CN112291356A - Self-verification variable name distributed storage method based on CNFS protocol - Google Patents
Self-verification variable name distributed storage method based on CNFS protocol Download PDFInfo
- Publication number
- CN112291356A CN112291356A CN202011200979.9A CN202011200979A CN112291356A CN 112291356 A CN112291356 A CN 112291356A CN 202011200979 A CN202011200979 A CN 202011200979A CN 112291356 A CN112291356 A CN 112291356A
- Authority
- CN
- China
- Prior art keywords
- user node
- node
- uploading
- file
- access
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L67/00—Network arrangements or protocols for supporting network services or applications
- H04L67/01—Protocols
- H04L67/10—Protocols in which an application is distributed across nodes in the network
- H04L67/1097—Protocols in which an application is distributed across nodes in the network for distributed storage of data in networks, e.g. transport arrangements for network file system [NFS], storage area networks [SAN] or network attached storage [NAS]
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F16/00—Information retrieval; Database structures therefor; File system structures therefor
- G06F16/10—File systems; File servers
- G06F16/13—File access structures, e.g. distributed indices
- G06F16/137—Hash-based
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F16/00—Information retrieval; Database structures therefor; File system structures therefor
- G06F16/10—File systems; File servers
- G06F16/18—File system types
- G06F16/182—Distributed file systems
- G06F16/1824—Distributed file systems implemented using Network-attached Storage [NAS] architecture
- G06F16/183—Provision of network file services by network file servers, e.g. by using NFS, CIFS
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F16/00—Information retrieval; Database structures therefor; File system structures therefor
- G06F16/10—File systems; File servers
- G06F16/18—File system types
- G06F16/182—Distributed file systems
- G06F16/1834—Distributed file systems implemented based on peer-to-peer networks, e.g. gnutella
- G06F16/1837—Management specially adapted to peer-to-peer storage networks
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/604—Tools and structures for managing or administering access control systems
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/606—Protecting data by securing the transmission between two devices or processes
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/62—Protecting access to data via a platform, e.g. using keys or access control rules
- G06F21/6218—Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/64—Protecting data integrity, e.g. using checksums, certificates or signatures
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/04—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
- H04L63/0428—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
- H04L63/0442—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply asymmetric encryption, i.e. different keys for encryption and decryption
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/10—Network architectures or network communication protocols for network security for controlling access to devices or network resources
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L67/00—Network arrangements or protocols for supporting network services or applications
- H04L67/50—Network services
- H04L67/56—Provisioning of proxy services
- H04L67/562—Brokering proxy services
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/06—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
- H04L9/0643—Hash functions, e.g. MD5, SHA, HMAC or f9 MAC
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0816—Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
- H04L9/0819—Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
- H04L9/0825—Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) using asymmetric-key encryption or public key infrastructure [PKI], e.g. key signature or public key certificates
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0861—Generation of secret information including derivation or calculation of cryptographic keys or passwords
- H04L9/0869—Generation of secret information including derivation or calculation of cryptographic keys or passwords involving random numbers or seeds
Abstract
The invention relates to the technical field of distributed storage, and provides a self-verification variable name distributed storage method based on a CNFS protocol, which comprises the following steps: 100, uploading a user node to generate CNFS node information based on a file system of a CNFS protocol; step 200, an uploading user node A allocates a variable namespace, takes the previously generated node information as an address name, adds a domain name to a domain name server system, uploads a file and indexes the file to the own namespace; step 300, an access user node acquires a file object, and verifies the authenticity of an object issued by an uploading user node by detecting whether a signature is matched with a public key and uploading user node information; step 400, the access user node analyzes and uploads the data hash value issued under the user node name space, and initiates a download request corresponding to the data hash to the storage node. The invention effectively reduces the network burden and improves the system expansibility.
Description
Technical Field
The invention relates to the technical field of distributed storage, in particular to a self-verification variable-name distributed storage method based on a CNFS protocol.
Background
The blockchain technology is considered to be the core technology of next generation subversion after a steam engine, power and the internet, and the blockchain technology is only used as the bottom layer technology of a bitcoin in the early period and is a chain data structure which cannot be tampered. Over the years of development, the blockchain changes from a simple data structure to a general term of distributed ledger series technology. A blockchain is a distributed database intended to maintain the consistency of the database among nodes that are not trusted by each other and is not tamper-evident.
