CN103546547A - Cryptosystem for cloud storage files - Google Patents
Cryptosystem for cloud storage files Download PDFInfo
- Publication number
- CN103546547A CN103546547A CN201310466023.7A CN201310466023A CN103546547A CN 103546547 A CN103546547 A CN 103546547A CN 201310466023 A CN201310466023 A CN 201310466023A CN 103546547 A CN103546547 A CN 103546547A
- Authority
- CN
- China
- Prior art keywords
- file
- encryption
- user
- storage
- client
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
Images
Abstract
The invention relates to a cryptosystem for cloud storage files. The cryptosystem comprises a file encryption filter, a crypto module, a key management and service system, a key management and service client. Encryption and decryption of the cloud storage files can be achieved through the file encryption filter under the condition of not changing a file cloud storage system, and processing software or programs corresponding to encrypted files can use the encrypted files insusceptibly. Furthermore, an independent third party is used to run the key management and service system for providing key service, only a user himself or herself can be guaranteed to be able to see files stored in a cloud system. In a word, by the aid of the cryptosystem, information security problem of cloud storage of the files is well solved.
Description
Technical field
The invention belongs to field of information security technology, particularly a kind of cloud storage file encryption system.
Background technology
It is a kind of system that network data stores service is provided that the cloud storage system (being called for short file cloud storage system) of file storage is provided, and it,, due to easy to use, receives praises from customers.But the data security of cloud storage system is the problem that cloud storage user is concerned about, worries most most all the time, is again the problem solving not yet well at present, it is also one of obstacle hindering the development of cloud storage service.
It is to being stored in the file encryption in high in the clouds system (service end of file cloud storage system) that file in cloud storage is carried out to the most effective scheme of safeguard protection, and a kind of simple cloud storage file encipherment scheme is wherein: user is before uploading to file the high in the clouds system of file cloud storage system, first own manual tool using is encrypted being stored in the file in high in the clouds, as use the encryption function of compressing file instrument WinZip, WinRAR, or use special file encryption instrument (as the instrument of deedbox, safety cabinet and so on); After on the file in the system of high in the clouds being downloaded to subscriber's local computing equipment (as PC, mobile terminal), before using file, the instrument that re-uses is decrypted operation to encrypted file (abbreviation encrypt file).But the disadvantage of this scheme is user uses inconvenience, and be not inconsistent (having increased extra encryption, decryption oprerations) with user's common use habit.
To a solution of this problem, be by cloud storage client, automatically file to be encrypted when the upload file; During download file, cloud storage client is decrypted encrypted file automatically.This to the scheme of file encryption, deciphering, there are the following problems automatically when uploading, downloading: current file cloud storage system is except there being system beyond the clouds to preserve the function of user file, a lot of file cloud storage systems also provide synchronously renewing file function, and soon with user, the file (as the file under certain file directory) in local computing device (PC, mobile terminal) synchronously upgrades (according to the synchronous update strategy of setting) to the user file in the system of high in the clouds automatically; Had after synchronizing function, if the scheme of encrypting while still adopting foregoing upload file, carrying out file encryption, deciphering during download file, may there is so carrying out the situation that a large amount of file encryptions or decryption oprerations are processed during simultaneous operation, this is obviously inappropriate, not only efficiency is low, and bring extra complexity (because the consistency of judgement high in the clouds file and local file will be more complicated to synchronous processing, even may not, such as, if judge the consistency of file by comparing the mode of the information fingerprint of file).
With regard to being kept at the data encryption and decryption technology scheme of user file of high in the clouds system of file cloud storage system, the simplest a kind of scheme is that the password generated symmetric key that utilizes file cloud storage system user (owner of file) oneself to set is encrypted and deciphers (at subscription client or file storage high in the clouds, be encrypted, decryption oprerations process) to leaving the user file of high in the clouds system in.The shortcoming of this scheme is: the one, and password is easily cracked, and the 2nd, once user has forgotten password, so, user oneself also cannot decipher, use one's own encrypt file, thereby make troubles or lose to the user of file cloud storage system.A kind of scheme addressing this problem is to allow file cloud storage system (high in the clouds) also preserve a user's password or the key of password generated, in needs for user recovers password or key, but the problem that this password or key recovery scheme are brought is: the one, and file cloud storage system operator can see that user is kept at the file content in the high in the clouds system of file cloud storage system by the password preserved or key, and this to be often user do not wish occur or the thing worried (such as organization user is kept at the customer data file in file cloud storage system, financial data file etc. is all that organization user does not wish that file cloud storage system operator sees), the 2nd, be kept at user password in file cloud storage system or key itself exist stolen possibility (such as due to suffer outside attack or from inner stealing).
