CN101753539A - Network data storage method and server - Google Patents
Network data storage method and server Download PDFInfo
- Publication number
- CN101753539A CN101753539A CN200810227900A CN200810227900A CN101753539A CN 101753539 A CN101753539 A CN 101753539A CN 200810227900 A CN200810227900 A CN 200810227900A CN 200810227900 A CN200810227900 A CN 200810227900A CN 101753539 A CN101753539 A CN 101753539A
- Authority
- CN
- China
- Prior art keywords
- data file
- file
- key
- data
- encrypted
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
- 238000000034 method Methods 0.000 title claims abstract description 48
- 238000013500 data storage Methods 0.000 title claims abstract description 23
- 238000003860 storage Methods 0.000 claims abstract description 106
- 238000012795 verification Methods 0.000 claims description 2
- 238000012986 modification Methods 0.000 description 4
- 230000004048 modification Effects 0.000 description 4
- 238000005516 engineering process Methods 0.000 description 3
- 230000007812 deficiency Effects 0.000 description 2
- 230000014759 maintenance of location Effects 0.000 description 2
- 238000012546 transfer Methods 0.000 description 2
- 230000009286 beneficial effect Effects 0.000 description 1
- 230000005540 biological transmission Effects 0.000 description 1
- 238000012217 deletion Methods 0.000 description 1
- 230000037430 deletion Effects 0.000 description 1
- 238000011161 development Methods 0.000 description 1
- 238000012423 maintenance Methods 0.000 description 1
- 238000007726 management method Methods 0.000 description 1
- 238000010200 validation analysis Methods 0.000 description 1
Images
Abstract
The invention discloses a network data storage method and a server. The disturbing network data storage method provided by the invention comprises the following steps: judging whether a data file needs to be encrypted and/or signed or not by the server according to configuration information of the storage region of the data file; encrypting a network data stream uploaded at a client when the data file needs to be encrypted but does not need to be signed according to the judgment, and writing the encrypted data stream into the data file; writing the network data stream uploaded at the client into the data file when the data file needs to be signed but does not need to be encrypted according to the judgment, and signing the data file; and encrypting the network data stream uploaded at the client when the data file needs to be encrypted and signed according to the judgment, writing the encrypted network data stream into the data file, and signing the data file. The invention improves the openness, the expansibility, the robustness and the reading/writing visit efficiency of the network storage server on the premise of ensuring the confidentiality and the completeness of the data storage.
Description
Technical field
The present invention relates to network safety filed, relate in particular to a kind of network data storage method and server.
Background technology
Along with the TCP/IP development of internet technology, file transfer protocol (FTP) (File Transfer Protocol, FTP) and distributed creation in World Wide Web (WWW) and Version Control (Web-based Distributed Authoring andVersioning, WEBDAV) agreement has obtained application more and more widely, server end utilizes FTP and WEBDAV agreement to provide the network storage for client, formed the network storage of supporting standard agreement, the user can use and support the client of FTP or WEBDAV to carry out server side file read access (download of network data) and write access operations such as (uploading network data) by network.
For realizing supporting the network storage of FTP and WEBDAV agreement, tend to deployment corresponding server system (ftp server and WEBDAV server) is installed at server side, the file system that existing ftp server and WEBDAV server are based on server end mostly provides stores service, and the storage of file employing plain code, the method for this employing plain code storage file can't guarantee the confidentiality and the integrality of data.
For confidentiality and the integrality that guarantees file, existing solution is normally used extra special secure file system at server end, be encapsulated in behind the file encryption of secure file system with a plurality of needs to be keep secret in certain single file of bottom document system, and unify the key information of maintenance documentation information (as filename, file size etc.) and each file in internal system.Adopt secure file system to have following problem as the backstage of ftp server and WEBDAV server:
1, secure file system generally is a private system, does not have unified interface, and is open not enough;
2, the cryptographic algorithm of whole secure file system is the unification fixed, the autgmentability deficiency;
3, because the All Files in the secure file system is all concentrated in the single file that is encapsulated in the bottom document system, during certain specific file in the read access secure file system, need from the single file of bottom document system, this document is extracted earlier; During certain specific file in the write access secure file system, this document need be write in the single file of bottom document system, read efficient is lower.
4, the cryptographic algorithm relative fixed of secure file system, and secure file system is with the fileinfo and the key centralized management of inside, the zone (disk sector) of storage file information or key part is damaged, and can cause whole secure file system to take place to visit the system robustness deficiency.
Summary of the invention
The invention provides a kind of network data storage method and server,, improve opening, autgmentability, robustness and the read efficient of network storage server in order under the prerequisite of confidentiality that guarantees storage and integrality.