The generation of the block chain aims to achieve decentralization, achieve consensus under the condition that no central mechanism exists, and maintain one account book together. The motivation for its design is not for efficiency or scalability. And a CNFS protocol is innovatively proposed in combination with the increasing importance of the Chinese government on the block chain. The CNFS (Cluster Net File System, peer-to-peer hypermedia distribution) protocol is a network transmission protocol stack based on content addressing distributed storage and shared files, a point-to-point hypermedia transmission protocol is created, and the combination of the point-to-point hypermedia transmission protocol and a block chain supplements the defects of low storage efficiency, high cost, difficult coordination among chains in a cross-chain and the like of the block chain, and the worry of China about potential safety hazards in complete decentralization is met.
The use of the merkle DAG in the CNFS protocol makes it possible to search for data by addressing according to the content hash value, and can accurately find the content and effectively remove redundant data. As long as the contents of the file are not modified, the link for each chunk can be linked to the hash value of the next content, the link is always valid and no check on its data validity is needed. But at the same time of convenience, if a user updates the content of a file, the hash value of the whole path related to the file in the merkle tree is forced to change until the root of the tree is modified, the change occurring locally in the user is high in the cost of synchronizing to the whole blockchain network, and if the hash information of the whole branch is synchronized every time the file is modified, the practicability of the CNFS protocol is greatly reduced, and the data storage efficiency is low.
Disclosure of Invention
The invention mainly solves the problems that after a content addressable DAG object is formed in a CNFS protocol, the content address of a user data object simultaneously changes a Hash tree of a whole branch directory after the content of the user data object is updated, so that the network cost for modifying synchronous Hash information each time is overlarge, and the user unfriendly problem is caused by taking a file Hash as an address in a self-verification file system.
The invention provides a self-verification variable name distributed storage method based on a CNFS protocol, which comprises the following processes:
step 100, uploading a user node to generate CNFS node information based on a file system of a CNFS protocol, which comprises the following steps 101 to 103:
step 101, when an uploading user node accesses a file system based on a CNFS protocol for the first time, the uploading user node loads an access agent module, and the agent module sends an authentication user request to a super node;
step 102, the super node judges whether the uploading user node is a legal node according to the authentication user request, after judging that the uploading user node is legal, whether the uploading user node completes registration in a server module of the super node is checked, if the uploading user node does not complete registration, step 103 is carried out; if the uploading user node is registered, allowing the user node to log in;
103, uploading a user node and generating CNFS node information through the unique identifier of the user node;
step 200, the uploading user node allocates a variable namespace, takes the previously generated node information as an address name, adds a domain name to a domain name server system, uploads a file and indexes the file to the own namespace, and the method comprises the following steps 201 to 203:
step 201, an uploading user node reads a unique identifier of the uploading user node, and searches mapping data about the unique identifier in a local storage; if the searching is successful, updating the serial number of the mapping data, calling an updating interface of a routing layer in a file system of a CNFS protocol, and issuing the unique identifier and the routing mapping relation to the whole network; if the local search fails, calling an acquisition method of a routing layer in a file system of a CNFS protocol, searching route mapping data corresponding to the unique identifier from the whole network, and if the search succeeds, updating a data serial number and broadcasting the data serial number to the whole network again; if the whole network searching fails, newly establishing a unique identifier and file Hash mapping data and broadcasting the unique identifier and the file Hash mapping data to the whole network;
step 202, adding a domain name to a domain name server system by an uploading user node, so that the uploading user node can access a file object in a file system of a CNFS protocol through the domain name;
step 300, the access user node obtains the file object, and verifies the authenticity of the published object of the uploading user node by detecting whether the signature is matched with the public key and the uploading user node information, including the following steps 301 to 304:
step 301, an access user node initiates a content access request to an upload user node, and the upload user node sends an original public key of the access user node;
step 302, after receiving the original public key of the uploading user node, the access user node sends the own public key to the uploading user node, randomly generates two access public keys, encrypts the two access public keys by using the public key of the uploading user node, and transmits the encrypted data to the uploading user node;
step 303, after receiving the encrypted access public key, the uploading user node decrypts the two access public keys by using the private key of the uploading user node, simultaneously randomly generates another two service public keys, encrypts the two service public keys by using the initial public key of the accessing user node, and sends the two service public keys to the accessing user node;
step 304, after receiving the encrypted service public key, the access user node decrypts by using its own private key, signs the data transmitted by both parties each time after the decryption is successful, and both parties send the signature to the other party together with the data to be sent; the access user node verifies the authenticity of the published object of the uploading user node by detecting whether the signature is matched with the public key and the uploading user node information;
step 400, the access user node analyzes and uploads a data hash value issued under a user node name space, and initiates a download request corresponding to the data hash to the storage node, which includes the following steps 401 to 404:
step 401, an access user node searches mapping data of an upload user node from a local cache and caches the mapping data in the local cache;
step 402, if the cache search fails, the access user node initiates an acquired network request to a file system routing layer of a CNFS protocol;
step 403, after the visiting user node successfully queries and uploads the mapping data of the user node a through local and network queries, the application layer receives a file hash value of the uploading user node; the access user node accesses and uploads the specific data content of the user node through the hash value;
in step 404, after receiving the hash value of the specific file of the uploading user node, the access user node searches a hash storage location of the file from the super node through the distributed storage network, the super node checks the hash of the file and then sends the storage location to the access user node, and the user node sends a download request to the storage node.
