CN103546547B - A kind of cloud storage file encryption system - Google Patents
A kind of cloud storage file encryption system Download PDFInfo
- Publication number
- CN103546547B CN103546547B CN201310466023.7A CN201310466023A CN103546547B CN 103546547 B CN103546547 B CN 103546547B CN 201310466023 A CN201310466023 A CN 201310466023A CN 103546547 B CN103546547 B CN 103546547B
- Authority
- CN
- China
- Prior art keywords
- file
- encryption
- user
- storage
- client
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Expired - Fee Related
Links
- 238000000034 method Methods 0.000 claims description 64
- 230000008569 process Effects 0.000 claims description 61
- 230000003993 interaction Effects 0.000 claims description 37
- 230000001360 synchronised effect Effects 0.000 claims description 24
- 230000006870 function Effects 0.000 claims description 17
- 239000000203 mixture Substances 0.000 claims description 12
- 230000008859 change Effects 0.000 claims description 8
- 238000011084 recovery Methods 0.000 claims description 4
- 238000012217 deletion Methods 0.000 claims description 3
- 230000037430 deletion Effects 0.000 claims description 3
- 238000012545 processing Methods 0.000 claims description 3
- 230000009471 action Effects 0.000 claims description 2
- 230000008676 import Effects 0.000 claims description 2
- 230000002452 interceptive effect Effects 0.000 claims 2
- 230000003362 replicative effect Effects 0.000 claims 1
- 235000015170 shellfish Nutrition 0.000 claims 1
- 238000007726 management method Methods 0.000 description 42
- 238000011161 development Methods 0.000 description 5
- 230000018109 developmental process Effects 0.000 description 5
- 238000005516 engineering process Methods 0.000 description 5
- 230000007246 mechanism Effects 0.000 description 5
- VBMOHECZZWVLFJ-GXTUVTBFSA-N (2s)-2-[[(2s)-6-amino-2-[[(2s)-6-amino-2-[[(2s,3r)-2-[[(2s,3r)-2-[[(2s)-6-amino-2-[[(2s)-2-[[(2s)-6-amino-2-[[(2s)-2-[[(2s)-2-[[(2s)-2,6-diaminohexanoyl]amino]-5-(diaminomethylideneamino)pentanoyl]amino]propanoyl]amino]hexanoyl]amino]propanoyl]amino]hexan Chemical compound NC(N)=NCCC[C@@H](C(O)=O)NC(=O)[C@H](CCCCN)NC(=O)[C@H](CCCCN)NC(=O)[C@H]([C@@H](C)O)NC(=O)[C@H]([C@H](O)C)NC(=O)[C@H](CCCCN)NC(=O)[C@H](C)NC(=O)[C@H](CCCCN)NC(=O)[C@H](C)NC(=O)[C@H](CCCN=C(N)N)NC(=O)[C@@H](N)CCCCN VBMOHECZZWVLFJ-GXTUVTBFSA-N 0.000 description 2
- 108010068904 lysyl-arginyl-alanyl-lysyl-alanyl-lysyl-threonyl-threonyl-lysyl-lysyl-arginine Proteins 0.000 description 2
- 230000008520 organization Effects 0.000 description 2
- 238000004891 communication Methods 0.000 description 1
- 238000012790 confirmation Methods 0.000 description 1
- 238000013500 data storage Methods 0.000 description 1
- 238000001514 detection method Methods 0.000 description 1
- 238000010586 diagram Methods 0.000 description 1
- 238000004321 preservation Methods 0.000 description 1
- 230000033772 system development Effects 0.000 description 1
- 238000012795 verification Methods 0.000 description 1
Landscapes
- Storage Device Security (AREA)
Abstract
The present invention relates to a kind of encryption system for file cloud storage, described encryption system includes file encryption filter, crypto module, key management and service system, key management and service client.The present invention makes it possible to realize the encryption to cloud storage file, deciphering in the case of not making any changes existing file cloud storage system by file encryption filter, and makes the alignment processing software of encryption file or program can use encryption file insusceptibly;Further, provide cipher key service by using independent third party to run key management with service system, can guarantee that only user just can see the file of storage in cloud system.In a word, the present invention solves the information security issue of file cloud storage well.
Description
Technical field
The invention belongs to field of information security technology, particularly one cloud storage file encryption system
System.
Background technology
The cloud storage system (being called for short file cloud storage system) providing file storage is a kind of offer
The system of network data storage service, it, due to easy to use, receives praises from customers.But cloud is deposited
The data safety of storage system is cloud storage user most concerned about, the problem worried most the most all the time, is again
The problem solved the most well at present, is also one of obstacle hindering cloud storage business development.