A kind of network data upload method that the embodiment of the invention provides comprises:
Server is according to the configuration information of storage area under the data file, judges whether described data file need encrypt and/or whether need sign;
When judging that described data file need encrypt need not sign the time, the network data flow that described client is uploaded is encrypted, and the described network data flow that will encrypt writes described data file;
When judging that described data file need sign need not encrypt the time, the network data flow that described client is uploaded writes described data file, and described data file is signed;
When judging that described data file need be encrypted and sign, the network data flow that described client is uploaded is encrypted, the network data flow of encrypting is write described data file, described data file is signed.
To a plurality of storage areas of dividing in advance, whether the data file that disposes its storage respectively needs to encrypt and cryptographic algorithm and/or whether need is signed and the parameter information of signature algorithm;
Describedly client uploaded network data flow encrypt, comprising:
Cryptographic algorithm according to storage area configuration under the described data file generates encryption key;
According to the encryption key of described cryptographic algorithm and generation, the network data flow that client is uploaded is encrypted;
Described the data file is signed, comprising:
According to the signature algorithm of storage area configuration under the described data file, described data file is signed.
Described encryption key is encrypted;
Encryption key with described cryptographic algorithm, after encrypting and/or described signature algorithm, signature result generate key file and storage; Described key file is corresponding one by one with described data file.
Described server is according to the key file of client-requested data downloaded file correspondence, judges whether described data file has been encrypted and/or whether signed;
When judging that described data file encrypted when unsigning, the data flow of described data file is decrypted, and the described data flow that will decipher outputs to described client;
When judging that described data file has been signed unencryption, to described data file certifying signature, and after checking is passed through, the data flow of described data file is outputed to described client;
When judging that described data file has been signed and when having encrypted, to described data file certifying signature, and after checking is passed through, the data flow of described data file is decrypted, decrypted data stream is outputed to described client.
Described to data file verification signature, comprising:
Signature algorithm that comprises in the key file according to described data file correspondence and signature result are to the data file certifying signature that reads;
Described data flow to the data file is decrypted, and comprising:
Encryption key after encrypting in the described key file is decrypted, obtains decruption key; Use the cryptographic algorithm in described decruption key and the described key file that the data flow of described data file is decrypted.
A kind of network storage server that the embodiment of the invention provides comprises: judge module, encrypting module, signature blocks and configuration information memory module;
Described judge module, the configuration information of storage area under the data file that is used for storing according to the configuration information memory module judges whether described data file need encrypt and/or whether need sign;
Described encrypting module is used for judging described data file when described judge module and need encrypts need not sign the time, the network data flow that described client is uploaded is encrypted, and the network data flow of encrypting is write described data file; And when described judge module is judged described data file and need be encrypted and sign, after described data file is encrypted and write to the network data flow that described client is uploaded, described data file is sent to described signature blocks;
Described signature blocks is used for judging described data file when described judge module and need signs need not encrypt the time, and the network data flow that described client is uploaded writes described data file, and described data file is signed; And receive the data file that encrypting module transmits, the described data file that receives is signed;
Described configuration information memory module is used to store the configuration information of each storage area.
The network storage server that the embodiment of the invention provides also comprises:
Configuration module, be used for whether the data file that a plurality of storage areas of dividing in advance dispose its storage is respectively needed to encrypt and cryptographic algorithm and/or whether need is signed and the parameter information of signature algorithm, and the described parameter information that will dispose is stored in the described configuration information memory module.
Described encrypting module also is used for the cryptographic algorithm according to storage area configuration under the described data file of described configuration information memory module storage, generates encryption key; According to the encryption key of described cryptographic algorithm and generation, the network data flow that reads is encrypted, generate the network data flow of encrypting;
Described signature blocks also is used for the signature algorithm according to storage area configuration under the described data file of described configuration information memory module storage, and the data file is signed.
The network storage server that the embodiment of the invention provides also comprises:
The key file generation module is used for described encryption key is encrypted; And the encryption key with described cryptographic algorithm, after encrypting and/or described signature algorithm, signature result generate key file, and corresponding one by one with described data file;
The key file memory module is used to store described key file.
The network storage server that the embodiment of the invention provides also comprises: authentication module and deciphering module;
Described judge module also is used for the key file according to client-requested data downloaded file correspondence, and whether whether judgement request data downloaded file encrypted and/or signed;
Described authentication module is used for when described judge module judges that described data file has been signed unencryption, to described data file certifying signature, and after checking is passed through, the data flow of described data file is outputed to described client; And when described judge module judgment data file has been signed and encrypted,, and after checking is passed through, described data file is sent to described deciphering module to described data file certifying signature;
Described deciphering module is used for judging described data file when described judge module and has encrypted when unsigning, and the data flow of described data file is decrypted, and decrypted data stream is outputed to described client; And receive the data file that described authentication module sends, and the data flow of the described data file that receives is decrypted, decrypted data stream is outputed to described client.
