CN103138939B - Based on the key access times management method of credible platform module under cloud memory module - Google Patents
Based on the key access times management method of credible platform module under cloud memory module Download PDFInfo
- Publication number
- CN103138939B CN103138939B CN201310104307.1A CN201310104307A CN103138939B CN 103138939 B CN103138939 B CN 103138939B CN 201310104307 A CN201310104307 A CN 201310104307A CN 103138939 B CN103138939 B CN 103138939B
- Authority
- CN
- China
- Prior art keywords
- key
- data
- dek
- module
- data encryption
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
Landscapes
- Storage Device Security (AREA)
Abstract
Based on the key access times management method of credible platform module under a kind of cloud memory module, data owner Owner end arranges credible platform module TPMo, key management finger daemon module KMD and encrypting module DE, and data consumer User end arranges credible platform module TPMu, VIRTUAL COUNTER administration module VCM and key management module KM; Data owner Owner uploads to the server of cloud service provider CSP after being encrypted data; Data consumer User end manages key access times, comprise key management module KM and receive access request, first search key whether to exist, if do not exist, initiate key application to data owner Owner, and completed the transmission of key by key migration agreement; Key management module KM loads data encryption key DEK, destroys key when key access times exceedes the access times N that data owner Owner specifies.
Description
Technical field
The present invention relates to computer information safety technique field, relate generally to the key management based on credible platform module, utilize credible platform module to realize safe storage and the use of key under cloud memory module, the confidentiality of data under protection cloud memory module.
Background technology
As the important component part of cloud computing, cloud storage is absorbed in provides online storage service based on the Internet to user.Under cloud memory module, store and namely serve, user is without the need to considering the ins and outs that the availability, reliability etc. of the storage class of physical equipment, storage mode and data are concrete, but can as required from cloud service provider (Cloud Service Provider, CSP) place obtains corresponding service, accesses the data of oneself whenever and wherever possible.Cloud stored energy brings opportunity in raising IT efficiency, cost savings and green calculating etc., is also faced with some security challenges simultaneously.
Under cloud memory module, Data Hosting is stored in third party CSP place, and departed from the control range that data owner Owner holds, its fail safe highly depends on CSP.Considering that CSP is insincere, is the confidentiality of protected data, and data owner Owner holds and first to clear data encryption, then encrypt data can be stored in CSP place, and key is then by Owner oneself keeping.Now, key safe storage and to use be exactly the key point of protected data confidentiality.First, key should be all safe storage at data owner Owner end and data consumer User end, prevents the confidentiality causing data because of the leakage of key to be destroyed.Secondly, key should be restricted in the use that User holds, namely should control User to the use of key, prevent because User may cause security strategy to be destroyed to the unrestricted use of key or the leakage of data.
Summary of the invention
The invention provides the key access times management method based on credible platform module under a kind of cloud memory module; with the confidentiality of the safe storage and data that effectively ensure key, control and management authorized user to the use of key, prevent user from the unprotect of key, unrestrictedly use are destroyed to the confidentiality of data.
Technical scheme of the present invention is the key access times management method based on credible platform module under a kind of cloud memory module, arrange credible platform module TPMo, key management finger daemon module KMD and encrypting module DE at data owner Owner end, data consumer User end arranges credible platform module TPMu, VIRTUAL COUNTER administration module VCM and key management module KM; Data owner Owner is encrypted data, and uploads in the server of cloud service provider CSP by the encrypt data after encryption;
Data consumer User end manages key access times, and implementation comprises the following steps,
Step 1, after key management module KM receives the data access request messages of application program, first searches data encryption key corresponding to this encrypt data in local file system
dEKwhether exist, if do not exist, then go to step 2; Exist and then go to step 3;
Step 2, key management module KM initiates key application to data owner Owner, and completes data encryption key by key migration agreement
dEKtransmission, obtain data encryption key
dEK; Then, key management module KM and VIRTUAL COUNTER administration module VCM is this data encryption key alternately
dEKgenerate the VIRTUAL COUNTER V_counter of a record key access times, the value of this V_counter of initialization
vCbe 0; And perform key storage, by data encryption key
dEKbe stored securely in local file system, and in local file system, safeguard the data handle of encrypt data
iD data , key handles
iD dEK and the handle of VIRTUAL COUNTER V_counter
iD v_counter between corresponding relation;
The identity of data consumer User and access authority information are sent to cloud service provider CSP by data owner Owner;
Data consumer User initiates data access request to cloud service provider CSP, and the access authorization certificate issued by data owner Owner shows to cloud service provider CSP, the identity of the identity that cloud service provider CSP provides according to Owner and access authority information verification msg user User and access rights, then send to data consumer User by encrypt data;
Then 3 are gone to step;
Step 3, key management module KM loads data encryption key
dEK, in loading procedure, judge data encryption key
dEKthe number of times used
vCthe access times that data owner Owner specifies whether are exceeded
n.If data encryption key
dEKthe number of times used
vCvalue is greater than data encryption key
dEKappointment access times
n, then this key is deleted from local file system, and " return " key" loads failure information; If key loads successfully, go to step 4;
Step 4, key management module KM uses
dEKthe encrypt data of decryption application request access, and clear data is returned to application program;
Step 5, key management module KM performs key storage, again by data encryption key
dEKbe stored in local file system.