It is to being stored in high in the clouds that file in cloud storage carries out the maximally effective scheme of safeguard protection
File encryption in system (service end of file cloud storage system), and one therein is simple
Cloud storage file encryption scheme be: user is at the cloud by files passe to file cloud storage system
Before end system, first the file in high in the clouds to be stored in is encrypted by oneself manual use instrument, as
Use the encryption function of compressing file instrument WinZip, WinRAR, or use special literary composition
Part Encryption Tool (such as the instrument of deedbox, safety cabinet etc);When in cloud system
File download to user's local computing device (such as PC, mobile terminal) upper after,
Before using file, encrypted file (being called for short encryption file) is decrypted by the instrument that re-uses
Operation.But the disadvantage of this scheme be user in-convenience in use, and with generally the making of user
It is not inconsistent (adding extra encryption, decryption oprerations) by custom.
It is automatic by cloud storage client when upper transmitting file to a solution of this problem
File is encrypted;When downloading file, encrypted file is entered by cloud storage client automatically
Row deciphering.This upload, scheme to file encryption, deciphering exists and asks as follows automatically when downloading
Topic: current file cloud storage system preserves the function of user file except there being system beyond the clouds
Outward, a lot of file cloud storage systems additionally provides synchronously renewing file function, will high in the clouds system
User file in system with user in local computing device (PC, mobile terminal)
It is (same according to set that file (file as under certain file directory) carries out synchronized update automatically
Walk more New Policy);After having had synchronizing function, if still using foregoing upper transmitting file
The scheme of file encryption, deciphering is carried out, then can during simultaneously operating when Shi Jiami, download file
Can occur needing to carry out substantial amounts of file encryption or the situation of decryption oprerations process, this is clearly the most not
Suitably, not only efficiency is low, and brings extra complexity (because judging to synchronization process
High in the clouds file and the concordance of local file are by more complicated, even not possible, such as, if
The concordance of file is judged) by the way of the information fingerprint of comparison file.
Just be saved in the cloud system of file cloud storage system user file data encryption and
For decryption technology scheme, simplest a kind of scheme is to utilize file cloud to store system user
The password generated symmetric key that (owner of file) sets oneself is to leaving cloud system in
User file encrypt and decrypt (subscription client or file store high in the clouds be encrypted,
Decryption oprerations processes).The shortcoming of this scheme is: one is that password is easily cracked, and two are
User has once forgotten password, then, user oneself also will be unable to deciphering, use one's own
Encryption file, thus make troubles or lose to the user of file cloud storage system.Solve this
A kind of scheme of problem is the mouth allowing file cloud storage system (high in the clouds) also preserve a user
Order or the key of password generated, be that user recovers password or key needs when, but this
The problem that password or key recovery scheme are brought is: one is that file cloud storage system operator is permissible
Password or key by preserving see that user is saved in the cloud system of file cloud storage system
In file content, and this to be often user be not intended to occur or the thing worried (such as
Organization user is saved in the customer data file in file cloud storage system, financial data file etc.
Be all organization user be not intended to file cloud storage system operator see), two are stored in literary composition
There is stolen possibility (such as due to meet with in user password or key itself in part cloud storage system
Attacked by outside or stolen from internal).
In addition to problems described above, the file encryption for file cloud storage system also has one
Problem needs to solve: the most how for the file cloud storage system disposed, do not entering system
The encryption of file, deciphering function is realized in the case of row amendment.This is because file cloud storage system
It is a huge system, in order to add encryption function, original system is modified and again
The cost disposed will be huge, will not be accepted by cloud storage service provider, also will not be by
User is accepted.
For file encryption problem encountered in above file cloud storage system, the present invention intends adopting
The technical scheme combining separate keys service by file encryption filter is solved.
Described file encryption filter is that file is added by the one in computer file system
Close and deciphering particular filter drives (Filter Driver).Current most computers
System all uses driving stack (the Loadable Driver Stack) framework that can load, and mistake
Filter drives (Filter Driver) to be that one can be encased in this file system driver stack
And the driving that file system function is extended, it is deferred to the driving interface of standard, can intercept
For the operation calls of file, including establishment, reading and writing, deletion file, and arrange, obtain
Take the operation of fileinfo, and as required file operation is intervened, including for file
Reading and writing data encrypt and decrypt process automatically.File encryption mistake will be utilized in the present invention
Filter realizes file encryption, deciphering, including automatic encryption during upper transmitting file, to synchronous documents
File in folder is encrypted automatically, and when encrypting the processing routine (application program) that file is corresponding
Open, read encryption file time, automatically to encryption file be decrypted operation etc..This pass through
Use the side that file is encrypted needing when, deciphers by file encryption filter automatically
Case, not only can meet operating with custom, being avoided as much as the intervention of user of user,
And cloud storage literary composition can be realized in the case of existing file cloud storage system not being modified
The data encryption of part, deciphering.
