2018-09-20 CN CN201811101347.XA patent/CN109302283B/en active Active
Patent Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20090175452A1 (en) * | 2006-04-18 | 2009-07-09 | Robert Gelfond | Key Management and User Authentication for Quantum Cryptography Networks |
CN102546181A (en) * | 2012-01-09 | 2012-07-04 | 西安电子科技大学 | Cloud storage encrypting and deciphering method based on secret key pool |
CN104158880A (en) * | 2014-08-19 | 2014-11-19 | 济南伟利迅半导体有限公司 | User-end cloud data sharing solution |
CN108173649A (en) * | 2018-01-10 | 2018-06-15 | 如般量子科技有限公司 | A kind of message authentication method and system based on quantum key card |
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN109981255A (en) * | 2019-04-02 | 2019-07-05 | 如般量子科技有限公司 | The update method and system of pool of keys |
CN117792795A (en) * | 2024-02-23 | 2024-03-29 | 河北赛克普泰计算机咨询服务有限公司 | Data encryption method and real-time network security monitoring system |
Also Published As
Publication number | Publication date |
---|---|
CN109302283B (en) | 2020-09-08 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN109151053A (en) | Anti- quantum calculation cloud storage method and system based on public asymmetric key pond | |
CN109150519A (en) | Anti- quantum calculation cloud storage method of controlling security and system based on public keys pond | |
US20210111877A1 (en) | Systems and methods for generating signatures | |
CN109104276A (en) | A kind of cloud storage method of controlling security and system based on pool of keys | |
CN108985099B (en) | Proxy cloud storage security control method and system based on public key pool | |
CN103124269B (en) | Based on the Bidirectional identity authentication method of dynamic password and biological characteristic under cloud environment | |
CN104753917B (en) | Key management system and method based on ID | |
CN108989033B (en) | Cloud storage security control method and system based on public key pool | |
US20110145576A1 (en) | Secure method of data transmission and encryption and decryption system allowing such transmission | |
US20060256961A1 (en) | System and method for authentication seed distribution | |
CN107465665A (en) | A kind of file encryption-decryption method based on fingerprint identification technology | |
CN109347923A (en) | Anti- quantum calculation cloud storage method and system based on unsymmetrical key pond | |
CN109495251A (en) | Anti- quantum calculation wired home cloud storage method and system based on key card | |
CN108462575A (en) | Upload data ciphering method based on no trusted party thresholding Hybrid Encryption | |
CN110771190A (en) | Controlling access to data | |
CN109495244A (en) | Anti- quantum calculation cryptographic key negotiation method based on pool of symmetric keys | |
CN109787747B (en) | Anti-quantum-computation multi-encryption cloud storage method and system based on multiple asymmetric key pools | |
CN109299618B (en) | Quantum-resistant computing cloud storage method and system based on quantum key card | |
CN108540486A (en) | The generation of cloud key and application method | |
CN109302283A (en) | Cloud storage method and system is acted on behalf of in anti-quantum calculation based on public asymmetric key pond | |
CN109412788A (en) | Cloud storage method of controlling security and system are acted on behalf of in anti-quantum calculation based on public keys pond | |
CN109687960B (en) | Anti-quantum computing proxy cloud storage method and system based on multiple public asymmetric key pools | |
JPH10177341A (en) | Method and system for depositing secret key for ras cipher | |
CN110138547B (en) | Quantum communication service station key negotiation method and system based on asymmetric key pool pair and serial number | |
CN110086627B (en) | Quantum communication service station key negotiation method and system based on asymmetric key pool pair and time stamp |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||
GR01 | Patent grant |