And described data owner Owner is encrypted data, and upload in the server of cloud service provider CSP by the encrypt data after encryption, implementation comprises following sub-step,
110) identifier of data encryption module DE enciphered data Data, data Data is data handle
iD data , data encryption module DE is by data handle
iD data issue key management finger daemon module KMD, initiate to generate key request to key management finger daemon module KMD;
120) key management finger daemon module KMD stochastic generation data encryption key
dEK, and by data encryption key
dEKpass to data encryption module DE; Data encryption key
dEKfile handle be
iD dEK , key management finger daemon module KMD is in local maintenance and store data handle
iD data with file handle
iD dEK corresponding relation;
130) data encryption module DE AES encryption algorithm is to data Data data encryption key
dEKencryption, and gained encrypt data is uploaded in the server of cloud service provider CSP;
140) key management finger daemon module KMD initiates Binding key to credible platform module TPMo and generates request, by data encryption key
dEKissue credible platform module TPMo, credible platform module TPMo is data encryption key
dEKgenerate a Binding key
ownerBindKey, and use Binding key
ownerBindKeyto data encryption key
dEKencryption, returns to key management finger daemon module KMD by gained ciphertext;
150) key management finger daemon module KMD safe data storage encryption key in local file system
dEK, implementation is for preserving credible platform module TPMo Binding key
ownerBindKeyto data encryption key
dEKencryption gained ciphertext.
And described key management module KM initiates key application to data owner Owner, and implementation comprises following sub-step,
210) the key management module KM that data consumer User holds asks credible platform module TPMu to generate a unsymmetrical key
asyKey, unsymmetrical key
asyKeyfather's key be the storage root key of credible platform module TPMu, and obtain unsymmetrical key
asyKeypKI
asyKey_pub;
220) key management module KM is by PKI
asyKey_pub, subscriber identity information UserInfo and the data request information DataReq key management that sends to data owner Owner to hold guards module KMD.
And, describedly complete data encryption key by key migration agreement
dEKtransmission, implementation comprises following sub-step,
310) module KMD identifying user identity information UserInfo and data request information DataReq is guarded in key management, if checking is not passed through, then stops the operation of key migration agreement; If be verified, then guarded the data handle of module KMD maintenance and storage by key management
iD data with file handle
iD dEK between relation search corresponding data encryption key
dEK, and produce data encryption key
dEKappointment access times
n, by data encryption key
dEKappointment access times
nwith data encryption key
dEKcarry out series connection and obtain character string
n||
dEK;
320) key management is guarded module KMD and key information KeyInfo is passed to credible platform module TPMo, and credible platform module TPMo generates a transportable Binding key
bindKey;
330) key management guards module KMD by character string
n||
dEK, PKI
asyKey_pubpass to credible platform module TPMo, credible platform module TPMo verifies Binding key
bindKeymigration authorization message, be verified, use Binding key
bindKeypKI
bindKey_pubright
n||
dEKencryption, uses PKI
asyKey_pubto Binding key
bindKeyencryption, and by gained cipher-text information
e bindKey_pub (
n||
dEK) and
e asyKey_pub (
bindKey) return to key management and guard module KMD;
340) key management guards module KMD by the cipher-text information after encryption
e bindKey_pub (
n||
dEK) and
e asyKey_pub (
bindKey), send to key management module KM, complete data encryption key
dEKtransmission.
And described key management module KM performs key storage flow process safe data storage encryption key in local file system
dEK, implementation comprises following sub-step,
410) counter that key management module KM calls VIRTUAL COUNTER administration module VCM increases the value that order increment order makes virtual monotone counter
vCadd 1, and obtain after increase
vCvalue;
420) key management module KM is by data encryption key
dEKappointment access times
n, access times
vCand data encryption key
dEKuse hash function
hash() is signed, and obtains signing messages
digest=
hash(
n||DEK||VC);
430) key management module KM is by character string
n||
dEKand cipher-text information
e asyKey_pub (
bindKey) be loaded into credible platform module TPMu inside, credible platform module TPMu private key
asyKey_prito cipher-text information
e asyKey_pub (
bindKey) decrypt Binding key
bindKey, then by PKI
bindKey_pubenciphered data encryption key
dEKappointment access times
nand data encryption key
dEK, and by the cipher-text information after encryption
e bindKey_pub (
n||
dEK) return to key management module KM;
440) key management module KM will to data encryption key
dEKappointment access times
n, access times
vCand data encryption key
dEKgained signing messages after signature
digestand cipher-text information
e bindKey_pub (
n||
dEK),
e asyKey_pub (
bindKey) be saved in local file system.
