CN102014133A - Method for implementing safe storage system in cloud storage environment - Google Patents

Method for implementing safe storage system in cloud storage environment Download PDF

Info

Publication number
CN102014133A
CN102014133A CN2010105693982A CN201010569398A CN102014133A CN 102014133 A CN102014133 A CN 102014133A CN 2010105693982 A CN2010105693982 A CN 2010105693982A CN 201010569398 A CN201010569398 A CN 201010569398A CN 102014133 A CN102014133 A CN 102014133A
Authority
CN
China
Prior art keywords
file
key
user
access control
trust domain
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN2010105693982A
Other languages
Chinese (zh)
Other versions
CN102014133B (en
Inventor
舒继武
薛巍
薛矛
沈志荣
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Tsinghua University
Original Assignee
Tsinghua University
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Tsinghua University filed Critical Tsinghua University
Priority to CN 201010569398 priority Critical patent/CN102014133B/en
Publication of CN102014133A publication Critical patent/CN102014133A/en
Application granted granted Critical
Publication of CN102014133B publication Critical patent/CN102014133B/en
Expired - Fee Related legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Landscapes

  • Storage Device Security (AREA)

Abstract

The invention relates to a method for implementing a safe storage system in a cloud storage environment and belongs to the technical field of storage safety. The method is characterized in that a trust domain is established in a server according to the requirements of a user; in the trust domain, identity authentication is performed by using an public key infrastructure (PKI); the independence between the storage system and a bottom layer system is realized by utilizing a filesystem in user space (FUSE); a hash value of a file is calculated by utilizing a secure hash algorithm (SHA1) and taking a block as a unit, a file block is encrypted by utilizing a key and an advanced encryption standard (AES) algorithm of a symmetric encipherment algorithm and taking a block as a unit, and a file cipher text is uploaded to a file server in a cloud storage area so as to guarantee the confidentiality and integrity of the file; a filer owner postpones encrypting the file again when permission is revoked by designating a user with the permission of accessing the file and the permissions thereof in an access control list; and only when the user modifies the content of the file, the user encrypts the file block in which the modified content is positioned again and the system implements three layers of key management, namely a file block key, a safe metadata file key and a trust domain server key so that not only the safety of the file is guaranteed when the permission is revoked, but also the management load of the system is not increased.

