CN110086795A - Authenticate the stream security exchange system based on certification tree under tree constructing method and cloud platform - Google Patents

Authenticate the stream security exchange system based on certification tree under tree constructing method and cloud platform Download PDF

Info

Publication number
CN110086795A
CN110086795A CN201910321880.5A CN201910321880A CN110086795A CN 110086795 A CN110086795 A CN 110086795A CN 201910321880 A CN201910321880 A CN 201910321880A CN 110086795 A CN110086795 A CN 110086795A
Authority
CN
China
Prior art keywords
stream
data
module
flow data
flow
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201910321880.5A
Other languages
Chinese (zh)
Inventor
孙奕
陈性元
杜学绘
罗远焱
徐建
张东巍
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Information Engineering University of PLA Strategic Support Force
Original Assignee
Information Engineering University of PLA Strategic Support Force
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Information Engineering University of PLA Strategic Support Force filed Critical Information Engineering University of PLA Strategic Support Force
Priority to CN201910321880.5A priority Critical patent/CN110086795A/en
Publication of CN110086795A publication Critical patent/CN110086795A/en
Pending legal-status Critical Current

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L45/00Routing or path finding of packets in data switching networks
    • H04L45/02Topology update or discovery
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L45/00Routing or path finding of packets in data switching networks
    • H04L45/48Routing tree calculation
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0884Network architectures or network communication protocols for network security for authentication of entities by delegation of authentication, e.g. a proxy authenticates an entity to be authenticated on behalf of this entity vis-à-vis an authentication entity
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/12Applying verification of the received information
    • H04L63/123Applying verification of the received information received data contents, e.g. message integrity
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/06Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
    • H04L9/0643Hash functions, e.g. MD5, SHA, HMAC or f9 MAC
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/0869Generation of secret information including derivation or calculation of cryptographic keys or passwords involving random numbers or seeds
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials

Abstract

The invention discloses the stream security exchange systems based on certification tree under certification tree constructing method and cloud platform, stream sends agent subsystem, acquire the data from data source, stream exchange pretreatment and flow data certification are carried out to the collected data from data source, and data are sent to stream secure exchange server subsystem by treated;Secure exchange server subsystem is flowed, receiving stream sends the flow data after treatment that agent subsystem is sent, and constructs and safeguard certification tree after receiving forwarding request according to the flow data received, and flow data is forwarded to stream Receiving Agent subsystem accordingly;Receiving Agent subsystem, the data that receiving stream secure exchange server subsystem is sent are flowed, and flow data verifying and dump are carried out to the data received.The present invention be capable of it is safety, efficient, specific data stream is subjected to cross-domain exchange in real time, while effectively controlling the security risks such as the diffusion of bring malicious code, sensitive information leakage in cross-domain exchange process.