Except the above problem, for the file encryption of file cloud storage system, also have a problem to need to solve: how for the file cloud storage system of having disposed, in situation that system is not modified, to realize encryption, the decipher function of file.This is because file cloud storage system is a huge system, in order to add encryption function, original system is changed to the newly deployed cost of laying equal stress on by being that huge ,Bu Huibei cloud storage service provider accepts, and also can not accepted by user.
For the problem that in above file cloud storage system, file encryption faces, the present invention intends adopting file encryption filter to solve in conjunction with the technical scheme of separate keys service.
Described file encryption filter is that a kind of particular filter that file is encrypted and is deciphered in computer file system drives (Filter Driver).Current most computers system all adopts driving stack (the Loadable Driver Stack) framework that can load, and filter drives (Filter Driver) to be a kind ofly encased in this file system driver stack and the driving that file system function is expanded, it defers to the driving interface of standard, can tackle the operation calls for file, comprise establishment, read, write, deleted file, and arrange, obtain the operation of fileinfo, and as required file operation is intervened, comprise for file and reading, writing data is encrypted and decryption processing automatically.To utilize in the present invention file encryption filter to realize file encryption, deciphering, automatic encryption while comprising upload file, file in synchronization folder is encrypted automatically, and open, while reading encrypt file, automatically encrypt file be decrypted to operation etc. when handling procedure corresponding to encrypt file (application program).This by the scheme that adopts file encryption filter automatically file to be encrypted, to be deciphered in needs, not only can meet user operation use habit, avoided as much as possible user's intervention, and can in the situation that existing file cloud storage system not being modified, realize data encryption, the deciphering of cloud storage file.
So-called separate keys service is exactly that independently key management and service system are stored the service that user provides data encryption, deciphers related key for cloud by one, comprise generation, recover, this independently key management and service system can by one with the mechanism of operating file cloud storage system or department mutually independently mechanism or department be responsible for operation (such as by one independently third party be responsible for operation), thereby avoid the travelling mechanism of file cloud storage system can obtain the key of decrypted user data.
Summary of the invention
The object of this invention is to provide a kind of encryption, deciphering that not only can realize cloud storage file, and can in encryption, decrypting process, user's intervention be reduced to a minimum, by cipher key service independently, guarantee the safety of file encryption, decruption key and only have user just can see encrypted file simultaneously, and can be at the cloud storage file encryption system of realizing the function of encrypting, deciphering without existing file cloud storage system is done to any change in the situation that.
To achieve these goals, the technical solution adopted in the present invention is:
A storage file encryption system, described encryption system comprises:
File encryption filter: the filter that carries out file encryption, decryption processing being inserted in the driving stack of user's computing equipment file system drives; Described file encryption filter for file cloud storage system by cloud store that client is set in user's computing equipment file system, need to store the file that creates and copy under user's computing equipment local file catalogue of the file synchronization in the system of high in the clouds with file, automatically carry out file encryption, and no matter to create, copy main body be that trusted process is also non-trusted process; The local file catalogue that described needs carry out synchronous user's computing equipment of processing is called synchronous directory; During the file of the corresponding types after encryption of trusted process reading and writing, described file encryption filter carries out file decryption, encryption automatically; When an encrypt file of non-trusted process reading and writing, described file encryption filter not for encrypt file be decrypted, encryption, for the non-trusted process of an encrypt file, what when non-trusted process reads this document, read is ciphertext, if revised file data while writing, will cause file destroyed (if do not have revised file data while writing, not affecting original); When file storage man-machine interaction client or file storage sync client read the non-encrypted file of user's computing equipment this locality, whether the file no matter being read is under synchronous directory, and described file encryption filter guarantees that file data that file storage man-machine interaction client or file storage sync client read is through encrypting; Described file encryption filter calls crypto module file is encrypted, is deciphered;
Crypto module: install, operate on user's computing equipment, user file is encrypted for storing, decruption key, and the combination of carrying out component software or the software and hardware of Password Operations and crypto-operation; Described Password Operations comprises that key generates, imports, derives, deletes, and is called and carry out crypto-operation by file encryption filter, and described crypto-operation comprises data encryption, deciphering;
Key management and service system: be responsible for generating, manage and recover user's file encryption, the service system of decruption key is used to user that cipher key service is provided;
Key management and service client: the client utility that obtains online and manage for user key; When obtaining online or recover user for the key of file encryption, deciphering, described key management is connected key management and service system with service client, application is obtained or recovers user key, and differentiates with key management and the mutual completing user identity of service system in the process of obtaining or replying key; Described key management and service client be the key (comprising the symmetric key or the private key that obtain) for file encryption, deciphering by the user who obtains from key management and service system or recover, and is kept in described crypto module;