Description

A kind of implementation method of safe storage system under the cloud storage environment
Technical field
The implementation method of safe storage system belongs to the storage security field under the cloud storage environment, relates in particular to technical fields such as safe access control, key distribution management and file management wherein.
Background technology
Now along with the develop rapidly of cloud computing technology, the cloud storage also has been subjected to paying close attention to widely and using gradually, the file owner can create file, and file uploaded in the cloud memory block, file is transferred to cloud storage service provider to be managed, this document owner can allow to specify other users that this document is carried out read and write access simultaneously, has realized the share and access of file.
Though cloud storage service provider can visit to the file-sharing that the user provides convenience, the safety problem that is present in wherein then can not be ignored.At first, the confidentiality of file can't guarantee: file is to be stored in the cloud memory block with the plaintext form, these information all place among the sight line of cloud storage service provider without reservation, if cloud storage service provider has obtained these fileinfos, and be applied to illegal objective, then will bring the consequence that can not estimate to the user; Secondly, the integrality of fileinfo can't guarantee: other users during to this document shared, the information of file is to transmit in network with form expressly, brought opportunity so just for the network interception person, the network interception person can intercept fileinfo in network, after obtaining fileinfo, some information that are unfavorable for oneself can be left out, artificially add some simultaneously to own favourable deceptive information, and then this information is issued other users, reach the illegal objective of oneself; Once more, not management effectively for authority, and the fail safe of authority when cancelling can't guarantee: how can effectively realize user's sharing this document, and after a user's the access rights to this document are cancelled, how can guarantee that content after this document upgrades can not cancelled the user of authority again and obtain.More than these all be the test safe storage system some safety issues.
The function of safe storage system is to use the family can guarantee the safety of shared data, its implementation method is: at first the file owner uses hash algorithm that this document is calculated cryptographic Hash with piece as unit in this locality, and use key and cryptographic algorithm that file is encrypted as unit with piece, then ciphertext and cryptographic Hash being put into public memory block together stores, the keeper of common storage area just can't learn the content of file like this, guaranteed the confidentiality of data, simultaneously key distribution has been thought the user that can conduct interviews to this document to him by the owner of this document.These users can visit this document, and with the key of grasping accessed content place blocks of files are decrypted, and calculate the cryptographic Hash of these pieces then, see whether equate with the cryptographic Hash of preserving, if equate, then the content of explanation visit is complete, reads the content of file at last again.The safe storage system of being realized now at home and abroad, though guaranteed the confidentiality and integrity of file, but also have some shortcomings: at first, the realization of the storage system that has needs the support of bottom storage system, or even need change or have the requirement of particular core version to the version of kernel, many inconvenience have been brought to the user like this, if the user need use these safe storage systems, then need to install specific bottom storage system, or need the kernel of particular version, or need make amendment to kernel; Secondly, the safe storage system that has has used rivest, shamir, adelman when file is operated, also need to use the key rolling back action in some cases, because the complexity of rivest, shamir, adelman is higher, so the performance of such safe storage system allows of no optimist; Once more, major part safe storage system is now cancelled in the authority for the treatment of the user, what generally use is positive cancelling method, actively cancelling the background that operation occurs is: because the owner of file may think that certain user of granted access this document can destroy or this user may distribute the content of file this document, cause the file owner do not wish the effect seen, therefore the file owner may cancel this user's authority, but because this user has grasped the needed key of visit this document, therefore in order to guarantee safety of files, the file owner has to regenerate at once new key, and newly file is encrypted at once with new key reconsul, at last new key distribution is given other validated users except the user who is cancelled authority, Here it is actively cancels, doing some consequences of bringing like this is, for big file, it is very huge actively to cancel the cryptography expense of bringing of encrypting again at once, in the environment of frequently cancelling, the expense of this safe storage system also may allow the user be difficult to bear simultaneously.
The present invention has realized the safe storage system under a kind of cloud storage environment, it has guaranteed the confidentiality and integrity of data for the user, the management effectively that user's authority is carried out simultaneously, and safety of files when having guaranteed that authority is cancelled, this system also has good expansibility.
Summary of the invention
The object of the present invention is to provide the system architecture of safe storage system under a kind of cloud storage environment, still can carry out file-sharing safely and efficiently even make the user in incredible storage and network environment, lose to the control of system physical resource, data security protecting is irrelevant with the bottom storage system of having disposed simultaneously: the bottom storage system only provides reliable data storage service, and the protection of data confidentiality, integrality and access control are then finished in the trust domain of setting up according to user's request; The user can not rely on the bottom storage system provides the Information Security protection mechanism just can guarantee the fail safe end to end of own data, and the bottom storage system also can't be interfered the security of users protection mechanism conversely.This framework with the responsibility of data security protecting from the user be not possessed of control power the data server of limit and the more weak single client computer of fail safe focus on have higher security level other, can by user oneself set maintenance, on the believable trust domain server; thereby eliminated the trust demand of storage system to insincere file server; and reduced user's management complexity and leaked the security risk of being brought by client key, therefore be highly suitable for the user does not have control authority to the bottom shared-file system application scenarios.
Framework of the present invention comprises: trust domain server, file server, client and network.Its effect is as follows respectively:
1) trust domain server: its effect is that the identity to the user authenticates, and the key of file is managed and distributes;
2) file server: its effect is storage file and security metadata file;
3) client: create file and file is conducted interviews;
4) network: as the medium of file transfer, the access request of transmission user and fileinfo;
Thinking of the present invention is:
1) this storage system and bottom storage system are irrelevant; Be that data security protecting is irrelevant with the bottom storage system of having disposed, the bottom storage system only provides reliable data storage service, and the protection of data confidentiality, integrality and access control are then finished in the trust domain of setting up according to user's request; The user can not rely on the bottom storage system provides the Information Security protection mechanism just can guarantee the fail safe end to end of own data, and the bottom storage system also can't be interfered the security of users protection mechanism conversely;
2) confidentiality and integrity of file protection;
I. the file owner creates file; At first using hash algorithm in this locality---the SHA1 algorithm calculates cryptographic Hash with piece as unit to file, use key and cryptographic algorithm aes algorithm that file is encrypted as unit with piece then, upload to then in the cloud memory block and store, so just guaranteed the confidentiality of file in the cloud memory block, wherein the SHA1 algorithm is to be designed by American National security bureau, and by a kind of SHA of National Institute of Standards and Technology issue, it is a kind of hash algorithm that is widely used, its use is the digital information (being commonly referred to as cryptographic Hash) that tediously long File Compress is become one section uniqueness, guarantee the legitimacy and the fail safe of original file, simultaneously aes algorithm be the American National technical standard committee determined Advanced Encryption Standard in 2000, be a kind of cryptographic algorithm of protected data safety of extensive use; The key management file owner gives the trust domain server with the authority of key distribution and management and carries out easily.
Ii. the file owner specifies Access Control List (ACL), specifies the user with authority that this document is conducted interviews; Create the Access Control List (ACL) of a this document as the file owner, he is thought and can be added into Access Control List (ACL) to the user that this document conducts interviews, and Access Control List (ACL) issued the trust domain server, the trust domain server is issued user on the Access Control List (ACL) with the key of this document.When the user with access rights conducts interviews to file, data are to transmit in network with the ciphertext form, it is that unit is decrypted with the piece that the user utilizes the key-pair file of grasp again, file after using the SHA1 algorithm to deciphering then calculates cryptographic Hash with piece as unit, judge whether to equate with the cryptographic Hash that reads, if equate, represent that then data are complete, read file content at last, if the cryptographic Hash that the user calculates is unequal with the cryptographic Hash that reads, represent that then the integrality of data suffered destruction, then report an error to system;
3) the dispensing tube reason trust domain server unification of key is carried out; The main key management that realizes mainly is divided into three layers in this safe storage system, its reason is: utilize the organizational form of level that symmetric key is carried out organization and administration, both guarantee systematic function and fail safe thereby reach, do not increase the purpose of the administrative burden of system again.Operating procedure is as follows:
I. blocks of files key: in order to handle big file safely and efficiently, in native system, be the encrypted in units file with the piece, and claim that this piece is a blocks of files, to distinguish bottom storage system piece, each blocks of files all uses an independent symmetric key that is called the blocks of files key to encrypt, and each file all has one group of blocks of files key;
Ii. security metadata file key: the key that is kept in the security metadata file is the second level, and these keys comprise a lock box sub-key LBK and a file signature key FSK.Lock box sub-key LBK refers to: an All Files piece key in the file is housed in lock box, but this box is encrypted by the lock box sub-key LBK of symmetry then.The authorized user that only obtains lock box sub-key LBK could be deciphered lock box, and then obtains the blocks of files key with the declassified document content; File signature key FSK writes the signature key of user after file is made amendment.In this safe storage system, distinguish read operation and write operation by file signature key FSK just, need to prove that lock box sub-key LBK and file signature key FSK are symmetric keys, adopt the lower symmetric key of complexity can significantly reduce the cryptography computing cost of system;
Iii. trust domain server key: uppermost level is the trust domain server key; So-called trust domain server key is two symmetric keys that the trust domain server is safeguarded, one is called trust domain server for encrypting key A SEK, and one is called trust domain server signature key A SSK.The former is used for the lock box sub-key LBK and the file signature key FSK of the pairing security metadata file of data file encryption, thereby conduct interviews control and differentiation are read-write operation; The latter is used as the input parameter of hmac algorithm, access control block (ACB) in the security metadata file is calculated the HMAC value to guarantee its integrality, wherein HMAC is a kind of a kind of Message Authentication Code that uses cryptographic Hash function and cipher key calculation to come out, and its effect mainly is that the integrality of message is checked.The trust domain server must guarantee the confidentiality of these two keys, whenever all these two keys can not be revealed to all other men, and this point can realize by the hardware supplementary means in actual applications.
The invention is characterized in that described method is in the network that trust domain server, client and file server are formed, the file system FUSE of use user's space realizes according to following steps on Linux successively:
Step (1): the initialization of network,
Step (1.1): the initialization of trust domain server, set up user authentication module and access control module, wherein user authentication module has adopted SSL/TLS agreement and PKIX PKI, access control module is the access control of carrying out under the file owner authorizes file, three grades of key management mechanisms in system, have been adopted, wherein first order key is the blocks of files key, in order to handle big file safely and efficiently, in native system, be the encrypted in units file with the piece, and claim that this piece is a blocks of files, each blocks of files all uses an independent symmetric key that is called the blocks of files key to encrypt, after the blocks of files key is encrypted, be stored in the security metadata file, second level key is a security metadata file key, comprise a lock box sub-key LBK and a file signature key FSK, each file all has security metadata file key alone, wherein lock box sub-key LBK is used to encrypt the All Files piece key in this document, guarantee the confidentiality of blocks of files key, the latter writes the signature key of user after file data is made amendment, be used to distinguish read operation and write operation, third level key is the trust domain server key, be two symmetric keys that the trust domain server is safeguarded, one is called trust domain server for encrypting key A SEK, be used for the lock box sub-key LBK and the file signature key FSK of the pairing security metadata file of data file encryption, thereby conduct interviews control and differentiation are read-write operation, one is called trust domain server signature key A SSK, be used for to the Message Authentication Code of the calculating of the access control block (ACB) in the security metadata file based on Hash, it is the HMAC value, to guarantee the integrality of access control block (ACB)
Step (1.2): client is provided with the data encrypting and deciphering module, the data integrity authentication module, and cache module, file system interface,
Step (1.3): file server is provided with memory module;
Step (2): user applies obtains User Identity, and step is as follows:
Step (2.1): user's user authentication module to the trust domain server on the channel that client is being encrypted by secure socket layer protocol SSL and Transport Layer Security TLS sends the User Identity request,
