CN102065129A - Cloud storage data control method - Google Patents
Cloud storage data control method Download PDFInfo
- Publication number
- CN102065129A CN102065129A CN2010105662880A CN201010566288A CN102065129A CN 102065129 A CN102065129 A CN 102065129A CN 2010105662880 A CN2010105662880 A CN 2010105662880A CN 201010566288 A CN201010566288 A CN 201010566288A CN 102065129 A CN102065129 A CN 102065129A
- Authority
- CN
- China
- Prior art keywords
- data
- initial data
- cloud storage
- stored
- source
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
Images
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/62—Protecting access to data via a platform, e.g. using keys or access control rules
- G06F21/6218—Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
Landscapes
- Engineering & Computer Science (AREA)
- Theoretical Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Bioethics (AREA)
- General Health & Medical Sciences (AREA)
- Computer Hardware Design (AREA)
- Health & Medical Sciences (AREA)
- Software Systems (AREA)
- Physics & Mathematics (AREA)
- General Engineering & Computer Science (AREA)
- General Physics & Mathematics (AREA)
- Databases & Information Systems (AREA)
- Storage Device Security (AREA)
Abstract
The invention relates to a cloud storage data control method, belonging to the technical field of cloud storage data safety. The method comprises the following steps: converting original data to be stored into an inconvertible data block by a preset mode, forming the physical part of the original data, and storing the physical part in a cloud storage data center; and outputting necessary information for data restoration in the process of converting the original data into the physical part, taking the necessary information as the logic part of the original data, and storing the logic part of the original data for customer control. In the invention, the original data to be stored are converted into the physical part, the physical part is output to be restored into the logic part of the original data information, the physical part is stored in a cloud storage data center, and the logic part is for customer control, thereby controlling the physical part which physically occupies a larger space through controlling the logic part which physically occupies a smaller space, and realizing control of the possessed data.
Description
Technical field
The invention belongs to cloud storage data security technical field, particularly a kind of method of cloud storage Data Control.
Background technology
Data have been proved to be one of enterprise-essential assets, and the rapid growth of data makes enterprise face unprecedented challenge.Simultaneously, the cost pressure that fast changing world economic situation and keen competition bring makes enterprise have to consider as how reducing I T cost, the ever-increasing storage demand of reply enterprise.
Existing storage architecture can be divided into two kinds: a kind of is by the proprietary framework of a side, as DAS (direct attached storage, direct additional storage), SAN (Storage Area Network, storage area networks) and the network insertion storage server (Network access server, NAS) etc.This class storage system is monopolized use by a side, can offer user's better controlled power, better reliability and performance, but its autgmentability is relatively poor, is not suitable for large scale deployment; The user also is difficult to use the storage budget flexibly under this pattern, needs to drop into once to buy memory device, and along with the increase of memory capacity, cost control also will face the challenge.
Another kind is to share framework, i.e. cloud storage architecture in many ways.Difference according to its service category is divided into privately owned cloud (private cloud) and public cloud (public cloud).The architecture technology Network Based (internet and intranet) of cloud storage, for the user provides memory space and buys as required, leases and configuration service as required, this service is provided by third party department in third party or the enterprise usually and comprises memory device and special attendant.By this stores service, all departments can significantly reduce the demand and the corresponding management cost of its internal storage in enterprise or the enterprise, with rapid storage demand and the entreprise cost pressure that rises of balance.The above user who withdraws deposit storage can be individual, enterprise, even department in the enterprise or branch etc.
Yet no matter the cloud storage is which kind of operating mode (privately owned cloud and public cloud), and the data owner unavoidably entertains misgivings to the safety and the privacy of its data.And the risk of this data security and privacy be mainly derived from data are paid third party keeping after, it is to the forfeiture of all power control datas, promptly data can not need the data owner to authorize just can be accessed, copy, move, rewriting etc.
Existing cloud storage security solution is mostly at cloud storage data center; (be recorded in US 2008/0083036 Off-Premise Encryption of Data Storage as protecting by data encryption; in US 2008/0080718 Data Security in an Off-Premise Environment and the US 2008/0081613 Rights Management in a Cloud document); virtual and more perfect control of authority and authentication mechanism (being recorded in US 2008/0081613 Rights Management in a Cloud, in US2009/0228950 Self-Describing Authorization Policy for Accessing Cloud-based Resources and the US 2007/0039053 Security Server in the Cloud document).Said method has strengthened data owner's protecting data dynamics to a certain extent, but these methods fundamentally do not solve the control problem of data owner to its all data.Generally, because the user can't participate in the management of cloud stores service data center, in case after the user gave the preservation of cloud storage service provider with its data, the ownership of its data had just broken away from the scope of user's control.