File encryption configuration management tool: operate in the program that user's computing equipment this locality is configured and manages encryption and decryption operational processes, comprise trusted and the non-trusted process of setting a file type; File encryption configuration management tool is an optional components, if require without existence without the configuration management of customization;
Described trusted process refer to the corresponding process software of a file type (as Word document) or program (as Word edit routine) on user's computing equipment, move after resulting program running example, or the trusted process that sets for a file type or All Files type of the file encryption configuration management tool that uses cloud storage file encryption system;
Described non-trusted process refers to every other program running example beyond trusted process corresponding to file type (comprise user's computing equipment local runtime and outside all program running examples of operation);
Described trusted process and non-trusted process are all for a file type, and different file types is to there being different trusted process (if Word, the corresponding trusted process of Excel document are respectively the running examples of Word program, Excel program);
Described trusted process, non-trusted process operate the file on subscriber's local computing equipment by common mode, comprise establishment, open, reading and writing, deletion action;
Described file cloud storage system refers to provide the system (comprise being deployed in stores service to be provided on the Internet towards the public or to be deployed in enterprises the system of stores service is provided towards employee) of network file stores service, and described file cloud storage system comprises file storage high in the clouds system, file storage man-machine interaction client, file storage sync client;
Described file storage high in the clouds system refers in file cloud storage system for storing service end system or the platform of user file;
Described file storage man-machine interaction client refers in local subscription client software or the program of using, the file cloud storage system of human-computer interaction function being provided of user's computing equipment, by described file storage man-machine interaction client user, can the file of user's computing equipment this locality be uploaded to file storage high in the clouds system by manual operations, or the file that file is stored in the system of high in the clouds downloads to user's computing equipment this locality, and the file being kept in the system of file storage high in the clouds is operated, comprise and check, delete;
Described file storage sync client refers to operate in software program or the assembly on user's computing equipment, file under the synchronous directory of its inspection user's computing equipment this locality and user are kept at the consistency of the respective file in the system of file storage high in the clouds, and (being about to this locality synchronizes with the respective file in high in the clouds according to predefined synchronization policy, to carry out corresponding file synchronization operation, as made progress and high in the clouds file synchronization, synchronize with local file downwards, or phase mutually synchronization), described file storage sync client is carried out mode or the automatic synchronization of file synchronization, automatically detect the variation of file and inconsistent and carry out corresponding file synchronization operation (at this moment file storage sync client normally operates in backstage) according to predefined synchronization policy, or manual synchronous, when being selected synchronous menu or pressed lockage button by human-computer interaction interface, user detects the variation of file and inconsistent and carry out corresponding file synchronization operation (at this moment according to corresponding synchronization policy, file storage man-machine interaction client and file storage sync client are normally two-in-one),
The cloud storage client of described setting synchronous directory is file storage man-machine interaction client, or file storage sync client, or other are specifically designed to other clients that the storage of file cloud arranges;
For all file types, file storage man-machine interaction client and file storage sync client belong to non-trusted process all the time;
For a concrete file cloud storage system, the above file storage man-machine interaction client and file storage sync client exist simultaneously, or only have an existence, or the two is integrated in a software program;
Division and the name of file storage high in the clouds system, file storage man-machine interaction client and the file storage sync client of described file cloud storage system, division and the name of carrying out according to the function composition of file cloud storage system, if a concrete file cloud storage system is different with name for the division of the assembly of corresponding function, described file encryption filter carries out corresponding file encryption, decryption oprerations processing (difference that is name does not affect enforcement of the present invention) for the assembly of implementing corresponding function;
File storage high in the clouds system, file storage man-machine interaction client and the file storage sync client of described file cloud storage system operate by common mode; or operate by original mode; mode when described common or original mode refers to not use described cloud storage file encryption system, described operation comprises that file uploads, downloads and synchronously (described file cloud storage system can be the file cloud storage system of having disposed).
When described file storage man-machine interaction client or file storage sync client read the non-encrypted file of user's computing equipment this locality, whether the file no matter being read is under synchronous directory, and described file encryption filter guarantees that file data that file storage man-machine interaction client or file storage sync client read is through encrypting as follows:
The first step: whether the local file that judgement will be read encrypt file, does not if so, do further encryption to the file data reading; Otherwise, proceed to next step;
Second step: whether the non-encrypted file reading under synchronous directory, is if so, first encrypted and makes it to become encrypt file the file that will read, and then return to the file data (encrypted file data) reading; Otherwise, to reading the file data returning, be encrypted, but original be not encrypted.
When any one process, comprise trusted and non-trusted process, while opening or reading a unencrypted file under subscriber's local computing equipment synchronous directory, described file encryption filter is automatically encrypted and makes it to become encrypt file the file that will open or read.
