CN101753539A - Network data storage method and server - Google Patents

Network data storage method and server Download PDF

Info

Publication number
CN101753539A
CN101753539A CN 200810227900 CN200810227900A CN101753539A CN 101753539 A CN101753539 A CN 101753539A CN 200810227900 CN200810227900 CN 200810227900 CN 200810227900 A CN200810227900 A CN 200810227900A CN 101753539 A CN101753539 A CN 101753539A
Authority
CN
Grant status
Application
Patent type
Prior art keywords
data file
data
file
signature
encrypted
Prior art date
Application number
CN 200810227900
Other languages
Chinese (zh)
Other versions
CN101753539B (en )
Inventor
刘伟晏
杨汉强
王凡
王绪胜
马淑桂
Original Assignee
北京大学;北大方正集团有限公司;北京方正电子政务信息科技有限公司;国家档案局档案科学技术研究所;国家档案局
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date

Links

Abstract

The invention discloses a network data storage method and a server. The disturbing network data storage method provided by the invention comprises the following steps: judging whether a data file needs to be encrypted and/or signed or not by the server according to configuration information of the storage region of the data file; encrypting a network data stream uploaded at a client when the data file needs to be encrypted but does not need to be signed according to the judgment, and writing the encrypted data stream into the data file; writing the network data stream uploaded at the client into the data file when the data file needs to be signed but does not need to be encrypted according to the judgment, and signing the data file; and encrypting the network data stream uploaded at the client when the data file needs to be encrypted and signed according to the judgment, writing the encrypted network data stream into the data file, and signing the data file. The invention improves the openness, the expansibility, the robustness and the reading/writing visit efficiency of the network storage server on the premise of ensuring the confidentiality and the completeness of the data storage.

Description

一种网络数据存储方法及服务器 A network server and data storage method

技术领域 FIELD

[0001] 本发明涉及网络安全领域,尤其涉及一种网络数据存储方法及服务器。 [0001] The present invention relates to the field of network security, particularly to a network server and a data storage method.

背景技术 Background technique

[0002] 随着TCP/IP网络技术的发展,文件传输协议(File Transfer Protocol, FTP) 禾口万维网分布式创作禾口片反本控制(Web—based Distributed Authoring andVersioning, WEBDAV)协议得到了越来越广泛的应用,服务器端利用FTP和WEBDAV协议为客户端提供网络存储,形成了支持标准协议的网络存储,使用者可以使用支持FTP或WEBDAV的客户端通过网络进行服务器侧文件读访问(下载网络数据)和写访问(上载网络数据)等操作。 [0002] With the development of TCP / IP network technology, file transfer protocol (File Transfer Protocol, FTP) World Wide Web Distributed Authoring Wo Wo mouth mouth piece breach the control (Web-based Distributed Authoring andVersioning, WEBDAV) protocol has been increasingly the more widely used, and the server using the FTP protocol client WEBDAV provide network storage, forming a network storage supports standard protocols, a user may use or support WEBDAV FTP server side of the client through the network read access (download network data) and write access (upload data network) and other operations. [0003] 为实现支持FTP和WEBDAV协议的网络存储,往往会在服务器侧安装部署相应的服务器系统(FTP服务器和WEBDAV服务器),现有的FTP服务器和WEBDAV服务器大多是基于服务器端的文件系统提供存储服务,而且文件采用明码存储,这种采用明码存储文件的方法无法保证数据的保密性和完整性。 [0003] The networked storage supports FTP and WEBDAV protocols, often install and deploy a corresponding server system (FTP server and WEBDAV server) on the server side, most of the existing FTP servers and WEBDAV server is a server-based file system provides a storage services, and file is stored unencrypted, this method is stored unencrypted file can not guarantee the confidentiality and integrity of data.

[0004] 为了保证文件的保密性和完整性,现有的解决方案通常是在服务器端使用额外的专门的安全文件系统,安全文件系统将多个需要保密的文件加密后封装在底层文件系统的某个单一文件中,并在系统内部统一维护文件信息(如文件名、文件大小等)以及每个文件的密钥信息。 [0004] In order to ensure the confidentiality and integrity of files, the existing solutions are often additional specialized secure file system on the server side, a plurality of file systems require secure confidential files after encryption encapsulated in the underlying file system a single file and unified maintenance file information (such as file name, file size, etc.) as well as key information about each file within the system. 采用安全文件系统作为FTP服务器和WEBDAV服务器的后台存储存在以下几个问题: The presence of the following questions using a secure file system as an FTP server and back-end storage server WEBDAV:

[0005] 1、安全文件系统一般是私有系统,没有统一的接口,开放性不足; [0005] 1, the security system in general is a private system, there is no unified interface, lack of openness;

[0006] 2、整个安全文件系统的加密算法是固定的统一的,扩展性不足; [0006] 2, the entire security file system encryption algorithm is fixed unified, scalable insufficient;

[0007] 3、由于安全文件系统内的所有文件都集中封装在底层文件系统的单一文件中,在 [0007] 3, since all of the files in a secure file system are then assembled in a single file in the underlying file system, the

读访问安全文件系统内的某个特定文件时,需要先从底层文件系统的单一文件中将该文件 When reading a specific file in the file system access security, we need to start with a single file in the underlying file system files

提取出来;在写访问安全文件系统内的某个特定文件时,需要将该文件写入底层文件系统 Extracted; when writing a particular file in the file system access security, the need to file written to the underlying file system

的单一文件中,读/写访问效率较低。 A single file, read / write access to low efficiency.

[0008] 4、安全文件系统的加密算法相对固定,且安全文件系统将内部的文件信息和密钥集中管理,存储文件信息或密钥部分的区域(磁盘扇区)发生损坏,会导致整个安全文件系统发生无法访问,系统健壮性不足。 [0008] 4, secure file system encryption algorithm is relatively fixed, and the secure file system area (disk sectors) inside the file management information and the key set, storing the document information or part of the damaged key, will cause the entire security can not access the file system occurs, lack of robustness of the system.

发明内容 SUMMARY

[0009] 本发明提供了一种网络数据存储方法及服务器,用以在保证数据存储的保密性和完整性的前提下,提高网络存储服务器的开放性、扩展性、健壮性和读/写访问效率。 [0009] The present invention provides a network server and a data storage method for the premise of ensure the confidentiality and integrity of data storage, to improve openness, scalability, robustness, and network storage server read / write access effectiveness. [0010] 本发明实施例提供的一种网络数据上载方法,包括: [0010] A network on a data upload method according to an embodiment of the present invention, comprising:

[0011] 服务器根据数据文件所属存储区域的配置信息,判断所述数据文件是否需加密和/或是否需签名; [0011] server according to the profile data file storage area belongs, determining whether it is necessary to encrypt the data file and / or if the signature is required;

[0012] 当判断所述数据文件需加密不需签名时,对所述客户端上载的网络数据流进行加密,并将加密的所述网络数据流写入所述数据文件; [0012] When determining that the data file without the need to encrypt the signature, the client uploads the network traffic is encrypted, the encrypted file and writing the data of the network data stream;

4[0013] 当判断所述数据文件需签名不需加密时,将所述客户端上载的网络数据流写入所述数据文件,对所述数据文件进行签名; 4 [0013] When determining that the data file without the need to encrypt the signature, the client uploads the data stream written to said network data file, the data file is signed;

[0014] 当判断所述数据文件需要加密和签名时,对所述客户端上载的网络数据流进行加 [0014] When determining that the data file needs to be encrypted and a signature of the carrier on the client network data stream applied

密,将加密的网络数据流写入所述数据文件,对所述数据文件进行签名。 Secret, encrypted network traffic will be written to the data file, the data file is signed.

