CN102014133A - Method for implementing safe storage system in cloud storage environment - Google Patents
- Publication number: CN102014133A, CN201010569398A
- Authority: CN (China)
- Prior art keywords: file, key, user, access control, trust domain
- Legal status: Granted (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Abstract
The invention relates to a method for implementing a secure storage system in a cloud storage environment and belongs to the technical field of storage security. A trust domain is established on a server according to the user's requirements. Within the trust domain, identity authentication is performed using a public key infrastructure (PKI), and a filesystem in user space (FUSE) makes the storage system independent of the underlying system. The hash value of a file is calculated block by block with the secure hash algorithm SHA1, each file block is encrypted with a key using the symmetric Advanced Encryption Standard (AES) algorithm, and the file ciphertext is uploaded to a file server in the cloud storage area, which guarantees the confidentiality and integrity of the file. The file owner designates, in an access control list, the users permitted to access the file and their permissions, and postpones re-encrypting the file when a permission is revoked: only when a user modifies the content of the file is the file block containing the modified content encrypted again. The system implements three layers of key management, namely file block keys, security metadata file keys and trust domain server keys, so that the security of the file is guaranteed when a permission is revoked without increasing the management load of the system.
Description
Technical field
The method for implementing a secure storage system in a cloud storage environment belongs to the field of storage security, and in particular relates to technical fields such as secure access control, key distribution management and file management.
Background technology
With the rapid development of cloud computing technology, cloud storage has also received wide attention and is gradually coming into use. A file owner can create a file, upload it to the cloud storage area and hand it over to the cloud storage service provider to manage. The file owner can also allow specified other users to read and write the file, which achieves shared access to the file.
Although the cloud storage service provider offers users convenient shared access to files, the security problems involved cannot be ignored. First, the confidentiality of files cannot be guaranteed: files are stored in the cloud storage area in plaintext, fully exposed to the cloud storage service provider; if the provider obtains this file information and uses it for illegitimate purposes, the consequences for the user are incalculable. Second, the integrity of file information cannot be guaranteed: when other users share the file, its information is transmitted over the network in plaintext, which gives a network eavesdropper an opportunity. The eavesdropper can intercept the file information on the network, remove information unfavourable to themselves, add false information favourable to themselves, and then send the result on to other users to serve their own illegitimate ends. Third, permissions are not managed effectively, and security cannot be guaranteed when a permission is revoked: how to let users share the file efficiently, and how to ensure that, after a user's access to the file is revoked, the content of the file after later updates cannot be obtained by the revoked user. All of these are security problems that test a secure storage system.
The function of a secure storage system is to let users keep shared data safe. It works as follows: the file owner first uses a hash algorithm locally to calculate hash values of the file block by block, and encrypts the file block by block using a key and an encryption algorithm. The ciphertext and the hash values are then stored together in the public storage area, so that the administrator of the public storage area cannot learn the content of the file, which guarantees the confidentiality of the data. At the same time, the file owner distributes the key to the users who the owner thinks may access the file. These users can access the file, decrypt the file blocks containing the accessed content with the key they hold, then calculate the hash values of those blocks and check whether they equal the stored hash values; if they are equal, the accessed content is intact, and the user finally reads the content of the file.
The secure storage systems implemented so far, in China and abroad, guarantee the confidentiality and integrity of files but still have shortcomings. First, some storage systems need the support of the underlying storage system, or even require changes to the kernel or a particular kernel version, which is inconvenient: a user who wants to use such a secure storage system must install a specific underlying storage system, or needs a particular kernel version, or has to modify the kernel. Second, some secure storage systems use the Rivest-Shamir-Adleman (RSA) algorithm when operating on files, and in some cases also need key rollback operations; because the complexity of the RSA algorithm is high, the performance of such secure storage systems is not encouraging. Third, when revoking a user's permission, most current secure storage systems use active revocation. Active revocation arises as follows: the file owner may come to believe that a user who has been granted access to a file may damage the file or distribute its content, with consequences the owner does not want, so the owner may revoke that user's permission. But because that user already holds the key needed to access the file, to keep the file safe the file owner has to generate a new key immediately, re-encrypt the file with the new key immediately, and finally distribute the new key to the other legitimate users, excluding the revoked user. This is active revocation. Its consequence is that, for large files, the cryptographic cost of immediate re-encryption is very large, and in an environment with frequent revocations the overhead of such a secure storage system may be more than users can bear.
The present invention implements a secure storage system for a cloud storage environment. It guarantees the confidentiality and integrity of the user's data, manages users' permissions effectively, guarantees the security of files when a permission is revoked, and has good extensibility.
Summary of the invention
The object of the present invention is to provide a system architecture for a secure storage system in a cloud storage environment, so that users can still share files securely and efficiently in an untrusted storage and network environment, even though they have lost control of the system's physical resources. Data security protection is independent of the underlying storage system already deployed: the underlying storage system only provides a reliable data storage service, while data confidentiality, integrity protection and access control are carried out in the trust domain established according to the user's requirements. The user can guarantee the end-to-end security of their own data without relying on data security mechanisms provided by the underlying storage system, and conversely the underlying storage system cannot interfere with the user's security mechanisms. This architecture moves the responsibility for data security protection away from data servers over which the user has no control and from individual client machines with weaker security, and concentrates it on a trusted trust domain server that has a higher security level and can be set up and maintained by the user. This removes the need for the storage system to trust the untrusted file server, and reduces the user's management complexity and the security risk of client key leakage. The architecture is therefore well suited to application scenarios in which the user has no control over the underlying shared file system.
The architecture of the present invention comprises a trust domain server, a file server, clients and a network. Their roles are as follows:
1) Trust domain server: authenticates users' identities, and manages and distributes file keys;
2) File server: stores files and security metadata files;
3) Client: creates files and accesses files;
4) Network: the medium for file transfer, carrying users' access requests and file information;
The idea of the present invention is:
1) This storage system is independent of the underlying storage system. That is, data security protection is independent of the underlying storage system already deployed: the underlying storage system only provides a reliable data storage service, while data confidentiality, integrity protection and access control are carried out in the trust domain established according to the user's requirements. The user can guarantee the end-to-end security of their own data without relying on data security mechanisms provided by the underlying storage system, and conversely the underlying storage system cannot interfere with the user's security mechanisms;
2) Protection of file confidentiality and integrity;
i. The file owner creates a file. The owner first uses a hash algorithm, the SHA1 algorithm, to calculate hash values of the file locally, block by block, then encrypts the file block by block using keys and the AES encryption algorithm, and then uploads it to the cloud storage area for storage, which guarantees the confidentiality of the file in the cloud storage area. The SHA1 algorithm is a secure hash algorithm designed by the US National Security Agency and published by the National Institute of Standards and Technology. It is a widely used hash algorithm whose purpose is to compress a lengthy file into a short piece of unique digital information (commonly called a hash value) to guarantee the legitimacy and security of the original file. The AES algorithm is the Advanced Encryption Standard determined by the US national technical standards committee in 2000, a widely used encryption algorithm for protecting data. For convenient key management, the file owner hands the authority for key distribution and management to the trust domain server.
ii. The file owner specifies an access control list that names the users permitted to access the file. The file owner creates an access control list for the file, adds to it the users who the owner thinks may access the file, and sends the access control list to the trust domain server; the trust domain server issues the file's key to the users on the access control list. When a user with access rights accesses the file, the data is transmitted over the network as ciphertext. The user decrypts the file block by block with the key they hold, then uses the SHA1 algorithm to calculate the hash value of the decrypted file block by block and checks whether it equals the hash value that was read. If they are equal, the data is intact and the user finally reads the file content; if the hash value the user calculated does not equal the hash value that was read, the integrity of the data has been damaged and an error is reported to the system;
3) Key distribution and management are carried out centrally by the trust domain server. Key management in this secure storage system is divided into three layers. The reason is that organizing the symmetric keys hierarchically guarantees both system performance and security without increasing the system's administrative burden. The operating steps are as follows:
i. File block key: to handle large files securely and efficiently, this system encrypts files in units of blocks. Such a block is called a file block, to distinguish it from a block of the underlying storage system. Each file block is encrypted with its own symmetric key, called a file block key, and each file has a set of file block keys;
ii. Security metadata file keys: the keys kept in the security metadata file form the second layer. They comprise a lockbox key LBK and a file signature key FSK. The lockbox key LBK works as follows: all the file block keys of a file are placed in a lockbox, and the lockbox is then encrypted with the symmetric lockbox key LBK. Only an authorized user who obtains the lockbox key LBK can decrypt the lockbox and so obtain the file block keys needed to decrypt the file content. The file signature key FSK is the key with which a write user signs the file after modifying it. It is the file signature key FSK that distinguishes read operations from write operations in this secure storage system. Note that the lockbox key LBK and the file signature key FSK are both symmetric keys; using lower-complexity symmetric keys significantly reduces the system's cryptographic computation overhead;
iii. Trust domain server keys: the top layer is the trust domain server keys. These are two symmetric keys maintained by the trust domain server, one called the trust domain server encryption key ASEK and the other the trust domain server signature key ASSK. The former is used to encrypt the lockbox key LBK and the file signature key FSK in the security metadata file that corresponds to a data file, thereby enforcing access control and distinguishing read from write operations. The latter is used as the key input of the HMAC algorithm: an HMAC value is calculated over the access control block (ACB) in the security metadata file to guarantee its integrity. HMAC is a message authentication code computed with a cryptographic hash function and a key, and its main purpose is to check the integrity of a message. The trust domain server must guarantee the confidentiality of these two keys and must never reveal them to anyone else; in practice this can be achieved with hardware assistance.
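The trust domain server's use of its two keys, as an added example that is not code from the patent: ASEK seals LBK and FSK inside the access control block, ASSK authenticates the block, and the access control list decides whether a caller receives LBK alone (read) or LBK and FSK (write). Assumptions: the caller has already been authenticated, the ACB is a JSON-serializable dict, ACL entries are keyed by the SHA1 of the user name, the HMAC uses SHA-256, and an HMAC-derived pad stands in for AES because the Python standard library has no AES; all function and field names are hypothetical.

```python
import hashlib
import hmac
import json
import secrets

READ, WRITE = "r", "rw"


def _uid(user: str) -> str:
    # Assumption: ACL entries are keyed by the SHA1 of the user name.
    return hashlib.sha1(user.encode()).hexdigest()


def _pad(asek: bytes, nonce: bytes) -> bytes:
    # Stand-in for AES under ASEK (the standard library has no AES):
    # a 32-byte pad per nonce, enough for LBK + FSK at 16 bytes each.
    return hmac.new(asek, b"wrap" + nonce, hashlib.sha256).digest()


class TrustDomainServer:
    def __init__(self):
        self._asek = secrets.token_bytes(32)  # encryption key, stays on server
        self._assk = secrets.token_bytes(32)  # HMAC key, stays on server

    def _mac(self, acb: dict) -> str:
        # HMAC over every ACB field except the HMAC field itself.
        body = {k: v for k, v in acb.items() if k != "hmac"}
        msg = json.dumps(body, sort_keys=True).encode()
        return hmac.new(self._assk, msg, hashlib.sha256).hexdigest()

    def create_acb(self, owner: str, filename: str, acl: dict) -> dict:
        """Generate LBK and FSK, seal them under ASEK, MAC the ACB."""
        nonce = secrets.token_bytes(16)
        keys = secrets.token_bytes(32)  # LBK || FSK
        sealed = bytes(a ^ b for a, b in zip(keys, _pad(self._asek, nonce)))
        acb = {
            "owner": _uid(owner),
            "file": filename,
            "acl": {_uid(u): perm for u, perm in acl.items()},
            "nonce": nonce.hex(),
            "sealed_keys": sealed.hex(),
        }
        acb["hmac"] = self._mac(acb)
        return acb

    def release_keys(self, user: str, acb: dict, want_write: bool):
        """Verify the ACB, check the ACL, hand out LBK (and FSK for writers)."""
        if not hmac.compare_digest(self._mac(acb), str(acb.get("hmac", ""))):
            raise ValueError("access control block failed HMAC check")
        perm = acb["acl"].get(_uid(user))
        if perm is None or (want_write and perm != WRITE):
            raise PermissionError("not permitted by the access control list")
        pad = _pad(self._asek, bytes.fromhex(acb["nonce"]))
        keys = bytes(a ^ b for a, b in zip(bytes.fromhex(acb["sealed_keys"]), pad))
        lbk, fsk = keys[:16], keys[16:]
        return (lbk, fsk) if want_write else (lbk, None)


def outcome(server, user, acb, want_write):
    """Return 'ok' or the name of the exception the request raised."""
    try:
        server.release_keys(user, acb, want_write)
        return "ok"
    except (ValueError, PermissionError) as exc:
        return type(exc).__name__


def demo():
    tds = TrustDomainServer()
    # Constructed sample: alice owns the file, bob may only read it.
    acb = tds.create_acb("alice", "report.txt", {"alice": WRITE, "bob": READ})
    altered = json.loads(json.dumps(acb))
    altered["acl"][_uid("bob")] = WRITE  # ACL changed outside the server
    return {
        "bob_read": outcome(tds, "bob", acb, False),
        "bob_write": outcome(tds, "bob", acb, True),
        "alice_write": outcome(tds, "alice", acb, True),
        "mallory_read": outcome(tds, "mallory", acb, False),
        "bob_write_altered_acl": outcome(tds, "bob", altered, True),
    }
```

Because the ACB is stored on the untrusted file server, the HMAC under ASSK is what stops an ACL edited there from being honoured: the altered block is rejected before the ACL is consulted.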
The invention is characterized in that the method is implemented on Linux using the filesystem in user space (FUSE), in a network formed by a trust domain server, clients and a file server, according to the following steps in order:
Step (1): initialization of the network,
Step (1.1): initialization of the trust domain server. A user authentication module and an access control module are set up. The user authentication module uses the SSL/TLS protocol and a public key infrastructure (PKI); the access control module performs access control on files under the authorization of the file owner. The system uses a three-level key management mechanism. The first-level key is the file block key: to handle large files securely and efficiently, the system encrypts files in units of blocks, called file blocks, and each file block is encrypted with its own symmetric key, called a file block key; the file block keys are encrypted and then stored in the security metadata file. The second-level keys are the security metadata file keys, comprising a lockbox key LBK and a file signature key FSK; each file has its own security metadata file keys. The lockbox key LBK is used to encrypt all the file block keys of the file, guaranteeing their confidentiality; the file signature key FSK is the key with which a write user signs the file data after modifying it, and is used to distinguish read operations from write operations. The third-level keys are the trust domain server keys, two symmetric keys maintained by the trust domain server. One, the trust domain server encryption key ASEK, is used to encrypt the lockbox key LBK and the file signature key FSK in the security metadata file corresponding to a data file, thereby enforcing access control and distinguishing read from write operations. The other, the trust domain server signature key ASSK, is used to calculate a hash-based message authentication code, i.e. the HMAC value, over the access control block (ACB) in the security metadata file, to guarantee the integrity of the access control block,
Step (1.2): the client is provided with a data encryption/decryption module, a data integrity verification module, a cache module and a file system interface,
Step (1.3): the file server is provided with a storage module;
Step (2): the user applies for a user identity, as follows:
Step (2.1): from the client, over a channel encrypted with the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols, the user sends a user identity request to the user authentication module of the trust domain server,
Step (2.2): the user authentication module is based on the public key infrastructure: user identities and the trust domain server identity are both authenticated by X.509 certificates issued through the PKI. A new user of the system must first apply to the registration authority for a certificate before using the system;
Step (3): the file owner creates a file according to the following steps:
Step (3.1): the file owner sends a file creation request to the trust domain server. The file owner first creates the content of the access control block (ACB), which comprises the user's identity, the file name, the specified encryption algorithm and mode, and the access control list, and sends the access control block to the access control module of the trust domain server. The access control list comprises the hash value of the user name and that user's access rights,
Step (3.2): the trust domain server processes the file owner's file creation request: it uses the authentication module to authenticate the file owner, determines the owner's identity and permissions, and then generates a lockbox key LBK and a file signature key FSK for the file to be created;
Step (3.3): the trust domain server encrypts the lockbox key LBK and the file signature key FSK with the trust domain encryption key ASEK, uses the trust domain signature key ASSK to calculate the HMAC value of the access control block (ACB), stores it in the HMAC field of the access control block, and then returns the access control block to the file owner;
Step (3.4): the file owner creates the file and inputs the data, then uses the secure hash algorithm, i.e. the SHA1 algorithm, to calculate hash values of the file block by block and saves the hash values in the security metadata file. The owner then encrypts the file block by block with the file block keys to generate the file ciphertext, and finally sends the file ciphertext and the security metadata file to the file server for storage;
Step (4): a read user reads the file created in step (3) according to the following steps:
Step (4.1): the read user reads the file data ciphertext and the security metadata file from the file server,
Step (4.2): the read user is authenticated according to the following steps,
Step (4.2.1): the read user sends their own identity and the access control block (ACB) from the security metadata file to the trust domain server,
Step (4.2.2): the trust domain server calls the authentication module to confirm the user's identity; calls the access control module; decrypts the access control block (ACB) with the trust domain encryption key ASEK to obtain information including the lockbox key LBK, the file signature key FSK and the access control list (ACL); uses the trust domain signature key ASSK to calculate the HMAC value of the access control block in order to judge its integrity; determines the read user's read permission from the ACL; and then sends the lockbox key LBK to the read user,
Step (4.3): after obtaining the lockbox key LBK, the read user uses it to decrypt and obtain the file block keys, then decrypts the file data with the file block keys to obtain the plaintext of the file data. The user calculates, with the SHA1 algorithm, the hash value of each file block containing the content to be read and checks whether it is consistent with the hash value saved in the security metadata, to judge the integrity of the data read. If they are equal, the data is intact and the user goes on to read it; otherwise an error is reported to the system;
Step (5): a write user writes or modifies file data according to the following steps,
Step (5.1): the write user first reads the ciphertext of the file data to be modified and the security metadata file from the file server,
Step (5.2): the write user is authenticated according to the following steps,
Step (5.2.1): the write user sends their own identity and the access control block (ACB) from the security metadata file to the trust domain server. The trust domain server calls the authentication module to confirm the user's identity and calls the access control module, which decrypts the access control block with the trust domain encryption key ASEK to obtain information including the lockbox key LBK, the file signature key FSK and the access control list. It uses the trust domain signature key ASSK to recalculate the HMAC value of the access control block and checks whether it equals the HMAC value in the access control block, to judge whether the access control block is intact. It determines from the access control list the write permission the write user has, and then returns the lockbox key LBK and the file signature key FSK to the user,
Step (5.3): the write user writes or modifies the file according to the following steps,
Step (5.3.1): the write user uses the lockbox key LBK to obtain the file block keys, then decrypts the file data with the file block keys to obtain the plaintext file information. The user calculates, with the SHA1 algorithm, the hash value of each file block containing the content to be modified and checks whether it is consistent with the hash value saved in the security metadata, to judge the integrity of the data read,
Step (5.3.2): the write user writes to or modifies the file from step (5.3.1), encrypts the new file data again with the file block key, and signs it with the file signature key FSK,
Step (5.3.3): the write user sends the modified file data and the security metadata file to the file server for storage;
Step (6): the file owner performs permission revocation according to the following steps:
Step (6.1): the file owner obtains the security metadata file from the file server, and then sends their own identity, the access control block (ACB) from the security metadata file and the list of users to be revoked to the trust domain server,
Step (6.2): the trust domain server performs the following steps,
Step (6.2.1): it calls the authentication module to authenticate the file owner's identity and determines that the owner has permission to revoke users,
Step (6.2.1): it calls the access control module, which decrypts the access control block (ACB) with the trust domain encryption key ASEK to obtain information including the access control list, the lockbox key LBK and the file signature key FSK, and uses its own trust domain signature key ASSK to recalculate the HMAC value of the access control block to judge its integrity. It then deletes from the access control list in the access control block the entries of the users to be revoked, and generates a new lockbox key LBK' and a new file signature key FSK' for the file. The trust domain server then encrypts the newly generated LBK' and FSK' with the trust domain server encryption key ASEK, and uses the trust domain server signature key ASSK to calculate the HMAC of the modified access control block again,
Step (6.2.2): the trust domain server returns the new access control block, the new file signature key FSK', the new lockbox key LBK' and the old lockbox key LBK to the file owner,
Step (6.3): the file owner performs lazy revocation as follows: the owner decrypts all the file block keys with the old lockbox key LBK and encrypts these file block keys with the new lockbox key LBK'; re-encryption of a file block is postponed until a user updates that file block.
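The client side of steps (3.4), (4.3), (5.3) and (6.3), as an added example that is not code from the patent: per-block SHA1 and per-block keys, a lockbox sealed under LBK, and lazy revocation that re-wraps the lockbox under LBK' while leaving every ciphertext block alone until it is next written. Assumptions: a 4096-byte file block, an HMAC-SHA256 counter keystream standing in for AES (the Python standard library has no AES), a fresh block key on each update, and an HMAC under FSK as the write "signature"; all function names are hypothetical.

```python
import hashlib
import hmac
import secrets

BLOCK = 4096  # file block size: an assumption, the page does not fix one


def stream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Stand-in for AES (not in the standard library): XOR with an
    # HMAC-SHA256 counter-mode keystream. Same call encrypts and decrypts.
    out = bytearray()
    for i in range(0, len(data), 32):
        ks = hmac.new(key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], ks))
    return bytes(out)


def seal(key: bytes, data: bytes) -> bytes:
    nonce = secrets.token_bytes(16)  # fresh nonce per encryption
    return nonce + stream_xor(key, nonce, data)


def unseal(key: bytes, blob: bytes) -> bytes:
    return stream_xor(key, blob[:16], blob[16:])


def create_file(plaintext: bytes, lbk: bytes):
    """Step 3.4: per-block SHA1, per-block key, block keys locked under LBK."""
    blocks = [plaintext[i:i + BLOCK] for i in range(0, len(plaintext), BLOCK)]
    keys = [secrets.token_bytes(16) for _ in blocks]
    meta = {"hashes": [hashlib.sha1(b).digest() for b in blocks],
            "lockbox": seal(lbk, b"".join(keys))}
    return [seal(k, b) for k, b in zip(keys, blocks)], meta


def block_keys(meta: dict, lbk: bytes) -> list:
    raw = unseal(lbk, meta["lockbox"])
    return [raw[i:i + 16] for i in range(0, len(raw), 16)]


def read_block(cipher: list, meta: dict, lbk: bytes, n: int) -> bytes:
    """Step 4.3: decrypt block n and compare its SHA1 with the stored hash."""
    plain = unseal(block_keys(meta, lbk)[n], cipher[n])
    if not hmac.compare_digest(hashlib.sha1(plain).digest(), meta["hashes"][n]):
        raise ValueError("file block %d failed the integrity check" % n)
    return plain


def lazy_revoke(meta: dict, old_lbk: bytes, new_lbk: bytes) -> None:
    """Step 6.3: re-wrap the block keys under LBK'; no file block is touched."""
    meta["lockbox"] = seal(new_lbk, unseal(old_lbk, meta["lockbox"]))


def write_block(cipher, meta, lbk, fsk, n, new_plain) -> None:
    """Step 5.3: only the modified block is re-encrypted.

    Assumptions of this example: the block gets a fresh block key, and the
    FSK "signature" is an HMAC-SHA256 over the list of block hashes.
    """
    keys = block_keys(meta, lbk)
    keys[n] = secrets.token_bytes(16)
    cipher[n] = seal(keys[n], new_plain)
    meta["hashes"][n] = hashlib.sha1(new_plain).digest()
    meta["lockbox"] = seal(lbk, b"".join(keys))
    meta["sig"] = hmac.new(fsk, b"".join(meta["hashes"]), hashlib.sha256).digest()


def demo() -> dict:
    lbk = secrets.token_bytes(16)
    data = b"A" * BLOCK + b"B" * BLOCK + b"tail"  # constructed 3-block file
    cipher, meta = create_file(data, lbk)
    cached = block_keys(meta, lbk)  # block keys a reader held before revocation
    before = list(cipher)

    new_lbk, new_fsk = secrets.token_bytes(16), secrets.token_bytes(16)  # LBK', FSK'
    lazy_revoke(meta, lbk, new_lbk)
    untouched = cipher == before
    write_block(cipher, meta, new_lbk, new_fsk, 1, b"C" * BLOCK)

    try:
        read_block(cipher, meta, lbk, 0)
        old_lbk_reads = True
    except ValueError:
        old_lbk_reads = False
    return {
        "revoke_left_ciphertext_untouched": untouched,
        "blocks_reencrypted_on_write": [i for i in range(3) if cipher[i] != before[i]],
        "old_lbk_reads": old_lbk_reads,
        "cached_key_reads_unmodified_block": unseal(cached[0], cipher[0]) == b"A" * BLOCK,
        "cached_key_reads_updated_block": unseal(cached[1], cipher[1]) == b"C" * BLOCK,
        "current_lbk_reads_update": read_block(cipher, meta, new_lbk, 1) == b"C" * BLOCK,
    }
```

The result shows the trade-off that lazy revocation accepts: block keys cached before revocation still open blocks that have not changed since, and only blocks written afterwards are out of reach, which in this example depends on the fresh block key assumed in `write_block`.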
The effects of the present invention are as follows:
1. The confidentiality of user files in the cloud storage area is guaranteed without relying on the underlying file system; only users with legitimate permission can obtain the information in a file;
2. End-to-end integrity is guaranteed during the user's file operations: the user can promptly discover whether data was illegally tampered with during network transmission, or was corrupted because of changes in the storage medium;
3. The overhead of permission revocation is reduced. In particular, in multi-user application scenarios where permissions are modified frequently, the present invention can greatly improve the efficiency of permission revocation;
The present invention was tested at the Institute of High Performance Computing, Department of Computer Science, Tsinghua University. The results show that this secure storage system can provide file sharing to users in a cloud storage environment while also guaranteeing the confidentiality, integrity and access control of data, with a performance overhead within a range acceptable to users.
Description of drawings:
Fig. 1: System structure diagram.
Fig. 2: Schematic diagram of the file owner creating a file.
Fig. 3: Schematic diagram of a read user reading a file.
Fig. 4: Schematic diagram of a write user writing a file.
Fig. 5: Schematic diagram of the file owner revoking a user's permission.
Fig. 6: Schematic diagram of the access control block (ACB).
Fig. 7: Read/write performance of ext3 and the present invention compared using IOzone in a stand-alone environment.
Fig. 8: Read/write performance of NFS and the present invention compared using IOzone in a cluster environment.
Embodiment:
The specific embodiment of the present invention is as follows:
Step 1: the user applies for a user ID. The user ID is the user's unique identity in the system; both the file owner and the trust domain server determine a user's identity, and judge the user's access rights, by the user's ID. To identify the principals in the system (the trust domain server and the users) securely and effectively, so that the system can establish trust relationships among the users operating on it, the system needs a secure user identification mechanism that is independent of the underlying storage system. This system adopts a public key infrastructure (PKI) and provides user IDs through digital certificates. A digital certificate is an electronic document issued to a principal by an impartial, authoritative body. It records the principal's name, the certificate serial number, the issuer's name, the certificate's validity period, the cryptographic algorithm identifier, the public key information and other information, and carries the digital signature of the issuer. A public key infrastructure is a platform or framework comprising hardware, software, people, policies and procedures; it uses public-key technology to provide the functions of creating, managing, distributing, using, storing and revoking digital certificates. The certificate authority (CA, Certificate Authority) and the registration authority (RA, Registration Authority) are important components of a PKI. The former is the core of the PKI: it is a trusted third party that issues digital certificates to users by binding a user's public key to the user's other information (including the user's identity), and provides certificate lookup, revocation, life-cycle management and key management. The latter mainly faces users and carries out some of the responsibilities delegated by the certificate authority. PKI is a mature, widely used technical system with unified specifications and standards and many fairly complete implementations. Using a PKI to provide user IDs for the system hands the work of maintaining the uniqueness and authenticity of user IDs to this mature system, and lets system users verify the identity of other principals securely and efficiently without having to understand complex management details, achieving mutual trust between users and thereby guaranteeing the authenticity, integrity, confidentiality and non-repudiation of user information;
Step 2: the file owner creates a file. File creation consists of the following steps, as shown in Figure 2;
Step 2.1: the file owner sends a file creation request to the trust domain server: the file owner first creates the content of the access control block (ACB), which comprises his identity label, the file name, the specified cryptographic algorithm and mode, and the access control list (ACL), and sends the access control block to the trust domain server;
Step 2.2: the trust domain server processes the file owner's file creation request: the trust domain server first determines the file owner's identity and authority from his identity label, then generates a lockbox key LBK and a file signature key FSK for the file he asked to create. The trust domain server then encrypts the lockbox key LBK and the file signature key FSK with the trust domain encryption key ASEK, uses the trust domain signature key ASSK to compute the HMAC value of the access control block, and returns the access control block to the file owner;
Step 2.3: the file owner creates the file: the file owner creates the file and inputs its content, then uses the SHA1 algorithm to compute hash values for the file block by block and saves the hash values in the security metadata file. The file block keys are then used to encrypt the file block by block, producing the file ciphertext. Finally, the file ciphertext and the security metadata file are sent to the file server for storage;
Step 3: a reading user reads the file. Reading generally consists of the following steps, as shown in Figure 3:
Step 3.1: read the file ciphertext and the security metadata file; the reading user first reads the file ciphertext and the security metadata file from the file server and obtains the access control block;
Step 3.2: authentication of the reading user; the reading user sends his own identity label and the access control block from the security metadata file to the trust domain server. After receiving them, the trust domain server first uses the trust domain key ASEK to decrypt the access control block, obtaining information such as the access control list, the lockbox key LBK and the file signature key FSK. It then uses its own trust domain signature key ASSK to compute the HMAC value of the access control block and judges the integrity of the access control block. The trust domain server then confirms the user's identity label, determines the reading user's read permission from the access control list, and sends the lockbox key LBK to the reading user;
Step 3.3: the reading user reads the file; after obtaining the lockbox key LBK, the reading user uses it to decrypt the file block key, then uses the file block key to decrypt the file block that holds the content to be read, obtaining the plaintext. The reading user also uses the SHA1 algorithm to compute the hash value of that file block and checks whether it matches the hash value saved in the security metadata, thereby judging the integrity of the data read. If the data is intact, it is read; otherwise an error is reported to the system;
Step 4: a writing user modifies the file. The general steps are as follows, as shown in Figure 4:
Step 4.1: the writing user reads the file ciphertext and the security metadata file; the writing user first reads, from the file server, the ciphertext and the security metadata file of the file to be modified;
Step 4.2: authentication of the writing user; the writing user sends his own identity label and the access control block from the security metadata file to the trust domain server. After receiving the access control block, the trust domain server uses the trust domain key ASEK to decrypt it, obtaining information such as the access control list, the lockbox key LBK and the file signature key FSK. It uses its own trust domain signature key ASSK to recompute the HMAC value of the access control block and checks whether it equals the HMAC value stored in the access control block, thereby judging whether the access control block is intact. It then confirms the user's identity label, determines from the access control list the write permission the user holds, and returns the lockbox key LBK and the file signature key FSK to the user;
Step 4.3: the writing user modifies the file; after obtaining the lockbox key LBK and the file signature key FSK, the writing user uses the lockbox key LBK to obtain the file block key, then uses the file block key to decrypt the file block that holds the content to be modified, obtaining the plaintext. The writing user uses the SHA1 algorithm to compute the hash value of that file block and checks whether it matches the hash value saved in the security metadata, thereby judging the integrity of the data to be modified. The writing user then modifies the file, computes the hash value of the written content and encrypts it with the file block key, and signs it with the file signature key FSK. Finally, the security metadata must also be updated;
Step 4.4: the writing user sends the modified file and the security metadata file to the file server for storage;
Step 5: permission revocation; when the file owner believes that a user may damage the file or may disseminate the file's information, that user's permission may be revoked. Revocation of a user's permission by the file owner generally consists of the following steps, as shown in Figure 5;
Step 5.1: the file owner sends a request to the trust domain server asking to revoke users' permissions; the file owner first obtains the security metadata file from the file server, then sends his own identity label, the access control block from the security metadata file and the list of users to be revoked to the trust domain server;
Step 5.2: the trust domain server processes the file owner's request; after receiving the request, the trust domain server first uses the trust domain key ASEK to decrypt the access control block, obtaining information such as the access control list, the lockbox key LBK and the file signature key FSK, and uses its own trust domain signature key ASSK to recompute the HMAC value of the access control block. After judging that the access control block is intact, it authenticates the file owner's identity. Once it has determined the file owner's identity and that the owner has permission to revoke users, it deletes the access control list entries of the users to be revoked from the access control list of the access control block, then generates a new lockbox key LBK' and a new file signature key FSK' for the file. The trust domain server then encrypts the newly generated lockbox key LBK' and file signature key FSK' with the trust domain server encryption key, and uses the trust domain server signature key to compute the HMAC of the modified access control block. The trust domain server then returns the new access control block, the new file signature key, the new lockbox key LBK' and the old lockbox key LBK to the file owner;
Step 5.3: the file owner performs lazy revocation; the file owner first uses the old lockbox key LBK to decrypt all file block keys, encrypts these file block keys with the new lockbox key LBK', and writes the new access control block information into the security metadata file. Lazy revocation means that the file owner re-encrypts the whole file (that is, all file blocks) with new keys, but the re-encryption of each file block is deferred until a user updates that file block;
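The client-side handling of file block keys in steps 2.3, 3.3, 4.3 and 5.3 can be followed in code. This Python example is added here and is not code from the patent or its implementation: the function names, the metadata layout and the SHAKE-256 XOR stand-in for AES-256 are assumptions, re-encryption on update is modelled as a fresh file block key, and signing with FSK is left out.

```python
import hashlib
import os

BLOCK = 64 * 1024  # file block size used in the page's experiments


def _xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in cipher (assumption, not AES-256-CFB): XOR with a SHAKE-256 keystream."""
    pad = hashlib.shake_256(key + nonce).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, pad))


def _wrap(lbk: bytes, block_key: bytes) -> bytes:
    """Encrypt one file block key under the lockbox key."""
    nonce = os.urandom(16)
    return nonce + _xor(lbk, nonce, block_key)


def _unwrap(lbk: bytes, wrapped: bytes) -> bytes:
    return _xor(lbk, wrapped[:16], wrapped[16:])


def _entry(lbk: bytes, block_key: bytes, plain: bytes):
    """Hash the plaintext block, encrypt it, and build its security metadata row."""
    nonce = os.urandom(16)
    meta = {"wrapped_key": _wrap(lbk, block_key), "nonce": nonce,
            "sha1": hashlib.sha1(plain).hexdigest(), "stale": False}
    return _xor(block_key, nonce, plain), meta


def create_file(data: bytes, lbk: bytes, block: int = BLOCK):
    """Step 2.3: one independent key per file block, wrapped under LBK."""
    pairs = [_entry(lbk, os.urandom(32), data[off:off + block])
             for off in range(0, len(data), block)]
    return [c for c, _ in pairs], [m for _, m in pairs]


def read_block(i: int, blocks: list, meta: list, lbk: bytes) -> bytes:
    """Step 3.3: unwrap the block key, decrypt, then check the stored SHA-1."""
    key = _unwrap(lbk, meta[i]["wrapped_key"])
    plain = _xor(key, meta[i]["nonce"], blocks[i])
    if hashlib.sha1(plain).hexdigest() != meta[i]["sha1"]:
        raise ValueError(f"file block {i} failed the integrity check")
    return plain


def lazy_revoke(meta: list, old_lbk: bytes, new_lbk: bytes) -> list:
    """Step 5.3: re-wrap every block key under LBK'; ciphertext is not touched."""
    return [dict(m, wrapped_key=_wrap(new_lbk, _unwrap(old_lbk, m["wrapped_key"])),
                 stale=True) for m in meta]


def write_block(i: int, plain: bytes, blocks: list, meta: list, lbk: bytes) -> None:
    """Step 4.3: the first update after a revocation re-encrypts under a new key."""
    stale = meta[i]["stale"]
    key = os.urandom(32) if stale else _unwrap(lbk, meta[i]["wrapped_key"])
    blocks[i], meta[i] = _entry(lbk, key, plain)


if __name__ == "__main__":
    lbk, lbk_new = os.urandom(32), os.urandom(32)
    content = b"constructed sample content " * 1000  # constructed input
    blocks, meta = create_file(content, lbk, block=4096)
    meta = lazy_revoke(meta, lbk, lbk_new)
    print(read_block(0, blocks, meta, lbk_new)[:27])
```

Only the security metadata changes at revocation time, which is why the operation stays cheap on a large file; each ciphertext block is replaced the next time it is written.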
The system structure of the present invention is shown in Figure 1 and is implemented on Linux using the FUSE (Filesystem in Userspace) framework. FUSE is a technology widely used by file system developers. With FUSE, a file system developer can quickly and easily develop a user-space file system without modifying the kernel. Thanks to its kernel module, FUSE can intercept system calls from the VFS layer and pass them to the developer's own user-space file system, which implements its particular operation logic. FUSE also lets a user mount his own file system without root privileges. In addition, FUSE is independent of any specific underlying storage system and is highly portable. These characteristics fully meet the design and implementation requirements of the present invention. For cryptographic operations, the present invention uses the OpenSSL library, wherein OpenSSL is. This library is known for its good implementation and complete interfaces, and is therefore widely used. The system uses SHA-1 as the cryptographic hash function, HMAC based on SHA-1 as the MAC function, and AES-256 as the default block encryption function. These parameters are all configured by the user when mounting the system. In addition, OpenSSL provides a good implementation of Public Key Infrastructure (PKI), which the system can use to authenticate system roles and to establish a secure channel between the user and the trust domain server.
The core of the present invention is a secure storage system for a cloud storage environment. Its implementation consists mainly of the following components and their modules:
● the trust domain server
The trust domain server mainly consists of the following modules:
1. user authentication module
This module is responsible for verifying user identity. Because SSL/TLS and a public key infrastructure are adopted, both the user's identity and the trust domain server's identity are authenticated through X.509 certificates issued by the public key infrastructure. A new user of the system must first apply for a certificate from the registration authority (RA, Registration Authority) before using the system. Although this process requires the support of a public key infrastructure based on asymmetric encryption and introduces some overhead, the asymmetric computation takes place only when a new user joins for the first time and is carried out only once. The subsequent file accesses, which account for most of the service time, use only symmetric cryptographic computation, so compared with other systems that adopt asymmetric encryption, this system does not introduce excessive performance overhead. When a user communicates with the trust domain server, the trust domain server verifies the user certificate, obtains the user's user name from it, and computes the user name hash value for the subsequent access control.
When accessing a file, the user must first interact from the client with the trust domain server over a channel encrypted by the SSL/TLS protocol. The trust domain server verifies the user certificate, obtains the user's user name from it, and computes the user name hash value. Only after the user has passed the trust domain server's user authentication and access permission checks can the user finally obtain the file block keys.
It should be pointed out that organizations or institutions with security requirements may already have deployed a public key infrastructure, so this is not an extra configuration requirement.
2. access control module
This module performs access control on files under the file owner's authorization. Its operations comprise: verifying the integrity of the access control block sent by the user (by computing the HMAC value of the access control block); verifying the user's identity (by checking the user's identity label and comparing the user name hash value in the request with the user name hash values saved in the access control list of the access control block); verifying the access rights the user requests (by querying the access control list for the operations the user is permitted); and decrypting the relevant keys in the access control block (using the trust domain encryption key ASEK to decrypt the access control block, and the trust domain signature key ASSK to compute its HMAC value).
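The access control module's checks can be followed in code. The example below is added here and is not the patent's implementation: the class and field names, the JSON layout of the access control block (ACB), the owner field and the SHAKE-256 XOR stand-in for encryption under ASEK are assumptions, and it verifies the HMAC before unwrapping the keys.

```python
import hashlib
import hmac
import json
import os


def user_hash(name: str) -> str:
    """ACL rows are keyed by the hash of the user name, not the name itself."""
    return hashlib.sha1(name.encode()).hexdigest()


def _xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in cipher (assumption, not AES-256): XOR with a SHAKE-256 keystream."""
    pad = hashlib.shake_256(key + nonce).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, pad))


class TrustDomainServer:
    def __init__(self):
        self._asek = os.urandom(32)  # trust domain encryption key ASEK
        self._assk = os.urandom(32)  # trust domain signature key ASSK

    def _mac(self, acb: dict) -> str:
        # HMAC-SHA1 over every field of the block except the HMAC field itself.
        body = {k: v for k, v in acb.items() if k != "hmac"}
        canon = json.dumps(body, sort_keys=True).encode()
        return hmac.new(self._assk, canon, hashlib.sha1).hexdigest()

    def _seal(self, fields: dict, lbk: bytes, fsk: bytes) -> dict:
        # Encrypt LBK and FSK under ASEK, then MAC the whole block under ASSK.
        nonce = os.urandom(16)
        acb = dict(fields, nonce=nonce.hex(),
                   wrapped_keys=_xor(self._asek, nonce, lbk + fsk).hex())
        acb["hmac"] = self._mac(acb)
        return acb

    def _open(self, acb: dict):
        # Constant-time comparison; reject the block before touching its keys.
        if not hmac.compare_digest(self._mac(acb), str(acb.get("hmac", ""))):
            raise ValueError("access control block failed the HMAC check")
        keys = _xor(self._asek, bytes.fromhex(acb["nonce"]),
                    bytes.fromhex(acb["wrapped_keys"]))
        return keys[:32], keys[32:]

    def create_acb(self, owner: str, filename: str, acl: dict) -> dict:
        """Steps 2.1 and 2.2: generate LBK and FSK and seal them into the block."""
        fields = {"owner": user_hash(owner), "filename": filename,
                  "cipher": "AES-256-CFB",
                  "acl": {user_hash(u): rights for u, rights in acl.items()}}
        return self._seal(fields, os.urandom(32), os.urandom(32))

    def authorize(self, user: str, acb: dict, op: str) -> dict:
        """Steps 3.2 and 4.2: readers receive LBK; writers receive LBK and FSK."""
        lbk, fsk = self._open(acb)
        rights = acb["acl"].get(user_hash(user), "---")
        if op not in ("r", "w") or op not in rights:
            raise PermissionError(f"{user} lacks '{op}' on {acb['filename']}")
        return {"LBK": lbk} if op == "r" else {"LBK": lbk, "FSK": fsk}

    def revoke(self, owner: str, acb: dict, users: list):
        """Step 5.2: drop ACL rows, issue LBK' and FSK', and re-seal the block."""
        old_lbk, _ = self._open(acb)
        if acb["owner"] != user_hash(owner):
            raise PermissionError("only the file owner may revoke users")
        gone = {user_hash(u) for u in users}
        fields = {k: v for k, v in acb.items()
                  if k not in ("hmac", "nonce", "wrapped_keys")}
        fields["acl"] = {h: r for h, r in acb["acl"].items() if h not in gone}
        new_lbk, new_fsk = os.urandom(32), os.urandom(32)
        return self._seal(fields, new_lbk, new_fsk), new_lbk, new_fsk, old_lbk


if __name__ == "__main__":
    srv = TrustDomainServer()
    # Constructed sample: two users on one file.
    acb = srv.create_acb("alice", "report.txt", {"alice": "rw-", "bob": "r--"})
    print(sorted(srv.authorize("alice", acb, "w")))  # ['FSK', 'LBK']
    acb["acl"][user_hash("bob")] = "rw-"             # client-side edit of the ACL
    try:
        srv.authorize("bob", acb, "w")
    except ValueError as err:
        print("rejected:", err)
```

Because the access control block is stored on the file server and handed back by the client, the HMAC under ASSK is the only thing that stops a client from editing its own ACL row.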
● client
The client mainly consists of the following modules:
1. data encryption and decryption module
This module undertakes most of the system's cryptographic operations related to encryption and decryption, including encrypting and decrypting file blocks with the file block keys. It is also responsible for handling communication between the client and the trust domain server.
2. data integrity verification module
This module provides operations such as verifying the integrity of file block content and updating file block content hash values.
3. cache module
The cache module provides caching to improve system performance. The cache is divided into two parts: a security metadata cache and a file data cache. The security metadata cache holds items such as the access control block and the keys used for access control; the file data cache holds file data. This module is also responsible for maintaining consistency between the cache and the actual data.
4. file system interface
This module provides the POSIX file system calls. The present invention implements most of the logic behind these interfaces. It handles the translation of paths under the FUSE mount point and the expansion of an access request's offset and length that results from verifying data content integrity in units of file blocks, and it supports reading and writing file holes.
● file server
1. storage module: stores the file ciphertext and the security metadata file. The security metadata file consists mainly of the access control block and some integrity information for the file. The content of the access control block, shown in Figure 6, mainly comprises the hash value of the file name, the access control list, the cryptographic algorithm and encryption mode, the lockbox key and the file signature key, and the HMAC value of the whole access control block. The access control list, shown in the table below, is a two-dimensional array. One column holds the hash values of user names, which guarantees the confidentiality and integrity of the user names. The other column holds the users' operating rights, where "r" means the user has read permission, "w" means the user has write permission and, for executable files, "x" means execute permission. In addition, the integrity information of the file is mainly the hash values of the file blocks.
User name (hash value) | Operating right |
---|---|
Hash (user name 1) | rw- |
Hash (user name 2) | r-- |
... | ... |
Hash (user name n) | r-- |
Performance test
The system of the present invention was tested at the Institute of High Performance Computing, Department of Computer Science and Technology, Tsinghua University. The tests use IOzone, a file system benchmark recognized by the industry, to measure the read and write performance of the present invention in single-machine and cluster environments, and also measure the performance of the present invention under permission revocation.
● Single-machine performance test
IOzone is used to test the performance of the file system of the present invention on top of the single-machine file system ext3. The experimental environment comprises one Sun SunFire™ V20z server with a 1.8 GHz AMD dual-core CPU and 4 GB of memory. The operating system running on this server is Debian Linux (version 2.6.30). The trust domain server and the client software run on this server at the same time. To eliminate the influence of the file system cache, the experiment sets the file size to 8 GB (twice the system memory size). In the test, the test file size is 8 GB and the file system access request size is 64 KB.
Because there is no network communication cost, the cryptographic computation accounts for most of the overhead. Running IOzone on the present invention with the AES-256 algorithm in CFB mode, and comparing the results with those of running IOzone directly on ext3, helps to understand the performance decline caused by cryptographic computation. The results are shown in Figure 7.
As the figure shows, compared with ext3 the present invention has an average performance decline of about 30%, caused by the overhead of cryptographic computation.
● Cluster performance test
To bring the test results close to the actual performance of the file system of the present invention in a network environment, IOzone is used to compare the performance of NFS with that of the present invention layered on NFS. The experimental environment is set up on a Dell PowerEdge™ M605 blade cluster with 7 nodes, comprising 1 trust domain server, 1 NFSv4 server and 5 client machines with the present invention installed, connected by 1000 Mbps Ethernet. The trust domain server and the NFS server each run on a machine with two 800 MHz AMD quad-core CPUs and 16 GB of memory; the clients of the present invention run on 5 client machines, each with two 800 MHz AMD quad-core CPUs and 8 GB of memory. The operating system on all of these machines is Fedora Core 10 Linux (version 2.6.32). The experiment uses 256-bit AES as the data encryption algorithm, SHA-1 as the cryptographic hash function, and HMAC based on SHA-1 as the MAC algorithm. To eliminate the influence of the file system cache and to test support for large files in practical applications, the file size is set to 16 GB (twice the system memory size).
It should be pointed out that, to be closer to practical use, the experiment chooses 64 KB as the default file block size and CFB as the encryption mode for AES-256, because its security is better and it is widely used in practice.
The experiment uses IOzone to measure the throughput of sequential write, sequential rewrite, sequential read and sequential re-read with 64 KB requests on a 16 GB file, for NFS and for the present invention layered on NFS. The results are shown in Figure 8; the results in the figure are the aggregate throughput measured on 5 nodes.
As the figure shows, the aggregate access speed of the present invention layered on NFS is extremely close to that of NFS itself. This shows that as the number of clients grows, the underlying storage becomes the bottleneck and the computational overhead introduced by the present invention is not very noticeable. The experimental results show that the present invention can be used well in a shared storage environment.
● Permission revocation
The test environment comprises one trust domain server and one client machine. Each machine is a Sun SunFire™ V20z server with a 1.8 GHz AMD dual-core CPU and 4 GB of memory, running Debian Linux (kernel version 2.6.30). The experiment first grants the r-- permission on a file of 1 GB to 1000 different users, then changes these users' permissions to rw-, and finally revokes these users' permissions. The time of each user's permission operation was measured on the access control tool of a client with the present invention installed, and these times were averaged, giving the results shown below.
Operation name | Time (ms) |
---|---|
Permission grant | 1.862739 |
Permission modification | 1.858765 |
Permission revocation | 21.744502 |
As can be seen, in the present invention the time overhead of permission operations for users of a large file is short, which shows good efficiency.
Claims (1)
1. A method for implementing a secure storage system in a cloud storage environment, characterized in that the method is implemented in a network composed of a trust domain server, clients and a file server, using the user-space file system framework FUSE on Linux, successively according to the following steps:
Step (1): initialization of the network,
Step (1.1): initialization of the trust domain server: a user authentication module and an access control module are set up, wherein the user authentication module adopts the SSL/TLS protocol and the public key infrastructure PKI, and the access control module performs access control on files under the file owner's authorization; a three-level key management mechanism is adopted in the system; the first-level key is the file block key: in order to handle large files safely and efficiently, this system encrypts files in units of blocks, called file blocks, each file block is encrypted with an independent symmetric key called the file block key, and the file block keys are encrypted and then stored in the security metadata file; the second-level key is the security metadata file key, which comprises a lockbox key LBK and a file signature key FSK, each file having its own security metadata file key, wherein the lockbox key LBK is used to encrypt all file block keys of the file and guarantees the confidentiality of the file block keys, and the file signature key FSK is the signature key a writing user uses after modifying file data and serves to distinguish read operations from write operations; the third-level key is the trust domain server key, which is two symmetric keys maintained by the trust domain server: one is called the trust domain server encryption key ASEK and is used to encrypt the lockbox key LBK and the file signature key FSK in the security metadata file corresponding to a data file, thereby performing access control and distinguishing read and write operations; the other is called the trust domain server signature key ASSK and is used to compute the hash-based message authentication code, that is, the HMAC value, of the access control block in the security metadata file, to guarantee the integrity of the access control block,
Step (1.2): the client is provided with a data encryption and decryption module, a data integrity verification module, a cache module and a file system interface,
Step (1.3): the file server is provided with a storage module;
Step (2): the user applies for and obtains a user identity label, with the following steps:
Step (2.1): over a channel encrypted by the Secure Sockets Layer protocol SSL and Transport Layer Security TLS, the user sends a user identity label request from the client to the user authentication module of the trust domain server,
Step (2.2): the user authentication module is based on the public key infrastructure; both the user's identity and the trust domain server's identity are authenticated through X.509 certificates issued by the public key infrastructure, and a new user of the system must first apply for a certificate from the registration authority before using the system;
Step (3): the file owner creates a file according to the following steps:
Step (3.1): the file owner sends a file creation request to the trust domain server: the file owner first creates the content of the access control block, which comprises the user's identity label, the file name, the specified cryptographic algorithm and mode, and the access control list, and sends the access control block to the access control module of the trust domain server, wherein the access control list comprises the hash value of each user name and that user's access rights,
Step (3.2): the trust domain server processes the file owner's file creation request: it uses the authentication module to authenticate the file owner's identity and judges his identity and authority, then generates a lockbox key LBK and a file signature key FSK for the file he asked to create;
Step (3.3): the trust domain server encrypts the lockbox key LBK and the file signature key FSK with the trust domain encryption key ASEK, uses the trust domain signature key ASSK to compute the HMAC value of the access control block and stores it in the HMAC field of the access control block, then returns the access control block to the file owner;
Step (3.4): the file owner creates the file and inputs data, then uses the secure hash algorithm SHA1 to compute hash values for the file block by block and saves the hash values in the security metadata file; the file block keys are then used to encrypt the file block by block, producing the file ciphertext; finally, the file ciphertext and the security metadata file are sent to the file server for storage;
Step (4): a reading user reads the file created in step (3) according to the following steps:
Step (4.1): read the file data ciphertext and the security metadata file from the file server,
Step (4.2): authenticate the reading user according to the following steps,
Step (4.2.1): the reading user sends his own identity label and the access control block from the security metadata file to the trust domain server,
Step (4.2.2): the trust domain server calls the authentication module to confirm the user's identity label; calls the access control module; uses the trust domain key ASEK to decrypt the access control block, obtaining information including the lockbox key LBK, the file signature key FSK and the ACL; uses the trust domain signature key ASSK to compute the HMAC value of the access control block in order to judge the integrity of the access control block; determines the reading user's read permission from the ACL; and then sends the lockbox key LBK to the reading user,
Step (4.3): after obtaining the lockbox key LBK, the reading user uses it to decrypt the file block key, then uses the file block key to decrypt the file data, finally obtaining the plaintext of the file data; the reading user uses the SHA1 algorithm to compute the hash value of the file block that holds the content to be read and checks whether it matches the hash value saved in the security metadata, thereby judging the integrity of the data read; if they are equal, the data is intact and the user reads the data; otherwise an error is reported to the system;
Step (5): a writing user writes or modifies the file data according to the following steps,
Step (5.1): the writing user first reads, from the file server, the ciphertext and the security metadata file of the file data to be modified,
Step (5.2): the writing user is authenticated according to the following steps,
Step (5.2.1): the writing user sends his own identity label and the access control block from the security metadata file to the trust domain server; the trust domain server calls the authentication module to confirm the user's identity label and calls the access control module, uses the trust domain key ASEK to decrypt the access control block, obtaining information including the lockbox key LBK, the file signature key FSK and the access control list, uses the trust domain signature key ASSK to recompute the HMAC value of the access control block and checks whether it equals the HMAC value in the access control block, thereby judging whether the access control block is intact, determines from the access control list the write permission the writing user holds, and then returns the lockbox key LBK and the file signature key FSK to the user,
Step (5.3): the writing user writes or modifies the file according to the following steps,
Step (5.3.1): the writing user uses the lockbox key LBK to obtain the file block key, then uses the file block key to decrypt the file data, obtaining the plaintext file information; the writing user uses the SHA1 algorithm to compute, in units of blocks, the hash value of the file block that holds the content to be modified and checks whether it matches the hash value saved in the security metadata, thereby judging the integrity of the data read,
Step (5.3.2): the file from step (5.3.1) is written or modified, the new file data is encrypted with the file block key, and it is signed with the file signature key FSK,
Step (5.3.3): the writing user sends the modified file data and the security metadata file to the file server for storage;
Step (6): the file owner performs the permission revocation operation according to the following steps:
Step (6.1): the file owner obtains the security metadata file from the file server, then sends his own identity label, the access control block from the security metadata file and the list of users to be revoked to the trust domain server,
Step (6.2): the trust domain server performs the following operations,
Step (6.2.1): the authentication module is called to authenticate the file owner's identity label and to determine that he has permission to revoke users,
Step (6.2.1): the access control module is called; it uses the trust domain key ASEK to decrypt the access control block, obtaining information including the access control list, the lockbox key LBK and the file signature key FSK, uses its own trust domain signature key ASSK to recompute the HMAC value of the access control block and judges that the access control block is intact, then deletes the access control list entries of the users to be revoked from the access control list of the access control block, and then generates a new lockbox key LBK' and a new file signature key FSK' for the file; the trust domain server then encrypts the newly generated lockbox key LBK' and the newly generated file signature key FSK' with the trust domain server encryption key ASEK, and uses the trust domain server signature key ASSK to compute the HMAC of the modified access control block,
Step (6.2.2): the trust domain server returns the new access control block, the new file signature key FSK', the new lockbox key LBK' and the old lockbox key LBK to the file owner,
Step (6.3): the file owner performs lazy revocation in the following manner: the old lockbox key LBK is used to decrypt all file block keys, these file block keys are encrypted with the new lockbox key LBK', and the re-encryption of each file block is deferred until a user updates that file block.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN 201010569398 CN102014133B (en) | 2010-11-26 | 2010-11-26 | Method for implementing safe storage system in cloud storage environment |
Publications (2)
Publication Number | Publication Date |
---|---|
CN102014133A (en) | 2011-04-13 |
CN102014133B (en) | 2013-08-21 |
Family
ID=43844144
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN 201010569398 Expired - Fee Related CN102014133B (en) | 2010-11-26 | 2010-11-26 | Method for implementing safe storage system in cloud storage environment |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN102014133B (en) |
Families Citing this family (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN104580487A (en) * | 2015-01-20 | 2015-04-29 | 成都信升斯科技有限公司 | Mass data storage system and processing method |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2007143057A2 (en) * | 2006-06-02 | 2007-12-13 | Microsoft Corporation | Logon and machine unlock integration |
CN101095133A (en) * | 2004-03-26 | 2007-12-26 | 微软公司 | Rights management inter-entity message policies and enforcement |
WO2008109661A2 (en) * | 2007-03-05 | 2008-09-12 | Vidoop, Llc. | Method and system for securely caching authentication elements |
Non-Patent Citations (2)
Title |
---|
LANXIANG CHEN et al.: "A Direction to Avoid Re-encryption in Cryptographic File Sharing", 《LECTURE NOTES IN COMPUTER SCIENCE, 2007》 * |
洪澄 et al.: "AB-ACCS: A Ciphertext Access Control Method for Cloud Storage", 《计算机研究与发展》 * |
Cited By (158)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102761521A (en) * | 2011-04-26 | 2012-10-31 | 上海格尔软件股份有限公司 | Cloud security storage and sharing service platform |
CN102761521B (en) * | 2011-04-26 | 2016-08-31 | 上海格尔软件股份有限公司 | Cloud security storage and sharing service platform |
CN102170452A (en) * | 2011-05-19 | 2011-08-31 | 浪潮电子信息产业股份有限公司 | Authorization and management method for cloud storage system |
CN102546740A (en) * | 2011-06-24 | 2012-07-04 | 奇智软件(北京)有限公司 | Method, device and system used for compression and uncompression and based on cloud compression file |
CN102546740B (en) * | 2011-06-24 | 2015-05-06 | 奇智软件(北京)有限公司 | Method, device and system used for compression and uncompression and based on cloud compression file |
CN102298619A (en) * | 2011-08-10 | 2011-12-28 | 中兴通讯股份有限公司 | Method for fast reading hole document by upper layer document system and system |
CN102438004A (en) * | 2011-09-05 | 2012-05-02 | 深圳创维数字技术股份有限公司 | Method and system for acquiring metadata information of media file and multimedia player |
CN102316164A (en) * | 2011-09-07 | 2012-01-11 | 深圳市硅格半导体有限公司 | Cloud storage user side equipment and data processing method thereof |
CN102307240A (en) * | 2011-09-20 | 2012-01-04 | 清华大学 | Method for sharing files on internet by utilizing computer equipment |
CN102299970A (en) * | 2011-09-27 | 2011-12-28 | 惠州紫旭科技有限公司 | Data black box subsystem based on cloud computing |
US11818251B2 (en) | 2011-10-31 | 2023-11-14 | Crowdstrike, Inc. | System and method for securely storing and sharing information |
US9973484B2 (en) | 2011-10-31 | 2018-05-15 | Reid Consulting Group, Inc. | System and method for securely storing and sharing information |
US10789373B2 (en) | 2011-10-31 | 2020-09-29 | Reid Consulting Group, Inc. | System and method for securely storing and sharing information |
US11290261B2 (en) | 2011-10-31 | 2022-03-29 | Reid Consulting Group, Inc. | System and method for securely storing and sharing information |
CN103262491A (en) * | 2011-11-09 | 2013-08-21 | 华为技术有限公司 | Method, device and system for protecting data security in cloud |
WO2012163043A1 (en) * | 2011-11-09 | 2012-12-06 | 华为技术有限公司 | Method, device and system for protecting data security in cloud |
US9203614B2 (en) | 2011-11-09 | 2015-12-01 | Huawei Technologies Co., Ltd. | Method, apparatus, and system for protecting cloud data security |
CN103139149A (en) * | 2011-11-25 | 2013-06-05 | 国民技术股份有限公司 | Method and system for accessing data in cloud storage |
CN102546181A (en) * | 2012-01-09 | 2012-07-04 | 西安电子科技大学 | Cloud storage encrypting and deciphering method based on secret key pool |
CN102546181B (en) * | 2012-01-09 | 2014-12-17 | 西安电子科技大学 | Cloud storage encrypting and deciphering method based on secret key pool |
CN103248479A (en) * | 2012-02-06 | 2013-08-14 | 中兴通讯股份有限公司 | Cloud storage safety system, data protection method and data sharing method |
CN102624708A (en) * | 2012-02-23 | 2012-08-01 | 浙江工商大学 | Efficient data encryption, updating and access control method for cloud storage |
CN103379144A (en) * | 2012-04-18 | 2013-10-30 | 爱国者电子科技有限公司 | Cloud storage mobile device and cloud storage method of cloud storage data |
CN103379144B (en) * | 2012-04-18 | 2018-02-09 | 爱国者安全科技(北京)有限公司 | The cloud storage method of cloud storage mobile device and cloud storage data |
CN102685148A (en) * | 2012-05-31 | 2012-09-19 | 清华大学 | Method for realizing secure network backup system under cloud storage environment |
CN102685148B (en) * | 2012-05-31 | 2014-10-15 | 清华大学 | Method for realizing secure network backup system under cloud storage environment |
CN103065082A (en) * | 2012-07-04 | 2013-04-24 | 北京京航计算通讯研究所 | Software security protection method based on Linux system |
CN103533006B (en) * | 2012-07-06 | 2019-09-24 | 中兴通讯股份有限公司 | A kind of joint cloud disk client, server, system and joint cloud disk service method |
CN103533006A (en) * | 2012-07-06 | 2014-01-22 | 中兴通讯股份有限公司 | United cloud disk client, server, system and united cloud disk service method |
CN102739689A (en) * | 2012-07-16 | 2012-10-17 | 四川师范大学 | File data transmission device and method used for cloud storage system |
CN102739689B (en) * | 2012-07-16 | 2015-05-13 | 四川师范大学 | File data transmission device and method used for cloud storage system |
CN103581001A (en) * | 2012-07-24 | 2014-02-12 | 深圳市中兴移动通信有限公司 | Gateway system with cloud storage and data interaction method applied to system |
CN103595696A (en) * | 2012-08-15 | 2014-02-19 | 中兴通讯股份有限公司 | Method and device for file ownership certification |
CN103595696B (en) * | 2012-08-15 | 2018-05-01 | 中兴通讯股份有限公司 | The method and device that a kind of File Ownership proves |
CN103685140A (en) * | 2012-08-31 | 2014-03-26 | 腾讯科技(深圳)有限公司 | Resource sharing method and system based on cloud storage |
CN103685140B (en) * | 2012-08-31 | 2018-05-22 | 腾讯科技(深圳)有限公司 | Resource share method and system based on cloud storage |
CN103684712A (en) * | 2012-09-14 | 2014-03-26 | 百度在线网络技术(北京)有限公司 | Method, device and network disc for quickly resuming file transmission |
CN103684712B (en) * | 2012-09-14 | 2017-04-05 | 百度在线网络技术(北京)有限公司 | Method, device and Dropbox that the fast quick-recovery of file is retransmitted |
CN103731395A (en) * | 2012-10-10 | 2014-04-16 | 中兴通讯股份有限公司 | Processing method and system for files |
CN103731395B (en) * | 2012-10-10 | 2017-11-14 | 中兴通讯股份有限公司 | The processing method and system of file |
CN103001772A (en) * | 2012-11-27 | 2013-03-27 | 江苏乐买到网络科技有限公司 | Security protection terminal for data |
CN102970299A (en) * | 2012-11-27 | 2013-03-13 | 西安电子科技大学 | File safe protection system and method thereof |
CN103024041A (en) * | 2012-12-13 | 2013-04-03 | 曙光云计算技术有限公司 | Data sharing method in cloud computing system |
CN103973646A (en) * | 2013-01-31 | 2014-08-06 | 中国电信股份有限公司 | Method, client device and system for storing services by aid of public cloud |
CN103973646B (en) * | 2013-01-31 | 2018-05-11 | 中国电信股份有限公司 | Use the method for public cloud storage service, client terminal device and system |
CN103595703A (en) * | 2013-03-08 | 2014-02-19 | 重庆城市管理职业学院 | Linux safety file transmission system based on OpenSSL and Linux safety file transmission method based on OpenSSL |
CN103248623A (en) * | 2013-04-18 | 2013-08-14 | 广东一一五科技有限公司 | On-line access control method and system of storage region |
CN103248623B (en) * | 2013-04-18 | 2017-02-08 | 广东一一五科技股份有限公司 | On-line access control method and system of storage region |
CN103312823A (en) * | 2013-07-09 | 2013-09-18 | 苏州市职业大学 | Cloud computing system |
CN103312823B (en) * | 2013-07-09 | 2016-08-10 | 苏州市职业大学 | A kind of cloud computing system |
CN103428299B (en) * | 2013-09-04 | 2016-06-01 | 安徽大学 | Cloud storage access control method |
CN103428299A (en) * | 2013-09-04 | 2013-12-04 | 安徽大学 | Cloud storage access control method |
CN103561021A (en) * | 2013-11-01 | 2014-02-05 | 全渝娟 | Method for realizing cloud storage system |
CN103561034B (en) * | 2013-11-11 | 2016-08-17 | 武汉理工大学 | A kind of secure file shared system |
CN103561034A (en) * | 2013-11-11 | 2014-02-05 | 武汉理工大学 | Secure file sharing system |
CN103581196A (en) * | 2013-11-13 | 2014-02-12 | 上海众人网络安全技术有限公司 | Distributed file transparent encryption method and transparent decryption method |
CN103581196B (en) * | 2013-11-13 | 2016-05-11 | 上海众人网络安全技术有限公司 | Distributed document transparent encryption method and transparent decryption method |
CN103595721B (en) * | 2013-11-14 | 2017-12-01 | 福建伊时代信息科技股份有限公司 | Network disk file secure sharing method, sharing means and shared system |
CN103595721A (en) * | 2013-11-14 | 2014-02-19 | 福建伊时代信息科技股份有限公司 | Safe sharing method, sharing device and sharing system for files of network disk |
CN103793663A (en) * | 2013-12-26 | 2014-05-14 | 北京奇虎科技有限公司 | Folder locking and unlocking methods and folder locking and unlocking devices |
CN103716404B (en) * | 2013-12-31 | 2017-02-01 | 华南理工大学 | Remote data integrity authentication data structure in cloud environment and implement method thereof |
CN103716404A (en) * | 2013-12-31 | 2014-04-09 | 华南理工大学 | Remote data integrity authentication data structure in cloud environment and implement method thereof |
CN103763319A (en) * | 2014-01-13 | 2014-04-30 | 华中科技大学 | Method for safely sharing mobile cloud storage light-level data |
CN106063185B (en) * | 2014-03-31 | 2019-12-03 | 英特尔公司 | Method and apparatus for safely shared data |
CN106063185A (en) * | 2014-03-31 | 2016-10-26 | 英特尔公司 | Methods and apparatus to securely share data |
WO2015149309A1 (en) * | 2014-04-02 | 2015-10-08 | 华为终端有限公司 | Data processing method and terminal |
CN104980401B (en) * | 2014-04-09 | 2018-05-01 | 北京亿赛通科技发展有限责任公司 | Nas server date safety storing system, secure storage and read method |
CN104980401A (en) * | 2014-04-09 | 2015-10-14 | 北京亿赛通科技发展有限责任公司 | Secure data storage system and secure data storage and reading method of NAS server |
CN104219627A (en) * | 2014-08-26 | 2014-12-17 | 北京乐富科技有限责任公司 | Method and device for transmitting positioning information |
CN104219627B (en) * | 2014-08-26 | 2018-07-27 | 北京乐富科技有限责任公司 | A kind of method and device sending location information |
CN104298934A (en) * | 2014-10-27 | 2015-01-21 | 浪潮(北京)电子信息产业有限公司 | File verification method, server and system in cloud calculation system |
CN104301442A (en) * | 2014-11-17 | 2015-01-21 | 浪潮电子信息产业股份有限公司 | Method for realizing client of access object storage cluster based on fuse |
CN104408381A (en) * | 2014-11-27 | 2015-03-11 | 大连理工大学 | Protection method of data integrity in cloud storage |
CN104408381B (en) * | 2014-11-27 | 2017-04-12 | 大连理工大学 | Protection method of data integrity in cloud storage |
CN104539602A (en) * | 2014-12-22 | 2015-04-22 | 北京航空航天大学 | Safe key managing method applied to cloud storage |
CN104539602B (en) * | 2014-12-22 | 2017-12-26 | 北京航空航天大学 | A kind of safety key managing method being applied in cloud storage |
CN105812436A (en) * | 2014-12-31 | 2016-07-27 | 中国移动通信集团公司 | Heterogeneous storage operation method and device |
CN104601563B (en) * | 2015-01-06 | 2017-09-15 | 南京信息工程大学 | The method of the sharable content object cloud storage data property held based on MLE |
CN104601563A (en) * | 2015-01-06 | 2015-05-06 | 南京信息工程大学 | MLE-based (message-locked encryption-based) publicly accessible cloud storage data procession checking method |
WO2016115663A1 (en) * | 2015-01-19 | 2016-07-28 | Nokia Technologies Oy | Method and apparatus for heterogeneous data storage management in cloud computing |
US10581856B2 (en) | 2015-01-19 | 2020-03-03 | Nokia Technologies Oy | Method and apparatus for heterogeneous data storage management in cloud computing |
CN104601579A (en) * | 2015-01-20 | 2015-05-06 | 成都市酷岳科技有限公司 | Computer system for ensuring information security and method thereof |
WO2016184221A1 (en) * | 2015-05-15 | 2016-11-24 | 中兴通讯股份有限公司 | Password management method, device and system |
CN105100248A (en) * | 2015-07-30 | 2015-11-25 | 国家电网公司 | Cloud storage security realization method based on data encryption and access control |
CN105141593A (en) * | 2015-08-10 | 2015-12-09 | 刘澄宇 | Private cloud platform secure computation method |
CN106469124A (en) * | 2015-08-20 | 2017-03-01 | 深圳市中兴微电子技术有限公司 | A kind of memory access control method and device |
WO2017036042A1 (en) * | 2015-08-31 | 2017-03-09 | 安一恒通(北京)科技有限公司 | Information collection method and apparatus |
CN105224880A (en) * | 2015-08-31 | 2016-01-06 | 安一恒通(北京)科技有限公司 | Information acquisition method and device |
CN105224880B (en) * | 2015-08-31 | 2019-06-18 | 安一恒通(北京)科技有限公司 | Information acquisition method and device |
CN105208017B (en) * | 2015-09-07 | 2019-01-04 | 四川神琥科技有限公司 | A kind of memorizer information acquisition methods |
CN105208017A (en) * | 2015-09-07 | 2015-12-30 | 四川神琥科技有限公司 | Memory information acquisition method |
CN105187204A (en) * | 2015-09-29 | 2015-12-23 | 北京元心科技有限公司 | Encryption method and decryption method for file, and encryption and decryption system |
CN105554127A (en) * | 2015-12-22 | 2016-05-04 | 内蒙古农业大学 | Private cloud backup mechanism of multilayer data security encryption method |
CN107015982A (en) * | 2016-01-27 | 2017-08-04 | 阿里巴巴集团控股有限公司 | A kind of method, device and the equipment of monitoring system file integrality |
CN113691560A (en) * | 2016-02-05 | 2021-11-23 | 安赛飞保安有限公司 | Data transfer method, method for controlling data use, and cryptographic apparatus |
CN113691560B (en) * | 2016-02-05 | 2023-08-25 | 安赛飞保安有限公司 | Data transmission method, method for controlling data use, and cryptographic device |
WO2017166527A1 (en) * | 2016-03-28 | 2017-10-05 | 乐视控股(北京)有限公司 | File signature system and method |
CN105868647A (en) * | 2016-03-28 | 2016-08-17 | 乐视控股(北京)有限公司 | File signing system and method |
WO2017210563A1 (en) * | 2016-06-02 | 2017-12-07 | Reid Consulting Group, Inc. | System and method for securely storing and sharing information |
CN106095954B (en) * | 2016-06-14 | 2019-05-24 | 上海棉联电子商务有限公司 | Data base management method for enterprise supply chain |
CN106095954A (en) * | 2016-06-14 | 2016-11-09 | 成都镜杰科技有限责任公司 | Data base management method for enterprise supply chain |
CN105989311B (en) * | 2016-07-04 | 2018-11-27 | 南京金佰达电子科技有限公司 | A kind of high security external storage method based on document level |
CN105989311A (en) * | 2016-07-04 | 2016-10-05 | 南京金佰达电子科技有限公司 | Document level-based high-safety external storage method |
CN106611128A (en) * | 2016-07-19 | 2017-05-03 | 四川用联信息技术有限公司 | Secondary encryption-based data validation and data recovery algorithm in cloud storage |
CN106330452A (en) * | 2016-08-13 | 2017-01-11 | 深圳市樊溪电子有限公司 | Security network attachment device and method for block chain |
CN106055993A (en) * | 2016-08-13 | 2016-10-26 | 深圳市樊溪电子有限公司 | Encryption storage system for block chains and method for applying encryption storage system |
WO2018032379A1 (en) * | 2016-08-13 | 2018-02-22 | 深圳市樊溪电子有限公司 | Untrusted remote transaction file secure storage system for block chain |
WO2018032374A1 (en) * | 2016-08-13 | 2018-02-22 | 深圳市樊溪电子有限公司 | Encrypted storage system for block chain and method using same |
WO2018032373A1 (en) * | 2016-08-13 | 2018-02-22 | 深圳市樊溪电子有限公司 | Security network attachment device and method for block chain |
CN106131048A (en) * | 2016-08-13 | 2016-11-16 | 深圳市樊溪电子有限公司 | A kind of non-trusted remote transaction file security for block chain stores system |
CN106131048B (en) * | 2016-08-13 | 2020-05-19 | 广州商品清算中心股份有限公司 | Non-trust remote transaction file safe storage system for block chain |
CN106407681A (en) * | 2016-09-19 | 2017-02-15 | 南京工业大学 | Storage and access method for personal health records in cloud system environment |
CN106407681B (en) * | 2016-09-19 | 2019-03-26 | 南京工业大学 | A kind of cloud system environment individual health record storage access method |
CN106411884A (en) * | 2016-09-29 | 2017-02-15 | 郑州云海信息技术有限公司 | Method and device for data storage and encryption |
CN108234436A (en) * | 2016-12-22 | 2018-06-29 | 航天信息股份有限公司 | A kind of encryption method and system based on the storage of OpenStack objects |
CN106790148A (en) * | 2016-12-28 | 2017-05-31 | 上海优刻得信息科技有限公司 | Prevent access, output checking method and device, the auditing system of leakage of data |
CN108259406A (en) * | 2016-12-28 | 2018-07-06 | 中国电信股份有限公司 | Examine the method and system of SSL certificate |
CN109214183A (en) * | 2017-07-03 | 2019-01-15 | 阿里巴巴集团控股有限公司 | The method, apparatus and equipment of software, storage medium and processor are extorted in killing |
CN107359990A (en) * | 2017-08-03 | 2017-11-17 | 北京奇艺世纪科技有限公司 | A kind of secret information processing method, apparatus and system |
CN107332858B (en) * | 2017-08-07 | 2020-08-28 | 深圳格隆汇信息科技有限公司 | Cloud data storage method |
CN107332858A (en) * | 2017-08-07 | 2017-11-07 | 成都汇智远景科技有限公司 | Cloud date storage method |
KR20190054763A (en) * | 2017-11-14 | 2019-05-22 | (주)피스페이스 | File leakage prevention based on security file system and commonly used file access interface |
KR102368208B1 (en) * | 2017-11-14 | 2022-02-28 | (주)피스페이스 | File leakage prevention based on security file system and commonly used file access interface |
CN108337220A (en) * | 2017-11-27 | 2018-07-27 | 中国电子科技集团公司电子科学研究院 | Data processing method, system and key server |
CN107920130A (en) * | 2017-12-07 | 2018-04-17 | 北京书生电子技术有限公司 | The method and apparatus of inside and outside network data synchronization |
CN109992987B (en) * | 2017-12-29 | 2021-04-27 | 港融科技有限公司 | Script file protection method and device based on Nginx and terminal equipment |
CN109992987A (en) * | 2017-12-29 | 2019-07-09 | 深圳市融汇通金科技有限公司 | Script file guard method, device and terminal device based on Nginx |
CN110298165A (en) * | 2018-03-22 | 2019-10-01 | 腾讯科技(深圳)有限公司 | Have secure access to method, apparatus and the authentication proxy of shared drive |
CN108499084A (en) * | 2018-04-09 | 2018-09-07 | 杨娟 | System for body-building or training |
CN112106323B (en) * | 2018-07-12 | 2024-03-22 | 塞克罗斯股份有限公司 | Method for storing and reading data on a storage device in an untrusted environment |
CN112106323A (en) * | 2018-07-12 | 2020-12-18 | 塞克罗斯股份有限公司 | Method for establishing a secure hierarchical reference system |
CN112513849A (en) * | 2018-07-31 | 2021-03-16 | 日本电信电话株式会社 | Information processing apparatus, authentication method, and authentication program |
CN109218415B (en) * | 2018-08-28 | 2021-06-29 | 浪潮电子信息产业股份有限公司 | Distributed node management method, node and storage medium |
CN109218415A (en) * | 2018-08-28 | 2019-01-15 | 浪潮电子信息产业股份有限公司 | Distributed node management method, node and storage medium |
CN109313678A (en) * | 2018-09-05 | 2019-02-05 | 福建联迪商用设备有限公司 | A kind of method and terminal for calling API |
CN109313678B (en) * | 2018-09-05 | 2021-11-09 | 福建联迪商用设备有限公司 | API calling method and terminal |
CN109448192A (en) * | 2018-11-13 | 2019-03-08 | 公安部第三研究所 | Safe and intelligent lock system based on encryption chip |
CN110166458A (en) * | 2019-05-23 | 2019-08-23 | 王怀尊 | A kind of three-level code key encryption system |
CN110166458B (en) * | 2019-05-23 | 2022-08-02 | 王怀尊 | Three-level key encryption method |
CN110378133B (en) * | 2019-06-28 | 2023-05-05 | 深圳市元征科技股份有限公司 | File protection method and device, electronic equipment and storage medium |
CN110378133A (en) * | 2019-06-28 | 2019-10-25 | 深圳市元征科技股份有限公司 | A kind of document protection method, device, electronic equipment and storage medium |
CN112214758A (en) * | 2019-07-09 | 2021-01-12 | 意法半导体(大西部)公司 | Apparatus and method for managing encrypted software applications |
CN110768782A (en) * | 2019-09-26 | 2020-02-07 | 如般量子科技有限公司 | Anti-quantum computation RFID authentication method and system based on asymmetric key pool and IBS |
CN110768782B (en) * | 2019-09-26 | 2022-11-15 | 如般量子科技有限公司 | Anti-quantum computation RFID authentication method and system based on asymmetric key pool and IBS |
CN111491023A (en) * | 2020-04-10 | 2020-08-04 | 西咸新区予果微码生物科技有限公司 | Microbial detection system based on CRISPR technology |
CN111339034B (en) * | 2020-05-18 | 2020-08-11 | 湖南天琛信息科技有限公司 | Ciphertext storage plaintext access system, ciphertext storage method and plaintext access method |
CN111339034A (en) * | 2020-05-18 | 2020-06-26 | 湖南天琛信息科技有限公司 | Ciphertext storage plaintext access system, ciphertext storage method and plaintext access method |
CN112016124A (en) * | 2020-09-07 | 2020-12-01 | 公安部第三研究所 | Method for realizing information query based on data object main body de-identification |
CN112016124B (en) * | 2020-09-07 | 2024-05-28 | 公安部第三研究所 | Method for implementing information inquiry based on de-identification of data object main body |
CN112862994A (en) * | 2021-02-07 | 2021-05-28 | 中国第一汽车股份有限公司 | ETC anti-disassembly authentication method, ETC, vehicle-mounted equipment terminal and system |
CN112948870A (en) * | 2021-04-13 | 2021-06-11 | 北京国联易安信息技术有限公司 | Electronic document security management method and management system based on big data |
CN113507448B (en) * | 2021-06-17 | 2022-05-17 | 中国汽车技术研究中心有限公司 | Security access service authentication method and system |
CN113507448A (en) * | 2021-06-17 | 2021-10-15 | 中国汽车技术研究中心有限公司 | Security access service authentication method and system |
CN114386098B (en) * | 2021-12-31 | 2024-05-03 | 江苏大道云隐科技有限公司 | Big data storage and traceability system |
CN114386098A (en) * | 2021-12-31 | 2022-04-22 | 江苏任务网络科技有限公司 | Big data storage and traceability system |
CN114567447B (en) * | 2022-04-26 | 2022-07-19 | 佳瑛科技有限公司 | Data sharing management method and device based on cloud server |
CN114567447A (en) * | 2022-04-26 | 2022-05-31 | 佳瑛科技有限公司 | Data sharing management method and device based on cloud server |
CN115580403A (en) * | 2022-12-09 | 2023-01-06 | 深圳市永达电子信息股份有限公司 | PKI-based computing node access control method |
Also Published As
Publication number | Publication date |
---|---|
CN102014133B (en) | 2013-08-21 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN102014133B (en) | Method for implementing safe storage system in cloud storage environment | |
TWI709314B (en) | Data processing method and device | |
CN109886040B (en) | Data processing method, data processing device, storage medium and processor | |
US9026805B2 (en) | Key management using trusted platform modules | |
US20100005318A1 (en) | Process for securing data in a storage unit | |
CN103780607B (en) | The method of the data de-duplication based on different rights | |
CN102685148A (en) | Method for realizing secure network backup system under cloud storage environment | |
CN102075544A (en) | Encryption system, encryption method and decryption method for local area network shared file | |
CN105100076A (en) | Cloud data security system based on USB Key | |
CN111010430B (en) | Cloud computing security data sharing method based on double-chain structure | |
CN106027503A (en) | Cloud storage data encryption method based on TPM | |
CN102025503B (en) | Data security implementation method in cluster environment and high-security cluster | |
CN104601579A (en) | Computer system for ensuring information security and method thereof | |
CN104468615A (en) | Data sharing based file access and permission change control method | |
KR20110018331A (en) | Secure data cache | |
CN104580487A (en) | Mass data storage system and processing method | |
CN104009987A (en) | Fine-grained cloud platform security access control method based on user identity capacity | |
US11604888B2 (en) | Digital storage and data transport system | |
CN103580855A (en) | Usbkey management plan based on sharing technology | |
CN103516523A (en) | Data encryption system structure based on cloud storage | |
CN103226670B (en) | A kind of document access control system based on access control model | |
CN115567312B (en) | Alliance chain data authority management system and method capable of meeting various scenes | |
CN112307508B (en) | Revocable data sharing system based on SGX, CP-ABE and block chain | |
CN117454440A (en) | Technology archive authentication method and intelligent management system based on traceable digital signature technology | |
CN104618419A (en) | Scheme based on content sharing policy in cloud | |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
C14 | Grant of patent or utility model | ||
GR01 | Patent grant | ||
CF01 | Termination of patent right due to non-payment of annual fee | Granted publication date: 20130821 |