Step (2.2): described user authentication module is based on PKIX, user identity and trust domain server identity all are to authenticate by the X.509 certificate that PKIX is authorized, the new user of system at first must apply for certificate to registration body, just can use this system then;
Step (3): the owner of file creates file according to following steps:
Step (3.1): the described file owner sends the request of creating file to described trust domain server: the file owner at first creates the content of access control block (ACB), content comprises: user's identify label, filename, specified cryptographic algorithm and pattern and Access Control List (ACL), and access control block (ACB) is issued the access control module of trust domain server, wherein said Access Control List (ACL) comprises the cryptographic Hash of user name and this user's access rights
Step (3.2): the described trust domain server process file owner creates the request of file, use authentication module that the possessory identity of file is authenticated, judge its identity and authority, the file of creating for its request generates lock box sub-key LBK and file signature key FSK then;
Step (3.3): the trust domain server uses trust domain encryption key ASEK encryption lock box key LBK and file signature key FSK, and use trust domain signature key ASSK to calculate the HMAC value as access control block (ACB), and deposit in the HMAC territory of access control block (ACB), then access control block (ACB) is returned to the file owner;
Step (3.4): the described file owner creates file, the input data, hash algorithm safe in utilization then, it is the SHA1 algorithm, to file is that unit calculates cryptographic Hash with the piece, and cryptographic Hash is kept in the security metadata file, and re-using the blocks of files key-pair file is that unit is encrypted with the piece, and the spanned file ciphertext, at last the ciphertext of file and security metadata file are issued described file server and store;
Step (4): read the file that the user is created according to following steps read step (3):
Step (4.1): read file data ciphertext and security metadata file from described file server end,
Step (4.2): carry out the authentication that this reads the user according to the following steps,
Step (4.2.1): read the user oneself identify label and the access control block (ACB) in the security metadata file are issued described trust domain server,
Step (4.2.2): trust domain server calls authentication module is confirmed user's identify label; Call access control module; Use trust domain key ASEK to decipher this access control block (ACB); Acquisition comprises the information of lock box sub-key LBK, file signature key FSK and ACL; Use trust domain signature key ASSK to calculate the HMAC value of access control block (ACB); To judge the integrality of access control block (ACB); And determine to read user's read right according to ACL; Then lock box sub-key LBK is issued and read the user
Step (4.3): this is read the user and obtains after the lock box sub-key LBK, utilize its deciphering to obtain the blocks of files key, use blocks of files key-pair file data to be decrypted then, obtain the cleartext information of file data at last, and use the SHA1 algorithm that the blocks of files at reading content place is calculated cryptographic Hash, whether see consistent with the cryptographic Hash of preserving in the security metadata, judge the integrality of institute's read data,, data integrity is described then if equate, the user reads these data again, otherwise then reports an error to system;
Step (5): write the user and write according to following steps or the revised file data,
Step (5.1): this writes the user at first reads the described file data that will revise from described file server end ciphertext and security metadata file,
Step (5.2): write the user and carry out authentication according to the following steps,
Step (5.2.1): this is write the user trust domain server is issued in identify label of oneself and the access control block (ACB) in the security metadata file, described trust domain server calls authentication module is confirmed user's identify label, and call described access control module, use trust domain key A SEK to decipher this access control block (ACB), acquisition comprises lock box sub-key LBK, file signature key FSK and Access Control List (ACL) are in interior information, use trust domain signature key ASSK to recomputate the HMAC value of this access control block (ACB), whether see with HMAC value in the access control block (ACB) and equate, judge whether this access control block (ACB) is complete, and determine to write the write permission that the user has by Access Control List (ACL), then, and lock box sub-key LBK and file signature key FSK returned to the user
Step (5.3) is write the user and is write according to the following steps or revised file,
Step (5.3.1) is write the user and is used lock box sub-key LBK to obtain the blocks of files key, use blocks of files key-pair file data to be decrypted then, obtain plaintext document information, and use the SHA1 algorithm that file is calculated the cryptographic Hash that will revise content place blocks of files with piece as unit, whether see consistent with the cryptographic Hash of preserving in the security metadata, judge the integrality of institute's read data
Step (5.3.2): the file to step (5.3.1) writes or revises, and uses the blocks of files key again new file data to be encrypted, and uses file signature key FSK to sign,
Step (5.3.3): write the user and amended file data and security metadata file are issued described file server store;
Step (6): the described file owner carries out the authority destruction operation according to the following steps:
Step (6.1): this document owner obtains the security metadata file from described file server end, and the user list that the identify label of oneself, access control block (ACB) in the security metadata file and plan are cancelled is issued the trust domain server then,
Step (6.2): this trust domain server is executable operations according to the following steps,
Step (6.2.1): possessory identify label authenticates to file to call described authentication module, determines that it has the user's of cancelling operation permission,
Step (6.2.1): call described access control module, use trust domain key A SEK to decipher this access control block (ACB), obtain Access Control List (ACL), lock box sub-key LBK and file signature key FSK are in interior information, and the trust domain signature key ASSK that uses oneself recomputates the HMAC value of this access control block (ACB), judge the complete of this access control block (ACB), from the Access Control List (ACL) of access control block (ACB), delete the Access Control List (ACL) item at the user place that need cancel then, then generate new lock box sub-key LBK ' and new file signature key FSK ' for file, the trust domain server is encrypted newly-generated lock box sub-key LBK ' and newly-generated file signature key FSK ' again with trust domain server for encrypting key A SEK then, and use trust domain server signature key A SSK again the access control block (ACB) of revising to be calculated HMAC
Step (6.2.2): described trust domain server returns to the file owner with new access control block (ACB), new file signature key FSK ', new lock box sub-key LBK ' and old lock box sub-key LBK,
Step (6.3): the described file owner uses lazy destruction operation in the following manner: use old lock box sub-key LBK deciphering All Files piece key, use new these blocks of files keys of lock box sub-key LBK ' encryption, carry out again when the cryptographic operation again of blocks of files is postponed till the user to the renewal of blocks of files.
Effect of the present invention is as follows:
1. do not rely on the bottom document system and guarantee the confidentiality of user file in the cloud memory block, the user who only has lawful authority just can obtain the information of file;
2. guaranteed the user to integrality end to end in the file operation process, whether the user can in time find illegally to be distorted when data are transmitted in network or because the variation of storage medium causes situations such as data corruption;
3. reduced the expense that authority is cancelled, particularly a multi-user, in the frequent application scenarios of permission modification, the present invention can largely improve the efficient that authority is cancelled;
The present invention carried out test in department of computer science, Tsinghua university high-performance calculation technical research institute, the result shows, this safe storage system can be under the cloud storage environment for when the user provides file-sharing, also can guarantee confidentiality, integrality and the access control of data, and performance cost is also within user's acceptable scope.
Description of drawings:
Fig. 1 system construction drawing.
Fig. 2 file owner creates the file schematic diagram.
Fig. 3 reads the user and reads the file schematic diagram.
Fig. 4 writes user's written document schematic diagram.
Fig. 5 file owner cancels the user right schematic diagram.
Fig. 6 access control block (ACB) figure schematic diagram.
Fig. 7 stand-alone environment uses IOzone test comparison ext3 and readwrite performance of the present invention down.
Use IOzone test comparison NFS and readwrite performance of the present invention under Fig. 8 cluster environment.
Embodiment:
The specific embodiment of the present invention is as follows:
Step 1: user applies obtains user ID: user ID is user's unique identify label in system, and the file owner and trust domain server all are the identity of determining the user by user's sign, judge its access rights; Identity for main body (comprising trust domain server and user) in the recognition system safely and effectively, so that system sets up each other trusting relationship to the user who operates, system needs a kind of User Identity mechanism that is independent of the safety of bottom storage system.In native system, adopt PKIX (PKI, Public Key Infrastructure), come to provide user ID for system by digital certificate.Digital certificate is the electronic document that is signed and issued to main body by just, authoritative mechanism, record the term of validity, cryptographic algorithm sign, public key information and the out of Memory of principal name, certificate serial number, issuer-name, certificate in the document, and be platform or the framework that has comprised hardware, software, manpower, strategy and process through the digital signature PKIX of the side of signing and issuing, it utilizes public-key technology that the function that digital certificate is created, manages, distributes, uses, stored and cancels is provided.Certification authority (CA, CerfiticateAuthority) and registration body (RA, Registration Authority) be the important component part of PKIX.The former is the core of PKIX, it is a believable third party, by user's PKI and other information (comprising user identity) of user are bound together for the user signs and issues digital certificate, and provide certificate inquiry, cancel, life cycle management and key management; The latter mainly is that user oriented is fulfiled some responsibilities that certification authority is appointed.The technical system that PKIX is a kind of maturation, be widely used has unified codes and standards, and a lot of comparatively complete realizations are arranged.Utilize PKIX to provide user ID for system, the work that the maintenance customer can be identified uniqueness and authenticity is given this ripe system and is finished, make system user under the situation that needn't understand the complex management details, verify the identity of other system main body safely and efficiently simultaneously, realize the mutual trust between the user, thereby guarantee authenticity, integrality, confidentiality and the non-repudiation of user profile;
Step 2: the file owner creates file, and the file owner creates and has the following steps as the step 1 of file, specifically as shown in Figure 2;
Figure BSA00000370577200082
Step 2.1: the file owner sends the request of creating file to the trust domain server: the file owner at first creates the content of access control block (ACB), content comprises: his identify label, filename, specified cryptographic algorithm and pattern and Access Control List (ACL), and access control block (ACB) issued the trust domain server;
Figure BSA00000370577200083
Step 2.2: the trust domain server process file owner creates the request of file: the trust domain server at first according to file possessory identify label judge its identity and authority, the file of creating for its request generates lock box sub-key LBK and file signature key FSK then, then the trust domain server uses trust domain encryption key ASEK encryption lock box key LBK and file signature key FSK, and use trust domain signature key ASSK to calculate the HMAC value as access control block (ACB), then access control block (ACB) is returned to the file owner;
Figure BSA00000370577200084
Step 2.3: the file owner creates file: the file owner creates file, the input content, use the SHA1 algorithm that file is calculated cryptographic Hash with piece as unit then, cryptographic Hash is kept in the security metadata file, re-using the blocks of files key-pair file is that unit is encrypted with the piece, and the spanned file ciphertext, at last the ciphertext of file and security metadata file are issued file server and store;
Figure BSA00000370577200085
Step 3: read the user and read file, read the user and read fileinfo and generally have the following steps, specifically as shown in Figure 3:
Figure BSA00000370577200086
Step 3.1: read file cipher text and security metadata file; Read the user and at first read file cipher text and security metadata file, obtain access control block (ACB) from the file server end;
Figure BSA00000370577200087
Step 3.2: the authentication of reading the user; Read the user trust domain server is issued in identify label of oneself and the access control block (ACB) in the security metadata file, trust domain is after receiving the identify label and access control block (ACB) of reading the user, at first use trust domain key A SEK to decipher this access control block (ACB), obtain Access Control List (ACL), information such as lock box sub-key LBK and file signature key FSK, use the trust domain signature key ASSK of oneself then, calculate the HMAC value of access control block (ACB), judge the integrality of access control block (ACB), the trust domain server has been confirmed user's identify label then, and determined to read user's read right according to Access Control List (ACL), lock box sub-key LBK is issued read the user then;
Figure BSA00000370577200088
Step 3.3: read the user and read file; Reading the user obtains after the lock box sub-key LBK, utilize its deciphering to obtain the blocks of files key, use the blocks of files key that the blocks of files at reading content place is decrypted then, obtain cleartext information, and use the SHA1 algorithm that the blocks of files at reading content place is calculated cryptographic Hash, whether see consistent with the cryptographic Hash of preserving in the security metadata, judge the integrality of institute's read data, if institute's read data is complete, then reads this data, otherwise report an error to system;
Figure BSA00000370577200091
Step 4: write the user file is made amendment, general step is as follows, specifically as shown in Figure 4:
Figure BSA00000370577200092
Step 4.1: write the user and read file cipher text and security metadata file; Write the user at first reads the file that will revise from the file server end ciphertext and security metadata file;