Description

Authenticate the stream security exchange system based on certification tree under tree constructing method and cloud platform
Technical field
The present invention relates to bases under cyberspace security technology area more particularly to a kind of certification tree constructing method and cloud platform In the stream security exchange system of certification tree.
Background technique
With fast developments such as cloud computing, big data, Internet of Things, smart cities, video monitoring has become pipe with high safety One important means of reason.Currently, all largely being realized in many occasions using video monitoring system to personnel and equipment Security management and control.During actual monitored, the monitoring to sensitive personnel, equipment or scene can be related to unavoidably, to generate Sensitive video data stream, these data flows can not carry out open storage, need safe exchange in Intranet.However one Aspect, Intranet usually carry out insulation blocking with outer net, and on the other hand, data flow, which has, infinitely, continuously, in real time, quickly to be arrived Up to the features such as.
Therefore, how safety, it is efficient, these data flows are exchanged in Intranet in real time, while effectively control is handed over The security risks such as the diffusion of process bring malicious code, sensitive information leakage are changed as urgent problem to be solved.
Summary of the invention
In view of this, the present invention provides the streams based on certification tree under a kind of certification tree constructing method and cloud platform to hand over safely Change system, be capable of safety, it is efficient, specific data stream is subjected to cross-domain exchange in real time, while effectively controlling cross-domain exchange The security risks such as the diffusion of bring malicious code, sensitive information leakage in the process.
The present invention provides a kind of certification tree constructing methods, comprising:
Before data flow generation, the initialisation structures based on hash function and double trapdoor hash function building certification trees;
In the real-time propagation process of data flow, the leaf node of the certification tree is constantly updated, to realize to generation The generation of addition, the update and experimental evidence of real-time stream;
Routing information based on leaf node to root node obtains the verification information of respective nodes, passes through comparison and root node Whether original trapdoor cryptographic Hash unanimously carries out real-time verification.
Stream security exchange system based on certification tree under a kind of cloud platform, comprising: stream sends agent subsystem, stream safety is handed over Change server subsystem and stream Receiving Agent subsystem;Wherein:
The stream sends agent subsystem, for acquiring the data from data source, to collected described from data The data in source carry out stream exchange pretreatment and flow data certification, and data are sent to the stream secure exchange clothes by treated Business device subsystem;
The stream secure exchange server subsystem is handled for receiving the passing through for stream transmission agent subsystem transmission Flow data afterwards, and certification tree is constructed and safeguarded according to the flow data received, after receiving forwarding request, by the flow data It is forwarded to the stream Receiving Agent subsystem;
The stream Receiving Agent subsystem, the data sent for receiving the stream secure exchange server subsystem, and Flow data verifying and dump are carried out to the data received.
Preferably, it includes: security parameter generation module, stream exchange initialization module, stream that the stream, which sends agent subsystem, Data authentication module and flow data sending module;Wherein:
The security parameter generation module, for constructing key, counter, state vector required for stream certification is set;
The stream exchanges initialization module, and the initialization for realizing random flow fragmentation calculates and stream authenticates the initial of tree Change building;
The flow data authentication module calculates and generates verifying for realizing flow data acquisition, fragment, newly-increased flow data Evidence;
Flow data and authentication data are sent to the stream secure exchange service for completing by the flow data sending module Device subsystem.
Preferably, the stream secure exchange server subsystem, comprising: first-class data reception module, stream authentication management Module, stream receive request module, experimental evidence generation module, flow data and experimental evidence forwarding module and system management module; Wherein:
The first-class data reception module sends the flow data and certification that subsystem is sent for receiving the flow data Data;
The stream authentication management module, for the certification tree according to the flow data and authentication data received to server end Information carries out maintenance and management;
The stream receives request module, for the monitoring to the stream Receiving Agent subsystem exchange request;
The experimental evidence generation module, for receive from it is described stream Receiving Agent subsystem exchange request after, be The flow data that need to be verified generates experimental evidence;
The flow data and experimental evidence forwarding module, for the forwarding of flow data and the transmission of experimental evidence;
The system management module carries out system administration for convection current secure exchange server subsystem.
Preferably, the stream Receiving Agent subsystem includes: second data reception module, flow verification processing module and stream Data dump module;Wherein:
The second data reception module, for being requested to stream secure exchange server subsystem initiation exchange, Receiving stream-oriented data and corresponding experimental evidence;
The flow verification processing module, for extracting experimental evidence and verifying switched traffic according to the experimental evidence Integrality;
The flow data dump module, for will relative users or storage to be transmitted to by the flow data verified.
In conclusion, using Hash and double trapdoor Hash, constructing use the invention discloses a kind of certification tree constructing method In the identifiable tree of dynamic of large-scale data stream exchange and real-time verification, when updating verifying without recalculating whole nodes, The read-while-write side verifying to switched traffic can be realized, meet data flowable state and update and fast verification requirement, it is ensured that Stream medium data persistently exchanges the timeliness and stationarity with verifying.The present invention is based on the certification trees of building to additionally provide one kind Stream security exchange system based on certification tree under cloud platform, comprising: stream sends agent subsystem, stream secure exchange server subsystem System and stream Receiving Agent subsystem;Wherein: stream sends agent subsystem, for acquiring the data from data source, to collecting The data from data source carry out stream exchange pretreatment and flow data certification, and will treated data are sent to stream safety Swap server subsystem;Secure exchange server subsystem is flowed, sends the warp that agent subsystem is sent for receiving the stream Flow data of crossing that treated, and constructed according to the flow data received and maintenance certification tree will be described after receiving forwarding request Flow data is forwarded to the stream Receiving Agent subsystem;Receiving Agent subsystem is flowed, for receiving stream secure exchange server The data that system is sent, and flow data verifying and dump are carried out to the data received.The present invention be capable of it is safety, efficient, Specific data stream is subjected to cross-domain exchange in real time, at the same effectively control in cross-domain exchange process the diffusion of bring malicious code, The security risks such as sensitive information leakage.
Detailed description of the invention