And described key management module KM performs key and loads flow process, implementation comprise first determine whether that first time loads key, if then perform following sub-step 510)-540), if not then perform following sub-step 510)-550),
510) key management module KM reads key information from local file system, obtains signing messages
digest, encryption after Binding key
bindKeyand data encryption key
dEKgained cipher-text information
e bindKey_pub (
n||
dEK) and
e asyKey_pub (
bindKey);
520) key management module KM is by cipher-text information
e asyKey_pub (
bindKey) be loaded into credible platform module TPMu inside, credible platform module TPMu unsymmetrical key
asyKeyprivate key
asyKey_prideciphering obtains Binding key
bindKey;
530) key management module KM is by cipher-text information
e bindKey_pub (
n||
dEK) being loaded into credible platform module TPMu inside, credible platform module TPMu uses Binding key
bindKeydeciphering obtains data encryption key
dEKappointment access times
nand data encryption key
dEK, and by data encryption key
dEKappointment access times
nand data encryption key
dEKreturn to key management module KM;
540) key management module KM is to VIRTUAL COUNTER administration module VCM request msg encryption key
dEKthe currency of VIRTUAL COUNTER V_counter
vCif, data encryption key
dEKthe number of times used
vCvalue is greater than data encryption key
dEKthe access times of specifying
nthen by data encryption key
dEKdestroy, return and load unsuccessfully; Otherwise, perform 550);
550) key management module KM uses hash function
hash() is to data encryption key
dEKthe access times of specifying
n, data encryption key
dEKthe number of times used
vCvalue and data encryption key
dEKcertifying signature information, namely calculates
digest '=
hash(
n||DEK||VC), if
digest=
digest 'then being verified " return " key" loads successfully; Otherwise " return " key" loads unsuccessfully.
The present invention compared with prior art has following major advantage:
Reliable computing technology is applied in cloud memory module by the one, utilizes key management and the safe storage function of credible platform module, and the secret key safety achieved under cloud memory module stores.
2nd, is in key distribution and transmission, and adopt the safe transmission of key migration protocol realization key between data owner Owner and data consumer User, fail safe is higher.
3rd. in key use, the access times of key and monotonically increasing VIRTUAL COUNTER are bound mutually, make the access times of key be restricted, thus efficiently solve the unrestricted use of key and the safety problem caused.
In a word, the present invention utilizes key management and the safe storage function of credible platform module, makes key can safe storage and transmission; Utilize the monotone counter function of credible platform module, by to the access times of key and the binding of monotonically increasing virtual counter value and judgement, management and the access times of control key, thus efficiently solve the unrestricted use of key and the safety problem that causes.
Accompanying drawing explanation
Fig. 1 is the key access times management system framework based on credible platform module under the cloud memory module of the embodiment of the present invention.
Fig. 2 is the key migration agreement flow process of the embodiment of the present invention.
Fig. 3 is the key storage flow process of the embodiment of the present invention.
Fig. 4 is that the key of the embodiment of the present invention loads flow process.
Fig. 5 is the limited use flow process of key of the embodiment of the present invention.
Embodiment
Technical solution of the present invention is described in detail below in conjunction with drawings and Examples.
The present invention proposes the key access times management method based on credible platform module under cloud memory module, idiographic flow is: data owner Owner is stored in after data encryption in the server of cloud service provider CSP.When data consumer User needs access Owner to be stored in the data at CSP place, initiate data access request to Owner, obtain the certificate of authority and key from Owner.The certificate of authority shows to CSP by User, gets encrypt data from CSP.The key management module KM of User end, before data decryption, judges the availability of key, if key can be used, then uses secret key decryption data, clear data is returned to User.If key has exceeded predetermined access times or key receives Replay Attack, KM will delete key, and " return " key" loads failure information, thus achieves the control to key access times.
Under the cloud memory module of embodiment based on the key access times management system framework of credible platform module as shown in Figure 1, comprising:
Data owner Owner end is provided with credible platform module TPMo, key management finger daemon module KMD, encrypting module DE:
Credible platform module TPMo: credible platform module is commonly referred to as TPM, the credible platform module that data owner Owner holds is designated TPMo by embodiment.Credible platform module can provide physics monotone counter, provides the keys such as storage root key SRK, migration key and Binding key, carries out some secret key encryptions and decryption oprerations in inside.
Key management finger daemon module KMD: provide secret generating function, accepts the key request of user User, and performs key migration agreement alternately with the key management module KM of User key is sent to User;
Data encryption module DE: provide data encryption feature, is uploaded to cloud service provider CSP by after data symmetric password encryption.
Data consumer User end is provided with credible platform module TPMu, VIRTUAL COUNTER administration module VCM, key management module KM:
Credible platform module TPMu: credible platform module is commonly referred to as TPM, the credible platform module that data consumer User holds is designated TPMu by embodiment.Credible platform module can provide physics monotone counter, provides the keys such as storage root key SRK, migration key and Binding key, carries out some secret key encryptions and decryption oprerations in inside.
VIRTUAL COUNTER administration module VCM: provide and create virtual monotone counter function, with TPMu alternately for each applies the virtual monotone counter V_counter of establishment one, and perform corresponding order management and use virtual monotone counter V_counter, comprise the currency increasing V_counter, the currency reading V_counter;
Key management module KM: provide and ask key to data owner Owner, search key in local file system, judge whether key can be used, delete the function such as key, data decryption, perform key migration agreement alternately with the key management finger daemon module KMD of Owner and obtain key from Owner, and obtain the currency of V_counter alternately to judge whether key can be used with VIRTUAL COUNTER administration module VCM.As key can be used, then data decryption, returns to application program by clear data; If key has exceeded predetermined access times or key receives Replay Attack, delete key, " return " key" loads failure information.
During concrete enforcement, each module can adopt computer software mode to realize with reference to workflow by those skilled in the art.
Based on the system architecture of embodiment, realize the groundwork flow process that key uses, comprise following step, as shown in Figure 1:
(1) data owner Owner is encrypted data, and is uploaded in the server of cloud service provider CSP by the encrypt data after encryption.
(2) when data consumer User wants usage data owner Owner to be stored in the data at cloud service provider CSP place, data access request is initiated to data owner Owner.