Step 4.2: write user's authentication; Write the user trust domain server is issued in identify label of oneself and the access control block (ACB) in the security metadata file, after the trust domain server receives access control block (ACB), use trust domain key A SEK to decipher this access control block (ACB), obtain Access Control List (ACL), information such as lock box sub-key LBK and file signature key FSK, and the trust domain signature key ASSK that uses oneself recomputates the HMAC value of this access control block (ACB), whether see with HMAC value in the access control block (ACB) and equate, judge whether this access control block (ACB) is complete, confirm user's identify label then, and determine the write permission that the user has by Access Control List (ACL), and lock box sub-key LBK and file signature key FSK returned to the user
Figure BSA00000370577200094
Step 4.3: write the user's modification file; Write the user after obtaining lock box sub-key LBK and file signature key FSK, use lock box sub-key LBK to obtain the blocks of files key, use the blocks of files key that the blocks of files at modification content place is decrypted then, obtain cleartext information, and use the SHA1 algorithm that the blocks of files that will revise the content place is calculated, whether see consistent with the cryptographic Hash of preserving in the security metadata, judge the integrality of the data of revising, and then write the user's modification file, use the blocks of files key again the content that writes to be calculated cryptographic Hash and encrypted then, and use file signature key FSK to sign, also need at last security metadata is upgraded;
Step 4.4: write the user and amended file and security metadata file are issued file server store;
Figure BSA00000370577200096
Step 5: the operation that authority is cancelled; When the file owner thinks that certain user may damage or can outwards disseminate this document information file, this user's authority may be cancelled, the authority when the file owner cancels the user generally has following steps, specifically as shown in Figure 5;
Figure BSA00000370577200097
Step 5.1: the file owner sends request to the trust domain server, and user's authority is cancelled in request; At first the file owner obtains the security metadata file from the file server end, then the identify label of oneself, the access control block (ACB) in the security metadata file and the user list of cancelling is issued the trust domain server;
Figure BSA00000370577200098
Step 5.2: the trust domain server to file possessory request handle; After the trust domain server receives user's request, at first use trust domain key A SEK to decipher this access control block (ACB), obtain Access Control List (ACL), information such as lock box sub-key LBK and file signature key FSK, and the trust domain signature key ASSK that uses oneself recomputates the HMAC value of this access control block (ACB), after judging this access control block (ACB) complete, the possessory identity of file is being authenticated, after the possessory identity of definite file and its have the user's of cancelling operation permission, the Access Control List (ACL) item at the user place that deletion need be cancelled from the Access Control List (ACL) of access control block (ACB) then generates new lock box sub-key LBK ' and new file signature key FSK ' for file then.The trust domain server is encrypted newly-generated lock box sub-key LBK ' and file signature key FSK ' again with trust domain server for encrypting key then, and uses trust domain server signature key again the access control block (ACB) of revising to be calculated HMAC.Then, the trust domain server returns to the file owner with new access control block (ACB), new file signature key, new lock box sub-key LBK ' and old lock box sub-key LBK;
Figure BSA00000370577200099
Step 5.3: the file owner uses lazy destruction operation; The file owner at first uses old lock box sub-key LBK deciphering All Files piece key, use new these blocks of files keys of lock box sub-key LBK ' encryption, and new access control block message is written in the security metadata file, so-called lazy cancelling method refers to: the file owner uses new key that whole file (promptly all blocks of files) is encrypted again, but carries out will postpone till the user to the renewal of blocks of files to the cryptographic operation again of blocks of files the time again;
System configuration of the present invention uses FUSE (Filesystem in Userspace) framework to realize on Linux as shown in Figure 1.FUSE is a kind of by the widely used technology of file system developer.By FUSE, file system developer can develop the user's attitude file system of oneself rapidly easily under the prerequisite of not revising kernel.Have benefited from its kernel module, FUSE can call from VFS layer interception system, then these system calls is passed to the operation logic of file system to realize that some are special of user's attitude of developer oneself.FUSE also make the user can be under the situation that does not have the root authority file system of carry oneself.In addition, FUSE is independent of specific bottom storage system, has good portability.These characteristics have satisfied design of the present invention and realization demand fully.In the cryptography operation, the present invention uses the OpenSSL storehouse to carry out the cryptography associative operation, and wherein OpenSSL is.This storehouse is celebrated with good realization and complete interface, therefore is widely used.In system, use SHA-1 as cryptographic Hash function, use HMAC based on SHA-1 as the MAC function, and use the block encryption function of AES-256 as acquiescence.These parameters all are to be configured when the carry system by the user.In addition, OpenSSL also provides the realization preferably to Public Key Infrastructure(PKI), can be used in the system and set up safe lane with the Verification System role and between user and trust domain server.
Core of the present invention is the safe storage system that has proposed under a kind of cloud storage environment, its realize mainly by following components with and corresponding module form:
● the trust domain server
The trust domain server mainly contains following module and constitutes:
1. user authentication module
This module is responsible for user identity is verified.In fact because adopted at SSL/TLS and PKIX, user identity and trust domain server identity all are to authenticate by the X.509 certificate that PKIX is authorized, the new user of system at first must be to (the RA of registration body, RegistrationAuthority) the application certificate just can use this system then.Although this process need is based on the support of the PKIX of asymmetric encryption, and can introduce certain expense, this asymmetric calculating only adds for the first time new user and just can take place and only carry out once; In the follow-up file access process that occupies most service times, carry out whole be that symmetric cryptography calculates, so compare the system that other adopt asymmetric encryption, native system can't be introduced too much performance cost.When user and trust domain server communicated, the trust domain server need be verified user certificate, and therefrom obtains user's user name, calculates the user name cryptographic Hash in view of the above so that carry out follow-up access control.
The user is when carrying out file access, must be at first on the channel of encrypting by the SSL/TLS agreement on the client with the trust domain server interaction, the trust domain server need be verified user certificate, and therefrom obtains user's user name, calculates the user name cryptographic Hash in view of the above; The trust domain server pass through the checking of authentification of user and access control right after, the user just can finally obtain the blocks of files key.
It is pointed out that about PKIX tissue or mechanism that some have demand for security may dispose PKIX, so this is not an extra configuration requirement.
2. access control module
This module is carried out the access control to file under the file owner authorizes, performed operation comprises the checking (by calculating the HMAC value of access control block (ACB)) of the access control block (ACB) integrality that the user is sent, checking (checking user's identify label to user identity, and by relatively sending the user name Hash of Access Control List (ACL) preservation in user name cryptographic Hash and the access control block (ACB) in the request), the user is asked the checking (obtaining user's the limiting operation that is had by queried access control tabulation) of access rights, and to the deciphering of association key in the access control block (ACB) (use trust domain encryption key ASEK that access control block (ACB) is decrypted, use trust domain signature key ASSK to calculate the HMAC value of access control block (ACB)).
● client
Client mainly is made of following module:
1. data encrypting and deciphering module
This module has been born the relevant cryptography operating operation of most encryption and decryption of system, comprises using blocks of files key encryption and decryption blocks of files etc.This module also be responsible for to be handled communicating by letter between client and the trust domain server in addition.
2. data integrity authentication module
This module provides operations such as blocks of files content integrity checking, and operation such as blocks of files content Hash value renewal.
3. cache module
Cache module provides buffer memory to improve systematic function.Buffer memory is divided into security metadata buffer memory and file data buffer memory two parts.Wherein, the security metadata buffer memory is to carrying out buffer memory such as access control block (ACB), the key that is used for access control; The file data buffer memory then is responsible for the cache file data.This module also is responsible for safeguarding the consistency of buffer memory and real data in addition.
4. file system interface
This module provides POSIX file system call.The present invention has realized most of logic in these interfaces, considered to the conversion process in FUSE mount point path with because be the expansion that unit verification msg content integrity causes, and realized support that the file cavity is read and write access request skew and length with the blocks of files.
● file server
1. memory module: storage file ciphertext and security metadata file.Wherein, the main composition of security metadata file is: some integrity informations of access control block (ACB) and file.The content of access control block (ACB) mainly comprises as shown in Figure 6: the cryptographic Hash of filename, Access Control List (ACL), the pattern of cryptographic algorithm and encryption, lock box sub-key and file signature key, and the HMAC value of whole access control block (ACB), wherein Access Control List (ACL) is as shown in the table, it is a two-dimensional array, wherein row are cryptographic Hash of user name, the purpose of doing like this is the confidentiality and integrity that can guarantee user name, another row are operating rights of user, wherein " r " expression user has the read operation authority, " w " expression user has the write operation authority, for executable file, " x " but expression executable operations authority; In addition, the integrity information of file mainly is the cryptographic Hash of blocks of files etc.
User name (cryptographic Hash) Operating right
Hash (user name 1) rw-?
Hash (user name 2) r--?
...? ...?
Hash (user name n) r--?
Performance test
The present invention has carried out the test of system in high-performance calculation research institute of Computer Science and Technology Department of Tsing-Hua University, these tests comprise the benchmark program IOzone of the file system of using the industry approval, under unit and cluster environment, test readwrite performance of the present invention respectively, and tested the performance of the present invention under authority is cancelled.
● the test of unit STP
Use IOzone that the performance of the file system of the present invention under unit file system ext3 is tested.Experimental situation comprises a Sun SunFire with 1.8GHz AMD double-core CPU and 4GB internal memory TMV20z server, the operating system of moving on this server are Debian Linux (version 2.6.30).Move trust domain server end and client software on this server simultaneously.For eliminating the influence of file system cache, experiment is made as 8GB (2 times to the Installed System Memory size) with file size.In test, the test file size is 8GB; The file system access requests size is respectively 64KB.
Owing to there is not cost on network communication, the cryptography computing cost will occupy the major part of overhead.By the present invention is moved IOzone under AES-256 cryptographic algorithm CFB pattern, and with result and directly result's contrast of operation IOzone on ext3, help to understand in depth (because of cryptography calculate due to decreased performance) systematic function, the result who obtains at last is as shown in Figure 7.
As can be seen from the figure compare with ext3, the present invention is because the expense that cryptography is calculated is brought average about 30% decreased performance.
● the test of cluster STP
For making the actual performance of test result near the present invention's file system under network environment, this paper uses IOzone that the present invention and the NFS of frame on NFS carried out performance relatively.Experimental situation is erected at the Dell PowerEdge with 7 nodes TMOn the M605 blade cluster, comprise 1 trust domain server, 1 NFSv4 server and 5 are equipped with client computer of the present invention, and these machines connect by the 1000Mbps Ethernet.Trust domain server and nfs server operate in respectively on the machine with two 800MHz AMD four nuclear CPU and 16GB internal memory, client of the present invention is housed then operates in respectively on 5 client computer with two 800MHz AMD, four nuclear CPU and 8GB internal memory.The operating system of moving on these machines all is Fedora Core 10Linux (version 2.6.32).Experiment adopts 256 aes algorithms to do DEA, adopts the SHA-1 algorithm as cryptographic Hash function, and uses HMAC based on SHA-1 as the MAC algorithm.For the influence of eliminating file system cache and test to the support of big file in the practical application, file size is made as 16GB (2 times to the Installed System Memory size).
It is pointed out that to be that more closing to reality is used, the 64KB that acquiescence is chosen in experiment is as the blocks of files size, and selects the encryption mode of CFB as AES-256, because its fail safe is better, and extensive use in practice.
Experiment utilizes IOzone to test NFS respectively and asks sequential write, order rewriting, the sequential read of carrying out and the throughput in proper order read with 64KB with the present invention who is erected on the NFS on the 16GB file.Experimental result as shown in Figure 8, among the figure result be on 5 nodes the test gained the polymerization throughput.
As can be seen from the figure, the polymerization access speed of frame of the present invention on NFS extremely approaches the speed of NFS itself, this shows that when client increases bottom is stored as for bottleneck, and the computing cost that the present invention introduces is just very not obvious.Experimental result shows that in shared storage environment, the present invention can well be used.
● authority is cancelled
Test environment comprises a trust domain server and a client computer, being configured to of every machine: the Sun SunFire that 1.8GHz AMD double-core CPU and 4GB internal memory are housed TMV20z server, operating system are Debian Linux (kernel version 2 .6.30).Experiment is at first authorized r--authority to 1000 different users on the file of a 1GB size, the authority with these users is revised as rw-then, cancels these users' authority at last.Experiment has been done on average in the operating time of the relevant authority that each user that test obtains on the access control instrument of client of the present invention is housed and with these times, obtain under the result shown in.
Action name Time (ms)
Authority is authorized 1.862739?
Permission modification 1.858765?
Authority is cancelled 21.744502?
Shorter to user's rights of using operating time expense of big file in the present invention as can be seen, have good high efficiency.