So-called separate keys service is cloud by an independent key management with service system exactly
Storage user provides the service of the key involved by data encryption, deciphering, including generating, recovering,
This independent key management can be by one and operating file cloud storage system with service system
Mutually independent mechanism of mechanism or department or department liable run (such as by one the independent the 3rd
Side is responsible for operation), thus deciphering is used to avoid the travelling mechanism of file cloud storage system to be obtained in that
The key of user data.
Summary of the invention
It is an object of the invention to provide and a kind of not only can realize the encryption of cloud storage file, deciphering,
And in encryption, decrypting process, the intervention of user can be reduced to a minimum, pass through simultaneously
Independent cipher key service ensures file encryption, the safety of decruption key and only this talent of user
Encrypted file can be seen, and can be without existing file cloud storage system is made any change
In the case of realize encryption, the cloud storage file encryption system of function of deciphering.
To achieve these goals, the technical solution adopted in the present invention is:
A kind of cloud storage file encryption system, described encryption system includes:
File encryption filter: be inserted into that user calculates installable file system drives in stack
The individual filter driving carrying out file encryption, decryption processing;Described file encryption filter for
File cloud storage system is set in user calculates installable file system by cloud storage client
, need to calculate equipment local file with the user of file synchronization in file storage cloud system
The file created under catalogue and replicate, automatically carries out file encryption, and no matter creates, replicates master
Body is trusted process or untrusted process;The described user needing to carry out synchronization process calculates and sets
Standby local file directory is referred to as synchronous directory;After trusted process reading and writing one are encrypted
The file of corresponding types time, described file encryption filter carries out file decryption, encryption automatically
Process;When untrusted process reading and writing one encryption file, described file encryption filters
Device be not for encrypt file be decrypted, encryption, i.e. for one encryption the non-of file be subject to
For letter process, what untrusted process was read when reading this document is ciphertext, if having modified when writing
File data then will cause file to be destroyed (if not revising file data when writing, the most not to be affected former
File);When file storage man-machine interaction client or file storage sync client read user
During the local non-encrypted file of calculating equipment, whether the file no matter being read is at synchronous directory
Under, described file encryption filter guarantees that file storage man-machine interaction client or file storage are same
The file data that step client reads is through encryption;Described file encryption filter is called close
File is encrypted, deciphers by code module;
Crypto module: install, run on the user computing device, is used for storing user file and adds
Close, decruption key, and carry out Password Operations and the component software of crypto-operation or software and
The combination of hardware;Described Password Operations includes that key generates, imports, derives, deletes, and
Called by file encryption filter and carry out crypto-operation, described crypto-operation include data encryption,
Deciphering;
Key management and service system: be responsible for generate, manage and recover user file encryption,
The service system of decruption key, is used for providing the user cipher key service;
Key management and service client: the client obtaining online for user key and managing
Instrument;When online acquisition or recovery user are used for the key of file encryption, deciphering, described close
Key management is connected key management and service system with service client, and application obtains or recovers user
Key, and complete alternately with service system with key management during obtaining or replying key
User identity differentiates;Described key management and service client will be from key management and service systems
The user obtained or recover (includes the symmetric key obtained for the key of file encryption, deciphering
Or private key), it is saved in described crypto module;
File encryption configuration management tool: operate in user and calculate equipment this locality to encryption and deciphering
Operation processes and carries out the program that configures and manage, including setting the trusted of a file type and non-
Trusted process;File encryption configuration management tool is an optional assembly, if joining without customization
Put management to require then without existing;
Described trusted process refers to that the process corresponding to a file type (such as Word document) is soft
Part or program (such as Word edit routine) run on the user computing device after obtained by program
Running example, or use the file encryption configuration management tool pin of cloud storage file encryption system
To the trusted process set by a file type or All Files type;
Described untrusted process refer to beyond the trusted process that file type is corresponding all its
His program running example (include user calculate equipment local runtime and outside all programs of running
Running example);
For described trusted process and untrusted process are both for a file type, different
File type is to there being the different trusted process (trusteds as corresponding to Word, Excel document
Process is Word program, the running example of Excel program respectively);
Described trusted process, untrusted process press common mode on user's local computing device
File operate, including creating, open, reading and writing, deletion action;
Described file cloud storage system refers to that the system providing network file storage service (includes disposing
Storage service is provided the most towards the public or is deployed in enterprises towards employee's offer
The system of storage service), described file cloud storage system includes that file stores cloud system, literary composition
Part storage man-machine interaction client, file storage sync client;
Described file storage cloud system refers in file cloud storage system for storing user file
Service end system or platform;
Described file storage man-machine interaction client refers to that calculating equipment this locality user uses, provides
The subscription client software of the file cloud storage system of human-computer interaction function or program, by described
