KR20170049700A - Cloud system for storing secure data and method thereof - Google Patents


Info

Publication number
KR20170049700A
Authority
KR
South Korea
Prior art keywords
data
user terminal
metadata
server
stored
Prior art date
Application number
KR1020150149590A
Other languages
Korean (ko)
Other versions
KR101790757B1 (en)
Inventor
이임영
김원빈
Original Assignee
순천향대학교 산학협력단
Application filed by 순천향대학교 산학협력단 filed Critical 순천향대학교 산학협력단
Priority to KR1020150149590A priority Critical patent/KR101790757B1/en
Publication of KR20170049700A publication Critical patent/KR20170049700A/en
Application granted granted Critical
Publication of KR101790757B1 publication Critical patent/KR101790757B1/en

Classifications

    • G06F17/30156
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00 Error detection; Error correction; Monitoring
    • G06F11/07 Responding to the occurrence of a fault, e.g. fault tolerance
    • G06F11/14 Error detection or correction of the data by redundancy in operation
    • G06F11/1402 Saving, restoring, recovering or retrying
    • G06F11/1446 Point-in-time backing up or restoration of persistent data
    • G06F11/1448 Management of the data involved in backup or backup restore
    • G06F11/1453 Management of the data involved in backup or backup restore using de-duplication of the data
    • G06F17/30174
    • G06F17/30997
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Health & Medical Sciences (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • Quality & Reliability (AREA)
  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)

Abstract

An exemplary embodiment of the present invention provides a cloud system that includes a metadata server, which uses metadata of uploaded data to determine whether the data is duplicated and transmits the deduplication result to a user terminal, and a storage server, which receives the deduplicated data from the user terminal, verifies it, and stores it. By verifying the data transmitted to the information storage server, the system can reduce the number of communications, the amount of computation, and the communication traffic generated in the process of storing encrypted data, and reduce the risk of data contamination.

Figure P1020150149590

Description

[0001] The present invention relates to a cloud system for storing encrypted data, and more particularly, to a cloud system and method in which encrypted data is deduplicated and stored.

Recently, demand for cloud storage has increased and many studies are underway. With the development of IT, many kinds of devices are in use, and most of them are connected to a network. Environments that used local storage space are shifting to storing device data in cloud storage over the network, or to integrating and managing an enterprise's digital documents and information there. Cloud storage is largely classified into private cloud and public cloud, both of which keep data in physical storage. As the amount of stored data increases, the number and capacity of the physical storage devices required also increase, which is a cost problem for a cloud environment used by a large number of users. Many studies have been conducted to improve the storage-space efficiency of cloud storage. When many companies and researchers store the same data repeatedly, the storage space actually used can be reduced by referring to the originally stored data rather than allocating space once per request, thereby reducing the maintenance cost of the cloud storage environment.

On the other hand, a technique for preventing repeated storage of data is called a data de-duplication technique. A method for preventing repeated storage of data proceeds in various manners, but a basic operation is performed by comparing previously stored data with newly stored data to determine whether or not the same data is stored. The method of comparing the stored data proceeds through a linear comparison, but the larger the size of the data, the slower the comparison speed of the data becomes.

Data redundancy can be compared per file or per block. The file-unit comparison treats a whole file as a single object, so if two files differ by even one bit they are recognized as different files and no deduplication is performed. The deduplication efficiency is therefore low. However, because each file is handled as a single object, the deduplication processing speed is very fast. Alternatively, a single file can be divided into blocks of a certain size, each of which is treated as one object. The advantage of this method is that even if parts of two files differ, each file is split into blocks and the identical parts are still removed, so deduplication is more efficient than with the file-unit comparison. However, since a file is divided into a plurality of blocks and each block goes through the comparison process, deduplication is slower than per-file deduplication.

Deduplication can also be classified into two types depending on where it is performed. Typically, the original files are sent to the cloud storage and deduplicated there. This is called the target deduplication method; since the original file is transferred to the cloud storage as it is, the user terminal does not need to perform any deduplication operation. Also, since the hardware performance of cloud storage is generally higher than that of an individual user's device, deduplication is processed quickly. However, because the original data is transferred to the cloud storage, data communication traffic is heavy. Alternatively, deduplication can be processed at the user's terminal before the data is transferred to the cloud storage. In this method, only the non-duplicated data is transmitted to the cloud storage, so data communication traffic is lower than with the target deduplication method. However, since the processing performance of a personal user terminal is lower than that of the cloud storage hardware, deduplication may take a long time and may place a heavy load on the user's terminal.

On the other hand, information leakage may occur due to factors inside or outside the cloud storage provider. If the information stored in the cloud storage is unencrypted plaintext, the contents of leaked data can be fully known. Therefore, the data stored in the cloud storage needs to be encrypted. With a simple encryption scheme, different ciphertexts are generated depending on the encryption key held by the encrypting party, even if the original text is the same. Data deduplication, however, works by comparing two pieces of data to judge whether they are the same. Therefore, even if the original data is the same, the ciphertexts differ from each other and cannot be matched as duplicates. Various encryption methods and communication methods are applied to address this. In this process, there arises a problem that a large number of communications and calculations are performed.

In addition, if no verification procedure for the data stored in the cloud storage is included, integrity is not guaranteed: a third party may cause the data actually stored to differ from the data that the metadata corresponds to. This creates a contamination risk in which the data obtained is stolen, corrupted, or contains malicious code.

Korean Registered Patent No. 10-1374594 (Published date 2014.03.10.)

An object of the present invention is to provide a method for deduplicating and storing encrypted data that improves the communication method and the communication data and requires relatively few communications and relatively little computation.

An exemplary embodiment of the present invention provides a cloud system that includes a metadata server, which uses metadata of uploaded data to determine whether the data is duplicated and transmits the deduplication result to a user terminal, and a storage server, which receives the deduplicated data from the user terminal, verifies it, and stores it.

The metadata server may generate and transmit a unique session key for encrypting the data to the user terminal.

The metadata server may decrypt the data encrypted with the session key and check it for duplication against the stored metadata.

The metadata server may generate a list of unsaved data and a signature value of that list, and transmit the list and the signature value to the user terminal.

The storage server may receive the data block of the unsaved data list from the user terminal, process the data block, and compare the data block with the signature value.

The metadata server receives the signature value of the storage server and can generate and store metadata of the file from the signature value.

Data transmission between the user terminal and the metadata server may be performed through a hash value.

According to another embodiment of the present invention, there is provided a method for deduplicating and storing encrypted data in a cloud system, the method including: receiving a hash value of encrypted data from a user terminal and performing deduplication against previously stored data; receiving from the user terminal the deduplicated data blocks generated from the deduplicated data list, and verifying and storing them; and synchronizing the stored data blocks.

The method may further include, before the deduplication step, generating a unique session key for encrypting the data and transmitting it to the user terminal.

The deduplication step may decrypt the data encrypted with the session key and check it for duplication against the stored metadata.

In the deduplication step, deduplication may be performed to generate a list of unsaved data and a signature value of that list, and the list and the signature value may be transmitted to the user terminal.

The storing may include receiving a data block of the unsaved data list from the user terminal, processing the data block, and comparing the data block with the signature value.

The synchronizing step may generate and store metadata of a file from the signature value.

As described above, the cloud system according to the present invention separates the metadata server from the information storage server, has the metadata server determine whether data is duplicated, and transmits only non-duplicated data to the information storage server. Also, by verifying the data transmitted to the information storage server, it is possible to reduce the number of communications, the amount of computation, and the communication traffic generated in the process of storing encrypted data, and to reduce the risk of data contamination.

FIG. 1 is a block diagram illustrating a system for deduplicating and storing encrypted data according to an embodiment of the present invention.
FIG. 2 is a diagram illustrating a method of Convergent Encryption (CE) technology according to an embodiment of the present invention.
FIG. 3 is a diagram illustrating a structure of metadata according to an embodiment of the present invention.
FIG. 4 is a flowchart showing a deduplication and storage method according to an embodiment of the present invention.

Hereinafter, embodiments of the present invention will be described in detail with reference to the accompanying drawings so that those skilled in the art can easily carry out the present invention. The present invention may, however, be embodied in many different forms and should not be construed as limited to the embodiments set forth herein. In order to clearly illustrate the present invention, parts not related to the description are omitted, and similar parts are denoted by like reference characters throughout the specification.

Throughout the specification, when a part is referred to as being "connected" to another part, this includes not only being "directly connected" but also being "electrically connected" with another part in between.

Throughout the specification, when an element is referred to as "comprising" another element, this means that it can further include other elements rather than excluding them, unless specifically stated otherwise. Also, terms such as "part" and "module" in the specification mean a unit that processes at least one function or operation, and may be implemented by hardware, software, or a combination of hardware and software.

The cloud system for deduplicating and storing encrypted data of the present invention is based on a metadata server and an information storage server. To compare and deduplicate the encrypted data, the user communicates with the metadata server and then uploads the corresponding file to the information storage server based on the result of that communication.

Hereinafter, preferred embodiments according to the present invention will be described in detail with reference to the accompanying drawings.

FIG. 1 is a block diagram illustrating a system 100 for deduplicating and storing encrypted data according to an embodiment of the present invention.

Referring to FIG. 1, a cloud system 100 according to an exemplary embodiment of the present invention includes a metadata server 110 that transmits data to and receives data from a user terminal 200, and an information storage server 120.

Information is exchanged among the metadata server 110, the user terminal 200, and the information storage server 120 over a network, wired or wireless, and the identifiers (ID) and public keys of each are distributed to one another.

The user terminal 200 is a terminal 200 capable of performing upload and download for accessing a cloud service provided by the cloud system 100 and sharing information, and includes a smart phone, a notebook, or a tablet PC.

The user terminal 200 interacts with the servers of the cloud system 100 via a wired / wireless network, wherein the wireless network may include Wi-Fi, Bluetooth, and the like.

In addition, the user terminal 200 may further include a display device capable of displaying an operation with the cloud system 100.

The cloud system 100, which deduplicates and stores encrypted data, includes a metadata server 110 that confirms the user terminal 200, issues a session key, checks whether the blocks of the file to be uploaded by the user terminal 200 are already stored, and returns the result, and an information storage server 120 that, in cooperation with the metadata server 110, stores only data that is not duplicated.

The metadata server 110 receiving the upload request from the user terminal 200 confirms the corresponding user terminal 200 and issues a session key which is a symmetric encryption key for the communication session with the corresponding user terminal 200.

After the session key is issued, the user terminal 200 divides the file to be uploaded into blocks and encrypts them, encrypts the hash values of the encrypted data with the session key, and transmits the encrypted hash values to the metadata server 110.

The metadata server 110 compares the received hash values with the hash values previously stored in the metadata server 110 to determine whether each is already stored, and reconstructs the data so that it contains only the unsaved hash values. The metadata server 110 then signs the reconstructed hash values with the private key of its own public-key encryption algorithm to generate a signature value, and transmits the reconstructed hash values and the signature value to the user terminal 200. The user terminal 200 reconstructs the blocks to be uploaded based on the reconstructed hash values received from the metadata server 110 and sends the reconstructed blocks to the information storage server 120 together with the signature value transmitted by the metadata server 110.

The information storage server 120 compares the transmitted blocks with the signature value to determine whether the user has transmitted the correct blocks. When the user has transmitted the correct blocks, the information storage server 120 notifies the metadata server 110 of this through synchronization, and the metadata server 110 stores the data stored in the information storage server 120

In FIG. 1, the information storage server 120 and the metadata server 110 are illustrated as being formed together, but this does not indicate physical proximity.

Hereinafter, specific symbols will be used to describe them.

Before describing the embodiments of the present invention, the symbols used in the following description are defined as follows.

*: Participating object (

Figure pat00001
:user
Figure pat00002
,
Figure pat00003
: Metadata Server,
Figure pat00004
: Information storage server)

Figure pat00005
: Original file

Figure pat00006
: One-way hash function

Figure pat00007
: Duplicate
Figure pat00008
Number of

Figure pat00009
: Not duplicated
Figure pat00010
Number of

Figure pat00011
:
Figure pat00012
All
Figure pat00013
Number of

Figure pat00014
:
Figure pat00015
Convergent Encryption Encryption Key to Encrypt

Figure pat00016
:
Figure pat00017
Encrypted with
Figure pat00018

Figure pat00019
:
Figure pat00020
Hash
Figure pat00021

Figure pat00022
:
Figure pat00023
Consisting of a set of
Figure pat00024
List of

Figure pat00025
: Duplicate removed
Figure pat00026

Figure pat00027
: Duplicate removed
Figure pat00028

Figure pat00029
:file
Figure pat00030
Hash
Figure pat00031

Figure pat00032
:user
Figure pat00033
Identifier

Figure pat00034
: Encrypted
Figure pat00035
Set of

Figure pat00036
: The session key between the metadata server and the user

Figure pat00037
: * Symmetric key

Figure pat00038
: * Public key

Figure pat00039
: * Private key

Figure pat00040
: Encryption using key ** as an encryption key

Figure pat00041
: Decryption using key ** as decryption key

Figure 2 illustrates a method of the Convergent Encryption (CE) technology used in the system 100 of the present invention.

In the CE encryption method, the original file

Figure pat00042
is hashed by the hash algorithm in the hash module, and the resulting hash value
Figure pat00043
is used as the symmetric key with which the encryption module encrypts the file, as shown in Equation (1).

[Equation 1]

Figure pat00044

FIG. 3 is a diagram illustrating a structure of metadata according to an embodiment of the present invention.

Referring to FIG. 3, the metadata stored in the metadata server 110 includes metadata

Figure pat00045
Identifier (
Figure pat00046
), A list of hashed blocks (
Figure pat00047
), Data obtained by encrypting a set of encryption keys (block
Figure pat00048
), user
Figure pat00049
Identifier (
Figure pat00050
).

Specifically, as shown in Equation 2,

Figure pat00051
Hash
Figure pat00052
.

[Equation 2]

Figure pat00053

Also,

Figure pat00054
is encrypted using CE. CE encryption uses a specially generated encryption key
Figure pat00055
with a general symmetric-key encryption scheme. The encryption key used here is generated as shown in Equation (3).

[Equation 3]

Figure pat00056

Figure pat00057
Encrypted using
Figure pat00058
The
Figure pat00059
( CID ), and the hashed data
Figure pat00060
List of
Figure pat00061
.

Also,

Figure pat00062
List of
Figure pat00063
And
Figure pat00064
on
Figure pat00065
,
Figure pat00066
,
Figure pat00067
To generate metadata.

Hereinafter, with reference to FIG. 4, a description will be given of a method of deduplicating and storing encryption data between the cloud system 100 and the user terminal 200 according to an embodiment of the present invention.

The embodiment includes an encryption and deduplication request step of the user terminal 200, a deduplication processing step, a step in which the user terminal 200 uploads the deduplicated encrypted data, and a data synchronization step.

In the cloud system 100 of the embodiment, the confidentiality of data is required, so the transmitted data must be encrypted. A session key must therefore be distributed between the metadata server 110 and the user terminal 200.

First, the user terminal 200 transmits its identifier

Figure pat00068
(S100).

After confirming the user's identity from the identifier, the metadata server 110 distributes the encrypted session key to the user using the public key of the user terminal 200 (S110).

Next, the user terminal 200 transmits the session key of the file to be uploaded

Figure pat00069
By encrypting
Figure pat00070
And
Figure pat00071
,
Figure pat00072
To the metadata server 110 (S120).

Next, the deduplication step of the metadata server 110 proceeds (S130).

The deduplication step may include comparing the hash value of the encrypted data transmitted from the user terminal 200 with the data stored in the metadata server 110, and generating a list of the unsaved data,

First, the metadata server 110 transmits

Figure pat00073
Decoded
Figure pat00074
And the metadata stored in the metadata server 110
Figure pat00075
And determines whether or not each block is stored.

Next, the metadata server 110 transmits the metadata

Figure pat00076
Blocks which are not stored among the blocks of
Figure pat00077
. In addition, the metadata server 110 creates a signature value that can be created only by the metadata server 110
Figure pat00078
To the user (S140). The signature value generation is as shown in Equation (4).

[Equation 4]

Next, the user terminal 200 uploads the block to the information storage server 120, and the information storage server 120 verifies the block.

First, the user terminal 200

Figure pat00080
And signature value
Figure pat00081
And reconstructs a block that is not stored in the information storage server 120
Figure pat00082
.

Next,

Figure pat00083
And the signature value received from the metadata server 110
Figure pat00084
,
Figure pat00085
To the information storage server 120 (S160).

Accordingly, the information storage server 120

Figure pat00086
Included in
Figure pat00087
Respectively.
Figure pat00088
. next,
Figure pat00089
With a list of
Figure pat00090
And is compared with the signature value (S170).

The comparison operation procedure is shown in Equation (5).

[Equation 5]

Figure pat00091

Figure pat00092

If the two hash values are equal to each other as in Equation (5), the unsaved data is stored.

Finally, when the data has been stored correctly in the information storage server 120, the information storage server 120 synchronizes with the metadata server 110 so that the metadata can be stored correctly in the metadata server 110.

The information storage server 120 checks the value computed from the data uploaded by the user against the signature value of the metadata server 110, and when valid data has been uploaded, takes the signature value of the metadata server 110

Figure pat00093
signs it with its own private key, and transmits the result to the metadata server 110 (S180).

The signing operation with the private key is shown in Equation (6).

[Equation 6]

Figure pat00094

The metadata server 110 receives the signature value of the information storage server 120 and can confirm the contents of the signature value. The signature value generated by the metadata server 110 itself,

Figure pat00095
Through the
Figure pat00096
It is confirmed that the block of
Figure pat00097
(S190), and terminates the cloud upload.

As described above, data is stored in the information storage server 120 only after the metadata has been used to confirm whether it is duplicated, which minimizes the data transmitted for duplicate verification, while encryption is used to address the security problem.
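The flow of steps S120 to S190 together with the convergent encryption of FIG. 2, as an added Python example that is not code from the patent. Assumptions: SHA-256 as the hash, a SHA-256 keystream XOR as a stand-in cipher, and an HMAC under a hypothetical key shared by the two servers (`link_key`) in place of their public-key signatures; the exact signed values of Equations (4) to (6) are not recoverable from this page, so the tags here cover the ordered list of block hashes, and the session-key encryption of the hash list in transit is left out.

```python
import hashlib
import hmac

BLOCK_SIZE = 16  # small so the constructed sample below splits into several blocks

def H(data):
    """One-way hash function (SHA-256 is this example's choice)."""
    return hashlib.sha256(data).digest()

def keystream_xor(key, data):
    """Deterministic stand-in cipher: XOR with a SHA-256 counter keystream.
    Illustration only; use a vetted symmetric cipher in practice."""
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = H(key + i.to_bytes(8, "big"))
        out.extend(b ^ p for b, p in zip(data[i:i + 32], pad))
    return bytes(out)

def ce_encrypt(block):
    """Convergent encryption: the key is the hash of the plaintext itself,
    so equal plaintext blocks give equal ciphertext for every user."""
    key = H(block)
    return key, keystream_xor(key, block)

def ce_decrypt(key, ciphertext):
    return keystream_xor(key, ciphertext)

def prepare_upload(file_bytes):
    """User terminal: split into blocks, CE-encrypt, hash each ciphertext."""
    blocks = [file_bytes[i:i + BLOCK_SIZE]
              for i in range(0, len(file_bytes), BLOCK_SIZE)]
    ciphertexts = [ce_encrypt(b)[1] for b in blocks]
    return [(H(c), c) for c in ciphertexts]

def tag_over(key, hashes, label=b"unsaved-list"):
    """HMAC stand-in for a signature over an ordered list of block hashes."""
    return hmac.new(key, label + H(b"".join(hashes)), hashlib.sha256).digest()

class MetadataServer:
    def __init__(self, link_key):
        self.link_key = link_key
        self.known = set()  # hashes of encrypted blocks already stored

    def deduplicate(self, hash_list):
        """S130-S140: keep only hashes not stored yet, and sign that list."""
        unsaved = []
        for h in hash_list:
            if h not in self.known and h not in unsaved:
                unsaved.append(h)
        return unsaved, tag_over(self.link_key, unsaved)

    def synchronize(self, unsaved, ack):
        """S190: record the blocks only if the storage server confirmed them."""
        expected = tag_over(self.link_key, unsaved, b"stored")
        if not hmac.compare_digest(expected, ack):
            return False
        self.known.update(unsaved)
        return True

class StorageServer:
    def __init__(self, link_key):
        self.link_key = link_key
        self.store = {}

    def store_blocks(self, blocks, tag):
        """S170-S180: re-hash what arrived and compare with the signed list."""
        hashes = [H(b) for b in blocks]
        if not hmac.compare_digest(tag_over(self.link_key, hashes), tag):
            return None  # blocks do not match what the metadata server signed
        self.store.update(zip(hashes, blocks))
        return tag_over(self.link_key, hashes, b"stored")

def upload(ms, ss, file_bytes, tamper=False):
    """Run S120-S190 for one file; returns (blocks_sent, accepted)."""
    pairs = prepare_upload(file_bytes)
    encrypted = dict(pairs)
    unsaved, tag = ms.deduplicate([h for h, _ in pairs])
    to_send = [encrypted[h] for h in unsaved]
    if tamper and to_send:  # simulate a corrupted or substituted block
        to_send[0] = bytes([to_send[0][0] ^ 1]) + to_send[0][1:]
    ack = ss.store_blocks(to_send, tag)
    accepted = ack is not None and ms.synchronize(unsaved, ack)
    return len(to_send), accepted

# Constructed sample: blocks A, B, A, C (the repeated A block is sent once).
SAMPLE = b"A" * 16 + b"B" * 16 + b"A" * 16 + b"C" * 10
```

A second upload of `SAMPLE` sends no blocks at all, and an upload whose block was altered in transit is refused by the storage server, so the metadata server never records it.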

While the present invention has been particularly shown and described with reference to exemplary embodiments thereof, it is to be understood that the invention is not limited to the disclosed exemplary embodiments, but is capable of numerous modifications and alterations without departing from the spirit or scope of the invention.

It will be apparent to those skilled in the art that various modifications and variations can be made in the present invention without departing from the spirit or scope of the invention as defined in the following claims.

100: Cloud system
110: Metadata server
200: user terminal

Claims (5)

1. A metadata server for determining whether the data is duplicated using the metadata of the uploaded data and transmitting the data to the user terminal,
A storage server for receiving the deduplicated data from the user terminal and for verifying the deduplicated data,

2. Receiving a hash value of the encrypted data from the user terminal and proceeding to deduplication with the stored data,
Receiving and verifying and storing the deduplicated data block generated from the deduplicated data list from the user terminal, and
Synchronizing the stored data blocks
And storing the encrypted data in the storage medium.

3. The method of claim 2,
Before the deduplication step
Further comprising generating and transmitting a unique session key for encrypting the data to the user terminal, and transmitting the generated session key to the user terminal.

4. The method of claim 3,
Wherein the de-
And decrypting the encrypted data with the session key and reading the duplicated data with the stored metadata.

5. The method of claim 4,
Wherein the de-
And generating a signature value of the unlisted data list and the data list and transmitting the generated signature list to the user terminal.

KR1020150149590A 2015-10-27 2015-10-27 Cloud system for storing secure data and method thereof KR101790757B1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
KR1020150149590A KR101790757B1 (en) 2015-10-27 2015-10-27 Cloud system for storing secure data and method thereof

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
KR1020150149590A KR101790757B1 (en) 2015-10-27 2015-10-27 Cloud system for storing secure data and method thereof

Publications (2)

Publication Number Publication Date
KR20170049700A (en) 2017-05-11
KR101790757B1 (en) 2017-10-27

Family

ID=58741997

Family Applications (1)

Application Number Title Priority Date Filing Date
KR1020150149590A KR101790757B1 (en) 2015-10-27 2015-10-27 Cloud system for storing secure data and method thereof

Country Status (1)

Country Link
KR (1) KR101790757B1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR20190044264A (en) * 2017-10-20 2019-04-30 김남희 Good restaurant information providing system

Also Published As

Publication number Publication date
KR101790757B1 (en) 2017-10-27

Legal Events

Date Code Title Description
A201 Request for examination
E902 Notification of reason for refusal
E902 Notification of reason for refusal
E701 Decision to grant or registration of patent right
GRNT Written decision to grant