Claims (1)

1. the implementation method of a kind of safe storage system under the cloud storage environment, it is characterized in that, described method is in the network that trust domain server, client and file server are formed, and the file system FUSE of use user's space realizes according to following steps on Linux successively:
Step (1): the initialization of network,
Step (1.1): the initialization of trust domain server, set up user authentication module and access control module, wherein user authentication module has adopted SSL/TLS agreement and PKIX PKI, access control module is the access control of carrying out under the file owner authorizes file, three grades of key management mechanisms in system, have been adopted, wherein first order key is the blocks of files key, in order to handle big file safely and efficiently, in native system, be the encrypted in units file with the piece, and claim that this piece is a blocks of files, each blocks of files all uses an independent symmetric key that is called the blocks of files key to encrypt, after the blocks of files key is encrypted, be stored in the security metadata file, second level key is a security metadata file key, comprise a lock box sub-key LBK and a file signature key FSK, each file all has security metadata file key alone, wherein lock box sub-key LBK is used to encrypt the All Files piece key in this document, guarantee the confidentiality of blocks of files key, the latter writes the signature key of user after file data is made amendment, be used to distinguish read operation and write operation, third level key is the trust domain server key, be two symmetric keys that the trust domain server is safeguarded, one is called trust domain server for encrypting key A SEK, be used for the lock box sub-key LBK and the file signature key FSK of the pairing security metadata file of data file encryption, thereby conduct interviews control and differentiation are read-write operation, one is called trust domain server signature key A SSK, be used for to the Message Authentication Code of the calculating of the access control block (ACB) in the security metadata file based on Hash, it is the HMAC value, to guarantee the integrality of access control block (ACB)
Step (1.2): client is provided with the data encrypting and deciphering module, the data integrity authentication module, and cache module, file system interface,
Step (1.3): file server is provided with memory module;
Step (2): user applies obtains User Identity, and step is as follows:
Step (2.1): user's user authentication module to the trust domain server on the channel that client is being encrypted by secure socket layer protocol SSL and Transport Layer Security TLS sends the User Identity request,
Step (2.2): described user authentication module is based on PKIX, user identity and trust domain server identity all are to authenticate by the X.509 certificate that PKIX is authorized, the new user of system at first must apply for certificate to registration body, just can use this system then;
Step (3): the owner of file creates file according to following steps:
Step (3.1): the described file owner sends the request of creating file to described trust domain server: the file owner at first creates the content of access control block (ACB), content comprises: user's identify label, filename, specified cryptographic algorithm and pattern and Access Control List (ACL), and access control block (ACB) is issued the access control module of trust domain server, wherein said Access Control List (ACL) comprises the cryptographic Hash of user name and this user's access rights
Step (3.2): the described trust domain server process file owner creates the request of file, use authentication module that the possessory identity of file is authenticated, judge its identity and authority, the file of creating for its request generates lock box sub-key LBK and file signature key FSK then;
Step (3.3): the trust domain server uses trust domain encryption key ASEK encryption lock box key LBK and file signature key FSK, and use trust domain signature key ASSK to calculate the HMAC value as access control block (ACB), and deposit in the HMAC territory of access control block (ACB), then access control block (ACB) is returned to the file owner;
Step (3.4): the described file owner creates file, the input data, hash algorithm SHA1 safe in utilization then, to file is that unit calculates cryptographic Hash with the piece, cryptographic Hash is kept in the security metadata file, re-using the blocks of files key-pair file is that unit is encrypted with the piece, and the spanned file ciphertext, at last the ciphertext of file and security metadata file is issued described file server and stores;
Step (4): read the file that the user is created according to following steps read step (3):
Step (4.1): read file data ciphertext and security metadata file from described file server end,
Step (4.2): carry out the authentication that this reads the user according to the following steps,
Step (4.2.1): read the user oneself identify label and the access control block (ACB) in the security metadata file are issued described trust domain server,
Step (4.2.2): trust domain server calls authentication module is confirmed user's identify label; Call access control module; Use trust domain key ASEK to decipher this access control block (ACB); Acquisition comprises the information of lock box sub-key LBK, file signature key FSK and ACL; Use trust domain signature key ASSK to calculate the HMAC value of access control block (ACB); To judge the integrality of access control block (ACB); And determine to read user's read right according to ACL; Then lock box sub-key LBK is issued and read the user
Step (4.3): this is read the user and obtains after the lock box sub-key LBK, utilize its deciphering to obtain the blocks of files key, use blocks of files key-pair file data to be decrypted then, obtain the cleartext information of file data at last, and use the SHA1 algorithm that the blocks of files at reading content place is calculated cryptographic Hash, whether see consistent with the cryptographic Hash of preserving in the security metadata, judge the integrality of institute's read data,, data integrity is described then if equate, the user reads these data again, otherwise then reports an error to system;
Step (5): write the user and write according to following steps or the revised file data,
Step (5.1): this writes the user at first reads the described file data that will revise from described file server end ciphertext and security metadata file,
Step (5.2): write the user and carry out authentication according to the following steps,
Step (5.2.1): this is write the user trust domain server is issued in identify label of oneself and the access control block (ACB) in the security metadata file, described trust domain server calls authentication module is confirmed user's identify label, and call described access control module, use trust domain key A SEK to decipher this access control block (ACB), acquisition comprises lock box sub-key LBK, file signature key FSK and Access Control List (ACL) are in interior information, use trust domain signature key ASSK to recomputate the HMAC value of this access control block (ACB), whether see with HMAC value in the access control block (ACB) and equate, judge whether this access control block (ACB) is complete, and determine to write the write permission that the user has by Access Control List (ACL), then, and lock box sub-key LBK and file signature key FSK returned to the user
Step (5.3) is write the user and is write according to the following steps or revised file,
Step (5.3.1) is write the user and is used lock box sub-key LBK to obtain the blocks of files key, use blocks of files key-pair file data to be decrypted then, obtain plaintext document information, and use the SHA1 algorithm that file is calculated the cryptographic Hash that will revise content place blocks of files with piece as unit, whether see consistent with the cryptographic Hash of preserving in the security metadata, judge the integrality of institute's read data
Step (5.3.2): the file to step (5.3.1) writes or revises, and uses the blocks of files key again new file data to be encrypted, and uses file signature key FSK to sign,
Step (5.3.3): write the user and amended file data and security metadata file are issued described file server store;
Step (6): the described file owner carries out the authority destruction operation according to the following steps:
Step (6.1): this document owner obtains the security metadata file from described file server end, and the user list that the identify label of oneself, access control block (ACB) in the security metadata file and plan are cancelled is issued the trust domain server then,
Step (6.2): this trust domain server is executable operations according to the following steps,
Step (6.2.1): possessory identify label authenticates to file to call described authentication module, determines that it has the user's of cancelling operation permission,
Step (6.2.1): call described access control module, use trust domain key A SEK to decipher this access control block (ACB), obtain Access Control List (ACL), lock box sub-key LBK and file signature key FSK are in interior information, and the trust domain signature key ASSK that uses oneself recomputates the HMAC value of this access control block (ACB), judge the complete of this access control block (ACB), from the Access Control List (ACL) of access control block (ACB), delete the Access Control List (ACL) item at the user place that need cancel then, then generate new lock box sub-key LBK ' and new file signature key FSK ' for file, the trust domain server is encrypted newly-generated lock box sub-key LBK ' and newly-generated file signature key FSK ' again with trust domain server for encrypting key A SEK then, and use trust domain server signature key A SSK again the access control block (ACB) of revising to be calculated HMAC
Step (6.2.2): described trust domain server returns to the file owner with new access control block (ACB), new file signature key FSK ', new lock box sub-key LBK ' and old lock box sub-key LBK,
Step (6.3): the described file owner uses lazy destruction operation in the following manner: use old lock box sub-key LBK deciphering All Files piece key, use new these blocks of files keys of lock box sub-key LBK ' encryption, carry out again when the cryptographic operation again of blocks of files is postponed till the user to the renewal of blocks of files.
CN 201010569398 2010-11-26 2010-11-26 Method for implementing safe storage system in cloud storage environment Expired - Fee Related CN102014133B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN 201010569398 CN102014133B (en) 2010-11-26 2010-11-26 Method for implementing safe storage system in cloud storage environment