Authentication module in the network storage server that the embodiment of the invention provides also is used for the signature algorithm that comprises according to described key file and the result that signs, to the data file certifying signature that reads;
Deciphering module in the network storage server that the embodiment of the invention provides also is used for the encryption key after the encryption of described key file is decrypted, and obtains decruption key; Use the cryptographic algorithm in described decruption key and the described key file that the data flow of described data file is decrypted.
Beneficial effect of the present invention is as follows:
A kind of network data storage method and server that the embodiment of the invention provides, server receives the data upload request that client is initiated, create data file, configuration information according to storage area under the data file, the network data flow that client is uploaded is encrypted, the network data flow after encrypting is write data file; After maybe the network data flow of uploading being write data file, the data file is signed, or after the network data flow that client is uploaded encrypted, the network data flow after encrypting is write data file, and the data file is signed.Network storage method that the embodiment of the invention provides and server, owing to data file can be disperseed to be stored in a plurality of storage areas of dividing in advance, the not high problem of efficient of the read of having avoided the file of all encryptions in the secure file system of the prior art all to be stored in single file being brought; Moreover, because the parameter information of the encryption of the configuration of different storage zone and/or signature can be different, not only improved the autgmentability of system, also guaranteed the integrality and the confidentiality of network stored data.
Further, in the network storage method that the embodiment of the invention provides, also encryption key with cryptographic algorithm, after encrypting and/or signature algorithm, signature result generate key file, and it is corresponding one by one with data file, the key file of certain data file is cracked or damages, can the safety of other data files not impacted, the secure file system of having avoided the existing network storage server to adopt is managed the key of all encrypt files concentratedly bring drawback, has improved the robustness of system further.Because the existence of key file, make the deciphering of data file not rely on the configuration parameter of affiliated storage area, therefore can revise the configuration parameter of storage area at any time as required, further improve the autgmentability of system, also further guaranteed the integrality and the confidentiality of network stored data.
The network data storage method that inventive embodiments provides, can realize by the file system that adopts existing network server OS self, because the file system of operating system has unified interface to upper system, has guaranteed the opening of network storage server.
Description of drawings
Data upload flow chart in the network data storage method that Fig. 1 provides for the embodiment of the invention;
The flow chart of the generation key file that Fig. 2 provides for the embodiment of the invention;
Data are downloaded flow chart in the network data storage method that Fig. 3 provides for the embodiment of the invention;
The structural representation of the network storage server that Fig. 4 provides for the embodiment of the invention.
Embodiment
Below in conjunction with accompanying drawing, a kind of network data storage method provided by the invention and server are described in detail with specific embodiment.
The network data storage method that the embodiment of the invention provides improves at server side.The network data storage method that the embodiment of the invention provides can be applied to common network storage server such as FTP or WEBDAV server etc., the file system of utilizing the existing operating system of FTP or WEBDAV server to provide just can realize, and do not need the backstage storage system of the special secure file system of extra employing as network data.Like this, because the external interface of file system of operating system is unified interface (for example FTP of standard or WEBDAV interface), guaranteed the opening of network storage server.From the angle of read and write access, directly the efficient of access server operating system self file system also is better than the efficient by the other secure file system of server OS visit.
The network data storage method that the embodiment of the invention provides, can a plurality of storage areas will be divided in advance in the memory space of server this locality, each storage area for example can the respective file system a catalogue, as " Server1/area1 ", " Server1/area2 " or the like.Can also realize operations such as storage area increase, deletion and modifications.
And, for each storage area, need in advance data file to wherein storage whether need to encrypt and cryptographic algorithm and/or whether need to sign and the parameter information of signature algorithm is configured respectively, the configuration information of each storage area is separate, can be to different area configurations different cryptographic algorithm and different signature algorithms, the data file encipher only that a certain zone can be set is not signed, and the data file in another one zone not only needs encryption also to need to sign, or the like.No longer enumerate at this.In concrete use, can also as required the configuration information of storage area be made amendment.
Upload flow process below in conjunction with the network data that client is initiated, the network data storage method that the embodiment of the invention provides is described.
The network data storage method that the embodiment of the invention provides as shown in Figure 1, may further comprise the steps:
Step S101, server receive the data upload request that client is initiated.
For client, can be as required, request is stored in the form of uploaded data stream with file in any one storage area of server side.
Step S102, server create data file in storage area according to the storage area information that carries data file in this data upload request.
Can be in the data upload request that client sends by unified resource positioning mark (the Uniform Resource Locator that carries storage area, URL) which storage area is indicated specifically is, for example " ftp: //Server1/area1 ", " http://Server1/area2 " etc.
Step S103, according to the configuration information of storage area under the data file, whether the judgment data file needs to encrypt; If judged result is not, execution in step S104, if, execution in step S105;
Step S104, the network data flow of uploading is write direct in the data file that creates, then execution in step S108.
Step S105, the cryptographic algorithm that disposes according to storage area under this data file generate encryption key.