User can be calculated equipment this locality by manual operations by file storage man-machine interaction client user
Files passe store cloud system to file, or file is stored under the file in cloud system
It is downloaded to user and calculates equipment this locality, and the file being saved in file storage cloud system is entered
Row operation, including checking, deleting;
Described file storage sync client refers to the software run on the user computing device
Program or assembly, it checks that the file that user calculates under the synchronous directory that equipment is local is protected with user
There is file and store the concordance of the respective file in cloud system, and according to set in advance same
Step strategy carries out corresponding file synchronization operation and (will local carry out with the respective file in high in the clouds
Synchronize, as upwards with high in the clouds file synchronization, the most Tong Bu with local file downwards, or be mutually in step);
Described file storage sync client carries out mode or the automatic synchronization of file synchronization, i.e. certainly
The change of dynamic detection file and inconsistent and carry out accordingly according to synchronization policy set in advance
File synchronization operation (at this moment file storage sync client is typically to operate in backstage), or
Manual synchronization, i.e. user by human-computer interaction interface select synchronize menu or press synchronization by
The change of file and inconsistent and carry out corresponding literary composition according to corresponding synchronization policy is detected during button
Part simultaneously operating (at this moment, file storage man-machine interaction client and file storage sync client
The most two-in-one);
The cloud storage client of described setting synchronous directory is that file stores man-machine interaction client,
Or file stores sync client, or other are specifically designed to what file cloud storage was arranged
Other clients;
All of file type, file storage man-machine interaction client and file storage are synchronized
Client always belongs to untrusted process;
For a concrete file cloud storage system, the above file storage man-machine interaction visitor
Family end and file storage sync client exist simultaneously, or an only existence, or the two
It is integrated in a software program;
The file storage cloud system of described file cloud storage system, file storage man-machine interaction visitor
Family end and file store division and the name of sync client, are based on file cloud storage system
Function composition and the division that carries out and name, if concrete file cloud storage system for
The division of the assembly of corresponding function is different with name, and the most described file encryption filter is for enforcement
The assembly of corresponding function carries out the file encryption of correspondence, decryption oprerations processes (the i.e. difference of name
Do not affect the enforcement of the present invention);
The file storage cloud system of described file cloud storage system, file storage man-machine interaction visitor
Family end and file storage sync client are operated by common mode, or by original side
Formula operates, and described usual or original mode refers to not use described cloud storage file encryption system
Mode during system, described operation includes files passe, download and synchronize that (described file cloud is deposited
Storage system can be the file cloud storage system disposed).
When described file storage man-machine interaction client or file storage sync client read and use
When family calculates the non-encrypted file of equipment this locality, whether the file no matter being read is at synchronous directory
Under, described file encryption filter guarantee as follows file storage man-machine interaction client or
The file data that file storage sync client reads is through encryption:
The first step: judge that local file to be read has encrypted file the most is the most right
The file data read makees further encryption;Otherwise, next step is proceeded to;
Second step: whether the non-encrypted file of reading is under synchronous directory, the most first to wanting
The file read is encrypted and makes encryption file, then returns again to the file data read
(encrypted file data);Otherwise, it is encrypted reading the file data returned,
But original is not encrypted.
When any one process, including trusted and untrusted process, open or read user local
During a unencrypted file under calculating equipment synchronous directory, described file encryption filter from
Dynamic be encrypted the file to open or to read makes encryption file.
Described cloud storage file encryption system by setting in advance (as during coding in advance
Set) or file encryption configuration management tool set the trusted process of every kind of file type, but right
In all of file type, file storage man-machine interaction client and file storage sync client
Always belong to untrusted process, it is impossible to change is set by file encryption configuration management tool.
If requiring to calculate the human-computer interaction terminal of device operating system (such as Windows by user
Explorer) copy out from synchronous directory and be stored in user calculate equipment local other
File under file directory is presented in non-encrypted file, then user calculates equipment and operates system
The human-computer interaction terminal program of system is set to trusted process.
If requiring the use beyond by file storage man-machine interaction client downloads to synchronous directory
File under the alternative document catalogue of calculating equipment this locality, family is presented in non-encrypted file, then
Described file encryption filter (i.e. creates for file storage man-machine interaction client downloads, protects
Deposit) encryption file under the alternative document catalogue beyond synchronous directory is decrypted place automatically
Reason.
The present invention is made it possible to existing file cloud storage system not by file encryption filter
Realize the encryption to cloud storage file, deciphering in the case of making any change, and make to add ciphertext
The alignment processing software of part or program can use encryption file insusceptibly;Further, logical
Cross employing independent third party and key management and service system offer cipher key service are provided, can guarantee that only
There is user just can see the file of storage in cloud system.In a word, the present invention solves well
The safe cryptography issue of file cloud of having determined storage.
Accompanying drawing explanation
The schematic diagram of the cloud storage file encryption system of Fig. 1 present invention.
Detailed description of the invention
The invention will be further described with embodiment below in conjunction with the accompanying drawings.