The setting of described cloud storage file encryption system by advance (as coding time preset) or file encryption configuration management tool are set the trusted process of every kind of file type, but for all file types, file storage man-machine interaction client and file storage sync client belong to non-trusted process all the time, can not change be set by file encryption configuration management tool.
If require human-computer interaction terminal (as the Explorer of Windows) by user's computing equipment operating system to copy out and be stored in file under the alternative document catalogue of user's computing equipment this locality from synchronous directory, with the form of non-encrypted file, exist, the human-computer interaction terminal program of user's computing equipment operating system is set to trusted process.
The form with non-encrypted file exists to the file under the local alternative document catalogue of the user's computing equipment beyond synchronous directory if require, by file, store man-machine interaction client downloads, and described file encryption filter is stored man-machine interaction client downloads (create, preserve) for file and is automatically decrypted processing to the encrypt file under synchronous directory alternative document catalogue in addition.
The present invention makes in the situation that existing file cloud storage system is made any changes, not realize the encryption of cloud storage file, deciphering by file encryption filter, and makes the alignment processing software of encrypt file or program can use insusceptibly encrypt file; Further, by adopting independent third party to move key management and service system provides cipher key service, can guarantee to only have user just can see the file of storing in the system of high in the clouds.In a word, the present invention has solved the safety encipher problem of file cloud storage well.
Accompanying drawing explanation
The schematic diagram of Fig. 1 cloud storage file of the present invention encryption system.
Embodiment
Below in conjunction with drawings and Examples, the invention will be further described.
File cloud storage system does not belong to the content that the present invention will implement, and it can be a file cloud storage system of having disposed existence, or the file cloud storage system of deployment newly developed.
How the filter of the file system based on computer (equipment) operating system drives and develop and realize file encryption filtration of the present invention, can be referring to the related development document of the file system of concrete computer system (equipment), such as, how for the file system of Windows operating system, to develop the related development data that file encryption filter can drive referring to the file filter device of Windows file system (particularly mini-Filter drives), document, these development data, document is at the developing web MSDN(msdn.microsoft.com.cn of Microsoft) and many open source informations all can obtain in comprising forum, and many data are described for exploitation file encryption filter specially.In other operating system, under (SuSE) Linux OS, also there is similar file filter device driving mechanism.
Described file encryption filter can be by adding a head or an additional afterbody in encrypted file, and in the head adding or additional afterbody, add that the flag information of making an appointment is distinguished, mark encryption file and non-encrypted file, and preservation with file encryption, decipher relevant key information, comprise the information such as key title, algorithm.Described file encryption filter also can adopt that other suitable modes are distinguished, mark encryption file and non-encrypted file, and provides with file encryption, deciphers relevant key information.
Key management and service system are service systems based on C/S model, and its client is key management and service client.The cryptographic system that file encryption adopts is depended in the realization of key management and service system.Here, adoptable cryptographic system can be symmetric-key cryptography, can be also non-symmetric-key cryptography.If what adopt is symmetric-key cryptography, concrete cryptographic algorithm can be 3DES or AES etc., and for the management of symmetric key, existing multiple administrative skill or system can be for adopting at present, wherein, symmetric key administrative skill based on sign or system are effectively the simplest: user ID is obtained to symmetric key corresponding to user ID with a master key (also referred to as seed key) by computing, and the user ID here can be the information that mailbox, cell-phone number, identification card number etc. can unique identification users.This symmetric key administrative skill or system based on sign is simple, and it is convenient to recover user key.
If encrypting the cryptographic system adopting is non-symmetric-key cryptography, concrete cryptographic algorithm can be RSA or ECC etc., key management system can adopt PKI/CA(Public Key Infrastructure/Certification Authority), and key management of the present invention and service system are the CA system+KMC(Key Management Center in PKI) system, wherein, KMC system for generation of, preserve the key pair of user encryption digital certificate, and in needs, recover the key pair of encrypted digital certificate, even can adopt simplification, the public-key cryptography management and service system that there is no digital certificate, only have KMC system to be responsible for generation, preserve the key pair of user encryption digital certificate, and in needs, recover the key pair of encrypted digital certificate, or, if concrete cryptographic algorithm is IBE(Identity Based Encryption), key management and service system are private key maker (Private Key Generator, PKG) and relevant user management, the Verification Systems in IBE.
Determined after the scheme of the cryptographic system that adopts and corresponding cryptographic algorithm, key management and service, the concrete exploitation of key management and service system realizes can use common development of information system technology, as C/C++ or C# .Net or J2EE open language mention environment.