(3) identity of data owner Owner verification msg user User and access rights, if User is disabled user or initiates access request to the data that it does not have access rights, then do not respond the request of User; Otherwise Owner issues access authorization certificate to User, and the relevant informations such as key are sent to safely User; User obtains data encryption key by key migration agreement
dEKafter, perform key storage flow process at local secure storage data encryption key
dEK.
(4) information such as the identity of data consumer User and access rights are sent to cloud service provider CSP by data owner Owner.
(5) data consumer User initiates data access request to cloud service provider CSP, and the access authorization certificate issued by data owner Owner shows the identity and the access rights that judge User to CSP, CSP according to the information such as User identity and access rights that Owner provides; If User can visit data, then encrypt data is sent to User; Otherwise, do not respond the access request of User.
(6) after data consumer User gets encrypt data from cloud service provider CSP, by the data encryption key obtained from data owner Owner
dEKdeciphering visit data.
Consider data encryption key
dEKreuse, the present invention proposes further: if User obtains data encryption key from Owner
dEK, then perform key loading flow process and decrypt data encryption key
dEK, then use data encryption key
dEKdata decryption, obtains clear data.After obtaining clear data, User just performs key storage flow process by data encryption key
dEKstore in this locality.If User does not also obtain data encryption key from Owner
dEK, then first perform key migration agreement and obtain data encryption key
dEK, obtain data encryption key
dEKafter first perform key storage flow storage data encryption key
dEK, perform key afterwards again and load flow process and key storage flow process.
As shown in Figure 5, the data consumer User end of embodiment manages key access times.Data consumer User end may have multiple application program to need to use key, as applied 1 ... application n, respectively has counterpart keys.A certain application program specifically uses the implementation of key to comprise the following steps,
Step 1, after key management module KM receives the data access request messages of application program, first searches data encryption key corresponding to this encrypt data in local file system
dEKwhether exist, if do not exist, then go to step 2; Exist and then go to step 3.
Step 2, key management module KM initiates key application to data owner Owner, and completes data encryption key by key migration agreement
dEKtransmission, obtain data encryption key
dEK; Then, key management module KM and VIRTUAL COUNTER administration module VCM is this data encryption key alternately
dEKgenerate a record data encryption key
dEKthe VIRTUAL COUNTER V_counter of access times, the value of this V_counter of initialization
vCbe 0; And perform key storage, by data encryption key
dEKbe stored securely in local file system, and in local file system, safeguard the data handle of encrypt data
iD data , key handles
iD dEK and the handle of VIRTUAL COUNTER V_counter
iD v_counter between corresponding relation;
The identity of data consumer User and access authority information are sent to cloud service provider CSP by data owner Owner;
Data consumer User initiates data access request to cloud service provider CSP, and the access authorization certificate issued by data owner Owner shows to cloud service provider CSP, the identity of the identity that cloud service provider CSP provides according to Owner and access authority information verification msg user User and access rights, then send to data consumer User by encrypt data;
Go to step 3.
Follow-uply reuse data encryption key
dEKtime, without the need to transmission data encipher key again
dEKand encrypt data.
Step 3, key management module KM loads data encryption key
dEK, in loading procedure, judge data encryption key
dEKthe number of times used
vCwhether having exceeded data owner Owner is data encryption key
dEKthe access times of specifying
n.If data encryption key
dEKthe number of times used
vCexceed data encryption key
dEKthe access times of specifying
n, namely
vC>
n, then by data encryption key
dEKdelete from local file system, and " return " key" loads failure information; If key loads successfully, go to step 4.
Step 4, key management module KM usage data encryption key
dEKthe encrypt data of decryption application request access, and clear data is returned to application program.
Step 5, key management module KM performs key storage, again by data encryption key
dEKbe stored in local file system.Use data encryption key at every turn like this
dEKafter all perform a key storage flow process at local secure storage data encryption key
dEK.
For the sake of ease of implementation, be described further as follows to several critical stages of said system workflow:
1. data owner end to data processing stage:
Data owner Owner to data processing stage, mainly comprise following step:
110) identifier of data encryption module DE enciphered data Data, data Data is data handle
iD data , data encryption module DE is by data handle
iD data issue key management finger daemon module KMD, initiate to generate key request to key management finger daemon module KMD;
120) key management finger daemon module KMD stochastic generation data encryption key
dEK, and by data encryption key
dEKpass to data encryption module DE.Data encryption key
dEKfile handle be
iD dEK , key management finger daemon module KMD is in local maintenance and store data handle
iD data with file handle
iD dEK corresponding relation;
130) data encryption module DE AES encryption algorithm is to data Data data encryption key
dEKencryption, and gained encrypt data is uploaded in the server of cloud service provider CSP;
140) key management finger daemon module KMD initiates Binding key to credible platform module TPMo and generates request, by data encryption key
dEKissue credible platform module TPMo, credible platform module TPMo is data encryption key
dEKgenerate a Binding key
ownerBindKey, and use Binding key
ownerBindKeyto data encryption key
dEKencryption, returns to key management finger daemon module KMD by gained ciphertext
150) key management finger daemon module KMD safe data storage encryption key in local file system
dEK, namely preserve credible platform module TPMo Binding key
ownerBindKeyto data encryption key
dEKencryption gained ciphertext.
