CN103138939B - Based on the key access times management method of credible platform module under cloud memory module - Google Patents

Based on the key access times management method of credible platform module under cloud memory module Download PDF

Info

Publication number
CN103138939B
CN103138939B CN201310104307.1A CN201310104307A CN103138939B CN 103138939 B CN103138939 B CN 103138939B CN 201310104307 A CN201310104307 A CN 201310104307A CN 103138939 B CN103138939 B CN 103138939B
Authority
CN
China
Prior art keywords
key
data
dek
module
data encryption
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201310104307.1A
Other languages
Chinese (zh)
Other versions
CN103138939A (en
Inventor
王丽娜
任正伟
邓入弋
彭瑞卿
张�浩
余荣威
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Wuhan University WHU
Original Assignee
Wuhan University WHU
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Wuhan University WHU filed Critical Wuhan University WHU
Priority to CN201310104307.1A priority Critical patent/CN103138939B/en
Publication of CN103138939A publication Critical patent/CN103138939A/en
Application granted granted Critical
Publication of CN103138939B publication Critical patent/CN103138939B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Landscapes

  • Storage Device Security (AREA)

Abstract

Based on the key access times management method of credible platform module under a kind of cloud memory module, data owner Owner end arranges credible platform module TPMo, key management finger daemon module KMD and encrypting module DE, and data consumer User end arranges credible platform module TPMu, VIRTUAL COUNTER administration module VCM and key management module KM; Data owner Owner uploads to the server of cloud service provider CSP after being encrypted data; Data consumer User end manages key access times, comprise key management module KM and receive access request, first search key whether to exist, if do not exist, initiate key application to data owner Owner, and completed the transmission of key by key migration agreement; Key management module KM loads data encryption key DEK, destroys key when key access times exceedes the access times N that data owner Owner specifies.