Key management and service client can be used C/C++ exploitation.The information interaction agreement of key management and service system and key management and service client, relevant with service system scheme with adopted cryptographic system, cryptographic algorithm and corresponding key management, if adopt symmetric key cipher algorithm and symmetric key management system, can adopt self-defining agreement; If adopt asymmetric key cipher algorithm and PKI/CA or IBE key management system, can adopt corresponding standard agreement (having the corresponding world or industrial standard).Secure communication between key management and service system and key management and service client can be used existing security information encrypted tunnel technology, as SSL etc.
User, use key management and service client with key management and service system online interaction, obtain in the process of key, the fail safe of user being carried out to online identity discriminating is extremely important, once because there is personation, such as password is stolen, be cracked and will cause the generation of personation, to cause user for file encryption, key stolen of deciphering, the safety of file threatens, so, need to adopt the online identity authentication schemes of high safety, such as, adopt digital certificate, dynamic password, or double factor identity is differentiated, the double factor identity authentication schemes of simple possible comprises: general common name/password+random e-mail messages or short message confirming (mail or note dynamic password), or random e-mail messages or short message confirming for two different mail addresses or short message terminal.
The concrete exploitation of crypto module can adopt C/C++, and for adopted cryptographic system, cryptographic algorithm and realize; Crypto module interface can adopt standard interface, as Windows CSP, PKCS#11, also can adopt self defined interface; The structure of enciphered data can adopt PKCS#7, i.e. Cryptographic Message Syntax(CMS).
If crypto module is carried out in application layer (not operation system kernel layer), described file encryption filter cannot directly call crypto module and carries out data encryption, decryption oprerations.At this moment can develop one in the program of user's computing equipment running background, the program of file encryption filter by this running background module (mechanism providing by operating system between file encryption filter and the program of running background is carried out alternately) that accesses to your password is provided.
The exploitation of final act encryption configuration management tool can adopt C/C++, and realizes relevant configuration management function.
Other unaccounted concrete technology are implemented, and are well-known, self-explantory for those skilled in the relevant art.
Claims (7)
1. a cloud storage file encryption system, described encryption system comprises:
File encryption filter: the filter that carries out file encryption, decryption processing being inserted in the driving stack of user's computing equipment file system drives; Described file encryption filter for file cloud storage system by cloud store that client is set in user's computing equipment file system, need to store the file that creates and copy under user's computing equipment local file catalogue of the file synchronization in the system of high in the clouds with file, automatically carry out file encryption, and no matter to create and copy main body be that trusted process is also non-trusted process; The local file catalogue that described needs carry out synchronous user's computing equipment of processing is called synchronous directory; During the file of the corresponding types after encryption of trusted process reading and writing, described file encryption filter carries out file decryption, encryption automatically; When an encrypt file of non-trusted process reading and writing, described file encryption filter is not decrypted and encryption for encrypt file, for the non-trusted process of an encrypt file, what when non-trusted process reads this document, read is ciphertext, if revised file data while writing, will cause file destroyed; When file storage man-machine interaction client or file storage sync client read the non-encrypted file of user's computing equipment this locality, whether the file no matter being read is under synchronous directory, and described file encryption filter guarantees that file data that file storage man-machine interaction client or file storage sync client read is through encrypting; Described file encryption filter calls crypto module file is encrypted, is deciphered;
Crypto module: install, operate on user's computing equipment, user file is encrypted for storing, decruption key, and the combination of carrying out component software or the software and hardware of Password Operations and crypto-operation; Described Password Operations comprises that key generates, imports, derives, deletes, and is called and carry out crypto-operation by file encryption filter, and described crypto-operation comprises data encryption, deciphering;
Key management and service system: be responsible for generating, manage and recover user's file encryption, the service system of decruption key is used to user that cipher key service is provided;
Key management and service client: the client utility that obtains online and manage for user key; When obtaining online or recover user for the key of file encryption, deciphering, described key management is connected key management and service system with service client, application is obtained or recovers user key, and differentiates with key management and the mutual completing user identity of service system in the process of obtaining or replying key; Described key management and service client be the key for file encryption, deciphering by the user who obtains from key management and service system or recover, and is kept in described crypto module;
Described trusted process refer to a corresponding process software of file type or program on user's computing equipment, move after resulting program running example, or the trusted process that sets for a file type or All Files type of the file encryption configuration management tool that uses cloud storage file encryption system;
Described non-trusted process refers to the every other program running example beyond trusted process corresponding to file type;
Described trusted process and non-trusted process are all for a file type, and different file types is to there being different trusted processes;
Described trusted process, non-trusted process operate the file on subscriber's local computing equipment by common mode, and described operation comprises establishment, opens, reading and writing, deletion action;