[0015] 对预先划分的多个存储区域,分别配置其存储的数据文件是否需要加密以及加密 If [0015] a plurality of divided memory areas in advance, which are stored in the configuration file needs to be encrypted and the encrypted data

算法和/或是否需要签名以及签名算法的参数信息; Algorithm and / or the need for a signature and the signature algorithm parameter information;

[0016] 所述对客户端上载网络数据流进行加密,包括: [0016] The carrier network to encrypt the data stream on a client, comprising:

[0017] 根据所述数据文件所属存储区域配置的加密算法,生成加密密钥; [0017] According to the configuration of the encryption algorithm to the data file storage area belongs, generating an encryption key;

[0018] 根据所述加密算法和生成的加密密钥,对客户端上载的网络数据流进行加密; [0018] The encryption algorithm and the encryption key generated, the client uploads the encrypted network traffic;

[0019] 所述对数据文件进行签名,包括: [0019] The signed data files, comprising:

[0020] 根据所述数据文件所属存储区域配置的签名算法,对所述数据文件进行签名。 [0020] The signature algorithm configuration data file relevant to the storage area, the data file is signed. [0021] 对所述加密密钥进行加密; [0021] The encrypting of the encryption key;

[0022] 将所述加密算法、加密后的加密密钥和/或所述签名算法、签名结果生成密钥文件并存储;所述密钥文件与所述数据文件一一对应。 [0022] The encryption algorithm, the encryption key encrypted and / or the signature algorithm, the signature generation key file and store the result; the key file and the data file correspondence.

[0023] 所述服务器根据客户端请求下载的数据文件对应的密钥文件,判断所述数据文件是否已加密和/或是否已签名; [0023] The client requests the server to download the data file corresponding to the key file, determines whether the data file is encrypted and / or are signed;

[0024] 当判断所述数据文件已加密未签名时,对所述数据文件的数据流进行解密,并将解密的所述数据流输出到所述客户端; [0024] When it is determined that the data file has been encrypted is not signed, the data stream to decrypt the data file, and the decrypted data stream to the client;

[0025] 当判断所述数据文件已签名未加密时,对所述数据文件验证签名,并在验证通过后,将所述数据文件的数据流输出到所述客户端; [0025] When determining that the data file is not encrypted signed, verifies the signature of the data file, and after the verification, the output data stream of the data file to the client;

[0026] 当判断所述数据文件已签名且已加密时,对所述数据文件验证签名,并在验证通 [0026] When it is determined that the data file has been signed and encrypted, verifies the signature of the data file and verified through

过后,对所述数据文件的数据流进行解密,将解密的数据流输出到所述客户端。 Later, the data stream of the data file is decrypted, the decrypted output data stream to the client.

[0027] 所述对数据文件验证签名,包括: [0027] The verification signature data files, comprising:

[0028] 根据所述数据文件对应的密钥文件中包含的签名算法和签名结果,对读取的数据文件验证签名; [0028] The results of the signature algorithm and signature key corresponding to the data file contained in the file, the data file of the read signature verification;

[0029] 所述对数据文件的数据流进行解密,包括: [0029] The data stream to decrypt the data files, comprising:

[0030] 将所述密钥文件中加密后的加密密钥进行解密,得到解密密钥;使用所述解密密钥和所述密钥文件中的加密算法对所述数据文件的数据流进行解密。 [0030] The said encryption key to decrypt the encrypted file key, to obtain the decryption key; the encryption algorithm using the decryption key and the key file to the data stream to decrypt the data file .

[0031] 本发明实施例提供的一种网络存储服务器,包括:判断模块、加密模块、签名模块和配置信息存储模块; [0031] A network storage server according to an embodiment of the present invention, comprising: a determining module, the encryption module, and a signature module configuration information storage module;

[0032] 所述判断模块,用于根据配置信息存储模块中存储的数据文件所属存储区域的配置信息,判断所述数据文件是否需加密和/或是否需签名; [0032] The determining module, according to the configuration information of the storage module the data stored in the file storage area belongs, determining whether the data file for an encryption and / or signature if required;

[0033] 所述加密模块,用于当所述判断模块判断出所述数据文件需加密不需签名时,对 When [0033] the encryption module, configured to, when the determining module determines that the data file without the need to encrypt the signature on

所述客户端上载的网络数据流进行加密,并将加密的网络数据流写入所述数据文件;以及 The carrier on the client network data traffic to be encrypted, and the encrypted network traffic to the data file is written; and

当所述判断模块判断出所述数据文件需加密和签名时,在对所述客户端上载的网络数据流 When the determining module determines that the data file for an encrypted and signed in the network on the client data streams uploaded

进行加密并写入所述数据文件后,将所述数据文件传送至所述签名模块; After writing the data file is encrypted and, transferring the data file to the signature module;

[0034] 所述签名模块,用于当所述判断模块判断出所述数据文件需签名不需加密时,将 [0034] The signature module, configured to, when the determining module determines that the data file does not need encryption and signature of the

所述客户端上载的网络数据流写入所述数据文件,并对所述数据文件进行签名;以及接收 The carrier network on a client data stream written to the data file, the data file and a signature; and receiving

加密模块传送的数据文件,对接收的所述数文件进行签名;[0035] 所述配置信息存储模块,用于存储各存储区域的配置信息。 File encryption module transmits the data, the number of signed documents received; [0035] the configuration information storing module, for storing configuration information of each storage area. [0036] 本发明实施例提供的网络存储服务器,还包括: [0036] The network storage server according to an embodiment of the present invention, further comprising:

[0037] 配置模块,用于对预先划分的多个存储区域分别配置其存储的数据文件是否需要加密以及加密算法和/或是否需要签名以及签名算法的参数信息,并将配置的所述参数信息存储于所述配置信息存储模块中。 [0037] The configuration module for storing a plurality of the divided regions are respectively arranged in advance whether the stored data file needs to be encrypted and the encryption algorithm and / or parameter information whether the signature and the signature algorithm and the parameter configuration information the configuration information stored in the storage module.

[0038] 所述加密模块,还用于根据所述配置信息存储模块存储的所述数据文件所属存储区域配置的加密算法,生成加密密钥;根据所述加密算法和生成的加密密钥,对读取的网络数据流进行加密,生成加密的网络数据流; [0038] The encryption module is further configured for the encryption algorithm according to the configuration of the data file information storage module storing the storage area belongs, generating an encryption key; according to the encryption algorithm and encryption key generated for reading the network data stream is encrypted, the network generates the encrypted data stream;

[0039] 所述签名模块,还用于根据所述配置信息存储模块存储的所述数据文件所属存储 [0039] The signature module is further configured to store the relevant data file according to the configuration information stored in the storage module

区域配置的签名算法,对数据文件进行签名。 Signature Algorithm configuration of the area, the data file is signed.

[0040] 本发明实施例提供的网络存储服务器,还包括: [0040] The network storage server according to an embodiment of the present invention, further comprising:

[0041] 密钥文件生成模块,用于对所述加密密钥进行加密;以及将所述加密算法、加密后的加密密钥和/或所述签名算法、签名结果生成密钥文件,并与所述数据文件一一对应; [0042] 密钥文件存储模块,用于存储所述密钥文件。 [0041] The key file generating module, for encrypting the encryption key; and the encryption algorithm, the encryption key encrypted and / or the signature algorithm, signature result to generate the key file, and with the data file correspondence; [0042] key file storing module for storing the key file.

[0043] 本发明实施例提供的网络存储服务器,还包括:验证模块和解密模块; Embodiment [0043] embodiment of the present invention to provide a network storage server, further comprising: an authentication module and a decryption module;

[0044] 所述判断模块,还用于根据客户端请求下载的数据文件对应的密钥文件,判断请 [0044] The determining module is further configured to request to download the data file by the client, corresponding to the key file is determined please

求下载的数据文件是否已加密和/或是否已签名; Whether seeking the downloaded data file is encrypted and / or are signed;

[0045] 所述验证模块,用于当所述判断模块判断所述数据文件已签名未加密时,对所述数据文件验证签名,并在验证通过后,将所述数据文件的数据流输出到所述客户端;以及当所述判断模块判断数据文件已签名且已加密时,对所述数据文件验证签名,并在验证通过后,将所述数据文件发送至所述解密模块; [0045] The authentication module is configured to, after the judging module determines that the data file is not encrypted signed, verifies the signature of the data file, and the verification is passed, when the data stream is output to the data file the client; and if the judging module determines that the data file has been signed and encrypted, verifies the signature of the data file, and after the verification, transmitting the data file to the decryption module;

[0046] 所述解密模块,用于当所述判断模块判断所述数据文件已加密未签名时,对所述数据文件的数据流进行解密,并将解密的数据流输出到所述客户端;以及接收所述验证模块发送的数据文件,对接收的所述数据文件的数据流进行解密,将解密的数据流输出到所述客户端。 [0046] The decryption module configured to, when the judging module determines that the file is encrypted unsigned data, the data stream to decrypt the data file, and outputs the decrypted data stream to the client; and receiving the authentication module sends the data file, the data file of the data stream received is decrypted, the decrypted data stream to the client.