With the public cloud is example, after the user is left data in cloud stores service data center end fully, its data probably are in the same place with his rival's deposit data, the data owner is uncontrollable because of data center administrator, the data leak that does not particularly have reasons such as power user's the mistake of access authority limitation or professional personal integrity to cause.
Though the control of data that has been encrypted in to a certain extent cryptographic key protection by the user; but it should be noted that; because of the unresolved key excessive problem that takes up room; the employed data encryption technology of existing cloud storage data protection still can't be used the cryptographic algorithm of " One-time pad "; therefore the data encryption technology of existing use in the cloud stores service in theory all can't prove irreversible; promptly under certain condition; as having enough computing capabilitys and time enough, its ciphertext of encrypting gained can be reduced into expressly or the part plaintext.The the 6th, 12 page of " applied cryptography learned agreement, algorithm and C source program " that the visible China Machine Press of particular content published on March 1st, 2003.
In other words, continuous progress along with decryption technology, the price of decryption hardware descends fast and performance constantly rises, be to guarantee the fully control of cloud storage user only to its all power control datas by encryption key, though the user holds encryption key in other words, still can't stop its data that are stored in cloud storage data center end illegally to be cracked and use with unauthorized.
In a word, existing cloud stores service scheme all can't avoid the user data being shifted out its control range (being mostly local) with when saving local memory space, keep its problem to the control of all data, however the latter's main misgivings of user when selecting the cloud stores service normally.
Summary of the invention
The object of the present invention is to provide the method for a kind of cloud storage Data Control, be intended to solve existing cloud memory technology and can't avoid user's data that it is all to shift out the problem that still keeps after its control range the control of its all data.
The invention provides a kind of method of cloud storage Data Control, this method comprises:
Initial data to be stored is converted to irreversible data block with preset mode, forms the physical piece of described initial data, and be stored in cloud storage data center;
Output is converted to described initial data and is used for the necessary information of reduction of data in the described physical piece process, as the logical gate of described initial data, the logical gate of described initial data is preserved and is controlled by the user.
The present invention is by being converted to physical piece with initial data to be stored, and the partial reduction of output physics becomes the logical gate of primary data information (pdi), physical piece is stored in cloud storage data center, logical gate is preserved and controlled by the user, thereby realize having controlled the physical piece of the bigger data that physically take up room, realized control having data by controlling the less logical gate that physically takes up room.
Description of drawings
Fig. 1 is that the cloud that the embodiment of the invention provides is stored the method flow diagram of Data Control;
Fig. 2 be the embodiment of the invention provide initial data to be stored is converted to the method flow diagram that data block forms the physical piece of initial data;
Fig. 3 is the principle schematic that source data is carried out order reorganization that the embodiment of the invention provides;
Fig. 4 is the method flow diagram that source data is recombinated at random that the embodiment of the invention provides;
Fig. 5 is the principle schematic that source data is recombinated at random that the embodiment of the invention provides;
Fig. 6 is the method flow diagram of the used key of generation One-time pad that provides of the embodiment of the invention;
Fig. 7 is the method schematic diagram that data are gathered that the embodiment of the invention provides.
Embodiment
In order to make purpose of the present invention, technical scheme and advantage clearer,, the present invention is further elaborated below in conjunction with drawings and Examples.Should be appreciated that specific embodiment described herein only in order to explanation the present invention, and be not used in qualification the present invention.
The present invention is by being converted into physical piece with initial data to be stored, and the partial reduction of output physics becomes the logical gate of primary data information (pdi), physical piece is stored in cloud storage data center, logical gate is preserved and controlled by the user, thereby realize having controlled the physical piece of the bigger data that physically take up room, realized control having data by controlling the less logical gate that physically takes up room.