Further, when the private key of the uploading user node is leaked, the uploading user node sends a key revocation instruction to all other user nodes; and after receiving the key revocation instruction, the other user nodes revoke the address and the path corresponding to the key revocation instruction and forbid access.
The invention provides a self-verification variable name distributed storage method based on a CNFS protocol.A user node calls a proxy module to authenticate, check and verify a request to a super node, the user node generates a unique identifier as node information after passing the first verification, and the super node can judge whether a new user is admitted or not by continuously modifying the authentication protocol. The CNFS protocol allocates a namespace for the user node and uses the unique identifier as a named address. Uploading a user node to release a new file object in a CNFS network, firstly searching a mapping relation of a unique identifier in a distributed hash table in a local storage or a network, and calling the mapping relation of a routing layer method in a CNFS protocol after the whole network broadcasting is updated. The user can select to add the hash address of the user to the DNS system by using a DNSLink method, so that other user nodes can access the name space of the uploaded user node through the domain name. The new file object is signed by the upload user private key and the protocol mounts the file object in the user's namespace. When the access user node acquires the file object issued by the uploading user node, whether the signature is matched with the public key and the node information of the uploading user node is detected, and therefore the authenticity of the user issued object is verified. When the user exchanges data, the user node is uploaded, and after the user node is accessed to exchange the key by using the secure hash function, the signatures of the two parties are generated so that the two parties can form an encrypted secure channel. After the signatures of both parties are formed, the access user node analyzes the hash data under the unique identifier of the namespace of the uploading user node, obtains the specific data content under the unique identifier of the uploading user node after the hash data of the file is successfully obtained by local caching and initiating a network request to a routing layer to obtain the mapping relation of the unique identifier, and downloads the specific data by initiating a download request to the storage node.
The invention creates the possibility of constructing the self-authentication name in the global name space under the encryption environment, and solves the network redundancy caused by the synchronous hash information for each modification in the Mercker directed acyclic graph caused by the change of the updated file hash by the self-verification mode of uniquely identifying the mounted file hash in the user name space. And meanwhile, a file path is improved by using a DNSLink technology, so that the user friendliness is improved. Providing user authentication and self-authenticating user key revocation instructions prevents malicious users from being directed to the wrong file server. The invention can be used in the CNFS protocol naming layer, provides technical support for the CNFS protocol naming layer, effectively reduces network burden and improves system expansibility and safety. The method can provide technical support for a naming layer of the CNFS protocol, can effectively reduce network communication cost, and keeps fixed names in an environment with variable data object contents, so that the protocol can construct variable self-authentication names in an encryption environment and a global naming space.
Drawings
FIG. 1 is a flowchart of an implementation of a self-verification variable name distributed storage method based on a CNFS protocol according to the present invention;
FIG. 2 is a block diagram of a file system of the CNFS protocol;
FIG. 3 is a flowchart of an implementation of step 100;
FIG. 4 is a flowchart of an implementation of step 200;
FIG. 5 is a flowchart of an implementation of step 300;
FIG. 6 is a flowchart of an implementation of step 400;
fig. 7 is a flowchart of a process when the private key of the upload user node is compromised.
Detailed Description
In order to make the technical problems solved, technical solutions adopted and technical effects achieved by the present invention clearer, the present invention is further described in detail below with reference to the accompanying drawings and embodiments. It is to be understood that the specific embodiments described herein are merely illustrative of the invention and are not limiting of the invention. It should be further noted that, for the convenience of description, only some but not all of the relevant aspects of the present invention are shown in the drawings.