File cloud storage system is not belonging to the content that the present invention is to be implemented, and it can be a portion
The file cloud storage system that administration exists, or the file cloud storage system of deployment newly developed.
The filter of file system based on computer (equipment) operating system drives exploitation
And the file encryption realizing the present invention filters, can be found in the literary composition of concrete computer system (equipment)
The related development document of part system, such as, how for the file system of Windows operating system
System exploitation file encryption filter can be found in the file filter device of Windows file system and drives
The related development data of (particularly mini-Filter driving), document, these development data,
Document is at the exploitation website MSDN(msdn.microsoft.com.cn of Microsoft) and many open
Data includes all can obtaining in forum, and many data are specifically designed for developing file encryption filter
It is described.In other operating system, under (SuSE) Linux OS, also there is similar literary composition
Part filter driving mechanism.
Described file encryption filter can by encrypted file add a head or
An additional afterbody, and add, in the head added or additional afterbody, the mark made an appointment
Information is distinguished, is identified encryption file and non-encrypted file, and preserves and file encryption, solution
Close relevant key information, the information such as including key title, algorithm.Described file encryption filters
Device can also use other suitable modes to distinguish, identify encryption file and non-encrypted file,
And provide with file encryption, decipher relevant key information.
Key management and service system are service systems based on C/S model, its client
It is i.e. key management and service client.File is depended in the realization of key management and service system
The cipher system that encryption is used.Here, adoptable cipher system can be that symmetric key is close
Code system, it is also possible to be non-symmetric-key cryptography.If using symmetric key cipher
System, the most concrete cryptographic algorithm can be 3DES or AES etc., and for symmetric key
Management, the most existing multiple management technique or system are available for using, wherein, based on mark
Symmetric key management technique or system are the simplest effectively: by ID with a master key (also
It is referred to as seed key) obtain the symmetric key that ID is corresponding, user here by computing
Mark can be the information that mailbox, cell-phone number, identification card number etc. can uniquely identify user.This
Plant symmetric key management technique based on mark or system is simple, and it is convenient to recover user key.
If the cipher system that encryption is used is non-symmetric-key cryptography, the most concrete is close
Code algorithm can be RSA or ECC etc., and key management system can use PKI/CA(Public
Key Infrastructure/Certification Authority), and the key of the present invention
Management and service system are the CA system+KMC(Key Management Center in PKI)
System, wherein, KMC system is used for producing, preserving the double secret key of user encryption digital certificate,
And needing when, recover the double secret key of encrypted digital certificate, it might even be possible to that employing simplifies,
Not having the public-key cryptography management and service system of digital certificate, the most only KMC system is responsible for product
Raw, the double secret key of preservation user encryption digital certificate, and needs when, recover encryption numeral
The double secret key of certificate;Or, if concrete cryptographic algorithm is IBE(Identity Based
Encryption), then key management and service system are the private key generator in IBE
(Private Key Generator, PKG) and relevant user management, Verification System.
Determine used cipher system and corresponding cryptographic algorithm, key management and service
After scheme, key management realizes using common information system with the concrete exploitation of service system
Development technique, such as C/C++ or C# .Net or J2EE development language and environment.
Key management and service client can use C/C++ to develop.Key management and service system
With the IT policy of key management Yu service client, with the cipher system used, close
Code algorithm and corresponding key management are relevant with service system scheme, according to symmetric key cipher
Algorithm and symmetric key management system, then can use self-defining agreement;According to asymmetric close
Key cryptographic algorithm and PKI/CA or IBE key management system, then can use the standard of correspondence
Agreement (has corresponding international or industrial standard).Key management and service system and key management with
Secure communication between service client can use existing safety information encrypted tunnel technology,
Such as SSL etc..
Use key management and service client online with service system with key management user
Alternately, obtaining during key, the safety that user carries out online identity discriminating is the heaviest
, because once there is personation, such as password is stolen, be cracked the generation by causing personation,
Key stolen that user will be caused to be used for file encryption, deciphering, the safety of file threatens,
So, need use high safety online identity authentication schemes, such as, use digital certificate,
Dynamic password, or the discriminating of double factor identity, the double factor identity authentication schemes bag of simple possible
Include: (mail or note are dynamic for general common name/password+random e-mail messages or short message confirming
Password), or for two different mail addresses or the random e-mail messages of short message terminal or hands
Machine SMS confirmation.
The concrete exploitation of crypto module can use C/C++, and for the cipher system used,
Cryptographic algorithm and realize;Crypto module interface can use standard interface, as Windows CSP,
PKCS#11, it is possible to use self defined interface;The structure of encryption data can use PKCS#7, i.e.
Cryptographic Message Syntax(CMS).
If crypto module performs in application layer (non-OS inner nuclear layer), the most described file adds
Close filter cannot directly invoke crypto module and carry out data encryption, decryption oprerations.At this moment can open
Send out a program calculating equipment running background user, state file encryption filter by after this
The program that platform runs uses crypto module (between file encryption filter and the program of running background
The mechanism provided by operating system is interacted).