In order to more clearly explain the embodiment of the invention or the technical proposal in the existing technology, to embodiment or will show below There is attached drawing needed in technical description to be briefly described, it should be apparent that, the accompanying drawings in the following description is only this Some embodiments of invention for those of ordinary skill in the art without creative efforts, can be with It obtains other drawings based on these drawings.
Fig. 1 is a kind of flow chart for authenticating tree constructing method embodiment disclosed by the invention;
Fig. 2 is the structure of the stream security exchange system embodiment 1 under a kind of cloud platform disclosed by the invention based on certification tree Schematic diagram;
Fig. 3 is the structure of the stream security exchange system embodiment 2 under a kind of cloud platform disclosed by the invention based on certification tree Schematic diagram;
Fig. 4 is the initialisation structures schematic diagram of certification tree disclosed by the invention;
Fig. 5 is the schematic diagram of certification tree insertion exchange for the first time data disclosed by the invention;
Fig. 6 is data query schematic diagram disclosed by the invention;
Fig. 7 is integrity verification route map disclosed by the invention;
Fig. 8 is the work flow diagram of the stream security exchange system under a kind of cloud platform disclosed by the invention based on certification tree.
Specific embodiment
Following will be combined with the drawings in the embodiments of the present invention, and technical solution in the embodiment of the present invention carries out clear, complete Site preparation description, it is clear that described embodiments are only a part of the embodiments of the present invention, instead of all the embodiments.It is based on Embodiment in the present invention, it is obtained by those of ordinary skill in the art without making creative efforts every other Embodiment shall fall within the protection scope of the present invention.
As shown in Figure 1, the method can be with for a kind of flow chart for authenticating tree constructing method embodiment disclosed by the invention The following steps are included:
S101, before data flow generation, the initialization based on hash function and double trapdoor hash functions building certification tree Structure;
For the integrality for ensuring continuous, real-time, quick, unpredictable data flow under cloud platform, a kind of verification tree is proposed Construction method.This method comprises: verifying tree initialization construction method, verification tree update method and real-time verification method.
Specifically, referring to and being fallen into based on Hash function with double before data flow generation when to verifying tree initialization building Door Hash function constructs a binary tree, this binary tree is the initialisation structures of verification tree.
S102, in the real-time propagation process of data flow, constantly update it is described certification tree leaf node, with realize to production The generation of addition, the update and experimental evidence of raw real-time stream;
Specifically, verification tree update method refers to, with the real-time growth of data flow, the leaf section of verification tree is constantly updated Point realizes the addition to the real-time stream of generation and the generation of experimental evidence.
S103, routing information based on leaf node to root node obtain the verification information of respective nodes, by compare with Whether the original trapdoor cryptographic Hash of root node unanimously carries out real-time verification.
Specifically, real-time verification method refers to, respective nodes are obtained according to the routing information of leaf node to root node Verification information, eventually by comparing with whether root node original trapdoor cryptographic Hash unanimously determines.
In conclusion a kind of certification tree constructing method disclosed by the invention constructs use using Hash and double trapdoor Hash In the identifiable tree of dynamic of large-scale data stream exchange and real-time verification, when updating verifying without recalculating whole nodes, The read-while-write side verifying to exchange flow data can be realized, meet data flowable state and update and fast verification requirement, it is ensured that Stream medium data persistently exchanges the timeliness and stationarity with verifying.
Certification tree based on building disclosed above, the invention also discloses the streams based on certification tree under a kind of cloud platform to pacify Total exchange system.
Specifically, as shown in Fig. 2, being the stream security exchange system based on certification tree under a kind of cloud platform disclosed by the invention The structural schematic diagram of embodiment 2, the system may include: that stream sends agent subsystem, stream secure exchange server subsystem With stream Receiving Agent subsystem;Wherein:
Stream sends agent subsystem, for acquiring the data from data source, to the collected data from data source Stream exchange pretreatment and flow data certification are carried out, and data are sent to stream secure exchange server subsystem by treated;
Flow secure exchange server subsystem, for receive that the stream sends that agent subsystem sends after treatment Flow data, and certification tree is constructed and safeguarded according to the flow data received, after receiving forwarding request, the flow data is forwarded To the stream Receiving Agent subsystem;
Receiving Agent subsystem is flowed, for the data that receiving stream secure exchange server subsystem is sent, and to receiving Data carry out verifying and dump.
Specifically, in the above-described embodiments, main includes that stream sends agency, stream secure exchange server and stream Receiving Agent Three parts, wherein stream sends agency and is mainly responsible for data source acquisition, addition integrity protection measure and data flow is uploaded to stream Secure exchange server;Stream secure exchange server be mainly responsible for stream data reception and forwarding, verify data management with turn Hair;Stream Receiving Agent is mainly responsible for from stream secure exchange server receiving stream-oriented data and realizes the verifying and forwarding of stream data.
In conclusion the stream security exchange system under cloud platform disclosed in above-described embodiment, safe, efficient, real-time Specific data stream is subjected to cross-domain exchange, while effectively controlling in cross-domain exchange process bring malicious code diffusion, sensitive The security risks such as information leakage.
In order to more clearly describe technical solution disclosed by the invention, further below by taking specific embodiment as an example, It is described in detail.
In order to preferably describe algorithm disclosed by the invention, it is as follows that the present embodiment arranges partial symbols: common hash function H:{0,1}→{0,1}len, double trapdoor hash function T=(trapGen, Th, Col), trapGen is for generating trapdoor hash letter Several public private key pairs, Th is for seeking double trapdoor hash function values, and Col is for seeking trapdoor crashworthness.
Double trapdoor hash functions are a kind of special hash function, the characteristic with hash function impact resistant, in addition, trapdoor Hash function has a trap door key, and the user for possessing trapdoor code key can calculate hash crashworthness, otherwise can not be touched Hit value.More specifically, the trapdoor code key and message m of trapdoor hash function, random number r and the new letter for needing to match collision are inputted Cease m'.There are an algorithms to export one and m', matched random number r', so that Th (m, r)=Th (m', r').(m, r) and (m', r') is known as a pair of of collision.Double trapdoor hash functions are impact resistant, if it is not known that trapdoor tsk, then find two pairs not Same (m, r) and (m', r'), so that Th (m, r)=Th (m', r'), is computationally infeasible.Two-way trapdoor hash function TH=(trapGen, Th, Col) is formed by three algorithms.