Fig. 1 is a flowchart of an implementation of a self-verification variable name distributed storage method based on a CNFS protocol according to the present invention. As shown in fig. 1, a self-verification variable name distributed storage method based on a CNFS protocol provided in an embodiment of the present invention includes:
and 100, uploading a user node to generate CNFS node information based on a file system of a CNFS protocol.
In this embodiment, the uploading user node is represented by the user node a. Fig. 2 is a frame diagram of a file system of the CNFS protocol, and as shown in fig. 2, the file system based on the CNFS protocol includes: the system comprises a super node, a storage node and a plurality of user nodes, wherein the user nodes are CNFS clients of users, can perform user functions such as cache routing mapping, file uploading, namespace allocation, file downloading and user verification, and are inlets of the system used by the users. In this embodiment, a user node that performs file uploading is referred to as an uploading user node, and a user node that performs file accessing and downloading is referred to as an accessing user node. The super node is a key ring for innovatively providing semi-centralized distributed storage in a CNFS protocol, and is responsible for functions of using a block chain to store metadata to examine data and the like. In the invention, the super node is responsible for the verification function of the user, the agent module of the user node is responsible for interacting with the super node to finish the user verification, and the super node is responsible for finishing addressing according to the downloading request of the user to the content hash and providing the addressing for the user node. The storage nodes are responsible for distributively storing the file blocks and the file hash table and providing downloads. The hash table is responsible for storing hash values of all file blocks of the node to realize file block position index.
As shown in fig. 3, step 100 includes the following steps 101 to 103:
step 101, when an uploading user node accesses a file system based on a CNFS protocol for the first time, the uploading user node loads an access Agent module (Agent module), and the Agent module sends an authentication user request to a super node.
102, the super node judges whether the uploading user node A is a legal node according to the authentication user request, and checks whether the uploading user node A completes registration in a server module of the super node after judging that the uploading user node A is legal, and if the uploading user node A does not complete registration, the step 103 is carried out; and if the uploading user node A finishes the registration, allowing the user node to log in.
In the step, whether the uploading user node A is a legal node is judged by an anonymous examination method of the super node; and if the uploading user node A is judged to be an illegal node, rejecting the request of the uploading user node A.
And 103, uploading the unique identifier of the user node A to generate the CNFS node information.
In this embodiment, the hash value of the public key of the uploading user node a is used as a unique identifier, and is represented as node id hash (node.
Step 200, the uploading user node A allocates a variable namespace, takes the previously generated node information as an address name, adds a domain name to a Domain Name Server (DNS) system, uploads a file and indexes the file to the own namespace. Step 200 comprises the following steps 201 to 203:
step 201, an uploading user node a reads a unique identifier (NodeID) of itself, and searches mapping data about the unique identifier in a local storage; if the searching is successful, updating the serial number of the mapping data, calling an update (PutValue) interface of a routing layer in a file system of a CNFS protocol, and issuing the unique identifier and the routing mapping relation to the whole network; if the local search fails, calling a method for obtaining a routing layer (GetValue) in a file system of a CNFS protocol, searching route mapping data corresponding to the unique identifier from the whole network, and updating a data serial number and broadcasting the data serial number to the whole network again if the search is successful; if the whole network searching fails, resetting (SetValue method) is called, and mapping data of the unique identifier and the file hash is newly built and broadcasted to the whole network.
In a file system of a CNFS protocol, mapping data is a mapping relation of a hash table, and a relation between a unique identifier and a file hash is reflected.
In step 202, the uploading user node a adds a Domain Name to a Domain Name Server (DNS) System, so that it can access a file object in a file System of the CNFS protocol through the Domain Name.
In the step, a domain name mode is used for replacing a Hash addressing mode, the complicated Hash value website is converted into a domain name website with better user friendliness, and the domain name website can address the same ip address.
As shown in fig. 4, in steps 201 to 202, the unique identifier is used to allocate an address to the user, in order to reduce network load, first, route mapping data is searched locally, if the search fails, a network mapping relationship is searched from the whole network, if the search fails again, the route mapping is reset, after the mapping relationship is updated, a DNSLink function can be selected to add a domain name, and a domain name or an ip address which is not easy to be memorized by the user is selected.
The CNFS path is, for example: Cnfs/vXCBsf 7afas9adsf79asd 7/.