The exploitation of final act encryption configuration management instrument can use C/C++, and realizes relevant
Configuration management function.
Other unaccounted concrete technology implementations, are many for those skilled in the relevant art
Well known, it is implicit that.
Claims (7)
1. a cloud storage file encryption system, is characterized in that: described file encryption system includes literary composition
Part encryption filter, crypto module, key management and service system, key management and services client
End and file encryption configuration management tool, wherein:
File encryption filter: be inserted into that user calculates installable file system drives in stack
Carry out file encryption, the filter of decryption processing drives;Described file encryption filter is for file
Cloud storage system is set in user calculates installable file system by cloud storage client, needs
Calculate with the user of the file synchronization in file storage cloud system and create under equipment local file directory
File with replicating, carries out file encryption automatically, and no matter to create and replicate main body be trusted process
Or untrusted process;The described user needing to carry out synchronization process calculates the local file mesh of equipment
Record is referred to as synchronous directory;Respective file type after trusted process reading and writing one are encrypted
During file, described file encryption filter carries out file decryption, encryption automatically;When one non-
During trusted process reading and writing one encryption file, described file encryption filter is not for encrypting file
It is decrypted and encryption, i.e. for the untrusted process of an encryption file, untrusted
What process was read when reading this document is ciphertext, if having modified file data when writing, will cause file
Destroyed;When file storage man-machine interaction client or file storage sync client read user's meter
During the local non-encrypted file of calculation equipment, the file no matter being read whether under synchronous directory, institute
State file encryption filter and guarantee file storage man-machine interaction client or file storage sync client
The file data read is through encryption;Described file encryption filter calls crypto module to literary composition
Part is encrypted, deciphers;
Crypto module: install, run on the user computing device, be used for storing user file encryption,
Decruption key, and carry out Password Operations and the component software of crypto-operation or software and hardware
Combination;Described Password Operations includes that key generates, imports, derives, deletes, and is added by file
Close filter calls and carries out crypto-operation, and described crypto-operation includes data encryption, deciphering;
Key management and service system: be responsible for generating, managing and recover the file encryption of user, solution
The service system of decryption key, is used for providing the user cipher key service;
Key management and service client: the client work obtaining online for user key and managing
Tool;When online acquisition or recovery user are used for the key of file encryption, deciphering, described key pipe
Reason is connected key management and service system with service client, and application obtains or recovers user key,
And complete user identity alternately with key management and service system during obtaining or reply key
Differentiate;Described key management will obtain or recovery with service system from key management with service client
User for file encryption, the key of deciphering, be saved in described crypto module;
File encryption configuration management tool: operate in user and calculate equipment this locality to encryption and deciphering behaviour
Dealing with the program carrying out configuring and manage, the function of described file encryption configuration management tool includes
Set a file type or the trusted process of All Files type;Described file encryption configuration management
Instrument is an independent component software in described cloud storage file encryption system;
Described trusted process refers to that the process software corresponding to a file type or program calculate user
Program running example obtained by after running on equipment, or use cloud storage file encryption system
File encryption configuration management tool is for the trusted set by a file type or All Files type
Process;
Described untrusted process refers to the every other journey beyond the trusted process that file type is corresponding
Sort run example;
For described trusted process and untrusted process are both for file type, including for one
File type, multiple file type or All Files type, different file types is to having each
Trusted process;
Described trusted process, untrusted process press common mode on user's local computing device
File operates, described operation includes creating, opens, reading and writing, deletion action;
Described file cloud storage system refers to provide the system of network file storage service, described file cloud
Storage system includes that file storage cloud system, file storage man-machine interaction client and file are deposited
Storage sync client;
Described file storage cloud system refers in file cloud storage system for storing the clothes of user file
Business end system or platform;
Described file storage man-machine interaction client refers to that calculating equipment this locality user uses, provides people
The subscription client software of the file cloud storage system of machine interactive function or program, by described file
User can be calculated on the file that equipment is local by storage man-machine interaction client user by manual operations
Pass to file storage cloud system, or the file download stored by file in cloud system is counted to user
Calculation equipment is local, and operates the file being saved in file storage cloud system, described
Operation includes checking, deleting;
Described file storage sync client refers to the software program run on the user computing device
Or assembly, it checks that the file that user calculates under the synchronous directory that equipment is local is saved in literary composition with user
The concordance of the respective file in part storage cloud system, and enter according to synchronization policy set in advance
Row corresponding file synchronization operation;Described file storage sync client carries out the mode of file synchronization
Or automatic synchronization, the most automatically detect file change and inconsistent and according to set in advance with
Step strategy carries out corresponding file synchronization operation, or Manual synchronization, i.e. user by man-machine
Interactive interface detects the change of file and inconsistent and root when selecting synchronize menu or press lockage button
Corresponding file synchronization operation is carried out according to corresponding synchronization policy;
The cloud storage client of described setting synchronous directory is that file stores man-machine interaction client, or
Person is that file stores sync client, or other are specifically designed to other of file cloud storage setting
Client;
Visitor is synchronized for all of file type, file storage man-machine interaction client and file storage
Family end always belongs to untrusted process;
For a concrete file cloud storage system, the above file storage man-machine interaction client
End and file storage sync client exist simultaneously, or an only existence, or the two is integrated
In a software program;
The file storage cloud system of described file cloud storage system, file storage man-machine interaction client
End and file store division and the name of sync client, are based on the merit of file cloud storage system
The division that can form and carry out and name, if a concrete file cloud storage system is for corresponding merit
The division of the assembly of energy is different with name, and the most described file encryption filter is for implementing corresponding function
Assembly carry out correspondence file encryption, decryption oprerations process;
The file storage cloud system of described file cloud storage system, file storage man-machine interaction client
End and file storage sync client operate in usual manner, or carry out by original mode
Operation, described usual or original mode refers to not use side during described cloud storage file encryption system
Formula, described operation includes files passe, downloads and synchronize.