trapGen(1λ) → (tpk, tsk): double trapdoor hash key schedules input security parameter 1kIt is deep with indicating to set The integer D of degree.Return to long-term trapdoor/hash key pair (mtk, mhk) ← MKeyGen (1k) and disposable trapdoor/hash key To (α, Y) ← MKeGen (1k).For ease of description, with (αt,Yt) indicate current disposable trapdoor/hash key pair, then (αt-1,Yt-1) trapdoor/hash key pair for indicating last when updating, (αt+1,Yt+1) indicate next time update when trapdoor/ Hash key pair indicates permanent trapdoor/hash key pair of double trapdoor hash functions as t=0.
Th (tpk, m, r) → Th (m): two-way trapdoor hash function cryptographic Hash obtains computational algorithm, inputs trapdoor hash function Public key, message m ∈ { 0,1 }in, random number Col (tsk, m, r, m') → r', unidirectional trapdoor hash function collision calculation calculation Method inputs the private key and message m of unidirectional trapdoor hash function, random number r and the new information m' for needing to match collision.Algorithm output Be one and the matched random number r' of m' so that Th (tpk, m, r)=Th (tpk, m', r').That is (m, r) and (m', r') be A pair of collision.
The cryptographic Hash that two-way trapdoor hash function Th (tpk, m, r) is calculated is equally distributed.With the public key of input Value, the selection of message value, random number are unrelated.Unidirectional trapdoor hash function is impact resistant, if it is not known that trapdoor tsk, then Two couples of different (m, r) and (m', r') are found, so that Th (tpk, m, r)=Th (tpk, m', r'), is computationally infeasible 's.
As shown in figure 3, being the stream security exchange system embodiment 3 based on certification tree under a kind of cloud platform disclosed by the invention Structural schematic diagram, the system may include: stream send agent subsystem, stream secure exchange server subsystem and stream receive Agent subsystem;Wherein, it includes: security parameter generation module, stream exchange initialization module, flow data that stream, which sends agent subsystem, Authentication module and flow data sending module;Flow secure exchange server subsystem, comprising: first-class data reception module, stream are recognized Demonstrate,prove management module, stream receives request module, experimental evidence generation module, flow data and experimental evidence forwarding module and system administration Module;Flowing Receiving Agent subsystem includes: second data reception module, flow verification processing module and flow data dump module; Wherein:
Security parameter generation module, for constructing key, counter, state vector required for stream certification is set;
Specifically, security parameter generation module realizes key, counter, state vector required for building stream certification tree etc. The function of security parameter.Specific implementation procedure is as follows:
(1) double trap door keys are generated.Input security parameter 1kWith the integer D for indicating tree depth, call double trapdoor hash close Key generating algorithm MthKeyGen (1k,D).Generate long-term trapdoor/hash key pair (tpk, tsk) ← MKeyGen (1k) and it is primary Property trapdoor/hash key pair (α, Y) ← MKeGen (1k).For ease of description, with (αt,Yt) the current disposable trapdoor of expression/ Hash key pair, then (αt-1,Yt-1) trapdoor/hash key pair for indicating last when updating, (αt+1,Yt+1) indicate next time more Trapdoor/hash key pair when new indicates permanent trapdoor/hash key pair of double trapdoor hash functions as t=0.
(2) setting certification tree initial parameter.The depth depth of initialization tree is D, generates two random number xρAnd rρ, calculate ρ=Th (xρ,rρ) it is used as root, the internal node in current leaf node and introductory path is initialized, setting counter c remembers Data leaf number amount has been inserted into record, and the capacity capacity for authenticating tree is 0.
(3) quantity of state is set.st←(c,D,xρ,rρ)。
(4) public and private key is generated.It obtains public key pk=(tpk, ρ), private key sk=(tsk, st).
Stream exchange initialization module, the initialization for realizing random flow fragmentation calculates and the initialization structure of stream certification tree It builds;
Specifically, flowing exchange initialization module realizes that the initialization of the first random flow fragmentation calculates and authenticate the initial of tree Change constructing function.Certification tree initialization operation will substantially complete to be inserted into operation when data for the first time, i.e., when counter c is 0 When, building certification tree initial configuration, below as shown in figure 4, with one initialize depth D=4 certification tree construction be Example is illustrated.Its specific implementation procedure is as follows:
(1) trapdoor hash nodal information is calculated.Select random number xh,1,rh,1(h=1 ..., D-2) calculate vh,1←Th (xh,1,rh,1)。
(2) routing information of first node of calculating to root node.According to the data element { l of insertion0,l1, calculate v1,0 =H (l0||l1), according to v1,0And v1,1Calculate v2,0=H (v1,0||v1,1), v is calculated all the way upD-2,0=H (vD-3,0|| vD-3,1) continue up the random number r ' for updating root nodeρ←Col(csk,xρ,rρ,vD-2,0||vD-2,1), first time insert number According to when need to update root node information all the way up (when c=0).
(3) certification tree more new information is generated.Insertion algorithm also needs to calculate the certification path of related leaf node each time (authentication path), certification path is auth=(v when being inserted into for the first time1,1,v2,1,…,vD-2,1),r’ρ), it generates Authenticate the more new information of tree.
Flow data authentication module calculates for realizing flow data acquisition, fragment, newly-increased flow data and experimental evidence is raw At;
Specifically, flow data authentication module realizes that flow data acquisition, fragment, newly-increased flow data calculates and experimental evidence generates Etc. functions.It is cut out the video content of designated time period from one section of video file using the order of codec, and is saved as Independent video segment, to form data flow fragmentation.Certification evidence is calculated for each data stream fragment, concrete operations are such as Under:
Setting Counter Value be c ← 2, update state vector st (c, D, x 'ρ,r’ρ,[x,r],l0,l1) state vector includes Several category informations below, index value c, the depth information D of tree when next node is inserted into, for calculating root node information, and The preimage value [x, r] of puppet's node, for example, structure is { [x in Fig. 41,1,r1,1],[x2,1,r2,1]}。
When subsequent progress data insertion, the exchange data for insertion is needed to generate the update letter of authentication data structure Breath.The specific steps of which are as follows: as shown in figure 5, finding puppet's node v positioned at the bottom first when c is not 0i,j(there is no child The trapdoor hash node of child node), which is stored in the certification path auth that last operation insertion algorithm generates.It connects down Come in vi,jThe structural framing for generating subtree, along vi,jThe position that leftmost path is 1 until height, in each layer height When generate adjacent puppet's node, the preimage value of puppet's node is added in state value st, is inserted data into leaf, from Down upwards along leaf to the related common hash nodal value of root node routing update, until encountering trapdoor hash nodal value in the paths vi,j, update its random number r 'i,j=col (csk, xi,j,ri,j,x’i,j), v at this timei,jNo longer it is puppet's node, and becomes There is the trapdoor hash node of child nodes, deletes [x in the preimage value set of sti,j,ri,j], it is produced to be inserted into the data of leaf node Raw certification pathR is set of random numbers.
Flow data and authentication data are sent to stream secure exchange server for completing by flow data sending module System;
Flow data sending module is mainly completed for flow data and authentication data to be sent to stream secure exchange server subsystem Etc. functions.