Encryption key among this step S105 is to generate in real time at random, and the encryption key that generates in the process of stream that at every turn uploads data is all inequality.
Step S106, according to the encryption key that the cryptographic algorithm and the step S105 of storage area configuration under this data file generates, the network data flow of uploading is encrypted.
Step S107, the network data flow of encrypting is write in the data file that creates.
Step S108, according to the configuration information of storage area under the data file, whether the judgment data file needs signature; If judged result is for being that execution in step S109 if not, jumps to step S110.
Step S109, according to the signature algorithm of storage area configuration under this data file, this data file is signed.After signature is finished, carry out following step S110.
Step S110, return the affirmation message of uploading success to client.
In the embodiment of the invention, can also be on the basis of above-mentioned flow process, increase the flow process that generates key file, generating the flow process of key file can be independently and outside the flow process shown in Figure 1, also can be included among the flow process shown in Figure 1, close as a whole flow process to step S110 with above-mentioned steps S101.For explanatorily clear, use and illustrate with the flow chart of Fig. 2.
As shown in Figure 2, generate the flow process of key file in the embodiment of the invention, may further comprise the steps:
Step S201, according to the configuration information of storage area under the data file, whether the judgment data file needs to encrypt and whether need signature, when arbitrary judged result when being, execution in step S202; If not, judge that promptly this data file neither needs to encrypt when also not needing to sign, directly jump to step S208 and finish current flow process.
This step S201 can be after step S104 shown in Figure 1 or step S107, carries out before the step S108.
Step S202, according to the data file of setting and the rule of correspondence of key file, create key file.
The embodiment of the invention does not limit key file and adopts which kind of particular type, for example text file type or relational database record etc.
Step S203, according to the configuration information of storage area under the data file, whether the judgment data file needs signature, if, carry out following step S204, if not, jump to step S206.
This step S203 can be same step with the step S108 among Fig. 1.
Step S204, with signature algorithm, the signature result write key file.
This step S204 can carry out after step S109 shown in Figure 1.
Step S205, according to the configuration information of storage area under the data file, whether the judgment data file needs to encrypt, if, execution in step S206, if not, directly execution in step S208.
Step S206, use public-key encryption key is encrypted.
Server is can pre-configured public and private key right, uses the PKI of configuration that encryption key is encrypted in this step.
Step S207, the encryption key with cryptographic algorithm, after encrypting write key file.
Step S208, process ends.
This flow process can be carried out last step S110 shown in Figure 1 after finishing.
In the embodiment of the invention, when creating key file, can adopt the predefined rule of correspondence,, and can be stored in the same storage area corresponding one by one between the key file created and the data file.For instance, the rule of correspondence of key file and data file can be as follows:
The filename of key file can adopt the filename of data file to add distinctive suffix composition.As shown in the table:
Table 1
| File name | Size | Type |
| ??5-421.txt | ??3KB | Text document |
| ??5-421.txt.cipher | ??1KB | The CIPHER file |
| ??5-422.GIF | ??129KB | The TIF image |
| ??5-422.GIF.cipher | ??1KB | The CIPHER file |
In the last table 1, file 5_421.txt by name and 5_422.GIF are data files, and 5_421.txt.cipher and 5_422.GIF.cipher are respectively the key files of above-mentioned two data file correspondences.
Obviously, in the embodiment of the invention, the rule of correspondence of key file and data file is not limited to above-mentioned corresponded manner.
In the file system of embodiment of the invention server side, the file attribute of above-mentioned key file can be set to hide, and when the server side locating file, server side can not show corresponding key file by network in domestic consumer.
There is the user of authority that the data file of server side is made amendment or when deleting, need revises or delete its corresponding key file simultaneously.
To upload flow process corresponding with the network data in the network storage method that the embodiment of the invention provides, when client was initiated the network data download request, the network data storage method that the embodiment of the invention provides was in the server side handling process, as shown in Figure 3, may further comprise the steps:
Step S301, server receive the network data download request that client is initiated.
Step S302, according to the URL and the file identification information of this data file of carrying in this request, in the field of storage of correspondence, read this data file.
Step S303, according to the key file of this data file correspondence, judge whether this data file signs, if, execution in step S304; If not, execution in step S308.
Among this step S303, can be by the rule of correspondence between data file and the key file, find the key file of this data file correspondence, according to the particular content that comprises in the key file judge whether this data file signs (if only comprised cryptographic algorithm in this key file and encrypt after encryption key, can judge so that this data file has been encrypted and unsign, if only comprised signature algorithm and signature result in this key file, can judge this data file unencryption of having signed so, if comprise above-mentioned two category informations in this key file simultaneously, can judge that so this data file encrypts and sign).
Step S304, according to the signature algorithm that comprises in this key file and the signature result, to the data file certifying signature that reads.