[0047] 本发明实施例提供的网络存储服务器中的验证模块,还用于根据所述密钥文件中包含的签名算法和签名结果,对读取的数据文件验证签名; [0047] Network Storage server provided in the embodiment of the present invention, the authentication module is further configured in accordance with the result of the signature algorithm and signature key contained in the file, the data file of the read signature verification;

[0048] 本发明实施例提供的网络存储服务器中的解密模块,还用于对所述密钥文件中的加密后的加密密钥进行解密,得到解密密钥;使用所述解密密钥和所述密钥文件中的加密算法对所述数据文件的数据流进行解密。 [0048] Network Storage server provided in the embodiment of the present invention, the decryption module is also used for the key encryption key to decrypt the encrypted file, to obtain the decryption key; and the use of the decryption key said encryption algorithm key file to the data stream to decrypt the data file. [0049] 本发明有益效果如下: [0049] Advantageous effects of the present invention are as follows:

[0050] 本发明实施例提供的一种网络数据存储方法及服务器,服务器接收客户端发起的数据上载请求,创建数据文件,根据数据文件所属存储区域的配置信息,对客户端上载的网络数据流进行加密,将加密后的网络数据流写入数据文件;或将上载的网络数据流写入数据文件后,对数据文件进行签名,或对客户端上载的网络数据流进行加密后,将加密后的网络数据流写入数据文件,并对数据文件进行签名。 A network provided data storage method and a server according to the [0050] present invention, the server receives the client initiates the data upload request, create a data file, according to the configuration information of the data file belongs storage area network data uploaded by a client stream encrypting the network data stream writes the encrypted data file; after or uploaded network data stream written to the data file, the data file is signed, or uploaded client network traffic is encrypted, the encrypted network data stream to write data files, and the data file is signed. 本发明实施例提供的网络存储方法及服务器,由于可以将数据文件分散存储于预先划分的多个存储区域中,避免了现有技术中的安全文件系统中所有加密的文件都存储于单一文件所带来的读/写访问的效率不高的问题;再者,由于不同存储区域的配置的加密和/或签名的参数信息可以不同,不仅提高了系 Embodiment of the present invention and method for storing network server provided, since the data files are stored in a plurality of dispersed storage regions divided in advance, it avoids the prior art secure file system all encrypted files are stored in a single file bring the read / write access efficiency is not high; Moreover, since the encryption configuration of different storage areas and / or signature parameter information may be different, not only to improve the system

6统的扩展性,还保证了网络存储数据的完整性和保密性。 6 scalable system, but also to ensure the integrity and confidentiality of the data storage network.

[0051] 进一步地,本发明实施例提供的网络存储方法中,还将加密算法、加密后的加密密钥和/或签名算法、签名结果生成密钥文件,并与数据文件一一对应,某个数据文件的密钥文件被破解或损坏,不会对其他数据文件的安全造成影响,避免了现有网络存储服务器采用的安全文件系统将所有加密文件的密钥集中管理带来的弊端,进一步地提高了系统的健壮性。 [0051] Further, the embodiment of the network storage method provided in the present invention, also the encryption algorithm, the encryption key encrypted and / or signature algorithm, the signature result to generate the key file, the data file and correspondence, a data file key file is cracked or damaged, will not affect the safety of other data files, avoiding the drawbacks of the existing network storage server using a secure file system will be key to centrally manage all the encrypted file to bring further improve the robustness of the system. 由于密钥文件的存在,使得数据文件的解密不依赖于所属存储区域的配置参数,因此随时可以根据需要修改存储区域的配置参数,进一步提高了系统的扩展性,还进一步保证了网络存储数据的完整性和保密性。 Because of the key file, decrypts the data file that is not dependent on the configuration parameter storage area belongs, and is ready to modify the configuration parameters required storage area, further improve the scalability of the system, to ensure that the network further stored data integrity and confidentiality.

[0052] 发明实施例提供的网络数据存储方法,通过采用现有网络服务器操作系统自身的文件系统即可实现,由于操作系统的文件系统对上层系统而言具有统一的接口,保证了网络存储服务器的开放性。 Network data storage method provided in this embodiment [0052] The invention can be realized by using existing network server operating system file system itself, because the operating system's file system for a unified interface to an upper layer of the system, to ensure that the network storage server openness.

附图说明 BRIEF DESCRIPTION

[0053] 图1为本发明实施例提供的网络数据存储方法中数据上载流程图; [0054] 图2为本发明实施例提供的生成密钥文件的流程图; [0055] 图3为本发明实施例提供的网络数据存储方法中数据下载流程图; [0056] 图4为本发明实施例提供的网络存储服务器的结构示意图。 [0053] FIG. 1 contains a flowchart of the data on the network data storage method according to an embodiment of the present invention; [0054] FIG 2 is a flowchart of generating a key file provided by the embodiment of the invention; [0055] 3 of the present invention, FIG. network data storage method in a flowchart of download data according to an embodiment; [0056] FIG. 4 is a schematic structure of a network storage server according to an embodiment of the present invention.

具体实施方式 detailed description

[0057] 下面结合附图,以具体的实施例对本发明提供的一种网络数据存储方法及服务器进行详细的说明。 [0057] DRAWINGS A data storage method and a network server to a specific embodiment of the present invention will be provided in detail.

[0058] 本发明实施例提供的网络数据存储方法,针对服务器侧进行了改进。 Network data storage method provided in this embodiment [0058] of the present invention, improved for the server side. 本发明实施例提供的网络数据存储方法可以应用于常见的网络存储服务器如FTP或WEBDAV服务器等, 利用FTP或WEBDAV服务器现有操作系统提供的文件系统就可以实现,而不需要额外采用专门的安全文件系统作为网络数据的后台存储系统。 Network data storage method according to an embodiment of the present invention may be applied to a common network storage server such as an FTP server, or the like WEBDAV, using the file system existing FTP or WEBDAV server operating system can be achieved without the use of special additional security file system as a background network data storage system. 这样,由于操作系统的文件系统对外的接口是统一的接口(例如标准的FTP或WEBDAV接口),保证了网络存储服务器的开放性。 Thus, since the operating system's file system external interface is a unified interface (such as standard FTP or WEBDAV Interface) to ensure the openness of the network storage server. 从读写访问的角度来说,直接访问服务器操作系统自身文件系统的效率,也优于通过服务 From the perspective of read and write access, the efficiency of direct access to the server operating system, file system itself, but also through superior service

器操作系统访问另外的安全文件系统的效率。 The efficiency of the operating system to access additional safety file system.

[0059] 本发明实施例提供的网络数据存储方法,可以预先将服务器本地的存储空间中划分多个存储区域,每个存储区域例如可以对应文件系统的一个目录,如"Serverl/areal"、 "Serverl/area2"等等。 [0059] network data storage method provided in the embodiment of the present invention, the local server may be previously divided into a plurality of storage space in the storage areas, each storage area may correspond, for example, a file system directory, such as "Serverl / areal", " Serverl / area2 "and so on. 还可以实现对存储区域增加、删除和修改等操作。 You can also achieve increased storage area, delete and modify such an operation. [0060] 并且,对于每个存储区域,需要预先对其中存储的数据文件是否需要加密以及加密算法和/或是否需要签名以及签名算法的参数信息分别进行配置,各个存储区域的配置信息是相互独立的,可以对不同的区域配置不同的加密算法和不同的签名算法,可以设置某一区域的数据文件仅加密不签名,而另外一个区域的数据文件不仅需要加密还需要进行签名,等等。 [0060] and, for each memory region, it is necessary for the data file is stored therein needs to be encrypted and the encryption algorithm and / or parameter information whether the signature algorithm and signature are configured, the configuration information of the respective storage areas are each independently can be configured for different regions and different encryption algorithms different signature algorithm, you can set the data files of a given region is not only encrypted signature, and the other a data file encryption region not only need to be signed, and so on. 在此不再枚举。 Which I will not enumerate. 在具体使用过程中,还可以根据需要,对存储区域的配置信息进行修改。 In the specific use, it may also be necessary, the configuration information storing area to be modified.