Security parameter generation module is called to generate required for building stream certification tree first specifically, stream sends agent subsystem The security parameters such as key, counter, state vector;Stream exchange initialization module is then called to locally select random number, shape At initialization flow fragment to construct the operation such as authentication initialization tree;Then, when data flow generates, flow data is called to authenticate mould Block completes the operations such as data source acquisition, fragment, flow data fragment computations and experimental evidence generation.Finally, by data flow fragmentation sequence Column and certification tree construction more new information issue stream secure exchange server subsystem together.With the continuous growth of data flow, follow Ring calls data authentication module and flow data sending module.
First-class data reception module, the flow data sent for receiving stream-oriented data sending module and authentication data;
Specifically, first-class data reception module mainly completes the reception of flow data reception and authentication information.Stream receives generation The implementation procedure that reason obtains data flow is as follows:
(1) after flow data receiving module receives data flow, experimental evidence is extracted, creation stream receives catalogue and in database The information of stream, such as the title flowed are generated, user receives catalogue etc., after receiving a new fragment, stores to stream and receives Catalogue, and fragment information of number of the more new database about stream;
(2) according to the index list of the traffic flow information dynamic generation stream received;
(3) the certification evidence of extraction is sent to stream authentication management module.
Authentication management module is flowed, for the certification tree information according to the flow data and authentication data received to server end Carry out maintenance and management;
Specifically, stream authentication management module is mainly according to information convective exchange clothes such as the flow datas and certification evidence received Certification tree information in business device subsystem is safeguarded, realizes that addition, inquiry, update of authentication information etc. operate.Module master According to the updating location information of certification path interior joint or to be added to corresponding position in certification tree.Specifically executed Journey is as follows:
(1) the index value index for obtaining leaf node judges whether the value of algorithm input is rope legal in database Draw, then carry out if legal in next step, otherwise algorithm terminates to return to " index value is invalid ".
(2) due to also needing the certification path of returned data in inquiry operation, so being needed during searching from top to bottom Certification path is constructed, when adding node thereto, is only needed if present node is common Hash node in certification path The trapdoor cryptographic Hash of the middle brotgher of node that the node is added needs in certification path if present node is trapdoor Hash node The cryptographic Hash of the brotgher of node and the crashworthness of current trapdoor Hash node are added into certification path simultaneously.
(3) when generating experimental evidence, because certification tree, in its adaptive expansion process, verifying root node is that dynamic is raw At, certification tree construction has multiple verifying root nodes in construction process.
Stream receives request module, for the monitoring to agent subsystem exchange request is received;
Stream receives request module and mainly realizes the monitoring to reception agent subsystem exchange request.
Experimental evidence generation module, after receiving the exchange request from Receiving Agent, for the flow data life that need to be verified At experimental evidence;
Specifically, experimental evidence generation module, after being mainly used for receiving the exchange request from Receiving Agent, to need to verify Flow data generate experimental evidence.After receiving data directory number to be verified, calculated later by calling experimental evidence to generate Method Query (pk, index) generates the verifying card of corresponding data according to the index value and public key information of the leaf node of input According to.Specific step is as follows: first determine whether algorithm input the whether legal 1≤index≤c of index value index, according to index from Root node is searched downwards until leaf node, and search procedure can be completed efficiently using the binary value of index-1, from Binary highest order of index-1 starts, and indicates to search to the left subtree of tree if it is 0, be indicated if if it is 1 to tree Right subtree is searched, until leaf node.
Need the trapdoor hash value of root node and root node into leaf node path institute through celebrating a festival in search procedure The brotgher of node of point is added in certification path AuthPath, when adding node, if present node is common hash node only The unidirectional trapdoor hash value<Th (m)>for needing to be added the brotgher of node of the node in certification path, if present node is unidirectional Trapdoor hash node then needs in certification path while adding the hash value of the brotgher of node and crashworthness < h of present node (m), the random number of r > into certification path.
For example, in structure as shown in FIG. 6, for data l2And l3Obtained certification path auth is { (v1,0,r1,1), v2,2,rρCertification path length be D-1 using obtained certification path auth as the integrity verification evidence π of dataiAnd data Element miOutput result as algorithm.Search algorithm return information is (l2,l3,auth)。
Flow data and experimental evidence forwarding module, for the forwarding of flow data and the transmission of experimental evidence;
Specifically, flow data and experimental evidence forwarding module mainly complete the forwarding of flow data and the transmission of experimental evidence. The data flow request of receiving stream Receiving Agent subsystem is responsible in the forwarding of flow data, the data of buffer pool is read, then by data Circulation is sent to stream Receiving Agent subsystem.The transmission of experimental evidence is responsible for reception checking request and generates and sends experimental evidence to stream Receiving Agent subsystem.
System management module carries out system administration for convection current secure exchange server subsystem;
System management module mainly realizes that convection current secure exchange server subsystem is managed, and may be implemented to user's The functions such as addition, modification, deletion and the log management of convective exchange process.
Second data reception module, for initiating exchange request to the stream secure exchange server subsystem, receiving Flow data and corresponding experimental evidence;
Specifically, second data reception module is mainly completed to initiate stream exchange request to stream secure exchange server, be connect Receive flow data and corresponding experimental evidence.The implementation procedure for flowing Receiving Agent acquisition data flow is as follows:
(1) stream Receiving Agent sends the index value index for needing verify data node, realization pair to stream secure exchange server The request of flow data.
(2) stream secure exchange server subsystem is simultaneously generated from the data leaf according to index value index, inquiry exchange data Child node is sent to stream Receiving Agent subsystem to the routing information of root node together.
(3) stream Receiving Agent subsystem issues receiving stream-oriented data and experimental evidence to stream secure exchange server subsystem Request, and the data of reading data flow buffer pool then call verification algorithm pair according to the request of data experimental evidence of buffer pool Data flow is verified, and is made a response immediately when that can not be proved to be successful.
Flow verification processing module is tested for extracting experimental evidence, then verification algorithm being called to carry out integrality to data stream Card, makes a response immediately when that can not be proved to be successful;