And step 300, the access user node acquires the file object, and verifies the authenticity of the object issued by the uploading user node A by detecting whether the signature is matched with the public key and the information of the uploading user node A.
In this embodiment, the visiting user node is represented by user node B.
Step 301, an access user node B initiates a content access request to an upload user node a, and the upload user node a sends its original public key to the access user node B;
step 302, after receiving the original public key of the uploading user node a, the access user node B sends its own public key to the uploading user node a, randomly generates two access public keys, encrypts the two access public keys by using the public key of the uploading user node a, and transmits the encrypted data to the uploading user node a.
Wherein the two access public keys are marked as C1, C2.
Step 303, after receiving the encrypted access public key, the uploading user node a decrypts the two access public keys C1 and C2 by using the private key of the uploading user node a, and simultaneously randomly generates another two service public keys S1 and S2, encrypts the two service public keys S1 and S2 by using the initial public key of the accessing user node B, and sends the encrypted two service public keys to the accessing user node B.
Step 304, after receiving the encrypted service public key, the access user node B decrypts by using its own private key, signs the data transmitted by both parties each time after the decryption is successful, and both parties send the signature to the other party together with the data to be sent; and the access user node B verifies the authenticity of the object issued by the uploading user node A by detecting whether the signature is matched with the public key and the information of the uploading user node A.
Specifically, before each data transmission, SHA-1(Secure Hash Algorithm 1) is used to sign the file object data to be transmitted, and when the access user node B goes to the upload user node a, the following formula is used to sign the file object data:
Session-C=SHA-1(“C-S”,Pub-S,Pub-S1,Pub-C,Pub-C1)
when uploading user node a to visiting user node B, signature is performed using the following formula:
Session-S=SHA-1(“S-C”,Pub-S,Pub-S2,Pub-C,Pub-C2)
in the embodiment, the client detects whether the signature is matched with the public key and the node information, and modification and damage of a malicious node to data are avoided. In the signature, Pub-S is a public key of an uploading user node A, and Pub-C is a public key of an accessing user node B.
The purpose of this step is that the access user node B verifies the identity of the upload user node a, as shown in fig. 5, a secure channel is established, after a user initiates a content access request to the data owner upload user node a, the upload user node a first sends a public key to the access user node B, the upload user node a exchanges two pairs of random public keys with the access user node B, the exchange process uses the public keys of both parties to encrypt, and after receiving, both parties can decrypt with their own private keys to obtain a plaintext. The mutual random public key is used for signing, and the data transmission process of both parties needs to send the signatures to ensure the communication safety.
Step 400, the access user node B analyzes the data hash value issued under the namespace of the upload user node a, and initiates a download request corresponding to the data hash to the storage node.
Step 401, the visiting user node B searches the mapping data of the uploading user node a from the local cache, and caches the mapping data in the local cache.
In the step, if the uploading user node A successfully allocates the variable name space, uploads the file and indexes the file to the own name space, the accessing user node B enters the CNFS network, searches the mapping data of the uploading user node A from the local cache and caches the mapping data in the local cache, and the network access cost can be effectively reduced by firstly reading the mapping data from the local cache each time.
Step 402, if the cache lookup fails, the visiting user node B initiates an acquired network request to the file system routing layer of the CNFS protocol.
In step 403, after the visiting user node B successfully uploads the mapping data of the user node a through local and network queries, the application layer receives the file hash value of the uploading user node a. The visiting user node B can access the specific data content of the uploading user node A through the hash value.
In step 404, after receiving the hash value of the specific file uploaded to the user node a, the access user node B searches a hash storage location of the file from the super node through the distributed storage network, the super node checks the hash of the file and then sends the storage location to the access user node B, and the user node B sends a download request to the storage node.
As shown in fig. 6, the node B of the access user first searches for the file mapping data from the local cache, and if the local search fails, initiates a network request to the routing layer, obtains the file hash value of the user by using a GetValue method, uploads the file hash value of the node a of the user, and the node B of the access user can initiate a download request to the storage node through the hash value.
In addition, when the private key of the uploading user node A is leaked, the uploading user node A sends a key revocation instruction to all other user nodes; and after receiving the key revocation instruction, the other user nodes revoke the address and the path corresponding to the key revocation instruction and forbid access.
