CN103973698B - User access right revoking method in cloud storage environment - Google Patents

User access right revoking method in cloud storage environment

Info

Publication number: CN103973698B
Application number: CN201410213922.0A
Other versions: CN103973698A
Authority: CN (China)
Legal status: Active
Original language: Chinese (zh)
Inventors: 李春花, 周可, 吴泽邦, 魏荣磊, 边泽明, 杨勇, 张彦哲
Original and current assignee: Huazhong University of Science and Technology
Prior art keywords: data, user, token, request, client

Landscapes

  • Storage Device Security (AREA)
Abstract

The invention discloses a user access right revoking method in a cloud storage environment. The method addresses two problems of existing cloud environments: the security hazards that arise while a user's right is being revoked, and the performance cost of re-encrypting data. The method involves a client process, a cloud storage system process and a security management center process. The cloud storage system manages and updates token chains, notifies the security management center to distribute keys and tokens, inserts interference blocks into ciphertext, and judges and answers user access requests; the security management center handles user registration and login, right granting and revoking, key management and distribution, and user token distribution. Interference processing of the ciphertext is achieved through a token mechanism, and an immediate revoking mechanism is adopted: when a user right is revoked, the token is updated immediately and the ciphertext is re-processed with interference blocks, which avoids the security hazards of non-immediate revoking mechanisms. The data never needs to be re-encrypted, so the performance overhead of the system is greatly reduced.

Description

A user access right revocation method in a cloud storage environment
Technical field
The invention belongs to the fields of computer storage technology and information security technology, and more particularly relates to a user access right revocation method in a cloud storage environment.
Background art
While a cloud storage system provides users with data storage and business services, the security of the data held in the cloud has always been a major concern of users and enterprise administrators. To protect the privacy of user data, current cloud storage security frameworks usually store data in encrypted form: the cloud service provider uses an access control policy to decide whether a user holds legitimate access rights to a given piece of data, and a trusted third party is responsible for key management and distribution. Although this strengthens the security of cloud data to some extent, storing ciphertext also introduces a new problem. When a user's access rights to a piece of data must be changed, the key that the revoked user holds for that data has to be invalidated; the usual scheme is to re-encrypt the data and then update and redistribute the key. Because the user base in a cloud environment is huge and user rights may change frequently, re-encrypting data and redistributing keys brings a great performance cost. If re-encryption is instead deferred until a user next uploads the data, the moment of re-encryption is uncertain because the time at which the user performs the upload is uncertain; during that interval a user whose rights have been revoked can still access the data, and a revoked user may even maliciously write dirty data to the system. In addition, that scheme cannot solve the re-encryption problem for read-only data.
Content of the invention
In view of the above defects or improvement needs of the prior art, the invention provides a user access right revocation method in a cloud storage environment. Its purpose is to have the cloud apply interference processing to the ciphertext so that user rights can be revoked immediately, thereby solving the technical problems that existing user right revocation causes security hazards and that re-encrypting data causes a large performance cost.
To achieve the above object, according to one aspect of the invention, a user access right revocation method in a cloud storage environment is provided, comprising the following steps:
(1) The client receives a data operation request from the user and determines its type: a write data request, a read data request or a right operation request. For a write data request it proceeds to step (2); for a read data request it proceeds to step (6); for a right operation request it proceeds to step (11);
(2) The client randomly generates a symmetric key for encrypting the data corresponding to the write data request, and submits an encryption key request to the security management center;
(3) The security management center determines the legitimacy of the user according to the encryption key request, and checks whether the legitimate user is in the right revocation list corresponding to the data of the write data request; if not, it obtains the encryption key corresponding to that data and returns it to the client;
(4) Using the symmetric key generated in step (2), the client encrypts the data of the write data request with a symmetric encryption algorithm to obtain the ciphertext data; it encrypts the generated symmetric key with the received encryption key using a public/private key algorithm to obtain the ciphertext key, packages the ciphertext data and the ciphertext key into a ciphertext packet, and sends a write data request to the cloud storage end;
(5) The cloud storage end receives the write data request from the client, determines the legitimacy of the user from the request, and, when the legitimate user has write access rights to the data of the write data request, randomly generates a token, takes this token as the last-of-chain token of the token chain corresponding to that data, randomly generates interference blocks, inserts them into the ciphertext data according to the rule laid down in the token, and stores the resulting data;
(6) The client sends a read data request to the cloud storage end;
(7) The cloud storage end determines the legitimacy of the user according to the user identity certificate in the client's read data request and, when the legitimate user has read access rights to the data, returns the data to the client, looks up the last-of-chain token in the token chain corresponding to the data, and sends a key request to the security management center;
(8) The security management center judges from the key request whether the user is in the right revocation list corresponding to the data of the read data request; if not, it looks up the decryption key corresponding to the requested data, returns the decryption key and the token to the client and proceeds to step (9); if so, it returns a service-refused message to the client and the process ends;
(9) The client waits for and receives the information returned by the cloud storage end and the security management center; if the cloud storage end returns the requested data and the security management center returns a decryption key and a token, it goes to step (10), otherwise the process ends;
(10) The client uses the returned token to process the returned data, removing the interference blocks to obtain the ciphertext data; it decrypts the ciphertext key in the returned data with the returned decryption key to obtain the symmetric key, and decrypts the ciphertext data with the symmetric key to obtain the original data requested by the user;
(11) The client sends a user right revocation request to the security management center;
(12) The security management center verifies the user identity certificate in the client's user right revocation request to judge whether the user is legitimate; if so, it goes to step (13), otherwise it returns a user identity certificate error message to the client and the process ends;
(13) The security management center judges whether the user whose right is being revoked is in the right revocation list corresponding to the data id in the user right revocation request. If the user is not in the revocation list, it inserts the id of that user into the revocation list, sends a user right revocation request to the cloud storage end, returns a revocation-successful message to the client and proceeds to step (14); if the user is already in the revocation list, it returns a message to the client that the user is already in the revocation list;
(14) The cloud storage end looks up the token chain corresponding to the data id in the user right revocation request and obtains its last-of-chain token; using that token it removes the interference blocks from the data corresponding to the data id, obtaining ciphertext data free of interference; it randomly generates a new token according to the token generation rule, appends it to the token chain as the new last-of-chain token, randomly generates interference blocks and inserts them into the ciphertext data according to the rule laid down in the new token, stores the resulting new interfered data, and returns a revocation-successful message to the client.
Preferably, the encryption key request includes the user identity certificate and the id of the data corresponding to the write data request; the write data request includes the user identity certificate, the packaged ciphertext data and ciphertext key, and the metadata of the data corresponding to the write data request; the read data request includes the user identity certificate and the id of the data corresponding to the read data request; and the user right revocation request includes the user identity certificate, the id of the data corresponding to the revocation request and the id of the user whose right is being revoked.
Preferably, step (3) includes the following sub-steps:
(3-1) The security management center judges from the user identity certificate in the encryption key request whether the user is legitimate; if so, it proceeds to step (3-2), otherwise it returns a request-failed message to the user and the process ends;
(3-2) The security management center judges whether the user is in the right revocation list corresponding to the data of the write data request; if so, it returns a request-failed message to the user, otherwise it proceeds to step (3-3); if the revocation list does not exist, the user is treated as not being in it;
(3-3) The security management center looks up whether the encryption key corresponding to the data exists in its local key store; if found, it proceeds to step (3-4), otherwise to step (3-5);
(3-4) The security management center returns the encryption key found to the client, and then proceeds to step (4);
(3-5) The security management center randomly generates and stores an encryption key for the data using a public/private key encryption mechanism, returns the generated encryption key to the client, and then proceeds to step (4).
Preferably, the method further comprises: after receiving the encryption key from the security management center, the client sends a received-correctly acknowledgement to the security management center.
Preferably, step (5) includes the following sub-steps:
(5-1) The cloud storage end receives the write data request from the client and verifies the user identity certificate to judge whether the user is legitimate; if not, it returns a user identity certificate error message and the process ends; if so, it goes to step (5-2);
(5-2) The cloud storage end judges whether the user has write access rights to the data of the write data request; if not, it returns a no-write-access message to the user and the process ends; if so, it goes to step (5-3);
(5-3) The cloud storage end randomly generates a token, takes it as the last-of-chain token of the token chain corresponding to the data in the write data request, randomly generates interference blocks and inserts them into the ciphertext data according to the rule laid down in the token, stores the resulting data, and returns a write-successful message to the client.
Preferably, step (7) includes the following sub-steps:
(7-1) The cloud storage end judges from the user identity certificate in the client's read data request whether the user is legitimate; if so, it goes to step (7-2), otherwise it returns a user identity certificate error message to the client and the process ends;
(7-2) The cloud storage end judges whether the data of the read data request exists; if so, it goes to step (7-3), otherwise it returns a data-not-found message to the client and the process ends;
(7-3) The cloud storage end judges whether the user has read access rights to the data; if so, it returns the data to the client, looks up the last-of-chain token in the token chain corresponding to the data, and sends a key request containing the data id, the last-of-chain token and the user identity certificate to the security management center; otherwise it returns a no-read-access message to the client.
In general, compared with the prior art, the technical scheme of the invention yields the following beneficial effects:
(1) User rights can be revoked immediately, avoiding the security hazards that may arise from user right revocation. In a non-immediate revocation mechanism the revoked user still satisfies the access control conditions and can therefore still access the data, and may even maliciously write dirty data; secondly, the uncertainty of the moment of revocation can create security holes in the system; in addition, a non-immediate revocation mechanism cannot solve the re-encryption problem for read-only data;
(2) A traditional user right revocation mechanism inevitably has to perform a re-encryption operation so that the revoked user's old key becomes invalid and cannot be used to decrypt the ciphertext and obtain the latest data. The interference block processing method proposed by the invention only requires the cloud storage end to strip the interference blocks from the ciphertext data according to the rule in the randomly generated token and to reinsert new ones; the revoked user cannot obtain the latest token, so even with the old key the user cannot decrypt and obtain the original data. Because of the performance bottleneck of encryption algorithms such as AES, re-encryption often brings a great performance cost, whereas the invention re-applies interference processing to the ciphertext data, avoiding the re-encryption problem at user right revocation and greatly reducing the performance overhead of the system;
(3) The invention fully supports write data requests; the only difference between the write data request of the invention and the write data flow commonly used today is one extra step when the cloud storage end stores the data, in which the uploaded data is processed by inserting interference blocks according to the token. The invention supports the user's other data access requests, such as deletion, moving and renaming, in the same way;
(4) The invention is widely applicable and not limited to cloud environments: because neither the token generation rule nor the interference processing of ciphertext data has any necessary connection to a cloud storage system, the invention applies to any system that has user right revocation.
Brief description of the drawings
Fig. 1 is a schematic flow chart of the invention.
Fig. 2 is a schematic diagram of the client process.
Fig. 3 is a schematic diagram of the cloud storage end process.
Fig. 4 is a schematic diagram of the token structure.
Fig. 5 is a schematic diagram of the token chain structure.
Fig. 6 is a schematic diagram of the interference block structure.
Fig. 7 is a schematic diagram of interference processing applied to ciphertext data.
Fig. 8 is a schematic diagram of the security management center process.
Fig. 9 is the sequence diagram of user login and read data access.
Fig. 10 is the sequence diagram of user login and write data access.
Fig. 11 is the sequence diagram of user login and user right revocation.
Specific embodiments
To make the objects, technical solutions and advantages of the invention clearer, the invention is further explained below with reference to the drawings and embodiments. It should be understood that the specific embodiments described here only serve to explain the invention and do not limit it. In addition, the technical features of the embodiments described below may be combined with one another as long as they do not conflict.
The technical terms used in the invention are first explained:
Original file: an unencrypted file;
Identity certificate: a data structure that marks a user's identity characteristics, used in user identity verification and in access control to decide whether the user has access rights;
Symmetric cryptography: encryption and decryption use the same key, and decryption is the inverse operation of encryption;
Symmetric key: randomly generated binary data used to encrypt or decrypt the original file;
Encrypted file: the file obtained by encrypting the original file with the symmetric key under a symmetric key cipher;
Integrity check key: randomly generated binary data used with the encrypted file to compute its signature file;
Signature file: the binary data obtained by processing the encrypted file with a hash function under the integrity check key;
Right revocation list: records the identity information of users whose rights have been revoked;
Interference block: a block of binary data of configurable length;
Token: a data structure recording the essential information of all interference blocks inserted into an encrypted file, used to insert interference blocks into the encrypted file or remove them from it;
Token chain: a chain structure made up of tokens, in which a later token in the chain can derive the earlier tokens, but an earlier token cannot derive the later ones;
The invention is further described below with reference to the embodiments and the drawings.
As shown in Fig. 1, the invention comprises a client process, a cloud storage system process and a security management center process, which run respectively on the client host, the authentication end host and the cloud storage system host of a distributed file system. The three modules cooperate. The client implements the various access operation requests, including logging in, read data access requests, write data uploads and user right revocation. When the client reads data, it first removes the interference blocks from the data returned by the cloud storage system using the token received from the security management center, recovering the ciphertext, and then decrypts it with the key to obtain the original data; for write access it encrypts the data and uploads the ciphertext. The cloud storage system manages and updates token chains, notifies the security management center to distribute keys and tokens, inserts interference blocks into ciphertext, and judges and answers user access requests. The security management center implements user registration and login, right granting and revocation, key management and distribution, and user token distribution.
The invention applies interference processing, through a token chain mechanism, to the ciphertext data uploaded by the user. Even if a user holds the decryption key, without the corresponding token the user cannot recover the ciphertext data and therefore cannot decrypt it to obtain the original data; the re-encryption operation that would otherwise be necessary at user right revocation is thus avoided.
A token is a data structure containing the rule for generating interference blocks and inserting them into ciphertext. The cloud uses the token to apply interference processing to the ciphertext, and the user uses the token to remove the interference blocks from the interfered data and thereby recover the ciphertext data. A token chain is a chain structure made up of tokens, in which a later token can derive the earlier ones but an earlier token cannot derive the later ones; the last-of-chain token is the key token with which the cloud applies interference processing to the ciphertext data, and it is also the token with which the user removes the interference blocks. When a user right is revoked, it suffices to generate a new last-of-chain token in the token chain and to re-apply interference processing to the ciphertext data with the newly generated token; this achieves immediate revocation of the user right.
As shown in Fig. 1, the user access right revocation method in a cloud storage environment of the invention comprises the following steps:
(1) The client receives a data operation request from the user and determines its type: a write data request, a read data request or a right operation request. For a write data request it proceeds to step (2); for a read data request it proceeds to step (13); for a right operation request it proceeds to step (20);
(2) The client randomly generates a symmetric key for encrypting the data corresponding to the write data request and submits an encryption key request to the security management center; the request includes the user identity certificate and the id of the data corresponding to the write data request. Specifically, this step generates the key for a symmetric encryption algorithm (for example the Advanced Encryption Standard, AES);
(3) The security management center judges from the user identity certificate in the encryption key request whether the user is legitimate; if so, it proceeds to step (4), otherwise it returns a request-failed message to the user and the process ends;
(4) The security management center judges whether the user is in the right revocation list corresponding to the data of the write data request; if so, it returns a request-failed message to the user, otherwise it proceeds to step (5); if the revocation list does not exist, the user is treated as not being in it;
(5) The security management center looks up whether the encryption key corresponding to the data exists in its local key store; if found, it proceeds to step (6), otherwise to step (7);
(6) The security management center returns the encryption key found to the client, and then proceeds to step (8);
(7) The security management center randomly generates and stores an encryption key for the data using a public/private key encryption mechanism, returns the generated encryption key to the client, and then proceeds to step (8); specifically, the randomly generated encryption key uses an asymmetric encryption mechanism such as the RSA algorithm;
(8) After receiving the encryption key from the security management center, the client sends a received-correctly acknowledgement to the security management center and goes to step (9);
(9) Using the symmetric key generated in step (2), the client encrypts the data of the write data request with the symmetric encryption algorithm to obtain the ciphertext data; it then encrypts the symmetric key generated in step (2) with the encryption key received in step (8) using the public/private key algorithm to obtain the ciphertext key, packages the ciphertext data and the ciphertext key into a ciphertext packet, and sends a write data request to the cloud storage end. Specifically, the write data request includes the user identity certificate, the packaged ciphertext data and ciphertext key, the metadata of the data corresponding to the write data request, and so on;
(10) The cloud storage end receives the write data request from the client and verifies the user identity certificate to judge whether the user is legitimate; if not, it returns a user identity certificate error message and the process ends; if so, it goes to step (11);
(11) The cloud storage end judges whether the user has write access rights to the data of the write data request; if not, it returns a no-write-access message to the user and the process ends; if so, it goes to step (12);
Specifically, the judgement of user rights depends on the access control policy adopted by the cloud storage end. For example, an identity-based access control policy grants user rights through an access control list: if the user is in the access control list, the user has the access right in question, otherwise not;
(12) The cloud storage end randomly generates a token, takes it as the last-of-chain token of the token chain corresponding to the data in the write data request, randomly generates interference blocks and inserts them, according to the rule laid down in the token, into the ciphertext data obtained in step (9), stores the resulting data, and returns a write-successful message to the client. Specifically, if the token chain does not exist, a new empty token chain is created and the randomly generated token becomes its first token;
The process by which the cloud storage end judges and stores the data uploaded by the user is further described with an example:
Suppose the data corresponding to the user's write data request is data and that the user has legitimate access rights. The cloud storage end first judges whether data already exists, that is, whether the user is writing to existing data or uploading new data. For existing data the token chain already exists and the last-of-chain token token is obtained directly; for newly uploaded data a new token token is generated at random and becomes the first token of the token chain corresponding to this data;
According to the rule laid down in the token, interference blocks as in Fig. 6 are generated and inserted into the data uploaded by the user, giving the data data' with interference blocks inserted, as shown in Fig. 7, which is then stored;
(13) The client sends a read data request to the cloud storage end; the read data request includes the user identity certificate and the id of the data corresponding to the read data request;
(14) The cloud storage end judges from the user identity certificate in the client's read data request whether the user is legitimate; if so, it goes to step (16), otherwise it returns a user identity certificate error message to the client and the process ends;
(15) The cloud storage end judges whether the data of the read data request exists; if so, it goes to step (16), otherwise it returns a data-not-found message to the client and the process ends;
(16) The cloud storage end judges whether the user has read access rights to the data; if so, it returns the data to the client, looks up the last-of-chain token in the token chain corresponding to the data, and sends a key request containing the data id, the last-of-chain token and the user identity certificate to the security management center; otherwise it returns a no-read-access message to the client;
Specifically, the judgement of user rights depends on the access control policy adopted by the cloud storage end. For example, an identity-based access control policy grants user rights through an access control list: if the user is in the access control list, the user has read access rights, otherwise not. The data returned to the client comprises the data requested by the user and the ciphertext key corresponding to it.
(17) The security management center judges from the key request whether the user is in the right revocation list corresponding to the data of the read data request (if the revocation list does not exist, the user is likewise treated as not being in it). If not, it looks up the decryption key corresponding to the requested data, returns the decryption key and the token to the client and proceeds to step (18); if so, it returns a service-refused message to the client and the process ends;
(18) The client waits for and receives the information returned by the cloud storage end and the security management center; if the cloud storage end returns the requested data and the security management center returns a decryption key and a token, it goes to step (19); otherwise the user has no right to read the requested data and the process ends;
(19) The client first uses the token returned in step (17) to process the data returned in step (16), removing the interference blocks to obtain the ciphertext data; it decrypts the ciphertext key in the data returned in step (16) with the decryption key returned in step (17) to obtain the symmetric key, and decrypts the ciphertext data with the symmetric key to obtain the original data requested by the user;
The processing after the cloud storage end and the security management center have returned their information is further explained with reference to an embodiment:
The user receives the ciphertext data data, the ciphertext key enc(kaes) and its metadata metadata returned by the cloud, together with the decryption key ks and the token token returned by the security management center;
The user first removes the interference blocks from data according to the insertion rule laid down in token, obtaining the data data' free of interference blocks, as in Fig. 7; removing interference blocks is the inverse of inserting them. The user decrypts enc(kaes) with ks to obtain the symmetric key kaes; these two steps can be carried out in parallel. The user then decrypts data' with kaes to obtain the requested original data.
(20) The client sends a user right revocation request to the security management center; this request includes the user identity certificate, the id of the data the request concerns, and the user id whose right is being revoked;
(21) The security management center verifies the user identity certificate in the client's revocation request to judge whether the user is legitimate; if legitimate, go to step (22), otherwise return a user identity certificate error message to the client, and the process ends;
(22) The security management center judges whether the user being revoked is already in the revocation list corresponding to the data id in this request. If the user is not in the revocation list, it inserts that user id into the revocation list, sends a user right revocation request to the cloud storage end (this request includes the data id and the user id being revoked), returns a revocation-successful message to the client, and then proceeds to step (23). If the user is already in the revocation list, it returns to the client a message that the user is already in the revocation list. If no revocation list exists, a new one is created; the specific method of creating it can be chosen according to the access control policy the system adopts (in identity-based access control it is realized with an access control list, ACL), after which the subsequent operations are executed as for a user not in the revocation list;
(23) The cloud storage end looks up the token chain corresponding to the data id in the user right revocation request and obtains the last-of-chain token;
(24) The cloud storage end uses the last-of-chain token obtained in (23) to reject the interference blocks in the data corresponding to the data id, obtaining the ciphertext data free of interference processing; using the token generation rule it generates a new token at random and adds it to the token chain as the new last-of-chain token; it randomly generates interference blocks and, according to the rule formulated in the new token, inserts them into the ciphertext data, obtaining and preserving the new interfered data; and it returns a user right revocation-successful message to the client.
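As an added illustration (not code from the patent) of the token-governed interference processing in step (19) and the revocation by token update in step (24), the following Python model inserts and removes interference blocks under a token and shows that revocation leaves the symmetric ciphertext untouched. The block size, the gap bound, the form of the insertion rule (a token-seeded sequence of gap lengths) and the sample ciphertext are assumptions; the one-way derivation property of the token chain is not modelled.

```python
import os
import random

BLOCK_LEN = 8   # assumed interference-block size; the patent fixes none
MAX_GAP = 32    # assumed upper bound on ciphertext bytes between two blocks


def new_token() -> bytes:
    """Random token; the patent builds the chain pseudo-randomly and only
    ever applies the last-of-chain (tail) token to the stored data."""
    return os.urandom(16)


def _gap_rng(token: bytes) -> random.Random:
    # The insertion rule "formulated in the token" (assumed form): a
    # token-seeded sequence of gap lengths that insert and remove replay.
    return random.Random(int.from_bytes(token, "big"))


def insert_interference(token: bytes, ciphertext: bytes) -> bytes:
    """Steps (5)/(24): interleave random interference blocks into the
    ciphertext at the positions the token dictates."""
    rng, out, i = _gap_rng(token), bytearray(), 0
    while i < len(ciphertext):
        gap = rng.randint(1, MAX_GAP)
        out += ciphertext[i:i + gap]
        i += gap
        if i < len(ciphertext):          # never end with a block
            out += os.urandom(BLOCK_LEN)
    return bytes(out)


def remove_interference(token: bytes, disturbed: bytes) -> bytes:
    """Step (19): the inverse walk. With a wrong (e.g. revoked) token the
    gaps are wrong and the result is garbage, not the ciphertext."""
    rng, out, i = _gap_rng(token), bytearray(), 0
    while i < len(disturbed):
        gap = rng.randint(1, MAX_GAP)
        out += disturbed[i:i + gap]
        i += gap
        if i < len(disturbed):
            i += BLOCK_LEN               # skip one interference block
    return bytes(out)


class StoredData:
    """One object at the cloud storage end: its token chain plus the
    interference-processed ciphertext. The AES layer is never touched."""

    def __init__(self, ciphertext: bytes):
        self.token_chain = [new_token()]
        self.data = insert_interference(self.token_chain[-1], ciphertext)

    def tail_token(self) -> bytes:
        return self.token_chain[-1]

    def revoke(self) -> bytes:
        """Step (24): strip with the old tail token, append a fresh random
        token, re-disturb. No re-encryption, so the ciphertext key and the
        symmetric ciphertext stay exactly as they were."""
        clean = remove_interference(self.tail_token(), self.data)
        self.token_chain.append(new_token())
        self.data = insert_interference(self.tail_token(), clean)
        return self.tail_token()


# Constructed stand-in for an AES ciphertext; any opaque bytes will do.
SAMPLE_CIPHERTEXT = bytes((i * 37 + 11) % 256 for i in range(256))
```

A holder of the pre-revocation token can still hold the old ciphertext key, but stripping the newly stored data with that token no longer yields the ciphertext, which is the immediate-revocation effect the method relies on.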
Specifically, Fig. 2 describes the client process in detail, Fig. 3 is the cloud storage end process diagram, and Fig. 8 is the security management center process diagram; the three processes cooperate to complete the user's operation requests, and the overall operation flow is shown in Fig. 1. Steps (13) to (19) above correspond to a read data request, whose sequence diagram is shown in Fig. 9; steps (2) to (12) correspond to a write data request, whose sequence diagram is shown in Fig. 10; steps (20) to (24) correspond to a right revocation request, whose sequence diagram is shown in Fig. 11.
In addition, Figs. 4 to 7 show the data structures of the token and the token chain and the principle by which tokens and interference blocks are used. For steps (12) and (24) above, the present invention constructs the token chain with a pseudo-random algorithm, so the generated tokens are unpredictable; the way steps (12), (19) and (24) process data with a token mainly relies on the data structure the token defines, and Figs. 6 and 7 show the process of processing data according to a token.
As will be readily appreciated by those skilled in the art, the foregoing is only a preferred embodiment of the present invention and is not intended to limit it; any modification, equivalent substitution and improvement made within the spirit and principles of the present invention should be included within its scope of protection.

Claims (6)

1. A user access right revocation method in a cloud storage environment, characterised in that it comprises the following steps:
(1) the client receives a data operation request from the user and judges its type: a write data request, a read data request, or a right operation request; for a write data request proceed to step (2), for a read data request proceed to step (6), and for a right operation request proceed to step (11);
(2) the client randomly generates the symmetric key used to encrypt the data corresponding to the write data request, and submits an encryption key request to the security management center;
(3) the security management center determines the legitimacy of the user according to the encryption key request, and judges whether the legitimate user is in the revocation list corresponding to the data of the write data request; if not, it obtains the encryption key corresponding to this data and returns it to the client;
(4) the client uses the symmetric key generated in step (2) to encrypt the data corresponding to the write data request with a symmetric encryption algorithm, obtaining the ciphertext data; encrypts the generated symmetric key with the received encryption key using a public-key algorithm, obtaining the ciphertext key; packages the ciphertext data and the ciphertext key into a ciphertext packet; and sends the write data request to the cloud storage end;
(5) the cloud storage end receives the write data request from the client, determines the user's legitimacy according to it and, when the legitimate user has write access to the data corresponding to the write data request, randomly generates a token, takes it as the last-of-chain token of the token chain corresponding to the data in the write data request, randomly generates interference blocks, inserts them into the ciphertext data according to the rule formulated in the token, and preserves the resulting data; the token chain is a chain structure composed of tokens in which a later token can derive the earlier tokens, but an earlier token cannot derive the later ones;
(6) the client sends a read data request to the cloud storage end;
(7) the cloud storage end determines the user's legitimacy according to the user identity certificate in the client's read data request and, when the legitimate user has read access to this data, returns the data to the client, looks up the last-of-chain token in the token chain corresponding to this data, and sends a key request to the security management center;
(8) the security management center judges according to the key request whether the user is in the revocation list corresponding to the data of the read data request; if not, it looks up the decryption key corresponding to the requested data, returns the decryption key and the token to the client, and enters step (9); if so, it returns a service refusal message to the client and the process ends;
(9) the client waits for and receives the information returned by the cloud storage end and the security management center; if the cloud storage end returns the requested data and the security management center returns the decryption key and token, go to step (10), otherwise the process ends;
(10) the client processes the returned data with the returned token, rejecting the interference blocks to obtain the ciphertext data, decrypts the ciphertext key in the returned data with the returned decryption key to obtain the symmetric key, and decrypts the ciphertext data with the symmetric key to obtain the original data the user requested;
(11) the client sends a user right revocation request to the security management center;
(12) the security management center verifies the user identity certificate in the client's revocation request to judge whether the user is legitimate; if legitimate, go to step (13), otherwise return a user identity certificate error message to the client and the process ends;
(13) the security management center judges whether the user being revoked is in the revocation list corresponding to the data id of this revocation request; if not, it inserts the user id into the revocation list, sends a user right revocation request to the cloud storage end, returns a revocation-successful message to the client, and proceeds to step (14); if the user is already in the revocation list, it returns to the client a prompt that the user is already in the revocation list;
(14) the cloud storage end looks up the token chain corresponding to the data id in the revocation request and obtains the last-of-chain token, uses it to reject the interference blocks in the data corresponding to the data id, obtaining ciphertext data free of interference processing, randomly generates a new token according to the token generation rule and adds it to the token chain as the new last-of-chain token, randomly generates interference blocks and inserts them into the ciphertext data according to the rule formulated in the new token, obtains and preserves the new interfered data, and returns a user right revocation-successful message to the client.
2. The user access right revocation method according to claim 1, characterised in that:
the encryption key request includes the user identity certificate and the data id corresponding to the write data request;
the write data request includes the user identity certificate, the packaged ciphertext data and ciphertext key, and the metadata of the data corresponding to the write data request;
the read data request includes the user identity certificate and the data id corresponding to the read data request;
the user right revocation request includes the user identity certificate, the data id corresponding to the revocation request, and the user id being revoked.
3. The user access right revocation method according to claim 1, characterised in that step (3) includes the following sub-steps:
(3-1) the security management center judges whether the user is legitimate according to the user identity certificate in the encryption key request; if legitimate, proceed to step (3-2), otherwise return a request failure message to the user and the process ends;
(3-2) the security management center judges whether this user is in the revocation list corresponding to the data of the write data request; if so, it returns a request failure message to the user, otherwise it proceeds to step (3-3); if no revocation list exists, the user is treated as not being in one;
(3-3) the security management center looks up whether the encryption key corresponding to this data exists in its local key store; if found, proceed to step (3-4), otherwise proceed to step (3-5);
(3-4) the security management center returns the found encryption key to the client, then enters step (4);
(3-5) the security management center randomly generates and stores an encryption key for this data using the public/private key encryption mechanism, returns the generated encryption key to the client, then enters step (4).
4. The user access right revocation method according to claim 1, characterised in that it further comprises the following step: after the client receives the encryption key from the security management center, it sends a correctly-received acknowledgement to the security management center.
5. The user access right revocation method according to claim 1, characterised in that step (5) includes the following sub-steps:
(5-1) the cloud storage end receives the write data request from the client and verifies the user identity certificate to judge whether the user is legitimate; if not, it returns a user identity certificate error message and the process ends; if legitimate, go to step (5-2);
(5-2) the cloud storage end judges whether the user has write access to the data corresponding to the write data request; if not, it returns a no-write-access message and the process ends; if so, go to step (5-3);
(5-3) the cloud storage end randomly generates a token and takes it as the last-of-chain token of the token chain corresponding to the data in the write data request, randomly generates interference blocks and inserts them into the ciphertext data according to the rule formulated in the token, preserves the resulting data, and returns a write-success message to the client.
6. The user access right revocation method according to claim 1, characterised in that step (7) includes the following sub-steps:
(7-1) the cloud storage end judges whether the user is legitimate according to the user identity certificate in the client's read data request; if legitimate, go to step (7-2), otherwise return a user identity certificate error message to the client and the process ends;
(7-2) the cloud storage end judges whether the data corresponding to the read data request exists; if it exists, go to step (7-3), otherwise return a requested-data-does-not-exist message to the client and the process ends;
(7-3) the cloud storage end judges whether the user has read access to this data; if so, it returns the data to the client, looks up the last-of-chain token in the token chain corresponding to this data, and sends a key request to the security management center, the request including the data id, the last-of-chain token and the user identity certificate; otherwise it returns a no-read-access message to the client.
CN201410213922.0A 2014-05-19 2014-05-19 User access right revoking method in cloud storage environment Active CN103973698B (en)
Publications (2)

Publication Number Publication Date
CN103973698A CN103973698A (en) 2014-08-06
CN103973698B true CN103973698B (en) 2017-01-25