Specifically, the real main completion of flow verification processing module extracts the function of experimental evidence and verifies switched traffic Integrality.It extracts experimental evidence to be mainly used for obtaining evident information π from received information, passes through tune after obtaining experimental evidence The integrality of the content of message m is verified with the integrity verification algorithm TreeVerify (PK, i, m, π) of data and whether is recognized Otherwise i-th of element in card tree exports false if then exporting true, specific implementation procedure is as follows:
(1) the hash value that leaf node is calculated by information m, then according to the node hash value information in certification path, according to Secondary calculating derives its father node hash value, finally obtains the trapdoor hash value of root node for itself and the root node trapdoor in public key pk Hash value compares, if value is equal, is proved to be successful: otherwise, authentication failed.
(2) to verify (the l that generating algorithm returns2,l3, auth={ (v1,0,r1,1),v2,2,rρ) for, verification process As shown in Figure 7, wherein v2,1=Th (v1,2||v1,3, r2,1), v1,0=h (l0||l1), l2, l3For in data integrity evidence Element, first according to the data l of return2And l3With random number r1,1Calculate trapdoor hash node v1,1=Th (l2||l3,r1,1), Then according to the v in certification path1,0With the v calculated1,1V can be calculated2,0=h (v1,0||v1,1), according to certification path In v2,1It can continue to calculate root ρ ,=Th (v2,0||v2,1,rρ), according to the ρ in public key, it is compared if the two is equal Integrity verification passes through.
(3) since the type of the left and right child nodes of certification tree is different, left child is calculated using common hash function Hash value, right child calculate hash value using unidirectional trapdoor hash function.It can be according to institute's calculated value class during verifying The difference of type derives the left-right relation in the path from leaf node to root node, and then is derived from locating for the leaf node Position so that it is determined that whether data true position in double trapdoor hash certification leaf, and can be recognized with verify data m I-th of data in card tree.
Flow data dump module, for will relative users or storage to be transmitted to by the flow data verified.
Flow data dump module, which is realized, to be transmitted to relative users or storage by the flow data verified.
Specifically, stream Receiving Agent subsystem, which calls flow data receiving module to send checking request, gives stream secure exchange service Device subsystem after stream secure exchange server subsystem receives request, sends flow data and experimental evidence and gives stream Receiving Agent System.Stream Receiving Agent calls verification processing module to carry out integrity verification to the data flow received, is verified, calls stream Data dump module will be transmitted to relative users or storage by the flow data verified, otherwise abandon simultaneously alert.
Specifically, the data that stream secure exchange server receives are divided into two classes, the first kind is to act on behalf of subsystem from transmission The data that system is read from data flow, the second class is come the checking request data for the Receiving Agent subsystem that flows automatically.If received Primary sources flow secure exchange server subsystem after extracting more new information in data flow data, according to more new information The structure of certification tree is updated, remaining data are stored in data center.If receiving secondary sources, stream safety Swap server subsystem can generate experimental evidence according to checking request therein, and will count from data center's taking-up related data It is sent to Receiving Agent in response according to the evidence with generation.
As shown in figure 8, for the Whole Work Flow of the stream security exchange system under cloud platform disclosed by the invention, it is main to wrap Work containing following three parts:
First part: following work is completed by transmission agent subsystem
(1) security parameter is generated;
(2) stream exchange initialization information is generated;
(3) it sends and requests to data flow secure exchange server subsystem, send authentication initialization tree;
(4) data source information is acquired;
(5) certification tree more new information is generated;
(6) flow data and certification tree more new information are sent;
With the generation of data flow, (4)-(6) step cycle is executed.
Second part: following work is completed by stream secure exchange server subsystem
(1) receiving stream exchanges initialization information;
(2) receiving stream-oriented data and authentication information;
(3) administrative authentication information, including maintenance certification tree construction, complete the functions such as node insertion, node updates;
With the generation of data flow, (1)-(3) step cycle is executed.
(4) checking request is received
(5) authentication data is generated according to solicited message
(6) it sends flow data and authenticates evidence accordingly
With the forwarding of data flow, (4)-(6) step cycle is executed.
Part III: following work is completed by Receiving Agent subsystem:
(1) checking request is sent;
(2) it receives data flow and verifies;
(3) it is proved to be successful and then stores or forward.
With the reception of data flow, (1)-(3) step cycle is executed.
In conclusion the present invention exchanges urgent need around high-volume dynamic dataflow actual time safeties such as audio-videos, utilize Hash and double trapdoor Hash creatively construct the identifiable tree of dynamic for large-scale data stream exchange with real-time verification, The dynamic for devising identifiable tree initial constructing method and efficient stable state updates verification algorithm, and it is complete without recalculating to update verifying Portion's node realizes the verifying of read-while-write side, meets flow data dynamic and updates and fast verification requirement, it is ensured that Streaming Media number According to the timeliness and stationarity of lasting exchange and verifying, solves the efficient actual time safety inter-network exchange of continuous high-volume audio/video flow Problem.
Each embodiment in this specification is described in a progressive manner, the highlights of each of the examples are with other The difference of embodiment, the same or similar parts in each embodiment may refer to each other.For device disclosed in embodiment For, since it is corresponded to the methods disclosed in the examples, so being described relatively simple, related place is said referring to method part It is bright.
Professional further appreciates that, unit described in conjunction with the examples disclosed in the embodiments of the present disclosure And algorithm steps, can be realized with electronic hardware, computer software, or a combination of the two, in order to clearly demonstrate hardware and The interchangeability of software generally describes each exemplary composition and step according to function in the above description.These Function is implemented in hardware or software actually, the specific application and design constraint depending on technical solution.Profession Technical staff can use different methods to achieve the described function each specific application, but this realization is not answered Think beyond the scope of this invention.
The step of method described in conjunction with the examples disclosed in this document or algorithm, can directly be held with hardware, processor The combination of capable software module or the two is implemented.Software module can be placed in random access memory (RAM), memory, read-only deposit Reservoir (ROM), electrically programmable ROM, electrically erasable ROM, register, hard disk, moveable magnetic disc, CD-ROM or technology In any other form of storage medium well known in field.
The foregoing description of the disclosed embodiments enables those skilled in the art to implement or use the present invention. Various modifications to these embodiments will be readily apparent to those skilled in the art, as defined herein General Principle can be realized in other embodiments without departing from the spirit or scope of the present invention.Therefore, of the invention It is not intended to be limited to the embodiments shown herein, and is to fit to and the principles and novel features disclosed herein phase one The widest scope of cause.

