CN103731395B - The processing method and system of file - Google Patents
- Publication number
- CN103731395B (application CN201210381985.8A)
- Authority
- CN
- China
- Prior art keywords
- server
- client
- user
- security metadata
- metadata file
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Landscapes
- Storage Device Security (AREA)
- Information Transfer Between Computers (AREA)
Abstract
The invention discloses a file processing method and system. In the method, a first server receives a data file to be stored and a security metadata file from a client, where the security metadata file is created when the client encrypts the data file; the first server then sends the security metadata file, uploaded together with the data file by a successfully verified client user, to a second server for storage. The technical solution provided by the invention gives the data that users keep in cloud storage end-to-end confidentiality and integrity protection, and ensures the security of access-permission information during data sharing.
Description
Technical Field
The invention relates to the field of communication, in particular to a file processing method and system.
Background
With the rapid development of cloud storage, more and more people and services choose to store their data in a cloud storage environment. Cloud storage users upload their files to the cloud storage environment, where the files are managed by the cloud storage service provider, and grant other users access rights to those files so that the files can be shared.
However, in a cloud storage environment the data owner no longer has full control over the data, which exposes the data to a series of threats, such as denial of service (DoS) attacks using large-scale botnets, attacks that exploit vulnerabilities in operating systems or application service protocols, and many forms of malicious attack on, theft of and illegal use of the user privacy information stored in the "cloud". In addition, the various systems and applications that make up the "cloud" still face the viruses, trojans and other malware found in traditional standalone or intranet environments. These problems become even more acute as the number of users of shared storage grows and sensitive data (including economic documents and personal medical records) is stored in a cloud storage environment controlled by others. Therefore, a system based on a cloud storage service (a cloud storage system for short) urgently needs a security mechanism.
A security plug-in is software that can be embedded into a specific system or service to provide corresponding security functions. Security plug-ins in the related art are mainly used for banking services and third-party payment software (such as Alipay); most of them are embedded into a browser and provide security functions through data encryption and decryption and certificate verification.
Disclosure of Invention
The invention provides a file processing method and a file processing system, which solve at least the problem of poor data storage security in cloud storage systems in the related art.
According to one aspect of the invention, a method for processing a file is provided.
The file processing method comprises the following steps: a first server receives a data file to be stored and a security metadata file from a client, where the security metadata file is created when the client encrypts the data file; and the first server sends the security metadata file, uploaded together with the data file by a successfully verified client user, to a second server for storage.
Preferably, before the first server receives the data file to be stored and the security metadata file from the client, the method further includes: the client calls a first preset extension program to encrypt the data file and create the security metadata file.
Preferably, before the first server receives the data file to be stored and the security metadata file from the client, the method further includes: the client requests the authentication center to assign a matching public/private key pair to the user who has successfully registered at the client; the client uploads the public key, or the whole public/private key pair, to the first server, where the client encrypts the private key before uploading it; the public/private key pair is used for encrypting a hash value of the data file, and the hash value of the data file is used for encrypting the data file.
Preferably, the first server sending the security metadata file, uploaded together with the data file by the successfully verified client user, to the second server for storage includes: the first server calls a second preset extension program to verify the identification information registered in advance by the client user, and sends the security metadata file uploaded by the successfully verified client user to the second server.
Preferably, after the first server invokes the second preset extension program to verify the identification information registered in advance by the client user, and sends the security metadata file uploaded by the client user who is successfully verified to the second server, the method further includes: a first server receives a request message for updating a security metadata file from a client; after the first server acquires the security metadata file corresponding to the data file from the second server, calling a second preset extension program to verify the identification information of the user of the client, and sending the acquired security metadata file and the acquired data file to the client; and the first server receives the updated security metadata file uploaded by the client and sends the updated security metadata file to the second server.
Preferably, after the first server receives the updated security metadata file from the client and sends the updated security metadata file to the second server, the method further includes: the second server authenticates the user authenticated by the first server again; and after the second server successfully verifies, replacing the security metadata file currently stored by the second server with the received updated security metadata file.
Preferably, after the first server invokes the second preset extension program to verify the identification information registered in advance by the client user, and sends the security metadata file uploaded by the client user who is successfully verified to the second server, the method further includes: the first server receives a request message for downloading the security metadata file from the client; the first server verifies the identification information of the client user by calling a second preset extension program, and acquires a security metadata file corresponding to the verified user from the second server; and the first server sends the acquired security metadata file to the client.
Preferably, the security metadata file also carries the encryption mode used to encrypt the data file, and after the first server sends the obtained security metadata file to the client, the method further includes: the client decrypts a first hash value from the security metadata file using the private key of the public/private key pair; the client decrypts the data ciphertext downloaded from the first server using the first hash value to obtain the data plaintext, and recalculates a second hash value of the data plaintext, where the data ciphertext was produced by this client, or by another client, computing the hash value of the data plaintext, encrypting the data plaintext in the encryption mode with that hash value as the key, and uploading the result to the first server; and the client determines whether the security metadata file is intact according to the first hash value and the second hash value.
Preferably, after the first server invokes the second preset extension program to verify the identification information registered in advance by the client user, and sends the security metadata file uploaded by the client user who is successfully verified to the second server, the method further includes: the method comprises the steps that a first server receives a request message from a client for modifying an access control list item corresponding to a client user; the first server verifies the identification information of the client user by calling a second preset extension program, and acquires an access control list item corresponding to the verified user from the second server; and the first server sends the acquired access control list items and the currently stored public key corresponding to the user to be added to the client.
Preferably, after the first server sends the acquired access control list entry and the currently stored public key corresponding to the user to be added to the client, the method further includes: the client decrypts the hash value of the security metadata file from the access control list item by using a private key; the client side encrypts the decrypted hash value by adopting a public key corresponding to the user to be added, and regenerates an access control list item; and the client uploads the regenerated access control list items to the first server.
Preferably, after the client uploads the regenerated access control list entry to the first server, the method further includes: the second server receives the regenerated access control list items from the first server; the second server authenticates the user authenticated by the first server again; and after the second server is successfully verified, replacing the currently stored access control list item of the second server with the regenerated access control list item received from the first server.
Preferably, after the first server invokes the second preset extension program to verify the identification information registered in advance by the client user, and sends the security metadata file uploaded by the client user who is successfully verified to the second server, the method further includes: the method comprises the steps that a first server receives a request message from a client for deleting an access control list item corresponding to a client user; the first server verifies the identification information of the user of the client by calling a second preset extension program, and initiates a request message for deleting an access control list item corresponding to the verified user to the second server after the verification is successful; the second server authenticates the user authenticated by the first server again; and after the second server successfully verifies, deleting the access control list items which are currently stored by the second server and correspond to the verified users.
According to another aspect of the present invention, a system for processing a file is provided.
The file processing system according to the present invention comprises: a first server; the first server includes: the system comprises a first receiving module, a second receiving module and a third receiving module, wherein the first receiving module is used for receiving a data file to be stored and a security metadata file from a client, and the security metadata file is created when the client encrypts the data file; and the first sending module is used for sending the security metadata file uploaded by the client user who succeeds in verification and the data file at the same time to the second server for storage.
Preferably, the system further comprises: a client; the client comprises: and the creating module is used for calling a first preset extension program to encrypt the data file and create the security metadata file.
Preferably, the client further comprises: the request module is used for requesting the authentication center to distribute a mutually matched public and private key pair for the user successfully registered at the client; the first uploading module is used for uploading a public key or a public and private key pair in the public and private key pair to the first server, wherein the client executes encryption processing operation on the private key before uploading the private key in the public and private key pair, the public and private key pair is used for encrypting a hash value of a data file, and the hash value of the data file is used for encrypting the data file.
Preferably, the first sending module is configured to invoke a second preset extension program to verify the identification information registered by the client user in advance, and send the security metadata file uploaded by the client user that is successfully verified to the second server.
Preferably, the first server further comprises: the second receiving module is used for receiving a request message for updating the security metadata file from the client; the second sending module is used for calling a second preset extension program to verify the identification information of the user of the client after the security metadata file corresponding to the verified user is obtained from the second server, and sending the obtained security metadata file and the obtained data file to the client; and the third sending module is used for receiving the updated security metadata file uploaded by the client and sending the updated security metadata file to the second server.
Preferably, the system further comprises: a second server; the first authentication module is used for carrying out re-authentication on the user authenticated by the first server; and the first replacement module is used for replacing the security metadata file currently stored by the second server with the received updated security metadata file after the verification is successful.
Preferably, the first server further comprises: the third receiving module is used for receiving a request message for downloading the security metadata file from the client; the first acquisition module is used for verifying the identification information of the client user by calling a second preset extension program and acquiring a security metadata file requested by the verified user from a second server; and the fourth sending module is used for sending the obtained security metadata file to the client.
Preferably, the client further comprises: a first decryption module, used for decrypting a first hash value from the security metadata file using the private key of the public/private key pair; a computing module, used for decrypting the data ciphertext downloaded from the first server using the first hash value to obtain the data plaintext and recalculating a second hash value of the data plaintext, where the data ciphertext was produced by this client, or by another client, computing the hash value of the data plaintext, encrypting the data plaintext in the encryption mode with that hash value as the key, and uploading the result to the first server; and a determining module, used for determining whether the security metadata file is intact according to the first hash value and the second hash value.
Preferably, the first server further comprises: a fourth receiving module, configured to receive a request message from the client to modify an access control list entry corresponding to the client user; the second acquisition module is used for verifying the identification information of the client user by calling a second preset extension program and acquiring an access control list item corresponding to the user passing the verification from a second server; and the fifth sending module is used for sending the acquired access control list items and the currently stored public key corresponding to the user to be added to the client.
Preferably, the client further comprises: the second decryption module is used for decrypting the hash value of the security metadata file from the access control list item by adopting a private key; the generation module is used for encrypting the decrypted hash value by adopting a public key corresponding to the user to be added and regenerating an access control list item; and the second uploading module is used for uploading the regenerated access control list items to the first server.
Preferably, the second server further comprises: a fifth receiving module, configured to receive a regenerated access control list entry from the first server; the second authentication module is used for carrying out re-authentication on the user authenticated by the first server; and the second replacement module is used for replacing the currently stored access control list item of the second server with the regenerated access control list item received from the first server after the verification is successful.
Preferably, the first server further comprises: a sixth receiving module, configured to receive a request message from the client to delete an access control list entry corresponding to the client user; a sixth sending module, configured to verify the identification information of the user at the client by calling a second preset extension program, and initiate, after the verification is successful, a request message for deleting an access control list entry corresponding to the user that passes the verification to the second server; the second server further includes: the third verification module is used for verifying the user verified by the first server again; and the deleting module is used for deleting the access control list items which are currently stored by the second server and correspond to the verified users after the verification is successful.
In the invention, the client encrypts the data file to be stored and thereby creates the security metadata file; the first server receives the data file to be stored and the security metadata file from the client, and sends the security metadata file corresponding to the successfully verified client user to the second server for storage. This solves the problem of poor data storage security in cloud storage systems in the related art, provides end-to-end confidentiality and integrity protection for the data that users store in cloud storage, and ensures the security of access-permission information during data sharing.
Drawings
The accompanying drawings, which are included to provide a further understanding of the invention and are incorporated in and constitute a part of this application, illustrate embodiment(s) of the invention and together with the description serve to explain the invention without limiting the invention. In the drawings:
FIG. 1 is a flow chart of a method of processing a file according to an embodiment of the present invention;
FIG. 2 is a flowchart of a user uploading a secure metadata file in accordance with a preferred embodiment of the present invention;
FIG. 3 is a flowchart of a user updating a secure metadata file in accordance with a preferred embodiment of the present invention;
FIG. 4 is a flowchart of a user downloading a secure metadata file in accordance with a preferred embodiment of the present invention;
FIG. 5 is a flowchart of a user modifying a secure metadata file in accordance with a preferred embodiment of the present invention;
FIG. 6 is a flowchart of a user deleting a secure metadata file in accordance with a preferred embodiment of the present invention;
FIG. 7 is a block diagram of a file processing system according to an embodiment of the present invention;
FIG. 8 is a block diagram of a file processing system in accordance with a preferred embodiment of the present invention; and
FIG. 9 is a schematic structural diagram of a file processing system according to a preferred embodiment of the present invention.
Detailed Description
The invention will be described in detail hereinafter with reference to the accompanying drawings in conjunction with embodiments. It should be noted that the embodiments and features of the embodiments in the present application may be combined with each other without conflict.
FIG. 1 is a flowchart of a file processing method according to an embodiment of the present invention. As shown in FIG. 1, the method may comprise the following steps:
step S102: a first server receives a data file to be stored and a security metadata file from a client, where the security metadata file is created when the client encrypts the data file;
step S104: the first server sends the security metadata file, uploaded together with the data file by a successfully verified client user, to a second server for storage.
In the related art, the security of data stored in a cloud storage system by a user is poor. With the method shown in FIG. 1, a client encrypts a data file to be stored (e.g., a video file or an audio file) and thereby creates a security metadata file (e.g., security storage information of the video or audio file); the first server receives the data file to be stored and the security metadata file from the client, and sends the security metadata file corresponding to the successfully verified client user to the second server for storage. This solves the problem of poor data storage security in cloud storage systems in the related art, provides end-to-end confidentiality and integrity protection for the data that users store in cloud storage, and ensures the security of access-permission information during data sharing.
In a preferred embodiment, before uploading a data file, a client user needs to calculate a hash value for the data file by using a hash algorithm on a local client in advance; then, encrypting the data file by using a hash value and a symmetric encryption algorithm, and encrypting the hash value by using a public key to generate a secure metadata file; and finally, uploading the data ciphertext and the security metadata file to a server (equivalent to the first server), calling an interface provided by the security metadata server (equivalent to the second server) by the server, and storing the security metadata file in the security metadata server, so that the confidentiality of storing the user data in cloud storage is ensured.
Preferably, before the first server receives the data file to be stored and the security metadata file from the client in step S102, the following operations may be further included:
step S1: the client calls a first preset extension program to encrypt the data file and create the security metadata file.
In a preferred embodiment, the functions embedded in the client can be written in advance; they include data file encryption and decryption, hash value calculation and the like.
Preferably, before the first server receives the data file to be stored and the security metadata file from the client in step S102, the following steps may be further included:
step S2: the client requests the authentication center to assign a matching public/private key pair to the user who has successfully registered at the client;
step S3: the client uploads the public key, or the whole public/private key pair, to the first server, where the client encrypts the private key before uploading it; the public/private key pair is used for encrypting a hash value of the data file, and the hash value of the data file is used for encrypting the data file.
In a preferred embodiment, each part of the cloud storage system needs to be initialized, specifically as follows:
(1) initialization of the client: the client plug-in (i.e. the first preset extension program) includes functions for encrypting and decrypting data, calculating hash values, applying to the CA center for a public/private key pair, and providing security functions; in those interfaces where the client interacts with the server, the client needs to call the plug-in's functions in sequence according to preset logic in order to use the security services the plug-in provides. A developer of the cloud storage system loads the plug-in's function package (a dynamic link library) into the client source code, modifies the interfaces that interact with the server one by one as needed, and finally recompiles and releases the modified client;
(2) initialization of the server: the server plug-in (i.e. the second preset extension program mentioned below) includes all interface functions for communicating with the security metadata server; in the interfaces corresponding to those in (1), the server needs to call the server plug-in's functions in sequence according to preset logic in order to use the security services the plug-in provides. As with the client, the function package is inserted into the server source code, the interfaces that interact with the client are modified one by one as needed, and the modified server is finally recompiled and run;
(3) initialization of the security metadata management server: the security metadata management server is started and provides services related to the security metadata file externally through a remote interface. The security metadata management server is an independently running logical entity that is responsible for all operations related to security metadata maintenance, is called by the security metadata management server plug-in, and implements a cache mechanism for security metadata files.
In a preferred embodiment, a user may initiate a registration request to the cloud storage system through a client. If the registration succeeds, the client can call the plug-in function that applies for a public/private key pair, and apply to the CA for a unique public/private key pair for the newly registered user. The CA can generate a public/private key pair for the user through Public Key Infrastructure (PKI) according to the user's registration information, and this key pair identifies the user in the security plug-in. The client uploads the public key to the cloud storage system server, which stores public keys centrally, so any user can obtain the public keys of other users. The user can also upload the encrypted private key to the server as required, so that the private key can be downloaded from the server and restored when the user logs in at a different terminal, which provides cross-platform transmission of the private key.
Preferably, the security metadata file may carry identification information of the client user, and in step S104, the sending, by the first server, the security metadata file that is uploaded by the client user who succeeds in verification and is simultaneously uploaded with the data file to the second server for saving may include the following processing:
step S4: the first server calls a second preset extension program to verify the identification information registered in advance by the client user, and sends the security metadata file uploaded by the successfully verified client user to the second server.
In a preferred embodiment, FIG. 2 is a flow chart of a user uploading a secure metadata file according to a preferred embodiment of the present invention. As shown in fig. 2, the process may include the following process steps:
step S202: the client calculates the hash value of the data file and, using the hash value as the key, encrypts the data plaintext according to the encryption mode in the configuration file; it then creates a security metadata file, whose contents may include: the owner's identity, the file name hash, the specified encryption algorithm and hash mode, and an access control list, where each entry in the access control list comprises the user name of a legitimate user and the hash value ciphertext encrypted with that user's public key; finally, the data ciphertext and the security metadata file are sent to the server;
step S204: the client uploads the data file and the security metadata file;
step S206: after storing the data ciphertext according to its original logic, the server calls a remote interface through the plug-in and passes the security metadata file and the operating user's name to the security metadata management server;
step S208: after verifying the user's identity and access rights, the security metadata management server stores the security metadata file locally and updates the cache.
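The client-side steps of this scheme (step S202 above, plus the download check and the access control list regeneration described in the Disclosure) are shown here as an added example; it is not code from the patent. SHA-256, the XOR keystream cipher, the toy RSA keys built from Mersenne primes, the field names and the users alice and bob are assumptions standing in for the hash mode, the encryption mode and the CA-issued key pairs; they keep the sketch standard-library only and are not secure choices.

```python
import hashlib
import hmac

E = 65537  # RSA public exponent (assumption)


def make_keypair(p_exp, q_exp):
    """Toy RSA key from two Mersenne primes 2**k - 1. Constructed stand-in for
    a CA-issued key pair; trivially factorable, NOT secure."""
    p, q = 2**p_exp - 1, 2**q_exp - 1
    n = p * q
    return {"n": n, "e": E}, {"n": n, "d": pow(E, -1, (p - 1) * (q - 1))}


def wrap(pub, h):
    """Encrypt the file hash under one user's public key (one ACL entry)."""
    return pow(int.from_bytes(h, "big"), pub["e"], pub["n"])


def unwrap(priv, c):
    """Recover the file hash from an ACL entry with the user's private key."""
    m = pow(c, priv["d"], priv["n"])
    if m >> 256:
        raise ValueError("ACL entry does not decode to a 256-bit hash")
    return m.to_bytes(32, "big")


def sym_crypt(key, data):
    """Stand-in symmetric cipher: XOR with a SHA-256 counter keystream.
    The same call encrypts and decrypts."""
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = hashlib.sha256(key + (off // 32).to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[off:off + 32], ks))
    return bytes(out)


def client_upload(owner, file_name, plaintext, owner_pub):
    """Step S202: hash the file, encrypt it with the hash as key, and build
    the security metadata file with the owner's ACL entry."""
    h = hashlib.sha256(plaintext).digest()
    metadata = {
        "owner": owner,
        "file_name_hash": hashlib.sha256(file_name.encode()).hexdigest(),
        "encryption": "sha256-keystream-xor (stand-in)",
        "hash": "sha256",
        "acl": {owner: wrap(owner_pub, h)},
    }
    return sym_crypt(h, plaintext), metadata


def client_download(user, priv, ciphertext, metadata):
    """Download check: first hash from the ACL, second hash recomputed from
    the decrypted plaintext; a mismatch means tampering."""
    if user not in metadata["acl"]:
        raise PermissionError(f"{user} has no access control list entry")
    first = unwrap(priv, metadata["acl"][user])
    plaintext = sym_crypt(first, ciphertext)
    second = hashlib.sha256(plaintext).digest()
    if not hmac.compare_digest(first, second):
        raise ValueError("integrity check failed: hash values differ")
    return plaintext


def client_add_user(user, priv, metadata, new_user, new_pub):
    """ACL regeneration: unwrap the hash with the sharer's private key and
    re-wrap it under the public key of the user to be added."""
    h = unwrap(priv, metadata["acl"][user])
    acl = dict(metadata["acl"])
    acl[new_user] = wrap(new_pub, h)
    return {**metadata, "acl": acl}


# Constructed sample users and file (assumptions, not from the patent).
ALICE_PUB, ALICE_PRIV = make_keypair(521, 607)
BOB_PUB, BOB_PRIV = make_keypair(1279, 2203)
SAMPLE = b"constructed sample: quarterly figures\n" * 3

if __name__ == "__main__":
    ct, md = client_upload("alice", "report.txt", SAMPLE, ALICE_PUB)
    md = client_add_user("alice", ALICE_PRIV, md, "bob", BOB_PUB)
    print(client_download("bob", BOB_PRIV, ct, md) == SAMPLE)
```

Because the key is the content hash, two uploads of the same plaintext use the same key, which is worth weighing when choosing the encryption mode in the configuration file.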
Preferably, in step S4, after the first server calls the second preset extension program to verify the identification information registered by the client user in advance, and sends the security metadata file uploaded by the client user that is successfully verified to the second server, the method may further include the following steps:
step S5: a first server receives a request message for updating a security metadata file from a client;
step S6: after the first server acquires the security metadata file corresponding to the user passing the verification from the second server, calling a second preset extension program to verify the identification information of the user of the client, and sending the acquired security metadata file and the acquired data file to the client;
step S7: the first server receives the updated security metadata file uploaded by the client and sends the updated security metadata file to the second server.
Preferably, after the first server receives the updated security metadata file from the client and sends the updated security metadata file to the second server in step S7, the following process may be further included:
step S8: the second server authenticates the user authenticated by the first server again;
step S9: after the second server successfully verifies, the security metadata file currently stored by the second server is replaced with the received updated security metadata file.
In a preferred embodiment, FIG. 3 is a flow chart of a user updating a secure metadata file according to a preferred embodiment of the present invention. As shown in fig. 3, the process may include the following process steps:
step S302: the client side sends an updating request to the server to obtain partial information in the security metadata file;
step S304: after verifying the user identity of the client, the server obtains relevant information from the security metadata management server through a plug-in, where the relevant information may include: user names and public keys of all legal users, the encryption mode of the file and the hash mode of the file;
step S306: the server returns the part of information to the client;
step S308: the client calls the plug-in to calculate the hash value of the file, calls the plug-in to encrypt the file and simultaneously calls the plug-in to calculate a new ACL;
step S310: the client encrypts a file to be uploaded through a plug-in, and generates a new ACL list;
step S312: the client uploads the data ciphertext and the new ACL list to the server;
step S314: the server firstly processes the data ciphertext according to the original logic, then calls an interface in the security metadata management server through the plug-in, sends a new ACL list and the user name of an operator to the security metadata management server, and the security metadata management server updates the security metadata file in a cache after verifying the identity and the access authority of the user.
Preferably, in step S4, after the first server invokes the second preset extension program to verify the identification information registered by the client user in advance, and sends the security metadata file uploaded by the client user that is successfully verified to the second server, the method may further include the following operations:
step S10: the first server receives a request message for downloading the security metadata file from the client;
step S11: the first server verifies the identification information of the client user by calling a second preset extension program, and acquires a security metadata file corresponding to the verified user from the second server;
step S12: the first server sends the acquired security metadata file to the client.
In a preferred embodiment, the plug-in is embedded into the cloud storage system without modifying the system's original functions and operations, so as to provide security services for the original cloud storage system. The security services provided are independent of the underlying layer of the deployed cloud storage system, and can be provided merely by modifying the implementation logic of an interface between the client and the server in the original cloud storage system (for example, an upload or download interface). Confidentiality and integrity of user data are thereby guaranteed, user access rights can be managed securely and efficiently on top of the original cloud storage system's access control, and the security of a data file when a right is revoked is guaranteed. In addition, the plug-in has good extensibility.
Preferably, the above-mentioned security metadata file may further carry an encryption mode used for encrypting the data file, and in step S12, after the first server sends the obtained security metadata file to the client, the following processing may be further included:
step S13: the client decrypts a first hash value of the security metadata file from the security metadata file by adopting a private key in a public and private key pair;
step S14: the client decrypts the data plaintext by using the first hash value and the data ciphertext downloaded from the first server, and recalculates a second hash value of the data plaintext, wherein the data ciphertext was obtained by the client, or by another client, calculating the hash value of the data plaintext, encrypting the data plaintext in the encryption mode with that hash value as the key, and uploading the result to the first server;
step S15: the client determines whether the security metadata file is complete according to the first hash value and the second hash value.
In a preferred embodiment, FIG. 4 is a flow chart of a user downloading a secure metadata file according to a preferred embodiment of the present invention. As shown in fig. 4, the process may include the following process steps:
step S402: a client initiates a downloading request to a server;
step S404: after verifying the user identity of the client through the plug-in, the server obtains relevant information from the security metadata management server, where the relevant information may include: the encryption mode of the data file, the hash mode of the data file and the ACL item corresponding to the operation user;
step S406: the server returns the information and the data ciphertext to the client together;
step S408: the client decrypts the hash value of the data file from the ACL through the plug-in and the private key of the client, decrypts the data plaintext according to the hash value and the data ciphertext, and recalculates the hash value of the data plaintext to compare with the obtained hash value for integrity check, wherein if the hash value is the same as the obtained hash value, the data file is not tampered in the storage and transmission processes, otherwise, the user is prompted that the data file is tampered.
In the preferred embodiment, because the plug-in is added to the cloud storage system, a user who downloads a file first downloads the data ciphertext and part of the information in the security metadata to the local machine, then decrypts the hash value of the data from the security metadata by using the user's private key, and finally decrypts the data plaintext; the hash value of the decrypted data file is then recalculated to check the integrity of the data file, thereby ensuring the integrity of the data.
Preferably, in step S4, after the first server calls the second preset extension program to verify the identification information registered by the client user in advance, and sends the security metadata file uploaded by the client user that is successfully verified to the second server, the method may further include the following processing:
step S16: the first server receives a request message from the client for modifying an access control list item corresponding to the client user;
step S17: the first server verifies the identification information of the client user by calling a second preset extension program, and acquires an access control list item corresponding to the verified user from the second server;
step S18: and the first server sends the acquired access control list items and the currently stored public key corresponding to the user to be added to the client.
Preferably, in step S18, after the first server sends the acquired access control list entry and the currently stored public key corresponding to the user to be added to the client, the method may further include the following operation:
step S19: the client decrypts the hash value of the security metadata file from the access control list item by using a private key;
step S20: the client side encrypts the decrypted hash value by adopting a public key corresponding to the user to be added, and regenerates an access control list item;
step S21: and the client uploads the regenerated access control list items to the first server.
Preferably, after the client uploads the regenerated access control list entry to the first server in step S21, the following process may be further included:
step S22: the second server receives the regenerated access control list items from the first server;
step S23: the second server authenticates the user authenticated by the first server again;
step S24: after the second server successfully verifies, the access control list item currently stored by the second server is replaced with the regenerated access control list item received from the first server.
In a preferred embodiment, FIG. 5 is a flow chart of a user modifying a secure metadata file according to a preferred embodiment of the present invention. As shown in fig. 5, the process may include the following process steps:
step S502: a user initiates a request for modifying the access authority to a server through a client;
step S504: after the identity of the operating user is verified through the plug-in, the server initiates a request to the security metadata management server to acquire an ACL item corresponding to the operating user;
step S506: the server returns the public key of the user to be added and the obtained ACL item to the client;
step S508: the client decrypts the hash value of the file through the plug-in and the user private key; the client side calculates an ACL item of the user to be added through the plug-in and the public key of the user to be added;
step S510: the client generates an ACL item of a user to be authorized;
step S512: the client uploads the generated ACL item of the user to be authorized to the server;
step S514: the server calls an interface of the security metadata management server through the plug-in, and the security metadata server updates an ACL list of the corresponding security metadata file in the cache.
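The upload (FIG. 2), download (FIG. 4) and grant (FIG. 5) flows described above, as an added Python sketch that is not code from the patent. The SHA-256 keystream cipher, the textbook RSA over fixed Mersenne primes and every function name are assumptions chosen to keep the sketch stdlib-only; neither primitive is secure, and a real client would use the configured cipher and CA-issued key pairs.

```python
import hashlib
import hmac

# --- Toy stand-ins (assumptions, NOT secure) -------------------------------
# The patent leaves cipher and hash configurable and does not name the
# public-key algorithm, so both primitives below are illustrative only.
E = 65537

def stream_xor(key: bytes, data: bytes) -> bytes:
    """XOR data with a SHA-256 counter keystream (encrypt == decrypt)."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        pad = hashlib.sha256(key + offset.to_bytes(8, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[offset:offset + 32], pad))
    return bytes(out)

def make_keypair(p_exp: int, q_exp: int):
    """Textbook RSA from two Mersenne primes 2**k - 1 (fixed, so not secret)."""
    p, q = 2 ** p_exp - 1, 2 ** q_exp - 1
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))
    return (n, E), (n, d)                      # (public key, private key)

def wrap(pub, secret: bytes) -> int:
    n, e = pub
    return pow(int.from_bytes(secret, "big"), e, n)

def unwrap(priv, blob: int) -> bytes:
    n, d = priv
    return pow(blob, d, n).to_bytes(32, "big")

# --- Client-side plug-in logic ---------------------------------------------
def client_upload(owner, filename, plaintext, readers):
    """Step S202. readers maps user name -> public key."""
    file_hash = hashlib.sha256(plaintext).digest()   # hash doubles as the key
    ciphertext = stream_xor(file_hash, plaintext)
    metadata = {
        "owner": owner,
        "filename_hash": hashlib.sha256(filename.encode()).hexdigest(),
        "encryption_mode": "toy-sha256-ctr",
        "hash_mode": "sha256",
        "acl": {name: wrap(pub, file_hash) for name, pub in readers.items()},
    }
    return ciphertext, metadata

def client_download(user, priv, ciphertext, metadata):
    """Step S408. Returns (plaintext, intact)."""
    first_hash = unwrap(priv, metadata["acl"][user])     # key from ACL entry
    plaintext = stream_xor(first_hash, ciphertext)
    second_hash = hashlib.sha256(plaintext).digest()     # recomputed hash
    return plaintext, hmac.compare_digest(first_hash, second_hash)

def client_grant(granter, granter_priv, metadata, new_user, new_pub):
    """Steps S508-S510: re-wrap the file hash under the new user's key."""
    file_hash = unwrap(granter_priv, metadata["acl"][granter])
    return new_user, wrap(new_pub, file_hash)

def demo():
    alice_pub, alice_priv = make_keypair(127, 521)
    bob_pub, bob_priv = make_keypair(107, 607)
    doc = b"constructed sample: quarterly report draft"
    ct, meta = client_upload("alice", "report.txt", doc, {"alice": alice_pub})
    name, entry = client_grant("alice", alice_priv, meta, "bob", bob_pub)
    meta["acl"][name] = entry            # stored by the metadata server
    plain, intact = client_download("bob", bob_priv, ct, meta)
    tampered = bytes([ct[0] ^ 1]) + ct[1:]               # one flipped bit
    _, tampered_intact = client_download("bob", bob_priv, tampered, meta)
    return {"plaintext": plain, "intact": intact,
            "tampered_intact": tampered_intact}

if __name__ == "__main__":
    print(demo())
```

The file key is the hash of the plaintext, so deleting an ACL entry removes a user's stored copy of the wrapped key but does not change the key itself.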
Preferably, in step S4, after the first server calls the second preset extension program to verify the identification information registered by the client user in advance, and sends the security metadata file uploaded by the client user that is successfully verified to the second server, the method may further include the following steps:
step S25: the first server receives a request message from the client for deleting an access control list item corresponding to the client user;
step S26: the first server verifies the identification information of the user of the client by calling a second preset extension program, and initiates a request message for deleting an access control list item corresponding to the verified user to the second server after the verification is successful;
step S27: the second server authenticates the user authenticated by the first server again;
step S28: after the second server successfully verifies, the access control list items which are currently stored by the second server and correspond to the verified users are deleted.
In a preferred embodiment, FIG. 6 is a flow diagram of a user deleting a secure metadata file in accordance with a preferred embodiment of the present invention. As shown in fig. 6, when the file owner considers that a certain user may damage the file or may disseminate the file information outwards, a measure for revoking the user's right may be taken, and the process of revoking the user's right by the file owner may include the following processing steps:
step S602: a client where a user is located initiates a request for revoking the authority to a server;
step S604: after the identity of the operating user is verified by the server through the plug-in, a request is sent to the security metadata server, and after the identity and the operating authority of the user are verified by the security metadata management server, the ACL item in the corresponding security metadata file is deleted in the cache.
Fig. 7 is a block diagram of a structure of a file processing system according to an embodiment of the present invention. As shown in fig. 7, the file processing system may include: a first server 10; the first server 10 may include: a first receiving module 100, configured to receive a data file to be stored and a security metadata file from a client, where the security metadata file is created when the client encrypts the data file; and the first sending module 102 is configured to send the security metadata file, which is uploaded by the client user successfully authenticated and is simultaneously uploaded with the data file, to the second server for storage.
By adopting the system shown in fig. 7, the problem of poor security of data storage of the cloud storage system in the related art is solved, end-to-end confidentiality and integrity protection can be provided for data stored in the cloud storage by a user, and the security of access authority information in the data sharing process is ensured.
Preferably, as shown in fig. 8, the system may further include: a client 20; the client 20 may include: the creating module 200 is configured to invoke a first preset extension program to encrypt the data file and create a security metadata file.
Preferably, as shown in fig. 8, the client 20 may further include: a request module 202, configured to request an authentication center to allocate a matched public and private key pair to a user who successfully registers at a client; the first uploading module 204 is configured to upload a public key or a public-private key pair in the public-private key pair to the first server, where the client performs an encryption processing operation on the private key before uploading the private key in the public-private key pair, the public-private key pair is used to encrypt a hash value of the data file, and the hash value of the data file is used to encrypt the data file.
In a preferred implementation process, the first sending module 102 is configured to invoke a second preset extension program to verify the identification information registered by the client user in advance, and send the security metadata file uploaded by the client user that is successfully verified to the second server.
Preferably, as shown in fig. 8, the first server 10 may further include: a second receiving module 104, configured to receive a request message for updating the security metadata file from the client; the second sending module 106 is configured to, after obtaining the security metadata file corresponding to the user who passes the verification from the second server, invoke a second preset extension program to verify the identification information of the user at the client, and send the obtained security metadata file and the obtained data file to the client; and a third sending module 108, configured to receive the updated security metadata file uploaded by the client, and send the updated security metadata file to the second server.
Preferably, as shown in fig. 8, the system may further include: a second server 30; a first authentication module 300 for re-authenticating the user authenticated by the first server; a first replacing module 302, configured to replace, after the verification is successful, the security metadata file currently stored by the second server with the received updated security metadata file.
Preferably, as shown in fig. 8, the first server 10 may further include: a third receiving module 110, configured to receive a request message for downloading the security metadata file from the client; a first obtaining module 112, configured to verify the identification information of the client user by calling a second preset extension program, and obtain, from the second server, a security metadata file requested by the verified user; and a fourth sending module 114, configured to send the obtained security metadata file to the client.
Preferably, as shown in fig. 8, the client 20 may further include: a first decryption module 206, configured to decrypt a first hash value of the security metadata file from the security metadata file by using a private key in a public and private key pair; a calculation module 208, configured to decrypt a data plaintext by using the first hash value and a data ciphertext downloaded from the first server, and recalculate a second hash value of the data plaintext, where the data ciphertext was obtained by the client, or by another client, calculating the hash value of the data plaintext, encrypting the data plaintext in the encryption mode with that hash value as the key, and uploading the result to the first server; a determining module 210, configured to determine whether the security metadata file is complete according to the first hash value and the second hash value.
Preferably, as shown in fig. 8, the first server 10 may further include: a fourth receiving module 116, configured to receive a request message from the client to modify an access control list entry corresponding to the client user; a second obtaining module 118, configured to verify the identification information of the client user when invoking a second preset extension program, and obtain an access control list entry corresponding to the verified user from a second server; a fifth sending module 120, configured to send the obtained access control list entry and the currently stored public key corresponding to the user to be added to the client.
Preferably, as shown in fig. 8, the client 20 may further include: a second decryption module 212, configured to decrypt, using a private key, a hash value of the secure metadata file from the access control list entry; a generating module 214, configured to encrypt the decrypted hash value by using a public key corresponding to the user to be added, and regenerate an access control list entry; a second uploading module 216, configured to upload the regenerated access control list entry to the first server.
Preferably, as shown in fig. 8, the second server 30 may further include: a fifth receiving module 304, configured to receive a regenerated access control list entry from the first server; a second authentication module 306, configured to authenticate the user authenticated by the first server again; and a second replacement module 308, configured to replace, after successful verification, the currently stored access control list entry of the second server with the regenerated access control list entry received from the first server.
Preferably, as shown in fig. 8, the first server 10 may further include: a sixth receiving module 122, configured to receive a request message from the client to delete an access control list entry corresponding to the client user; a sixth sending module 124, configured to verify the identification information of the user at the client by calling the second preset extension program, and initiate, after the verification is successful, a request message for deleting the access control list entry corresponding to the user that passes the verification to the second server; the second server 30 may further include: a third authentication module 310, configured to authenticate the user authenticated by the first server again; and a deleting module 312, configured to delete the access control list entry corresponding to the authenticated user currently stored by the second server after the authentication is successful.
The preferred implementation described above is further described below in conjunction with fig. 9.
Fig. 9 is a schematic configuration diagram of a document processing system according to a preferred embodiment of the present invention. As shown in fig. 9, the document processing system may include:
client (equivalent to the above client): the client part is embedded with the plug-in provided by the invention in the cloud storage system;
client plug-in (equivalent to the first preset extension program): the part of the plug-in embedded into the cloud storage system client is mainly responsible for applying for public and private key pairs to CA, calculating the hash value of the data file and carrying out encryption and decryption operations on the data file, wherein the plug-in mainly comprises the following modules:
a public and private key pair application module (equivalent to the request module): responsible for applying to the CA for a public and private key pair, which serves as the identity of a newly registered user;
a data encryption and decryption module (equivalent to the first decryption module, the second decryption module, the calculation module and the generation module): responsible for all encryption and decryption operations of the client, which may include: encrypting and decrypting a data file and encrypting and decrypting a hash value; in the file encryption process, a hash algorithm is first used to calculate the hash value of the file, which forms the key of the file; a symmetric encryption algorithm and a block mode are then selected and the file content is encrypted with the key, where the hash mode, the encryption algorithm and the mode can be configured by the user; finally, security metadata information is generated by using the public key of a legal user and uploaded to the server through the original system interface;
integrity check module (equivalent to the above determination module): verifies the integrity of the downloaded file; when the client has downloaded the data ciphertext from the server and the data encryption and decryption module has decrypted the data plaintext, the client runs the data encryption and decryption module to recalculate the hash value of the file plaintext and judges whether it is the same as the obtained hash value; if it is the same, the data file requested to be accessed is complete; otherwise, the integrity of the requested data file has been destroyed.
Server (equivalent to the first server): the server part is embedded with the plug-in provided by the invention in the cloud storage system;
server plug-in (equivalent to the second preset extension): the part of the plug-in, which is embedded into a cloud storage system server, is responsible for calling an interface provided by a security metadata management server and processing security metadata information;
secure metadata management server (equivalent to the second server): the server which runs independently provides a remote calling interface for the outside and is responsible for operations such as access, maintenance, cache and the like of the security metadata file; the system mainly comprises the following modules:
a security metadata access module (corresponding to the fifth receiving module): called by the functions in the server plug-in, and responsible for operations such as insertion and deletion of the security metadata;
an access right checking module (corresponding to the first verification module, the second verification module, and the third verification module): this module is independent of the access right verification module of the original cloud storage system and is responsible for verifying again whether the user executing the operation has the right to perform it; it operates as follows: for an upload or download request, it checks whether the information of the operating user exists in the ACL of the security metadata; if so, the user has the operation authority, otherwise the user does not; for a permission modification request, it checks whether the file owner in the security metadata is the operating user; if so, the user has the operation authority, otherwise the user does not. In order to improve the system efficiency, all functions in the module are provided with a flag bit parameter, through which the system can skip the check of the operation authority;
a security metadata maintenance module (corresponding to the first replacement module, the second replacement module, and the deletion module): called by the functions in the server plug-in, and responsible for maintenance operations such as modification and updating of the security metadata; the security metadata file includes the file owner ID, the file name hash, the data encryption mode, the data hash mode, and the access control list, and the structure is shown in table 1:
TABLE 1
Owner ID | File name hash | Encryption mode | Hash mode | Access control list |
Wherein,
the owner ID is used for recording the owner of the security metadata file so as to verify whether the user has the operation authority when the access control list is modified;
the file name hash is used for performing simple verification operation to prove that the security metadata file is matched with the original data file so as to prevent operations such as malicious renaming of a cloud storage administrator;
the encryption mode is used to record the encryption mode of the current data file and may support a variety of encryption mechanisms, such as the AES, DES and 3DES encryption algorithms and their different block modes;
the hash mode is used for recording the algorithm of the current hash value and can support mainstream algorithms such as SHA-1 and MD5;
the access control list is used to record the access rights of the secure metadata file, wherein each element may contain the following two items:
(1) a user name for identifying a user having access rights;
(2) an ACL entry, i.e. the encrypted file hash (the file encryption key), which conveys the file's encryption key to legitimate users and provides the file hash for integrity checking.
The specific structure is shown in table 2:
TABLE 2
User name | Key ciphertext |
User name 1 | Key ciphertext |
User name 2 | Key ciphertext |
... | Key ciphertext |
User name n | Key ciphertext |
A security metadata cache module: responsible for caching commonly used security metadata files in memory in a red-black tree data structure so as to improve the performance of the system; the red-black tree used in the cache is built on a dynamic array, and add, delete and search interfaces and a comparison function are provided externally through related functions with automatic memory maintenance; the data structure of the red-black tree nodes is as follows:
the data structure of the red-black tree is as follows:
In order to reduce the disk I/O pressure caused by the security metadata, the security metadata cache module caches frequently accessed security metadata in memory and organizes it in a red-black tree so that the cache can be searched quickly. The module uses a Least Recently Used (LRU) algorithm for cache replacement: when the cache capacity reaches an upper limit or the number of contained elements reaches the upper limit of the capacity, the least recently used data is replaced from the cache. The flow is as follows:
step 1: searching whether a certain element exists in the current cache, if not, continuing to execute the step 2, otherwise, skipping to the step 5;
step 2: reading required element information from a disk, checking whether the cache is full, if so, continuing to execute the step 3, otherwise, jumping to the step 4;
step 3: deleting the least recently used element in the cache;
step 4: inserting the new element into the cache;
step 5: updating the access time of the corresponding element in the cache to be the latest;
step 6: the value of the required element in the cache is returned.
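The access right checking module and the six-step LRU flow above, combined in an added Python sketch of the security metadata management server (not the patent's code). Class, method and field names are assumptions, the metadata records are constructed, and an `OrderedDict` stands in for the red-black tree the patent uses for lookup.

```python
from collections import OrderedDict

def sample_disk():
    """Constructed security metadata files, keyed by file id."""
    return {
        fid: {"owner": "alice",
              "acl": {"alice": "wrapped-key-alice", "bob": "wrapped-key-bob"}}
        for fid in ("a", "b", "c")
    }

class MetadataCache:
    """LRU cache in front of the on-disk metadata, following steps 1-6."""

    def __init__(self, disk, capacity):
        self.disk = disk                 # dict standing in for disk storage
        self.capacity = capacity
        self.entries = OrderedDict()     # least recently used entry first
        self.disk_reads = 0

    def get(self, file_id):
        if file_id not in self.entries:                  # step 1: lookup
            meta = self.disk[file_id]                    # step 2: read disk
            self.disk_reads += 1
            if len(self.entries) >= self.capacity:       # step 2: cache full?
                self.entries.popitem(last=False)         # step 3: evict LRU
            self.entries[file_id] = meta                 # step 4: insert
        self.entries.move_to_end(file_id)                # step 5: mark newest
        return self.entries[file_id]                     # step 6: return

class MetadataServer:
    """Re-verifies every request independently of the storage server."""

    def __init__(self, disk, capacity=2, skip_check=False):
        self.cache = MetadataCache(disk, capacity)
        self.skip_check = skip_check     # the module's flag-bit parameter

    def allowed(self, meta, user, operation):
        if self.skip_check:              # check bypassed for efficiency
            return True
        if operation in ("upload", "download"):
            return user in meta["acl"]   # user must appear in the ACL
        if operation == "modify_acl":
            return user == meta["owner"] # only the owner may change rights
        return False                     # unknown operations are refused

    def fetch_entry(self, file_id, user):
        """Download path: return the caller's ACL entry, or None."""
        meta = self.cache.get(file_id)
        if not self.allowed(meta, user, "download"):
            return None
        return meta["acl"].get(user)

    def revoke(self, file_id, operator, target):
        """Revocation path: delete target's ACL entry in the cache."""
        meta = self.cache.get(file_id)
        if not self.allowed(meta, operator, "modify_acl"):
            return False
        return meta["acl"].pop(target, None) is not None

if __name__ == "__main__":
    server = MetadataServer(sample_disk())
    print(server.fetch_entry("a", "bob"), server.revoke("a", "bob", "alice"))
```

With `skip_check=True` the second server accepts whatever the first server forwards, so the independent re-verification described for steps S8, S23 and S27 no longer takes place.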
From the above description, it can be seen that the above embodiments achieve the following technical effects (it is to be noted that these effects are those that certain preferred embodiments can achieve): the core of the technical scheme provided by the invention is that the management of the security metadata file is realized on the security metadata server, which is embedded into the existing cloud storage system in the form of a plug-in to provide security services for the cloud storage system; the original logic of the cloud storage system does not need to be modified, and only the corresponding function calls need to be added to the interactive interface between the client and the server; the end-to-end privacy and integrity of user data are guaranteed, only a legal user can decrypt the data plaintext, and the user can find out in time whether the data has been illegally tampered with or damaged due to a change of the storage medium; and a security metadata cache mechanism is adopted, which reduces the system overhead that the plug-in's security functions introduce.
It will be apparent to those skilled in the art that the modules or steps of the present invention described above may be implemented by a general purpose computing device, they may be centralized on a single computing device or distributed across a network of multiple computing devices, and alternatively, they may be implemented by program code executable by a computing device, such that they may be stored in a storage device and executed by a computing device, and in some cases, the steps shown or described may be performed in an order different than that described herein, or they may be separately fabricated into individual integrated circuit modules, or multiple ones of them may be fabricated into a single integrated circuit module. Thus, the present invention is not limited to any specific combination of hardware and software.
The above description is only a preferred embodiment of the present invention and is not intended to limit the present invention, and various modifications and changes may be made by those skilled in the art. Any modification, equivalent replacement, or improvement made within the spirit and principle of the present invention should be included in the protection scope of the present invention.
Claims (22)
1. A method for processing a file, comprising:
a first server receives a data file to be stored and a security metadata file from a client, wherein the security metadata file is created when the client encrypts the data file;
the first server sends the security metadata file, which is uploaded together with the data file by the successfully verified client user, to a second server for storage;
before the first server receives the data file to be stored and the security metadata file from the client, the method further includes: the client requests the authentication center to distribute a public and private key pair matched with each other for the user successfully registered in the client; and the client uploads the public and private key pair to the first server, wherein the client performs encryption processing operation on a private key before uploading the private key in the public and private key pair, the public and private key pair is used for encrypting a hash value of the data file, and the hash value of the data file is used for encrypting the data file.
2. The method of claim 1, further comprising, before the first server receives the data file to be stored and the security metadata file from the client:
the client calls a first preset extension program to encrypt the data file and create the security metadata file.
3. The method of claim 1, wherein the sending, by the first server, the security metadata file uploaded simultaneously with the data file by the successfully authenticated client user to the second server for saving comprises:
and the first server calls a second preset extension program to verify the identification information registered by the client user in advance, and sends the security metadata file uploaded by the successfully verified client user to the second server.
4. The method according to claim 3, wherein after the first server invokes the second preset extension program to verify the identification information pre-registered by the client user and send the security metadata file uploaded by the successfully verified client user to the second server, the method further comprises:
the first server receiving a request message from the client to update the security metadata file;
after the first server acquires the security metadata file corresponding to the data file from the second server, the first server calls the second preset extension program to verify the identification information of the user of the client, and sends the acquired security metadata file and the data file to the client;
and the first server receives the updated security metadata file uploaded by the client and sends the updated security metadata file to the second server.
5. The method of claim 4, after the first server receives the updated security metadata file from the client and sends the updated security metadata file to the second server, further comprising:
the second server authenticates the user authenticated by the first server again;
and after the second server successfully verifies, replacing the security metadata file currently stored by the second server with the received updated security metadata file.
6. The method according to claim 3, wherein after the first server invokes the second preset extension program to verify the identification information pre-registered by the client user and send the security metadata file uploaded by the successfully verified client user to the second server, the method further comprises:
the first server receives a request message for downloading the security metadata file from the client;
the first server verifies the identification information of the client user by calling the second preset extension program, and acquires a security metadata file corresponding to the verified user from the second server;
and the first server sends the acquired security metadata file to the client.
7. The method according to claim 6, wherein the security metadata file further carries an encryption mode used for encrypting the data file, and after the first server sends the obtained security metadata file to the client, the method further comprises:
the client decrypts a first hash value of the security metadata file from the security metadata file by adopting a private key in the public and private key pair;
the client decrypts a data plaintext by using the first hash value and a data ciphertext downloaded from the first server, and recalculates a second hash value of the data plaintext, wherein the data ciphertext is obtained by calculating the hash value of the data plaintext by the client or other clients except the client, processing the hash value in the encryption mode by using the hash value as a key, and uploading the processed hash value to the first server;
and the client determines whether the security metadata file is complete according to the first hash value and the second hash value.
8. The method according to claim 3, wherein after the first server invokes the second preset extension program to verify the identification information pre-registered by the client user and send the security metadata file uploaded by the successfully verified client user to the second server, the method further comprises:
the first server receives a request message from the client for modifying an access control list item corresponding to the client user;
the first server verifies the identification information of the client user by calling the second preset extension program, and acquires an access control list item corresponding to the verified user from the second server;
and the first server sends the acquired access control list items and the currently stored public key corresponding to the user to be added to the client.
9. The method according to claim 8, wherein after the first server sends the obtained access control list entry and the currently stored public key corresponding to the user to be added to the client, the method further includes:
the client decrypts the hash value of the security metadata file from the access control list item by using the private key;
the client side encrypts the decrypted hash value by adopting a public key corresponding to the user to be added, and regenerates an access control list item;
and the client uploads the regenerated access control list items to the first server.
10. The method of claim 9, wherein after the client uploads the regenerated access control list entries to the first server, further comprising:
the second server receiving the regenerated access control list entries from the first server;
the second server authenticates the user authenticated by the first server again;
and after the second server is successfully verified, replacing the currently stored access control list item of the second server with the regenerated access control list item received from the first server.
11. The method according to claim 3, wherein after the first server invokes the second preset extension program to verify the identification information pre-registered by the client user and send the security metadata file uploaded by the successfully verified client user to the second server, the method further comprises:
the first server receives a request message from the client for deleting an access control list item corresponding to the client user;
the first server verifies the identification information of the user of the client by calling the second preset extension program, and initiates a request message for deleting an access control list item corresponding to the verified user to the second server after the verification is successful;
the second server authenticates the user authenticated by the first server again;
and after the second server successfully verifies, deleting the access control list items which are currently stored by the second server and correspond to the verified users.
12. A system for processing a file, comprising: a first server;
the first server includes:
the system comprises a first receiving module, a second receiving module and a third receiving module, wherein the first receiving module is used for receiving a data file to be stored and a security metadata file from a client, and the security metadata file is created when the client encrypts the data file;
the first sending module is used for sending the security metadata file, uploaded together with the data file by a successfully verified client user, to a second server for storage;
wherein the client further comprises: the request module is used for requesting the authentication center to issue a matching public and private key pair for the user who has successfully registered at the client; the first uploading module is used for uploading the public and private key pair to the first server, wherein the client encrypts the private key of the public and private key pair before uploading it, the public and private key pair is used for encrypting the hash value of the data file, and the hash value of the data file is used for encrypting the data file.
13. The system of claim 12, further comprising: the client side;
the client comprises:
and the creating module is used for calling a first preset extension program to encrypt the data file to create the security metadata file.
14. The system according to claim 12, wherein the first sending module is configured to invoke a second preset extension program to verify the identification information pre-registered by the client user, and send the security metadata file uploaded by the client user that is successfully verified to the second server.
15. The system of claim 14, wherein the first server further comprises:
a second receiving module, configured to receive a request message for updating the security metadata file from the client;
the second sending module is used for calling the second preset extension program to verify the identification information of the user of the client after the security metadata file corresponding to the verified user is obtained from the second server, and sending the obtained security metadata file and the obtained data file to the client;
and the third sending module is used for receiving the updated security metadata file uploaded by the client and sending the updated security metadata file to the second server.
16. The system of claim 15, further comprising: the second server;
the first authentication module is used for carrying out re-authentication on the user authenticated by the first server;
and the first replacement module is used for replacing the security metadata file currently stored by the second server with the received updated security metadata file after the verification is successful.
17. The system of claim 14, wherein the first server further comprises:
a third receiving module, configured to receive a request message from the client to download the security metadata file;
the first acquisition module is used for verifying the identification information of the client user by calling the second preset extension program and acquiring a security metadata file requested by the verified user from the second server;
and the fourth sending module is used for sending the obtained security metadata file to the client.
18. The system of claim 17, wherein the client further comprises:
the first decryption module is used for decrypting a first hash value of the security metadata file from the security metadata file by adopting a private key in the public and private key pair;
the computing module is used for decrypting a data plaintext by using the first hash value and a data ciphertext downloaded from the first server and recalculating a second hash value of the data plaintext, wherein the data ciphertext is obtained by computing the hash value of the data plaintext by the client or other clients except the client, processing the hash value in the encryption mode by using the hash value as a key, and uploading the processed hash value to the first server;
a determining module, configured to determine whether the security metadata file is complete according to the first hash value and the second hash value.
19. The system of claim 14, wherein the first server further comprises:
a fourth receiving module, configured to receive a request message from the client to modify an access control list entry corresponding to the client user;
the second obtaining module is used for verifying the identification information of the client user by calling the second preset extension program and obtaining an access control list item corresponding to the verified user from the second server;
and the fifth sending module is used for sending the acquired access control list items and the currently stored public key corresponding to the user to be added to the client.
20. The system of claim 19, wherein the client further comprises:
the second decryption module is used for decrypting the hash value of the security metadata file from the access control list item by adopting the private key;
the generating module is used for encrypting the decrypted hash value by adopting a public key corresponding to the user to be added and regenerating an access control list item;
and the second uploading module is used for uploading the regenerated access control list items to the first server.
21. The system of claim 20, wherein the second server further comprises:
a fifth receiving module, configured to receive the regenerated access control list entry from the first server;
the second verification module is used for verifying the user verified by the first server again;
and a second replacement module, configured to replace, after the verification is successful, the access control list entry currently stored in the second server with the regenerated access control list entry received from the first server.
22. The system of claim 14, wherein the first server further comprises:
a sixth receiving module, configured to receive a request message from the client to delete an access control list entry corresponding to the client user;
a sixth sending module, configured to verify the identification information of the user at the client by calling the second preset extension program, and initiate, after the verification is successful, a request message for deleting an access control list entry corresponding to the user that passes the verification to the second server;
the second server further comprises:
the third verification module is used for verifying the user verified by the first server again;
and the deleting module is used for deleting the access control list items which are currently stored by the second server and correspond to the verified users after the verification is successful.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201210381985.8A CN103731395B (en) | 2012-10-10 | 2012-10-10 | The processing method and system of file |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201210381985.8A CN103731395B (en) | 2012-10-10 | 2012-10-10 | The processing method and system of file |
Publications (2)
Publication Number | Publication Date |
---|---|
CN103731395A CN103731395A (en) | 2014-04-16 |
CN103731395B true CN103731395B (en) | 2017-11-14 |
Family
ID=50455326
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201210381985.8A Active CN103731395B (en) | 2012-10-10 | 2012-10-10 | The processing method and system of file |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN103731395B (en) |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN108418833A (en) * | 2018-03-23 | 2018-08-17 | 中科创达软件股份有限公司 | A kind of management method of software, cloud server and terminal |
Families Citing this family (16)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2015158288A1 (en) * | 2014-04-17 | 2015-10-22 | 苏州海博智能系统有限公司 | Multi-dimensional information pointer platform and data access method thereof |
CN104462965B (en) * | 2014-11-14 | 2018-03-13 | 华为技术有限公司 | Application integrity verification method and the network equipment |
CN105025041B (en) * | 2015-08-25 | 2019-03-12 | 北京百度网讯科技有限公司 | The methods, devices and systems that file uploads |
CN105072134A (en) * | 2015-08-31 | 2015-11-18 | 成都卫士通信息产业股份有限公司 | Cloud disk system file secure transmission method based on three-level key |
CN105208017B (en) * | 2015-09-07 | 2019-01-04 | 四川神琥科技有限公司 | A kind of memorizer information acquisition methods |
CN106936579A (en) * | 2015-12-30 | 2017-07-07 | 航天信息股份有限公司 | Cloud storage data storage and read method based on trusted third party agency |
CN108234436A (en) * | 2016-12-22 | 2018-06-29 | 航天信息股份有限公司 | A kind of encryption method and system based on the storage of OpenStack objects |
CN107295018A (en) * | 2017-08-14 | 2017-10-24 | 北京连云决科技有限公司 | A kind of safety storage of cloud disc file and sharing method |
CN108563396B (en) * | 2017-12-11 | 2020-12-25 | 上海高顿教育科技有限公司 | Safe cloud object storage method |
CN110889131B (en) * | 2018-09-11 | 2022-04-05 | 北京金山办公软件股份有限公司 | File sharing system |
CN111695987A (en) * | 2020-06-15 | 2020-09-22 | 北京同邦卓益科技有限公司 | Client registration processing method, device, equipment and storage medium |
CN111859378B (en) * | 2020-07-31 | 2022-11-18 | 中国工商银行股份有限公司 | Processing method and device for protecting data model |
CN114327285A (en) * | 2021-12-30 | 2022-04-12 | 南京中孚信息技术有限公司 | Data storage method, device, equipment and storage medium |
CN114374686B (en) * | 2022-01-05 | 2024-03-01 | 北京百度网讯科技有限公司 | File processing method, device and equipment based on browser |
CN114698303B (en) * | 2022-04-14 | 2023-07-04 | 张�浩 | Teaching computer network information safety device |
CN116366283B (en) * | 2023-02-07 | 2023-08-18 | 南京模砾半导体有限责任公司 | File secure transmission method based on symmetric encryption |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101917403A (en) * | 2010-07-23 | 2010-12-15 | 华中科技大学 | Distributed key management method for ciphertext storage |
CN102014133A (en) * | 2010-11-26 | 2011-04-13 | 清华大学 | Method for implementing safe storage system in cloud storage environment |
CN102307185A (en) * | 2011-06-27 | 2012-01-04 | 北京大学 | Data isolation method used in storage cloud |
CN102685148A (en) * | 2012-05-31 | 2012-09-19 | 清华大学 | Method for realizing secure network backup system under cloud storage environment |
Family Cites Families (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US8719143B2 (en) * | 2006-09-28 | 2014-05-06 | Microsoft Corporation | Determination of optimized location for services and data |
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN108418833A (en) * | 2018-03-23 | 2018-08-17 | 中科创达软件股份有限公司 | A kind of management method of software, cloud server and terminal |
CN108418833B (en) * | 2018-03-23 | 2022-01-07 | 中科创达软件股份有限公司 | Software management method, cloud server and terminal |
Also Published As
Publication number | Publication date |
---|---|
CN103731395A (en) | 2014-04-16 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN103731395B (en) | The processing method and system of file | |
US9424400B1 (en) | Digital rights management system transfer of content and distribution | |
EP3398073B1 (en) | Securely storing and distributing sensitive data in a cloud-based application | |
US9342701B1 (en) | Digital rights management system and methods for provisioning content to an intelligent storage | |
US8856530B2 (en) | Data storage incorporating cryptographically enhanced data protection | |
US9135464B2 (en) | Secure storage system for distributed data | |
US8059818B2 (en) | Accessing protected data on network storage from multiple devices | |
US9973481B1 (en) | Envelope-based encryption method | |
US20140112470A1 (en) | Method and system for key generation, backup, and migration based on trusted computing | |
Kapil et al. | Attribute based honey encryption algorithm for securing big data: Hadoop distributed file system perspective | |
EP3035641A1 (en) | Method for file upload to cloud storage system, download method and device | |
CN104601579A (en) | Computer system for ensuring information security and method thereof | |
CN106797316B (en) | Router, data equipment, the method and system for distributing data | |
US20160308845A1 (en) | Method of operating a computing device, computing device and computer program | |
CN110445840B (en) | File storage and reading method based on block chain technology | |
WO2022223036A1 (en) | Method and apparatus for sharing encrypted data, and device and readable medium | |
CN105072134A (en) | Cloud disk system file secure transmission method based on three-level key | |
KR20210143846A (en) | encryption systems | |
US10740478B2 (en) | Performing an operation on a data storage | |
CN114826702B (en) | Database access password encryption method and device and computer equipment | |
US20230205908A1 (en) | Protected storage for decryption data | |
Goswami et al. | Investigation on storage level data integrity strategies in cloud computing: classification, security obstructions, challenges and vulnerability | |
CN108494724B (en) | Cloud storage encryption system based on multi-authority attribute encryption algorithm | |
US9436849B2 (en) | Systems and methods for trading of text based data representation | |
Thota et al. | Split key management framework for Open Stack Swift object storage cloud |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||
GR01 | Patent grant |