Whether step S305, judgement checking are passed through; During authentication failed, execution in step S306.When checking is passed through, execution in step S307.
Step S306, return to client and wrong affirmation message to occur.
Step S307, according to the key file of this data file correspondence, judge whether this data file encrypts, if execution in step S308 if not, jumps to step S310.
The private key of step S308, use configuration is decrypted the encryption key after the encryption in this key file, obtains decruption key.
Step S309, use decruption key that step S308 obtains and the cryptographic algorithm in this key file, the data flow of data file is decrypted the network data flow after obtaining deciphering.
Step S310, with the data flow transmission of data file to client.
Step S311, return and download successful affirmation message.
According to the network data storage method that the embodiment of the invention provides, the embodiment of the invention also provides a kind of network storage server, as shown in Figure 4, comprising: judge module 401, encrypting module 402, signature blocks 403 and configuration information memory module 404; Wherein:
Encrypting module 402 is used for judging data file when judge module 401 and need encrypts need not sign the time, the network data flow that client is uploaded is encrypted, and the network data flow of encrypting is write this data file; And when judge module 401 is judged this data file and need be encrypted and sign, after this data file is encrypted and write to the network data flow that reads, this data file is sent to signature blocks 403;
Signature blocks 403 is used for judging this data file when judge module 401 and need signs need not encrypt the time, and the network data flow that client is uploaded writes this data file, and this data file is signed; And receive the data file that encrypting module 402 transmits, the data file that receives is signed;
Configuration information memory module 404 is used to store the configuration information of each storage area.
The network storage server that the embodiment of the invention provides, as shown in Figure 4, can also comprise: configuration module 405, be used for whether the data file that a plurality of storage areas of dividing in advance dispose its storage is respectively needed to encrypt and cryptographic algorithm and/or whether need is signed and the parameter information of signature algorithm, and the parameter information of configuration is stored in the configuration information memory module 404.
Encrypting module 402 also is used for the cryptographic algorithm according to storage area configuration under this data file of configuration information memory module 404 storages, generates encryption key; According to the encryption key of this cryptographic algorithm and generation, the network data flow that reads is encrypted, generate the network data flow of encrypting;
Signature blocks 403 also is used for the signature algorithm according to storage area configuration under this data file of configuration information memory module 404 storages, and the data file is signed.
The network storage server that the embodiment of the invention provides as shown in Figure 4, can also comprise: key file generation module 406 and key file memory module 407;
Key file generation module 406 is used to use public-key encryption key is encrypted; And the encryption key with cryptographic algorithm, after encrypting and/or described signature algorithm, signature result generate key file, and corresponding one by one with this data file;
Key file memory module 407 is used for the storage key file.
Network data in a kind of network data storage method that provides according to the embodiment of the invention is downloaded flow process, and the network storage server that the embodiment of the invention provides as shown in Figure 4, can also comprise following two modules: authentication module 408 and deciphering module 409;
Deciphering module 409 is used for judging these data files when judge module 401 and has encrypted when unsigning, and the data flow of this data file is decrypted, and decrypted data stream is outputed to client; And the data file that sends of Receipt Validation module 408, the data flow of the data file that receives is decrypted, decrypted data stream is outputed to client.
Deciphering module 409 also is used for the cryptographic algorithm of using private key and key file to comprise, and the encryption key after the encryption in the key file is decrypted, and obtains decruption key; Use decruption key that the data flow of this data file is decrypted.
A kind of network data storage method and server that the embodiment of the invention provides, server receives the data upload request that client is initiated, create data file, configuration information according to storage area under the data file, the network data flow that client is uploaded is encrypted, the network data flow after encrypting is write data file; After maybe the network data flow of uploading being write data file, the data file is signed, or after the network data flow that client is uploaded encrypted, the network data flow after encrypting is write data file, and the data file is encrypted.When client-requested is carried out network data when downloading, correspondingly, according to the configuration information of storage area under the data file, the operation that the data file is verified and/or deciphered, with checking by and/or deciphering after document data flow send client to.
Network storage method that the embodiment of the invention provides and server, owing to data file can be disperseed to be stored in a plurality of storage areas of dividing in advance, the not high problem of efficient of the read of having avoided the file of all encryptions in the secure file system of the prior art all to be stored in same file being brought; Moreover, because the parameter information of the encryption of the configuration of different storage zone and/or signature can be different, not only improved the autgmentability of system, also further guaranteed the integrality and the confidentiality of network stored data.
Further, in the network storage method that the embodiment of the invention provides, also encryption key with cryptographic algorithm, after encrypting and/or signature algorithm, signature result generate key file and corresponding one by one with data file, the key file of certain data file is cracked or damages, can the safety of other data files not impacted, the secure file system of having avoided the existing network storage server to adopt is managed the key of all encrypt files concentratedly bring drawback, has improved the robustness of system further.Because the existence of key file, make the deciphering of data file not rely on the configuration parameter of affiliated storage area, therefore can revise the configuration parameter of storage area at any time as required, further improve the autgmentability of system, also further guaranteed the integrality and the confidentiality of network stored data.