Referring to Fig. 1, the embodiment of the invention provides a kind of method of cloud storage Data Control, and this method comprises the steps:
Step S101: initial data to be stored is converted to irreversible data block with preset mode, forms the physical piece of initial data;
Physical piece is the truly expressed of the occupied physical space of initial data, it is one group of data block, because of computer-readable storage medium can only be accepted 0,1 value, so show as a string 0,1 value, it is transformed through technological means by initial data usually and comes (as using method provided by the present invention), and how many computing capabilitys no matter the data after the conversion have with how long under the situation of the logical gate information of no initial data, all can't be reduced into initial data, so the physical piece of initial data is irreversible;
Step S102: output is converted to initial data and is used for the necessary information of reduction of data in the physical piece process, as the logical gate of initial data;
In the embodiment of the invention, the logical gate of initial data comprises that the physical piece of initial data is reduced into the information of initial data, be that initial data which data block is made of, the practical manifestation form of the physical piece of initial data and other information needed that is reduced into initial data, the shared physical space of this partial information is little, but the physical piece of initial data is reduced into the indispensable part of initial data; In addition, according to the needs of storage, the logical gate of initial data also comprises attribute, access rights and check value (as the MD5 value, the accuracy that data content is fetched in the checking) information of initial data;
Step S103: the physical piece of initial data is deposited in cloud storage data center;
In the embodiment of the invention, the quantity of the cloud stores service data center of the physical piece of storage initial data is unrestricted, can be one, also can be a plurality of; In addition, the embodiment of the invention can also be stored the result that data center returns according to cloud, the information that notification data is stored successfully or failed;
Step S104: the logical gate of initial data is preserved, and controlled by the user;
The logical gate of initial data is stored in the storage server in user's control range, as local certain server, also can be stored in the portable storage medium of user, can also be stored in the cloud storage data center or the server that are different from the physical piece of storing initial data.
In the embodiment of the invention, be stored in the cloud storage data center of appointment when selected certain initial data to be stored of user after, the backup filing strategy and the plan of setting data, this initial data is converted into logical gate and physical piece according to the backup filing strategy of setting with plan.
After initial data converts, the physical piece of initial data is reached an agreement on according to the cloud stores service visit of setting, and as authentication, the cloud storage data center that paying bill record etc. sends to appointment preserves, the logical gate of initial data is preserved, and controlled by the user.
Because under the prerequisite of the logical gate that does not have initial data, the physical piece of initial data can not be reduced into initial data, the physical piece of initial data is insignificant 0,1 character string under the prerequisite of the logical gate information that does not have initial data in other words, can't understand and use, thereby after separately preserving, realized having reached control to whole data by control to the logical gate of initial data.
Referring to Fig. 2, the embodiment of the invention provides a kind of initial data to be stored has been converted to the method that data block forms the physical piece of initial data, and this method comprises the steps:
Step S201: initial data to be stored is begun to be divided into several data blocks by predetermined length from data head, and go to heavy back to form source data;
Data go weight technology (data deduplication) in the industry cycle to be widely used, and repeat no more here;
Step S202: after each source data carried out content reorganization, form new data;
The invention process is being carried out the method that the content reorganization can adopt data content to recombinate in proper order, the also method that can adopt data content to recombinate at random to each source data;
Data content order recombination method comprises: by the permanent order queueing discipline that presets, gather the data that are in same position in each source data; The data of gathering are made up in order, form new data; For example, n m potential source data of the appointment that arranged in groups is good are vertically recombinated and are formed m n position new data, promptly finished the content of the source data after the grouping is carried out the order reorganization, as shown in Figure 3;
Data content recombination method at random comprises the steps, as shown in Figure 4:
Step S301: by the source data of the data recombination rule traversal new data correspondence to be formed that presets;
Step S302: by the data collecting rule that presets image data from source data;
Step S303: the data of gathering are made up in order, form new data;
The specific implementation method that data content is recombinated at random, referring to Fig. 5, suppose initial data through conversion, obtaining a string source data is source data 2-source data i, and all or part of source data of this initial data correspondence has been formed one group of source data to be recombinated with other source datas;