2. the cipher key delivery stage:
Cipher key delivery based on a key migration protocol realization, as shown in Figure 2:
First key management module KM initiates key application to data owner Owner, performs following steps:
210) the key management module KM that data consumer User holds asks credible platform module TPMu to generate a unsymmetrical key
asyKey, unsymmetrical key
asyKeyfather's key be credible platform module TPMu storage root key (
storage Root Key,
sRK), and obtain unsymmetrical key
asyKeypKI
asyKey_pub, (unsymmetrical key
asyKeyprivate key
asyKey_priby the storage root key of credible platform module TPMu
sRKbe stored in TPMu outside after encryption, use unsymmetrical key
asyKeytime, first by the private key after encryption
asyKey_pribe loaded into credible platform module TPMu, by the storage root key of credible platform module TPMu
sRKdeciphering, is easy description, hereafter no longer explains);
220) key management module KM is by PKI
asyKey_pub, subscriber identity information UserInfo and the data request information DataReq key management that sends to data owner Owner to hold guards module KMD.
Then completed the transmission of key by key migration agreement, perform following steps:
310) module KMD identifying user identity information UserInfo and data request information DataReq is guarded in key management, if checking is not passed through, then and the operation of termination protocol; If be verified, then guarded the data handle of module KMD maintenance and storage by key management
iD data with file handle
iD dEK between relation search corresponding data encryption key
dEK, and produce data encryption key
dEKthe access times of specifying
n, by data encryption key
dEKappointment access times
nwith data encryption key
dEKcarry out series connection and obtain character string
n||
dEK.
320) key management is guarded module KMD and key information KeyInfo is passed to credible platform module TPMo, and credible platform module TPMo generates a transportable Binding key
bindKey;
330) key management guards module KMD by character string
n||
dEK, PKI
asyKey_pubpass to credible platform module TPMo, credible platform module TPMo verifies Binding key
bindKeymigration authorization message, be verified, use Binding key
bindKeypKI
bindKey_pubto character string
n||
dEKencryption, uses PKI
asyKey_pubto Binding key
bindKey(comprise
bindKeypKI and private key) encryption, and by gained cipher-text information
e bindKey_pub (
n||
dEK) and
e asyKey_pub (
bindKey) return to key management and guard module KMD;
340) key management guards module KMD by the cipher-text information after encryption, namely
e bindKey_pub (
n||
dEK) and
e asyKey_pub (
bindKey), send to key management module KM, complete data encryption key
dEKtransmission.
3. the key operational phase of holding data consumer:
Data encryption key
dEKwhen the use of data consumer's end, need to carry out key storage flow process, key loading flow process to realize data encryption key in this locality
dEKsafe storage and limited use.
Key storage flow process comprises following step, as shown in Figure 3:
410) counter that key management module KM calls VIRTUAL COUNTER administration module VCM increases the value that order increment order makes virtual monotone counter
vCadd 1, and obtain after increase
vCvalue;
vCwhat record is exactly data encryption key
dEKcurrent access times.
dEKuse once,
vCjust increase by 1 time
420) key management module KM is by data encryption key
dEKappointment access times
n, data encryption key
dEKaccess times
vCand data encryption key
dEKuse hash function
hash() is signed, and obtains signing messages
digest=
hash(
n||DEK||VC);
430) key management module KM is by character string
n||
dEKand cipher-text information
e asyKey_pub (
bindKey) be loaded into credible platform module TPMu inside, credible platform module TPMu private key
asyKey_prito cipher-text information
e asyKey_pub (
bindKey) decrypt Binding key
bindKey, then by PKI
bindKey_pubenciphered data encryption key
dEKappointment access times
nand data encryption key
dEK, and by the cipher-text information after encryption
e bindKey_pub (
n||
dEK) return to key management module KM;
440) key management module KM will to data encryption key
dEKappointment access times
n, data encryption key
dEKaccess times
vCand data encryption key
dEKgained signing messages after signature
digestand cipher-text information
e bindKey_pub (
n||
dEK),
e asyKey_pub (
bindKey) be saved in local file system.
Key loads flow process and is used for the loading of key management module KM execution key, implementation comprise first determine whether first time load key, if then perform following sub-step 510)-540), if not then perform following sub-step 510)-550),, as shown in Figure 4:
510) key management module KM reads key information from local file system (can adopt key file list), obtains signing messages
digest, Binding key after encryption
bindKeyand data encryption key
dEK, i.e. cipher-text information
e bindKey_pub (
n||
dEK) and
e asyKey_pub (
bindKey);
520) key management module KM is by cipher-text information
e asyKey_pub (
bindKey) be loaded into credible platform module TPMu inside, credible platform module TPMu unsymmetrical key
asyKeyprivate key
asyKey_prideciphering obtains Binding key
bindKey;
530) key management module KM is by cipher-text information
e bindKey_pub (
n||
dEK) being loaded into credible platform module TPMu inside, credible platform module TPMu uses Binding key
bindKeydeciphering obtains data encryption key
dEKappointment access times
nand data encryption key
dEK, and by data encryption key
dEKappointment access times
nand data encryption key
dEKreturn to key management module KM;
540) key management module KM is to VIRTUAL COUNTER administration module VCM request msg encryption key
dEKthe currency of VIRTUAL COUNTER V_counter
vCif, data encryption key
dEKaccess times
vCvalue is greater than data encryption key
dEKappointment access times
nthen by data encryption key
dEKdestroy, return and load unsuccessfully; Otherwise, perform 550);
550) key management module KM uses hash function
hash() is to data encryption key
dEKappointment access times
n, data encryption key
dEKaccess times
vCvalue and data encryption key
dEKcertifying signature information, namely calculates
digest '=
hash(
n||DEK||VC), if
digest=
digest 'then being verified " return " key" loads successfully; Otherwise " return " key" loads unsuccessfully.