The form of the key revocation instruction is as follows:
RevokeMessage={“Pathrevoke”,NodeId,Pub_key,NULL}||Secret_key
the RevokeMessage represents a key revocation instruction, Pathrevoke is a constant field, NodeId is a self-verification path needing to revoke a key, and Pub _ key and Secret _ key are a private key and a public key needing to revoke.
As shown in fig. 7, when the private key of the uploading user node is compromised, the private key, the public key and the unique identifier may be broadcast to the whole network in the same direction, and after receiving the revocation instruction, other user nodes are prohibited from accessing the revoked address. While the uploading user node continuously requires its proxy module to check whether its previous self-authentication path has been revoked. The method can prevent the path of the original self-verification file from being wrongly positioned in the name space of the attacker.
Finally, it should be noted that: the above embodiments are only used to illustrate the technical solution of the present invention, and not to limit the same; while the invention has been described in detail and with reference to the foregoing embodiments, it will be understood by those skilled in the art that: modifications of the technical solutions described in the embodiments or equivalent replacements of some or all technical features may be made without departing from the scope of the technical solutions of the embodiments of the present invention.
Claims (2)
1. A self-verification variable name distributed storage method based on a CNFS protocol is characterized by comprising the following processes:
step 100, uploading a user node to generate CNFS node information based on a file system of a CNFS protocol, which comprises the following steps 101 to 103:
step 101, when an uploading user node accesses a file system based on a CNFS protocol for the first time, the uploading user node loads an access agent module, and the agent module sends an authentication user request to a super node;
step 102, the super node judges whether the uploading user node is a legal node according to the authentication user request, after judging that the uploading user node is legal, whether the uploading user node completes registration in a server module of the super node is checked, if the uploading user node does not complete registration, step 103 is carried out; if the uploading user node is registered, allowing the user node to log in;
103, uploading a user node and generating CNFS node information through the unique identifier of the user node;
step 200, the uploading user node allocates a variable namespace, takes the previously generated node information as an address name, adds a domain name to a domain name server system, uploads a file and indexes the file to the own namespace, and the method comprises the following steps 201 to 203:
step 201, an uploading user node reads a unique identifier of the uploading user node, and searches mapping data about the unique identifier in a local storage; if the searching is successful, updating the serial number of the mapping data, calling an updating interface of a routing layer in a file system of a CNFS protocol, and issuing the unique identifier and the routing mapping relation to the whole network; if the local search fails, calling an acquisition method of a routing layer in a file system of a CNFS protocol, searching route mapping data corresponding to the unique identifier from the whole network, and if the search succeeds, updating a data serial number and broadcasting the data serial number to the whole network again; if the whole network searching fails, newly establishing a unique identifier and file Hash mapping data and broadcasting the unique identifier and the file Hash mapping data to the whole network;
step 202, adding a domain name to a domain name server system by an uploading user node, so that the uploading user node can access a file object in a file system of a CNFS protocol through the domain name;
step 203, the uploading user node distributes files in the name space, the files are signed by the private key of the uploading user node, the hash of the signed files is mounted under the CNFS path of the file, and the hash is used as an index;
step 300, the access user node obtains the file object, and verifies the authenticity of the published object of the uploading user node by detecting whether the signature is matched with the public key and the uploading user node information, including the following steps 301 to 304:
step 301, an access user node initiates a content access request to an upload user node, and the upload user node sends an original public key of the access user node;
step 302, after receiving the original public key of the uploading user node, the access user node sends the own public key to the uploading user node, randomly generates two access public keys, encrypts the two access public keys by using the public key of the uploading user node, and transmits the encrypted data to the uploading user node;
step 303, after receiving the encrypted access public key, the uploading user node decrypts the two access public keys by using the private key of the uploading user node, simultaneously randomly generates another two service public keys, encrypts the two service public keys by using the initial public key of the accessing user node, and sends the two service public keys to the accessing user node;
step 304, after receiving the encrypted service public key, the access user node decrypts by using its own private key, signs the data transmitted by both parties each time after the decryption is successful, and both parties send the signature to the other party together with the data to be sent; the access user node verifies the authenticity of the published object of the uploading user node by detecting whether the signature is matched with the public key and the uploading user node information;
step 400, the access user node analyzes and uploads a data hash value issued under a user node name space, and initiates a download request corresponding to the data hash to the storage node, which includes the following steps 401 to 404:
step 401, an access user node searches mapping data of an upload user node from a local cache and caches the mapping data in the local cache;
step 402, if the cache search fails, the access user node initiates an acquired network request to a file system routing layer of a CNFS protocol;
step 403, after the visiting user node successfully queries and uploads the mapping data of the user node a through local and network queries, the application layer receives a file hash value of the uploading user node; the access user node accesses and uploads the specific data content of the user node through the hash value;
in step 404, after receiving the hash value of the specific file of the uploading user node, the access user node searches a hash storage location of the file from the super node through the distributed storage network, the super node checks the hash of the file and then sends the storage location to the access user node, and the user node sends a download request to the storage node.