Description

Based on the key access times management method of credible platform module under cloud memory module
Technical field
The present invention relates to computer information safety technique field, relate generally to the key management based on credible platform module, utilize credible platform module to realize safe storage and the use of key under cloud memory module, the confidentiality of data under protection cloud memory module.
Background technology
As the important component part of cloud computing, cloud storage is absorbed in provides online storage service based on the Internet to user.Under cloud memory module, store and namely serve, user is without the need to considering the ins and outs that the availability, reliability etc. of the storage class of physical equipment, storage mode and data are concrete, but can as required from cloud service provider (Cloud Service Provider, CSP) place obtains corresponding service, accesses the data of oneself whenever and wherever possible.Cloud stored energy brings opportunity in raising IT efficiency, cost savings and green calculating etc., is also faced with some security challenges simultaneously.
Under cloud memory module, Data Hosting is stored in third party CSP place, and departed from the control range that data owner Owner holds, its fail safe highly depends on CSP.Considering that CSP is insincere, is the confidentiality of protected data, and data owner Owner holds and first to clear data encryption, then encrypt data can be stored in CSP place, and key is then by Owner oneself keeping.Now, key safe storage and to use be exactly the key point of protected data confidentiality.First, key should be all safe storage at data owner Owner end and data consumer User end, prevents the confidentiality causing data because of the leakage of key to be destroyed.Secondly, key should be restricted in the use that User holds, namely should control User to the use of key, prevent because User may cause security strategy to be destroyed to the unrestricted use of key or the leakage of data.
Summary of the invention
The invention provides the key access times management method based on credible platform module under a kind of cloud memory module; with the confidentiality of the safe storage and data that effectively ensure key, control and management authorized user to the use of key, prevent user from the unprotect of key, unrestrictedly use are destroyed to the confidentiality of data.
Technical scheme of the present invention is the key access times management method based on credible platform module under a kind of cloud memory module, arrange credible platform module TPMo, key management finger daemon module KMD and encrypting module DE at data owner Owner end, data consumer User end arranges credible platform module TPMu, VIRTUAL COUNTER administration module VCM and key management module KM; Data owner Owner is encrypted data, and uploads in the server of cloud service provider CSP by the encrypt data after encryption;
Data consumer User end manages key access times, and implementation comprises the following steps,
Step 1, after key management module KM receives the data access request messages of application program, first searches data encryption key corresponding to this encrypt data in local file system dEKwhether exist, if do not exist, then go to step 2; Exist and then go to step 3;
Step 2, key management module KM initiates key application to data owner Owner, and completes data encryption key by key migration agreement dEKtransmission, obtain data encryption key dEK; Then, key management module KM and VIRTUAL COUNTER administration module VCM is this data encryption key alternately dEKgenerate the VIRTUAL COUNTER V_counter of a record key access times, the value of this V_counter of initialization vCbe 0; And perform key storage, by data encryption key dEKbe stored securely in local file system, and in local file system, safeguard the data handle of encrypt data iD data , key handles iD dEK and the handle of VIRTUAL COUNTER V_counter iD v_counter between corresponding relation;
The identity of data consumer User and access authority information are sent to cloud service provider CSP by data owner Owner;
Data consumer User initiates data access request to cloud service provider CSP, and the access authorization certificate issued by data owner Owner shows to cloud service provider CSP, the identity of the identity that cloud service provider CSP provides according to Owner and access authority information verification msg user User and access rights, then send to data consumer User by encrypt data;
Then 3 are gone to step;
Step 3, key management module KM loads data encryption key dEK, in loading procedure, judge data encryption key dEKthe number of times used vCthe access times that data owner Owner specifies whether are exceeded n.If data encryption key dEKthe number of times used vCvalue is greater than data encryption key dEKappointment access times n, then this key is deleted from local file system, and " return " key" loads failure information; If key loads successfully, go to step 4;
Step 4, key management module KM uses dEKthe encrypt data of decryption application request access, and clear data is returned to application program;
Step 5, key management module KM performs key storage, again by data encryption key dEKbe stored in local file system.
And described data owner Owner is encrypted data, and upload in the server of cloud service provider CSP by the encrypt data after encryption, implementation comprises following sub-step,
110) identifier of data encryption module DE enciphered data Data, data Data is data handle iD data , data encryption module DE is by data handle iD data issue key management finger daemon module KMD, initiate to generate key request to key management finger daemon module KMD;
120) key management finger daemon module KMD stochastic generation data encryption key dEK, and by data encryption key dEKpass to data encryption module DE; Data encryption key dEKfile handle be iD dEK , key management finger daemon module KMD is in local maintenance and store data handle iD data with file handle iD dEK corresponding relation;
130) data encryption module DE AES encryption algorithm is to data Data data encryption key dEKencryption, and gained encrypt data is uploaded in the server of cloud service provider CSP;