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN 201010569398 CN102014133B (en) 2010-11-26 2010-11-26 Method for implementing safe storage system in cloud storage environment

Publications (2)

Publication Number Publication Date
CN102014133A true CN102014133A (en) 2011-04-13
CN102014133B CN102014133B (en) 2013-08-21

Family

ID=43844144

Family Applications (1)

Application Number Title Priority Date Filing Date
CN 201010569398 Expired - Fee Related CN102014133B (en) 2010-11-26 2010-11-26 Method for implementing safe storage system in cloud storage environment

Country Status (1)

Country Link
CN (1) CN102014133B (en)

Cited By (104)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102170452A (en) * 2011-05-19 2011-08-31 浪潮电子信息产业股份有限公司 Authorization and management method for cloud storage system
CN102299970A (en) * 2011-09-27 2011-12-28 惠州紫旭科技有限公司 Data black box subsystem based on cloud computing
CN102298619A (en) * 2011-08-10 2011-12-28 中兴通讯股份有限公司 Method for fast reading hole document by upper layer document system and system
CN102307240A (en) * 2011-09-20 2012-01-04 清华大学 Method for sharing files on internet by utilizing computer equipment
CN102316164A (en) * 2011-09-07 2012-01-11 深圳市硅格半导体有限公司 Cloud storage user side equipment and data processing method thereof
CN102438004A (en) * 2011-09-05 2012-05-02 深圳创维数字技术股份有限公司 Method and system for acquiring metadata information of media file and multimedia player
CN102546740A (en) * 2011-06-24 2012-07-04 奇智软件(北京)有限公司 Method, device and system used for compression and uncompression and based on cloud compression file
CN102546181A (en) * 2012-01-09 2012-07-04 西安电子科技大学 Cloud storage encrypting and deciphering method based on secret key pool
CN102624708A (en) * 2012-02-23 2012-08-01 浙江工商大学 Efficient data encryption, updating and access control method for cloud storage
CN102685148A (en) * 2012-05-31 2012-09-19 清华大学 Method for realizing secure network backup system under cloud storage environment
CN102739689A (en) * 2012-07-16 2012-10-17 四川师范大学 File data transmission device and method used for cloud storage system
CN102761521A (en) * 2011-04-26 2012-10-31 上海格尔软件股份有限公司 Cloud security storage and sharing service platform
WO2012163043A1 (en) * 2011-11-09 2012-12-06 华为技术有限公司 Method, device and system for protecting data security in cloud
CN102970299A (en) * 2012-11-27 2013-03-13 西安电子科技大学 File safe protection system and method thereof
CN103001772A (en) * 2012-11-27 2013-03-27 江苏乐买到网络科技有限公司 Security protection terminal for data
CN103024041A (en) * 2012-12-13 2013-04-03 曙光云计算技术有限公司 Data sharing method in cloud computing system
CN103065082A (en) * 2012-07-04 2013-04-24 北京京航计算通讯研究所 Software security protection method based on Linux system
CN103139149A (en) * 2011-11-25 2013-06-05 国民技术股份有限公司 Method and system for accessing data in cloud storage
CN103248623A (en) * 2013-04-18 2013-08-14 广东一一五科技有限公司 On-line access control method and system of storage region
CN103248479A (en) * 2012-02-06 2013-08-14 中兴通讯股份有限公司 Cloud storage safety system, data protection method and data sharing method
CN103312823A (en) * 2013-07-09 2013-09-18 苏州市职业大学 Cloud computing system
CN103379144A (en) * 2012-04-18 2013-10-30 爱国者电子科技有限公司 Cloud storage mobile device and cloud storage method of cloud storage data
CN103428299A (en) * 2013-09-04 2013-12-04 安徽大学 Cloud storage access control method
CN103533006A (en) * 2012-07-06 2014-01-22 中兴通讯股份有限公司 United cloud disk client, server, system and united cloud disk service method
CN103561034A (en) * 2013-11-11 2014-02-05 武汉理工大学 Secure file sharing system
CN103561021A (en) * 2013-11-01 2014-02-05 全渝娟 Method for realizing cloud storage system
CN103581196A (en) * 2013-11-13 2014-02-12 上海众人网络安全技术有限公司 Distributed file transparent encryption method and transparent decryption method
CN103581001A (en) * 2012-07-24 2014-02-12 深圳市中兴移动通信有限公司 Gateway system with cloud storage and data interaction method applied to system
CN103595703A (en) * 2013-03-08 2014-02-19 重庆城市管理职业学院 Linux safety file transmission system based on OpenSSL and Linux safety file transmission method based on OpenSSL
CN103595696A (en) * 2012-08-15 2014-02-19 中兴通讯股份有限公司 Method and device for file ownership certification
CN103595721A (en) * 2013-11-14 2014-02-19 福建伊时代信息科技股份有限公司 Safe sharing method, sharing device and sharing system for files of network disk
CN103684712A (en) * 2012-09-14 2014-03-26 百度在线网络技术(北京)有限公司 Method, device and network disc for quickly resuming file transmission
CN103685140A (en) * 2012-08-31 2014-03-26 腾讯科技(深圳)有限公司 Resource sharing method and system based on cloud storage
CN103716404A (en) * 2013-12-31 2014-04-09 华南理工大学 Remote data integrity authentication data structure in cloud environment and implement method thereof
CN103731395A (en) * 2012-10-10 2014-04-16 中兴通讯股份有限公司 Processing method and system for files
CN103763319A (en) * 2014-01-13 2014-04-30 华中科技大学 Method for safely sharing mobile cloud storage light-level data
CN103793663A (en) * 2013-12-26 2014-05-14 北京奇虎科技有限公司 Folder locking and unlocking methods and folder locking and unlocking devices
CN103973646A (en) * 2013-01-31 2014-08-06 中国电信股份有限公司 Method, client device and system for storing services by aid of public cloud
CN104219627A (en) * 2014-08-26 2014-12-17 北京乐富科技有限责任公司 Method and device for transmitting positioning information
CN104298934A (en) * 2014-10-27 2015-01-21 浪潮(北京)电子信息产业有限公司 File verification method, server and system in cloud calculation system
CN104301442A (en) * 2014-11-17 2015-01-21 浪潮电子信息产业股份有限公司 Method for realizing client of access object storage cluster based on fuse
CN104408381A (en) * 2014-11-27 2015-03-11 大连理工大学 Protection method of data integrity in cloud storage
CN104539602A (en) * 2014-12-22 2015-04-22 北京航空航天大学 Safe key managing method applied to cloud storage
CN104601563A (en) * 2015-01-06 2015-05-06 南京信息工程大学 MLE-based (message-locked encryption-based) publicly accessible cloud storage data procession checking method
CN104601579A (en) * 2015-01-20 2015-05-06 成都市酷岳科技有限公司 Computer system for ensuring information security and method thereof
WO2015149309A1 (en) * 2014-04-02 2015-10-08 华为终端有限公司 Data processing method and terminal
CN104980401A (en) * 2014-04-09 2015-10-14 北京亿赛通科技发展有限责任公司 Secure data storage system and secure data storage and reading method of NAS server
CN105100248A (en) * 2015-07-30 2015-11-25 国家电网公司 Cloud storage security realization method based on data encryption and access control
CN105141593A (en) * 2015-08-10 2015-12-09 刘澄宇 Private cloud platform secure computation method
CN105187204A (en) * 2015-09-29 2015-12-23 北京元心科技有限公司 Encryption method and decryption method for file, and encryption and decryption system
CN105208017A (en) * 2015-09-07 2015-12-30 四川神琥科技有限公司 Memory information acquisition method
CN105224880A (en) * 2015-08-31 2016-01-06 安一恒通(北京)科技有限公司 Information acquisition method and device
CN105554127A (en) * 2015-12-22 2016-05-04 内蒙古农业大学 Private cloud backup mechanism of multilayer data security encryption method
CN105812436A (en) * 2014-12-31 2016-07-27 中国移动通信集团公司 Heterogeneous storage operation method and device
WO2016115663A1 (en) * 2015-01-19 2016-07-28 Nokia Technologies Oy Method and apparatus for heterogeneous data storage management in cloud computing
CN105868647A (en) * 2016-03-28 2016-08-17 乐视控股(北京)有限公司 File signing system and method
CN105989311A (en) * 2016-07-04 2016-10-05 南京金佰达电子科技有限公司 Document level-based high-safety external storage method
CN106063185A (en) * 2014-03-31 2016-10-26 英特尔公司 Methods and apparatus to securely share data
CN106055993A (en) * 2016-08-13 2016-10-26 深圳市樊溪电子有限公司 Encryption storage system for block chains and method for applying encryption storage system
CN106095954A (en) * 2016-06-14 2016-11-09 成都镜杰科技有限责任公司 Data base management method for enterprise supply chain
CN106131048A (en) * 2016-08-13 2016-11-16 深圳市樊溪电子有限公司 A kind of non-trusted remote transaction file security for block chain stores system
WO2016184221A1 (en) * 2015-05-15 2016-11-24 中兴通讯股份有限公司 Password management method, device and system
CN106330452A (en) * 2016-08-13 2017-01-11 深圳市樊溪电子有限公司 Security network attachment device and method for block chain
CN106411884A (en) * 2016-09-29 2017-02-15 郑州云海信息技术有限公司 Method and device for data storage and encryption
CN106407681A (en) * 2016-09-19 2017-02-15 南京工业大学 Storage and access method for personal health records in cloud system environment
CN106469124A (en) * 2015-08-20 2017-03-01 深圳市中兴微电子技术有限公司 A kind of memory access control method and device
CN106611128A (en) * 2016-07-19 2017-05-03 四川用联信息技术有限公司 Secondary encryption-based data validation and data recovery algorithm in cloud storage
CN106790148A (en) * 2016-12-28 2017-05-31 上海优刻得信息科技有限公司 Prevent access, output checking method and device, the auditing system of leakage of data
CN107015982A (en) * 2016-01-27 2017-08-04 阿里巴巴集团控股有限公司 A kind of method, device and the equipment of monitoring system file integrality
CN107332858A (en) * 2017-08-07 2017-11-07 成都汇智远景科技有限公司 Cloud date storage method
CN107359990A (en) * 2017-08-03 2017-11-17 北京奇艺世纪科技有限公司 A kind of secret information processing method, apparatus and system
WO2017210563A1 (en) * 2016-06-02 2017-12-07 Reid Consulting Group, Inc. System and method for securely storing and sharing information
CN103379144B (en) * 2012-04-18 2018-02-09 爱国者安全科技(北京)有限公司 The cloud storage method of cloud storage mobile device and cloud storage data
CN107920130A (en) * 2017-12-07 2018-04-17 北京书生电子技术有限公司 The method and apparatus of inside and outside network data synchronization
US9973484B2 (en) 2011-10-31 2018-05-15 Reid Consulting Group, Inc. System and method for securely storing and sharing information
CN108234436A (en) * 2016-12-22 2018-06-29 航天信息股份有限公司 A kind of encryption method and system based on the storage of OpenStack objects
CN108259406A (en) * 2016-12-28 2018-07-06 中国电信股份有限公司 Examine the method and system of SSL certificate
CN108337220A (en) * 2017-11-27 2018-07-27 中国电子科技集团公司电子科学研究院 Data processing method, system and key server
CN108499084A (en) * 2018-04-09 2018-09-07 杨娟 System for body-building or training
CN109218415A (en) * 2018-08-28 2019-01-15 浪潮电子信息产业股份有限公司 Distributed node management method, node and storage medium
CN109214183A (en) * 2017-07-03 2019-01-15 阿里巴巴集团控股有限公司 The method, apparatus and equipment of software, storage medium and processor are extorted in killing
CN109313678A (en) * 2018-09-05 2019-02-05 福建联迪商用设备有限公司 A kind of method and terminal for calling API
CN109448192A (en) * 2018-11-13 2019-03-08 公安部第三研究所 Safe and intelligent lock system based on encryption chip
KR20190054763A (en) * 2017-11-14 2019-05-22 (주)피스페이스 File leakage prevention based on security file system and commonly used file access interface
CN109992987A (en) * 2017-12-29 2019-07-09 深圳市融汇通金科技有限公司 Script file guard method, device and terminal device based on Nginx
CN110166458A (en) * 2019-05-23 2019-08-23 王怀尊 A kind of three-level code key encryption system
CN110298165A (en) * 2018-03-22 2019-10-01 腾讯科技(深圳)有限公司 Have secure access to method, apparatus and the authentication proxy of shared drive
CN110378133A (en) * 2019-06-28 2019-10-25 深圳市元征科技股份有限公司 A kind of document protection method, device, electronic equipment and storage medium
CN110768782A (en) * 2019-09-26 2020-02-07 如般量子科技有限公司 Anti-quantum computation RFID authentication method and system based on asymmetric key pool and IBS
CN111339034A (en) * 2020-05-18 2020-06-26 湖南天琛信息科技有限公司 Ciphertext storage plaintext access system, ciphertext storage method and plaintext access method
CN111491023A (en) * 2020-04-10 2020-08-04 西咸新区予果微码生物科技有限公司 Microbial detection system based on CRISPR technology
US10789373B2 (en) 2011-10-31 2020-09-29 Reid Consulting Group, Inc. System and method for securely storing and sharing information
CN112016124A (en) * 2020-09-07 2020-12-01 公安部第三研究所 Method for realizing information query based on data object main body de-identification
CN112106323A (en) * 2018-07-12 2020-12-18 塞克罗斯股份有限公司 Method for establishing a secure hierarchical reference system
CN112214758A (en) * 2019-07-09 2021-01-12 意法半导体(大西部)公司 Apparatus and method for managing encrypted software applications
CN112513849A (en) * 2018-07-31 2021-03-16 日本电信电话株式会社 Information processing apparatus, authentication method, and authentication program
CN112862994A (en) * 2021-02-07 2021-05-28 中国第一汽车股份有限公司 ETC anti-disassembly authentication method, ETC, vehicle-mounted equipment terminal and system
CN112948870A (en) * 2021-04-13 2021-06-11 北京国联易安信息技术有限公司 Electronic document security management method and management system based on big data
CN113507448A (en) * 2021-06-17 2021-10-15 中国汽车技术研究中心有限公司 Security access service authentication method and system
CN113691560A (en) * 2016-02-05 2021-11-23 安赛飞保安有限公司 Data transfer method, method for controlling data use, and cryptographic apparatus
US11290261B2 (en) 2011-10-31 2022-03-29 Reid Consulting Group, Inc. System and method for securely storing and sharing information
CN114386098A (en) * 2021-12-31 2022-04-22 江苏任务网络科技有限公司 Big data storage and traceability system
CN114567447A (en) * 2022-04-26 2022-05-31 佳瑛科技有限公司 Data sharing management method and device based on cloud server
CN115580403A (en) * 2022-12-09 2023-01-06 深圳市永达电子信息股份有限公司 PKI-based computing node access control method

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104580487A (en) * 2015-01-20 2015-04-29 成都信升斯科技有限公司 Mass data storage system and processing method

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2007143057A2 (en) * 2006-06-02 2007-12-13 Microsoft Corporation Logon and machine unlock integration
CN101095133A (en) * 2004-03-26 2007-12-26 微软公司 Rights management inter-entity message policies and enforcement
WO2008109661A2 (en) * 2007-03-05 2008-09-12 Vidoop, Llc. Method and system for securely caching authentication elements

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101095133A (en) * 2004-03-26 2007-12-26 微软公司 Rights management inter-entity message policies and enforcement
WO2007143057A2 (en) * 2006-06-02 2007-12-13 Microsoft Corporation Logon and machine unlock integration
WO2008109661A2 (en) * 2007-03-05 2008-09-12 Vidoop, Llc. Method and system for securely caching authentication elements

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
LANXIANG CHEN 等: "A Direction to Avoid Re-encryption in Cryptographic File Sharing", 《LECTURE NOTES IN COMPUTER SCIENCE, 2007》 *
洪澄 等: "AB-ACCS:一种云存储密文访问控制方法", 《计算机研究与发展》 *