Described file cloud storage system refers to provide the system of network file stores service, and described file cloud storage system comprises file storage high in the clouds system, file storage man-machine interaction client and file storage sync client;
Described file storage high in the clouds system refers in file cloud storage system for storing service end system or the platform of user file;
Described file storage man-machine interaction client refers in local subscription client software or the program of using, the file cloud storage system of human-computer interaction function being provided of user's computing equipment, by described file storage man-machine interaction client user, can the file of user's computing equipment this locality be uploaded to file storage high in the clouds system by manual operations, or the file that file is stored in the system of high in the clouds downloads to user's computing equipment this locality, and the file being kept in the system of file storage high in the clouds is operated, described operation comprises checks, deletes;
Described file storage sync client refers to operate in software program or the assembly on user's computing equipment, file under the synchronous directory of its inspection user's computing equipment this locality and user are kept at the consistency of the respective file in the system of file storage high in the clouds, and carry out corresponding file synchronization operation according to predefined synchronization policy; Described file storage sync client is carried out mode or the automatic synchronization of file synchronization, automatically detect the variation of file and inconsistent and carry out corresponding file synchronization operation according to predefined synchronization policy, or manual synchronous, when being selected synchronous menu or pressed lockage button by human-computer interaction interface, user detects the variation of file and inconsistent and carry out corresponding file synchronization operation according to corresponding synchronization policy;
The cloud storage client of described setting synchronous directory is file storage man-machine interaction client, or file storage sync client, or other are specifically designed to other clients that the storage of file cloud arranges;
For all file types, file storage man-machine interaction client and file storage sync client belong to non-trusted process all the time;
For a concrete file cloud storage system, the above file storage man-machine interaction client and file storage sync client exist simultaneously, or only have an existence, or the two is integrated in a software program;
Division and the name of file storage high in the clouds system, file storage man-machine interaction client and the file storage sync client of described file cloud storage system, division and the name of carrying out according to the function composition of file cloud storage system, if a concrete file cloud storage system is different with name for the division of the assembly of corresponding function, described file encryption filter carries out corresponding file encryption, decryption oprerations processing for the assembly of implementing corresponding function;
File storage high in the clouds system, file storage man-machine interaction client and the file storage sync client of described file cloud storage system operate by common mode; or operate by original mode; mode when described common or original mode refers to not use described cloud storage file encryption system, described operation comprises that file uploads, downloads and synchronously.
2. cloud storage file encryption system according to claim 1, is characterized in that:
Described encryption system also comprises an optional components:
File encryption configuration management tool: operate in the program that user's computing equipment this locality is configured and manages encryption and decryption operational processes, comprise trusted and the non-trusted process of setting a file type;
Described file encryption configuration management tool is in described cloud storage file encryption system one independently component software, or an assembly in the storage man-machine interaction client of the file in described encryption system or file storage sync client;
If the function of configuration management is not provided at user side, described file encryption configuration management tool assembly does not exist.
3. cloud storage file encryption system according to claim 1, it is characterized in that: when described file storage man-machine interaction client or file storage sync client read the non-encrypted file of user's computing equipment this locality, whether the file no matter being read is under synchronous directory, and described file encryption filter guarantees that file data that file storage man-machine interaction client or file storage sync client read is through encrypting as follows:
The first step: whether the local file that judgement will be read encrypt file, does not if so, do further encryption to the file data reading; Otherwise, proceed to next step;
Second step: whether the non-encrypted file reading under synchronous directory, is if so, first encrypted and makes it to become encrypt file the file that will read, and then return to the file data reading; Otherwise, to reading the file data returning, be encrypted, but original be not encrypted.
4. cloud storage file encryption system according to claim 1, is characterized in that:
When any one process, comprise trusted and non-trusted process, while opening or reading a unencrypted file under subscriber's local computing equipment synchronous directory, described file encryption filter is automatically encrypted and makes it to become encrypt file the file that will open or read.
5. cloud storage file encryption system according to claim 1 and 2, is characterized in that:
Described cloud storage file encryption system is set the trusted process of every kind of file type by preset or file encryption configuration management tool, but for all file types, file storage man-machine interaction client and file storage sync client belong to non-trusted process all the time, can not change be set by file encryption configuration management tool; The described trusted process by preset setting refers to the trusted process for a file type fixing in file encryption filter program.
6. cloud storage file encryption system according to claim 1, is characterized in that:
If require human-computer interaction terminal by user's computing equipment operating system to copy out and be stored in file under the local alternative document catalogue of user's computing equipment from synchronous directory, with the form of non-encrypted file, exist, the human-computer interaction terminal program of user's computing equipment operating system is set to trusted process.