Cloud storage file encryption system the most according to claim 1, is characterized in that:
If described file encryption system does not provide the function of configuration management, the most described file at user side
Encryption configuration administration tools component does not exists.
Cloud storage file encryption system the most according to claim 1, is characterized in that: when described
File storage man-machine interaction client or file storage sync client read user and calculate equipment this locality
Non-encrypted file time, the file no matter being read whether under synchronous directory, described file encryption
Filter guarantees file storage man-machine interaction client or file storage sync client as follows
The file data read is through encryption:
The first step: judge that local file to be read has encrypted file the most, the most not to reading
The file data taken makees further encryption;Otherwise, next step is proceeded to;
Second step: whether the non-encrypted file of reading is under synchronous directory, the most first to read
The file taken is encrypted and makes encryption file, then returns again to the file data read;No
Then, it is encrypted reading the file data returned, but original is not encrypted.
Cloud storage file encryption system the most according to claim 1, is characterized in that:
When any one process, including trusted and untrusted process, open or read user this locality meter
During a unencrypted file under calculation equipment synchronous directory, described file encryption filter is the most right
The file opened or read is encrypted and makes encryption file.
Cloud storage file encryption system the most according to claim 1 and 2, is characterized in that:
Described cloud storage file encryption system sets every by preset or file encryption configuration management tool
Plant the trusted process of file type, but for all of file type, file storage man-machine interaction visitor
Family end and file storage sync client always belong to untrusted process, it is impossible to joined by file encryption
Put management instrument and change is set;The described trusted process by preset setting refers to filter at file encryption
The trusted process for a file type fixing in device program.
Cloud storage file encryption system the most according to claim 1, is characterized in that:
If requiring, the human-computer interaction terminal being calculated device operating system by user is copied from synchronous directory
Shellfish goes out and is stored in user to calculate the file under the alternative document catalogue of equipment this locality with non-encrypted file
Form exists, then user calculates the human-computer interaction terminal program of device operating system and is set to own
The trusted process of file type.
Cloud storage file encryption system the most according to claim 1, is characterized in that:
If requiring to be counted to the user beyond synchronous directory by file storage man-machine interaction client downloads
File under the alternative document catalogue of calculation equipment this locality presented in non-encrypted file, the most described literary composition
Part encryption filter is for other beyond file storage man-machine interaction client downloads to synchronous directory
Encryption file under file directory is decrypted process automatically.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201310466023.7A CN103546547B (en) | 2013-10-08 | 2013-10-08 | A kind of cloud storage file encryption system |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201310466023.7A CN103546547B (en) | 2013-10-08 | 2013-10-08 | A kind of cloud storage file encryption system |
Publications (2)
Publication Number | Publication Date |
---|---|
CN103546547A CN103546547A (en) | 2014-01-29 |
CN103546547B true CN103546547B (en) | 2016-09-21 |
Family
ID=49969586
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201310466023.7A Expired - Fee Related CN103546547B (en) | 2013-10-08 | 2013-10-08 | A kind of cloud storage file encryption system |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN103546547B (en) |
Families Citing this family (13)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN103825953B (en) * | 2014-03-04 | 2017-01-04 | 武汉理工大学 | A kind of user model encrypted file system |
CN103888467B (en) * | 2014-03-31 | 2016-09-21 | 武汉理工大学 | A kind of towards shared secure file folder encryption system |
CN103916480B (en) * | 2014-04-15 | 2017-03-08 | 武汉理工大学 | A kind of file encryption system towards shared file |
CN104333545B (en) * | 2014-10-26 | 2017-07-14 | 国网内蒙古东部电力有限公司信息通信分公司 | The method that cloud storage file data is encrypted |