In addition, the network data storage method that inventive embodiments provides, can directly adopt the file system of existing network server OS self to carry out the operation of uploading and downloading of data, because the file system of operating system has unified interface (for example FTP of standard or WEBDAV interface) to upper system, has guaranteed the opening of network storage server.From the angle of read and write access, directly the efficient of access server operating system self file system also is better than the efficient by the other secure file system of server OS visit.
Obviously, those skilled in the art can carry out various changes and modification to the present invention and not break away from the spirit and scope of the present invention.Like this, if of the present invention these are revised and modification belongs within the scope of claim of the present invention and equivalent technologies thereof, then the present invention also is intended to comprise these changes and modification interior.
Claims (10)
1. a network data storage method is characterized in that, comprising:
Server is according to the configuration information of storage area under the data file, judges whether described data file need encrypt and/or whether need sign;
When judging that described data file need encrypt need not sign the time, the network data flow that described client is uploaded is encrypted, and the described network data flow that will encrypt writes described data file;
When judging that described data file need sign need not encrypt the time, the network data flow that described client is uploaded writes described data file, and described data file is signed;
When judging that described data file need be encrypted and sign, the network data flow that described client is uploaded is encrypted, the network data flow of encrypting is write described data file, described data file is signed.
2. the method for claim 1 is characterized in that, also comprises:
To a plurality of storage areas of dividing in advance, whether the data file that disposes its storage respectively needs to encrypt and cryptographic algorithm and/or whether need is signed and the parameter information of signature algorithm;
Describedly client uploaded network data flow encrypt, comprising:
Cryptographic algorithm according to storage area configuration under the described data file generates encryption key;
According to the encryption key of described cryptographic algorithm and generation, the network data flow that client is uploaded is encrypted;
Described the data file is signed, comprising:
According to the signature algorithm of storage area configuration under the described data file, described data file is signed.
3. method as claimed in claim 2 is characterized in that, also comprises:
Described encryption key is encrypted;
Encryption key with described cryptographic algorithm, after encrypting and/or described signature algorithm, signature result generate key file and storage; Described key file is corresponding one by one with described data file.
4. method as claimed in claim 3 is characterized in that, also comprises:
Described server is according to the key file of client-requested data downloaded file correspondence, judges whether described data file has been encrypted and/or whether signed;
When judging that described data file encrypted when unsigning, the data flow of described data file is decrypted, and the described data flow that will decipher outputs to described client;
When judging that described data file has been signed unencryption, to described data file certifying signature, and after checking is passed through, the data flow of described data file is outputed to described client;
When judging that described data file has been signed and when having encrypted, to described data file certifying signature, and after checking is passed through, the data flow of described data file is decrypted, decrypted data stream is outputed to described client.
5. method as claimed in claim 4 is characterized in that, and is described to data file verification signature, comprising:
Signature algorithm that comprises in the key file according to described data file correspondence and signature result are to the data file certifying signature that reads;
Described data flow to the data file is decrypted, and comprising:
Encryption key after encrypting in the described key file is decrypted, obtains decruption key; Use the cryptographic algorithm in described decruption key and the described key file that the data flow of described data file is decrypted.
6. a network storage server is characterized in that, comprising: judge module, encrypting module, signature blocks and configuration information memory module;
Described judge module, the configuration information of storage area under the data file that is used for storing according to the configuration information memory module judges whether described data file need encrypt and/or whether need sign;
Described encrypting module is used for judging described data file when described judge module and need encrypts need not sign the time, the network data flow that described client is uploaded is encrypted, and the network data flow of encrypting is write described data file; And when described judge module is judged described data file and need be encrypted and sign, after described data file is encrypted and write to the network data flow that described client is uploaded, described data file is sent to described signature blocks;
Described signature blocks is used for judging described data file when described judge module and need signs need not encrypt the time, and the network data flow that described client is uploaded writes described data file, and described data file is signed; And receive the data file that encrypting module transmits, the described data file that receives is signed;
Described configuration information memory module is used to store the configuration information of each storage area.
7. server as claimed in claim 6, it is characterized in that, also comprise: configuration module, be used for whether the data file that a plurality of storage areas of dividing in advance dispose its storage is respectively needed to encrypt and cryptographic algorithm and/or whether need is signed and the parameter information of signature algorithm, and the described parameter information that will dispose is stored in the described configuration information memory module;
Described encrypting module also is used for the cryptographic algorithm according to storage area configuration under the described data file of described configuration information memory module storage, generates encryption key; According to the encryption key of described cryptographic algorithm and generation, the network data flow that reads is encrypted, generate the network data flow of encrypting;
Described signature blocks also is used for the signature algorithm according to storage area configuration under the described data file of described configuration information memory module storage, and the data file is signed.