Specific embodiment described herein is only to the explanation for example of the present invention's spirit.Those skilled in the art can make various amendment or supplement or adopt similar mode to substitute to described specific embodiment, but can't depart from spirit of the present invention or surmount the scope that appended claims defines.
Claims (6)
1. under a cloud memory module based on the key access times management method of credible platform module, it is characterized in that: arrange credible platform module TPMo, key management finger daemon module KMD and encrypting module DE at data owner Owner end, data consumer User end arranges credible platform module TPMu, VIRTUAL COUNTER administration module VCM and key management module KM; Data owner Owner is encrypted data, and uploads in the server of cloud service provider CSP by the encrypt data after encryption;
Data consumer User end manages key access times, and implementation comprises the following steps,
Step 1, after key management module KM receives the data access request messages of application program, whether the data encryption key DEK first searching this encrypt data corresponding in local file system exists, if do not exist, then goes to step 2; Exist and then go to step 3;
Step 2, key management module KM initiates key application to data owner Owner, and is completed the transmission of data encryption key DEK by key migration agreement, obtains data encryption key DEK; Then, key management module KM and VIRTUAL COUNTER administration module VCM generates for this data encryption key DEK the VIRTUAL COUNTER V_counter that is recorded key access times alternately, and the value VC of this V_counter of initialization is 0; And perform key storage, data encryption key DEK is stored securely in local file system, and in local file system, safeguards the data handle ID of encrypt data
data, file handle ID
dEKand the handle ID of VIRTUAL COUNTER V_counter
v_counterbetween corresponding relation;
The identity of data consumer User and access authority information are sent to cloud service provider CSP by data owner Owner;
Data consumer User initiates data access request to cloud service provider CSP, and the access authorization certificate issued by data owner Owner shows to cloud service provider CSP, the identity of the identity that cloud service provider CSP provides according to Owner and access authority information verification msg user User and access rights, then send to data consumer User by encrypt data;
Then 3 are gone to step;
Step 3, key management module KM loads data encryption key DEK, and judging in loading procedure whether number of times VC that data encryption key DEK has used has exceeded data owner Owner is the access times N that this data encryption key DEK specifies; If the number of times VC that data encryption key DEK has used has exceeded the access times N that data encryption key DEK specifies, then this data encryption key DEK is deleted from local file system, and " return " key" loads failure information; If key loads successfully, go to step 4;
Step 4, key management module KM uses the encrypt data of DEK decryption application request access, and clear data is returned to application program;
Step 5, key management module KM performs key storage, is again stored in local file system by data encryption key DEK.
2. according to claim 1 under cloud memory module based on the key access times management method of credible platform module, it is characterized in that: described data owner Owner is encrypted data, and the encrypt data after encryption is uploaded in the server of cloud service provider CSP, implementation comprises following sub-step
110) identifier of data encryption module DE enciphered data Data, data Data is data handle ID
data, data encryption module DE is by data handle ID
dataissue key management finger daemon module KMD, initiate to generate key request to key management finger daemon module KMD;
120) key management finger daemon module KMD stochastic generation data encryption key DEK, and data encryption key DEK is passed to data encryption module DE; The file handle of data encryption key DEK is ID
dEK, key management finger daemon module KMD is in local maintenance and store data handle ID
datawith file handle ID
dEKcorresponding relation;
130) data encryption module DE AES encryption algorithm is encrypted data Data data encryption key DEK, and uploads in the server of cloud service provider CSP by gained encrypt data;
140) key management finger daemon module KMD initiates Binding key to credible platform module TPMo and generates request, data encryption key DEK is issued credible platform module TPMo, credible platform module TPMo is that data encryption key DEK generates a Binding key OwnerBindKey, and with Binding key OwnerBindKey, data encryption key DEK is encrypted, gained ciphertext is returned to key management finger daemon module KMD;
150) key management finger daemon module KMD safe data storage encryption key DEK in local file system, implementation encrypts gained ciphertext for preserving credible platform module TPMo Binding key OwnerBindKey to data encryption key DEK.
3. according to claim 2 under cloud memory module based on the key access times management method of credible platform module, it is characterized in that: described key management module KM initiates key application to data owner Owner, and implementation comprises following sub-step,
210) the key management module KM that data consumer User holds asks credible platform module TPMu to generate a unsymmetrical key AsyKey, father's key of unsymmetrical key AsyKey is the storage root key of credible platform module TPMu, and obtains the PKI AsyKey_pub of unsymmetrical key AsyKey;
220) key management that PKI AsyKey_pub, subscriber identity information UserInfo and data request information DataReq send to data owner Owner to hold is guarded module KMD by key management module KM.