If the n in the setting designated groups f potential source data recombination is m g position new data, corresponding p the source data of each new data (1≤p≤n, p crosses conference influences performance, too small meeting influence fail safe), corresponding r the new data of each source data (1≤r≤m).In the process of structure new data, image data is u time from each source data, gets v position (1≤v≤f) at every turn;
Identifying i source data is sd
i, k new data is td
kHere m, n, p, r, i, k are natural numbers, and u, v are the integers more than or equal to 0, and p, u, v are true random numbers;
Its detailed construction process is as follows: at k new data (td of structure
k) time, at first travel through its corresponding p source data, from each source data, gather u time, gather the v bit data at every turn.The q time (Data Identification of 1≤q≤u) gather out is Ext from i source data for k new data
Iq k(s
Iq, e
Iq), s wherein
IqBe the initial slider position of the data acquisition that produces at random, e
IqBe the termination slider position of the data acquisition that produces at random, s
Iq, e
IqAll be natural number, and s
Iq≤ e
IqIf, s
Iq=e
Iq, the figure place that this secondary data collection is described so is 0, obviously v=e
Iq-s
Iq+ 1.It is exactly the new data of required structure that the data of gather are combined in order.Be expressed as:
td
k=(Ext
11 k(s
11,e
11),Ext
12 k(s
12,e
12),...,Ext
pu k(s
pu,e
pu))。
After simultaneously each data acquisition, generate the corresponding relation between source data and the new data synchronously.Suppose from sd
iIn gathered v bit data, i.e. Ext the q time
Iq k(s
Iq, e
Iq), be placed on td
kMiddle relevant position (is being placed on td with this image data
kIn just can calculate), the note sd
iThe corresponding td of the v bit data of gathering
kMiddle data bit is Rxt
Kq i(s
Kq, e
Kq), s wherein
KqFor this image data at td
kMiddle corresponding initial slider position, e
KqFor this image data at td
kMiddle corresponding termination slider position, s
Kq, e
KqAll be natural number, and s
Kq≤ e
KqIf, s
Kq=e
Kq, the figure place that this secondary data collection is described so is 0, further analyzes as can be known source data sd
iCan form by the specific data position sequential combination of reverse its corresponding new data of collection, promptly
sd
i=(Rxt
11 i(s
11,e
11),Rxt
12 i(s
12,e
12),...,Rxt
ru i(s
ru,e
ru))
In like manner, when making up k+1 new data, travel through the source data of this k+1 new data correspondence, gather according to the method described above, (data of being gathered can not repeat with the data of gathering before, and promptly data mustn't repeat to be gathered in the source data), the rest may be inferred, finish until all source data reorganization, and generate the corresponding relation of all new datas and all source datas and new data simultaneously.
In the said method, the new data after each source data and the reorganization can fixed length also can random length, and p, u, v can be variablees, they can be different during promptly each new data structure; Need to prove, p, u, provided the method for multiple generation true random number in the method that the v true random number generates, the 301st page of " applied cryptography learned agreement, algorithm and C source program " that China Machine Press published on March 1st, 2003, as the use random noise, clock uses a computer, cpu load, network packet arrives methods such as number of times, repeats no more here.Suppose with having generated three true random number R1 someway, R2, R3, so
p=R1?mod?n
u=R2?mod?w
v=R3?mod?f’
Wherein, mod is a modulo operation, and w is the maximum occurrences of the u of appointment, and f ' is remaining not by the image data figure place in the source data;
Step S203: with the One-time pad cryptographic algorithm new data is encrypted, obtained the physical piece of initial data.
After the embodiment of the invention was carried out the content reorganization to source data, " One-time pad " cryptographic algorithm that utilization can not crack was encrypted the data after recombinating, and has improved the fail safe of initial data more.
The embodiment of the invention is after above-mentioned steps S203, and the correspondence relationship information of correspondence relationship information, new data and key of also exporting and preserving new data and source data, source data and initial data simultaneously is to the logical gate of initial data.
Referring to Fig. 6, the embodiment of the invention provides the key generation method of One-time pad cryptographic algorithm, and its step is as follows:
Step S601: generate the true random number of predetermined length and the random seed of the predetermined length formed by true random number according to pre-setting method;
Step S602: random acquisition data repeatedly from random seed, with the data level of at every turn gathering be unified into be not less than length expressly true random number according to string;
Step S603: utilize true random number according to concatenating to become and expressly isometric truly random key.
When the length of random data string equals the length of plaintext surely, the truly random key that can select this true random number to be used to encrypt according to the string conduct; The length of random data string of taking seriously is during greater than expressly length, choose and expressly isometric serial data generation truly random key according to string according to the traversal of the original position at random true random number of string from true random number, if afterbody is not still chosen and expressly isometric serial data according to going here and there to true random number, then get back to true random number and continue to choose according to the string head, until choose with expressly isometric serial data till.
Below provide a kind of and generate the method that embodiment of the invention One-time pad is encrypted used random key, but protection scope of the present invention is not limited thereto realization.