7. cloud storage file encryption system according to claim 1, is characterized in that:
The form with non-encrypted file exists to the file under the local alternative document catalogue of the user's computing equipment beyond synchronous directory if require, by file, store man-machine interaction client downloads, and described file encryption filter is stored man-machine interaction client downloads for file and is automatically decrypted processing to the encrypt file under synchronous directory alternative document catalogue in addition.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201310466023.7A CN103546547B (en) | 2013-10-08 | 2013-10-08 | A kind of cloud storage file encryption system |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201310466023.7A CN103546547B (en) | 2013-10-08 | 2013-10-08 | A kind of cloud storage file encryption system |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN103546547A true CN103546547A (en) | 2014-01-29 |
| CN103546547B CN103546547B (en) | 2016-09-21 |
Family
ID=49969586
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201310466023.7A Active CN103546547B (en) | 2013-10-08 | 2013-10-08 | A kind of cloud storage file encryption system |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN103546547B (en) |
Cited By (13)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN103825953A (en) * | 2014-03-04 | 2014-05-28 | 武汉理工大学 | User mode encrypt file system |
| CN103888467A (en) * | 2014-03-31 | 2014-06-25 | 武汉理工大学 | Sharing-oriented safety file folder encryption system |
| CN103916480A (en) * | 2014-04-15 | 2014-07-09 | 武汉理工大学 | File encrypting system for shared file |
| CN104333545A (en) * | 2014-10-26 | 2015-02-04 | 重庆智韬信息技术中心 | Method for encrypting cloud storage file data |
| CN105025102A (en) * | 2015-07-17 | 2015-11-04 | 中国海洋大学 | Network storage and calling method and storage system of 3D printing model file |
| CN105760768A (en) * | 2016-03-09 | 2016-07-13 | 成都爆米花信息技术有限公司 | Data security storage method |
| CN106685919A (en) * | 2016-11-19 | 2017-05-17 | 徐州医科大学 | Secure cloud storage method with passive dynamic key distribution mechanism |
| CN107645415A (en) * | 2017-09-27 | 2018-01-30 | 杭州迪普科技股份有限公司 | A kind of holding OpenStack service ends method and device consistent with equipment end data |
| CN108173880A (en) * | 2018-02-11 | 2018-06-15 | 合肥图久智能科技有限公司 | A kind of file encryption system based on third party's key management |
| CN108632206A (en) * | 2017-03-19 | 2018-10-09 | 上海格尔软件股份有限公司 | A kind of system that encryption cloud storage is combined with explorer |
| CN108833336A (en) * | 2018-04-18 | 2018-11-16 | 北京百度网讯科技有限公司 | Data processing method, device, computer equipment and storage medium |
| CN110598440A (en) * | 2019-08-08 | 2019-12-20 | 中腾信金融信息服务(上海)有限公司 | Distributed automatic encryption and decryption system |
| CN114666354A (en) * | 2022-03-21 | 2022-06-24 | 北京涵鑫盛科技有限公司 | File storage management system of cloud storage system |
Citations (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20120201381A1 (en) * | 2011-02-03 | 2012-08-09 | mSignia, Inc. | Cryptographic security functions based on anticipated changes in dynamic minutiae |
| CN102685148A (en) * | 2012-05-31 | 2012-09-19 | 清华大学 | Method for realizing secure network backup system under cloud storage environment |
-
2013
- 2013-10-08 CN CN201310466023.7A patent/CN103546547B/en active Active
Patent Citations (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20120201381A1 (en) * | 2011-02-03 | 2012-08-09 | mSignia, Inc. | Cryptographic security functions based on anticipated changes in dynamic minutiae |
| CN102685148A (en) * | 2012-05-31 | 2012-09-19 | 清华大学 | Method for realizing secure network backup system under cloud storage environment |
Non-Patent Citations (2)
| Title |
|---|
| 傅颖勋: "安全云存储系统与关键技术综述", 《计算机研究与发展》 * |
| 杨坤: "基于Hadoop的云存储系统客户端的设计与实现", 《中国优秀硕士学位论文全文数据库(电子期刊)·信息科技辑》 * |
Cited By (21)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN103825953A (en) * | 2014-03-04 | 2014-05-28 | 武汉理工大学 | User mode encrypt file system |
| CN103825953B (en) * | 2014-03-04 | 2017-01-04 | 武汉理工大学 | A kind of user model encrypted file system |
| CN103888467A (en) * | 2014-03-31 | 2014-06-25 | 武汉理工大学 | Sharing-oriented safety file folder encryption system |
| CN103888467B (en) * | 2014-03-31 | 2016-09-21 | 武汉理工大学 | A kind of towards shared secure file folder encryption system |
| CN103916480A (en) * | 2014-04-15 | 2014-07-09 | 武汉理工大学 | File encrypting system for shared file |
| CN103916480B (en) * | 2014-04-15 | 2017-03-08 | 武汉理工大学 | A kind of file encryption system towards shared file |
| CN104333545B (en) * | 2014-10-26 | 2017-07-14 | 国网内蒙古东部电力有限公司信息通信分公司 | The method that cloud storage file data is encrypted |