2. The CNFS protocol-based self-authentication variable name distributed storage method according to claim 1, wherein when a private key of the uploading user node is leaked, the uploading user node sends a key revocation instruction to all other user nodes; and after receiving the key revocation instruction, the other user nodes revoke the address and the path corresponding to the key revocation instruction and forbid access.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202011200979.9A CN112291356B (en) | 2020-11-02 | 2020-11-02 | Self-verification variable name distributed storage method based on CNFS protocol |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202011200979.9A CN112291356B (en) | 2020-11-02 | 2020-11-02 | Self-verification variable name distributed storage method based on CNFS protocol |
Publications (2)
Publication Number | Publication Date |
---|---|
CN112291356A true CN112291356A (en) | 2021-01-29 |
CN112291356B CN112291356B (en) | 2022-01-04 |
Family
ID=74353296
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202011200979.9A Active CN112291356B (en) | 2020-11-02 | 2020-11-02 | Self-verification variable name distributed storage method based on CNFS protocol |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN112291356B (en) |
Cited By (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN113141414A (en) * | 2021-05-07 | 2021-07-20 | 大连理工大学 | Grouped multi-chain asynchronous consensus method for block chain nodes in CNFS protocol |
CN114221956A (en) * | 2021-11-08 | 2022-03-22 | 北京中合谷投资有限公司 | Content examination method of distributed network |
CN115238257A (en) * | 2022-09-26 | 2022-10-25 | 深圳市亲邻科技有限公司 | Access control face permission updating method and device, computer equipment and storage medium |
US11817946B2 (en) * | 2021-03-30 | 2023-11-14 | Oxylabs, Uab | Proxy selection by monitoring quality and available capacity |
Citations (9)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN105893468A (en) * | 2016-03-28 | 2016-08-24 | 乐视控股(北京)有限公司 | Cache data synchronization method system for CDN system |
CN106612285A (en) * | 2016-12-30 | 2017-05-03 | Tcl集团股份有限公司 | Distributed cloud data management method and system based on peer-to-peer network |
US20180101684A1 (en) * | 2016-10-06 | 2018-04-12 | Mastercard International Incorporated | Method and system for identity and credential protection and verification via blockchain |
CN108848111A (en) * | 2018-08-06 | 2018-11-20 | 杭州云象网络技术有限公司 | A kind of decentralization Virtual Private Network construction method based on block chain technology |
CN110309117A (en) * | 2019-07-08 | 2019-10-08 | 匿名科技(重庆)集团有限公司 | A kind of High Availabitity block chain storage method |
TW202004620A (en) * | 2018-05-23 | 2020-01-16 | 葉佰蒼 | Digital documents publication system based on blockchain network and implementing method thereof |
CN111095863A (en) * | 2017-09-18 | 2020-05-01 | 区块链控股有限公司 | Block chain based system and method for communicating, storing and processing data over a block chain network |
CN111241115A (en) * | 2020-01-07 | 2020-06-05 | 腾讯科技(深圳)有限公司 | Data synchronization method, device, equipment and storage medium |
CN111309701A (en) * | 2020-02-19 | 2020-06-19 | 北京航空航天大学 | Multi-cloud storage management system based on block chain |
-
2020
- 2020-11-02 CN CN202011200979.9A patent/CN112291356B/en active Active
Patent Citations (9)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN105893468A (en) * | 2016-03-28 | 2016-08-24 | 乐视控股(北京)有限公司 | Cache data synchronization method system for CDN system |
US20180101684A1 (en) * | 2016-10-06 | 2018-04-12 | Mastercard International Incorporated | Method and system for identity and credential protection and verification via blockchain |
CN106612285A (en) * | 2016-12-30 | 2017-05-03 | Tcl集团股份有限公司 | Distributed cloud data management method and system based on peer-to-peer network |
CN111095863A (en) * | 2017-09-18 | 2020-05-01 | 区块链控股有限公司 | Block chain based system and method for communicating, storing and processing data over a block chain network |
TW202004620A (en) * | 2018-05-23 | 2020-01-16 | 葉佰蒼 | Digital documents publication system based on blockchain network and implementing method thereof |