Cited By (158)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102761521A (en) * 2011-04-26 2012-10-31 上海格尔软件股份有限公司 Cloud security storage and sharing service platform
CN102761521B (en) * 2011-04-26 2016-08-31 上海格尔软件股份有限公司 Cloud security storage and sharing service platform
CN102170452A (en) * 2011-05-19 2011-08-31 浪潮电子信息产业股份有限公司 Authorization and management method for cloud storage system
CN102546740A (en) * 2011-06-24 2012-07-04 奇智软件(北京)有限公司 Method, device and system used for compression and uncompression and based on cloud compression file
CN102546740B (en) * 2011-06-24 2015-05-06 奇智软件(北京)有限公司 Method, device and system used for compression and uncompression and based on cloud compression file
CN102298619A (en) * 2011-08-10 2011-12-28 中兴通讯股份有限公司 Method for fast reading hole document by upper layer document system and system
CN102438004A (en) * 2011-09-05 2012-05-02 深圳创维数字技术股份有限公司 Method and system for acquiring metadata information of media file and multimedia player
CN102316164A (en) * 2011-09-07 2012-01-11 深圳市硅格半导体有限公司 Cloud storage user side equipment and data processing method thereof
CN102307240A (en) * 2011-09-20 2012-01-04 清华大学 Method for sharing files on internet by utilizing computer equipment
CN102299970A (en) * 2011-09-27 2011-12-28 惠州紫旭科技有限公司 Data black box subsystem based on cloud computing
US11818251B2 (en) 2011-10-31 2023-11-14 Crowdstrike, Inc. System and method for securely storing and sharing information
US9973484B2 (en) 2011-10-31 2018-05-15 Reid Consulting Group, Inc. System and method for securely storing and sharing information
US10789373B2 (en) 2011-10-31 2020-09-29 Reid Consulting Group, Inc. System and method for securely storing and sharing information
US11290261B2 (en) 2011-10-31 2022-03-29 Reid Consulting Group, Inc. System and method for securely storing and sharing information
CN103262491A (en) * 2011-11-09 2013-08-21 华为技术有限公司 Method, device and system for protecting data security in cloud
WO2012163043A1 (en) * 2011-11-09 2012-12-06 华为技术有限公司 Method, device and system for protecting data security in cloud
US9203614B2 (en) 2011-11-09 2015-12-01 Huawei Technologies Co., Ltd. Method, apparatus, and system for protecting cloud data security
CN103139149A (en) * 2011-11-25 2013-06-05 国民技术股份有限公司 Method and system for accessing data in cloud storage
CN102546181A (en) * 2012-01-09 2012-07-04 西安电子科技大学 Cloud storage encrypting and deciphering method based on secret key pool
CN102546181B (en) * 2012-01-09 2014-12-17 西安电子科技大学 Cloud storage encrypting and deciphering method based on secret key pool
CN103248479A (en) * 2012-02-06 2013-08-14 中兴通讯股份有限公司 Cloud storage safety system, data protection method and data sharing method
CN102624708A (en) * 2012-02-23 2012-08-01 浙江工商大学 Efficient data encryption, updating and access control method for cloud storage
CN103379144A (en) * 2012-04-18 2013-10-30 爱国者电子科技有限公司 Cloud storage mobile device and cloud storage method of cloud storage data
CN103379144B (en) * 2012-04-18 2018-02-09 爱国者安全科技(北京)有限公司 The cloud storage method of cloud storage mobile device and cloud storage data
CN102685148A (en) * 2012-05-31 2012-09-19 清华大学 Method for realizing secure network backup system under cloud storage environment
CN102685148B (en) * 2012-05-31 2014-10-15 清华大学 Method for realizing secure network backup system under cloud storage environment
CN103065082A (en) * 2012-07-04 2013-04-24 北京京航计算通讯研究所 Software security protection method based on Linux system
CN103533006B (en) * 2012-07-06 2019-09-24 中兴通讯股份有限公司 A kind of joint cloud disk client, server, system and joint cloud disk service method
CN103533006A (en) * 2012-07-06 2014-01-22 中兴通讯股份有限公司 United cloud disk client, server, system and united cloud disk service method
CN102739689A (en) * 2012-07-16 2012-10-17 四川师范大学 File data transmission device and method used for cloud storage system
CN102739689B (en) * 2012-07-16 2015-05-13 四川师范大学 File data transmission device and method used for cloud storage system
CN103581001A (en) * 2012-07-24 2014-02-12 深圳市中兴移动通信有限公司 Gateway system with cloud storage and data interaction method applied to system
CN103595696A (en) * 2012-08-15 2014-02-19 中兴通讯股份有限公司 Method and device for file ownership certification
CN103595696B (en) * 2012-08-15 2018-05-01 中兴通讯股份有限公司 The method and device that a kind of File Ownership proves
CN103685140A (en) * 2012-08-31 2014-03-26 腾讯科技(深圳)有限公司 Resource sharing method and system based on cloud storage
CN103685140B (en) * 2012-08-31 2018-05-22 腾讯科技(深圳)有限公司 Resource share method and system based on cloud storage
CN103684712A (en) * 2012-09-14 2014-03-26 百度在线网络技术(北京)有限公司 Method, device and network disc for quickly resuming file transmission
CN103684712B (en) * 2012-09-14 2017-04-05 百度在线网络技术(北京)有限公司 Method, device and Dropbox that the fast quick-recovery of file is retransmitted
CN103731395A (en) * 2012-10-10 2014-04-16 中兴通讯股份有限公司 Processing method and system for files
CN103731395B (en) * 2012-10-10 2017-11-14 中兴通讯股份有限公司 The processing method and system of file
CN103001772A (en) * 2012-11-27 2013-03-27 江苏乐买到网络科技有限公司 Security protection terminal for data
CN102970299A (en) * 2012-11-27 2013-03-13 西安电子科技大学 File safe protection system and method thereof
CN103024041A (en) * 2012-12-13 2013-04-03 曙光云计算技术有限公司 Data sharing method in cloud computing system
CN103973646A (en) * 2013-01-31 2014-08-06 中国电信股份有限公司 Method, client device and system for storing services by aid of public cloud
CN103973646B (en) * 2013-01-31 2018-05-11 中国电信股份有限公司 Use the method for public cloud storage service, client terminal device and system
CN103595703A (en) * 2013-03-08 2014-02-19 重庆城市管理职业学院 Linux safety file transmission system based on OpenSSL and Linux safety file transmission method based on OpenSSL
CN103248623A (en) * 2013-04-18 2013-08-14 广东一一五科技有限公司 On-line access control method and system of storage region
CN103248623B (en) * 2013-04-18 2017-02-08 广东一一五科技股份有限公司 On-line access control method and system of storage region
CN103312823A (en) * 2013-07-09 2013-09-18 苏州市职业大学 Cloud computing system
CN103312823B (en) * 2013-07-09 2016-08-10 苏州市职业大学 A kind of cloud computing system
CN103428299B (en) * 2013-09-04 2016-06-01 安徽大学 Cloud storage access control method
CN103428299A (en) * 2013-09-04 2013-12-04 安徽大学 Cloud storage access control method
CN103561021A (en) * 2013-11-01 2014-02-05 全渝娟 Method for realizing cloud storage system
CN103561034B (en) * 2013-11-11 2016-08-17 武汉理工大学 A kind of secure file shared system
CN103561034A (en) * 2013-11-11 2014-02-05 武汉理工大学 Secure file sharing system
CN103581196A (en) * 2013-11-13 2014-02-12 上海众人网络安全技术有限公司 Distributed file transparent encryption method and transparent decryption method
CN103581196B (en) * 2013-11-13 2016-05-11 上海众人网络安全技术有限公司 Distributed document transparent encryption method and transparent decryption method
CN103595721B (en) * 2013-11-14 2017-12-01 福建伊时代信息科技股份有限公司 Network disk file secure sharing method, sharing means and shared system
CN103595721A (en) * 2013-11-14 2014-02-19 福建伊时代信息科技股份有限公司 Safe sharing method, sharing device and sharing system for files of network disk
CN103793663A (en) * 2013-12-26 2014-05-14 北京奇虎科技有限公司 Folder locking and unlocking methods and folder locking and unlocking devices
CN103716404B (en) * 2013-12-31 2017-02-01 华南理工大学 Remote data integrity authentication data structure in cloud environment and implement method thereof
CN103716404A (en) * 2013-12-31 2014-04-09 华南理工大学 Remote data integrity authentication data structure in cloud environment and implement method thereof
CN103763319A (en) * 2014-01-13 2014-04-30 华中科技大学 Method for safely sharing mobile cloud storage light-level data
CN106063185B (en) * 2014-03-31 2019-12-03 英特尔公司 Method and apparatus for safely shared data
CN106063185A (en) * 2014-03-31 2016-10-26 英特尔公司 Methods and apparatus to securely share data
WO2015149309A1 (en) * 2014-04-02 2015-10-08 华为终端有限公司 Data processing method and terminal
CN104980401B (en) * 2014-04-09 2018-05-01 北京亿赛通科技发展有限责任公司 Nas server date safety storing system, secure storage and read method
CN104980401A (en) * 2014-04-09 2015-10-14 北京亿赛通科技发展有限责任公司 Secure data storage system and secure data storage and reading method of NAS server
CN104219627A (en) * 2014-08-26 2014-12-17 北京乐富科技有限责任公司 Method and device for transmitting positioning information
CN104219627B (en) * 2014-08-26 2018-07-27 北京乐富科技有限责任公司 A kind of method and device sending location information
CN104298934A (en) * 2014-10-27 2015-01-21 浪潮(北京)电子信息产业有限公司 File verification method, server and system in cloud calculation system
CN104301442A (en) * 2014-11-17 2015-01-21 浪潮电子信息产业股份有限公司 Method for realizing client of access object storage cluster based on fuse
CN104408381A (en) * 2014-11-27 2015-03-11 大连理工大学 Protection method of data integrity in cloud storage
CN104408381B (en) * 2014-11-27 2017-04-12 大连理工大学 Protection method of data integrity in cloud storage
CN104539602A (en) * 2014-12-22 2015-04-22 北京航空航天大学 Safe key managing method applied to cloud storage
CN104539602B (en) * 2014-12-22 2017-12-26 北京航空航天大学 A kind of safety key managing method being applied in cloud storage
CN105812436A (en) * 2014-12-31 2016-07-27 中国移动通信集团公司 Heterogeneous storage operation method and device
CN104601563B (en) * 2015-01-06 2017-09-15 南京信息工程大学 The method of the sharable content object cloud storage data property held based on MLE
CN104601563A (en) * 2015-01-06 2015-05-06 南京信息工程大学 MLE-based (message-locked encryption-based) publicly accessible cloud storage data procession checking method
WO2016115663A1 (en) * 2015-01-19 2016-07-28 Nokia Technologies Oy Method and apparatus for heterogeneous data storage management in cloud computing
US10581856B2 (en) 2015-01-19 2020-03-03 Nokia Technologies Oy Method and apparatus for heterogeneous data storage management in cloud computing
CN104601579A (en) * 2015-01-20 2015-05-06 成都市酷岳科技有限公司 Computer system for ensuring information security and method thereof
WO2016184221A1 (en) * 2015-05-15 2016-11-24 中兴通讯股份有限公司 Password management method, device and system
CN105100248A (en) * 2015-07-30 2015-11-25 国家电网公司 Cloud storage security realization method based on data encryption and access control
CN105141593A (en) * 2015-08-10 2015-12-09 刘澄宇 Private cloud platform secure computation method
CN106469124A (en) * 2015-08-20 2017-03-01 深圳市中兴微电子技术有限公司 A kind of memory access control method and device
WO2017036042A1 (en) * 2015-08-31 2017-03-09 安一恒通(北京)科技有限公司 Information collection method and apparatus
CN105224880A (en) * 2015-08-31 2016-01-06 安一恒通(北京)科技有限公司 Information acquisition method and device
CN105224880B (en) * 2015-08-31 2019-06-18 安一恒通(北京)科技有限公司 Information acquisition method and device
CN105208017B (en) * 2015-09-07 2019-01-04 四川神琥科技有限公司 A kind of memorizer information acquisition methods
CN105208017A (en) * 2015-09-07 2015-12-30 四川神琥科技有限公司 Memory information acquisition method
CN105187204A (en) * 2015-09-29 2015-12-23 北京元心科技有限公司 Encryption method and decryption method for file, and encryption and decryption system
CN105554127A (en) * 2015-12-22 2016-05-04 内蒙古农业大学 Private cloud backup mechanism of multilayer data security encryption method
CN107015982A (en) * 2016-01-27 2017-08-04 阿里巴巴集团控股有限公司 A kind of method, device and the equipment of monitoring system file integrality
CN113691560A (en) * 2016-02-05 2021-11-23 安赛飞保安有限公司 Data transfer method, method for controlling data use, and cryptographic apparatus
CN113691560B (en) * 2016-02-05 2023-08-25 安赛飞保安有限公司 Data transmission method, method for controlling data use, and cryptographic device
WO2017166527A1 (en) * 2016-03-28 2017-10-05 乐视控股(北京)有限公司 File signature system and method
CN105868647A (en) * 2016-03-28 2016-08-17 乐视控股(北京)有限公司 File signing system and method
WO2017210563A1 (en) * 2016-06-02 2017-12-07 Reid Consulting Group, Inc. System and method for securely storing and sharing information
CN106095954B (en) * 2016-06-14 2019-05-24 上海棉联电子商务有限公司 Data base management method for enterprise supply chain
CN106095954A (en) * 2016-06-14 2016-11-09 成都镜杰科技有限责任公司 Data base management method for enterprise supply chain
CN105989311B (en) * 2016-07-04 2018-11-27 南京金佰达电子科技有限公司 A kind of high security external storage method based on document level
CN105989311A (en) * 2016-07-04 2016-10-05 南京金佰达电子科技有限公司 Document level-based high-safety external storage method
CN106611128A (en) * 2016-07-19 2017-05-03 四川用联信息技术有限公司 Secondary encryption-based data validation and data recovery algorithm in cloud storage
CN106330452A (en) * 2016-08-13 2017-01-11 深圳市樊溪电子有限公司 Security network attachment device and method for block chain
CN106055993A (en) * 2016-08-13 2016-10-26 深圳市樊溪电子有限公司 Encryption storage system for block chains and method for applying encryption storage system
WO2018032379A1 (en) * 2016-08-13 2018-02-22 深圳市樊溪电子有限公司 Untrusted remote transaction file secure storage system for block chain
WO2018032374A1 (en) * 2016-08-13 2018-02-22 深圳市樊溪电子有限公司 Encrypted storage system for block chain and method using same
WO2018032373A1 (en) * 2016-08-13 2018-02-22 深圳市樊溪电子有限公司 Security network attachment device and method for block chain
CN106131048A (en) * 2016-08-13 2016-11-16 深圳市樊溪电子有限公司 A kind of non-trusted remote transaction file security for block chain stores system
CN106131048B (en) * 2016-08-13 2020-05-19 广州商品清算中心股份有限公司 Non-trust remote transaction file safe storage system for block chain
CN106407681A (en) * 2016-09-19 2017-02-15 南京工业大学 Storage and access method for personal health records in cloud system environment
CN106407681B (en) * 2016-09-19 2019-03-26 南京工业大学 A kind of cloud system environment individual health record storage access method
CN106411884A (en) * 2016-09-29 2017-02-15 郑州云海信息技术有限公司 Method and device for data storage and encryption
CN108234436A (en) * 2016-12-22 2018-06-29 航天信息股份有限公司 A kind of encryption method and system based on the storage of OpenStack objects
CN106790148A (en) * 2016-12-28 2017-05-31 上海优刻得信息科技有限公司 Prevent access, output checking method and device, the auditing system of leakage of data
CN108259406A (en) * 2016-12-28 2018-07-06 中国电信股份有限公司 Examine the method and system of SSL certificate
CN109214183A (en) * 2017-07-03 2019-01-15 阿里巴巴集团控股有限公司 The method, apparatus and equipment of software, storage medium and processor are extorted in killing
CN107359990A (en) * 2017-08-03 2017-11-17 北京奇艺世纪科技有限公司 A kind of secret information processing method, apparatus and system
CN107332858B (en) * 2017-08-07 2020-08-28 深圳格隆汇信息科技有限公司 Cloud data storage method
CN107332858A (en) * 2017-08-07 2017-11-07 成都汇智远景科技有限公司 Cloud date storage method
KR20190054763A (en) * 2017-11-14 2019-05-22 (주)피스페이스 File leakage prevention based on security file system and commonly used file access interface
KR102368208B1 (en) * 2017-11-14 2022-02-28 (주)피스페이스 File leakage prevention based on security file system and commonly used file access interface
CN108337220A (en) * 2017-11-27 2018-07-27 中国电子科技集团公司电子科学研究院 Data processing method, system and key server
CN107920130A (en) * 2017-12-07 2018-04-17 北京书生电子技术有限公司 The method and apparatus of inside and outside network data synchronization
CN109992987B (en) * 2017-12-29 2021-04-27 港融科技有限公司 Script file protection method and device based on Nginx and terminal equipment
CN109992987A (en) * 2017-12-29 2019-07-09 深圳市融汇通金科技有限公司 Script file guard method, device and terminal device based on Nginx
CN110298165A (en) * 2018-03-22 2019-10-01 腾讯科技(深圳)有限公司 Have secure access to method, apparatus and the authentication proxy of shared drive
CN108499084A (en) * 2018-04-09 2018-09-07 杨娟 System for body-building or training
CN112106323B (en) * 2018-07-12 2024-03-22 塞克罗斯股份有限公司 Method for storing and reading data on a storage device in an untrusted environment
CN112106323A (en) * 2018-07-12 2020-12-18 塞克罗斯股份有限公司 Method for establishing a secure hierarchical reference system
CN112513849A (en) * 2018-07-31 2021-03-16 日本电信电话株式会社 Information processing apparatus, authentication method, and authentication program
CN109218415B (en) * 2018-08-28 2021-06-29 浪潮电子信息产业股份有限公司 Distributed node management method, node and storage medium
CN109218415A (en) * 2018-08-28 2019-01-15 浪潮电子信息产业股份有限公司 Distributed node management method, node and storage medium
CN109313678A (en) * 2018-09-05 2019-02-05 福建联迪商用设备有限公司 A kind of method and terminal for calling API
CN109313678B (en) * 2018-09-05 2021-11-09 福建联迪商用设备有限公司 API calling method and terminal
CN109448192A (en) * 2018-11-13 2019-03-08 公安部第三研究所 Safe and intelligent lock system based on encryption chip
CN110166458A (en) * 2019-05-23 2019-08-23 王怀尊 A kind of three-level code key encryption system
CN110166458B (en) * 2019-05-23 2022-08-02 王怀尊 Three-level key encryption method
CN110378133B (en) * 2019-06-28 2023-05-05 深圳市元征科技股份有限公司 File protection method and device, electronic equipment and storage medium
CN110378133A (en) * 2019-06-28 2019-10-25 深圳市元征科技股份有限公司 A kind of document protection method, device, electronic equipment and storage medium
CN112214758A (en) * 2019-07-09 2021-01-12 意法半导体(大西部)公司 Apparatus and method for managing encrypted software applications
CN110768782A (en) * 2019-09-26 2020-02-07 如般量子科技有限公司 Anti-quantum computation RFID authentication method and system based on asymmetric key pool and IBS
CN110768782B (en) * 2019-09-26 2022-11-15 如般量子科技有限公司 Anti-quantum computation RFID authentication method and system based on asymmetric key pool and IBS
CN111491023A (en) * 2020-04-10 2020-08-04 西咸新区予果微码生物科技有限公司 Microbial detection system based on CRISPR technology
CN111339034B (en) * 2020-05-18 2020-08-11 湖南天琛信息科技有限公司 Ciphertext storage plaintext access system, ciphertext storage method and plaintext access method
CN111339034A (en) * 2020-05-18 2020-06-26 湖南天琛信息科技有限公司 Ciphertext storage plaintext access system, ciphertext storage method and plaintext access method
CN112016124A (en) * 2020-09-07 2020-12-01 公安部第三研究所 Method for realizing information query based on data object main body de-identification
CN112016124B (en) * 2020-09-07 2024-05-28 公安部第三研究所 Method for implementing information inquiry based on de-identification of data object main body
CN112862994A (en) * 2021-02-07 2021-05-28 中国第一汽车股份有限公司 ETC anti-disassembly authentication method, ETC, vehicle-mounted equipment terminal and system
CN112948870A (en) * 2021-04-13 2021-06-11 北京国联易安信息技术有限公司 Electronic document security management method and management system based on big data
CN113507448B (en) * 2021-06-17 2022-05-17 中国汽车技术研究中心有限公司 Security access service authentication method and system
CN113507448A (en) * 2021-06-17 2021-10-15 中国汽车技术研究中心有限公司 Security access service authentication method and system
CN114386098B (en) * 2021-12-31 2024-05-03 江苏大道云隐科技有限公司 Big data storage and traceability system
CN114386098A (en) * 2021-12-31 2022-04-22 江苏任务网络科技有限公司 Big data storage and traceability system
CN114567447B (en) * 2022-04-26 2022-07-19 佳瑛科技有限公司 Data sharing management method and device based on cloud server
CN114567447A (en) * 2022-04-26 2022-05-31 佳瑛科技有限公司 Data sharing management method and device based on cloud server
CN115580403A (en) * 2022-12-09 2023-01-06 深圳市永达电子信息股份有限公司 PKI-based computing node access control method