CN105025102B (en) * | 2015-07-17 | 2018-07-06 | 中国海洋大学 | The network storage call method and storage system of a kind of 3D printing model file |
CN105760768A (en) * | 2016-03-09 | 2016-07-13 | 成都爆米花信息技术有限公司 | Data security storage method |
CN106685919A (en) * | 2016-11-19 | 2017-05-17 | 徐州医科大学 | Secure cloud storage method with passive dynamic key distribution mechanism |
CN108632206A (en) * | 2017-03-19 | 2018-10-09 | 上海格尔软件股份有限公司 | A kind of system that encryption cloud storage is combined with explorer |
CN107645415B (en) * | 2017-09-27 | 2021-04-27 | 杭州迪普科技股份有限公司 | Method and device for keeping data consistency between OpenStack server and equipment |
CN108173880B (en) * | 2018-02-11 | 2020-10-16 | 合肥图久智能科技有限公司 | File encryption system based on third party key management |
CN108833336A (en) * | 2018-04-18 | 2018-11-16 | 北京百度网讯科技有限公司 | Data processing method, device, computer equipment and storage medium |
CN110598440B (en) * | 2019-08-08 | 2023-05-09 | 中腾信金融信息服务(上海)有限公司 | Distributed automatic encryption and decryption system |
CN114666354B (en) * | 2022-03-21 | 2022-12-27 | 北京涵鑫盛科技有限公司 | File storage management system of cloud storage system |
Citations (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102685148A (en) * | 2012-05-31 | 2012-09-19 | 清华大学 | Method for realizing secure network backup system under cloud storage environment |
Family Cites Families (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US8817984B2 (en) * | 2011-02-03 | 2014-08-26 | mSignia, Inc. | Cryptographic security functions based on anticipated changes in dynamic minutiae |
-
2013
- 2013-10-08 CN CN201310466023.7A patent/CN103546547B/en not_active Expired - Fee Related
Patent Citations (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102685148A (en) * | 2012-05-31 | 2012-09-19 | 清华大学 | Method for realizing secure network backup system under cloud storage environment |
Non-Patent Citations (2)
Title |
---|
基于Hadoop的云存储系统客户端的设计与实现;杨坤;《中国优秀硕士学位论文全文数据库(电子期刊)·信息科技辑》;20120731;全文 * |
安全云存储系统与关键技术综述;傅颖勋;《计算机研究与发展》;20130131;第50卷(第1期);136-145 * |
Also Published As
Publication number | Publication date |
---|---|
CN103546547A (en) | 2014-01-29 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN103546547B (en) | A kind of cloud storage file encryption system | |
US10819521B2 (en) | Providing low risk exceptional access | |
US11036869B2 (en) | Data security with a security module | |
CN106104562B (en) | System and method for securely storing and recovering confidential data | |
JP4083218B2 (en) | Multi-step digital signature method and system | |
US9608813B1 (en) | Key rotation techniques | |
US10820198B2 (en) | Providing low risk exceptional access with verification of device possession | |
US9621524B2 (en) | Cloud-based key management | |
AU2017325928A1 (en) | Encrypted userdata transit and storage | |
CN116601912A (en) | Post-secret provisioning service providing encryption security | |
CN103686716A (en) | Android access control system for enhancing confidentiality and integrality | |
CN101924739A (en) | Method for encrypting, storing and retrieving software certificate and private key | |
CN112655037B (en) | Secure file distribution system and secure file distribution method | |
BE1024812A9 (en) | A SECURITY APPROACH FOR THE STORAGE OF CREDENTIALS FOR OFFLINE USE AND AGAINST COPY PROTECTED CLEAN CONTENT IN DEVICES | |
CN110266641A (en) | Information-reading method and device | |
CN115150193A (en) | Method and system for encrypting sensitive information in data transmission and readable storage medium | |
De Souza et al. | Audit and backup procedures for hardware security modules | |
CN102831360A (en) | Personal electronic document safety management system and management method thereof | |
Vanitha et al. | Data sharing: Efficient distributed accountability in cloud using third party auditor | |
JP2008035449A (en) | Data distributing method using self-decryption file and information processing system using the same | |
JP2013179473A (en) | Account generation management system, account generation management server, account generation management method, account generation management program | |
Cooper | Analysis of security in cloud platforms using OpenStack as case study | |
Śmieszek et al. | Electronic safe for passwords storage | |
CN112380574A (en) | Data chaining method based on block chain and SE chip | |
WO2024026428A1 (en) | Digital identity allocation, assignment, and management |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
C14 | Grant of patent or utility model | ||
GR01 | Patent grant | ||
CF01 | Termination of patent right due to non-payment of annual fee |
Granted publication date: 20160921 |
|
CF01 | Termination of patent right due to non-payment of annual fee |