| CN104333545A (en) * | 2014-10-26 | 2015-02-04 | 重庆智韬信息技术中心 | Method for encrypting cloud storage file data |
| CN105025102A (en) * | 2015-07-17 | 2015-11-04 | 中国海洋大学 | Network storage and calling method and storage system of 3D printing model file |
| CN105025102B (en) * | 2015-07-17 | 2018-07-06 | 中国海洋大学 | The network storage call method and storage system of a kind of 3D printing model file |
| CN105760768A (en) * | 2016-03-09 | 2016-07-13 | 成都爆米花信息技术有限公司 | Data security storage method |
| CN106685919A (en) * | 2016-11-19 | 2017-05-17 | 徐州医科大学 | Secure cloud storage method with passive dynamic key distribution mechanism |
| CN108632206A (en) * | 2017-03-19 | 2018-10-09 | 上海格尔软件股份有限公司 | A kind of system that encryption cloud storage is combined with explorer |
| CN107645415A (en) * | 2017-09-27 | 2018-01-30 | 杭州迪普科技股份有限公司 | A kind of holding OpenStack service ends method and device consistent with equipment end data |
| CN108173880A (en) * | 2018-02-11 | 2018-06-15 | 合肥图久智能科技有限公司 | A kind of file encryption system based on third party's key management |
| CN108173880B (en) * | 2018-02-11 | 2020-10-16 | 合肥图久智能科技有限公司 | File encryption system based on third party key management |
| CN108833336A (en) * | 2018-04-18 | 2018-11-16 | 北京百度网讯科技有限公司 | Data processing method, device, computer equipment and storage medium |
| US11397820B2 (en) | 2018-04-18 | 2022-07-26 | Beijing Baidu Netcom Science And Technology Co., Ltd. | Method and apparatus for processing data, computer device and storage medium |
| CN110598440A (en) * | 2019-08-08 | 2019-12-20 | 中腾信金融信息服务(上海)有限公司 | Distributed automatic encryption and decryption system |
| CN110598440B (en) * | 2019-08-08 | 2023-05-09 | 中腾信金融信息服务(上海)有限公司 | Distributed automatic encryption and decryption system |
| CN114666354A (en) * | 2022-03-21 | 2022-06-24 | 北京涵鑫盛科技有限公司 | File storage management system of cloud storage system |
Also Published As
| Publication number | Publication date |
|---|---|
| CN103546547B (en) | 2016-09-21 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US11647007B2 (en) | Systems and methods for smartkey information management | |
| CN103546547A (en) | Cryptosystem for cloud storage files | |
| TWI601405B (en) | Method and apparatus for cloud-assisted cryptography | |
| CN109948322B (en) | Personal cloud storage data safe box device and method for localized encryption protection | |
| CN104023085A (en) | Security cloud storage system based on increment synchronization | |
| JP2014127721A (en) | Encryption key management program and data management system | |
| CN105245328A (en) | User and file key generation and management method based on third party | |
| US10116442B2 (en) | Data storage apparatus, data updating system, data processing method, and computer readable medium | |
| CN101924739A (en) | Method for encrypting, storing and retrieving software certificate and private key | |
| CN110445840B (en) | File storage and reading method based on block chain technology | |
| CN105072134A (en) | Cloud disk system file secure transmission method based on three-level key | |
| Thilakanathan et al. | Secure multiparty data sharing in the cloud using hardware-based TPM devices | |
| CN108173880B (en) | File encryption system based on third party key management | |
| CN102004873A (en) | Method for restoring encrypted information in encryption card | |
| CN113836546B (en) | Key management method, device, equipment and storage medium | |
| US8516609B2 (en) | Personal encryption device | |
| CN115412236A (en) | Method for key management and password calculation, encryption method and device | |
| KR20160146623A (en) | A Method for securing contents in mobile environment, Recording medium for storing the method, and Security sytem for mobile terminal | |
| Sharma et al. | Transcrypt: A secure and transparent encrypting file system for enterprises | |
| Karani et al. | Secure File Storage Using Hybrid Cryptography | |
| US11522691B2 (en) | Techniques for virtual cryptographic key ceremonies | |
| KR101703847B1 (en) | A Method for securing contents in mobile environment, Recording medium for storing the method, and Security sytem for mobile terminal | |
| JP2016163198A (en) | File management device, file management system, file management method, and file management program | |
| Pal et al. | Enhancing file data security in linux operating system by integrating secure file system | |
| EP4042309A1 (en) | Hybrid content protection architecture |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| C06 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| C14 | Grant of patent or utility model | ||
| GR01 | Patent grant |