8. server as claimed in claim 7 is characterized in that, also comprises:
The key file generation module is used for described encryption key is encrypted; And the encryption key with described cryptographic algorithm, after encrypting and/or described signature algorithm, signature result generate key file, and corresponding one by one with described data file;
The key file memory module is used to store described key file.
9. server as claimed in claim 8 is characterized in that, also comprises: authentication module and deciphering module;
Described judge module also is used for the key file according to client-requested data downloaded file correspondence, and whether whether judgement request data downloaded file encrypted and/or signed;
Described authentication module is used for when described judge module judges that described data file has been signed unencryption, to described data file certifying signature, and after checking is passed through, the data flow of described data file is outputed to described client; And when described judge module judgment data file has been signed and encrypted,, and after checking is passed through, described data file is sent to described deciphering module to described data file certifying signature;
Described deciphering module is used for judging described data file when described judge module and has encrypted when unsigning, and the data flow of described data file is decrypted, and decrypted data stream is outputed to described client; And receive the data file that described authentication module sends, and the data flow of the described data file that receives is decrypted, decrypted data stream is outputed to described client.
10. server as claimed in claim 9 is characterized in that, described authentication module also is used for the signature algorithm that comprises according to described key file and the result that signs, to the data file certifying signature that reads;
Described deciphering module also is used for the encryption key after the encryption of described key file is decrypted, and obtains decruption key; Use the cryptographic algorithm in described decruption key and the described key file that the data flow of described data file is decrypted.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN2008102279004A CN101753539B (en) | 2008-12-01 | 2008-12-01 | Network data storage method and server |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN2008102279004A CN101753539B (en) | 2008-12-01 | 2008-12-01 | Network data storage method and server |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN101753539A true CN101753539A (en) | 2010-06-23 |
| CN101753539B CN101753539B (en) | 2012-06-06 |
Family
ID=42479949
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN2008102279004A Expired - Fee Related CN101753539B (en) | 2008-12-01 | 2008-12-01 | Network data storage method and server |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN101753539B (en) |
Cited By (11)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN103078866A (en) * | 2013-01-14 | 2013-05-01 | 成都西可科技有限公司 | Transparent encryption method for mobile platform |
| CN103973715A (en) * | 2014-05-29 | 2014-08-06 | 广东轩辕网络科技股份有限公司 | Cloud computing security system and method |
| CN104751072A (en) * | 2015-03-17 | 2015-07-01 | 山东维固信息科技股份有限公司 | Secrete-related control system providing completely transparent user experience based on real-time encryption and decryption technology |
| CN105100087A (en) * | 2015-07-08 | 2015-11-25 | 上海迈外迪网络科技有限公司 | Management method, management server and system for SQL (Structured Query Language) database |
| CN105656866A (en) * | 2014-12-02 | 2016-06-08 | 华为技术有限公司 | Data encryption method and system |
| CN106209754A (en) * | 2015-05-08 | 2016-12-07 | 中标软件有限公司 | Method and system to software kit automatic signature in version control system |
| CN107277141A (en) * | 2017-06-21 | 2017-10-20 | 京东方科技集团股份有限公司 | Data judgment method and distributed memory system applied to distributed memory system |
| CN108011857A (en) * | 2016-11-01 | 2018-05-08 | 北京京东尚科信息技术有限公司 | Data dynamic encryption transmission configuration method and apparatus |
| CN108880811A (en) * | 2018-09-30 | 2018-11-23 | 北京集创北方科技股份有限公司 | Living creature characteristic recognition system and its communication means |
| CN109565498A (en) * | 2016-06-02 | 2019-04-02 | 北京易掌云峰科技有限公司 | It is transmitted using the dynamic of the performance of header |
| CN114095175A (en) * | 2021-10-19 | 2022-02-25 | 网络通信与安全紫金山实验室 | Data security method and device capable of gray level check and storage medium |
Family Cites Families (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN1219260C (en) * | 2003-09-02 | 2005-09-14 | 四川大学 | Method for controlling storage and access of security file system |
| CN101247232B (en) * | 2008-03-27 | 2012-09-26 | 上海金鑫计算机系统工程有限公司 | Encryption technique method based on digital signature in data communication transmission |
-
2008
- 2008-12-01 CN CN2008102279004A patent/CN101753539B/en not_active Expired - Fee Related
Cited By (17)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN103078866B (en) * | 2013-01-14 | 2015-11-04 | 成都西可科技有限公司 | Mobile platform transparent encryption method |
| CN103078866A (en) * | 2013-01-14 | 2013-05-01 | 成都西可科技有限公司 | Transparent encryption method for mobile platform |