Also Published As

Publication number Publication date
CN102014133B (en) 2013-08-21

Similar Documents

Publication Publication Date Title
CN102014133B (en) Method for implementing safe storage system in cloud storage environment
TWI709314B (en) Data processing method and device
CN109886040B (en) Data processing method, data processing device, storage medium and processor
US9026805B2 (en) Key management using trusted platform modules
US20100005318A1 (en) Process for securing data in a storage unit
CN103780607B (en) The method of the data de-duplication based on different rights
CN102685148A (en) Method for realizing secure network backup system under cloud storage environment
CN102075544A (en) Encryption system, encryption method and decryption method for local area network shared file
CN105100076A (en) Cloud data security system based on USB Key
CN111010430B (en) Cloud computing security data sharing method based on double-chain structure
CN106027503A (en) Cloud storage data encryption method based on TPM
CN102025503B (en) Data security implementation method in cluster environment and high-security cluster
CN104601579A (en) Computer system for ensuring information security and method thereof
CN104468615A (en) Data sharing based file access and permission change control method
KR20110018331A (en) Secure data cache
CN104580487A (en) Mass data storage system and processing method
CN104009987A (en) Fine-grained cloud platform security access control method based on user identity capacity
US11604888B2 (en) Digital storage and data transport system
CN103580855A (en) Usbkey management plan based on sharing technology
CN103516523A (en) Data encryption system structure based on cloud storage
CN103226670B (en) A kind of document access control system based on access control model
CN115567312B (en) Alliance chain data authority management system and method capable of meeting various scenes
CN112307508B (en) Revocable data sharing system based on SGX, CP-ABE and block chain
CN117454440A (en) Technology archive authentication method and intelligent management system based on traceable digital signature technology
CN104618419A (en) Scheme based on content sharing policy in cloud

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20130821