[0061] 下面结合客户端发起的网络数据上载流程,说明本发明实施例提供的网络数据存储方法。 [0061] The following process data on the network in conjunction with the carrier initiated by the client, the network description data storing method according to an embodiment of the present invention.

7[0062] 本发明实施例提供的网络数据存储方法,如图1所示,包括以下步骤: [0063] 步骤S101、服务器接收客户端发起的数据上载请求。 7 [0062] network data storage method provided in the embodiment of the present invention, shown in Figure 1, comprising the steps of: [0063] step S101, the server receives a data upload request initiated by the client.

[0064] 对于客户端来说,可以根据需要,请求将上载的数据流以文件的形式存储于服务器侧的任何一个存储区域中。 Any storage region [0064] For the client, as needed, request the uploaded data stream is stored in the server side in the form of a file.

[0065] 步骤S102、服务器根据该数据上载请求中携带有数据文件的存储区域信息,在存储区域中创建数据文件。 [0065] step S102, the server carries the information of the data storage area of ​​file data carrier according to the request, create a data file in the storage area.

[0066] 客户端发送的数据上载请求中可以通过携带存储区域的统一资源定位标识(Uniform Resource Locator, URL)来指示具体是哪个存储区域,例如"ftp:〃Server1/ areal ,,、 "http: //Server 1/area2 ,,等。 [0066] The data upload request sent by a client may be indicated by a Uniform Resource Locator carry identification (Uniform Resource Locator, URL) to which the storage area is particularly memory area, for example, "ftp: 〃Server1 / areal ,,," http: // Server 1 / area2 ,, and so on.

[0067] 步骤S103、根据数据文件所属存储区域的配置信息,判断数据文件是否需要加密; 若判断结果为否,执行步骤S104,若是,执行步骤S105 ; [0067] Step S103, the data file belongs according to configuration information storage area, determines whether the data file needs to be encrypted; if the judgment result is negative, performing step S104, if yes, performs step S105;

[0068] 步骤S104、将上载的网络数据流直接写入创建好的数据文件中,然后执行步骤S108。 [0068] step S104, the network traffic uploaded directly write the created data file, and then perform step S108.

[0069] 步骤S105、根据该数据文件所属存储区域配置的加密算法生成加密密钥。 [0069] step S105, the encryption key from the encryption algorithm to generate the configuration data file storage area belongs.

[0070] 本步骤S105中的加密密钥是随机实时生成的,在每次上载数据流的过程中生成 [0070] encryption key in step S105 is present randomly generated in real time, during each generates upload data stream

的加密密钥都不相同。 The encryption key is not the same.

[0071] 步骤S106、根据该数据文件所属存储区域配置的加密算法和步骤S105生成的加密密钥,对上载的网络数据流进行加密。 [0071] step S106, the encryption algorithm and the encryption key in accordance with the step of the configuration of data file storage area belongs S105 generated by the network to the uploaded data stream is encrypted.

[0072] 步骤S107、将加密的网络数据流写入创建好的数据文件中。 [0072] Step S107, the encrypted network traffic the created data file is written.

[0073] 步骤S108、根据数据文件所属存储区域的配置信息,判断数据文件是否需要签名; 若判断结果为是,执行步骤S109,若否,跳转至步骤S110。 [0073] Step S108, the data file belongs according to configuration information storage area, determines whether the data file needs to be signed; if the determination result is yes, perform step S109, if No, go to step S110.

[0074] 步骤S109、根据该数据文件所属存储区域配置的签名算法,对该数据文件进行签 [0074] step S109, the signature algorithm in accordance with the configuration data file relevant to the storage area, the data files are checked

名。 name. 签名完成后,执行下述步骤SllO。 After the signature is completed, the following steps are performed SllO.

[0075] 步骤S110、向客户端返回上载成功的确认消息。 [0075] step S110, the client returns to the confirmation of a successful upload message.

[0076] 本发明实施例中,还可以在上述流程的基础上,增加生成密钥文件的流程,生成密钥文件的流程可以独立与图1所示的流程之外,也可以包含在图1所示的流程之中,与上述步骤S101至步骤S110合为一个整体的流程。 [0076] Example embodiments of the present invention, may also be on the basis of the above processes, the process of increasing the generated file key to generate the key file and process flow may independently other than shown in FIG. 1, may be included in FIG. 1 shown in the flow, the above-described steps S101 to S110 of the process as a whole together. 为了说明地清楚,使用用图2的流程图进行示意。 To illustrate the clarity, the schematic flowchart of Figure 2.

[0077] 如图2所示,本发明实施例中生成密钥文件的流程,包括以下步骤: [0078] 步骤S201、根据数据文件所属存储区域的配置信息,判断数据文件是否需要加密和是否需要签名,当任一判断结果为是时,执行步骤S202 ;若否,即判断该数据文件既不需要加密也并不需要签名时,直接跳转至步骤S208结束当前流程。 [0077] As shown in FIG. 2, the flow key file generated in the embodiment of the present invention, comprising the steps of: [0078] step S201, the data file belongs according to configuration information storage area, determines whether the data file needs to be encrypted and whether signatures, when any one of the determination result is YES, a step S202; if NO, i.e., there is neither a need to encrypt the data file does not need to be signed directly jumps to step S208 to end the current process.

[0079] 本步骤S201可以在图1所示的步骤S104或步骤S107之后,步骤S108之前执行。 After S107, the step S108 may be performed before the step shown in FIG. 1 [0079] The present step or steps S201 S104.

[0080] 步骤S202、按照设定的数据文件和密钥文件的对应规则,创建密钥文件。 [0080] step S202, in a corresponding rule data file and key file set key file is created.

[0081] 本发明实施例并不限定密钥文件采用何种具体类型,例如文本文件类型或关系数 [0081] Example embodiments of the present invention is not limited to the particular type of use which the key file, a text file or relational type Number e.g.

据库记录等。 According to library records.

[0082] 步骤S203、根据数据文件所属存储区域的配置信息,判断数据文件是否需要签名, [0082] step S203, the data file according to the configuration information storage area belongs, judges whether a signature data file,

若是,执行下述步骤S204、若否,跳转至步骤S206。 If yes, performing the following step S204, if No, go to step S206.

[0083] 本步骤S203可以与图1中的步骤S108为同一个步骤。 [0083] Step S203 may be present in step S108 in FIG. 1 for the same step.

8[0084] 步骤S204、将签名算法、签名结果写入密钥文件。 8 [0084] step S204, the signature algorithm, the signature result is written to the key file. [0085] 本步骤S204可以在图1所示的步骤S109之后执行。 [0085] This step may be performed after step S204 shown in FIG. 1 S109.

[0086] 步骤S205、根据数据文件所属存储区域的配置信息,判断数据文件是否需要加密, 若是,执行步骤S206 、若否,直接执行步骤S208 。 [0086] step S205, the data file belongs according to configuration information storage area, it is determined whether the data file needs to be encrypted, if yes, step S206, and if not, perform Step S208. [0087] 步骤S206、使用公钥对加密密钥进行加密。 [0087] step S206, using the public key encryption key.

[0088] 服务器可以预先配置公私密钥对,在此步骤中使用配置的公钥对加密密钥进行加密。 [0088] The server may be preconfigured public-private key pair encryption key encrypted using the public key configured in this step.

[0089] 步骤S207、将加密算法、加密后的加密密钥写入密钥文件。 [0089] step S207, the encryption algorithm, the encryption key encrypted key file is written. [0090] 步骤S208、结束流程。 [0090] step S208, the process ends.

[0091] 本流程结束后,可以执行图1所示的最后一个步骤SllO。 After [0091] the present process, the last step may be performed as shown in FIG. 1 SllO.