| CN103973715A (en) * | 2014-05-29 | 2014-08-06 | 广东轩辕网络科技股份有限公司 | Cloud computing security system and method |
| CN103973715B (en) * | 2014-05-29 | 2017-03-22 | 广东轩辕网络科技股份有限公司 | Cloud computing security system and method |
| CN105656866A (en) * | 2014-12-02 | 2016-06-08 | 华为技术有限公司 | Data encryption method and system |
| CN104751072A (en) * | 2015-03-17 | 2015-07-01 | 山东维固信息科技股份有限公司 | Secrete-related control system providing completely transparent user experience based on real-time encryption and decryption technology |
| CN106209754B (en) * | 2015-05-08 | 2019-01-22 | 中标软件有限公司 | To the method and system of software package automatic signature in version control system |
| CN106209754A (en) * | 2015-05-08 | 2016-12-07 | 中标软件有限公司 | Method and system to software kit automatic signature in version control system |
| CN105100087A (en) * | 2015-07-08 | 2015-11-25 | 上海迈外迪网络科技有限公司 | Management method, management server and system for SQL (Structured Query Language) database |
| CN109565498A (en) * | 2016-06-02 | 2019-04-02 | 北京易掌云峰科技有限公司 | It is transmitted using the dynamic of the performance of header |
| CN108011857A (en) * | 2016-11-01 | 2018-05-08 | 北京京东尚科信息技术有限公司 | Data dynamic encryption transmission configuration method and apparatus |
| CN107277141A (en) * | 2017-06-21 | 2017-10-20 | 京东方科技集团股份有限公司 | Data judgment method and distributed memory system applied to distributed memory system |
| CN107277141B (en) * | 2017-06-21 | 2020-03-31 | 京东方科技集团股份有限公司 | Data judgment method applied to distributed storage system and distributed storage system |
| CN108880811A (en) * | 2018-09-30 | 2018-11-23 | 北京集创北方科技股份有限公司 | Living creature characteristic recognition system and its communication means |
| CN108880811B (en) * | 2018-09-30 | 2021-11-23 | 北京集创北方科技股份有限公司 | Biometric identification system and communication method thereof |
| CN114095175A (en) * | 2021-10-19 | 2022-02-25 | 网络通信与安全紫金山实验室 | Data security method and device capable of gray level check and storage medium |
| CN114095175B (en) * | 2021-10-19 | 2024-03-26 | 网络通信与安全紫金山实验室 | Gray-check-capable data confidentiality method, device and storage medium |
Also Published As
| Publication number | Publication date |
|---|---|
| CN101753539B (en) | 2012-06-06 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN101753539B (en) | Network data storage method and server | |
| US11076290B2 (en) | Assigning an agent device from a first device registry to a second device registry | |
| US9860235B2 (en) | Method of establishing a trusted identity for an agent device | |
| CN110535662B (en) | Method and system for realizing user operation record based on block chain data certificate storage service | |
| US11089018B2 (en) | Global unique device identification code distribution method | |
| US9819494B2 (en) | Digital signature service system based on hash function and method thereof | |
| CN105847228A (en) | Access control framework for information centric networking | |
| CN101651714B (en) | Downloading method and related system and equipment | |
| US20100241852A1 (en) | Methods for Producing Products with Certificates and Keys | |
| WO2015056008A1 (en) | Method for assigning an agent device from a first device registry to a second device registry | |
| KR101285281B1 (en) | Security system and its security method for self-organization storage | |
| US20190349347A1 (en) | Registry apparatus, agent device, application providing apparatus and corresponding methods | |
| CN109064596B (en) | Password management method and device and electronic equipment | |
| CN103139143B (en) | The method of digital copyright management, system and server | |
| CN104901968A (en) | Method for managing and distributing secret keys in secure cloud storage system | |
| JP2004110197A (en) | Information processing method and method of managing access authority for use at center system | |
| CN103403729A (en) | Secure management and personalization of unique code signing keys | |
| CN111194033B (en) | In-vehicle secure communication method, system and computer storage medium | |
| CN107368749B (en) | File processing method, device, equipment and computer storage medium | |
| CN115766270A (en) | File decryption method, file encryption method, key management method, device and equipment | |
| JP3810966B2 (en) | Cryptographic communication center apparatus, cryptographic communication system, and recording medium | |
| CN106156625A (en) | The method of a kind of plug-in unit signature and electronic equipment | |
| Ray et al. | A solution for industrial device commissioning along with the initial trust establishment | |
| TW202002562A (en) | Device and method for distributing machine ID, and internet-connected device | |
| CN117220852A (en) | Trusted data sharing method and system based on blockchain |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| C06 | Publication | ||
| PB01 | Publication | ||
| C10 | Entry into substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| C14 | Grant of patent or utility model | ||
| GR01 | Patent grant | ||
| CF01 | Termination of patent right due to non-payment of annual fee |
Granted publication date: 20120606 |
|
| CF01 | Termination of patent right due to non-payment of annual fee |