CN102685148B - Method for realizing secure network backup system under cloud storage environment - Google Patents

Publication number
CN102685148B
Authority
CN
China
Prior art keywords
client
user
file
directory tree
server
Legal status
Expired - Fee Related
Application number
CN201210176807.1A
Other languages
Chinese (zh)
Other versions
CN102685148A (en
Inventor
舒继武
傅颖勋
Current Assignee
Tsinghua University
Original Assignee
Tsinghua University
Application filed by Tsinghua University
Priority to CN201210176807.1A
Publication of CN102685148A
Application granted
Publication of CN102685148B

Abstract

The invention relates to a method for realizing a secure network backup system under a cloud storage environment, belonging to the technical field of storage security. The method is characterized in that a system architecture is invented in a trust network of a network backup system under the cloud storage environment, a trust domain is established in a server according to a user requirement, and then identity authentication is performed by using a public key infrastructure (PKI), so that the non-deceptiveness and non-repudiation of a user are guaranteed; a Hash algorithm is used to calculate a Hash value of a file, a key and an advanced encryption standard (AES) algorithm are used for data encryption, and then the ciphertext of the file is uploaded to a file server in a cloud storage area, so that the confidentiality and the completeness of data are guaranteed; a synchronization manner based on a directory tree is used to increase the synchronization efficiency and the confidentiality of the system; a hierarchical key management manner is used to reduce the management burden of the system while guaranteeing data security; a version control function is provided to guarantee the continuity of the version of the file; and encryption key selection manners of many levels of granularity are provided to increase the flexibility of the system.

Description

Method for implementing a secure network disk system in a cloud storage environment
Technical field
The method for implementing a secure network disk system in a cloud storage environment belongs to the field of storage security, and in particular relates to secure access control, data synchronization, key distribution and management, and file management.
Background
With the rapid development of cloud computing, cloud storage has attracted wide attention and is gradually being adopted. A file owner can upload confidential files to cloud storage, where the cloud storage service provider manages them in a unified way; the network disk system is a typical application of cloud storage. Through a network disk system, a file owner can authorize other users to use their files, and users collaborate by sharing and synchronizing data.
Although a network disk system can conveniently support collaboration between users with cloud storage as the medium, without the protection of a security mechanism the private data that users leave in cloud storage is exposed to serious risk. For data security, the first element is confidentiality. If users store data in cloud storage in plaintext, the cloud storage service provider can access it at will; if the provider uses the data for illegitimate purposes, the user may suffer heavy losses and even unpredictable consequences. The second element is integrity. Data sent in plaintext over an insecure network may be tampered with in transit by unauthorized users, or the cloud storage service provider may deliberately delete information in the user data that is unfavourable to itself to serve its own illegitimate ends; the user therefore needs to be able to check that the data is really what they uploaded and has not been altered by anyone. The third element is availability, which ordinary cloud storage service providers can generally guarantee. In addition, secure permission control is a very important problem in a network disk system in a cloud storage environment, because sharing data is bound to undermine its confidentiality; how to build the security architecture under the new trust model is therefore critical.
In general, in a secure network disk system in a cloud storage environment, the data owner and authorized users are trusted: they will not maliciously leak or destroy data. The cloud storage service provider, the network and unauthorized users are untrusted: they may leak user data at any time, and the network and unauthorized users may even maliciously corrupt it. Out of concern for its reputation, however, the cloud storage service provider will not lightly take actions that users could detect and for which they could present strong evidence against it.
The purpose of a secure network disk system is to keep user data safe under this trust model. The general approach is as follows: the data owner first computes the hash value of the local file, then encrypts the file and the hash value locally, and only then stores the data and the hash value in cloud storage. Neither the cloud storage service provider nor a network eavesdropper can obtain the plaintext of the file, which guarantees confidentiality. After fetching the ciphertext of the file and of its hash value from the cloud storage service provider, the user decrypts them and recomputes the hash value of the decrypted file; if it matches the hash value previously stored in the cloud, the file is complete and has not been tampered with, which guarantees integrity. A user can pass their own file encryption key to an authorized user in order to control access rights in data sharing. But because transferring the file encryption key may well damage the confidentiality and integrity of the system itself, how access rights are controlled is the most important part of the architecture of a secure network disk system in a cloud storage environment.
Existing secure network disk systems in cloud storage environments fall broadly into two classes. In the first, control over access to the data is left entirely to the data owner: any other user who wants to access the data must first contact the owner and authenticate, and obtains the key and the access rights only after authentication. This appears quite secure but introduces new drawbacks: a sharing user cannot gain access until the owner of the shared data is online, which greatly reduces the efficiency of the system and also imposes extra overhead on the owner's system. In the second, sharing users keep the keys themselves; in addition, keys are handed on in a chain during data sharing, which also weakens data security to some extent.
The present invention implements a secure network disk system in a cloud storage environment that guarantees the confidentiality and integrity of user data, manages user permissions effectively when data is shared, and provides users with functions such as efficient data synchronization and version control. The system also scales well.
Summary of the invention
The object of the present invention is to provide a system architecture for a secure network disk system in a cloud storage environment such that, under the trust model of the secure network disk system, users can still guarantee the confidentiality and integrity of their data, including during sharing, safely and efficiently even though they have lost control of the system's physical resources, while functions such as data synchronization and version control are also provided.
The architecture of the present invention comprises the cloud storage service provider, the server, the client and the network. Their roles are as follows:
1) Cloud storage service provider: an ordinary cloud storage provider offers data access and related services through a set of APIs; in this system it stores all data and directory metadata.
2) Server: stores user information, including user operation logs and server-end directory trees; it also acts as a bridge, storing data uploaded by the client in cloud storage and fetching data from cloud storage to return to the client when the client needs it.
3) Client: the owner of the data, with absolute control over its own data, and the initiator of operations such as upload, download and access-right modification.
4) Network: the medium of data transmission, carrying users' access requests and file information.
The ideas behind the present invention are:
1) Use of an open-source cloud storage service platform:
The secure network disk system in this cloud storage environment uses the Swift project of OpenStack as its underlying cloud storage system. OpenStack is cloud operating software developed jointly by the US National Aeronautics and Space Administration and Rackspace and licensed under the Apache license. Swift is the storage sub-project of OpenStack: a multi-replica, scalable distributed object storage system that can scale to the PB level. In practice Swift is open source, highly reliable and easy to scale, and meets the reliability and availability requirements that the security design places on the underlying storage medium.
2) Protecting the confidentiality and integrity of data:
Before uploading data, the user first uses a hash algorithm, SHA1, locally to compute hash values over the file block by block, then encrypts the file block by block with their own file key and the AES algorithm, and then uploads the data ciphertext and the hash values to the cloud storage area for storage, which guarantees the confidentiality of user data held in cloud storage. When downloading a file, the user first downloads the data ciphertext and the hash values, decrypts them with the file key and recomputes the hash values over the decrypted data, and finally compares the two sets of hash values to verify the integrity of the data.
3) Hierarchical key management using the PKI system:
The system manages keys in three layers, because organizing keys hierarchically reduces overhead while preserving security and also lightens the administrator's burden. The key hierarchy is as follows:
i. File encryption key: the first layer of the key hierarchy. The file encryption key is either specified by the user or generated randomly; for a given user, all data files and hash values are encrypted with this key (or with a new key generated from it). Under the trust model of this kind of system, the user and authorized sharing users are trusted, while the server (cloud storage service provider), unauthorized users and the communication network are untrusted. Provided the file encryption key is not disclosed to any untrusted role, managing keys this way has the following benefits. First, there are few keys; the fewer the keys, the easier they are for the system to manage and the easier they are to protect. Second, a file encryption key grows by a certain ratio when it is written into directory metadata, so having fewer keys saves considerable space on the server.
ii. Directory metadata: the second layer of the key hierarchy. To record additional attributes of directories, directory metadata is set for each directory. It is stored in the cloud together with the data and controlled by the server end, and records each directory's type (whether it is shared), absolute path, owner, and access rights list (containing each authorized user's user name and the data owner's file key encrypted with that user's public key).
iii. User private key: the third layer of the key hierarchy, and the highest layer in hierarchical key management. The user uses their own private key to decrypt the file owner's encryption key from their own entry in the access control list in the directory metadata, then uses the decrypted key to decrypt the plaintext and hash value of the data, and then uses the hash value for an integrity check.
4) Version control for data files:
Historical versions of small files uploaded by the user are kept in cloud storage so that the user can roll back to an earlier version. The directory tree recorded at the server end contains version information records, used to manage and maintain all historical versions of a file.
5) Selectable data encryption modes:
The user can choose the encryption mode of each file: no encryption, encryption directly with the file key, or encryption with a key generated jointly from the file key and the directory name, among others, so the user's encryption granularity can be adjusted flexibly.
The invention is characterized in that the method is carried out in a personal-user-based shared secure cloud storage network jointly composed of client computers, a server and cloud storage servers, and is realized through the following steps in order:
Step (1), system initialization;
The client computer, hereinafter the client, is provided with a data encryption/decryption module, a data integrity verification module, a local monitoring module, a file sharing module and a protocol communication module;
The server end is provided with an authentication module, a storage control module, an access control module, a version control module and a directory metadata management module, wherein:
The directory metadata management module performs maintenance operations on directory metadata, including query and update. The directory metadata comprises: directory type, owner user name, absolute path, access control list, number of authorized users and key generation mode. The access control list comprises user names and the corresponding key ciphertexts; each key ciphertext is encrypted with the public key of the corresponding user, who can decrypt it with their own private key;
The cloud storage server, hereinafter the cloud storage end, is provided with a storage module and a data reliability module, wherein:
The storage module provides a set of storage interfaces for the server end to call, so that the information to be stored is saved at the cloud storage end in the form of objects;
The data reliability module creates, as required by the server end, a certain number of replicas of every file stored at the cloud storage end;
Step (2), build and initialize a cloud storage platform for the cloud storage end, as follows:
Step (2.1), on each cloud storage server computer running the (SuSE) Linux OS, install the multi-replica, scalable distributed cloud storage system Swift, designate one of the machines as the Proxy node, configure the Proxy service, create accounts, containers and objects, configure them in the form of rings, and start the Proxy service;
Step (2.2), configure each cloud storage server computer so that the rings are associated with one another;
Step (2.3), start the Swift system to provide the cloud storage service;
Step (3), the user initializes personal information, as follows:
Step (3.1), the client user registers a new user with the server by calling the server interface;
Step (3.2), after confirming the user name and password used for registration, the server end applies to the registration authority for an X509 certificate issued by the public key infrastructure;
Step (3.3), after the user has obtained the certificate applied for in step (3.2), the public key in it is saved at the server end;
Step (3.4), the server end saves the user's basic information, including the user name, the hash value of the password and the bound mailbox, in the users table of the database, creates this user's server-end directory tree, and saves it at the cloud storage end in the form of a file;
Step (4), the client uses directory tree comparison to generate an operation queue and performs synchronization over the client directory tree, the server-end directory tree and the disk directory tree, according to the following steps:
Step (4.1), the client sends a synchronization request to the server end;
Step (4.2), after verifying the current user's identity, the server end returns the user's recent operation list, comprising: the delete, move and rename operations that this user performed on directories or files on other machines during the interval between this user's two synchronizations on this machine; the delete, move and rename operations that other users performed on this user's shared directories; and the current user's server-end directory tree;
Step (4.3), the client executes the operation list returned by the server end item by item, completing the synchronization of the above three kinds of operations on files or directories;
Step (4.4), the client requests the shared keys from the server; after verifying the user's identity, the server returns to the client, according to the information in the access control lists, all file encryption keys for which this user is authorized;
Step (4.5), the client builds and initializes the directory trees, as follows:
Step (4.5.1), the client reads the locally saved client directory tree file and creates in memory this user's client directory tree and the client directory tree nodes that make it up:
The client directory tree is a binary tree structure whose format comprises root, nodes, nodesCount and maxNodesCount, wherein:
nodes records all nodes of the client directory tree as an array;
nodesCount records the total number of nodes in the client directory tree;
maxNodesCount is the maximum number of nodes the client directory tree may contain;
The format of a client directory tree node comprises nodeType, name, appendAttribute, lastModifyTime, lchild and rchild, wherein:
nodeType records whether the node in the client directory tree corresponds to a directory or a file;
name records the name of the directory or file in the client directory tree;
appendAttribute records, for a directory in the client directory tree, whether it is shared and, for a file, the version number of its latest version;
lchild records the index of this node's left child in the client directory tree;
rchild records the index of this node's right child in the client directory tree;
lastModifyTime records the latest modification time of this node as maintained by CorsBox, the secure network disk system in the cloud storage environment;
Step (4.5.2), the client creates this user's server-end directory tree in memory from the server-end directory tree returned in step (4.2), to record the real-time data state of the cloud storage server. Its structure is the same as that of the client directory tree, except that the nodes in the nodes array are server-end directory tree nodes, each comprising nodeType, name, appendAttribute, lchild and rchild, wherein:
nodeType records whether the node in the server-end directory tree corresponds to a directory or a file;
name records the name of the directory or file;
appendAttribute records, for a directory in the server-end directory tree, whether it is shared and, for a file, the version number of its latest version;
lchild records the index of this node's left child in the server-end directory tree;
rchild records the index of this node's right child in the server-end directory tree;
Step (4.5.3), at each synchronization the client scans the directories and subdirectories on disk that correspond to the client directory tree and creates in memory a disk directory tree recording the user's real-time data. Its structure is the same as that of the client directory tree, except that the nodes in the nodes array are disk directory tree nodes, each comprising nodeType, name, lastModifyTime, lchild and rchild, wherein:
nodeType records whether the node in the disk directory tree corresponds to a directory or a file;
name records the name of the directory or file in the disk directory tree;
lastModifyTime records the last modification time of this node on the client;
lchild records the index of this node's left child in the disk directory tree;
rchild records the index of this node's right child in the disk directory tree;
Step (4.6), the client compares the directory trees built in step (4.5) and generates the queue of pending operations, as follows:
Step (4.6.1), the client compares the client directory tree with the disk directory tree and saves the result in set A, which records the operations the user performed offline on this machine;
Step (4.6.2), the client compares the client directory tree with the server-end directory tree and saves the result in set B, which records the operations performed on other clients between this user's two synchronizations on this machine;
Step (4.6.3), the client compares the contents of set A and set B and generates the queue of operations to perform from the result;
Step (4.7), the operation queue generated in step (4.6) is executed item by item, completing the synchronization;
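The comparison in steps (4.5) to (4.6) can be sketched as follows. This is an added example, not code from the patent. It assumes that lchild points to a node's first child and rchild to its next sibling, that files are compared by lastModifyTime against the disk tree and by version number (appendAttribute) against the server-end tree, and that the operation names and the handling of paths changed on both sides are illustrative choices the text does not specify.

```python
from dataclasses import dataclass

DIR, FILE = "dir", "file"


@dataclass
class Node:
    nodeType: str             # DIR or FILE
    name: str
    appendAttribute: int = 0  # files: latest version number (client/server-end trees)
    lastModifyTime: int = 0   # client/disk trees
    lchild: int = -1          # assumed: index of first child, -1 = none
    rchild: int = -1          # assumed: index of next sibling, -1 = none


def build(entries):
    """Pack {path: (nodeType, version, mtime)} into a nodes array; nodes[0] is the root."""
    nodes = [Node(DIR, "")]
    index = {"": 0}
    for path in sorted(entries):           # a parent path always sorts before its children
        parent, name = path.rsplit("/", 1)
        kind, version, mtime = entries[path]
        nodes.append(Node(kind, name, version, mtime))
        index[path] = me = len(nodes) - 1
        sibling = nodes[index[parent]].lchild
        if sibling == -1:
            nodes[index[parent]].lchild = me
        else:
            while nodes[sibling].rchild != -1:
                sibling = nodes[sibling].rchild
            nodes[sibling].rchild = me
    return nodes


def flatten(nodes):
    """Walk the array-encoded binary tree and return {absolute path: Node}."""
    out, stack = {}, [(nodes[0].lchild, "")]
    while stack:
        idx, parent = stack.pop()
        while idx != -1:
            node = nodes[idx]
            path = parent + "/" + node.name
            out[path] = node
            if node.lchild != -1:
                stack.append((node.lchild, path))
            idx = node.rchild
    return out


def diff(base, other, stamp):
    """Changes turning `base` into `other` as {path: 'add' | 'delete' | 'modify'}."""
    changes = {p: "add" for p in other.keys() - base.keys()}
    changes.update({p: "delete" for p in base.keys() - other.keys()})
    for p in base.keys() & other.keys():
        if base[p].nodeType == FILE and stamp(base[p]) != stamp(other[p]):
            changes[p] = "modify"
    return changes


def plan(client_tree, disk_tree, server_tree):
    """Steps 4.6.1-4.6.3: build set A, set B, then the operation queue."""
    client, disk, server = flatten(client_tree), flatten(disk_tree), flatten(server_tree)
    set_a = diff(client, disk, lambda n: n.lastModifyTime)     # offline local operations
    set_b = diff(client, server, lambda n: n.appendAttribute)  # other clients' operations
    queue = []
    for path in sorted(set_a.keys() | set_b.keys()):
        a, b = set_a.get(path), set_b.get(path)
        if b is None:
            queue.append(("delete_remote" if a == "delete" else "upload", path))
        elif a is None:
            queue.append(("delete_local" if b == "delete" else "download", path))
        elif a == "delete" and b == "delete":
            continue                                  # gone on both sides
        elif a == "delete":
            queue.append(("download", path))          # assumed policy: an edit beats a delete
        elif b == "delete":
            queue.append(("upload", path))
        elif disk[path].nodeType == DIR and server[path].nodeType == DIR:
            continue                                  # same directory created on both sides
        else:
            queue.append(("conflict", path))          # assumed policy: leave to the user
    return queue


# Constructed sample state: (nodeType, version, mtime) per path.
CLIENT = build({"/docs": (DIR, 0, 0), "/docs/a.txt": (FILE, 1, 100),
                "/docs/b.txt": (FILE, 1, 100), "/docs/c.txt": (FILE, 2, 100),
                "/old.txt": (FILE, 1, 100), "/tmp.txt": (FILE, 1, 100)})
DISK = build({"/docs": (DIR, 0, 0), "/docs/a.txt": (FILE, 0, 150), "/docs/b.txt": (FILE, 0, 100),
              "/docs/c.txt": (FILE, 0, 170), "/new.txt": (FILE, 0, 160), "/tmp.txt": (FILE, 0, 100)})
SERVER = build({"/docs": (DIR, 0, 0), "/docs/a.txt": (FILE, 1, 0), "/docs/b.txt": (FILE, 2, 0),
                "/docs/c.txt": (FILE, 3, 0), "/old.txt": (FILE, 1, 0),
                "/shared": (DIR, 0, 0), "/shared/r.txt": (FILE, 1, 0)})

if __name__ == "__main__":
    for op in plan(CLIENT, DISK, SERVER):
        print(op)
```

The client directory tree acts as the common ancestor of the other two, which is what lets the client tell a local deletion apart from a remote addition without the server seeing file contents.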
Step (5), the client modifies access rights:
Step (5.1), the client shares a folder: the client first checks whether any ancestor or descendant directory of the folder to be shared is already shared. If so, it informs the user that this folder cannot be shared; otherwise it sends a sharing request to the server. On receiving the request, the server modifies the shared flag in the folder's directory metadata, creates a new operation log for the folder, deletes all historical versions under the folder, and finally returns a sharing-succeeded prompt to the client;
Step (5.2), the client adds or deletes a user's access rights: only the owner of the data can modify the access rights of their own shared folders. To add a right, the client sends an add-right request to the server; after verifying the user's identity, the server returns the public key of the user to be added to the client; the client encrypts the folder's encryption key with this public key and sends it to the server end; the server writes the key ciphertext into the directory metadata, adds a sharing record to the sharing table, and finally returns an add-right-succeeded prompt to the client;
To delete a right, after verifying the user's identity the server end deletes the user whose right is being revoked, together with the key ciphertext, from the directory metadata, deletes the corresponding record from the sharing table, and then returns a delete-right-succeeded prompt to the client;
Step (5.3), the client views shared content, through the following steps in order:
Step (5.3.1), the client sends the server a request to view the latest shares;
Step (5.3.2), on receiving the request, the server looks up the sharing table, returns to the client the names and owner IDs of the shared folders that the client has not yet chosen whether to accept, and marks these paths as processed in the sharing table;
Step (5.3.3), the client pops up a dialog box asking the user to act; if the user chooses to accept the share, go to step (5.3.4), otherwise return directly;
Step (5.3.4), the server end returns to the client the ciphertext of all files under the shared directory and the ACL entry for this user in the directory's metadata;
Step (5.3.5), the client uses its own private key to decrypt the folder's encryption key from the returned ACL entry;
Step (5.3.6), the client decrypts the plaintext of all files and then performs an integrity check using the hash value appended after the plaintext;
Step (5.4), the client cancels sharing:
Only the owner of a folder can cancel its sharing. After verifying the user's identity, the server deletes all sharing records for this folder from the sharing table, changes the shared flag in the folder's directory metadata to unshared, deletes all ACL entries, and then returns a modification-succeeded prompt to the client. After receiving the success prompt, the client modifies the shared state of this node in the client directory tree;
Step (6), file version control:
Step (6.1), when the client uploads a file, the server first checks its size. A small file has a version number appended to the end of its file name and is saved in the cloud; a file that is not small is saved in the cloud directly and, if it already exists, is overwritten;
Step (6.2), the client can roll a small file back to a historical version at any time: after verifying the user's identity, the server returns the list of file versions, and the user selects a suitable version to roll back to as needed;
Step (7), the user selects the encryption mode:
The client automatically generates a public folder under the working directory, and nothing saved under this folder is encrypted. In addition, the user can manually change the key generation method of a non-public folder on the client; however, once the key generation mode of a folder has been specified, no key generation rule may be specified for any of its ancestor or descendant directories. The key is generated from the user's encryption key and the name of the folder by a certain algorithm; if no rule is specified, the default is to encrypt the data directly with the user's file encryption key.
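One way to resolve which key protects a given path under the rules of step (7), as an added example that is not code from the patent. The patent only says the folder key is generated "by a certain algorithm"; HMAC-SHA256 over the folder name is an assumption made here, as are the `/public` path, the class name `KeyPolicy` and its methods.

```python
import hashlib
import hmac

PUBLIC_ROOT = "/public"   # step 7: content under this folder is stored unencrypted


def is_ancestor(a, b):
    """True if folder `a` is a proper ancestor of path `b`."""
    return b.startswith(a.rstrip("/") + "/")


class KeyPolicy:
    """Hypothetical holder of one user's key-generation rules."""

    def __init__(self, file_key):
        self.file_key = file_key      # the user's file encryption key
        self.derived = set()          # folders using the "file key + folder name" mode

    def set_derived(self, folder):
        """Give `folder` a derived key, enforcing the ancestor/descendant rule."""
        if folder == PUBLIC_ROOT or is_ancestor(PUBLIC_ROOT, folder):
            raise ValueError("the public folder is never encrypted")
        for other in self.derived:
            if is_ancestor(other, folder) or is_ancestor(folder, other):
                raise ValueError(f"{other} already has a key rule on this branch")
        self.derived.add(folder)

    def key_for(self, path):
        """Return the key protecting `path`, or None if it is stored in the clear."""
        if path == PUBLIC_ROOT or is_ancestor(PUBLIC_ROOT, path):
            return None
        for folder in self.derived:
            if path == folder or is_ancestor(folder, path):
                name = folder.rsplit("/", 1)[1]
                # Assumed derivation: HMAC-SHA256(file key, folder name) -> 32-byte key.
                # Two folders with the same name would derive the same key.
                return hmac.new(self.file_key, name.encode("utf-8"), hashlib.sha256).digest()
        return self.file_key          # default mode: use the file key directly


def demo():
    """Constructed key and paths, for illustration only."""
    policy = KeyPolicy(bytes(range(32)))
    policy.set_derived("/projects/alpha")
    try:
        policy.set_derived("/projects")    # ancestor of a folder that already has a rule
        rejected = False
    except ValueError:
        rejected = True
    return policy, rejected


if __name__ == "__main__":
    policy, rejected = demo()
    print(rejected, policy.key_for("/projects/alpha/report.doc").hex())
```

Because at most one folder on any branch carries a rule, every path resolves to exactly one key, and the key wrapped into a shared folder's ACL in step (5.2) can be the folder's derived key rather than the user's file key itself.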
The present invention was tested at the High Performance Computing research institute of the Department of Computer Science, Tsinghua University. The test results show that the secure network disk system in this cloud storage environment provides users with efficient data synchronization and file sharing while guaranteeing the confidentiality, integrity and access control of the data, and that its performance overhead is within a range acceptable to users.
Brief description of the drawings:
Fig. 1: system architecture diagram.
Fig. 2: schematic diagram of a user uploading a file.
Fig. 3: schematic diagram of a user downloading a file.
Fig. 4: schematic diagram of the data owner adding access rights.
Embodiment:
The specific embodiment of the present invention is as follows:
Step 1: system initialization.
The client computer, hereinafter the client, is provided with a data encryption/decryption module, a data integrity verification module, a local monitoring module, a file sharing module and a protocol communication module;
The server end is provided with an authentication module, a storage control module, an access control module, a version control module and a directory metadata management module, wherein:
The directory metadata management module performs maintenance operations on directory metadata, including query and update. The directory metadata comprises: directory type, owner user name, absolute path, access control list, number of authorized users and key generation mode. The access control list comprises user names and the corresponding key ciphertexts; each key ciphertext is encrypted with the public key of the corresponding user, who can decrypt it with their own private key;
The cloud storage server, hereinafter the cloud storage end, is provided with a storage module and a data reliability module, wherein:
The storage module provides a set of storage interfaces for the server end to call, so that the information to be stored is saved at the cloud storage end in the form of objects;
The data reliability module creates, as required by the server end, a certain number of replicas of every file stored at the cloud storage end;
Step 2: build and initialize a cloud storage platform for the cloud storage end.
Step (2.1): on each cloud storage machine running the (SuSE) Linux OS, install the multi-replica, scalable distributed cloud storage system Swift, designate one of the machines as the Proxy node, configure the Proxy service, create accounts, containers and objects, configure them in the form of rings, and start the Proxy service;
Step (2.2): configure each cloud storage server computer so that the rings are associated with one another;
Step (2.3): start the Swift system to provide the cloud storage service;
Step 3: the user initializes personal information:
Step 3.1: the user registers and obtains a user ID. The user ID is the user's unique identity in the system; the server determines the user's identity from it and judges the user's access rights. To identify the subjects in the system (including the server and users) safely and effectively, so that the system can establish mutual trust with the users who operate it, the system needs a secure user identity mechanism that is independent of the underlying storage system. This system uses a public key infrastructure (PKI, Public Key Infrastructure) and provides user IDs for the system through digital certificates. A digital certificate is an electronic document issued to a subject by an impartial, authoritative body; it records the subject name, certificate serial number, issuer name, validity period of the certificate, cryptographic algorithm identifier, public key information and other information, and is digitally signed by the issuer. The public key infrastructure is a platform or framework comprising hardware, software, people, policies and procedures, which uses public-key technology to provide functions for creating, managing, distributing, using, storing and revoking digital certificates. The certification authority (CA, Certificate Authority) and the registration authority (RA, Registration Authority) are important components of the public key infrastructure. The former is the core of the public key infrastructure: a trusted third party that issues digital certificates to users by binding a user's public key to the user's other information (including the user's identity), and that provides certificate query, revocation, life cycle management and key management. The latter mainly faces users and carries out some duties delegated by the certification authority. The public key infrastructure is a mature, widely used technical system with unified codes and standards and many fairly complete implementations. Using the public key infrastructure to provide user IDs for the system hands the work of maintaining the uniqueness and authenticity of user identities to this mature system, and lets system users verify the identity of other system subjects safely and efficiently without having to understand the complex management details, achieving mutual trust between users and thereby guaranteeing the authenticity, integrity, confidentiality and non-repudiation of user information;
Step 3.2: the server saves the user's basic information (including the user name, the hash value of the password, the bound mailbox, etc.) in the users table of the database;
step 3.3: client initial work catalogue, and under working directory, generate shares, public and tri-files of public/shares, the shared content (encryption) of other users of content under shares file wherein, the lower content of public folder is oneself not encrypt the file of uploading, the non-encrypted content that public/shares shares for other users;
step 3.4: the client directory tree that client is initial for active user generates, is then persisted to it in file, and indicates the position at this document place in configuration file;
step 3.5: this user's of server initialization server end directory tree, is then persisted to it in file, and this file is saved in cloud storage according to certain naming rule;
Step 4: The client performs the synchronization operation. The client uses a directory-tree-based synchronization method: it runs the synchronization to generate a list of pending operations, then carries them out one by one according to the pending operation type recorded in each element of the list:
● If the pending operation is a file upload, the user uploads the file in the following steps, as shown in Figure 2:
Step ①: The client computes the hash value of the file to be uploaded with a hash algorithm;
Step ②: The client encrypts the file and the hash value with the corresponding encryption key;
Step ③: The client splices the file ciphertext and the encrypted hash value into one file, then sends an upload request to the server;
Step ④: After authenticating the user, the server stores the data uploaded by the client in cloud storage as the latest version (for small files) and returns upload success to the client;
● If the pending operation is a file download, the user downloads the file in the following steps, as shown in Figure 3:
Step ①: The user sends the server a download request for a file;
Step ②: After authenticating the user, the server fetches the file from cloud storage and returns it to the client;
Step ③: The client decrypts the file returned by the server with the corresponding key, separates the data file and the hash value from the decrypted file, and saves the data file locally;
Step ④: The client computes the hash value of the data file and compares it with the downloaded hash value to check the integrity of the data;
● If the pending operation is client conflict handling, the file has been modified by several clients at the same time, and the client must perform conflict handling on it. The steps are as follows:
Step ①: The user renames the local file;
Step ②: The client calls the download interface to download the latest version of the file from the server;
Step ③: The client calls the upload interface to upload the renamed local file;
Step ④: The client can delete or rename the conflicting file as needed;
Step 5: The client modifies access rights. The client's access-rights operations fall into the following two classes:
● The user adds access rights: only the data owner can add access rights, in the following steps, as shown in Figure 4:
Step ①: The client obtains from the server the public key of the user to be authorized;
Step ②: The user may choose whether to verify the authenticity of the certificate with the certification authority;
Step ③: The client encrypts its own file key with this public key;
Step ④: The client uploads this file key to the server; after verifying the permission, the server writes it into the directory metadata of the shared directory and adds a share record to the sharing table;
● The user revokes access rights: only the data owner can revoke access rights. The steps are as follows:
Step ①: The client sends a revocation request to the server;
Step ②: After verifying the user's permission, the server deletes the ACL entry in the directory metadata of the shared directory and deletes the record in the sharing table.
Step 6: File version control:
Step (5.1): When the client uploads a file, the server first checks the size of the file. If it is a small file, the server appends a version number to the end of the file name and saves it in the cloud; if it is not a small file, the server saves it in the cloud directly (overwriting any existing copy);
Step (5.2): The client can roll back a small file to a historical version at any time. After authenticating the user, the server returns the file's version list, and the user can choose a suitable version to roll back to as needed;
Step 7: The user selects the encryption mode:
The client automatically generates a public folder under the working directory, and nothing stored in this folder is encrypted. In addition, the user can manually change, on the client, the key generation method of a (non-public) folder; however, once the key generation method of a folder has been specified, none of its ancestor or descendant directories can be given a key generation rule any more. A key is generated from the user's encryption key and the name of the folder by a certain algorithm; if no rule is specified, the data is by default encrypted directly with the user's file encryption key.
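The upload and download steps of step 4 together with the folder-key rule of step 7, as an added Go example that is not code from the patent. The AES-GCM mode, SHA-256, the HMAC-SHA256 key derivation, the blob layout and all function names are assumptions, since the text names only AES, "a hash algorithm" and "a certain algorithm".

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

var (
	ErrDecrypt   = errors.New("decryption failed: wrong key or modified ciphertext")
	ErrIntegrity = errors.New("integrity check failed: stored hash does not match data")
)

// folderKey derives a per-folder key from the user's encryption key and the
// folder name (step 7). HMAC-SHA256 is an assumption of this example.
func folderKey(userKey []byte, folder string) []byte {
	mac := hmac.New(sha256.New, userKey)
	mac.Write([]byte(folder))
	return mac.Sum(nil) // 32 bytes, used as an AES-256 key
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealWithHash encrypts data followed by hash.
// Assumed blob layout: nonce || AES-GCM(data || hash).
func sealWithHash(key, data, hash []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	plain := append(append([]byte{}, data...), hash...)
	return gcm.Seal(nonce, nonce, plain, nil), nil
}

// SealFile performs upload steps 1-3: hash, encrypt, splice into one blob.
func SealFile(key, data []byte) ([]byte, error) {
	sum := sha256.Sum256(data)
	return sealWithHash(key, data, sum[:])
}

// OpenFile performs download steps 3-4: decrypt, split off the hash, verify.
func OpenFile(key, blob []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(blob) < ns {
		return nil, ErrDecrypt
	}
	plain, err := gcm.Open(nil, blob[:ns], blob[ns:], nil)
	if err != nil {
		return nil, ErrDecrypt
	}
	if len(plain) < sha256.Size {
		return nil, ErrIntegrity
	}
	split := len(plain) - sha256.Size
	data, stored := plain[:split], plain[split:]
	sum := sha256.Sum256(data)
	if !hmac.Equal(sum[:], stored) { // constant-time comparison
		return nil, ErrIntegrity
	}
	return data, nil
}

func main() {
	userKey := make([]byte, 32) // constructed sample key (all zero), demo only
	key := folderKey(userKey, "photo")
	blob, err := SealFile(key, []byte("constructed sample file"))
	if err != nil {
		panic(err)
	}
	data, err := OpenFile(key, blob)
	fmt.Printf("%q %v\n", data, err)
	blob[len(blob)-1] ^= 1 // simulate corruption in cloud storage
	_, err = OpenFile(key, blob)
	fmt.Println(err)
}
```

With an authenticated mode, a blob modified in storage is already rejected at decryption; the embedded hash check fires only when a key holder stored a hash that does not match the data.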
As shown in Figure 1, the core of the invention's system architecture is a secure network disk system for the cloud storage environment. It is realized mainly by the following components and their corresponding modules:
● Cloud storage end
The cloud storage end mainly consists of the following modules:
1. Storage module
This module provides a set of storage interfaces. The server end calls these interfaces to store the information to be kept at the cloud storage end in the form of objects.
2. Data reliability module
This module creates N replicas of every file stored in the cloud (N is specified by the server end as needed), which guarantees the reliability of the data.
● Client
The client mainly consists of the following modules:
1. Data encryption and decryption module
This module carries out all cryptographic operations related to encryption and decryption, including encrypting and decrypting file blocks with file block keys and encrypting and decrypting file keys with public and private keys.
2. Data integrity verification module
This module provides operations such as checking the integrity of file block content and computing the hash value of file block content.
3. Local monitoring module
This module monitors the changes the user makes in the local working directory, including delete, move and rename operations.
4. File sharing module
This module provides all operations on users' shared folders, including requesting a folder, modifying access rights and cancelling sharing.
5. Protocol communication module
This is the largest module of the client. It contains all client operations that involve communication, mainly upload, download, conflict handling and registering a new user.
● Server
1. Authentication module
This module verifies whether a user's identity matches what was registered with the registration center, to prevent network attackers or other unauthorized persons from forging a user identity.
2. Storage control module
This module calls the cloud storage interfaces and saves the user's server-side directory tree, directory metadata and data files to the cloud.
3. Access control module
This module controls access to data according to user permissions. The client, however, does not rely on the server's access control: even if the server maliciously hands data to an unauthorized user, that user cannot read the plaintext.
4. Version control module
The server applies version control to the small files uploaded by users, allowing a user to roll a small file back to a historical version. This module contains all operations related to version control.
5. Directory metadata management module
This module maintains directory metadata, including operations such as query and update. The structure of directory metadata in memory is as follows:
The structure of the access control list (ACL) is as follows:

| User name | Key ciphertext |
| --- | --- |
| User name 1 | Key ciphertext |
| User name 2 | Key ciphertext |
| ... | Key ciphertext |
| User name n | Key ciphertext |

The key ciphertext for each user is encrypted with that user's public key, and the user can decrypt it with their own private key.
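Granting and revoking access through the ACL, as an added Go example that is not the patent's code. The metadata fields follow the directory metadata listed in claim 1; RSA-OAEP, the 2048-bit keys, binding each wrapped key to the directory path through the OAEP label, and all function names are assumptions.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

var (
	ErrNotOwner = errors.New("only the data owner may change access rights")
	ErrNoEntry  = errors.New("no ACL entry for this user")
)

// DirMeta holds the directory metadata fields listed in claim 1.
type DirMeta struct {
	DirType    string
	Owner      string
	AbsPath    string
	ACL        map[string][]byte // user name -> key ciphertext
	KeyGenMode string
}

// AuthorizedUsers is the "number of authorized users" field, derived from the ACL.
func (m *DirMeta) AuthorizedUsers() int { return len(m.ACL) }

// NewUserKey generates an RSA key pair standing in for a user's certificate key.
func NewUserKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// WrapKey runs on the owner's client: it encrypts the folder key with the
// authorized user's public key. Using the directory path as the OAEP label
// (an assumption) makes the ciphertext useless in any other directory's ACL.
func WrapKey(pub *rsa.PublicKey, folderKey []byte, absPath string) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, folderKey, []byte(absPath))
}

// Grant runs on the server, which stores the ciphertext without being able to read it.
func (m *DirMeta) Grant(requester, user string, wrapped []byte) error {
	if requester != m.Owner {
		return ErrNotOwner
	}
	if m.ACL == nil {
		m.ACL = map[string][]byte{}
	}
	m.ACL[user] = wrapped
	return nil
}

// Revoke runs on the server and deletes the user's ACL entry.
func (m *DirMeta) Revoke(requester, user string) error {
	if requester != m.Owner {
		return ErrNotOwner
	}
	if _, ok := m.ACL[user]; !ok {
		return ErrNoEntry
	}
	delete(m.ACL, user)
	return nil
}

// UnwrapKey runs on the authorized user's client with that user's private key.
func UnwrapKey(priv *rsa.PrivateKey, m *DirMeta, user string) ([]byte, error) {
	wrapped, ok := m.ACL[user]
	if !ok {
		return nil, ErrNoEntry
	}
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wrapped, []byte(m.AbsPath))
}

func main() {
	userB, err := NewUserKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample metadata and folder key.
	meta := &DirMeta{DirType: "shared", Owner: "userA", AbsPath: "/userA/photo"}
	folderKey := []byte("0123456789abcdef0123456789abcdef")
	wrapped, err := WrapKey(&userB.PublicKey, folderKey, meta.AbsPath)
	if err != nil {
		panic(err)
	}
	fmt.Println(meta.Grant("userA", "userB", wrapped), meta.AuthorizedUsers())
	key, err := UnwrapKey(userB, meta, "userB")
	fmt.Println(string(key) == string(folderKey), err)
	fmt.Println(meta.Revoke("userA", "userB"), meta.AuthorizedUsers())
}
```

Revoke removes only the wrapped copy held by the server; a user who has already unwrapped the folder key still holds it, so files written after revocation need a new key.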
System testing
The system was tested at the Institute of High Performance Computing, Department of Computer Science and Technology, Tsinghua University. The tests comprised functional tests and performance tests, which examined the security and the performance of the system respectively. The results show that the invention can guarantee the security of user data in a cloud storage shared trust system, while the performance overhead stays within an acceptable range.
● Functional test
We used ten servers to carry out functional tests of the system. Four servers were used to deploy the cloud storage end, three were used to deploy the server end, and the other three acted as clients, each connecting to the server and performing operations. The test content and test results are shown in the following table:
● Performance test
The hardware environment of the performance test was seven identically configured servers. Each server had an Intel(R) Xeon(R) X5472 quad-core CPU with a clock frequency of 3.0 GHz and 8 GB of memory, and the servers were connected by a gigabit LAN. Four of them served as cloud storage servers and three as CorsBox servers. The software environment was Ubuntu Linux with the 2.6.33 kernel, openstack-swift 1.3.0 and bcprov-jdk16-146.jar. The hardware environment of the client was an Intel(R) Core(TM) 2 dual-core CPU with a clock frequency of 2.40 GHz and 2 GB of memory; its software environment was the Windows 7 operating system.
1. Upload operation
As shown in Figure 2, the client uploads a file of 64M size to the server. The time consumed by each operation is as follows (in ms):

| Operation step | 16M file | 32M file | 64M file |
| --- | --- | --- | --- |
| Read the file locally | 91 | 123 | 1003 |
| Compute the file hash value | 0 | 1 | 1 |
| Encrypt the file and hash value | 965 | 1185 | 2266 |
| Upload to the server | 9055 | 15636 | 31255 |
| Server saves to the cloud | 2100 | 2663 | 3801 |
| Total time | 12211 | 19608 | 38326 |

Judging from the elapsed times, computing the hash value takes no more than 1 millisecond and is negligible. The cryptographic operations add a burden of about 45% to the disk overhead. However, all encryption and decryption of data takes place in the context of an upload or a download, and the client and the server are connected through an ordinary unreliable network, so cryptography adds only about 6% extra burden to the whole I/O process. This overhead is well within the range users can accept.
2. Download operation
As shown in Figure 3, the client downloads a file of 64M size from the server. The time consumed by each operation is as follows (in ms):

| Operation step | 16M file | 32M file | 64M file |
| --- | --- | --- | --- |
| Server reads the data from the cloud | 202 | 385 | 603 |
| Client downloads the data from the server | 3765 | 6422 | 10703 |
| Client decrypts the file | 1148 | 1285 | 2245 |
| Client performs the integrity check | 0 | 0 | 0 |
| Write to disk | 44 | 411 | 823 |
| Total time | 5159 | 8503 | 14374 |

In terms of extra cost, cryptography adds about 15% overhead to the whole I/O process. Downloading is clearly faster than uploading because we optimized the encoding, with the client trading memory space several times the size of the file for time efficiency.
3. Add permission operation
As shown in Figure 4, the client grants user B access to its shared directory photo. The time consumed by each operation is as follows (in ms):

| Operation step | Elapsed time (ms) |
| --- | --- |
| Client obtains user B's public key | 2496 |
| Client encrypts the file key with the public key | 450 |
| Client uploads the key to the server | 1386 |
| Server updates the directory metadata | 6 |
| Total time | 4338 |

4. Revoke permission operation
The client revokes user B's access rights to the directory photo. The time consumed by each operation is as follows (in ms):

| Operation step | Operation time (ms) |
| --- | --- |
| Request time | 654 |
| Server operation time | 1166 |
| Total time | 1712 |

This shows that the time overhead of modifying user access rights in the invention is small, so these operations are efficient.

Claims (1)

1. A method for implementing a secure network disk system in a cloud storage environment, characterized in that it is carried out, in the network of a secure network disk system in a cloud storage environment jointly formed by client computers, a server and cloud storage servers, in the following steps in order:
Step (1): system initialization;
The client computer, hereinafter the client, is provided with a data encryption and decryption module, a data integrity verification module, a local monitoring module, a file sharing module and a protocol communication module;
The server end is provided with an authentication module, a storage control module, an access control module, a version control module and a directory metadata management module, where:
The directory metadata management module performs maintenance operations on directory metadata, including query and update. The directory metadata comprises: directory type, owner user name, absolute path, access control list, number of authorized users and key generation mode, where the access control list comprises user names and the corresponding key ciphertexts; each key ciphertext is encrypted with the corresponding user's public key, and that user can decrypt it with their own private key;
The cloud storage server, hereinafter the cloud storage end, is provided with a storage module and a data reliability module, where:
The storage module provides a set of storage interfaces for the server end to call, so that the information to be kept is stored at the cloud storage end in the form of objects;
The data reliability module creates, according to the needs of the server end, a certain number of replicas of every file stored at the cloud storage end;
Step (2): build and initialize a cloud storage platform for the cloud storage end, as follows:
Step (2.1): on each cloud storage service computer running the Linux operating system, install the multi-replica, scalable distributed cloud storage system swift, designate one of the machines as the Proxy node, reconfigure the Proxy service, create accounts, containers and objects, configure them in the form of rings, and start the Proxy service;
Step (2.2): configure each cloud storage service computer so that the rings are associated with one another;
Step (2.3): start the swift system to provide the cloud storage service;
Step (3): the user initializes personal information, as follows:
Step (3.1): the client user registers a new user with the server by calling the server interface;
Step (3.2): after confirming the user name and password used for registration, the server end applies to the registration authority for an X509 certificate issued by the public key infrastructure;
Step (3.3): after the user has applied for the certificate of step (3.2), the public key in it is saved at the server end;
Step (3.4): the server end saves the basic information, including the user name, the hash of the password and the bound mailbox, in the users table in the database, creates this user's server-side directory tree, and saves it at the cloud storage end in the form of a file;
Step (4): the client uses a directory-tree comparison method to generate an operation queue that is used to carry out synchronization across the client directory tree, the server-side directory tree and the disk directory tree, in the following steps:
Step (4.1): the client sends a synchronization request to the server end;
Step (4.2): after verifying the current user's identity, the server end returns the user's recent operation list, which comprises: the delete, move and rename operations on directories or files that this user performed on other machines in the interval between two synchronizations on this machine; the delete, move and rename operations that other users performed on this user's shared directories; and the current user's server-side directory tree;
Step (4.3): the user executes the operation list returned by the server end item by item, completing the synchronization of the above three kinds of operations on files or directories;
Step (4.4): the client requests the shared keys from the server; after verifying the identity, the server returns to the client, according to the information in the access control lists, all file encryption keys for which this user has been authorized;
Step (4.5): the client builds and initializes the directory trees, as follows:
Step (4.5.1): the client reads the client directory tree file saved locally and creates in memory this user's client directory tree and the client directory tree nodes that make it up:
The client directory tree is a binary tree structure whose format comprises root, nodes, nodesCount and maxNodesCount, where:
nodes records all nodes of the client directory tree as an array;
nodesCount records the total number of nodes in the client directory tree;
maxNodesCount is the maximum number of nodes the client directory tree is allowed to contain;
The format of a client directory tree node comprises nodeType, name, appendAttribute, lastModifyTime, lchild and rchild, where:
nodeType records whether the node in the client directory tree corresponds to a directory or a file;
name records the name of the directory or file in the client directory tree;
appendAttribute records, for a directory in the client directory tree, whether it is shared, and for a file in the client directory tree, the version number of the latest version;
lchild records the index of this node's left child in the client directory tree;
rchild records the index of this node's right child in the client directory tree;
lastModifyTime records the latest modification time of this node as maintained by CorsBox, the secure network storage system in the cloud storage environment;
Step (4.5.2): the client creates in memory this user's server-side directory tree from the server-side directory tree described in step (4.2), to record the real-time data state of the cloud storage server. The structure of the client's server-side directory tree is the same as that of the client directory tree, except that the node type in the nodes array is the client server-side directory tree node, which comprises nodeType, name, appendAttribute, lchild and rchild, where:
nodeType records whether the node in the client's server-side directory tree corresponds to a directory or a file;
name records the name of the directory or file;
appendAttribute records, for a directory in the client's server-side directory tree, whether it is shared, and for a file in the server-side directory tree, the version number of the latest version;
lchild records the index of this node's left child in the client's server-side directory tree;
rchild records the index of this node's right child in the client's server-side directory tree;
Step (4.5.3): at each synchronization, the client scans the directory on disk that corresponds to the client directory tree, together with its subdirectories, and creates a disk directory tree in memory to record the user's real-time data. The structure of the user's disk directory tree is the same as that of the client directory tree, except that the node type in the nodes array is the disk directory tree node, which comprises nodeType, name, lastModifyTime, lchild and rchild, where:
nodeType records whether the node in the disk directory tree corresponds to a directory or a file;
name records the name of the directory or file in the disk directory tree;
lastModifyTime records the last modification time of this node on the client;
lchild records the index of this node's left child in the disk directory tree;
rchild records the index of this node's right child in the disk directory tree;
Step (4.6): the client compares the directory trees built in step (4.5) and generates the operation queue of pending operations, as follows:
Step (4.6.1): the client compares the client directory tree with the disk directory tree and saves the result in set A, which records the operations the user performed offline on this machine;
Step (4.6.2): the client compares the client directory tree with the server-side directory tree and saves the result in set B, which records the operations performed by other clients between this user's two synchronizations on this machine;
Step (4.6.3): the client compares the contents of set A and set B and generates the queue of operations to be performed according to the result;
Step (4.7): the operation queue generated in step (4.6) is executed item by item, completing the synchronization;
Step (5): the client modifies access rights:
Step (5.1): the client shares a folder: the client first checks whether any ancestor or descendant directory of the folder to be shared is already shared. If so, it tells the user that this folder cannot be shared; otherwise it sends a share request to the server. On receiving the request, the server modifies the shared flag in the directory's metadata, creates a new operation log for this folder, deletes all historical versions under this folder, and finally returns a share-success message to the client;
Step (5.2): the client adds or deletes a user's access rights: only the owner of the data can modify the access rights of their own shared folders. To add a permission, the client sends an add-permission request to the server; after verifying the user's identity, the server returns the public key of the user to be added to the client; the client encrypts the folder's encryption key with this public key and sends the result to the server end; the server writes this key ciphertext into the directory metadata, adds a share record to the sharing table, and finally returns an add-permission success message to the client;
To delete a permission, the server end verifies the user's identity, deletes the user whose permission is being revoked and that user's key ciphertext from the directory metadata, deletes the corresponding record in the sharing table, and then returns a delete-permission success message to the client;
Step (5.3): the client views shared content, in the following steps in order:
Step (5.3.1): the client sends a request to the server to view the latest shares;
Step (5.3.2): on receiving the request, the server looks up the sharing table, returns to the client the names and owner IDs of the shared folders that the client has not yet chosen whether to accept, and marks these paths as processed in the sharing table;
Step (5.3.3): the client pops up a dialog box asking the user to act; if the user chooses to accept the share, go to step (5.3.4), otherwise return directly;
Step (5.3.4): the server end returns to the client the ciphertexts of all files under the shared directory and this user's ACL entry in the directory's metadata;
Step (5.3.5): the client uses its own private key to decrypt the folder's encryption key from the returned ACL entry;
Step (5.3.6): the client decrypts the plaintext of all the files, then performs an integrity check against the hash value attached after the plaintext;
Step (5.4): the client cancels sharing:
Only the owner of a folder can cancel sharing. After verifying the user's identity, the server deletes all shares of this folder in the sharing table, changes the shared flag in the folder's directory metadata to unshared, deletes all ACL entries, and then returns a modification-success message to the client. On receiving the success message, the client updates the shared state of this node in the client directory tree;
Step (6): file version control:
Step (6.1): when the client uploads a file, the server first checks the size of the file. If it is a small file, the server appends a version number to the end of the file name and saves it in the cloud; if it is not a small file, the server saves it in the cloud directly, overwriting it if it already exists;
Step (6.2): the client can roll back a small file to a historical version at any time. After authenticating the user, the server returns the file's version list, and the user can choose a suitable version to roll back to as needed;
Step (7): the user selects the encryption mode:
The client automatically generates a public folder under the working directory, and nothing stored in this folder is encrypted. In addition, the user can manually change, on the client, the key generation method of a non-public folder; however, once the key generation method of a folder has been specified, none of its ancestor or descendant directories can be given a key generation rule any more. A key is generated from the user's encryption key and the name of the folder by a certain algorithm; if no rule is specified, the data is by default encrypted directly with the user's file encryption key.
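The tree comparison of steps (4.5) and (4.6), as an added Go example that is not the patent's code. Reading lchild as first child and rchild as next sibling, placing the root at index 0, the action names, and the validation of node indexes and names are assumptions of this example; the sample trees are constructed.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Node merges the three node formats of step (4.5) into one struct.
type Node struct {
	IsDir          bool
	Name           string
	Version, MTime int64 // appendAttribute (file version) and lastModifyTime
	LChild, RChild int   // assumed: first child and next sibling; -1 means none
}

type Tree []Node                      // nodes array; index 0 is taken as the root (assumed)
type Op struct{ Action, Path string } // queue entry; the action names are hypothetical

// flatten maps each path to its node; bad indexes, cycles and path-like names are rejected.
func (t Tree) flatten() (map[string]Node, error) {
	out, seen := map[string]Node{}, map[int]bool{}
	var walk func(i int, prefix string) error
	walk = func(i int, prefix string) error {
		for ; i != -1; i = t[i].RChild {
			if i < 0 || i >= len(t) || seen[i] {
				return fmt.Errorf("corrupt directory tree: bad node index %d", i)
			}
			n := t[i]
			if n.Name == "" || n.Name == "." || n.Name == ".." || strings.ContainsAny(n.Name, `/\`) {
				return fmt.Errorf("unsafe node name %q", n.Name)
			}
			seen[i], out[prefix+"/"+n.Name] = true, n
			if err := walk(n.LChild, prefix+"/"+n.Name); err != nil {
				return err
			}
		}
		return nil
	}
	return out, walk(0, "")
}

// diff lists the paths where cur differs from base, labelled put or del.
func diff(base, cur map[string]Node, differs func(b, c Node) bool, put, del string) map[string]string {
	d := map[string]string{}
	for p, c := range cur {
		if b, ok := base[p]; !ok || (!c.IsDir && differs(b, c)) {
			d[p] = put
		}
	}
	for p := range base {
		if _, ok := cur[p]; !ok {
			d[p] = del
		}
	}
	return d
}

// Plan builds set A (local changes), set B (remote changes) and the merged queue.
func Plan(client, server, disk Tree) ([]Op, error) {
	flat := make([]map[string]Node, 3)
	for i, t := range []Tree{client, server, disk} {
		var err error
		if flat[i], err = t.flatten(); err != nil {
			return nil, err
		}
	}
	setA := diff(flat[0], flat[2], func(b, c Node) bool { return b.MTime != c.MTime }, "upload", "delete-remote")
	setB := diff(flat[0], flat[1], func(b, c Node) bool { return b.Version != c.Version }, "download", "delete-local")
	ops := []Op{}
	for p, local := range setA {
		if remote, both := setB[p]; !both {
			ops = append(ops, Op{local, p})
		} else if local != "delete-remote" || remote != "delete-local" {
			ops = append(ops, Op{"conflict", p}) // changed on both sides
		}
	}
	for p, remote := range setB {
		if _, both := setA[p]; !both {
			ops = append(ops, Op{remote, p})
		}
	}
	sort.Slice(ops, func(i, j int) bool { return ops[i].Path < ops[j].Path })
	return ops, nil
}

func dir(name string, l, r int) Node            { return Node{true, name, 0, 0, l, r} }
func file(name string, v, mt int64, r int) Node { return Node{false, name, v, mt, -1, r} }

// sampleTrees returns constructed client (last sync), server and disk trees.
func sampleTrees() (client, server, disk Tree) {
	return Tree{dir("box", 1, -1), dir("docs", 2, 5), file("a.txt", 1, 100, 3),
			file("b.txt", 1, 100, 4), file("c.txt", 2, 100, -1), file("d.txt", 1, 100, -1)},
		Tree{dir("box", 1, -1), dir("docs", 2, 5), file("a.txt", 1, 0, 3),
			file("b.txt", 2, 0, 4), file("c.txt", 3, 0, -1), file("d.txt", 1, 0, -1)},
		Tree{dir("box", 1, -1), dir("docs", 2, 5), file("a.txt", 0, 150, 3),
			file("b.txt", 0, 100, 4), file("c.txt", 0, 160, -1), file("e.txt", 0, 170, -1)}
}

func main() { fmt.Println(Plan(sampleTrees())) }
```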
CN201210176807.1A 2012-05-31 2012-05-31 Method for realizing secure network backup system under cloud storage environment Expired - Fee Related CN102685148B (en)

Priority Applications (1)

| Application Number | Priority Date | Filing Date | Title |
| --- | --- | --- | --- |
| CN201210176807.1A, CN102685148B (en) | 2012-05-31 | 2012-05-31 | Method for realizing secure network backup system under cloud storage environment |

Applications Claiming Priority (1)

| Application Number | Priority Date | Filing Date | Title |
| --- | --- | --- | --- |
| CN201210176807.1A, CN102685148B (en) | 2012-05-31 | 2012-05-31 | Method for realizing secure network backup system under cloud storage environment |

Publications (2)

| Publication Number | Publication Date |
| --- | --- |
| CN102685148A, CN102685148A (en) | 2012-09-19 |
| CN102685148B, CN102685148B (en) | 2014-10-15 |

Family

ID=46816511

Family Applications (1)

| Application Number | Title | Priority Date | Filing Date |
| --- | --- | --- | --- |
| CN201210176807.1A, Expired - Fee Related, CN102685148B (en) | Method for realizing secure network backup system under cloud storage environment | 2012-05-31 | 2012-05-31 |

Country Status (1)

| Country | Link |
| --- | --- |
| CN (1) | CN102685148B (en) |
CN107070946A (en) * 2017-05-19 2017-08-18 济南浪潮高新科技投资发展有限公司 The cloud storage system realized based on openstack
CN107276749A (en) * 2017-06-02 2017-10-20 中山大学 One kind agency's weight Designated-Verifier label decryption method
CN107426223B (en) * 2017-08-01 2020-06-05 中国工商银行股份有限公司 Cloud document encryption and decryption method, cloud document encryption and decryption device and cloud document processing system
CN107395612A (en) * 2017-08-08 2017-11-24 四川长虹电器股份有限公司 Realize the System and method for of network disk data safety
CN107402727A (en) * 2017-08-08 2017-11-28 郑州云海信息技术有限公司 A kind of memory management method and device
CN107948235B (en) * 2017-09-01 2021-01-01 清华大学 JAR-based cloud data security management and audit device
CN107645415B (en) * 2017-09-27 2021-04-27 杭州迪普科技股份有限公司 Method and device for keeping data consistency between OpenStack server and equipment
CN107622380A (en) * 2017-09-29 2018-01-23 南京宏海科技有限公司 Based on cloud service interaction, the method for preserving document information, approaches to IM
CN107770276A (en) * 2017-10-26 2018-03-06 广州百兴网络科技有限公司 It is a kind of to realize that user data manages the network system and method with renewal independently
CN107613026A (en) * 2017-10-31 2018-01-19 四川仕虹腾飞信息技术有限公司 Distributed file management system based on cloud storage system
CN107612763B (en) * 2017-11-08 2020-10-02 浪潮通用软件有限公司 Metadata management method, application server, service system, medium and controller
CN107896213B (en) * 2017-11-16 2021-07-20 重庆顺利科技有限公司 Electronic prescription data storage method
CN108563396B (en) * 2017-12-11 2020-12-25 上海高顿教育科技有限公司 Safe cloud object storage method
CN109995821A (en) * 2017-12-29 2019-07-09 中移(苏州)软件技术有限公司 Method and system, the client, server, object storage system of file upload
CN108170820B (en) * 2018-01-02 2022-04-22 联想(北京)有限公司 Container processing method, control server and distributed cluster
CN108427712A (en) * 2018-01-31 2018-08-21 佛山市聚成知识产权服务有限公司 A kind of system for realizing big data safety
CN110311880B (en) * 2018-03-20 2021-08-06 中移(苏州)软件技术有限公司 File uploading method, device and system
CN108833339B (en) * 2018-04-25 2021-02-12 广东工业大学 Encrypted access control method under content-centric network
CN109948322B (en) * 2018-10-25 2023-03-21 贵州财经大学 Personal cloud storage data safe box device and method for localized encryption protection
CN109981634A (en) * 2019-03-20 2019-07-05 中共中央办公厅电子科技学院(北京电子科技学院) A kind of cloud storage system based on cryptographic technique
CN110069567A (en) * 2019-04-02 2019-07-30 北京信安世纪科技股份有限公司 Method of data synchronization and system between a kind of database
CN110166458B (en) * 2019-05-23 2022-08-02 王怀尊 Three-level key encryption method
CN110399425B (en) * 2019-07-07 2020-07-28 上海鸿翼软件技术股份有限公司 Intelligent network disk micro-service system
CN110399342A (en) * 2019-07-17 2019-11-01 中科恒运股份有限公司 A kind of base application solution about data share exchange
CN110609779B (en) * 2019-08-20 2022-04-19 腾讯科技(深圳)有限公司 Data processing method and device, electronic equipment and computer readable storage medium
CN110830561B (en) * 2019-10-25 2020-11-17 华中科技大学 Multi-user ORAM access system and method under asynchronous network environment
CN110807210B (en) * 2019-11-04 2022-07-15 北京联想协同科技有限公司 Information processing method, platform, system and computer storage medium
CN113132426A (en) * 2019-12-30 2021-07-16 同方威视科技江苏有限公司 Cloud platform file management system and method based on user permission
CN111245933A (en) * 2020-01-10 2020-06-05 上海德拓信息技术股份有限公司 Log-based object storage additional writing implementation method
CN111245832A (en) * 2020-01-13 2020-06-05 深圳云塔信息技术有限公司 Encryption system and method for interfacing with cloud storage platform
CN111680308B (en) * 2020-05-25 2023-07-18 数篷科技(深圳)有限公司 File sharing method, method for controlling shared file, device and terminal thereof
CN111880829A (en) * 2020-08-06 2020-11-03 武汉众邦银行股份有限公司 Distributed application file synchronization method based on Linux
CN112202808B (en) * 2020-10-14 2021-04-09 深圳市智安网络有限公司 Data security management system based on cloud computing
CN113472737B (en) * 2021-05-14 2023-05-02 阿里巴巴(中国)有限公司 Data processing method and device of edge equipment and electronic equipment
CN113536956B (en) * 2021-06-23 2023-06-27 华南理工大学 Method for detecting multimedia data tampering
CN113626859B (en) * 2021-07-26 2024-04-12 西安电子科技大学 Method, system, equipment and medium for supporting encryption protection of key escrow personal file
CN114143100B (en) * 2021-12-06 2022-06-14 粤港澳大湾区数字经济研究院(福田) Authorization control method, system, intelligent terminal and computer readable storage medium
CN114238867B (en) * 2022-02-28 2022-05-17 南开大学 Automatic switching access method for distributed multi-backup copyright content
CN116366283B (en) * 2023-02-07 2023-08-18 南京模砾半导体有限责任公司 File secure transmission method based on symmetric encryption
CN116527692B (en) * 2023-06-29 2023-11-10 广东维信智联科技有限公司 Contract file cloud synchronization method based on Internet
CN116610634B (en) * 2023-07-19 2023-09-26 南京中孚信息技术有限公司 File synchronization system and method for network disk terminal

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102014133A (en) * 2010-11-26 2011-04-13 清华大学 Method for implementing safe storage system in cloud storage environment
CN102075542A (en) * 2011-01-26 2011-05-25 中国科学院软件研究所 Cloud computing data security supporting platform

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8885832B2 (en) * 2007-03-30 2014-11-11 Ricoh Company, Ltd. Secure peer-to-peer distribution of an updatable keyring

Non-Patent Citations (4)

* Cited by examiner, † Cited by third party
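Title
"Design and Implementation of a Cloud-Storage-Based Synchronous Network Storage System"; Wen Shuangquan (文双全); China Excellent Master's Theses Full-text Database, Information Science and Technology series; 20100915 (No. 09); main text pp. 34-60 *
"Update-Log-Based Metadata Cache Synchronization Strategy in Cloud Storage Systems"; Wu Haijia (吴海佳) et al.; Telecommunications Science (《电信科学》); 20110915 (No. 9); pp. 32-36 *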

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104539602A (en) * 2014-12-22 2015-04-22 北京航空航天大学 Safe key managing method applied to cloud storage

Also Published As

Publication number Publication date
CN102685148A (en) 2012-09-19

Similar Documents

Publication Publication Date Title
CN102685148B (en) Method for realizing secure network backup system under cloud storage environment
US8997198B1 (en) Techniques for securing a centralized metadata distributed filesystem
CN102394894B (en) Network virtual disk file safety management method based on cloud computing
CN102821096B (en) Distributed storage system and file sharing method thereof
CN102014133B (en) Method for implementing safe storage system in cloud storage environment
CN103780607B (en) The method of the data de-duplication based on different rights
CN103609059A (en) Systems and methods for secure data sharing
Rajathi et al. A survey on secure storage in cloud computing
CN103516523A (en) Data encryption system structure based on cloud storage
Virvilis et al. A cloud provider-agnostic secure storage protocol
CN106326666A (en) Health record information management service system
Periasamy et al. Efficient hash function–based duplication detection algorithm for data Deduplication deduction and reduction
Geeta et al. Sdvadc: secure deduplication and virtual auditing of data in cloud
Sivashakthi et al. A survey on storage techniques in cloud computing
CN110555783A (en) block chain-based power marketing data protection method and system
CN108494552B (en) Cloud storage data deduplication method supporting efficient convergence key management
Paul et al. Data storage security issues in cloud computing
Uma et al. Enhanced convergent encryption key generation for secured data deduplication in cloud storage
Bharat et al. A Secured and Authorized Data Deduplication in Hybrid Cloud with Public Auditing
Ma et al. A secure and efficient data deduplication scheme with dynamic ownership management in cloud computing
Kavya et al. A survey on data auditing approaches to preserve privacy and data integrity in cloud computing
Dahshan Data security in cloud storage services
KR101895895B1 (en) Data deduplication method and system
Inamdar et al. Data Security in Hadoop Distributed File System
Thakur et al. Data integrity authentication techniques in cloud computing: a survey

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20141015