[0092] 本发明实施例中,在创建密钥文件时,可以采用预先设定的对应规则,将创建的密钥文件与数据文件之间一一对应,并且可以存储在同一个存储区域中。 Embodiment [0092] In the present invention, when the key file is created, a corresponding predetermined rule may be employed, one correspondence between the key files and data files created, and may be stored in the same storage area. 举例来说,密钥文件和数据文件的对应规则可以如下: For example, the rules corresponding to the key files and data files may be as follows:

[0093] 密钥文件的文件名可以采用数据文件的文件名加上特有的后缀组成。 Filename [0093] The key file may be a data file using the file name with a unique suffix. 如下表所示: Following table:

[0094] 表1 [0095] [0094] Table 1 [0095]

文件名称 大小 类型 File Name Size Type

5-421. txt 3KB 文本文档 5-421. Txt 3KB text document

5-421. txt. cipher 1KB CIPHER文件 5-421. Txt. Cipher 1KB CIPHER file

5-422. TIF 129KB TIF图像 5-422. TIF 129KB TIF image

5-422. TIF. cipher 1KB CIPHER文件 5-422. TIF. Cipher 1KB CIPHER file

[0096] 上表1中,文件名为5_421. txt和5_422. TIF是数据文件,5_421. txt. cipher和5_422. TIF. cipher分别是上述两个数据文件对应的密钥文件。 Table 1 [0096] the file name 5_421. Txt and 5_422. TIF file data, 5_421. Txt. Cipher and 5_422. TIF. Cipher data file are corresponding to the above-described two key files.

[0097] 显而易见,本发明实施例中,密钥文件和数据文件的对应规则并不局限于上述对应方式。 [0097] apparent, embodiments of the present invention, the mapping rules key files and data files corresponding to the above-described embodiment is not limited.

[0098] 在本发明实施例服务器侧的文件系统中,上述密钥文件的文件属性可以设置为隐藏,普通用户通过网络在服务器侧查找文件时,服务器侧不会显示相应的密钥文件。 [0098] In the embodiment of the file system on the server side of the embodiment of the present invention, the above key attribute file to be hidden, ordinary users to find files on a network server side, the server side does not display the appropriate key file. [0099] 有权限的用户对服务器侧的数据文件进行修改或删除时,需要同时修改或删除其对应的密钥文件。 When the [0099] authorized users of the file server-side data is modified or deleted, you need to modify or delete the corresponding key files.

[0100] 与本发明实施例提供的网络存储方法中的网络数据上载流程相对应,当客户端发起网络数据下载请求时,本发明实施例提供的网络数据存储方法,在服务器侧处理流程,如图3所示,包括以下步骤: [0100] data on the network the network storage method provided by the present invention are reflected in the flow corresponds, when the client initiates a network data download request, the network data storing method according to an embodiment of the present invention, the process flow on the server side, such as As shown in FIG. 3, comprising the steps of:

[0101] 步骤S301、服务器接收客户端发起的网络数据下载请求。 [0101] step S301, the server receives a client request to initiate data download network.

[0102] 步骤S302、根据该请求中携带的该数据文件的URL和文件标识信息,在对应的存储领域中读取该数据文件。 [0102] step S302, the identification information according to the URL of the file and the data file is carried in the request, read the data file in the corresponding memory area.

[0103] 步骤S303、根据该数据文件对应的密钥文件,判断该数据文件是否已签名,若是, 执行步骤S304 ;若否,执行步骤S308。 [0103] step S303, the file based on the data corresponding to the key file, determines whether the data file has been signed, and if yes, executes step S304,; otherwise, go to step S308.

[0104] 本步骤S303中,可以通过数据文件和密钥文件之间的对应规则,找到该数据文件对应的密钥文件,根据密钥文件中包含的具体内容来判断该数据文件是否签名(如果该密钥文件中仅包含了加密算法和加密后的加密密钥,那么可以判断该数据文件已加密未签名,如果该密钥文件中仅包含了签名算法和签名结果,那么可以判断该数据文件已签名未加密,如果该密钥文件中同时包含上述两类信息,那么可以判断该数据文件已加密并且已签名)。 [0104] In this step S303, by the corresponding rules between data and key files, the data file to find the corresponding key file is determined according to the specific content of the key file contains the data if the signature file (if the key file contains the encryption algorithm and encryption key encrypted only, you can determine whether the data file is encrypted unsigned, if the file contains only the key signature algorithm and signature result, it can be determined that the data file signed not encrypted, if the key file contains the above-described two types of information, it can be judged that the data file is encrypted and signed).

[0105] 步骤S304、根据该密钥文件中包含的签名算法和签名结果,对读取的数据文件验证签名。 [0105] step S304, the signature algorithm and according to the result of the signature key contained in the file, the data file is read to verify the signature.

[0106] 步骤S305、判断验证是否通过;验证失败时,执行步骤S306。 [0106] step S305, the verify is determined by; verification fails, to step S306. 验证通过时,执行步骤S307。 When the verification is passed, performing step S307.

[0107] 步骤S306、向客户端返回出现错误的确认消息。 [0107] step S306, the client returns an acknowledgment message to errors.

[0108] 步骤S307、根据该数据文件对应的密钥文件,判断该数据文件是否已加密,若是, 执行步骤S308,若否,跳转至步骤S310。 [0108] step S307, based on the data file corresponding to the key file, determines whether the data file is encrypted, if yes, step S308, and if not, go to step S310.

[0109] 步骤S308、使用配置的私钥,对该密钥文件中的加密后的加密密钥进行解密,得到解密密钥。 [0109] step S308, using the configured private key, the key encryption key to decrypt the encrypted file, to obtain the decryption key.

[0110] 步骤S309、使用步骤S308得到的解密密钥和该密钥文件中的加密算法,对数据文 [0110] step S309, the decryption key obtained in step S308 using the key file and the encryption algorithm, the data packet

件的数据流进行解密,得到解密后的网络数据流。 Decrypting the data stream element, to obtain the decrypted network traffic.

[0111] 步骤S310、将数据文件的数据流传输至客户端。 [0111] step S310, the data of the streaming data files to the client.

[0112] 步骤S311 、返回下载成功的确认消息。 [0112] Step S311, returns a successful download acknowledgment message.

[0113] 根据本发明实施例提供的网络数据存储方法,本发明实施例还提供了一种网络存储服务器,如图4所示,包括:判断模块401、加密模块402、签名模块403和配置信息存储模 [0113] The network data storage method according to an embodiment of the present invention, embodiments of the present invention further provides a network storage server, shown in Figure 4, comprising: a determining module 401, encryption module 402, and a signature module configuration information 403 memory modules

块404 ;其中: Block 404; wherein:

[0114] 判断模块401,用于根据配置信息存储模块404中存储的该数据文件所属存储区域的配置信息,判断该数据文件是否需加密和/或是否需签名; [0114] a determination module 401, according to the configuration information of the data file storage area belongs module configuration information stored in the storage 404, determines whether it is necessary to encrypt the data file and / or if the signature is required;

[0115] 加密模块402,用于当判断模块401判断出数据文件需加密不需签名时,对客户端上载的网络数据流进行加密,并将加密的网络数据流写入该数据文件;以及当判断模块401判断出该数据文件需加密和签名时,在对读取的网络数据流进行加密并写入该数据文件后,将该数据文件传送至签名模块403 ; [0115] The encryption module 402, configured to, when the determining module 401 determines that the required data file does not need encryption signature of the carrier on the client encrypts network data stream, and writes the encrypted file data network data stream; and when when determining module 401 determines that the data file for an encrypted and signed in the network data stream read and write the encrypted data file, the data file is transmitted to the signature module 403;

[0116] 签名模块403,用于当判断模块401判断出该数据文件需签名不需加密时,将客户端上载的网络数据流写入该数据文件,并对该数据文件进行签名;以及接收加密模块402 传送的数据文件,对接收的数据文件进行签名; [0117] 配置信息存储模块404,用于存储各存储区域的配置信息。 [0116] signature module 403, configured to, when the determining module 401 determines that the data file does not need encryption and signature of the client network uploaded data stream written to the data file, the data file and the signature; and receiving encrypted data file transfer module 402, the received data file is signed; [0117] configuration information storing module 404, configuration information is stored in each storage area.