CN108848111A (en) * | 2018-08-06 | 2018-11-20 | 杭州云象网络技术有限公司 | A kind of decentralization Virtual Private Network construction method based on block chain technology |
CN110309117A (en) * | 2019-07-08 | 2019-10-08 | 匿名科技(重庆)集团有限公司 | A kind of High Availabitity block chain storage method |
CN111241115A (en) * | 2020-01-07 | 2020-06-05 | 腾讯科技(深圳)有限公司 | Data synchronization method, device, equipment and storage medium |
CN111309701A (en) * | 2020-02-19 | 2020-06-19 | 北京航空航天大学 | Multi-cloud storage management system based on block chain |
Non-Patent Citations (3)
Title |
---|
YE SUN,FENG ZHANG,WEIJIE XIA, YAOHUA CHEN: ""Application Research on Blockchain-based Steel Structure Traceability Management"", 《2020 2ND INTERNATIONAL CONFERENCE ON MACHINE LEARNING, BIG DATA AND BUSINESS INTELLIGENCE》 * |
杨伟杰: "" 基于区块链的分布式文件存储系统的设计和实现"", 《中国优秀硕士学位论文全文数据库信息科技辑》 * |
胡志言,杜学绘,曹利峰: ""会话密钥协商协议研究进展"", 《计算机应用与软件》 * |
Cited By (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US11817946B2 (en) * | 2021-03-30 | 2023-11-14 | Oxylabs, Uab | Proxy selection by monitoring quality and available capacity |
CN113141414A (en) * | 2021-05-07 | 2021-07-20 | 大连理工大学 | Grouped multi-chain asynchronous consensus method for block chain nodes in CNFS protocol |
CN114221956A (en) * | 2021-11-08 | 2022-03-22 | 北京中合谷投资有限公司 | Content examination method of distributed network |
CN115238257A (en) * | 2022-09-26 | 2022-10-25 | 深圳市亲邻科技有限公司 | Access control face permission updating method and device, computer equipment and storage medium |
CN115238257B (en) * | 2022-09-26 | 2023-01-06 | 深圳市亲邻科技有限公司 | Access control face permission updating method and device, computer equipment and storage medium |
Also Published As
Publication number | Publication date |
---|---|
CN112291356B (en) | 2022-01-04 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN112291356B (en) | Self-verification variable name distributed storage method based on CNFS protocol | |
US11140177B2 (en) | Distributed data authentication and validation using blockchain | |
US11336463B2 (en) | Information assurance (IA) using an integrity and identity resilient blockchain | |
KR101330392B1 (en) | Network nodes and methods for data authorization in distributed storage networks | |
Lou et al. | A blockchain-based key management scheme for named data networking | |
CN112425139B (en) | Apparatus and method for resolving domain name | |
CN110430061B (en) | Vehicle networking equipment identity authentication method based on block chain technology | |
Alzahrani | An information-centric networking based registry for decentralized identifiers and verifiable credentials | |
JP2011008818A (en) | Secure recovery in serverless distributed file system | |
JP2002358226A (en) | Serverless distributed file system | |
CN106790296B (en) | Domain name record verification method and device | |
US20160149711A1 (en) | Distributed identification system for peer to peer message transmission | |
EP1694027B1 (en) | Peer-to-peer network information | |
CN101341691A (en) | Authorisation and authentication | |
CN106790261A (en) | Distributed file system and the method for certification communication between its interior joint | |
JP4997769B2 (en) | Cryptographic communication system, key sharing method, and key providing apparatus | |
CN109951481B (en) | Information processing method and system based on block chain network adjacent nodes | |
Fotiou et al. | Securing named data networking routing using decentralized identifiers | |
WO2020010270A1 (en) | Dynamic routing using a distributed hash table | |
WO2008065349A1 (en) | Worldwide voting system | |
GB2444346A (en) | Anonymous authentication in a distributed system | |
CN114629631B (en) | Data trusted interaction method and system based on alliance chain and electronic equipment | |
Hanka et al. | Secure deployment of application-tailored protocols in future networks | |
WO2008065348A2 (en) | Perpetual data | |
KR100834576B1 (en) | Key management method and apparatus for providing secure communication on p2p network |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||
GR01 | Patent grant |