Claims (5)

1. a kind of certification tree constructing method characterized by comprising
Before data flow generation, the initialisation structures based on hash function and double trapdoor hash function building certification trees;
In the real-time propagation process of data flow, the leaf node of the certification tree is constantly updated, to realize to the real-time of generation The generation of addition, the update and experimental evidence of data flow;
Routing information based on leaf node to root node obtains the verification information of respective nodes, original with root node by comparing Whether trapdoor cryptographic Hash unanimously carries out real-time verification.
2. the stream security exchange system based on certification tree under a kind of cloud platform characterized by comprising stream sends and acts on behalf of subsystem System, stream secure exchange server subsystem and stream Receiving Agent subsystem;Wherein:
The stream sends agent subsystem, for acquiring the data from data source, to collected described from data source Data carry out stream exchange pretreatment and flow data certification, and data are sent to the stream secure exchange server by treated Subsystem;
The stream secure exchange server subsystem, for receive that the stream sends that agent subsystem sends after treatment Flow data, and certification tree is constructed and safeguarded according to the flow data received, after receiving forwarding request, the flow data is forwarded To the stream Receiving Agent subsystem;
The stream Receiving Agent subsystem, the data sent for receiving the stream secure exchange server subsystem, and dock The data received carry out flow data verifying and dump.
3. system according to claim 2, which is characterized in that it includes: that security parameter is raw that the stream, which sends agent subsystem, At module, stream exchange initialization module, flow data authentication module and flow data sending module;Wherein:
The security parameter generation module, for constructing key, counter, state vector required for stream certification is set;
The stream exchanges initialization module, and the initialization for realizing random flow fragmentation calculates and the initialization structure of stream certification tree It builds;
The flow data authentication module calculates for realizing flow data acquisition, fragment, newly-increased flow data and experimental evidence is raw At;
Flow data and authentication data are sent to stream secure exchange server for completing by the flow data sending module System.
4. system according to claim 3, which is characterized in that the stream secure exchange server subsystem, comprising: first Flow data receiving module, stream authentication management module, stream receive request module, experimental evidence generation module, flow data and verifying and demonstrate,prove According to forwarding module and system management module;Wherein:
The first-class data reception module, for receiving the flow data and authentication data that the flow data sending module is sent;
The stream authentication management module, for the certification tree information according to the flow data and authentication data received to server end Carry out maintenance and management;
The stream receives request module, for the monitoring to the stream Receiving Agent subsystem exchange request;
The experimental evidence generation module, after receiving the exchange request from the stream Receiving Agent subsystem, for that need to test The flow data of card generates experimental evidence;
The flow data and experimental evidence forwarding module, for the forwarding of flow data and the transmission of experimental evidence;
The system management module carries out system administration for convection current secure exchange server subsystem.
5. system according to claim 4, which is characterized in that the stream Receiving Agent subsystem includes: the second flow data Receiving module, flow verification processing module and flow data dump module;Wherein:
The second data reception module, for initiating exchange request to the stream secure exchange server subsystem, receiving Flow data and corresponding experimental evidence;
The flow verification processing module, for extracting experimental evidence and verifying the complete of switched traffic according to the experimental evidence Property;
The flow data dump module, for will relative users or storage to be transmitted to by the flow data verified.
CN201910321880.5A 2019-04-28 2019-04-28 Authenticate the stream security exchange system based on certification tree under tree constructing method and cloud platform Pending CN110086795A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910321880.5A CN110086795A (en) 2019-04-28 2019-04-28 Authenticate the stream security exchange system based on certification tree under tree constructing method and cloud platform