[0118] 本发明实施例提供的网络存储服务器,如图4所示,还可以包括:配置模块405,用于对预先划分的多个存储区域分别配置其存储的数据文件是否需要加密以及加密算法和/ 或是否需要签名以及签名算法的参数信息,并将配置的参数信息存储于配置信息存储模块404中。 [0118] embodiment of the present invention is provided in a network storage server, shown in Figure 4, may further comprise: a configuration module 405, a plurality of divided storage regions are arranged in advance stored data file needs to be encrypted and the encryption algorithm whether and / or whether a signature and signature algorithm parameter information, and configuration information is stored in the parameter configuration information storage module 404. [0119] 加密模块402,还用于根据配置信息存储模块404中存储的该数据文件所属存储区域配置的加密算法,生成加密密钥;根据该加密算法和生成的加密密钥,对读取的网络数据流进行加密,生成加密的网络数据流; [0119] The encryption module 402 is also configured for the encryption algorithm according to the relevant file data storage area configuration information stored in the storage module 404, to generate an encryption key; based on the encryption algorithm and the encryption key generation on the read encrypting network traffic, the network generates the encrypted data stream;

[0120] 签名模块403,还用于根据配置信息存储模块404存储的该数据文件所属存储区域配置的签名算法,对数据文件进行签名。 [0120] signature module 403 is further configured to configure a signature algorithm based on the configuration information of the data file stored in the storage module 404 belongs to a storage area, the data file is signed.

[0121] 本发明实施例提供的网络存储服务器,如图4所示,还可以包括:密钥文件生成模块406和密钥文件存储模块407 ; Embodiment [0121] embodiment of the present invention to provide a network storage server, shown in Figure 4, may further include: a key file generating module 406, and a key file storing module 407;

[0122] 密钥文件生成模块406,用于使用公钥对加密密钥进行加密;以及将加密算法、加密后的加密密钥和/或所述签名算法、签名结果生成密钥文件,并与该数据文件一一对应; [0123] 密钥文件存储模块407,用于存储密钥文件。 [0122] key file generating module 406, using public key encryption key; and the encryption algorithm, the encryption key encrypted and / or the signature algorithm, signature result to generate the key file, and with the data file correspondence; [0123] 407 key file storing module, for storing the key file.

[0124] 根据本发明实施例提供的一种网络数据存储方法中的网络数据下载流程,本发明实施例提供的网络存储服务器,如图4所示,还可以包括下面两个模块:验证模块408和解密模块409 ; [0124] The network data download process A network data storage method provided in the embodiment of the present invention, the embodiment of the present invention is provided in a network storage server, shown in Figure 4, the following two modules may further comprise: a verification module 408 and a decryption module 409;

[0125] 判断模块401,还用于根据客户端请求下载的数据文件对应的密钥文件,判断请求下载的数据文件是否已加密和/或是否已签名; [0125] determining module 401 is further configured to request to download the data file by the client, corresponding to the key file and determines whether a request to download data file is encrypted and / or are signed;

[0126] 验证模块408,用于当判断模块401判断该数据文件已签名未加密时,对该数据文件验证签名,并在验证通过后,将该数据文件的数据流输出到客户端;以及当判断模块401 判断该数据文件已签名且已加密时,对该数据文件验证签名,并在验证通过后,将该数据文件发送至解密模块409 ; [0126] authentication module 408, if the determining module 401 determines that the data file is not encrypted signed, verifies the signature of the data file, and after the verification, file data of the data stream output to the client; and when when determining module 401 determines that the data file has been signed and encrypted, verifies the signature of the data file, and after the verification, the data file is sent to the decryption module 409;

[0127] 解密模块409,用于当判断模块401判断该数据文件已加密未签名时,对该数据文 When [0127] the decryption module 409, a determining module 401 determines if the file is encrypted unsigned data, the data packet

件的数据流进行解密,并将解密的数据流输出到客户端;以及接收验证模块408发送的数 Data stream element decrypt the decrypted data stream output to the client; and the number of receiving transmitted authentication module 408

据文件,对接收的数据文件的数据流进行解密,将解密的数据流输出到客户端。 Data file, the data file of the data stream received is decrypted, the decrypted output data stream to the client.

[0128] 本发明实施例提供的网络存储服务器中的验证模块408,还用于根据该数据文件 [0128] Network Storage Server according to an embodiment of the present invention, the verification module 408, based on the data file for further

对应的密钥文件中包含的签名算法和签名结果,对读取的数据文件验证签名。 Signature algorithm and signature key corresponding to the results contained in the file, the data file is read to verify the signature.

[0129] 解密模块409,还用于使用私钥和密钥文件中包含的加密算法,对密钥文件中的加 [0129] the decryption module 409 is further configured to use an encryption algorithm and a private key contained in the file, in addition to the key file

密后的加密密钥进行解密,得到解密密钥;使用解密密钥对该数据文件的数据流进行解密。 Secret encryption key is decrypted, to obtain the decryption key; data stream using the decryption key to decrypt the data file.

[0130] 本发明实施例提供的一种网络数据存储方法及服务器,服务器接收客户端发起的 [0130] The present invention provides a method of data storage and network server provided, the server receives the client-initiated

数据上载请求,创建数据文件,根据数据文件所属存储区域的配置信息,对客户端上载的网 Data upload request, create a data file, a data file according to the configuration information storage area belongs, to the network client upload

络数据流进行加密,将加密后的网络数据流写入数据文件;或将上载的网络数据流写入数 Envelope data stream is encrypted, the network data stream encrypted data file is written; network or writes data stream uploaded

据文件后,对数据文件进行签名,或对客户端上载的网络数据流进行加密后,将加密后的网 According to the document after, the data file is signed, or uploaded client network traffic is encrypted, the encrypted network

络数据流写入数据文件,并对数据文件进行加密。 Envelope data stream is written data file, and the data files are encrypted. 当客户端请求进行网络数据下载时,相应 When a network client requests to download data, the corresponding

地,根据数据文件所属存储区域的配置信息,对数据文件进行验证和/或解密的操作,将验 , The data file belongs according to configuration information storage area, the data file authentication and / or decryption operations, the test

证通过和/或解密后的文件数据流传送给客户端。 Card file data and / or post-decrypted by the stream to the client.

[0131] 本发明实施例提供的网络存储方法及服务器,由于可以将数据文件分散存储于预先划分的多个存储区域中,避免了现有技术中的安全文件系统中所有加密的文件都存储于同一个文件所带来的读/写访问的效率不高的问题;再者,由于不同存储区域的配置的加密和/或签名的参数信息可以不同,不仅提高了系统的扩展性,还进一步保证了网络存储数据的完整性和保密性。 [0131] Method and network storage server according to an embodiment of the present invention, since the data files are stored in a plurality of dispersed storage regions divided in advance, avoids all encrypted files prior art security system are stored in the file It brought the same file read / write access efficiency is not high; Moreover, since the encryption configuration of different storage areas and / or signature parameter information may be different, not only improves the scalability of the system, further guarantee integrity and confidentiality of the data storage network.

[0132] 进一步地,本发明实施例提供的网络存储方法中,还将加密算法、加密后的加密密钥和/或签名算法、签名结果生成密钥文件并与数据文件一一对应,某个数据文件的密钥文件被破解或损坏,不会对其他数据文件的安全造成影响,避免了现有网络存储服务器采用的安全文件系统将所有加密文件的密钥集中管理带来的弊端,进一步地提高了系统的健壮性。 [0132] Further, the embodiment of the network storage method provided in the present invention, also the encryption algorithm, the encryption key encrypted and / or signature algorithm, the signature generation key file and the result data file with one correspondence, a data file key file is cracked or damaged, will not affect the safety of other data files, avoiding the drawbacks of the existing network storage server using a secure file system will be key to centrally manage all encrypted files brought further improve the robustness of the system. 由于密钥文件的存在,使得数据文件的解密不依赖于所属存储区域的配置参数,因此随时可以根据需要修改存储区域的配置参数,进一步提高了系统的扩展性,还进一步保证了网络存储数据的完整性和保密性。 Because of the key file, decrypts the data file that is not dependent on the configuration parameter storage area belongs, and is ready to modify the configuration parameters required storage area, further improve the scalability of the system, to ensure that the network further stored data integrity and confidentiality.