4. according to claim 3 under cloud memory module based on the key access times management method of credible platform module, it is characterized in that: the described transmission being completed data encryption key DEK by key migration agreement, implementation comprises following sub-step,
310) module KMD identifying user identity information UserInfo and data request information DataReq is guarded in key management, if checking is not passed through, then stops the operation of key migration agreement; If be verified, then guarded the data handle ID of module KMD maintenance and storage by key management
datawith file handle ID
dEKbetween relation search corresponding data encryption key DEK, and produce the appointment access times N of data encryption key DEK, appointment access times N and the data encryption key DEK of data encryption key DEK carried out connecting obtaining character string N||DEK;
320) key management is guarded module KMD and key information KeyInfo is passed to credible platform module TPMo, and credible platform module TPMo generates a transportable Binding key BindKey;
330) key management is guarded module KMD and character string N||DEK, PKI AsyKey_pub is passed to credible platform module TPMo, credible platform module TPMo verifies the migration authorization message of Binding key BindKey, be verified and then with the PKI BindKey_pub of Binding key BindKey, character string N||DEK encrypted, with PKI AsyKey_pub, Binding key BindKey is encrypted, and by gained cipher-text information E
bindKey_puband E (N||DEK)
asyKey_pub(BindKey) return to key management and guard module KMD;
340) key management guards module KMD by the cipher-text information E after encryption
bindKey_puband E (N||DEK)
asyKey_pub(BindKey), send to key management module KM, complete the transmission of data encryption key DEK.
5. according to claim 4 under cloud memory module based on the key access times management method of credible platform module, it is characterized in that: described key management module KM performs key storage flow process safe data storage encryption key DEK in local file system, implementation comprises following sub-step
410) counter that key management module KM calls VIRTUAL COUNTER administration module VCM increases order increment order makes the value VC of virtual monotone counter add 1, and obtains the VC value after increase;
420) key management module KM by appointment access times N, the data encryption key DEK of data encryption key DEK access times VC and data encryption key DEK use hash function hash () to sign, obtain signing messages digest=hash (N||DEK||VC);
430) key management module KM is by N||DEK and cipher-text information E
asyKey_pub(BindKey) be loaded into credible platform module TPMu inner, credible platform module TPMu with private key AsyKey_pri to cipher-text information E
asyKey_pub(BindKey) Binding key BindKey is decrypted, then by the appointment access times N of PKI BindKey_pub enciphered data encryption key DEK and data encryption key DEK, and by the cipher-text information E after encryption
bindKey_pub(N||DEK) key management module KM is returned to;
440) key management module KM is by appointment access times N, the data encryption key DEK rear gained signing messages digest and cipher-text information E of access times VC and DEK signature to data encryption key DEK
bindKey_pub(N||DEK), E
asyKey_pub(BindKey) be saved in local file system.
6. according to claim 5 under cloud memory module based on the key access times management method of credible platform module, it is characterized in that: described key management module KM performs key and loads flow process, implementation comprise first determine whether first time load key, if then perform following sub-step 510)-540), if not then perform following sub-step 510)-550)
510) key management module KM reads key information from local file system, obtains signing messages digest, the rear Binding key BindKey and data encryption key DEK gained cipher-text information E of encryption
bindKey_puband E (N||DEK)
asyKey_pub(BindKey);
520) key management module KM is by cipher-text information E
asyKey_pub(BindKey) be loaded into credible platform module TPMu inner, the private key AsyKey_pri deciphering of credible platform module TPMu unsymmetrical key AsyKey obtains Binding key BindKey;
530) key management module KM is by cipher-text information E
bindKey_pub(N||DEK) credible platform module TPMu is loaded into inner, credible platform module TPMu uses Binding key BindKey deciphering to obtain appointment access times N and the data encryption key DEK of data encryption key DEK, and the appointment access times N of data encryption key DEK and data encryption key DEK is returned to key management module KM;
540) key management module KM is to the currency VC of the VIRTUAL COUNTER V_counter of VIRTUAL COUNTER administration module VCM request msg encryption key DEK, if the number of times VC value that data encryption key DEK has used is greater than the appointment access times N of data encryption key DEK, data encryption key DEK is destroyed, returns and load unsuccessfully; Otherwise, perform 550);
550) key management module KM uses the number of times VC value that used of hash function hash () appointment access times N, data encryption key DEK to access times data encryption key DEK and data encryption key DEK certifying signature information, namely calculate digest '=hash (N||DEK||VC), if digest=digest ', be verified " return " key" and load successfully; Otherwise " return " key" loads unsuccessfully.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201310104307.1A CN103138939B (en) | 2013-03-28 | 2013-03-28 | Based on the key access times management method of credible platform module under cloud memory module |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201310104307.1A CN103138939B (en) | 2013-03-28 | 2013-03-28 | Based on the key access times management method of credible platform module under cloud memory module |
Publications (2)
Publication Number | Publication Date |
---|---|
CN103138939A CN103138939A (en) | 2013-06-05 |