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201910321880.5A CN110086795A (en) 2019-04-28 2019-04-28 Authenticate the stream security exchange system based on certification tree under tree constructing method and cloud platform

Publications (1)

Publication Number Publication Date
CN110086795A true CN110086795A (en) 2019-08-02

Family

ID=67415935

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910321880.5A Pending CN110086795A (en) 2019-04-28 2019-04-28 Authenticate the stream security exchange system based on certification tree under tree constructing method and cloud platform

Country Status (1)

Country Link
CN (1) CN110086795A (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111682940A (en) * 2020-04-28 2020-09-18 中国人民解放军战略支援部队信息工程大学 Multi-tenant virtual domain isolation construction method based on L-DHT
CN112637203A (en) * 2020-12-18 2021-04-09 中国人民解放军战略支援部队信息工程大学 Large data stream verification method and system
CN113065118A (en) * 2021-03-16 2021-07-02 青岛海尔科技有限公司 Method and device for determining authentication code, storage medium and electronic device

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103268460A (en) * 2013-06-20 2013-08-28 北京航空航天大学 Integrity verification method of cloud storage data
CN103607291A (en) * 2013-10-25 2014-02-26 北京科东电力控制系统有限责任公司 Alarm analysis merging method for power secondary system intranet security monitoring platform
CN106897368A (en) * 2017-01-16 2017-06-27 西安电子科技大学 Database update operating method is set and its be can verify that in the summation of Merkle Hash

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103268460A (en) * 2013-06-20 2013-08-28 北京航空航天大学 Integrity verification method of cloud storage data
CN103607291A (en) * 2013-10-25 2014-02-26 北京科东电力控制系统有限责任公司 Alarm analysis merging method for power secondary system intranet security monitoring platform
CN106897368A (en) * 2017-01-16 2017-06-27 西安电子科技大学 Database update operating method is set and its be can verify that in the summation of Merkle Hash

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
陈亮: "数据安全交换若干关键技术研究", 《中国优秀硕士学位论文全文数据库信息科技辑(2016)》 *
黄雪刚等: "面向流式数据认证的变色龙认证树算法研究", 《四川大学学报(工程科学版)》 *

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111682940A (en) * 2020-04-28 2020-09-18 中国人民解放军战略支援部队信息工程大学 Multi-tenant virtual domain isolation construction method based on L-DHT
CN111682940B (en) * 2020-04-28 2023-05-05 中国人民解放军战略支援部队信息工程大学 L-DHT-based multi-tenant virtual domain isolation construction method
CN112637203A (en) * 2020-12-18 2021-04-09 中国人民解放军战略支援部队信息工程大学 Large data stream verification method and system
CN113065118A (en) * 2021-03-16 2021-07-02 青岛海尔科技有限公司 Method and device for determining authentication code, storage medium and electronic device
CN113065118B (en) * 2021-03-16 2022-06-14 青岛海尔科技有限公司 Method and device for determining authentication code, storage medium and electronic device

Similar Documents

Publication Publication Date Title
RU2754189C2 (en) Method and device for distributed database that allows deleting events
JP6966544B2 (en) Methods and equipment for distributed databases with anonymous entries
CN109165190A (en) A kind of electronic data based on block chain intelligence contract deposits card method
CN110086795A (en) Authenticate the stream security exchange system based on certification tree under tree constructing method and cloud platform
CN108615156A (en) A kind of data structure based on block chain
CN109347868A (en) A kind of Information Authentication method, apparatus and storage medium
Jing et al. Authentication of k nearest neighbor query on road networks
CN110569246B (en) Block chain node information synchronization method and device, computer equipment and storage medium
CN108092766B (en) Ciphertext search authority verification method and system
JP2023544422A (en) Method and apparatus for distributed database in a network
CN109985389A (en) Cards game anti-cheating method and its system based on block chain intelligence contract
WO2008035390A2 (en) Method for dynamic secure management of an authenticated relational table in a database
KR20180133863A (en) Method and system for protecting stored data
CN113554421A (en) Police affair resource data governance cooperation method based on block chain
JP2022551874A (en) Method and Apparatus for Secure Symbiosis Mining
CN114328518A (en) UTXO model-based low storage consumption method and system
KR102349014B1 (en) Method and system for building fast synchronizable decentralized distributed database
CN108876378A (en) Publicly-owned chain data enciphering back-up method
CN109067849A (en) Method of data synchronization based on block
CN109067702A (en) A kind of method that system of real name network identity is generated and protected
KR101593674B1 (en) Verifiable data management method and system
Singh Blockchain and IOT integrated Smart City Architecture
JP2004341624A (en) Device and method for evaluating information
KR102189668B1 (en) Method for building decentralized hierarchical multi-blockchains
KR20200091306A (en) Blockchains with modifiable recorded transactions

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20190802

RJ01 Rejection of invention patent application after publication