[0133] 另外,发明实施例提供的网络数据存储方法,可以直接采用现有网络服务器操作系统自身的文件系统进行数据的上载和下载的操作,由于操作系统的文件系统对上层系统而言具有统一的接口(例如标准的FTP或WEBDAV接口),保证了网络存储服务器的开放性。 [0133] Further, network data storage method provided in the embodiment of the invention, can be directly used existing network server operating system itself file system data upload and download operations, since the operation system's file system with a uniform system for the upper interface (e.g., FTP or WEBDAV standard interfaces), to ensure that the open network storage server. 从读写访问的角度来说,直接访问服务器操作系统自身文件系统的效率,也优于通过服务 From the perspective of read and write access, the efficiency of direct access to the server operating system, file system itself, but also through superior service

器操作系统访问另外的安全文件系统的效率。 The efficiency of the operating system to access additional safety file system.

[0134] 显然,本领域的技术人员可以对本发明进行各种改动和变型而不脱离本发明的精神和范围。 [0134] Obviously, those skilled in the art can make various modifications and variations to the invention without departing from the spirit and scope of the invention. 这样,倘若本发明的这些修改和变型属于本发明权利要求及其等同技术的范围之内,则本发明也意图包含这些改动和变型在内。 Thus, if these modifications and variations of the present invention fall within the claims of the invention and the scope of equivalents thereof, the present invention intends to include these modifications and variations.

Claims (10)

  1. 一种网络数据存储方法,其特征在于,包括:服务器根据数据文件所属存储区域的配置信息,判断所述数据文件是否需加密和/或是否需签名;当判断所述数据文件需加密不需签名时,对所述客户端上载的网络数据流进行加密,并将加密的所述网络数据流写入所述数据文件;当判断所述数据文件需签名不需加密时,将所述客户端上载的网络数据流写入所述数据文件,对所述数据文件进行签名;当判断所述数据文件需要加密和签名时,对所述客户端上载的网络数据流进行加密,将加密的网络数据流写入所述数据文件,对所述数据文件进行签名。 A network data storage method, characterized by comprising: a data server according to configuration information file storage area belongs, determining whether it is necessary to encrypt the data file and / or if the signature is required; if the data file is determined without the need to encrypt the signature when, on the carrier of the network client to encrypt the data stream, and writing the encrypted data file to the network traffic; and when determining that the data file without the need to encrypt the signature will be contained on the client network data stream written to the data file, the data file is signed; and when determining that the data file needs to be encrypted and a signature of the carrier on the client network traffic is encrypted, the encrypted network traffic writing the data file, the data file is signed.
  2. 2. 如权利要求l所述的方法,其特征在于,还包括:对预先划分的多个存储区域,分别配置其存储的数据文件是否需要加密以及加密算法和/或是否需要签名以及签名算法的参数信息;所述对客户端上载网络数据流进行加密,包括:根据所述数据文件所属存储区域配置的加密算法,生成加密密钥; 根据所述加密算法和生成的加密密钥,对客户端上载的网络数据流进行加密; 所述对数据文件进行签名,包括:根据所述数据文件所属存储区域配置的签名算法,对所述数据文件进行签名。 2. The method according to claim l, characterized in that, further comprising: a plurality of storage areas is classified in advance, are arranged whether stored data file needs to be encrypted and the encryption algorithm and / or the need for a signature and a signature algorithm parameter information; the network for carrying a data stream encrypted client, comprising: an encryption algorithm in accordance with the configuration of the file data storage area belongs, generating an encryption key; according to the encryption algorithm and the encryption key generated, the client uploading network data traffic to be encrypted; the sign of the data file, comprising: a signature algorithm according to the configuration data file relevant to the storage area, the data file is signed.
  3. 3. 如权利要求2所述的方法,其特征在于,还包括: 对所述加密密钥进行加密;将所述加密算法、加密后的加密密钥和/或所述签名算法、签名结果生成密钥文件并存储;所述密钥文件与所述数据文件一一对应。 3. The method according to claim 2, characterized by further comprising: encrypting the encryption key; the encryption algorithm, the encryption key encrypted and / or the signature algorithm, the signature result generated and storing the key files; the key file and the data file correspondence.
  4. 4. 如权利要求3所述的方法,其特征在于,还包括:所述服务器根据客户端请求下载的数据文件对应的密钥文件,判断所述数据文件是否已加密和/或是否已签名;当判断所述数据文件已加密未签名时,对所述数据文件的数据流进行解密,并将解密的所述数据流输出到所述客户端;当判断所述数据文件已签名未加密时,对所述数据文件验证签名,并在验证通过后,将所述数据文件的数据流输出到所述客户端;当判断所述数据文件已签名且已加密时,对所述数据文件验证签名,并在验证通过后, 对所述数据文件的数据流进行解密,将解密的数据流输出到所述客户端。 4. The method according to claim 3, characterized in that, further comprising: a server according to the client requests to download a data file corresponding to the key file, determines whether the data file is encrypted and / or are signed; when determining the unsigned data file is encrypted, the data stream to decrypt the data file, and the decrypted data stream to the client; and when determining that the encrypted data file is not signed, verifies the signature of the data file, and after the verification, the output data stream of the data file to the client; when it is determined that the data file has been signed and encrypted, verifies the signature of the data file, and after the verification, the data stream of the data file is decrypted, the decrypted output data stream to the client.
  5. 5. 如权利要求4所述的方法,其特征在于,所述对数据文件验证签名,包括: 根据所述数据文件对应的密钥文件中包含的签名算法和签名结果,对读取的数据文件验证签名;所述对数据文件的数据流进行解密,包括:将所述密钥文件中加密后的加密密钥进行解密,得到解密密钥;使用所述解密密钥和所述密钥文件中的加密算法对所述数据文件的数据流进行解密。 5. The method according to claim 4, characterized in that, the verification signature data files, comprising: a signature according to the signature algorithm and the results of the data file corresponding to the file key included in the read data file signature verification; the data stream to decrypt the data file, comprising: an encryption key in the encrypted file key is decrypted, to obtain the decryption key; using the decryption key and the key file the data stream encryption algorithm to decrypt the data file.
  6. 6. —种网络存储服务器,其特征在于,包括:判断模块、加密模块、签名模块和配置信息存储模块;所述判断模块,用于根据配置信息存储模块中存储的数据文件所属存储区域的配置信息,判断所述数据文件是否需加密和/或是否需签名;所述加密模块,用于当所述判断模块判断出所述数据文件需加密不需签名时,对所述客户端上载的网络数据流进行加密,并将加密的网络数据流写入所述数据文件;以及当所述判断模块判断出所述数据文件需加密和签名时,在对所述客户端上载的网络数据流进行加密并写入所述数据文件后,将所述数据文件传送至所述签名模块;所述签名模块,用于当所述判断模块判断出所述数据文件需签名不需加密时,将所述客户端上载的网络数据流写入所述数据文件,并对所述数据文件进行签名;以及接收加密模块传送的数据文 6. - kind of network storage server, wherein, comprising: a determining module, the encryption module, and a signature module configuration information storage module; the judging module, for storing configuration information according to the configuration data file stored in the module storage area belongs whether the information needed to determine whether the data file encryption and / or signature if required; the encryption module, configured to, when the determining module determines that the data file without the need to encrypt the signature, the client of the carrier network the data stream is encrypted, and the encrypted network traffic data is written to the file; and when the judging module determines that the data file for an encryption and signing, encrypting the carrier on the client network traffic and after writing the data file, transmits the data file to the signature module; said signature module, configured to, when the determining module determines that the data file without the need to encrypt the signature, the client the upper end of the carrier network data stream written to the data file, the data file and a signature; encryption module and a data packet transmitted by the receiving 件,对接收的所述数据文件进行签名;所述配置信息存储模块,用于存储各存储区域的配置信息。 Member, the signature received data file; the configuration information storing module, for storing configuration information of each storage area.
  7. 7. 如权利要求6所述的服务器,其特征在于,还包括:配置模块,用于对预先划分的多个存储区域分别配置其存储的数据文件是否需要加密以及加密算法和/或是否需要签名以及签名算法的参数信息,并将配置的所述参数信息存储于所述配置信息存储模块中;所述加密模块,还用于根据所述配置信息存储模块存储的所述数据文件所属存储区域配置的加密算法,生成加密密钥;根据所述加密算法和生成的加密密钥,对读取的网络数据流进行加密,生成加密的网络数据流;所述签名模块,还用于根据所述配置信息存储模块存储的所述数据文件所属存储区域配置的签名算法,对数据文件进行签名。 7. The server according to claim 6, characterized in that, further comprising: a configuration module for storing a plurality of the divided regions are respectively arranged in advance whether the stored data file needs to be encrypted and the encryption algorithm and / or whether a signature signature algorithm and parameter information, and the configuration of the parameter information stored in the configuration information storage module; the encryption module is further configured according to the configuration information stored in the data file stored in ordinary storage region module configuration encryption algorithm, to generate an encryption key; according to the encryption algorithm and encryption key generated network data stream read encrypted, the network generates the encrypted data stream; said signature module is further configured according to the configuration the signature algorithm configuration data file stored in the information storage module belongs to a storage area, the data file is signed.
  8. 8. 如权利要求7所述的服务器,其特征在于,还包括:密钥文件生成模块,用于对所述加密密钥进行加密;以及将所述加密算法、加密后的加密密钥和/或所述签名算法、签名结果生成密钥文件,并与所述数据文件一一对应; 密钥文件存储模块,用于存储所述密钥文件。 8. The server according to claim 7, characterized in that, further comprising: a key file generating module for encrypting said encryption key; and the encryption algorithm, encryption key and the encryption / or the signature algorithm, signature result to generate the key file, and correspond with the data file; key file storing module for storing the key file.
  9. 9. 如权利要求8所述的服务器,其特征在于,还包括:验证模块和解密模块; 所述判断模块,还用于根据客户端请求下载的数据文件对应的密钥文件,判断请求下载的数据文件是否已加密和/或是否已签名;所述验证模块,用于当所述判断模块判断所述数据文件已签名未加密时,对所述数据文件验证签名,并在验证通过后,将所述数据文件的数据流输出到所述客户端;以及当所述判断模块判断数据文件已签名且已加密时,对所述数据文件验证签名,并在验证通过后,将所述数据文件发送至所述解密模块;所述解密模块,用于当所述判断模块判断所述数据文件已加密未签名时,对所述数据文件的数据流进行解密,并将解密的数据流输出到所述客户端;以及接收所述验证模块发送的数据文件,对接收的所述数据文件的数据流进行解密,将解密的数据流输 9. The server according to claim 8, characterized in that, further comprising: an authentication module and a decryption module; the determination module is further configured to request to download the data file by the client, corresponding to the key file requested to be downloaded is determined if the data file is encrypted and / or are signed; after the verifying module, configured to, when the determining module determines that the data file is not encrypted signed, verifies the signature of the data file, and verified by the the output data stream data files to the client; and when the determination module determines that the data file has been signed and encrypted, verifies the signature of the data file, and after the verification, transmitting the data file to said decryption module; said decryption module, when said determination module determines that the unsigned data file is encrypted, the data stream to decrypt the data file, and decrypted data to the output stream client; and receiving the authentication module sends the data file, the data file of the data stream received is decrypted, the decrypted output data stream 到所述客户端。 To the client.
  10. 10. 如权利要求9所述的服务器,其特征在于,所述验证模块,还用于根据所述密钥文件中包含的签名算法和签名结果,对读取的数据文件验证签名;所述解密模块,还用于对所述密钥文件中的加密后的加密密钥进行解密,得到解密密钥;使用所述解密密钥和所述密钥文件中的加密算法对所述数据文件的数据流进行解密。 10. The server according to claim 9, wherein the verification module is further configured in accordance with the result of the signature algorithm and signature key contained in the file, the data file read verification signature; the decryption module is further used for the key encryption key to decrypt the encrypted file, to obtain the decryption key; decrypting the encrypted algorithm using the key and the key file data of the data file decrypting a stream.
CN 200810227900 2008-12-01 2008-12-01 Network data storage method and server CN101753539B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN 200810227900 CN101753539B (en) 2008-12-01 2008-12-01 Network data storage method and server

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN 200810227900 CN101753539B (en) 2008-12-01 2008-12-01 Network data storage method and server

Publications (2)

Publication Number Publication Date
CN101753539A true true CN101753539A (en) 2010-06-23
CN101753539B CN101753539B (en) 2012-06-06

Family

ID=42479949

Family Applications (1)

Application Number Title Priority Date Filing Date
CN 200810227900 CN101753539B (en) 2008-12-01 2008-12-01 Network data storage method and server

Country Status (1)

Country Link
CN (1) CN101753539B (en)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103078866A (en) * 2013-01-14 2013-05-01 成都西可科技有限公司 Transparent encryption method for mobile platform
CN103973715A (en) * 2014-05-29 2014-08-06 广东轩辕网络科技股份有限公司 Cloud computing security system and method
CN104751072A (en) * 2015-03-17 2015-07-01 山东维固信息科技股份有限公司 Secrete-related control system providing completely transparent user experience based on real-time encryption and decryption technology
CN105100087A (en) * 2015-07-08 2015-11-25 上海迈外迪网络科技有限公司 Management method, management server and system for SQL (Structured Query Language) database

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1219260C (en) 2003-09-02 2005-09-14 四川大学 Storage and access control method for security file system
CN101247232B (en) 2008-03-27 2012-09-26 上海金鑫计算机系统工程有限公司 Encryption technique method based on digital signature in data communication transmission

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103078866A (en) * 2013-01-14 2013-05-01 成都西可科技有限公司 Transparent encryption method for mobile platform
CN103078866B (en) * 2013-01-14 2015-11-04 成都西可科技有限公司 Transparent encryption mobile platform
CN103973715A (en) * 2014-05-29 2014-08-06 广东轩辕网络科技股份有限公司 Cloud computing security system and method
CN103973715B (en) * 2014-05-29 2017-03-22 广东轩辕网络科技股份有限公司 One kind of cloud security systems and methods
CN104751072A (en) * 2015-03-17 2015-07-01 山东维固信息科技股份有限公司 Secrete-related control system providing completely transparent user experience based on real-time encryption and decryption technology
CN105100087A (en) * 2015-07-08 2015-11-25 上海迈外迪网络科技有限公司 Management method, management server and system for SQL (Structured Query Language) database

Also Published As

Publication number Publication date Type
CN101753539B (en) 2012-06-06 grant

Similar Documents

Publication Publication Date Title
US6678821B1 (en) Method and system for restricting access to the private key of a user in a public key infrastructure
US7509492B2 (en) Distributed scalable cryptographic access control
US6550011B1 (en) Media content protection utilizing public key cryptography
US20130266137A1 (en) Digital rights managment system, devices, and methods for binding content to an intelligent storage device
US20100064354A1 (en) Maidsafe.net
US20100017596A1 (en) System and method for managing authentication cookie encryption keys
US20020152261A1 (en) Method and system for preventing the infringement of intellectual property rights
US20070118735A1 (en) Systems and methods for trusted information exchange
US20050154889A1 (en) Method and system for a flexible lightweight public-key-based mechanism for the GSS protocol
US20050132201A1 (en) Server-based digital signature
US20100017859A1 (en) Authentication system for networked computer applications
US20020082997A1 (en) Controlling and managing digital assets
US20040039932A1 (en) Apparatus, system and method for securing digital documents in a digital appliance
US20050223216A1 (en) Method and system for recovering password protected private data via a communication network without exposing the private data
US20020048372A1 (en) Universal signature object for digital data
US7792300B1 (en) Method and apparatus for re-encrypting data in a transaction-based secure storage system
US7845011B2 (en) Data transfer system and data transfer method
US20030081774A1 (en) Method and apparatus for dynamic generation of symmetric encryption keys and exchange of dynamic symmetric key infrastructure
US20080104401A1 (en) System, Apparatus, Method, And Program Product For Authenticating Communication Partner Using Electronic Certificate Containing Personal Information
US20130268759A1 (en) Digital rights management system transfer of content and distribution
US20070250904A1 (en) Privacy protection system
US7320076B2 (en) Method and apparatus for a transaction-based secure storage file system
US20070255659A1 (en) System and method for DRM translation
Miller et al. Strong security for distributed file systems
US20040098592A1 (en) Content distribution system

Legal Events

Date Code Title Description
C06 Publication
C10 Request of examination as to substance
C14 Granted