CN103138939B true CN103138939B (en) | 2015-09-16 |
Family
ID=48498295
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201310104307.1A Active CN103138939B (en) | 2013-03-28 | 2013-03-28 | Based on the key access times management method of credible platform module under cloud memory module |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN103138939B (en) |
Families Citing this family (17)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN103581190B (en) * | 2013-11-07 | 2016-04-27 | 江南大学 | A kind of file security access control method based on cloud computing technology |
CN105553661B (en) * | 2014-10-29 | 2019-09-17 | 航天信息股份有限公司 | Key management method and device |
CN104484624B (en) * | 2014-12-15 | 2018-08-28 | 上海新储集成电路有限公司 | A kind of monotone counter and the dull method counted |
CN105426771B (en) * | 2015-10-28 | 2018-06-26 | 成都比特信安科技有限公司 | A kind of method for realizing big data safety |
CN105357202A (en) * | 2015-11-12 | 2016-02-24 | 中国电子科技网络信息安全有限公司 | Cloud platform user key management device and management method |
CN105653965B (en) * | 2016-01-22 | 2018-09-11 | 东信和平科技股份有限公司 | A kind of intelligence card encoder monitoring device and method |
CN105871539B (en) * | 2016-03-18 | 2020-02-14 | 华为技术有限公司 | Key processing method and device |
EP3535683B1 (en) * | 2016-11-04 | 2020-10-21 | Visa International Service Association | Data encryption control using multiple controlling authorities |
CN108199837B (en) * | 2018-01-23 | 2020-12-25 | 新华三信息安全技术有限公司 | Key negotiation method and device |
US11316693B2 (en) * | 2018-04-13 | 2022-04-26 | Microsoft Technology Licensing, Llc | Trusted platform module-based prepaid access token for commercial IoT online services |
CN109587115B (en) * | 2018-11-02 | 2021-01-26 | 青岛微智慧信息有限公司 | Safe distribution and use method of data files |
WO2020168546A1 (en) * | 2019-02-22 | 2020-08-27 | 云图有限公司 | Secret key migration method and apparatus |
US11556365B2 (en) | 2019-09-24 | 2023-01-17 | International Business Machines Corporation | Obscuring information in virtualization environment |
CN110806919B (en) * | 2019-09-25 | 2021-11-02 | 苏州浪潮智能科技有限公司 | Method and system for protecting virtual machine image in cloud environment |
CN112073194B (en) * | 2020-09-10 | 2021-06-22 | 四川长虹电器股份有限公司 | Security management method for resisting secret key leakage |
CN112840683B (en) * | 2021-01-18 | 2022-04-22 | 华为技术有限公司 | Vehicle key management method, device and system |
CN113642018A (en) * | 2021-08-11 | 2021-11-12 | 永旗(北京)科技有限公司 | Key management method based on block chain |
Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN1889431A (en) * | 2006-07-27 | 2007-01-03 | 北京飞天诚信科技有限公司 | Multifunction intelligent key equipment and safety controlling method thereof |
CN101282220A (en) * | 2008-05-14 | 2008-10-08 | 北京深思洛克数据保护中心 | Information safety equipment for reinforcing key use security as well as implementing method thereof |
Family Cites Families (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20110047381A1 (en) * | 2009-08-21 | 2011-02-24 | Board Of Regents, The University Of Texas System | Safemashups cloud trust broker |
-
2013
- 2013-03-28 CN CN201310104307.1A patent/CN103138939B/en active Active
Patent Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN1889431A (en) * | 2006-07-27 | 2007-01-03 | 北京飞天诚信科技有限公司 | Multifunction intelligent key equipment and safety controlling method thereof |
CN101282220A (en) * | 2008-05-14 | 2008-10-08 | 北京深思洛克数据保护中心 | Information safety equipment for reinforcing key use security as well as implementing method thereof |
Non-Patent Citations (2)
Title |
---|
一种适于云存储的数据确定性删除方法;王丽娜 等;《电子学报》;20120228(第2期);全文 * |
基于可信平台模块的虚拟单调计数器研究;李昊 等;《计算机研究与发展》;20110331(第3期);全文 * |
Also Published As
Publication number | Publication date |
---|---|
CN103138939A (en) | 2013-06-05 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN103138939B (en) | Based on the key access times management method of credible platform module under cloud memory module | |
CN109862041B (en) | Digital identity authentication method, equipment, device, system and storage medium | |
US11799656B2 (en) | Security authentication method and device | |
US8196186B2 (en) | Security architecture for peer-to-peer storage system | |
US20140112470A1 (en) | Method and system for key generation, backup, and migration based on trusted computing | |
CN109361668A (en) | A kind of data trusted transmission method | |
CN109379387B (en) | Safety certification and data communication system between Internet of things equipment | |
CN101409619B (en) | Flash memory card and method for implementing virtual special network key exchange | |
CN105471833A (en) | Safe communication method and device | |
US11831753B2 (en) | Secure distributed key management system | |
US20220108028A1 (en) | Providing cryptographically secure post-secrets-provisioning services | |
CN105100076A (en) | Cloud data security system based on USB Key | |
CN106027503A (en) | Cloud storage data encryption method based on TPM | |
CN107920052B (en) | Encryption method and intelligent device | |
CN108809633B (en) | Identity authentication method, device and system | |
US20220014367A1 (en) | Decentralized computing systems and methods for performing actions using stored private data | |
Kim et al. | Puf based iot device authentication scheme | |
CN111970114B (en) | File encryption method, system, server and storage medium | |
CN111104691A (en) | Sensitive information processing method and device, storage medium and equipment | |
US20130124860A1 (en) | Method for the Cryptographic Protection of an Application | |
Jalil et al. | A secure and efficient public auditing system of cloud storage based on BLS signature and automatic blocker protocol | |
CN104767766A (en) | Web Service interface verification method, Web Service server and client side | |
CN114154181A (en) | Privacy calculation method based on distributed storage | |
CN103944721A (en) | Method and device for protecting terminal data security on basis of web | |
CN105871858A (en) | Method and system for ensuring high data safety |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
C14 | Grant of patent or utility model | ||
GR01 | Patent grant |