In this realization, the truly random key of generation is a fixed length, promptly equals expressly length.
The following stated m, n, l, p are natural numbers, wherein, m is the length of random seed, and l is the length (equaling expressly length) of required generation random key, p is the data bits that has produced in the random key, and l-p is exactly that random key remains the not figure place of image data.
The random seed of the predetermined length that at first generates true random number 0,1 string of predetermined length m position and form by true random number, and its storage stored;
Secondly this random seed is done predetermined n time random data collection, if data acquisition is to the random train afterbody, then get back to this random seed head and continue data acquisition, the true random number that the data level of at every turn gathering is unified into predetermined length l position is according to string, i.e. truly random key (l equals length expressly).
Before each data acquisition, produce two true random numbers earlier, the back is to these two true random numbers deliverys respectively, obtains the initial slider position that the random data collection needs and the data length of required collection.
The initial slider position of each data acquisition and the data length of collection (can more than or equal to 0) all be at random.
Suppose before data acquisition, generated two true random number R1, R2 needs to produce two so now respectively less than random value T1, the T2 of m and l-p, so,
T1=R1?mod?m
T2=R2?mod(l-p)
Wherein, mod is a modulo operation.
Referring to Fig. 7, remember that k expressly corresponding truly random key is re
k(k is a natural number), re so
kEqual the sequential combination of the data of n random acquisition from the predetermined length random seed, the note data that the i time is gathered from random seed are (Cur
s, Cur
e)
i, Cur wherein
sBe the i time image data initial slider position, correspondingly Cur in random seed
eBe the termination slider position of the i time image data, Cur
sAnd Cur
eAll with the side-play amount sign from the random seed head, visible Cur
sAnd Cur
eAll be more than or equal to 0, smaller or equal to the integer of m, and Cur
eMore than or equal to Cur
s, work as Cur
eEqual Cur
sThe time, the figure place of data acquisition is 0.The data of gathering for the i time are Cur in the designated length random seed so
sTo Cur
eBetween data.Further, re
kCan be expressed as:
re
k=[(Cur
s,Cur
e)
1,(Cur
s,Cur
e)
2,....(Cur
s,Cur
e)
i,....(Cur
s,Cur
e)
n]
k。
Below only be a kind of implementation method, in addition, can also use the key generation method of given data times of collection random length random key, promptly n determines, l is uncertain; Indefinite data times of collection fixed length random key generation method, promptly n is indefinite, l determines; Indefinite data times of collection random length random key generation method, promptly n and l are indefinite; Random key is done after the pre-determined number computing method such as encrypting plaintext again to random key.
Promptly encrypt after generating above-mentioned truly random key, thereby can realize the purpose of data being encrypted with the method for " One-time pad " with the new data after its internal unit weight group.
Because traditional cloud storage data encryption method does not still have the precedent of application " One-time pad " cryptographic algorithm; so the data physical piece of the cloud that the conventional cryptography method is protected storage data center end in theory all is reversible to the reduction of source data; this technical scheme proposed by the invention can realize that then the data physical piece of its cloud of protecting storage data center end is irreversible to the reduction of source data, promptly can not crack.
In order further to illustrate feasibility of the present invention, now the shared physical space of the logical gate of initial data is analyzed as follows:
One, the shared physical space analysis of logical gate of initial data under the order recombination method
In this method, the logical gate information of initial data comprises the corresponding relation between the source data and new data in the content reorganization and the corresponding relation of (new data after the content reorganization) and random key expressly.
Suppose and need go data block after heavy to carry out the content reorganization and encrypt to several big or small 1MB, encryption function uses XOR (length that needs random key with expressly equate), and each random key generation needs the random acquisition data 100 times.
Because of the arrangement of source data in the order reorganization and new data is clocklike, thus the physical space that in fact corresponding relation between them takies can ignore, as long as the putting in order of the source data of noting and new data.
Below to encrypt back plaintext and the shared spatial analysis of random key corresponding relation with " One-time pad ":
Suppose the existing data that need the secret key encryption 1MB (also being the 8M position) of generation length 8M (=8,000,000) position.The size of employed random seed is 1Gbit, promptly 0,1 goes here and there at random for 1000,000,000, and the generation of setting each random key needs random acquisition data 100 times, i.e. n=100.
So, each vernier bit stealing physical space is not more than 4 bytes (Byte), so each data acquisition vernier is expressed and need be taken physical space and be not more than 8 bytes, gather so 100 times, be exactly 800 bytes, promptly be no more than 1024 bytes (=1KB).
So, every 1MB source data recombinate at random through data content and the conversion of One-time pad encryption method after, the physical space of the general 800B of needs is deposited the logical gate information of this source data, further calculating can get, and it is 1: 1250 than roughly that the logical gate information and the source data of this source data take physical space.Because of source data is that heavy getting gone in the initial data decomposition, so the relative physical space ratio that initial data logical gate information takies is littler.
Two, the data logical gate analysis that takes up room under the recombination method at random
With the order recombination method, the logical gate information of initial data comprises the corresponding relation and the corresponding relation of (new data after the content reorganization) and random key expressly between source data and the new data.
About to preserving the shared physical space analysis of corresponding relation between source data and the new data:
Corresponding to the reduction of each source data, correspondence relationship information mainly is between the source data of required preservation and the new data:
sd
i=(Rxt
11 i(s
11,e
11),Rxt
12 i(s
12,e
12),...,Rxt
ru i(s
ru,e
ru))
If the new data size after source data and the reorganization all is 1MB, promptly source data and new data are isometric, and can calculate vernier in each new data (is s
KqOr e
Kq, s wherein
KqFor this image data at td
kMiddle corresponding initial slider position, e
KqFor this image data at td
kIn corresponding termination slider position) physical space that takies is not more than 3B, so in the top corresponding relation each corresponding data at td
kThe physical space that initial sum termination vernier takies is not more than 6B.The generation of each new data need be gathered (when promptly generating new data to each corresponding Source Data Acquisition one secondary data) 100 times, that is to say so, and the new data that generates 1MB needs the physical space of 600B to deposit the corresponding relation of new data and source data.
At one-time pad disorderly under this encryption method, expressly the shared physical space of (new data after the content reorganization) and the corresponding relation of random key is as follows:
Suppose the existing data that need the secret key encryption 1MB (also being the 8M position) of generation length 8M (=8,000,000) position.The size of employed random seed is 1Gbit, promptly 0,1 goes here and there at random for 1000,000,000, and the generation of setting each random key needs random acquisition data 100 times, i.e. n=100.
So, each vernier bit stealing physical space is not more than 4 bytes (Byte), is not more than 8 bytes so each data acquisition vernier expression need take physical space, gather so 100 times, and be exactly 800 bytes.
So, every 1MB source data recombinate at random through data content and the conversion of One-time pad encryption method after, the physical space of the general 1400B of needs is deposited the logical gate information of this source data, further calculating can get, and it is 1: 730 than roughly that the logical gate information and the source data of this source data take physical space.Because of source data is that heavy getting gone in the initial data decomposition, so the relative physical space ratio that initial data logical gate information takies is littler.
It is pointed out that calculating that above two kinds of method data logical gates take physical space does not count used random seed and takies physical space (because it is disposable expense, by all be-encrypted data shared).Further as can be seen, encrypt by above content reorganization and One-time pad method, can realize purpose of design of the present invention, be about to data and do reasonable conversion and conversion, make it to be converted to the physical piece and the logical gate of initial data, wherein to take physical space bigger for physical piece, and it is less that logical gate takies physical space.
More than in two kinds of realizations, the physical piece of initial data under the prerequisite of the logical gate that does not have initial data, can't be reduced into initial data individually.
Because no matter how powerful computer is for the One-time pad cryptographic algorithm, all cannot crack, see " applied cryptography is learned agreement, algorithm and C source program " that China Machine Press publishes, the 6th, 12 page;
Secondly, even if cryptanalysis person is by attempting having obtained a suspicious plaintext many times, because of under One-time pad cryptographic algorithm system, all expressly all are etc. general, all keys all be at random and only use once, cryptanalysis person can't conclude which is correct plaintext, because before data encryption and transmission, all data contents were recombinated, so the what is called that is obtained " suspicious " expressly also can't correctly be understood.
In a word, by above method, the physical piece of initial data can't be reduced into initial data individually.
The data block that forms after the conversion to initial data, heavily handled through the past, content reorganization and encryption, more feasible physical piece to initial data is the original contents of restoring data individually under the prerequisite of the logical gate information that does not have initial data, and the shared space of the logical gate of initial data is very little, thereby realized that taking the less data logical gate of physical space by control controls whole data, and then by the logical gate and the physical piece of initial data are separately deposited, reach the user adopting the cloud stores service, kept control its all data to save the purpose while of local memory space.
The embodiment of the invention is after receiving outside access request to initial data, the initial data of at first obtaining and will visiting is corresponding, the physical piece of having preserved initial data is reduced into the logical gate of initial data, then according to predetermined cloud stores service visit agreement, as authentication, paying bill records etc. and the logical gate that is obtained are fetched the respective physical part from the cloud storage data center that storage will be visited the initial data physical piece, afterwards, the information of preserving according to the logical gate of the initial data of being obtained, the physical piece polymerization of described initial data of fetching is reduced into the initial data of visit, and the initial data after will reducing gives the external reference request, thereby realized the reduction of data retrieval.
The present invention is by being converted to data block with initial data to be stored, form the physical piece of initial data, the physical piece of output initial data is reduced into the logical gate of primary data information (pdi), the physical piece of initial data is under the situation of the logical gate of no initial data, can't be reduced into initial data, and then the physical piece of initial data is stored in cloud storage data center, the logical gate of initial data is preserved and controlled by the user, realized having controlled the physical piece of the bigger initial data that physically takes up room by controlling the less logical gate that physically takes up room, thereby realized the control of user to the data that had, when having guaranteed safety of user data and privacy, reached the purpose of saving amount of physical memory again.
The above only is preferred embodiment of the present invention, not in order to restriction the present invention, all any modifications of being done within the spirit and principles in the present invention, is equal to and replaces and improvement etc., all should be included within protection scope of the present invention.
Claims (9)
1. the method for cloud storage Data Control is characterized in that described method comprises:
Initial data to be stored is converted to irreversible data block with preset mode, forms the physical piece of described initial data, and be stored in cloud storage data center;
Output is converted to described initial data and is used for the necessary information of reduction of data in the described physical piece process, as the logical gate of described initial data, the logical gate of described initial data is preserved and is controlled by the user.
2. the method for cloud storage Data Control as claimed in claim 1 is characterized in that the physical piece of described initial data is a string computer-readable 0,1 value that does not possess described initial data feature; The physical piece of described initial data is irreversible.
3. the method for cloud storage Data Control as claimed in claim 1 is characterized in that the logical gate of described initial data comprises the attribute of described initial data, access rights and check value information.
4. the method for cloud storage Data Control as claimed in claim 1, it is characterized in that, the logical gate of described initial data is stored in the portable storage medium, perhaps is stored in home server, perhaps is stored in the server that is different from the physical piece of storing described initial data.
5. the method for cloud as claimed in claim 1 storage Data Control is characterized in that, described initial data to be stored is converted to irreversible data block with preset mode, and the step that forms the physical piece of described initial data specifically comprises:
Initial data to be stored is begun to be divided into several data blocks by predetermined length from data head, and go to heavy back to form source data;
Each source data is carried out the content reorganization, form new data;
With the One-time pad cryptographic algorithm each new data is encrypted, obtained the physical piece of described initial data.
6. the method for cloud as claimed in claim 5 storage Data Control is characterized in that, described each source data is carried out the content reorganization, and the step that forms new data specifically comprises:
By the permanent order queueing discipline that presets, gather the data that are in same position in each source data;
The data of described collection are made up in order, form new data.
7. the method for cloud as claimed in claim 5 storage Data Control is characterized in that, described each source data is carried out the content reorganization, and the step that forms new data specifically comprises:
Source data by the data recombination rule traversal new data correspondence to be formed that presets;
By the data collecting rule that presets image data from described source data;
The data of described collection are made up in order, form new data.
8. the method for cloud storage Data Control as claimed in claim 5 is characterized in that, described step of each new data being encrypted with the One-time pad cryptographic algorithm specifically comprises:
Generate and store the true random number of predetermined length and the random seed of the predetermined length formed by described true random number according to pre-setting method;
Random acquisition data repeatedly from described random seed, with the data level of at every turn gathering be unified into be not less than length expressly true random number according to string;
, generate and expressly isometric truly random key according to string according to described true random number;
With described truly random key each new data is encrypted.
9. the method for cloud storage Data Control as claimed in claim 8 is characterized in that the step that the described truly random key of described usefulness is encrypted each new data also comprises:
Output is also preserved the logical gate of the correspondence relationship information of described new data and source data, described source data and described initial data, described new data and truly random key to described initial data.
Priority Applications (3)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN2010105662880A CN102065129A (en) | 2010-11-29 | 2010-11-29 | Cloud storage data control method |
| PCT/CN2010/079332 WO2012071720A1 (en) | 2010-11-29 | 2010-12-01 | Method for controlling cloud storage data |
| US12/999,273 US8595512B2 (en) | 2010-11-29 | 2010-12-01 | Data control method of cloud storage |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN2010105662880A CN102065129A (en) | 2010-11-29 | 2010-11-29 | Cloud storage data control method |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN102065129A true CN102065129A (en) | 2011-05-18 |
Family
ID=44000228
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN2010105662880A Pending CN102065129A (en) | 2010-11-29 | 2010-11-29 | Cloud storage data control method |
Country Status (2)
| Country | Link |
|---|---|
| CN (1) | CN102065129A (en) |
| WO (1) | WO2012071720A1 (en) |
Cited By (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN102611711A (en) * | 2012-04-09 | 2012-07-25 | 中山爱科数字科技股份有限公司 | Cloud data safe storing method |
Citations (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20080080718A1 (en) * | 2006-09-29 | 2008-04-03 | Microsoft Corporation | Data security in an off-premise environment |
-
2010
- 2010-11-29 CN CN2010105662880A patent/CN102065129A/en active Pending
- 2010-12-01 WO PCT/CN2010/079332 patent/WO2012071720A1/en active Application Filing
Patent Citations (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20080080718A1 (en) * | 2006-09-29 | 2008-04-03 | Microsoft Corporation | Data security in an off-premise environment |
Non-Patent Citations (1)
| Title |
|---|
| BRUCE SCHNEIER: "《应用密码学-协议、算法与C源程序》", 31 May 2000, 机械工业出版社 * |
Cited By (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN102611711A (en) * | 2012-04-09 | 2012-07-25 | 中山爱科数字科技股份有限公司 | Cloud data safe storing method |
Also Published As
| Publication number | Publication date |
|---|---|
| WO2012071720A1 (en) | 2012-06-07 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN102006300B (en) | Method, device and system for encrypting cloud storage data | |
| CN109033855B (en) | Data transmission method and device based on block chain and storage medium | |
| Goodrich et al. | Privacy-preserving group data access via stateless oblivious RAM simulation | |
| CN101917403B (en) | Distributed key management method for ciphertext storage | |
| US8595512B2 (en) | Data control method of cloud storage | |
| CN107959567A (en) | Date storage method, data capture method, apparatus and system | |
| US20120136960A1 (en) | Cloud Storage Data Access Method, Apparatus and System | |
| CN102138300A (en) | Message authentication code pre-computation with applications to secure memory | |
| CN101986663A (en) | OTP-based cloud storage data storing method, device and system | |
| JP2008250369A (en) | Management method of secrete data file, management system and proxy server therefor | |
| CN103095452A (en) | Random encryption method needing to adopt exhaustion method for deciphering | |
| CN107995299A (en) | The blind storage method of anti-access module leakage under a kind of cloud environment | |
| CN108400970A (en) | Set of metadata of similar data message locking encryption De-weight method, cloud storage system in cloud environment | |
| CN102063587A (en) | Cloud storage data storage and retrieval method, device and system | |
| CN104967591A (en) | Cloud storage data read-write method and device, and read-write control method and device | |
| Huang et al. | Outsourced private information retrieval | |
| CN103973698B (en) | User access right revoking method in cloud storage environment | |
| US20080098217A1 (en) | Method for efficient and secure data migration between data processing systems | |
| JP6401875B2 (en) | Data processing system | |
| US20120136836A1 (en) | Cloud Storage Data Storing and Retrieving Method, Apparatus and System | |
| CN107786580A (en) | Paillier encryption methods based on cloud computing platform | |
| AU2019383298A1 (en) | Blockchain secured by backward chained elements | |
| CN102065129A (en) | Cloud storage data control method | |
| CN114629652A (en) | Key management system based on physical uncloneable function and operation method thereof | |
| CN106055987A (en) | Data storage method, data reading method and device |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| C06 | Publication | ||
| PB01 | Publication | ||
| C10 | Entry into substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| C02 | Deemed withdrawal of patent application after publication (patent law 2001) | ||
| WD01 | Invention patent application deemed withdrawn after publication |
Application publication date: 20110518 |