140) key management finger daemon module KMD initiates Binding key to credible platform module TPMo and generates request, by data encryption key dEKissue credible platform module TPMo, credible platform module TPMo is data encryption key dEKgenerate a Binding key ownerBindKey, and use Binding key ownerBindKeyto data encryption key dEKencryption, returns to key management finger daemon module KMD by gained ciphertext;
150) key management finger daemon module KMD safe data storage encryption key in local file system dEK, implementation is for preserving credible platform module TPMo Binding key ownerBindKeyto data encryption key dEKencryption gained ciphertext.
And described key management module KM initiates key application to data owner Owner, and implementation comprises following sub-step,
210) the key management module KM that data consumer User holds asks credible platform module TPMu to generate a unsymmetrical key asyKey, unsymmetrical key asyKeyfather's key be the storage root key of credible platform module TPMu, and obtain unsymmetrical key asyKeypKI asyKey_pub;
220) key management module KM is by PKI asyKey_pub, subscriber identity information UserInfo and the data request information DataReq key management that sends to data owner Owner to hold guards module KMD.
And, describedly complete data encryption key by key migration agreement dEKtransmission, implementation comprises following sub-step,
310) module KMD identifying user identity information UserInfo and data request information DataReq is guarded in key management, if checking is not passed through, then stops the operation of key migration agreement; If be verified, then guarded the data handle of module KMD maintenance and storage by key management iD data with file handle iD dEK between relation search corresponding data encryption key dEK, and produce data encryption key dEKappointment access times n, by data encryption key dEKappointment access times nwith data encryption key dEKcarry out series connection and obtain character string n|| dEK;
320) key management is guarded module KMD and key information KeyInfo is passed to credible platform module TPMo, and credible platform module TPMo generates a transportable Binding key bindKey;
330) key management guards module KMD by character string n|| dEK, PKI asyKey_pubpass to credible platform module TPMo, credible platform module TPMo verifies Binding key bindKeymigration authorization message, be verified, use Binding key bindKeypKI bindKey_pubright n|| dEKencryption, uses PKI asyKey_pubto Binding key bindKeyencryption, and by gained cipher-text information e bindKey_pub ( n|| dEK) and e asyKey_pub ( bindKey) return to key management and guard module KMD;
340) key management guards module KMD by the cipher-text information after encryption e bindKey_pub ( n|| dEK) and e asyKey_pub ( bindKey), send to key management module KM, complete data encryption key dEKtransmission.
And described key management module KM performs key storage flow process safe data storage encryption key in local file system dEK, implementation comprises following sub-step,
410) counter that key management module KM calls VIRTUAL COUNTER administration module VCM increases the value that order increment order makes virtual monotone counter vCadd 1, and obtain after increase vCvalue;
420) key management module KM is by data encryption key dEKappointment access times n, access times vCand data encryption key dEKuse hash function hash() is signed, and obtains signing messages digest= hash( n||DEK||VC);
430) key management module KM is by character string n|| dEKand cipher-text information e asyKey_pub ( bindKey) be loaded into credible platform module TPMu inside, credible platform module TPMu private key asyKey_prito cipher-text information e asyKey_pub ( bindKey) decrypt Binding key bindKey, then by PKI bindKey_pubenciphered data encryption key dEKappointment access times nand data encryption key dEK, and by the cipher-text information after encryption e bindKey_pub ( n|| dEK) return to key management module KM;
440) key management module KM will to data encryption key dEKappointment access times n, access times vCand data encryption key dEKgained signing messages after signature digestand cipher-text information e bindKey_pub ( n|| dEK), e asyKey_pub ( bindKey) be saved in local file system.
And described key management module KM performs key and loads flow process, implementation comprise first determine whether that first time loads key, if then perform following sub-step 510)-540), if not then perform following sub-step 510)-550),
510) key management module KM reads key information from local file system, obtains signing messages digest, encryption after Binding key bindKeyand data encryption key dEKgained cipher-text information e bindKey_pub ( n|| dEK) and e asyKey_pub ( bindKey);
520) key management module KM is by cipher-text information e asyKey_pub ( bindKey) be loaded into credible platform module TPMu inside, credible platform module TPMu unsymmetrical key asyKeyprivate key asyKey_prideciphering obtains Binding key bindKey;
530) key management module KM is by cipher-text information e bindKey_pub ( n|| dEK) being loaded into credible platform module TPMu inside, credible platform module TPMu uses Binding key bindKeydeciphering obtains data encryption key dEKappointment access times nand data encryption key dEK, and by data encryption key dEKappointment access times nand data encryption key dEKreturn to key management module KM;
540) key management module KM is to VIRTUAL COUNTER administration module VCM request msg encryption key dEKthe currency of VIRTUAL COUNTER V_counter vCif, data encryption key dEKthe number of times used vCvalue is greater than data encryption key dEKthe access times of specifying nthen by data encryption key dEKdestroy, return and load unsuccessfully; Otherwise, perform 550);
550) key management module KM uses hash function hash() is to data encryption key dEKthe access times of specifying n, data encryption key dEKthe number of times used vCvalue and data encryption key dEKcertifying signature information, namely calculates digest '= hash( n||DEK||VC), if digest= digest 'then being verified " return " key" loads successfully; Otherwise " return " key" loads unsuccessfully.
The present invention compared with prior art has following major advantage:
Reliable computing technology is applied in cloud memory module by the one, utilizes key management and the safe storage function of credible platform module, and the secret key safety achieved under cloud memory module stores.
2nd, is in key distribution and transmission, and adopt the safe transmission of key migration protocol realization key between data owner Owner and data consumer User, fail safe is higher.
3rd. in key use, the access times of key and monotonically increasing VIRTUAL COUNTER are bound mutually, make the access times of key be restricted, thus efficiently solve the unrestricted use of key and the safety problem caused.
In a word, the present invention utilizes key management and the safe storage function of credible platform module, makes key can safe storage and transmission; Utilize the monotone counter function of credible platform module, by to the access times of key and the binding of monotonically increasing virtual counter value and judgement, management and the access times of control key, thus efficiently solve the unrestricted use of key and the safety problem that causes.
Accompanying drawing explanation
Fig. 1 is the key access times management system framework based on credible platform module under the cloud memory module of the embodiment of the present invention.
Fig. 2 is the key migration agreement flow process of the embodiment of the present invention.
Fig. 3 is the key storage flow process of the embodiment of the present invention.
Fig. 4 is that the key of the embodiment of the present invention loads flow process.
Fig. 5 is the limited use flow process of key of the embodiment of the present invention.
Embodiment
Technical solution of the present invention is described in detail below in conjunction with drawings and Examples.
The present invention proposes the key access times management method based on credible platform module under cloud memory module, idiographic flow is: data owner Owner is stored in after data encryption in the server of cloud service provider CSP.When data consumer User needs access Owner to be stored in the data at CSP place, initiate data access request to Owner, obtain the certificate of authority and key from Owner.The certificate of authority shows to CSP by User, gets encrypt data from CSP.The key management module KM of User end, before data decryption, judges the availability of key, if key can be used, then uses secret key decryption data, clear data is returned to User.If key has exceeded predetermined access times or key receives Replay Attack, KM will delete key, and " return " key" loads failure information, thus achieves the control to key access times.
Under the cloud memory module of embodiment based on the key access times management system framework of credible platform module as shown in Figure 1, comprising:
Data owner Owner end is provided with credible platform module TPMo, key management finger daemon module KMD, encrypting module DE:
Credible platform module TPMo: credible platform module is commonly referred to as TPM, the credible platform module that data owner Owner holds is designated TPMo by embodiment.Credible platform module can provide physics monotone counter, provides the keys such as storage root key SRK, migration key and Binding key, carries out some secret key encryptions and decryption oprerations in inside.
Key management finger daemon module KMD: provide secret generating function, accepts the key request of user User, and performs key migration agreement alternately with the key management module KM of User key is sent to User;
Data encryption module DE: provide data encryption feature, is uploaded to cloud service provider CSP by after data symmetric password encryption.
Data consumer User end is provided with credible platform module TPMu, VIRTUAL COUNTER administration module VCM, key management module KM:
Credible platform module TPMu: credible platform module is commonly referred to as TPM, the credible platform module that data consumer User holds is designated TPMu by embodiment.Credible platform module can provide physics monotone counter, provides the keys such as storage root key SRK, migration key and Binding key, carries out some secret key encryptions and decryption oprerations in inside.
VIRTUAL COUNTER administration module VCM: provide and create virtual monotone counter function, with TPMu alternately for each applies the virtual monotone counter V_counter of establishment one, and perform corresponding order management and use virtual monotone counter V_counter, comprise the currency increasing V_counter, the currency reading V_counter;
Key management module KM: provide and ask key to data owner Owner, search key in local file system, judge whether key can be used, delete the function such as key, data decryption, perform key migration agreement alternately with the key management finger daemon module KMD of Owner and obtain key from Owner, and obtain the currency of V_counter alternately to judge whether key can be used with VIRTUAL COUNTER administration module VCM.As key can be used, then data decryption, returns to application program by clear data; If key has exceeded predetermined access times or key receives Replay Attack, delete key, " return " key" loads failure information.
During concrete enforcement, each module can adopt computer software mode to realize with reference to workflow by those skilled in the art.
Based on the system architecture of embodiment, realize the groundwork flow process that key uses, comprise following step, as shown in Figure 1:
(1) data owner Owner is encrypted data, and is uploaded in the server of cloud service provider CSP by the encrypt data after encryption.
(2) when data consumer User wants usage data owner Owner to be stored in the data at cloud service provider CSP place, data access request is initiated to data owner Owner.
(3) identity of data owner Owner verification msg user User and access rights, if User is disabled user or initiates access request to the data that it does not have access rights, then do not respond the request of User; Otherwise Owner issues access authorization certificate to User, and the relevant informations such as key are sent to safely User; User obtains data encryption key by key migration agreement dEKafter, perform key storage flow process at local secure storage data encryption key dEK.
(4) information such as the identity of data consumer User and access rights are sent to cloud service provider CSP by data owner Owner.
(5) data consumer User initiates data access request to cloud service provider CSP, and the access authorization certificate issued by data owner Owner shows the identity and the access rights that judge User to CSP, CSP according to the information such as User identity and access rights that Owner provides; If User can visit data, then encrypt data is sent to User; Otherwise, do not respond the access request of User.
(6) after data consumer User gets encrypt data from cloud service provider CSP, by the data encryption key obtained from data owner Owner dEKdeciphering visit data.
Consider data encryption key dEKreuse, the present invention proposes further: if User obtains data encryption key from Owner dEK, then perform key loading flow process and decrypt data encryption key dEK, then use data encryption key dEKdata decryption, obtains clear data.After obtaining clear data, User just performs key storage flow process by data encryption key dEKstore in this locality.If User does not also obtain data encryption key from Owner dEK, then first perform key migration agreement and obtain data encryption key dEK, obtain data encryption key dEKafter first perform key storage flow storage data encryption key dEK, perform key afterwards again and load flow process and key storage flow process.
As shown in Figure 5, the data consumer User end of embodiment manages key access times.Data consumer User end may have multiple application program to need to use key, as applied 1 ... application n, respectively has counterpart keys.A certain application program specifically uses the implementation of key to comprise the following steps,
Step 1, after key management module KM receives the data access request messages of application program, first searches data encryption key corresponding to this encrypt data in local file system dEKwhether exist, if do not exist, then go to step 2; Exist and then go to step 3.
Step 2, key management module KM initiates key application to data owner Owner, and completes data encryption key by key migration agreement dEKtransmission, obtain data encryption key dEK; Then, key management module KM and VIRTUAL COUNTER administration module VCM is this data encryption key alternately dEKgenerate a record data encryption key dEKthe VIRTUAL COUNTER V_counter of access times, the value of this V_counter of initialization vCbe 0; And perform key storage, by data encryption key dEKbe stored securely in local file system, and in local file system, safeguard the data handle of encrypt data iD data , key handles iD dEK and the handle of VIRTUAL COUNTER V_counter iD v_counter between corresponding relation;
The identity of data consumer User and access authority information are sent to cloud service provider CSP by data owner Owner;
Data consumer User initiates data access request to cloud service provider CSP, and the access authorization certificate issued by data owner Owner shows to cloud service provider CSP, the identity of the identity that cloud service provider CSP provides according to Owner and access authority information verification msg user User and access rights, then send to data consumer User by encrypt data;
Go to step 3.
Follow-uply reuse data encryption key dEKtime, without the need to transmission data encipher key again dEKand encrypt data.
Step 3, key management module KM loads data encryption key dEK, in loading procedure, judge data encryption key dEKthe number of times used vCwhether having exceeded data owner Owner is data encryption key dEKthe access times of specifying n.If data encryption key dEKthe number of times used vCexceed data encryption key dEKthe access times of specifying n, namely vC> n, then by data encryption key dEKdelete from local file system, and " return " key" loads failure information; If key loads successfully, go to step 4.
Step 4, key management module KM usage data encryption key dEKthe encrypt data of decryption application request access, and clear data is returned to application program.
Step 5, key management module KM performs key storage, again by data encryption key dEKbe stored in local file system.Use data encryption key at every turn like this dEKafter all perform a key storage flow process at local secure storage data encryption key dEK.
For the sake of ease of implementation, be described further as follows to several critical stages of said system workflow:
1. data owner end to data processing stage:
Data owner Owner to data processing stage, mainly comprise following step:
110) identifier of data encryption module DE enciphered data Data, data Data is data handle iD data , data encryption module DE is by data handle iD data issue key management finger daemon module KMD, initiate to generate key request to key management finger daemon module KMD;
120) key management finger daemon module KMD stochastic generation data encryption key dEK, and by data encryption key dEKpass to data encryption module DE.Data encryption key dEKfile handle be iD dEK , key management finger daemon module KMD is in local maintenance and store data handle iD data with file handle iD dEK corresponding relation;
130) data encryption module DE AES encryption algorithm is to data Data data encryption key dEKencryption, and gained encrypt data is uploaded in the server of cloud service provider CSP;
140) key management finger daemon module KMD initiates Binding key to credible platform module TPMo and generates request, by data encryption key dEKissue credible platform module TPMo, credible platform module TPMo is data encryption key dEKgenerate a Binding key ownerBindKey, and use Binding key ownerBindKeyto data encryption key dEKencryption, returns to key management finger daemon module KMD by gained ciphertext
150) key management finger daemon module KMD safe data storage encryption key in local file system dEK, namely preserve credible platform module TPMo Binding key ownerBindKeyto data encryption key dEKencryption gained ciphertext.
2. the cipher key delivery stage:
Cipher key delivery based on a key migration protocol realization, as shown in Figure 2:
First key management module KM initiates key application to data owner Owner, performs following steps:
210) the key management module KM that data consumer User holds asks credible platform module TPMu to generate a unsymmetrical key asyKey, unsymmetrical key asyKeyfather's key be credible platform module TPMu storage root key ( storage Root Key, sRK), and obtain unsymmetrical key asyKeypKI asyKey_pub, (unsymmetrical key asyKeyprivate key asyKey_priby the storage root key of credible platform module TPMu sRKbe stored in TPMu outside after encryption, use unsymmetrical key asyKeytime, first by the private key after encryption asyKey_pribe loaded into credible platform module TPMu, by the storage root key of credible platform module TPMu sRKdeciphering, is easy description, hereafter no longer explains);
220) key management module KM is by PKI asyKey_pub, subscriber identity information UserInfo and the data request information DataReq key management that sends to data owner Owner to hold guards module KMD.
Then completed the transmission of key by key migration agreement, perform following steps:
310) module KMD identifying user identity information UserInfo and data request information DataReq is guarded in key management, if checking is not passed through, then and the operation of termination protocol; If be verified, then guarded the data handle of module KMD maintenance and storage by key management iD data with file handle iD dEK between relation search corresponding data encryption key dEK, and produce data encryption key dEKthe access times of specifying n, by data encryption key dEKappointment access times nwith data encryption key dEKcarry out series connection and obtain character string n|| dEK.
320) key management is guarded module KMD and key information KeyInfo is passed to credible platform module TPMo, and credible platform module TPMo generates a transportable Binding key bindKey;
330) key management guards module KMD by character string n|| dEK, PKI asyKey_pubpass to credible platform module TPMo, credible platform module TPMo verifies Binding key bindKeymigration authorization message, be verified, use Binding key bindKeypKI bindKey_pubto character string n|| dEKencryption, uses PKI asyKey_pubto Binding key bindKey(comprise bindKeypKI and private key) encryption, and by gained cipher-text information e bindKey_pub ( n|| dEK) and e asyKey_pub ( bindKey) return to key management and guard module KMD;
340) key management guards module KMD by the cipher-text information after encryption, namely e bindKey_pub ( n|| dEK) and e asyKey_pub ( bindKey), send to key management module KM, complete data encryption key dEKtransmission.
3. the key operational phase of holding data consumer:
Data encryption key dEKwhen the use of data consumer's end, need to carry out key storage flow process, key loading flow process to realize data encryption key in this locality dEKsafe storage and limited use.
Key storage flow process comprises following step, as shown in Figure 3:
410) counter that key management module KM calls VIRTUAL COUNTER administration module VCM increases the value that order increment order makes virtual monotone counter vCadd 1, and obtain after increase vCvalue;
vCwhat record is exactly data encryption key dEKcurrent access times. dEKuse once, vCjust increase by 1 time
420) key management module KM is by data encryption key dEKappointment access times n, data encryption key dEKaccess times vCand data encryption key dEKuse hash function hash() is signed, and obtains signing messages digest= hash( n||DEK||VC);
430) key management module KM is by character string n|| dEKand cipher-text information e asyKey_pub ( bindKey) be loaded into credible platform module TPMu inside, credible platform module TPMu private key asyKey_prito cipher-text information e asyKey_pub ( bindKey) decrypt Binding key bindKey, then by PKI bindKey_pubenciphered data encryption key dEKappointment access times nand data encryption key dEK, and by the cipher-text information after encryption e bindKey_pub ( n|| dEK) return to key management module KM;
440) key management module KM will to data encryption key dEKappointment access times n, data encryption key dEKaccess times vCand data encryption key dEKgained signing messages after signature digestand cipher-text information e bindKey_pub ( n|| dEK), e asyKey_pub ( bindKey) be saved in local file system.
Key loads flow process and is used for the loading of key management module KM execution key, implementation comprise first determine whether first time load key, if then perform following sub-step 510)-540), if not then perform following sub-step 510)-550),, as shown in Figure 4:
510) key management module KM reads key information from local file system (can adopt key file list), obtains signing messages digest, Binding key after encryption bindKeyand data encryption key dEK, i.e. cipher-text information e bindKey_pub ( n|| dEK) and e asyKey_pub ( bindKey);
520) key management module KM is by cipher-text information e asyKey_pub ( bindKey) be loaded into credible platform module TPMu inside, credible platform module TPMu unsymmetrical key asyKeyprivate key asyKey_prideciphering obtains Binding key bindKey;
530) key management module KM is by cipher-text information e bindKey_pub ( n|| dEK) being loaded into credible platform module TPMu inside, credible platform module TPMu uses Binding key bindKeydeciphering obtains data encryption key dEKappointment access times nand data encryption key dEK, and by data encryption key dEKappointment access times nand data encryption key dEKreturn to key management module KM;
540) key management module KM is to VIRTUAL COUNTER administration module VCM request msg encryption key dEKthe currency of VIRTUAL COUNTER V_counter vCif, data encryption key dEKaccess times vCvalue is greater than data encryption key dEKappointment access times nthen by data encryption key dEKdestroy, return and load unsuccessfully; Otherwise, perform 550);
550) key management module KM uses hash function hash() is to data encryption key dEKappointment access times n, data encryption key dEKaccess times vCvalue and data encryption key dEKcertifying signature information, namely calculates digest '= hash( n||DEK||VC), if digest= digest 'then being verified " return " key" loads successfully; Otherwise " return " key" loads unsuccessfully.
Specific embodiment described herein is only to the explanation for example of the present invention's spirit.Those skilled in the art can make various amendment or supplement or adopt similar mode to substitute to described specific embodiment, but can't depart from spirit of the present invention or surmount the scope that appended claims defines.

Claims (6)

1. under a cloud memory module based on the key access times management method of credible platform module, it is characterized in that: arrange credible platform module TPMo, key management finger daemon module KMD and encrypting module DE at data owner Owner end, data consumer User end arranges credible platform module TPMu, VIRTUAL COUNTER administration module VCM and key management module KM; Data owner Owner is encrypted data, and uploads in the server of cloud service provider CSP by the encrypt data after encryption;
Data consumer User end manages key access times, and implementation comprises the following steps,
Step 1, after key management module KM receives the data access request messages of application program, whether the data encryption key DEK first searching this encrypt data corresponding in local file system exists, if do not exist, then goes to step 2; Exist and then go to step 3;
Step 2, key management module KM initiates key application to data owner Owner, and is completed the transmission of data encryption key DEK by key migration agreement, obtains data encryption key DEK; Then, key management module KM and VIRTUAL COUNTER administration module VCM generates for this data encryption key DEK the VIRTUAL COUNTER V_counter that is recorded key access times alternately, and the value VC of this V_counter of initialization is 0; And perform key storage, data encryption key DEK is stored securely in local file system, and in local file system, safeguards the data handle ID of encrypt data data, file handle ID dEKand the handle ID of VIRTUAL COUNTER V_counter v_counterbetween corresponding relation;
The identity of data consumer User and access authority information are sent to cloud service provider CSP by data owner Owner;
Data consumer User initiates data access request to cloud service provider CSP, and the access authorization certificate issued by data owner Owner shows to cloud service provider CSP, the identity of the identity that cloud service provider CSP provides according to Owner and access authority information verification msg user User and access rights, then send to data consumer User by encrypt data;
Then 3 are gone to step;
Step 3, key management module KM loads data encryption key DEK, and judging in loading procedure whether number of times VC that data encryption key DEK has used has exceeded data owner Owner is the access times N that this data encryption key DEK specifies; If the number of times VC that data encryption key DEK has used has exceeded the access times N that data encryption key DEK specifies, then this data encryption key DEK is deleted from local file system, and " return " key" loads failure information; If key loads successfully, go to step 4;
Step 4, key management module KM uses the encrypt data of DEK decryption application request access, and clear data is returned to application program;
Step 5, key management module KM performs key storage, is again stored in local file system by data encryption key DEK.
2. according to claim 1 under cloud memory module based on the key access times management method of credible platform module, it is characterized in that: described data owner Owner is encrypted data, and the encrypt data after encryption is uploaded in the server of cloud service provider CSP, implementation comprises following sub-step
110) identifier of data encryption module DE enciphered data Data, data Data is data handle ID data, data encryption module DE is by data handle ID dataissue key management finger daemon module KMD, initiate to generate key request to key management finger daemon module KMD;
120) key management finger daemon module KMD stochastic generation data encryption key DEK, and data encryption key DEK is passed to data encryption module DE; The file handle of data encryption key DEK is ID dEK, key management finger daemon module KMD is in local maintenance and store data handle ID datawith file handle ID dEKcorresponding relation;
130) data encryption module DE AES encryption algorithm is encrypted data Data data encryption key DEK, and uploads in the server of cloud service provider CSP by gained encrypt data;
140) key management finger daemon module KMD initiates Binding key to credible platform module TPMo and generates request, data encryption key DEK is issued credible platform module TPMo, credible platform module TPMo is that data encryption key DEK generates a Binding key OwnerBindKey, and with Binding key OwnerBindKey, data encryption key DEK is encrypted, gained ciphertext is returned to key management finger daemon module KMD;
150) key management finger daemon module KMD safe data storage encryption key DEK in local file system, implementation encrypts gained ciphertext for preserving credible platform module TPMo Binding key OwnerBindKey to data encryption key DEK.
3. according to claim 2 under cloud memory module based on the key access times management method of credible platform module, it is characterized in that: described key management module KM initiates key application to data owner Owner, and implementation comprises following sub-step,
210) the key management module KM that data consumer User holds asks credible platform module TPMu to generate a unsymmetrical key AsyKey, father's key of unsymmetrical key AsyKey is the storage root key of credible platform module TPMu, and obtains the PKI AsyKey_pub of unsymmetrical key AsyKey;
220) key management that PKI AsyKey_pub, subscriber identity information UserInfo and data request information DataReq send to data owner Owner to hold is guarded module KMD by key management module KM.
4. according to claim 3 under cloud memory module based on the key access times management method of credible platform module, it is characterized in that: the described transmission being completed data encryption key DEK by key migration agreement, implementation comprises following sub-step,
310) module KMD identifying user identity information UserInfo and data request information DataReq is guarded in key management, if checking is not passed through, then stops the operation of key migration agreement; If be verified, then guarded the data handle ID of module KMD maintenance and storage by key management datawith file handle ID dEKbetween relation search corresponding data encryption key DEK, and produce the appointment access times N of data encryption key DEK, appointment access times N and the data encryption key DEK of data encryption key DEK carried out connecting obtaining character string N||DEK;
320) key management is guarded module KMD and key information KeyInfo is passed to credible platform module TPMo, and credible platform module TPMo generates a transportable Binding key BindKey;
330) key management is guarded module KMD and character string N||DEK, PKI AsyKey_pub is passed to credible platform module TPMo, credible platform module TPMo verifies the migration authorization message of Binding key BindKey, be verified and then with the PKI BindKey_pub of Binding key BindKey, character string N||DEK encrypted, with PKI AsyKey_pub, Binding key BindKey is encrypted, and by gained cipher-text information E bindKey_puband E (N||DEK) asyKey_pub(BindKey) return to key management and guard module KMD;
340) key management guards module KMD by the cipher-text information E after encryption bindKey_puband E (N||DEK) asyKey_pub(BindKey), send to key management module KM, complete the transmission of data encryption key DEK.
5. according to claim 4 under cloud memory module based on the key access times management method of credible platform module, it is characterized in that: described key management module KM performs key storage flow process safe data storage encryption key DEK in local file system, implementation comprises following sub-step
410) counter that key management module KM calls VIRTUAL COUNTER administration module VCM increases order increment order makes the value VC of virtual monotone counter add 1, and obtains the VC value after increase;
420) key management module KM by appointment access times N, the data encryption key DEK of data encryption key DEK access times VC and data encryption key DEK use hash function hash () to sign, obtain signing messages digest=hash (N||DEK||VC);
430) key management module KM is by N||DEK and cipher-text information E asyKey_pub(BindKey) be loaded into credible platform module TPMu inner, credible platform module TPMu with private key AsyKey_pri to cipher-text information E asyKey_pub(BindKey) Binding key BindKey is decrypted, then by the appointment access times N of PKI BindKey_pub enciphered data encryption key DEK and data encryption key DEK, and by the cipher-text information E after encryption bindKey_pub(N||DEK) key management module KM is returned to;
440) key management module KM is by appointment access times N, the data encryption key DEK rear gained signing messages digest and cipher-text information E of access times VC and DEK signature to data encryption key DEK bindKey_pub(N||DEK), E asyKey_pub(BindKey) be saved in local file system.
6. according to claim 5 under cloud memory module based on the key access times management method of credible platform module, it is characterized in that: described key management module KM performs key and loads flow process, implementation comprise first determine whether first time load key, if then perform following sub-step 510)-540), if not then perform following sub-step 510)-550)
510) key management module KM reads key information from local file system, obtains signing messages digest, the rear Binding key BindKey and data encryption key DEK gained cipher-text information E of encryption bindKey_puband E (N||DEK) asyKey_pub(BindKey);
520) key management module KM is by cipher-text information E asyKey_pub(BindKey) be loaded into credible platform module TPMu inner, the private key AsyKey_pri deciphering of credible platform module TPMu unsymmetrical key AsyKey obtains Binding key BindKey;
530) key management module KM is by cipher-text information E bindKey_pub(N||DEK) credible platform module TPMu is loaded into inner, credible platform module TPMu uses Binding key BindKey deciphering to obtain appointment access times N and the data encryption key DEK of data encryption key DEK, and the appointment access times N of data encryption key DEK and data encryption key DEK is returned to key management module KM;
540) key management module KM is to the currency VC of the VIRTUAL COUNTER V_counter of VIRTUAL COUNTER administration module VCM request msg encryption key DEK, if the number of times VC value that data encryption key DEK has used is greater than the appointment access times N of data encryption key DEK, data encryption key DEK is destroyed, returns and load unsuccessfully; Otherwise, perform 550);
550) key management module KM uses the number of times VC value that used of hash function hash () appointment access times N, data encryption key DEK to access times data encryption key DEK and data encryption key DEK certifying signature information, namely calculate digest '=hash (N||DEK||VC), if digest=digest ', be verified " return " key" and load successfully; Otherwise " return " key" loads unsuccessfully.
CN201310104307.1A 2013-03-28 2013-03-28 Based on the key access times management method of credible platform module under cloud memory module Active CN103138939B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201310104307.1A CN103138939B (en) 2013-03-28 2013-03-28 Based on the key access times management method of credible platform module under cloud memory module

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201310104307.1A CN103138939B (en) 2013-03-28 2013-03-28 Based on the key access times management method of credible platform module under cloud memory module

Publications (2)

Publication Number Publication Date
CN103138939A CN103138939A (en) 2013-06-05
CN103138939B true CN103138939B (en) 2015-09-16

Family

ID=48498295

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201310104307.1A Active CN103138939B (en) 2013-03-28 2013-03-28 Based on the key access times management method of credible platform module under cloud memory module

Country Status (1)

Country Link
CN (1) CN103138939B (en)

Families Citing this family (17)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103581190B (en) * 2013-11-07 2016-04-27 江南大学 A kind of file security access control method based on cloud computing technology
CN105553661B (en) * 2014-10-29 2019-09-17 航天信息股份有限公司 Key management method and device
CN104484624B (en) * 2014-12-15 2018-08-28 上海新储集成电路有限公司 A kind of monotone counter and the dull method counted
CN105426771B (en) * 2015-10-28 2018-06-26 成都比特信安科技有限公司 A kind of method for realizing big data safety
CN105357202A (en) * 2015-11-12 2016-02-24 中国电子科技网络信息安全有限公司 Cloud platform user key management device and management method
CN105653965B (en) * 2016-01-22 2018-09-11 东信和平科技股份有限公司 A kind of intelligence card encoder monitoring device and method
CN105871539B (en) * 2016-03-18 2020-02-14 华为技术有限公司 Key processing method and device
EP3535683B1 (en) * 2016-11-04 2020-10-21 Visa International Service Association Data encryption control using multiple controlling authorities
CN108199837B (en) * 2018-01-23 2020-12-25 新华三信息安全技术有限公司 Key negotiation method and device
US11316693B2 (en) * 2018-04-13 2022-04-26 Microsoft Technology Licensing, Llc Trusted platform module-based prepaid access token for commercial IoT online services
CN109587115B (en) * 2018-11-02 2021-01-26 青岛微智慧信息有限公司 Safe distribution and use method of data files
WO2020168546A1 (en) * 2019-02-22 2020-08-27 云图有限公司 Secret key migration method and apparatus
US11556365B2 (en) 2019-09-24 2023-01-17 International Business Machines Corporation Obscuring information in virtualization environment
CN110806919B (en) * 2019-09-25 2021-11-02 苏州浪潮智能科技有限公司 Method and system for protecting virtual machine image in cloud environment
CN112073194B (en) * 2020-09-10 2021-06-22 四川长虹电器股份有限公司 Security management method for resisting secret key leakage
CN112840683B (en) * 2021-01-18 2022-04-22 华为技术有限公司 Vehicle key management method, device and system
CN113642018A (en) * 2021-08-11 2021-11-12 永旗(北京)科技有限公司 Key management method based on block chain

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1889431A (en) * 2006-07-27 2007-01-03 北京飞天诚信科技有限公司 Multifunction intelligent key equipment and safety controlling method thereof
CN101282220A (en) * 2008-05-14 2008-10-08 北京深思洛克数据保护中心 Information safety equipment for reinforcing key use security as well as implementing method thereof

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20110047381A1 (en) * 2009-08-21 2011-02-24 Board Of Regents, The University Of Texas System Safemashups cloud trust broker

Patent Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1889431A (en) * 2006-07-27 2007-01-03 北京飞天诚信科技有限公司 Multifunction intelligent key equipment and safety controlling method thereof
CN101282220A (en) * 2008-05-14 2008-10-08 北京深思洛克数据保护中心 Information safety equipment for reinforcing key use security as well as implementing method thereof

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
一种适于云存储的数据确定性删除方法;王丽娜 等;《电子学报》;20120228(第2期);全文 *
基于可信平台模块的虚拟单调计数器研究;李昊 等;《计算机研究与发展》;20110331(第3期);全文 *

Also Published As

Publication number Publication date
CN103138939A (en) 2013-06-05

Similar Documents

Publication Publication Date Title
CN103138939B (en) Based on the key access times management method of credible platform module under cloud memory module
CN109862041B (en) Digital identity authentication method, equipment, device, system and storage medium
US11799656B2 (en) Security authentication method and device
US8196186B2 (en) Security architecture for peer-to-peer storage system
US20140112470A1 (en) Method and system for key generation, backup, and migration based on trusted computing
CN109361668A (en) A kind of data trusted transmission method
CN109379387B (en) Safety certification and data communication system between Internet of things equipment
CN101409619B (en) Flash memory card and method for implementing virtual special network key exchange
CN105471833A (en) Safe communication method and device
US11831753B2 (en) Secure distributed key management system
US20220108028A1 (en) Providing cryptographically secure post-secrets-provisioning services
CN105100076A (en) Cloud data security system based on USB Key
CN106027503A (en) Cloud storage data encryption method based on TPM
CN107920052B (en) Encryption method and intelligent device
CN108809633B (en) Identity authentication method, device and system
US20220014367A1 (en) Decentralized computing systems and methods for performing actions using stored private data
Kim et al. Puf based iot device authentication scheme
CN111970114B (en) File encryption method, system, server and storage medium
CN111104691A (en) Sensitive information processing method and device, storage medium and equipment
US20130124860A1 (en) Method for the Cryptographic Protection of an Application
Jalil et al. A secure and efficient public auditing system of cloud storage based on BLS signature and automatic blocker protocol
CN104767766A (en) Web Service interface verification method, Web Service server and client side
CN114154181A (en) Privacy calculation method based on distributed storage
CN103944721A (en) Method and device for protecting terminal data security on basis of web
CN105871858A (en) Method and system for ensuring high data safety

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant