CN116755618A - File secure access method based on blockchain and distributed storage - Google Patents


Publication number
CN116755618A
Authority
CN
China
Prior art keywords
file
ciphertext
algorithm
digest
encryption
Legal status
Pending
Application number
CN202310650835.0A
Other languages
Chinese (zh)
Inventor
王荣
朱琨
薛善良
闫长阳
葛珈辰
Current Assignee
Nanjing University of Aeronautics and Astronautics
Original Assignee
Nanjing University of Aeronautics and Astronautics
Application filed by Nanjing University of Aeronautics and Astronautics
Priority to CN202310650835.0A
Publication of CN116755618A

Classifications

    • G06F3/062 Securing storage systems
    • G06F21/602 Providing cryptographic facilities or services
    • G06F21/606 Protecting data by securing the transmission between two devices or processes
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • G06F21/64 Protecting data integrity, e.g. using checksums, certificates or signatures
    • G06F3/0644 Management of space entities, e.g. partitions, extents, pools
    • G06F3/067 Distributed or networked storage systems, e.g. storage area networks [SAN], network attached storage [NAS]
    • H04L9/50 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols using hash chains, e.g. blockchains or hash trees

Abstract

A secure access method for classified files based on blockchain and distributed storage, characterized by comprising the following: a blockchain and a distributed storage system are used together to store and retrieve classified files securely; before data storage, the file is dynamically encrypted according to its security level and size, the file ciphertext is uploaded to the distributed storage system, the digest information required for the file is uploaded to the blockchain, and the data relating to the file is retrieved using the file's unique identifier as an index. The application achieves both security and convenience of file storage.

Description

File secure access method based on blockchain and distributed storage
Technical Field
The application relates to the technical field of computer information security, in particular to a method for the secure storage and retrieval of classified electronic files, and specifically to a file secure access method based on blockchain and distributed storage.
Background
Protecting the authenticity, integrity, availability and security of electronic file content is a key research topic in the field of computer file storage. Storage that relies on trust in a third party is easily attacked and misused, and classified electronic files must not be read or accessed by unauthorized third parties. A blockchain makes data storage decentralized and trustless, which greatly protects the sensitive data in classified electronic files and ensures that the files are tamper-proof and traceable.
As a chain structure, a blockchain has limited storage space, so blockchain storage is combined with distributed storage technology. A distributed storage system adopts a scalable architecture, uses multiple storage servers to share the storage load, and uses location servers to locate stored information. This greatly improves the utilization of data resources and, while meeting users' needs for storing data, provides a data sharing channel that facilitates data exchange.
Blockchain-based distributed storage encrypts and slices the file information before storage: a small amount of core encrypted information is stored in the blockchain, and the complete encrypted data is stored in the distributed storage system. This extends the storage space of the blockchain and ensures the security of data storage while preserving file access speed and convenience.
Disclosure of Invention
The application addresses the limited storage space of blockchains and discloses a secure access method for classified files based on blockchain and distributed storage, comprising a file encryption storage method and a file decryption acquisition method for a blockchain and distributed file storage system.
The first technical scheme of the application is as follows:
A classified file access method based on a blockchain and a distributed file storage system, characterized by comprising a file encryption storage method and a matching file decryption acquisition method:
The file encryption storage method comprises the following steps:
S11, generate an asymmetric-encryption public/private key pair using an elliptic curve algorithm;
S12, calculate the file digest of the file to be encrypted using a hash algorithm;
S13, generate a symmetric encryption key from the file digest of the file to be encrypted using a character string extraction method;
S14, parse the file to be encrypted, obtain its size and security level, and determine the symmetric encryption algorithm from them: when the file security level is at or above commercial secret, the AES-256 algorithm is used for all files; the DES algorithm is used for files whose security level is public and whose size is greater than 100M; and the AES-128 algorithm is used for files whose size is less than 100M;
S15, take the encryption key from S13 and the symmetric encryption algorithm from S14, encrypt the file to form the file ciphertext, and record the size and security level of the file as related attributes;
S16, combine the file digest generated in S12 and the file encryption key generated in S13 into a digest to be encrypted, and encrypt it using an elliptic curve encryption algorithm to obtain the digest ciphertext; the combination may be, for example, string concatenation of the file digest and the file encryption key, or interleaving the encryption key with the file digest;
S17, upload the file ciphertext slices to the distributed storage system for storage, compute the hash value of each slice from its content, and concatenate the identification codes of the file ciphertext slices to obtain the identification set code;
S18, store the identification set code from S17, the digest ciphertext of the file from S16, and the related attributes of the file from S15 in the blockchain, with the file's unique identifier as the index.
The unique file identifier can be generated in two ways:
S18a, use the identification set code generated in S17 as the unique identifier of the file;
S18b, use the file name given by the user who uploads the file as the unique identifier.
The file decryption acquisition method comprises the following steps:
S21, using the unique identifier of the file as the index, retrieve the block that stores the file information in the blockchain, and obtain from it the corresponding file digest ciphertext, the identification set code of the file and the related attributes of the file, where the related attributes comprise the size and security level of the file;
S22, obtain the identification codes of all file slices from the file identification set code, look them up in the distributed storage system to obtain the stored file ciphertext slices, and reassemble the slices into the complete file ciphertext;
S23, obtain the file decryption key:
obtain the user's private key and decrypt the file digest ciphertext obtained in the first step with the elliptic curve encryption algorithm to obtain the file digest plaintext; parse the file digest ciphertext using a preset strategy to obtain the digest plaintext of the file, and obtain the decryption key of the file from the digest plaintext;
S24, parse the related attributes of the file, determine the size and security level of the stored file, and obtain the decryption algorithm corresponding to the encryption algorithm of the file ciphertext;
S25, decrypt the file: decrypt the file ciphertext obtained in S22 using the decryption key obtained in S23 and the decryption algorithm obtained in S24 to obtain the decrypted file.
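The bookkeeping in S13, S14, S17, S18 and S21 to S24, as an added example that is not code from the patent. Assumptions: SHA-256 as the slice hash, the key taken from the leading digest bytes, the level names, in-memory dicts standing in for the distributed store and the blockchain, and a constructed opaque byte string in place of real ciphertext (the cipher itself is outside this example).

```python
import hashlib

MB = 1024 * 1024
ID_LEN = 64  # hex length of one SHA-256 slice identifier (assumed slice hash)
LEVELS = {"public": 0, "commercial_secret": 1}  # assumed ordering of levels
# Key bytes per algorithm; a DES key is 8 bytes, of which 56 bits are effective.
KEY_BYTES = {"AES-256": 32, "AES-128": 16, "DES": 8}


def select_algorithm(level: str, size_bytes: int) -> str:
    """S14/S24 policy. A public file of exactly 100M is not covered by the
    text; it is treated as AES-128 here (assumption)."""
    if LEVELS[level] >= LEVELS["commercial_secret"]:
        return "AES-256"
    return "DES" if size_bytes > 100 * MB else "AES-128"


def derive_key(file_digest: bytes, algorithm: str) -> bytes:
    """S13: cut a fixed-length string out of the file digest.
    Taking the leading bytes is an assumption; the text leaves the rule open."""
    need = KEY_BYTES[algorithm]
    if len(file_digest) < need:
        # e.g. a 16-byte MD5 digest cannot supply a 32-byte AES-256 key
        raise ValueError("digest too short for " + algorithm)
    return file_digest[:need]


def upload_slices(ciphertext: bytes, slice_size: int, store: dict) -> str:
    """S17: store each slice under the hash of its content and return the
    identification set code (all slice identifiers concatenated in order)."""
    ids = []
    for off in range(0, len(ciphertext), slice_size):
        piece = ciphertext[off:off + slice_size]
        slice_id = hashlib.sha256(piece).hexdigest()
        store[slice_id] = piece  # identical slices share one entry
        ids.append(slice_id)
    return "".join(ids)


def chain_record(chain: dict, set_code: str, digest_ct: bytes,
                 size_bytes: int, level: str) -> str:
    """S18 with option S18a: the set code itself is the unique identifier."""
    chain[set_code] = {"set_code": set_code, "digest_ciphertext": digest_ct,
                       "size": size_bytes, "level": level}
    return set_code


def fetch_ciphertext(set_code: str, store: dict) -> bytes:
    """S22: split the set code into identifiers, fetch every slice, check
    that its content still hashes to its identifier, and reassemble."""
    if len(set_code) % ID_LEN:
        raise ValueError("malformed identification set code")
    pieces = []
    for i in range(0, len(set_code), ID_LEN):
        slice_id = set_code[i:i + ID_LEN]
        piece = store.get(slice_id)
        if piece is None:
            raise KeyError("missing slice " + slice_id)
        if hashlib.sha256(piece).hexdigest() != slice_id:
            raise ValueError("slice content does not match its identifier")
        pieces.append(piece)
    return b"".join(pieces)


def receiver_parameters(chain: dict, file_id: str) -> tuple:
    """S21 + S24: read the record and re-derive the cipher from its attributes."""
    rec = chain[file_id]
    return rec["set_code"], select_algorithm(rec["level"], rec["size"])


if __name__ == "__main__":
    store, chain = {}, {}
    plain = b"constructed sample document\n" * 40        # constructed input
    digest = hashlib.sha256(plain).digest()               # S12
    algo = select_algorithm("commercial_secret", len(plain))
    key = derive_key(digest, algo)
    fake_ct = bytes(range(256)) * 5                       # stands in for ciphertext
    fid = chain_record(chain, upload_slices(fake_ct, 512, store),
                       b"<digest ciphertext>", len(plain), "commercial_secret")
    code, algo2 = receiver_parameters(chain, fid)
    print(algo, len(key), algo2, fetch_ciphertext(code, store) == fake_ct)
```

Because each slice identifier is the hash of the slice content, the receiver can detect a modified or substituted slice before any decryption is attempted.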
The second technical scheme of the application is as follows:
A classified file encryption storage device based on a blockchain and a distributed file storage system, characterized by comprising:
a public/private key generation module 310, configured to generate an asymmetric-encryption public/private key pair using an elliptic curve algorithm;
a file digest generation module 320, configured to calculate the file digest of the file to be encrypted using a hash algorithm;
an encryption key generation module 330, configured to generate a symmetric encryption key from the file digest of the file to be encrypted using a character string extraction method;
an encryption algorithm selection module 340, configured to parse the file to be encrypted, obtain its size and security level, and determine the symmetric encryption algorithm to be used from the size and security level of the file;
a file encryption module 350, configured to encrypt the file with the encryption key and the symmetric encryption algorithm to form the file ciphertext, and to record the size and security level of the file as related attributes;
a digest encryption module 360, configured to combine the generated file digest and the file encryption key into a digest to be encrypted, and to encrypt it using an elliptic curve encryption algorithm to obtain the digest ciphertext;
a file upload module 370, configured to upload the file ciphertext slices to the distributed storage system for storage, compute the hash value of each slice from its content, and concatenate the identification codes of the file ciphertext slices to obtain the identification set code;
a file record module 380, configured to store the identification set code of the file, the digest ciphertext of the file, and the related attributes of the file in the blockchain, with the file's unique identifier as the index.
The third technical scheme of the application is as follows:
A classified file decryption acquisition device based on a blockchain and a distributed file storage system, characterized by comprising:
a file acquisition module 410, configured to use the unique identifier of the file as the index, retrieve the block that stores the file information in the blockchain, and obtain from it the corresponding file digest ciphertext, the identification set code of the file and the related attributes of the file, where the related attributes comprise the size and security level of the file;
a ciphertext combination module 420, configured to obtain the identification codes of all file slices from the file identification set code, look them up in the distributed storage system to obtain the stored file ciphertext slices, and reassemble the slices into the complete file ciphertext;
a file decryption key acquisition module 430, configured to obtain the file decryption key: decrypt the file digest ciphertext obtained by the file acquisition module 410 with the user's private key and the elliptic curve encryption algorithm to obtain the file digest plaintext; parse the file digest ciphertext using a preset strategy to obtain the digest plaintext of the file, and obtain the decryption key of the file from the digest plaintext;
a file decryption algorithm acquisition module 440, configured to parse the related attributes of the file, determine the size and security level of the stored file, and obtain the decryption algorithm corresponding to the encryption algorithm of the file ciphertext;
a file decryption module 450, configured to decrypt the file: decrypt the file ciphertext with the decryption key and the decryption algorithm to obtain the decrypted file.
Briefly:
The application discloses a secure access method for classified files based on blockchain and distributed storage, comprising the following steps:
Step S1: the sender of the classified file encrypts and stores the file, specifically:
Step S11, encrypt the digest of the file: obtain the file digest using a hash algorithm, and cut a fixed-length character string out of the digest to serve as the file's symmetric encryption key; combine the digest of the file and the resulting symmetric encryption key into a digest to be encrypted, and encrypt it with the file receiver's public key using elliptic curve encryption to obtain the file digest ciphertext;
Step S12, dynamically encrypt the file: dynamically determine the symmetric encryption algorithm from the size and security level of the file, and encrypt the file with the symmetric encryption key obtained in step S11 to obtain the file ciphertext;
Step S13, the file sender stores the file-related data, comprising data storage in the distributed storage system (step S131) and data storage in the blockchain (step S132):
Step S131, slice the file ciphertext formed in step S12 and store each slice in the distributed storage system; compute the hash value of each slice from its content and use it as the identification code that identifies the storage address; return the identification codes, and combine the identification codes of all slices to obtain the identification set code;
Step S132, store the file digest ciphertext, the identification set code from step S131, and the file size and security level from step S12 in the blockchain, with the file's unique identifier as the index;
Step S2: the file sender sends the unique file identifier to the file receiver;
Step S3: using the unique file identifier as the index, the file receiver looks up the corresponding file digest ciphertext, identification set code, file size and security level in the blockchain; it is then determined whether the receiver can decrypt the file digest ciphertext with its own private key; if not, the receiver has no permission to view the file and the flow ends; if so, the subsequent steps are executed;
Step S4: the file receiver decrypts with its private key to obtain the file digest plaintext, parses the digest plaintext to obtain the file encryption key, and determines the decryption algorithm of the file from the size and security level of the file;
Step S5: the file receiver parses the identification set code to obtain the storage addresses of the file ciphertext in the distributed storage system, fetches each file ciphertext slice and restores the file ciphertext; the file ciphertext is decrypted with the decryption algorithm and the encryption key determined in step S4 to obtain the file plaintext; after the file is decrypted, the sharing flow ends.
In step S11, the digest of the file is obtained using a hash algorithm; specifically, the digest of the file is calculated using the MD5 or SHA256 algorithm.
In step S11, the digest of the file is obtained using a hash algorithm; when the shared file is a large file, the UUID of the file is obtained first, and the hash algorithm is then used to calculate the file digest corresponding to the UUID.
The dynamically determined symmetric encryption algorithm in step S12 is specifically as follows: files whose security level is higher than secret use the AES-256 algorithm; files whose security level is public and whose size is greater than 100M use the DES algorithm; files whose size is less than 100M use the AES-128 algorithm.
The unique identifier of the file is the identification set code obtained in S131.
Alternatively, the unique file identifier is a non-repeating file name chosen by the user.
The beneficial effects of the application are as follows:
The application combines blockchain and distributed storage technology to store files in a distributed manner, so files are not leaked or tampered with as the result of an attack on a third-party trust-based storage service. The blockchain and the distributed file system also hold the intermediate data of the file encryption and decryption process, which avoids a single point of failure and keeps the system running stably. The scheme uses offline encryption, which avoids data leakage during plaintext file transmission, so files can be transmitted and stored more securely. The encryption method is adjusted according to the security level and file size, which reduces the time and computing resources spent on encryption while preserving file security, satisfying both the security and the usability of the file storage system.
Drawings
FIG. 1 is a flow chart of the file encryption storage method based on a blockchain and a distributed file storage system.
FIG. 2 is a flow chart of the file decryption acquisition method based on a blockchain and a distributed file storage system.
FIG. 3 is a framework diagram of the file encryption storage device based on a blockchain and a distributed file storage system.
FIG. 4 is a framework diagram of the file decryption acquisition device based on a blockchain and a distributed file storage system.
FIG. 5 is the data structure of a block that stores file information in the blockchain.
Detailed Description
The technical solutions in the embodiments of the present application are described below with reference to the accompanying drawings.
As shown in FIGS. 1-5.
The application consists of the following four parts:
Part one:
S1, a file encryption storage method based on a blockchain and a distributed file storage system, as shown in FIG. 1, specifically comprises the following steps:
S11, generate an asymmetric-encryption public/private key pair using an elliptic curve algorithm; the public key is automatically uploaded to the blockchain, and the private key is kept by the user;
The public/private key pair is generated with a key generator provided by an elliptic curve algorithm. Elliptic curve cryptography is a public-key encryption algorithm built on the difficulty of the discrete logarithm problem on elliptic curves; like RSA, it relies on a computation that is easy in one direction and hard to reverse. Compared with RSA, elliptic curve cryptography can use shorter keys while providing a comparable level of security, and elliptic curve algorithms can define bilinear maps between groups, enabling identity-based cryptography.
The key pair can be generated offline and distributed centrally by an administrator, or generated when a user logs into the system. The public key is automatically uploaded to the blockchain, and the user keeps the private key. The private key is the sole credential for decrypting files in the decryption process and is held entirely by the user to avoid leakage. The public key is the sole credential for encrypting files in the encryption process and can be shared. Sharing the public key does not leak the file and helps the file sharing process. Because the public key is stored in the blockchain, the blockchain's synchronization mechanism makes distribution more convenient and faster.
The elliptic curve encryption algorithm is implemented as follows:
The classical elliptic curve equation $y^2 = x^3 + ax + b$ is used here. The finite field is $F_p$, where $p$ is a prime number, and the $p$ elements of the field are used to satisfy the elliptic curve equation. The points on this curve follow the point addition and point multiplication rules of the curve.
Key generation: select suitable curve parameters $a$ and $b$ to generate the curve $E(a, b)$, and select the base point $G(x, y)$ on the curve. If the private key $d$ is chosen by any method, the public key $K$ is obtained from formula (1):
$K = d \cdot G = (x_1, y_1)$ (1)
Encryption: the plaintext point is denoted $M$, the key is the public key $K$, and the resulting ciphertext is denoted $C$. It is calculated with formula (2):
$C = (rG,\ M + rK) = (c_1, c_2)$ (2)
Decryption: using the private key $d$ and the ciphertext $C$, the plaintext $M$ is recovered with formula (3):
$M = c_2 - d\,c_1$ (3)
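Formulas (1) to (3) carried through on a small curve, as an added example that is not code from the patent. Assumptions: the constructed textbook-sized curve y^2 = x^3 + 2x + 2 over F_17 with base point G = (5, 1) of order 19, r taken as a fresh random scalar per encryption (the text does not define r), and a plaintext that is already encoded as a curve point.

```python
import secrets

# Constructed toy parameters (assumption): y^2 = x^3 + A*x + B over F_P.
P, A, B = 17, 2, 2
G = (5, 1)      # base point
N = 19          # order of G on this curve
O = None        # point at infinity (identity element)


def on_curve(pt):
    if pt is O:
        return True
    x, y = pt
    return (y * y - (x * x * x + A * x + B)) % P == 0


def neg(pt):
    return O if pt is O else (pt[0], (-pt[1]) % P)


def add(p1, p2):
    """Point addition, including doubling and the identity cases."""
    if p1 is O:
        return p2
    if p2 is O:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return O                                   # p2 == -p1
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow((2 * y1) % P, -1, P) % P
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def mul(k, pt):
    """Scalar multiplication k*pt by double-and-add."""
    result, addend = O, pt
    while k:
        if k & 1:
            result = add(result, addend)
        addend = add(addend, addend)
        k >>= 1
    return result


def keygen():
    d = secrets.randbelow(N - 1) + 1               # private key in [1, N-1]
    return d, mul(d, G)                            # formula (1): K = d*G


def encrypt(m_point, pub, r=None):
    if not on_curve(m_point) or m_point is O:
        raise ValueError("plaintext must be a finite point on the curve")
    if r is None:
        r = secrets.randbelow(N - 1) + 1           # fresh r per message (assumption)
    return mul(r, G), add(m_point, mul(r, pub))    # formula (2): (rG, M + rK)


def decrypt(d, cipher):
    c1, c2 = cipher
    return add(c2, neg(mul(d, c1)))                # formula (3): M = c2 - d*c1


if __name__ == "__main__":
    d, K = keygen()
    M = mul(3, G)                                  # constructed plaintext point
    C = encrypt(M, K)
    print("K =", K, "C =", C, "recovered M =", decrypt(d, C))
```

Decryption works because c2 - d*c1 = M + r(dG) - d(rG) = M; a holder of a different private key obtains a different point.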
S12, calculate the file digest of the file to be encrypted using a hash algorithm;
The MD5 or SHA256 algorithm can be chosen to calculate the file digest. Alternatively, because file size strongly affects the speed of the digest calculation, computing the digest of a relatively large file by the method above may take a long time; to improve efficiency, a random non-repeating character string based on the file, such as a UUID, can be generated first, and the file digest corresponding to the UUID is then calculated, which reduces the time spent on the digest calculation. The file digest can be used later to judge whether the file has been tampered with, that is, comparing the digest before and after storage verifies that the file has not been altered.
The SHA-256 algorithm is implemented as follows:
Let the file information be $M$ with length $L$; the hash value of the file calculated by the SHA-256 algorithm is $H(M)$.
1. Padding: append $b$ zeros and one 1 at the end of $M$ so that the message length is an integer multiple of 512, giving $M'$; the length of $M'$ is denoted $l$.
$b = 512 - (L \bmod 512)$
$M' = (M,\ b\ \text{zeros},\ 1)$
2. Divide $M'$ into $n$ message blocks $M_1, \ldots, M_n$, each 512 bits long.
$n = l/512$
3. Initialization: set the initial values of the 8 registers (A, B, C, D, E, F, G, H), each 32 bits long (each register holds 4 bytes):
A=0x6A09E667 B=0xBB67AE85 C=0x3C6EF372
D=0xA54FF53A E=0x510E527F F=0x9B05688C
G=0x1F83D9AB H=0x5BE0CD19
4. Iteration: repeat the following steps for each message block:
1) Divide the message block into 16 sub-blocks $N_0, \ldots, N_{15}$, each 32 bits long.
2) Set the local variables a, b, c, d, e, f, g, h (each 32 bits long):
a=A b=B c=C d=D
e=E f=F g=G h=H
3) Loop the following function calculations 64 times:
$T_1 = h + \Sigma_1(e) + Ch(e,f,g) + K_t + W_t$ $(0 \le t \le 15)$
$W_t = \sigma_1(W_{t-2}) + W_{t-7} + \sigma_0(W_{t-15}) + W_{t-16}$ $(0 \le t \le 15)$
$T_2 = \Sigma_0(a) + Maj(a,b,c)$
h=g
g=f
f=e
e=d+T1
d=c
c=b
b=a
a=T1+T2
$S^n$ denotes a cyclic right shift by $n$ bits.
$R^n$ denotes a right shift by $n$ bits.
The symbol "a" represents the sum of operations,representing non-operations
4) After the 64 rounds, the calculated a, b, c, d, e, f, g, h are added to the registers A, B, C, D, E, F, G, H, and the sums are stored back in the registers.
5. Hash value calculation result:
The hash value of the file information $M$ calculated by the SHA-256 algorithm is $H(M) = A \| B \| C \| D \| E \| F \| G \| H$ (the final values of the registers concatenated).
S13, generate a symmetric encryption key from the file digest of the file to be encrypted using a character string extraction method;
The file digest generated in S12 is processed into a fixed-length character string, either by cutting out a fixed-length substring or by applying a rule, and that string is used as the symmetric encryption key; for example, one byte of the file digest is taken, or a string of suitable length is obtained according to the rule. The uniqueness of the hash algorithm ensures the uniqueness and randomness of the resulting key and increases the difficulty of brute-force cracking.
S14, parse the file to be encrypted, obtain its size and security level, and determine the symmetric encryption algorithm from the size and security level of the file;
During upload, the file is first parsed to obtain its size and security level. The encryption policy is: when the file security level is at or above commercial secret, the AES-256 algorithm is used; for files whose security level is public, the DES algorithm is used when the file size is greater than 100M, and the AES-128 algorithm is used when the file size is less than 100M. DES encrypts and decrypts faster than the AES algorithm, but its security is somewhat lower. The key length of the AES variants also affects encryption speed: the longer the key, the slower the encryption. Choosing the encryption algorithm according to the combination of file security level and file size therefore improves overall encryption efficiency while preserving file security. AES-256 is generally considered more secure than AES-128 and DES, so the AES-256 algorithm is used when the file security level is high. For files whose security level is public, the AES-128 or DES algorithm, which is less secure but less time-consuming, is used.
The DES algorithm is implemented as follows:
the DES algorithm encrypts 64-bit initial plaintext by using a 56-bit initial key to obtain 64-bit ciphertext, and the ciphertext is reversely processed by using the same key during decryption to obtain the initial plaintext. The encryption formula thereof can be expressed as formula (3):
$DES(M) = IP^{-1}(M) * T_{16} * T_{15} * \dots * T_2 * T_1 * IP(M) \quad (3)$
where M represents the initial plaintext, $IP()$ represents the initial permutation, $IP^{-1}()$ represents the inverse initial permutation, and T represents the iterative encryption. The key generation process of the DES algorithm is as follows:
1. 8 irrelevant parity bits are inserted into the 56-bit initial key, converting it into a 64-bit key K.
C 0 =K[57:0] 0 =[63:56]
2. The 64-bit key K undergoes the $PC_1$ permutation, generating a 56-bit key in two parts, $C_0$ and $D_0$.
3. $C_0$ and $D_0$ are left-shifted to generate $C_1$ and $D_1$, and $C_1$ and $D_1$ are left-shifted to generate $C_2$ and $D_2$, where the shift amount is determined by the index i of $C_i$ and $D_i$; this continues up to $C_{16}$ and $D_{16}$, giving 16 subkeys.
4. $C_1$ to $C_{16}$ and $D_1$ to $D_{16}$ undergo the $PC_2$ permutation to generate the 16 48-bit actual subkeys $K_1$ to $K_{16}$:
$K_i = PC_2(C_i, D_i) \quad (4)$
The encryption process of the DES algorithm is as follows:
1. IP initial permutation
The 64-bit plaintext M undergoes the initial permutation according to the IP table and is split into two parts, $L_0$ and $R_0$, of 32 bits each.
2. Performing 16 rounds of iterative encryption
The following operations are performed for the i-th round of iteration (i = 1, 2, ..., 16):
1) E expansion permutation
The 32-bit $R_{i-1}$ is expanded to 48 bits by the expansion permutation and then XORed with the subkey $K_i$ to obtain $B_i$.
2) S-box substitution
The S-box substitution realizes the nonlinear transformation. There are 8 S-boxes, each taking 6 input bits and producing 4 output bits. The 48-bit $B_i$ is divided into 8 groups and passed through the S-boxes to give the 32-bit $f_i$.
$f_i = S(B_i) \quad (6)$
3) P permutation
The P permutation is used to adjust the position of the data bits. The 32-bit $f_i$ undergoes the P permutation to obtain $F(R_{i-1}, K_i)$.
$F(R_{i-1}, K_i) = P(f_i) \quad (7)$
4) Iteration of the $L_i$ and $R_i$ values
When i < 16, the values for the next round are obtained and the iterative encryption continues; when i = 16, the iterative encryption ends, giving $L_{16}$ and $R_{16}$.
$L_i = R_{i-1} \quad (8)$
3. $IP^{-1}$ final inverse initial permutation
$L_{16}$ and $R_{16}$ are merged and the inverse initial permutation is applied to obtain the 64-bit ciphertext C.
$C = IP^{-1}(L_{16}, R_{16}) \quad (10)$
Decryption with the DES algorithm recovers the original plaintext M by performing the encryption steps in reverse order.
S15, encrypting the file by using the determined encryption algorithm to obtain a file ciphertext and recording the size and the confidentiality level of the file in the form of related attributes.
The encryption key from S13 and the symmetric encryption algorithm from S14 are obtained, and the file stream is encrypted to form the file ciphertext.
S16, combining the file digest and the file encryption key generated in the S12 and the S13 into a digest to be encrypted, and encrypting the file digest and the encryption key by using an elliptic curve encryption algorithm to obtain digest ciphertext;
Before, after, or at the same time as the file is encrypted, the file digest and the file encryption key generated in S12 and S13 are combined, for example by concatenating the file digest and the file encryption key as character strings or by mixing the encryption key into the file digest. The result is then encrypted with the public key of the elliptic curve encryption algorithm, and the digest ciphertext is generated once encryption is complete.
S17, uploading the file ciphertext slices to a distributed storage system for storage, calculating according to the content of the file ciphertext slices to obtain hash values corresponding to the slices, taking the hash values as identification codes for identifying the file ciphertext slices, subsequently searching and obtaining the file ciphertext slices in the distributed storage system through the identification codes, and then combining the identification codes to obtain an identification set code; the identification set code may be a code obtained after string concatenation of the respective hash values.
S18, storing the identification set code, the digest ciphertext of the file obtained in S16 and the related attributes of the file from S15 in the blockchain, with the unique file identification as an index.
The generation method of the unique file identifier comprises two implementation modes, namely:
S18a, the identification set code generated in S17 is used as the unique identification of the file. Because the identification set code is the concatenation of the hash values that the distributed storage system computes for each file slice, the unique identification of the file is guaranteed not to repeat, and the identification set code can be used directly as the index when a user needs to look up the file in the blockchain.
S18b, the file name chosen by the user uploading the file is used as the unique identification; if another user later uploads a file with the same name, a prompt states that the name is already in use and the file must be renamed. When this implementation is used, the application scenario needs to be restricted to some extent, for example to deployment within an enterprise or organization. Because the file is named by the user, the name has a degree of freedom and, unlike a character string code, is easy for users to read and share.
This completes the encryption and distributed storage of the file. The application uses a blockchain together with a distributed storage system, so the file is stored in a distributed manner and is not leaked or tampered with as a result of an attack on a storage service that relies on a trusted third party; the blockchain system records the storage process of the file and holds the basic information required to retrieve it. The blockchain and the distributed file system maintain the intermediate data of the file encryption and decryption process, which avoids a single point of failure, so that the file storage system can operate stably.
The scheme of the application uses an off-line encryption mode, so that the problem of data leakage in the file plaintext transmission process is avoided, and the file can be transmitted and stored more safely. The encryption means adopted are adjusted according to the confidentiality level and the file size, so that the time consumption and the computational resource waste in the encryption process are reduced on the basis of ensuring the file security, and the security and the usability of the file storage system are met.
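The slice handling of S17, together with the lookup and reassembly that the decryption side performs from the identification set code, as an added Python example (not code from the patent). The in-memory `SliceStore` standing in for the distributed storage system, SHA-256 hex strings as identification codes, and all function names are assumptions.

```python
import hashlib

ID_LEN = 64   # length of one SHA-256 hex identification code (assumed format)


class SliceStore:
    """In-memory stand-in for the distributed storage system (assumption)."""

    def __init__(self):
        self._blobs = {}

    def put(self, blob: bytes) -> str:
        slice_id = hashlib.sha256(blob).hexdigest()   # content-derived identifier
        self._blobs[slice_id] = blob
        return slice_id

    def get(self, slice_id: str) -> bytes:
        return self._blobs[slice_id]                  # KeyError if the slice is missing


def upload_ciphertext(store: SliceStore, ciphertext: bytes, slice_size: int) -> str:
    """S17: slice the ciphertext, store each slice, concatenate the identifiers."""
    if slice_size <= 0:
        raise ValueError("slice_size must be positive")
    ids = [store.put(ciphertext[i:i + slice_size])
           for i in range(0, len(ciphertext), slice_size)]
    return "".join(ids)                               # identification set code


def split_set_code(set_code: str) -> list:
    """Recover the per-slice identifiers from the fixed-width concatenation."""
    if len(set_code) % ID_LEN:
        raise ValueError("identification set code has a truncated identifier")
    return [set_code[i:i + ID_LEN] for i in range(0, len(set_code), ID_LEN)]


def fetch_ciphertext(store: SliceStore, set_code: str) -> bytes:
    """Fetch the slices in order, re-hash each one, and reassemble the ciphertext."""
    parts = []
    for slice_id in split_set_code(set_code):
        blob = store.get(slice_id)
        if hashlib.sha256(blob).hexdigest() != slice_id:
            raise ValueError(f"slice {slice_id[:12]}... does not match its identifier")
        parts.append(blob)
    return b"".join(parts)


if __name__ == "__main__":
    store = SliceStore()
    ciphertext = bytes(range(256)) * 10               # constructed stand-in for a file ciphertext
    set_code = upload_ciphertext(store, ciphertext, slice_size=1000)
    print(len(split_set_code(set_code)), "slices")
    print(fetch_ciphertext(store, set_code) == ciphertext)
```

Re-hashing on retrieval is what makes the identifier recorded on the blockchain an integrity check: a slice altered in storage no longer matches the code that addresses it.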
Second part:
A matched file decryption method based on a blockchain and a distributed file storage system, as shown in figure 2.
S2, a matched file decryption method comprises the following steps.
S21, taking the unique identification of the file as an index, searching a block storing file information in a block chain, and acquiring a corresponding file abstract ciphertext, an identification set code of the file and related attributes of the file from the block, wherein the related attributes comprise the size and the confidentiality level of the file.
S22, obtaining the identification codes of all the file slices according to the file identification set codes, searching in the distributed storage system according to the identification codes to obtain stored file ciphertext slices, and performing slice recombination to obtain complete file ciphertext.
S23, acquiring a file decryption key;
The private key of the user is obtained, and the file digest ciphertext obtained in the first step is decrypted according to the elliptic curve encryption algorithm to obtain the file digest plaintext. The file digest ciphertext is parsed using a preset strategy to obtain the digest plaintext of the file, and the decryption key of the file is obtained from the digest plaintext.
S24, acquiring the decryption algorithm of the file: the related attributes of the file are parsed to determine the size and the confidentiality level of the stored file, and the decryption algorithm corresponding to the encryption algorithm of the file ciphertext is obtained.
S25, decrypting the file; and decrypting the file ciphertext obtained in the step S22 according to the decryption key obtained in the step S23 and the decryption algorithm obtained in the step S24 to obtain a decrypted file.
Third part:
A matched file encryption device based on a blockchain and a distributed file storage system, as shown in fig. 3.
S3, a matched file encryption device comprises:
a public-private key generating module 310, configured to generate an asymmetrically encrypted public-private key pair using an elliptic curve algorithm;
a file digest generation module 320, configured to calculate a file digest of the file to be encrypted using a hash algorithm;
an encryption key generation module 330, configured to generate a symmetric encryption key from a file digest of a file to be encrypted based on a character string extraction method;
the encryption algorithm selecting module 340 is configured to parse a file to be encrypted, obtain a size and a security level of the file, and determine a symmetric encryption algorithm to be used according to the size and the security level of the file;
the file encrypting module 350 is used for encrypting the file according to the encryption key and the symmetric encryption algorithm to form a file ciphertext and recording the size and the confidentiality level of the file in the form of related attributes;
the digest encrypting module 360 is configured to combine the generated file digest and the file encrypting key into a digest to be encrypted, and encrypt the digest to be encrypted using an elliptic curve encryption algorithm to obtain a digest ciphertext;
the file uploading module 370 is configured to upload the file ciphertext slices to the distributed storage system for storage, calculate according to the content of the file ciphertext slices to obtain hash values corresponding to the slices, and splice identification codes of the file ciphertext slices to obtain identification set codes;
the file record module 380 stores the identification set code of the file, the digest ciphertext of the file, and the related attributes of the file in the blockchain with the unique file identification as an index.
The implementation process of the functions and roles of each module in the above device is specifically shown in the implementation process of the corresponding steps in the encryption method, and will not be described herein.
Fourth part:
A matched file decryption device based on a blockchain and a distributed file storage system, as shown in figure 4.
S4, a matched file decryption device comprises:
the file obtaining module 410 takes the unique identification of the file as an index, retrieves the block storing the file information in the block chain, and obtains the corresponding file abstract ciphertext, the identification set code of the file and the file related attribute from the block, wherein the related attribute comprises the size and the confidentiality grade of the file;
the ciphertext combining module 420 obtains the identification codes of all the file slices according to the file identification set codes, searches in the distributed storage system according to the identification codes to obtain stored file ciphertext slices, and performs slice recombination to obtain complete file ciphertext;
a file decryption key acquisition module 430, configured to acquire a file decryption key; decrypting the file abstract ciphertext acquired by the file acquisition module 410 by using the private key of the user, and obtaining a file abstract plaintext according to an elliptic curve encryption algorithm; analyzing the file digest ciphertext by adopting a preset strategy to obtain digest plaintext of the file and obtaining a decryption key of the file according to the digest plaintext;
the file decryption algorithm obtaining module 440 is configured to parse the related attribute of the file, determine the size and security level of the stored file, and obtain a decryption algorithm corresponding to the encryption algorithm of the corresponding file ciphertext;
a file decryption module 450 for decrypting the file; and decrypting the file ciphertext according to the decryption key and the decryption algorithm to obtain a decrypted file.
The block data structure of the blockchain of the present application storing file information is shown in fig. 5.
The parts of the application not described here are the same as the prior art or can be implemented using the prior art.

Claims (6)

1. A secret file access method based on a block chain and a distributed file storage system is characterized by comprising a file encryption storage method and a matched file decryption acquisition method;
the file encryption storage method comprises the following steps:
S11, generating an asymmetric-encryption public and private key pair by using an elliptic curve algorithm;
S12, calculating a file digest of the file to be encrypted by using a hash algorithm;
S13, generating a symmetric encryption key from the file digest of the file to be encrypted based on a character string extraction method;
S14, analyzing the file to be encrypted, obtaining the size and the security level of the file, and determining a symmetric encryption algorithm according to the size and the security level of the file; when the file security level is greater than or equal to commercial secret, the AES-256 algorithm is adopted for all files; for files whose security level is public, the DES algorithm is adopted when the file size is greater than 100M and the AES-128 algorithm is adopted when the file size is less than 100M;
S15, obtaining the encryption key and the symmetric encryption algorithm of S13 and S14, encrypting the file to form a file ciphertext, and recording the size and the confidentiality level of the file in the form of related attributes;
S16, combining the file digest and the file encryption key generated in S12 and S13 to obtain a digest to be encrypted, for example by concatenating the file digest and the file encryption key as character strings or by mixing the encryption key into the file digest, and encrypting the digest to be encrypted by using an elliptic curve encryption algorithm to obtain a digest ciphertext;
S17, uploading the file ciphertext slices to a distributed storage system for storage, calculating according to the content of the file ciphertext slices to obtain hash values corresponding to the slices, and splicing the identification codes of the file ciphertext slices to obtain an identification set code;
S18, storing the identification set code from S17, the digest ciphertext of the file obtained in S16 and the related attributes of the file from S15 in a blockchain, with the unique file identification as an index;
the matched file decryption acquisition method comprises the following steps:
S21, searching the blockchain for the block storing the file information by taking the unique identification of the file as an index, and acquiring from the block the corresponding file digest ciphertext, the identification set code of the file and the related attributes of the file, wherein the related attributes comprise the size and the confidentiality level of the file;
S22, obtaining the identification codes of all file slices according to the file identification set code, searching in the distributed storage system according to the identification codes to obtain the stored file ciphertext slices, and recombining the slices to obtain the complete file ciphertext;
S23, acquiring a file decryption key;
obtaining a private key of the user, and decrypting the file digest ciphertext obtained in the first step according to an elliptic curve encryption algorithm to obtain a file digest plaintext; analyzing the file digest ciphertext by adopting a preset strategy to obtain the digest plaintext of the file, and obtaining a decryption key of the file according to the digest plaintext;
S24, analyzing the related attributes of the file, determining the size and the confidentiality level of the stored file, and obtaining a decryption algorithm corresponding to the encryption algorithm of the corresponding file ciphertext;
S25, decrypting the file; the file ciphertext obtained in step S22 is decrypted according to the decryption key obtained in step S23 and the decryption algorithm obtained in step S24 to obtain the decrypted file.
2. The method of claim 1, wherein the digest of the file is calculated using an MD5 or SHA256 algorithm when the digest of the file is obtained using a hash algorithm.
3. The method of claim 1, wherein when the digest of the file is obtained using a hash algorithm, when the shared file is a large file, the UUID of the file is obtained first, and then the digest of the file corresponding to the UUID is calculated using the hash algorithm.
4. A secret file encryption storage device based on a block chain and a distributed file storage system is characterized in that: it comprises the following steps:
a public-private key generation module (310), wherein the public-private key generation module (310) is used for generating an asymmetrically encrypted public-private key pair by using an elliptic curve algorithm;
a file digest generation module (320), wherein the file digest generation module (320) is used for calculating the file digest of the file to be encrypted by using a hash algorithm;
an encryption key generation module (330), the encryption key generation module (330) is used for generating a symmetric encryption key from a file digest of a file to be encrypted based on a character string extraction method;
the encryption algorithm selection module (340) is used for analyzing the file to be encrypted, acquiring the size and the security level of the file, and determining the adopted symmetric encryption algorithm according to the size and the security level of the file;
a file encrypting module (350), the file encrypting module (350) is used for encrypting the file according to the encrypting key and the symmetric encrypting algorithm to form a file ciphertext and recording the size and the confidentiality grade of the file in the form of related attributes;
the digest encryption module (360) is used for combining the generated file digest and the file encryption key into a digest to be encrypted, and encrypting the digest to be encrypted by using an elliptic curve encryption algorithm to obtain a digest ciphertext;
the file uploading module (370) is used for uploading the file ciphertext slices to the distributed storage system for storage, calculating according to the content of the file ciphertext slices to obtain hash values corresponding to the slices, and splicing the identification codes of the file ciphertext slices to obtain an identification set code;
and the file recording module (380) stores the identification set code of the file, the file abstract ciphertext and the related attribute of the file in the blockchain by taking the unique file identification as an index.
5. A secret file decryption acquisition device based on a block chain and a distributed file storage system is characterized in that: it comprises the following steps:
a file acquisition module (410), wherein the file acquisition module (410) takes the unique identification of the file as an index, retrieves the block storing the file information in the block chain, and acquires the corresponding file abstract ciphertext, the identification set code of the file and the file related attribute from the block, wherein the related attribute comprises the size and the confidentiality grade of the file;
the ciphertext combining module (420) obtains the identification codes of all file slices according to the file identification set codes, searches in the distributed storage system according to the identification codes to obtain stored file ciphertext slices, and performs slice recombination to obtain complete file ciphertext;
a file decryption key acquisition module (430), the file decryption key acquisition module (430) being configured to acquire a file decryption key; decrypting the file abstract ciphertext acquired by the file acquisition module 410 by using the private key of the user, and obtaining a file abstract plaintext according to an elliptic curve encryption algorithm; analyzing the file digest ciphertext by adopting a preset strategy to obtain digest plaintext of the file and obtaining a decryption key of the file according to the digest plaintext;
a file decryption algorithm obtaining module (440), where the file decryption algorithm obtaining module (440) is configured to parse related attributes of the file, determine a size and a security level of the stored file, and obtain a decryption algorithm corresponding to the encryption algorithm of the corresponding file ciphertext;
a file decryption module (450), the file decryption module (450) being configured to decrypt the file; and decrypting the file ciphertext according to the decryption key and the decryption algorithm to obtain a decrypted file.
6. The method of claim 1, wherein the file unique identifier is a user-custom named non-duplicate file name; the generation method of the unique file identifier comprises two implementation modes, namely:
s18a, taking the identification set code generated in S17 as a unique identification of the file;
and S18b, taking the file name named by the user uploading the file as a unique identification.
CN202310650835.0A 2023-06-02 2023-06-02 File secure access method based on blockchain and distributed storage Pending CN116755618A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310650835.0A CN116755618A (en) 2023-06-02 2023-06-02 File secure access method based on blockchain and distributed storage

Publications (1)

Publication Number Publication Date
CN116755618A true CN116755618A (en) 2023-09-15

Family

ID=87956423

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202310650835.0A Pending CN116755618A (en) 2023-06-02 2023-06-02 File secure access method based on blockchain and distributed storage

Country Status (1)

Country Link
CN (1) CN116755618A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination