CN112507034B - Data storage method and system - Google Patents


Publication number
CN112507034B
Authority
CN
China
Prior art keywords
public
private key
key pair
trusted
key
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202110170267.5A
Other languages
Chinese (zh)
Other versions
CN112507034A (en)
Inventor
管亚阳
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Alipay Hangzhou Information Technology Co Ltd
Ant Blockchain Technology Shanghai Co Ltd
Original Assignee
Alipay Hangzhou Information Technology Co Ltd
Ant Blockchain Technology Shanghai Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Alipay Hangzhou Information Technology Co Ltd and Ant Blockchain Technology Shanghai Co Ltd
Priority to CN202110766889.4A (patent CN113468270A)
Priority to CN202110170267.5A (patent CN112507034B)
Publication of CN112507034A
Application granted
Publication of CN112507034B

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/20 Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data
    • G06F16/27 Replication, distribution or synchronisation of data between databases or within a distributed database system; Distributed database system architectures therefor
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/20 Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data
    • G06F16/22 Indexing; Data structures therefor; Storage structures
    • G06F16/2228 Indexing structures
    • G06F16/2246 Trees, e.g. B+trees
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/20 Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data
    • G06F16/22 Indexing; Data structures therefor; Storage structures
    • G06F16/2228 Indexing structures
    • G06F16/2255 Hash tables
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/602 Providing cryptographic facilities or services
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/64 Protecting data integrity, e.g. using checksums, certificates or signatures

Abstract

This specification discloses a data storage method and system. A key server generates and stores a public-private key pair in advance at the request of a user side, and returns to the user side the unique identifier that the key pair has locally at the key server. The method comprises the following steps: the user side sends a signature request to the key server, the request comprising a hash value of the data to be stored and the unique identifier of a designated public-private key pair; the key server determines the designated public-private key pair from the unique identifier, encrypts the hash value of the data to be stored with the private key of that pair to obtain a digital signature, and returns the digital signature to the user side; the user side sends the data to be stored and the digital signature to a trusted storage side; the trusted storage side verifies the digital signature using the public key of the designated pair, provided by the key server; and if verification passes, the data to be stored is stored in the trusted ledger database.

Description

Data storage method and system
Technical Field
The embodiments of this specification relate to the field of data storage, and in particular to a data storage method and system.
Background
Public-private key pairs are currently widely used in network security; a user can create digital signatures with the user's own private key.
When a user stores data in a trusted ledger database, the user must digitally sign the data with the user's private key so that the user cannot later repudiate it. After receiving the data to be stored, the trusted ledger database verifies the digital signature with the user's public key. If verification passes, the data can be stored in the trusted ledger database.
In general, the user's private key is stored locally and is easily lost.
Disclosure of Invention
To solve the above technical problem, this specification provides a data storage method and system. The technical solution is as follows.
A data storage method, wherein a key server generates and stores a public-private key pair in advance at a user's request and returns to the user the unique identifier that the key pair has locally at the key server; the method comprises the following steps:
a user sends a signature request to the key server, the request comprising a hash value of the data to be stored and the unique identifier of a designated public-private key pair;
the key server determines the designated public-private key pair from the unique identifier, encrypts the hash value of the data to be stored with the private key of the designated pair to obtain a digital signature, and returns the digital signature to the user;
the user sends the data to be stored and the digital signature to a trusted storage side, which maintains a trusted ledger database;
the trusted storage side verifies the digital signature using the public key of the designated public-private key pair, provided by the key server; and if verification passes, stores the data to be stored in the trusted ledger database.
A data storage system, comprising a user side, a key server, and a trusted storage side; the key server stores a public-private key pair generated in advance at the user side's request, and the user side stores the unique identifier that the key pair has locally at the key server;
the user side is configured to: send a signature request to the key server, the request comprising a hash value of the data to be stored and the unique identifier of a designated public-private key pair;
the key server is configured to: determine the designated public-private key pair from the unique identifier, encrypt the hash value of the data to be stored with the private key of the designated pair to obtain a digital signature, and return the digital signature to the user side;
the user side is configured to: send the data to be stored and the digital signature to the trusted storage side, which maintains a trusted ledger database;
the trusted storage side is configured to: verify the digital signature using the public key of the designated public-private key pair, provided by the key server; and if verification passes, store the data to be stored in the trusted ledger database.
With this technical solution, the public-private key pair is generated and stored at the key server, and the key server must participate whenever a signature is made with the private key or checked with the public key. The key pair therefore need not be stored locally at the user side, which improves its security and makes it difficult to lose from the key server.
Drawings
To illustrate the embodiments of this specification or the prior-art technical solutions more clearly, the drawings needed to describe them are briefly introduced below. The drawings described below show only some of the embodiments of this specification, and those skilled in the art can derive other drawings from them.
FIG. 1 is a schematic structural diagram of a global Merkle tree provided in an embodiment of this specification;
FIG. 2 is a schematic system structure diagram to which a data storage method provided in an embodiment of this specification is applied;
FIG. 3 is a flow chart of a data storage method provided in an embodiment of this specification;
FIG. 4 is an interaction diagram of a data storage method provided in an embodiment of this specification;
FIG. 5 is a schematic structural diagram of a data storage system provided in an embodiment of this specification.
Detailed Description
In order to make those skilled in the art better understand the technical solutions in the embodiments of the present specification, the technical solutions in the embodiments of the present specification will be described in detail below with reference to the drawings in the embodiments of the present specification, and it is obvious that the described embodiments are only a part of the embodiments of the present specification, and not all the embodiments. All other embodiments derived by one of ordinary skill in the art from the embodiments given herein are intended to fall within the scope of the disclosure.
Public-private key pairs are currently widely used in network security; a user can create digital signatures with the user's own private key.
When a user stores data in a trusted ledger database, the user must digitally sign the data with the user's private key so that the user cannot later repudiate it. After receiving the data to be stored, the trusted ledger database verifies the digital signature with the user's public key. If verification passes, the data can be stored in the trusted ledger database.
In theory, only the user holds the private key, so the digital signature proves the user's identity and prevents repudiation. If the private key is lost, network security problems arise. For example, the user can hardly sign anything after losing the private key; or a lawbreaker can use the lost private key to sign illegal data and have it stored in the trusted ledger database, and the user cannot easily show that the user did not perform the operation.
In general, the user's private key is stored locally and is easily lost.
To avoid the loss of the user's public-private key pair, this specification provides a data storage method, where data storage means storing data in a trusted ledger database.
A trusted ledger database is a technique that guarantees, at the technical level, that stored data is not modified. The trusted ledger database is explained below.
The trusted ledger database may be maintained by a trusted storage side and may be a centralized database. Compared with decentralized or distributed storage schemes, storing data in a trusted ledger database is therefore more efficient and cheaper.
The trusted ledger database may have the structure of an ordinary database or of a blockchain. In an alternative embodiment, the trusted ledger in the database may be a blockchain ledger; this specification does not limit this. If the trusted ledger database has a blockchain structure, stored information is difficult to modify, because any modification requires every subsequent block to be modified and recalculated.
The trustworthiness of the trusted ledger database rests on the following three aspects.
1. Global Merkle tree.
Each piece of information in the trusted ledger database corresponds to one leaf node of the global Merkle tree.
In an alternative embodiment, for each piece of information in the trusted ledger database, the hash value of the information is computed as a leaf node and added to the global Merkle tree.
In the global Merkle tree, a new hash value is computed from the hash values of two child nodes and becomes their parent node (specifically, the two child hash values may be added and the sum hashed, or concatenated and the concatenation hashed). Computing parent nodes repeatedly yields the hash value of the root node of the global Merkle tree.
To make the global Merkle tree easier to understand, FIG. 1 shows a schematic structural diagram of a global Merkle tree provided in this specification.
FIG. 1 contains two global Merkle tree structures. In the first, leaf nodes are grouped in pairs and a parent node is computed for each pair; the computed nodes are again grouped in pairs to compute their parents. If a group is missing a node, so that a single child remains, that child's hash value can be duplicated to provide the two children from which the parent is computed. By repeatedly computing parent nodes, the hash value of the root node (the root hash) is finally determined.
In the second structure, each newly added leaf node and the current root node serve together as two child nodes; their parent is computed and becomes the new root node.
In an alternative embodiment, for each piece of information added to the trusted ledger database, the corresponding hash value is computed to obtain a leaf node, and the updated root hash is then computed either by the pairwise grouping above or from the leaf node and the current root node.
In an alternative embodiment, at each time point set according to a preset schedule (periodic or aperiodic), the root hash for that time point may be returned to the client. Because the client retains the historical root hashes, it can verify whether the trusted storage side has modified the information, and so can discover any modification.
Note that the global Merkle tree need not be updated continuously: rather than updating the tree and root hash every time a piece of information is stored, they may be updated from all stored information at the moment a root hash must be generated and returned to the client. This improves the utilization of computing resources and reduces storage latency.
The global Merkle tree links all information in the trusted ledger database. If any information is later modified, the whole global Merkle tree changes and the parent nodes and root hash must be recalculated, which makes later modification harder. The trusted storage side therefore can hardly modify information stored in the trusted ledger database, which achieves trusted storage at the technical level without requiring trust at the business level.
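The two root-hash structures and the client-side check against retained historical root hashes can be sketched as follows. This is an added example, not code from the patent; it assumes SHA-256, the concatenate-then-hash variant, and root-then-leaf ordering in the second structure, and the record contents and function names are constructed for illustration.

```python
import hashlib


def h(data: bytes) -> bytes:
    """Hash function for leaves and parents (SHA-256 is an assumption)."""
    return hashlib.sha256(data).digest()


def pairwise_root(records):
    """Structure 1: group nodes in pairs; a leftover single node is duplicated."""
    if not records:
        raise ValueError("an empty ledger has no root hash")
    level = [h(r) for r in records]
    while len(level) > 1:
        if len(level) % 2:                 # single child left: copy its hash
            level.append(level[-1])
        level = [h(level[i] + level[i + 1]) for i in range(0, len(level), 2)]
    return level[0]


def chained_root(records):
    """Structure 2: each new leaf and the current root produce the new root."""
    if not records:
        raise ValueError("an empty ledger has no root hash")
    root = h(records[0])
    for record in records[1:]:
        root = h(root + h(record))         # ordering root||leaf is an assumption
    return root


def audit(checkpoints, ledger, root_fn):
    """Client-side check against retained historical root hashes.

    checkpoints: list of (record_count, root_hash) pairs the client kept.
    Returns the record counts whose recomputed root no longer matches.
    """
    failed = []
    for count, saved_root in checkpoints:
        if len(ledger) < count or root_fn(ledger[:count]) != saved_root:
            failed.append(count)
    return failed


def demo(root_fn):
    """Constructed scenario: root hashes were returned after 3 and 5 records."""
    ledger = [b"rec-%d" % i for i in range(5)]        # constructed sample data
    checkpoints = [(3, root_fn(ledger[:3])), (5, root_fn(ledger[:5]))]

    late_edit = list(ledger)
    late_edit[4] = b"rec-4 (edited)"                  # storage side alters record 4
    early_edit = list(ledger)
    early_edit[1] = b"rec-1 (edited)"                 # storage side alters record 1

    return {
        "append_only": audit(checkpoints, ledger + [b"rec-5"], root_fn),
        "edit_record_4": audit(checkpoints, late_edit, root_fn),
        "edit_record_1": audit(checkpoints, early_edit, root_fn),
    }


if __name__ == "__main__":
    for fn in (pairwise_root, chained_root):
        print(fn.__name__, demo(fn))
```

Appending a record leaves every retained root hash valid, while editing a stored record invalidates every root hash that was issued after that record was written.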
2. Multi-party signatures.
In an alternative embodiment, information in the trusted ledger database may be digitally signed by the device that sent it, which prevents that device from repudiating the information and prevents the trusted storage side from modifying it later. If the trusted storage side does modify the information afterwards, the modified information no longer matches the digital signature, that is, signature verification fails.
In another alternative embodiment, a timestamp may be added to information in the trusted ledger database, both to establish when the information was stored and to prevent the trusted storage side from colluding with the sender of the information. To make the timestamp trustworthy, the trusted storage side may send the information (or a unique identifier of it, such as its hash value) to a trusted time service authority, which digitally signs the received information together with the current time point and returns the result to the trusted storage side. The trusted time service authority signs only on the basis of the current time point. If the trusted storage side and the sender collude to modify stored information, the authority cannot sign the information as of a past time point, only as of the current one, so a later modification made at a different time point can be detected.
Because performing a trusted time service signature on every piece of information increases storage latency, and later modification usually occurs long after the information is stored, the trusted time service signature may instead be performed at intervals over all information stored during the interval, which reduces storage latency; alternatively, the signature may be performed each time a preset number of pieces of information have been stored, which also reduces storage latency.
In addition, in an optional embodiment, after the trusted storage side stores a piece of information, it may return its own signature over that information to the sender. This confirms that the trusted storage side has stored the information and makes it difficult for the trusted storage side to repudiate having done so.
3. Public network ledger.
In an alternative embodiment, the historical root hashes of the global Merkle tree may be stored in a public network ledger. Any device on the public network can obtain the public network ledger, and the trusted storage side cannot determine which devices have obtained the historical root hashes from it. This public nature deters the trusted storage side from later modifying the historical root hashes and increases trustworthiness.
As the above analysis shows, the trusted ledger database achieves trusted storage at the technical level, without requiring trust at the business level.
The trusted ledger database therefore requires the user to digitally sign the data to be stored with the user's private key.
To protect the user's private key from leaking, the method provided in this specification also involves a key server.
The key server may be a device that provides key-related services, which may include a key generation service, a key protection service, and the like.
In this specification, the key server may store at least one key generation algorithm, use it to generate public-private key pairs, and store the generated pairs so that only the user and objects authorized by the user can access the user's public-private key pair, which improves the security of the key pair.
A data storage method provided in this specification is explained in detail below with reference to the drawings.
First, the devices involved in the method are explained. FIG. 2 is a schematic system structure diagram to which the data storage method provided in this specification is applied. The system comprises a user side, a key server, and a trusted storage side.
The user side may be a user device that needs to store data in the trusted ledger database, and the trusted storage side may be a device that maintains the trusted ledger database.
FIG. 3 is a schematic flow chart of a data storage method provided in this specification. The key server may generate and store a public-private key pair in advance at the request of the user side, and may return to the user side the unique identifier that the key pair has locally at the key server. The key server thus stores a public-private key pair generated in advance at the user side's request, and the user side stores the unique identifier that the key pair has locally at the key server.
The key server is explained below.
In an alternative embodiment, the key server may store at least two key generation algorithms.
The user side's request may designate one of the at least two key generation algorithms stored at the key server, so that the key server generates and stores the corresponding public-private key pair. That is, the key server may generate and store the public-private key pair in advance using the key generation algorithm that the user side's request designates among the at least two algorithms.
In another alternative embodiment, the key server may generate and store a public-private key pair in advance according to key parameters in the user side's request; or, at the user side's request, the key server may generate and store a public-private key pair in advance using a locally generated random number as the key parameter.
To further improve the security of the public-private key pair, especially of the private key, and to prevent the private key from being revealed to the key server itself, in an alternative embodiment a trusted execution environment may be deployed on the key server. The trusted execution environment is completely isolated from the normal execution environment, and the key server cannot normally acquire data inside it. The public-private key pair can therefore be generated inside the trusted execution environment, so that it is difficult for the key server to determine the generation process or the generated key pair, and the generated key pair can also be stored inside the trusted execution environment.
Specifically, the key server generates the public-private key pair inside the trusted execution environment according to the user side's request, and stores it in the trusted execution environment.
Of course, to prevent the generated public-private key pair from being lost, in an alternative embodiment the key server may comprise multiple devices that store the generated key pairs by distributed storage, so that the backups on multiple devices protect the key pairs from loss. Specifically, the key server may comprise a main device and at least one spare device, where the main device stores the generated public-private key pair and the spare devices store backups of it.
The specific data storage method is explained below; it may include at least the following steps.
S101: The user side sends a signature request to the key server, the request comprising a hash value of the data to be stored and the unique identifier of a designated public-private key pair.
S102: The key server determines the designated public-private key pair from the unique identifier, encrypts the hash value of the data to be stored with the private key of the designated pair to obtain a digital signature, and returns the digital signature to the user side.
Corresponding to the trusted execution environment embodiment above, in an alternative embodiment, because the public-private key pair is stored in the key server's trusted execution environment, the digital signature may also be produced inside the trusted execution environment.
Specifically: among the public-private key pairs stored in the trusted execution environment, the designated pair is determined from the unique identifier; and, inside the trusted execution environment, the hash value of the data to be stored is encrypted with the private key of the designated pair to obtain the digital signature.
S103: The user side sends the data to be stored and the digital signature to the trusted storage side, which maintains a trusted ledger database.
S104: The trusted storage side verifies the digital signature using the public key of the designated public-private key pair, provided by the key server; if verification passes, it stores the data to be stored in the trusted ledger database.
The following explains how the key server provides the public key to the trusted storage side.
In an alternative embodiment, the key server determines, based on authorization from the user side, that the public key may be provided to the trusted storage side. That is, the key server may receive an authorization request sent by the user side, which may include an identifier of the trusted storage side and the unique identifier of a designated public-private key pair.
The identifier of the trusted storage side can be used to send data to the trusted storage side; the unique identifier of the designated public-private key pair determines the single designated pair that the user side authorizes the trusted storage side to obtain.
Based on the authorization request, the key server may send the public key directly to the trusted storage side, which can then store it; or the trusted storage side may apply to the key server when it needs to verify a digital signature, and the key server determines the authorized public key (that is, the public key the trusted storage side is allowed to obtain) from the identifier of the trusted storage side.
Specifically, in an alternative embodiment, the key server may determine the designated public-private key pair from the unique identifier in the authorization request, and send the public key of the designated pair to the trusted storage side based on the identifier of the trusted storage side.
In another alternative embodiment, based on the authorization request, the key server allows the trusted storage side to obtain the public key of the designated public-private key pair from the key server.
Because the trusted storage side may be authorized for multiple public-private key pairs, that is, multiple pairs at the key server may be available to it, when the trusted storage side obtains the public key of the designated pair from the key server, the corresponding pair or pairs may be determined among the multiple pairs based on the user identifier or the unique identifier of the designated pair.
Of course, because the security requirements for the public key are not high, the trusted storage side may also directly obtain the public keys of all authorized public-private key pairs, which simplifies later signature verification because the public keys need not be fetched from the key server again.
With the above method, the public-private key pair is generated and stored at the key server, and the key server must participate whenever the private key is used to sign or the public key is obtained: for example, the key server digitally signs the data to be stored, and the trusted storage side obtains the public key from the key server to verify the digital signature. The key pair is not stored locally at the user side, and the key server allows only the user and objects authorized by the user to obtain the public key, which improves the security of the key pair and makes it difficult to lose or leak from the key server.
In addition, a trusted execution environment and distributed storage backups can further improve the security of the public-private key pair and protect it from loss or leakage.
For further understanding, Fig. 4 is an interaction diagram of a data storage method provided in this specification.
The interaction involves a user side, a key server and a trusted storage side.
A specific interaction flow may include two phases: a key generation phase and a data storage phase.
The key generation phase may include the following steps.
The user side sends a key generation request to the key server; the request may be used to select, from at least two key generation algorithms stored at the key server, the algorithm used to generate a public-private key pair for the user.
The key server generates the user's public-private key pair based on the determined key generation algorithm, stores it locally, and determines a unique identifier corresponding to the public-private key pair, which it returns to the user side so that the user side can designate, by that unique identifier, the public-private key pair to be used for digital signing.
The user side sends an authorization request to the key server; the request may be used to cause the key server to allow the trusted storage side to use the public key of a designated public-private key pair. For details, see the explanation of the method flow above.
The key generation phase is now complete.
The data storage phase may include the following steps.
The user side sends a signature request to the key server; the request may include a hash value of the data to be stored and the unique identifier of the designated public-private key pair.
The key server determines the corresponding designated public-private key pair among the stored public-private key pairs according to the unique identifier, encrypts the hash value of the data to be stored with the private key of the designated public-private key pair to obtain a digital signature, and returns the digital signature to the user side.
The user side sends the data to be stored and the digital signature to the trusted storage side.
The trusted storage side sends a public key acquisition request to the key server, and the key server may return to it all public keys that the trusted storage side is allowed to obtain.
The trusted storage side verifies the received digital signature based on the public key of the designated public-private key pair and, after confirming that the verification passes, stores the data to be stored in the trusted ledger database.
At this point, the data storage phase is complete.
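The two-phase interaction above, as an added example that is not code from the patent: a single-process Node.js model of the three roles, showing that the private key stays at the key server and that the storage side stores nothing unless verification passes. Ed25519, SHA-256, the class and method names, and the `user-1`/`store-A` identifiers are assumptions; the patent names no algorithm or API.

```javascript
// Added example (not from the patent): user side, key server and trusted storage side in one process.
// Assumptions: Ed25519 signatures, SHA-256 hashes, caller ids taken as already authenticated.
const crypto = require("node:crypto");
const sha256 = (data) => crypto.createHash("sha256").update(data).digest();

class KeyServer {
  constructor() {
    this.pairs = new Map();  // keyId -> { owner, privateKey, publicKey }; private keys never leave
    this.grants = new Map(); // keyId -> Set of storage-side ids allowed to read the public key
  }
  generateKeyPair(userId) {
    const { privateKey, publicKey } = crypto.generateKeyPairSync("ed25519");
    const keyId = crypto.randomUUID(); // the unique identifier returned to the user side
    this.pairs.set(keyId, { owner: userId, privateKey, publicKey });
    this.grants.set(keyId, new Set());
    return keyId;
  }
  ownedPair(userId, keyId) {
    const pair = this.pairs.get(keyId);
    if (!pair || pair.owner !== userId) throw new Error("unknown key pair or caller is not its owner");
    return pair;
  }
  authorize(userId, keyId, storeId) {
    this.ownedPair(userId, keyId); // only the owner may grant public-key access
    this.grants.get(keyId).add(storeId);
  }
  sign(userId, keyId, digest) {
    if (!Buffer.isBuffer(digest) || digest.length !== 32) throw new Error("expected a SHA-256 digest");
    return crypto.sign(null, digest, this.ownedPair(userId, keyId).privateKey);
  }
  publicKeyFor(storeId, keyId) {
    const granted = this.grants.get(keyId);
    if (!granted || !granted.has(storeId)) throw new Error("storage side not authorized for this key");
    return this.pairs.get(keyId).publicKey;
  }
}

class TrustedStore {
  constructor(storeId, keyServer) {
    Object.assign(this, { storeId, keyServer, ledger: [] }); // ledger stands in for the ledger database
  }
  store(keyId, data, signature) {
    const publicKey = this.keyServer.publicKeyFor(this.storeId, keyId);
    if (!crypto.verify(null, sha256(data), publicKey, signature)) return false; // reject, store nothing
    this.ledger.push({ keyId, data, signature });
    return true;
  }
}

function runFlow() {
  const keyServer = new KeyServer();
  const storeA = new TrustedStore("store-A", keyServer);
  const storeB = new TrustedStore("store-B", keyServer); // never authorized by the user
  const keyId = keyServer.generateKeyPair("user-1");     // key generation phase
  keyServer.authorize("user-1", keyId, "store-A");
  const data = Buffer.from("constructed record 1");      // data storage phase (constructed sample)
  const signature = keyServer.sign("user-1", keyId, sha256(data));
  const accepted = storeA.store(keyId, data, signature);
  const alteredAccepted = storeA.store(keyId, Buffer.from("constructed record 2"), signature);
  let otherStoreDenied = false;
  try { storeB.store(keyId, data, signature); } catch { otherStoreDenied = true; }
  let otherUserDenied = false;
  try { keyServer.sign("user-2", keyId, sha256(data)); } catch { otherUserDenied = true; }
  return { accepted, alteredAccepted, otherStoreDenied, otherUserDenied, stored: storeA.ledger.length };
}
```

In a deployment the `userId` and `storeId` arguments would come from an authenticated channel rather than from the caller, since every access decision in the key server depends on them.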
This specification also provides a system embodiment. Fig. 5 is a schematic structural diagram of a data storage system provided in this specification. The system may include a user side 201, a key server 202 and a trusted storage side 203.
The key server 202 may store a public-private key pair generated in advance according to a request of the user side, and the user side 201 stores the unique identifier that the public-private key pair has locally at the key server 202.
The user side 201 may be configured to send a signature request to the key server 202, the request comprising a hash value of the data to be stored and the unique identifier of a designated public-private key pair.
The key server 202 may be configured to determine the corresponding designated public-private key pair according to the unique identifier, encrypt the hash value of the data to be stored with the private key of the designated public-private key pair to obtain a digital signature, and return the digital signature to the user side 201.
The user side 201 may be configured to send the data to be stored and the digital signature to the trusted storage side 203; the trusted storage side 203 may maintain a trusted ledger database.
The trusted storage side 203 may be configured to verify the digital signature based on the public key of the designated public-private key pair provided by the key server 202 and, if the verification passes, store the data to be stored in the trusted ledger database.
The key server 202 may store at least two key generation algorithms, and may specifically be configured to generate and store, in advance, the corresponding public-private key pair according to the key generation algorithm, among the at least two key generation algorithms, that is specified by the user side request.
The key server 202 may specifically be configured to generate and store a public-private key pair in advance according to key parameters in the user side request, or to generate and store a public-private key pair in advance, according to the user side request, using a locally generated random number as the key parameter.
The key server 202 may be deployed with a trusted execution environment; correspondingly, the key server 202 may specifically be configured to generate a public-private key pair in the trusted execution environment, in advance according to the user side request, and store it in the trusted execution environment.
The key server 202 may specifically be configured to determine, among the public-private key pairs stored in the trusted execution environment, the corresponding designated public-private key pair according to the unique identifier, and, in the trusted execution environment, encrypt the hash value of the data to be stored with the private key of the designated public-private key pair to obtain a digital signature.
The key server 202 may also be configured to receive an authorization request sent by the user side, the authorization request comprising an identifier of the trusted storage side and the unique identifier of a designated public-private key pair, and, based on the authorization request, allow the trusted storage side to use the public key of the designated public-private key pair.
For explanations of the system embodiments, refer to the method embodiments described above.
The foregoing is only a detailed description of the embodiments of this specification. It should be noted that those skilled in the art can make many modifications and refinements without departing from the principles of the embodiments of this specification, and these modifications and refinements should also be regarded as falling within the scope of protection of the embodiments of this specification.

Claims (15)

1. A data storage method, wherein a key server generates and stores a public-private key pair in advance according to a request of a user side, and returns to the user side the unique identifier that the public-private key pair has locally at the key server; the method comprises the following steps:
the user side sends a signature request to the key server, wherein the request comprises a hash value of data to be stored and a unique identifier of a designated public-private key pair;
the key server determines the corresponding designated public-private key pair according to the unique identifier, encrypts the hash value of the data to be stored using the private key of the designated public-private key pair to obtain a digital signature, and returns the digital signature to the user side;
the user side sends the data to be stored and the digital signature to a trusted storage side; the trusted storage side maintains a trusted ledger database, wherein a global Merkle tree is maintained in the trusted ledger database; the current root hash of the global Merkle tree is returned to the user side at each time point scheduled by a preset time plan; the historical root hashes of the global Merkle tree are stored in a public network ledger that can be obtained by any device in the public network;
the trusted storage side verifies the digital signature based on the public key of the designated public-private key pair provided by the key server; and if the verification passes, stores the data to be stored in the trusted ledger database.
2. The method of claim 1, wherein the key server stores at least two key generation algorithms;
the key server generating and storing a public-private key pair in advance according to a user side request specifically comprises:
the key server generates and stores, in advance, the corresponding public-private key pair according to the key generation algorithm, among the at least two key generation algorithms, that is specified by the user side request.
3. The method of claim 1, wherein the key server generating and storing a public-private key pair in advance according to a user side request specifically comprises:
the key server generates and stores a public-private key pair in advance according to key parameters in the user side request;
or
the key server generates and stores a public-private key pair in advance, according to the user side request, using a locally generated random number as the key parameter.
4. The method of claim 1, wherein the key server is deployed with a trusted execution environment;
the key server generating and storing a public-private key pair in advance according to a user side request specifically comprises:
the key server generates the public-private key pair in the trusted execution environment, in advance according to the user side request, and stores it in the trusted execution environment.
5. The method of claim 4, wherein determining the corresponding designated public-private key pair according to the unique identifier and encrypting the hash value of the data to be stored using the private key of the designated public-private key pair to obtain a digital signature specifically comprises:
determining, among the public-private key pairs stored in the trusted execution environment, the corresponding designated public-private key pair according to the unique identifier; and, in the trusted execution environment, encrypting the hash value of the data to be stored using the private key of the designated public-private key pair to obtain a digital signature.
6. The method of claim 1, wherein the key server comprises a plurality of devices, and each device stores a public-private key pair generated by the key server.
7. The method of claim 1, further comprising:
the key server receives an authorization request sent by the user side, wherein the authorization request comprises an identifier of the trusted storage side and the unique identifier of a designated public-private key pair;
the key server allows the trusted storage side to use the public key of the designated public-private key pair based on the authorization request.
8. The method of claim 1, wherein the trusted ledger is a block-chained ledger.
9. A data storage system, comprising: a user side, a key server and a trusted storage side; the key server stores a public-private key pair generated in advance according to a user side request, and the user side stores the unique identifier that the public-private key pair has locally at the key server;
the user side is configured to: send a signature request to the key server, wherein the request comprises a hash value of data to be stored and a unique identifier of a designated public-private key pair;
the key server is configured to: determine the corresponding designated public-private key pair according to the unique identifier, encrypt the hash value of the data to be stored using the private key of the designated public-private key pair to obtain a digital signature, and return the digital signature to the user side;
the user side is configured to: send the data to be stored and the digital signature to the trusted storage side; the trusted storage side maintains a trusted ledger database, wherein a global Merkle tree is maintained in the trusted ledger database; the current root hash of the global Merkle tree is returned to the user side at each time point scheduled by a preset time plan; the historical root hashes of the global Merkle tree are stored in a public network ledger that can be obtained by any device in the public network;
the trusted storage side is configured to: verify the digital signature based on the public key of the designated public-private key pair provided by the key server; and if the verification passes, store the data to be stored in the trusted ledger database.
10. The system of claim 9, wherein the key server stores at least two key generation algorithms;
the key server is specifically configured to: generate and store, in advance, the corresponding public-private key pair according to the key generation algorithm, among the at least two key generation algorithms, that is specified by the user side request.
11. The system of claim 9, wherein the key server is specifically configured to:
generate and store a public-private key pair in advance according to key parameters in the user side request;
or
generate and store a public-private key pair in advance, according to the user side request, using a locally generated random number as the key parameter.
12. The system of claim 9, wherein the key server is deployed with a trusted execution environment;
the key server is specifically configured to: generate a public-private key pair in the trusted execution environment, in advance according to the user side request, and store it in the trusted execution environment.
13. The system of claim 12, wherein the key server is specifically configured to:
determine, among the public-private key pairs stored in the trusted execution environment, the corresponding designated public-private key pair according to the unique identifier; and, in the trusted execution environment, encrypt the hash value of the data to be stored using the private key of the designated public-private key pair to obtain a digital signature.
14. The system of claim 9, wherein the key server is further configured to:
receive an authorization request sent by the user side, wherein the authorization request comprises an identifier of the trusted storage side and the unique identifier of a designated public-private key pair;
based on the authorization request, allow the trusted storage side to use the public key of the designated public-private key pair.
15. The system of claim 9, wherein the trusted ledger is a block-chained ledger.
CN202110170267.5A 2021-02-07 2021-02-07 Data storage method and system Active CN112507034B (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN202110766889.4A CN113468270A (en) 2021-02-07 2021-02-07 Data storage method and system
CN202110170267.5A CN112507034B (en) 2021-02-07 2021-02-07 Data storage method and system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202110170267.5A CN112507034B (en) 2021-02-07 2021-02-07 Data storage method and system

Related Child Applications (1)

Application Number Title Priority Date Filing Date
CN202110766889.4A Division CN113468270A (en) 2021-02-07 2021-02-07 Data storage method and system

Publications (2)

Publication Number Publication Date
CN112507034A CN112507034A (en) 2021-03-16
CN112507034B true CN112507034B (en) 2021-06-01

Family

ID=74952791

Family Applications (2)

Application Number Title Priority Date Filing Date
CN202110170267.5A Active CN112507034B (en) 2021-02-07 2021-02-07 Data storage method and system
CN202110766889.4A Pending CN113468270A (en) 2021-02-07 2021-02-07 Data storage method and system

Family Applications After (1)

Application Number Title Priority Date Filing Date
CN202110766889.4A Pending CN113468270A (en) 2021-02-07 2021-02-07 Data storage method and system

Country Status (1)

Country Link
CN (2) CN112507034B (en)

Family Cites Families (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR20120053929A (en) * 2010-11-18 2012-05-29 이혜지 The agent system for digital signature using sign private key with double encryption and method thereof features to store in web storage
US10693658B2 (en) * 2016-02-12 2020-06-23 Visa International Service Association Methods and systems for using digital signatures to create trusted digital asset transfers
CN110011801B (en) * 2018-11-16 2020-10-20 创新先进技术有限公司 Remote certification method and device for trusted application program and electronic equipment
CN109951290B (en) * 2019-01-31 2022-03-01 创新先进技术有限公司 Time service authentication method, device and equipment for chain type account book
CN110071808A (en) * 2019-04-09 2019-07-30 郭浩 A kind of the secure digital identity verification method and device of block chain user
CN110163006B (en) * 2019-04-18 2020-07-07 阿里巴巴集团控股有限公司 Signature verification method, system, device and equipment in block chain type account book
CN110266494B (en) * 2019-05-23 2020-08-04 阿里巴巴集团控股有限公司 Time service authentication method, device and equipment in block chain type account book
SG11202010205SA (en) * 2019-11-13 2020-11-27 Alipay Hangzhou Inf Tech Co Ltd Managing trust points in ledger systems

Also Published As

Publication number Publication date
CN113468270A (en) 2021-10-01
CN112507034A (en) 2021-03-16

Similar Documents

Publication Publication Date Title
CN111159288B (en) Method, system, device and medium for storing, verifying and realizing chained structure data
CN107196966B (en) Identity authentication method and system based on block chain multi-party trust
US11615060B2 (en) Constructing a multiple entity root of trust
CN106487821B (en) Digital signature method based on Internet block chain technology
US20100217986A1 (en) Authenticated secret sharing
CN110912706A (en) Identity-based dynamic data integrity auditing method
EP3394848A1 (en) Method for storing data on a storage entity
US11050745B2 (en) Information processing apparatus, authentication method, and recording medium for recording computer program
WO2015155368A1 (en) System and method for sequential data signatures
CN111339199B (en) Block chain key recovery method and device
US20220086009A1 (en) Method for generating stateful hash based signatures of messages to be signed
Chen et al. An approach to verifying data integrity for cloud storage
US20210105136A1 (en) Method for securing a data exchange in a distributed infrastructure
Karbasi et al. A post-quantum end-to-end encryption over smart contract-based blockchain for defeating man-in-the-middle and interception attacks
CN115604038B (en) Cloud storage data auditing system and method based on blockchain and edge computing
CN110784300B (en) Secret key synthesis method based on multiplication homomorphic encryption
US20160080336A1 (en) Key Usage Detection
CN114297678A (en) Operation method, device, equipment and storage medium of union chain system
CN112507034B (en) Data storage method and system
Hegde et al. Hash based integrity verification for vehicular cloud environment
Zou et al. Dynamic provable data possession based on ranked merkle hash tree
CN113987546A (en) Alliance chain system based on identification password system
Hahn et al. Verifiable outsourced decryption of encrypted data from heterogeneous trust networks
US10469267B2 (en) Method of managing implicit certificates using a distributed public keys infrastructure
CN115037530B (en) Ciphertext deduplication and decentralization audit method based on block chain

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
REG Reference to a national code (Ref country code: HK; Ref legal event code: DE; Ref document number: 40048349; Country of ref document: HK)