CN103973698B - User access right revoking method in cloud storage environment - Google Patents
- Publication number: CN103973698B (application CN201410213922.0A)
- Authority: CN (China)
- Prior art keywords: data, user, token, request, client
- Legal status: Active (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
- Landscapes: Storage Device Security
Abstract
The invention discloses a user access right revoking method in a cloud storage environment. The method addresses two problems of existing cloud environments: the security hazards that arise when a user's rights are revoked, and the performance cost of re-encrypting data. The method involves a client process, a cloud storage system process and a security management center process. The cloud storage system manages and updates token chains, notifies the security management center to distribute keys and tokens, inserts interference blocks into the ciphertext, and judges and replies to user access requests; the security management center handles user registration and login, granting and revoking rights, key management and distribution, and user token distribution. The method applies interference processing to the ciphertext through a token mechanism and adopts an immediate revocation mechanism: when a user's right is revoked, the token is updated immediately and the ciphertext is re-interfered, avoiding the security hazards of non-immediate revocation. Because the data does not need to be re-encrypted, the performance expense of the system is greatly reduced.
Description
Technical field
The invention belongs to the field of computer storage and information security technology, and more particularly to a user access right revoking method in a cloud storage environment.
Background technology
While a cloud storage system provides users with data storage and business services, the security of the data held in the cloud has always been a major concern for users and, in particular, for company managers. To protect the privacy of user data, current cloud storage security architectures usually store data in encrypted form: the cloud service provider uses a corresponding access control policy to decide whether a user has legitimate access rights to the data, and a trusted third party is responsible for managing and distributing keys. Although this strengthens the security of cloud data to some degree, storing ciphertext also creates new problems. When a user's access rights to some data must be changed, the key that the revoked user holds for that data has to be invalidated; the usual scheme is to re-encrypt the data and then update and redistribute the key. Because the user base in a cloud environment is huge and user rights may change frequently, re-encrypting data and redistributing keys brings a great performance cost. If re-encryption is instead deferred until a user uploads the data, the time at which the user performs the upload is uncertain, so the time of re-encryption is also uncertain; in the meantime the revoked user can still access the data, and a malicious revoked user may write dirty data. In addition, this scheme cannot solve the problem of re-encrypting read-only data.
Content of the invention
In view of the above defects of the prior art and the need for improvement, the invention provides a user access right revoking method in a cloud storage environment. Its purpose is to achieve immediate revocation of user rights by having the cloud apply interference processing to the ciphertext, thereby solving the technical problems of the existing approach: the security hazards caused when user rights are revoked, and the large performance cost of re-encrypting the data.
To achieve the above object, according to one aspect of the invention, a user access right revoking method in a cloud storage environment is provided, comprising the following steps:
(1) The client receives a data operation request from the user and determines its type: a write data request, a read data request, or a right operation request. For a write data request proceed to step (2); for a read data request proceed to step (6); for a right operation request proceed to step (11);
(2) The client randomly generates a symmetric key for encrypting the data of the write data request, and submits an encryption key request to the security management center;
(3) The security management center determines the legitimacy of the user according to the encryption key request, and checks whether the legitimate user is in the right revocation list corresponding to the data of the write data request; if not, it obtains the encryption key corresponding to this data and returns it to the client;
(4) The client uses the symmetric key generated in step (2) to encrypt the data of the write data request with a symmetric encryption algorithm, obtaining ciphertext data; encrypts the generated symmetric key with the received encryption key using a public/private key algorithm, obtaining a ciphertext key; packs the ciphertext data and the ciphertext key into a ciphertext packet; and sends the write data request to the cloud storage end;
(5) The cloud storage end receives the write data request from the client and determines the legitimacy of the user from the request; when the legitimate user has write access rights to the data of the write data request, it randomly generates a token, makes it the chain-tail token of the token chain corresponding to that data, randomly generates interference blocks, inserts them into the ciphertext data according to the rule formulated in the token, and saves the resulting data;
(6) The client sends a read data request to the cloud storage end;
(7) According to the user identity certificate in the client's read data request, the cloud storage end determines the legitimacy of the user; when the legitimate user has read access rights to the data, it returns the data to the client, looks up the chain-tail token in the token chain corresponding to the data, and sends a key request to the security management center;
(8) According to the key request, the security management center checks whether the user is in the right revocation list corresponding to the data of the read data request. If not, it looks up the decryption key corresponding to the requested data, returns the decryption key and the token to the client, and proceeds to step (9); if so, it returns a service-refused message to the client and the process ends;
(9) The client waits for and receives the information returned by the cloud storage end and the security management center. If the cloud storage end returned the requested data and the security management center returned the decryption key and the token, go to step (10); otherwise the process ends;
(10) The client processes the returned data with the returned token, removing the interference blocks to obtain the ciphertext data; decrypts the ciphertext key in the returned data with the returned decryption key to obtain the symmetric key; and decrypts the ciphertext data with the symmetric key to obtain the original data requested by the user;
(11) The client sends a user right revocation request to the security management center;
(12) The security management center verifies the user identity certificate in the client's user right revocation request to decide whether the user is legitimate; if so, go to step (13), otherwise return a user identity certificate error message to the client and the process ends;
(13) The security management center checks whether the user whose right is being revoked is in the right revocation list corresponding to the data id in the revocation request. If the user is not in the list, it inserts the user id into the revocation list, sends a user right revocation request to the cloud storage end, returns a revocation-success message to the client, and proceeds to step (14); if the user is already in the list, it returns to the client a message that the user is already in the revocation list;
(14) The cloud storage end looks up the token chain corresponding to the data id in the user right revocation request and obtains its chain-tail token; using that chain-tail token it removes the interference blocks from the data corresponding to the data id, obtaining the un-interfered ciphertext data; it randomly generates a new token according to the token generation rule and appends it to the token chain as the new chain-tail token; it randomly generates interference blocks and inserts them into the ciphertext data according to the rule formulated in the new token; it obtains and saves the new interfered data; and it returns a revocation-success message to the client.
Preferably, the encryption key request includes the user identity certificate and the id number of the data of the write data request; the write data request includes the user identity certificate, the packed ciphertext data, the ciphertext key and the metadata of the data of the write data request; the read data request includes the user identity certificate and the id of the data of the read data request; and the user right revocation request includes the user identity certificate, the id of the data of the revocation request and the user id of the user whose right is being revoked.
Preferably, step (3) comprises the following sub-steps:
(3-1) According to the user identity certificate in the encryption key request, the security management center checks whether the user is legitimate; if so, proceed to step (3-2), otherwise return a request failure message to the user and the process ends;
(3-2) The security management center checks whether the user is in the right revocation list corresponding to the data of the write data request; if so, it returns a request failure message to the user, otherwise proceed to step (3-3); if the revocation list does not exist, this means the user is not in the revocation list;
(3-3) The security management center searches its local key store for the encryption key corresponding to this data; if found, proceed to step (3-4), otherwise proceed to step (3-5);
(3-4) The security management center returns the found encryption key to the client, then proceeds to step (4);
(3-5) The security management center randomly generates and saves an encryption key for this data using a public/private key encryption mechanism, returns the generated encryption key to the client, and then proceeds to step (4).
Preferably, the method further comprises: after receiving the encryption key from the security management center, the client sends a correctly-received response to the security management center.
Preferably, step (5) comprises the following sub-steps:
(5-1) The cloud storage end receives the write data request from the client and verifies the user identity certificate to decide whether the user is legitimate; if not, it returns a user identity certificate error message and the process ends; if legitimate, go to step (5-2);
(5-2) The cloud storage end checks whether the user has write access rights to the data of the write data request; if not, it returns a no-write-access message and the process ends; if so, go to step (5-3);
(5-3) The cloud storage end randomly generates a token, makes it the chain-tail token of the token chain corresponding to the data of the write data request, randomly generates interference blocks, inserts them into the ciphertext data according to the rule formulated in the token, saves the resulting data, and returns a write-success message to the client.
Preferably, step (7) comprises the following sub-steps:
(7-1) According to the user identity certificate in the client's read data request, the cloud storage end checks whether the user is legitimate; if so, go to step (7-2), otherwise return a user identity certificate error message to the client and the process ends;
(7-2) The cloud storage end checks whether the data of the read data request exists; if so, go to step (7-3), otherwise return a data-not-found message to the client and the process ends;
(7-3) The cloud storage end checks whether the user has read access rights to the data; if so, it returns the data to the client, looks up the chain-tail token in the token chain corresponding to the data, and sends a key request to the security management center, the request including the id of the data, the chain-tail token and the user identity certificate; otherwise it returns a no-read-access message to the client.
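The decision logic of the security management center in steps (3) and (3-1) to (3-5), (8) and (12) to (13) above (the same logic appears as steps (3) to (7), (17) and (21) to (22) of the specific embodiment) can be written out as a small class. The following is an added example for this page, not code from the patent. The identity certificate (a user id plus a signature checked against a registry), the per-data key pair (two random tags standing in for the public/private pair the embodiment describes) and the `cloud_notify` callback that models the revocation request sent to the cloud storage end are all assumptions of the example.

```python
import hmac
import secrets
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Set, Tuple


@dataclass(frozen=True)
class IdentityCertificate:
    """Constructed stand-in for the page's user identity certificate."""
    user_id: str
    signature: bytes   # assumed to be issued by the authentication end


@dataclass(frozen=True)
class DataKeyPair:
    """Placeholder for the per-data public/private key pair of step (3-5);
    random tags are enough to exercise the decision logic."""
    encryption_key: bytes
    decryption_key: bytes


class SecurityManagementCenter:
    def __init__(self, registered_users: Dict[str, bytes]) -> None:
        # registry of legitimate users: user id -> expected certificate signature
        self._registered = dict(registered_users)
        self._key_store: Dict[str, DataKeyPair] = {}
        # right revocation lists, one per data id (created lazily, step (13))
        self._revocation_lists: Dict[str, Set[str]] = {}

    def _legitimate(self, cert: IdentityCertificate) -> bool:
        expected = self._registered.get(cert.user_id)
        return expected is not None and hmac.compare_digest(expected, cert.signature)

    def _revoked(self, data_id: str, user_id: str) -> bool:
        # a missing list means nobody is revoked for that data (step (3-2))
        return user_id in self._revocation_lists.get(data_id, set())

    def encryption_key_request(self, cert: IdentityCertificate,
                               data_id: str) -> Tuple[str, Optional[bytes]]:
        """Steps (3-1) to (3-5): identity, revocation list, then key store."""
        if not self._legitimate(cert):
            return ("request failed: invalid identity certificate", None)
        if self._revoked(data_id, cert.user_id):
            return ("request failed: user in revocation list", None)
        pair = self._key_store.get(data_id)
        if pair is None:   # step (3-5): generate and save a key for new data
            pair = DataKeyPair(secrets.token_bytes(16), secrets.token_bytes(16))
            self._key_store[data_id] = pair
        return ("ok", pair.encryption_key)

    def key_request(self, cert: IdentityCertificate, data_id: str,
                    tail_token: object) -> Tuple[str, Optional[Tuple[bytes, object]]]:
        """Step (8): the cloud storage end already verified the certificate in
        step (7); only the revocation list decides here."""
        if self._revoked(data_id, cert.user_id):
            return ("service refused", None)
        pair = self._key_store.get(data_id)
        if pair is None:
            return ("no key for requested data", None)
        return ("ok", (pair.decryption_key, tail_token))

    def revocation_request(self, cert: IdentityCertificate, data_id: str,
                           target_user_id: str,
                           cloud_notify: Callable[[str, str], None]) -> str:
        """Steps (12) and (13); cloud_notify models the request sent to the
        cloud storage end so that it re-interferes the data (step (14))."""
        if not self._legitimate(cert):
            return "user identity certificate error"
        revoked = self._revocation_lists.setdefault(data_id, set())
        if target_user_id in revoked:
            return "user already in revocation list"
        revoked.add(target_user_id)
        cloud_notify(data_id, target_user_id)
        return "revocation successful"
```

The order of the checks matters: the certificate is verified before the revocation list is consulted, and the key store is touched only for a legitimate, non-revoked requester, so a revoked user never learns whether a key for the data exists. Revocation is scoped to one data id, which is why the lists are keyed by data id rather than kept as one global set.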
In general, compared with the prior art, the technical scheme of the invention has the following beneficial effects:
(1) Immediate revocation of user rights is achieved, avoiding the security hazards that may arise when user rights are revoked. In a non-immediate revocation mechanism, the revoked user still satisfies the access control condition and can still access the data, and may even maliciously write dirty data; secondly, the uncertainty of the revocation time can cause security breaches in the system; in addition, a non-immediate revocation mechanism cannot solve the problem of re-encrypting read-only data.
(2) In a traditional user right revocation mechanism a re-encryption operation is unavoidable, so that the revoked user's old key becomes invalid and cannot be used to decrypt the ciphertext and obtain the latest data. The interference block processing method proposed by the invention only requires the cloud storage end to remove the interference blocks from the ciphertext data according to the rule formulated in a randomly generated token and to reinsert interference blocks; the revoked user cannot obtain the latest token, so even with the old key the original data cannot be decrypted. Because of the performance bottleneck of AES, re-encryption often brings a great performance cost; the invention instead re-applies interference processing to the ciphertext data, avoiding the re-encryption problem when user rights are revoked and greatly reducing the performance expense of the system.
(3) The invention fully supports write data requests. The only difference between the invention's write data request and the write data flow in general use today is one added step when the cloud storage end saves the data, namely inserting interference blocks into the uploaded data according to the token. The invention likewise supports the user's other data access requests in the same way, such as delete, move and rename.
(4) The invention is widely applicable and not limited to cloud systems: neither the token generation rule nor the interference processing of the ciphertext data has any necessary connection with a cloud storage system, so the invention applies to any system that revokes user rights.
Brief description
Fig. 1 is the flow diagram of the invention.
Fig. 2 is a schematic diagram of the client process.
Fig. 3 is a schematic diagram of the cloud storage end process.
Fig. 4 is a schematic diagram of the token structure.
Fig. 5 is a schematic diagram of the token chain structure.
Fig. 6 is a schematic diagram of the interference block structure.
Fig. 7 is a schematic diagram of the interference processing applied to ciphertext data.
Fig. 8 is a schematic diagram of the security management center process.
Fig. 9 is the timing diagram of user login and read access to data.
Fig. 10 is the timing diagram of user login and write access to data.
Fig. 11 is the timing diagram of user login and user right revocation.
Specific embodiment
To make the objects, technical solutions and advantages of the invention clearer, the invention is further elaborated below with reference to the drawings and embodiments. It should be understood that the specific embodiments described here only explain the invention and do not limit it. Furthermore, the technical features of the embodiments described below may be combined with each other as long as they do not conflict.
The technical terms used in the invention are first explained:
Original file: an unencrypted file;
Identity certificate: a data structure that labels a user's identity characteristics, used in identity judgement and access control to decide whether a user has access rights;
Symmetric cryptography: encryption and decryption use the same key, and decryption is the inverse operation of encryption;
Symmetric key: randomly generated binary data used to encrypt or decrypt the original file;
Encrypted file: the file obtained by encrypting the original file with the symmetric key under a symmetric encryption mechanism;
Integrity check key: randomly generated binary data used for encrypting the encrypted file;
Signature file: the binary data obtained by encrypting the encrypted file with the integrity check key using a hash function;
Right revocation list: records the identifiers of the users whose rights have been revoked;
Interference block: a binary data block of customisable length;
Token: a data structure recording the essential information of all interference blocks inserted into the encrypted file, used to insert interference blocks into, or remove them from, the encrypted file;
Token chain: a chain structure made up of tokens, in which a later token in the chain can derive the earlier tokens, but an earlier token cannot derive the later ones.
The invention is further described below with reference to the embodiments and drawings.
As shown in Fig. 1, the invention comprises a client process, a cloud storage system process and a security management center process, which run respectively on the client host, the authentication host and the cloud storage system host of a distributed file system. The three modules cooperate. The client implements the various access operation requests, including logging in to the system, read data requests, writing and uploading data, and revoking user rights. When reading data, the client first uses the token received from the security management center to remove the interference blocks from the data returned by the cloud storage system, recovering the ciphertext, and then decrypts it with the key to obtain the original data; for write access it encrypts the data and uploads the ciphertext. The cloud storage system manages and updates the token chains, notifies the security management center to distribute keys and tokens, inserts interference blocks into the ciphertext, and judges and replies to user access requests. The security management center implements user registration and login, granting and revoking rights, key management and distribution, and user token distribution.
The invention applies interference processing, through a token chain mechanism, to the ciphertext data uploaded by users. Even if a user holds the decryption key, without the corresponding token the user cannot recover the ciphertext data and therefore cannot decrypt it to obtain the original data; this avoids the re-encryption operation that would otherwise be necessary when user rights are revoked.
A token is a data structure containing the rule for generating interference blocks and inserting them into the ciphertext. The cloud applies interference processing to the ciphertext through the token, and a user uses the token to remove the interference blocks from the interfered data and thereby recover the ciphertext data. A token chain is a chain structure made up of tokens, in which a later token can derive the earlier tokens but an earlier token cannot derive the later ones. The chain-tail token is the key token with which the cloud applies interference processing to the ciphertext data, and it is also the token with which the user removes the interference blocks. When a user's right is revoked, it is only necessary to generate a new chain-tail token in the token chain and to re-apply interference processing to the ciphertext data with the newly generated token; this achieves immediate revocation of the user's right.
As shown in Fig. 1, the user access right revoking method in a cloud storage environment of the invention comprises the following steps:
(1) The client receives a data operation request from the user and determines its type: a write data request, a read data request, or a right operation request. For a write data request proceed to step (2); for a read data request proceed to step (13); for a right operation request proceed to step (20);
(2) The client randomly generates a symmetric key for encrypting the data of the write data request and submits an encryption key request to the security management center; the request includes the user identity certificate and the id number of the data of the write data request. Specifically, this step generates the key for a symmetric encryption algorithm (such as the Advanced Encryption Standard, AES);
(3) According to the user identity certificate in the encryption key request, the security management center checks whether the user is legitimate; if so, proceed to step (4), otherwise return a request failure message to the user and the process ends;
(4) The security management center checks whether the user is in the right revocation list corresponding to the data of the write data request; if so, it returns a request failure message to the user, otherwise proceed to step (5); if the revocation list does not exist, this means the user is not in the revocation list;
(5) The security management center searches its local key store for the encryption key corresponding to this data; if found, proceed to step (6), otherwise proceed to step (7);
(6) The security management center returns the found encryption key to the client, then proceeds to step (8);
(7) The security management center randomly generates and saves an encryption key for this data using a public/private key encryption mechanism, returns the generated encryption key to the client, and proceeds to step (8). Specifically, the randomly generated encryption key uses an asymmetric encryption mechanism, such as the RSA algorithm;
(8) After receiving the encryption key from the security management center, the client sends a correctly-received response to the security management center and goes to step (9);
(9) The client uses the symmetric key generated in step (2) to encrypt the data of the write data request with a symmetric encryption algorithm, obtaining ciphertext data; then uses the encryption key received in step (8) and a public/private key algorithm to encrypt the symmetric key generated in step (2), obtaining a ciphertext key; packs the ciphertext data and the ciphertext key into a ciphertext packet; and sends a write data request to the cloud storage end. Specifically, the write data request includes the user identity certificate, the packed ciphertext data, the ciphertext key, the metadata of the data of the write data request, and so on;
(10) The cloud storage end receives the write data request from the client and verifies the user identity certificate to decide whether the user is legitimate; if not, it returns a user identity certificate error message and the process ends; if legitimate, go to step (11);
(11) The cloud storage end checks whether the user has write access rights to the data of the write data request; if not, it returns a no-write-access message and the process ends; if so, go to step (12). Specifically, the judgement of user rights depends on the access control policy adopted by the cloud storage end; for example, an identity-based access control policy grants user rights with an access control list: if the user is in the access control list, the user has the read access right, otherwise not;
(12) The cloud storage end randomly generates a token, makes it the chain-tail token of the token chain corresponding to the data of the write data request, randomly generates interference blocks, inserts them according to the rule formulated in the token into the ciphertext data obtained in step (9), saves the resulting data, and returns a write-success message to the client. Specifically, if the token chain does not exist, a new empty token chain is created and the randomly generated token becomes its first token.
The process by which the cloud storage end judges and stores uploaded data is further described with an example:
Suppose the data of the user's write data request is data, and the user has legitimate access rights. The cloud storage end first judges whether data already exists, that is, whether the user is writing existing data or uploading new data. For existing data the token chain already exists and the chain-tail token token is obtained directly; for newly uploaded data a new token token is generated at random and becomes the first token of the token chain corresponding to this data.
According to the rule formulated in the token, interference blocks as in Fig. 6 are generated and inserted into the uploaded data, giving the data data' with interference blocks inserted, as shown in Fig. 7, which is then saved;
(13) The client sends a read data request to the cloud storage end; the read data request includes the user identity certificate and the id of the data of the read data request;
(14) According to the user identity certificate in the client's read data request, the cloud storage end checks whether the user is legitimate; if so, go to step (16), otherwise return a user identity certificate error message to the client and the process ends;
(15) The cloud storage end checks whether the data of the read data request exists; if so, go to step (16), otherwise return a data-not-found message to the client and the process ends;
(16) The cloud storage end checks whether the user has read access rights to the data; if so, it returns the data to the client, looks up the chain-tail token in the token chain corresponding to the data, and sends a key request to the security management center, the request including the id of the data, the chain-tail token and the user identity certificate; otherwise it returns a no-read-access message to the client. Specifically, the judgement of user rights depends on the access control policy adopted by the cloud storage end; for example, an identity-based access control policy grants user rights with an access control list: if the user is in the access control list, the user has the read access right, otherwise not. The data returned to the client includes the data requested by the user and the ciphertext key corresponding to the requested data.
(17) According to the key request, the security management center checks whether the user is in the right revocation list corresponding to the data of the read data request (if that revocation list does not exist, this also means the user is not in the revocation list). If not, it looks up the decryption key corresponding to the requested data, returns the decryption key and the token to the client, and proceeds to step (18); if so, it returns a service-refused message to the client and the process ends;
(18) The client waits for and receives the information returned by the cloud storage end and the security management center. If the cloud storage end returned the requested data and the security management center returned the decryption key and the token, go to step (19); otherwise the user has no right to read the requested data and the process ends;
(19) The client first processes the data returned in step (16) with the token returned in step (17), removing the interference blocks from the data to obtain the ciphertext data; decrypts the ciphertext key in the data returned in step (16) with the decryption key returned in step (17) to obtain the symmetric key; and decrypts the ciphertext data with the symmetric key to obtain the original data requested by the user;
The processing carried out after the cloud storage end and the security management center return their information is further explained with reference to an embodiment:
The user receives the ciphertext data data, the ciphertext key enc(k_aes) and its metadata metadata returned by the cloud, and the decryption key k_s and the token token returned by the security management center.
The user first removes the interference blocks from data according to the interference block insertion rule formulated in the token, obtaining the data data' without interference blocks, as in Fig. 7; removing the interference blocks is the inverse process of inserting them. The user uses k_s to decrypt enc(k_aes) and obtain the symmetric key k_aes; these two steps can be processed in parallel. The user then decrypts data' with k_aes to obtain the requested original data.
(20) The client sends a user right revocation request to the security management center; the request includes the user identity certificate, the id of the data of the revocation request, and the user id of the user whose right is being revoked;
(21) The security management center verifies the user identity certificate in the client's user right revocation request to decide whether the user is legitimate; if so, go to step (22), otherwise return a user identity certificate error message to the client and the process ends;
(22) The security management center checks whether the user whose right is being revoked is in the right revocation list corresponding to the data id in the revocation request. If the user is not in the list, it inserts the user id into the revocation list, sends a user right revocation request to the cloud storage end (this request includes the data id and the user id of the revoked user), returns a revocation-success message to the client, and proceeds to step (23); if the user is already in the list, it returns to the client a message that the user is already in the revocation list; if the revocation list does not exist, a new revocation list is created (the method of creating it can be chosen according to the access control policy adopted by the system; under identity-based access control it is realised with an access control list, ACL), and the subsequent operations then proceed on the basis that the user is not in the revocation list;
(23) The cloud storage end looks up the token chain corresponding to the data id in the user right revocation request and obtains its chain-tail token;
(24) Using the chain-tail token obtained in step (23), the cloud storage end removes the interference blocks from the data corresponding to the data id, obtaining the un-interfered ciphertext data; randomly generates a new token according to the token generation rule and appends it to the token chain as the new chain-tail token; randomly generates interference blocks and inserts them into the ciphertext data according to the rule formulated in the new token; obtains and saves the new interfered data; and returns a revocation-success message to the client.
Specifically, Fig. 2 shows the client-side process in detail, Fig. 3 the cloud storage end process, and Fig. 8 the security management center process; the three processes cooperate to complete the user's operation requests, and the overall operation flow is shown in Fig. 1. Steps (13) to (19) above correspond to a read data request, whose sequence diagram is shown in Fig. 9; steps (2) to (12) correspond to a write data request, whose sequence diagram is shown in Fig. 10; steps (20) to (24) correspond to a right revocation request, whose sequence diagram is shown in Fig. 11.
In addition, Fig. 4 to Fig. 7 show the data structures of the token and the token chain and the principle by which a token and interference blocks are used. For steps (12) and (24) above, the present invention constructs the token chain with a pseudo-random algorithm, so that the generated tokens are unpredictable; the token-based data processing in steps (12), (19) and (24) relies mainly on the data structure defined by the token, and Fig. 6 and Fig. 7 show the process of processing data according to a token.
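As an added, constructed illustration (not code from the patent) of the token and interference-block mechanism used in steps (19) and (24) and shown in Fig. 6 and Fig. 7: each token carries an insertion rule, the stored object is the ciphertext with random interference blocks inserted at the rule's offsets, and revocation re-derives the rule from a fresh chain-tail token without touching the ciphertext. Assumptions: tokens are 16 random bytes, HMAC-SHA256 keyed with the token serves as the pseudo-random generator, block size and block count are fixed constants, and the token chain's derivation property is not modelled.

```python
import hashlib
import hmac
import os
import secrets

BLOCK = 16  # interference block size in bytes (constructed choice; the patent fixes none)
COUNT = 4   # interference blocks per stored object (constructed choice)

def new_token() -> bytes:
    """A token is 16 random bytes ('generate a token at random')."""
    return secrets.token_bytes(16)

def insertion_rule(token: bytes, ct_len: int) -> list:
    """The insertion rule carried by a token: COUNT distinct offsets into the ciphertext
    (0..ct_len). Assumption: HMAC-SHA256 keyed with the token is the pseudo-random
    generator; the patent does not name one."""
    positions, ctr = set(), 0
    while len(positions) < COUNT:
        digest = hmac.new(token, ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        positions.add(int.from_bytes(digest[:4], "big") % (ct_len + 1))
        ctr += 1
    return sorted(positions)

def interfere(token: bytes, ciphertext: bytes) -> bytes:
    """Insert random interference blocks at the token-derived offsets (Fig. 6)."""
    out, last = bytearray(), 0
    for p in insertion_rule(token, len(ciphertext)):
        out += ciphertext[last:p] + os.urandom(BLOCK)
        last = p
    return bytes(out + ciphertext[last:])

def remove_interference(token: bytes, data: bytes) -> bytes:
    """Inverse of interfere() (Fig. 7): block i sits at offset p_i plus i earlier blocks."""
    out, last = bytearray(), 0
    for i, p in enumerate(insertion_rule(token, len(data) - COUNT * BLOCK)):
        out += data[last:p + i * BLOCK]
        last = p + i * BLOCK + BLOCK
    return bytes(out + data[last:])

def revoke(chain: list, data: bytes) -> bytes:
    """Step (24): strip with the old tail token, append a fresh random token and
    re-interfere. The ciphertext itself is never decrypted or re-encrypted."""
    bare = remove_interference(chain[-1], data)
    chain.append(new_token())
    return interfere(chain[-1], bare)

def revocation_demo() -> tuple:
    """(legit read before revoke, read with the revoked token after, read with new tail)."""
    ct = os.urandom(200)                  # constructed stand-in for the AES ciphertext
    chain = [new_token()]                 # step (5)/(12): first token is the chain tail
    data = interfere(chain[-1], ct)       # stored form: interfered ciphertext
    old_token = chain[-1]
    before = remove_interference(old_token, data) == ct
    data = revoke(chain, data)
    stale = remove_interference(old_token, data) == ct
    fresh = remove_interference(chain[-1], data) == ct
    return before, stale, fresh
```

revocation_demo() returns (True, False, True): the revoked user's old token no longer locates the blocks while the symmetric key and ciphertext stay unchanged. Because k_aes is not rotated, the mechanism depends on the cloud storage end serving only the interfered form; a revoked user who kept k_aes and a pre-revocation copy of the data can still decrypt that copy.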
It will be readily understood by those skilled in the art that the foregoing is merely a preferred embodiment of the present invention and is not intended to limit it; any modification, equivalent replacement or improvement made within the spirit and principles of the present invention shall fall within the scope of protection of the present invention.
Claims (6)
1. A user access right revocation method in a cloud storage environment, characterized in that it comprises the following steps:
(1) The client receives a data operation request from the user and judges its type: a write data request, a read data request, or a right operation request; for a write data request go to step (2), for a read data request go to step (6), and for a right operation request go to step (11);
(2) The client randomly generates the symmetric key used to encrypt the data corresponding to the write data request, and submits an encryption key request to the security management center;
(3) The security management center determines the legitimacy of the user from the encryption key request, and judges whether the legitimate user is in the revocation list corresponding to the data of the write data request; if not, it obtains the encryption key corresponding to this data and returns it to the client;
(4) The client encrypts the data corresponding to the write data request with the symmetric key generated in step (2) using a symmetric encryption algorithm to obtain ciphertext data, encrypts the generated symmetric key with the received encryption key using a public-key algorithm to obtain a ciphertext key, packages the ciphertext data and ciphertext key into a ciphertext packet, and sends a write data request to the cloud storage end;
(5) The cloud storage end receives the write data request from the client, determines the legitimacy of the user from the request, and, when the legitimate user has write access to the data corresponding to the request, randomly generates a token and makes it the chain-tail token of the token chain corresponding to that data, randomly generates interference blocks, inserts them into the ciphertext data according to the rule formulated in the token, and stores the resulting data; wherein the token chain is a chain structure made up of tokens, in which a later token in the chain can derive the tokens before it, but an earlier token cannot derive the tokens after it;
(6) The client sends a read data request to the cloud storage end;
(7) The cloud storage end determines the legitimacy of the user from the user identity certificate in the client's read data request and, when the legitimate user has read access to the data, returns the data to the client, looks up the chain-tail token in the token chain corresponding to the data, and sends a key request to the security management center;
(8) The security management center judges from the key request whether the user is in the revocation list corresponding to the data of the read data request; if not, it looks up the decryption key corresponding to the requested data and returns the decryption key and the token to the client, then enters step (9); if so, it returns a service-refused message to the client and the process ends;
(9) The client waits for and receives the information returned by the cloud storage end and the security management center; if the cloud storage end returned the requested data and the security management center returned the decryption key and token, go to step (10), otherwise the process ends;
(10) The client processes the returned data with the returned token, removing the interference blocks to obtain the ciphertext data, decrypts the ciphertext key in the returned data with the returned decryption key to obtain the symmetric key, and decrypts the ciphertext data with the symmetric key to obtain the original data requested by the user;
(11) The client sends a user right revocation request to the security management center;
(12) The security management center verifies the user identity certificate in the client's revocation request to judge whether the user is legitimate; if so, go to step (13), otherwise return a user-identity-certificate error message to the client and the process ends;
(13) The security management center judges whether the user whose right is to be revoked is in the revocation list corresponding to the data id in the revocation request; if not, it inserts the user id into the revocation list, sends a user right revocation request to the cloud storage end, returns a revocation-success message to the client, and proceeds to step (14); if the user is already in the revocation list, it returns a message to the client indicating that the user is already in the revocation list;
(14) The cloud storage end looks up the token chain corresponding to the data id in the revocation request and obtains the chain-tail token, removes the interference blocks from the data corresponding to the data id using that token to obtain the ciphertext data without interference, generates a new token at random according to the token generation rule, appends it to the token chain as the new chain-tail token, randomly generates interference blocks, inserts them into the ciphertext data according to the rule formulated in the new token, obtains and stores the new interfered data, and returns a revocation-success message to the client.
2. The user access right revocation method according to claim 1, characterized in that:
the encryption key request includes the user identity certificate and the data id corresponding to the write data request;
the write data request includes the user identity certificate, the packaged ciphertext data and ciphertext key, and the metadata of the data corresponding to the write data request;
the read data request includes the user identity certificate and the data id corresponding to the read data request;
the user right revocation request includes the user identity certificate, the data id corresponding to the revocation request, and the user id whose right is revoked.
3. The user access right revocation method according to claim 1, characterized in that step (3) comprises the following sub-steps:
(3-1) The security management center judges whether the user is legitimate according to the user identity certificate in the encryption key request; if so, proceed to step (3-2), otherwise return a request-failure message to the user and the process ends;
(3-2) The security management center judges whether the user is in the revocation list corresponding to the data of the write data request; if so, return a request-failure message to the user, otherwise proceed to step (3-3); if the revocation list does not exist, the user is treated as not being in the revocation list;
(3-3) The security management center searches its local key store for the encryption key corresponding to this data; if found, proceed to step (3-4), otherwise proceed to step (3-5);
(3-4) The security management center returns the found encryption key to the client and then enters step (4);
(3-5) The security management center randomly generates and stores an encryption key for this data using a public/private key encryption mechanism, returns the generated encryption key to the client, and then enters step (4).
4. The user access right revocation method according to claim 1, characterized by further comprising the following step: after receiving the encryption key from the security management center, the client sends a receipt acknowledgement to the security management center.
5. The user access right revocation method according to claim 1, characterized in that step (5) comprises the following sub-steps:
(5-1) The cloud storage end receives the write data request from the client and verifies the user identity certificate to judge whether the user is legitimate; if not, return a user-identity-certificate error message and the process ends; if so, go to step (5-2);
(5-2) The cloud storage end judges whether the user has write access to the data corresponding to the write data request; if not, return a no-write-access message to the user and the process ends; if so, go to step (5-3);
(5-3) The cloud storage end randomly generates a token, makes it the chain-tail token of the token chain corresponding to the data in the write data request, randomly generates interference blocks, inserts them into the ciphertext data according to the rule formulated in the token, stores the resulting data, and returns a write-success message to the client.
6. The user access right revocation method according to claim 1, characterized in that step (7) comprises the following sub-steps:
(7-1) The cloud storage end judges whether the user is legitimate according to the user identity certificate in the client's read data request; if so, go to step (7-2), otherwise return a user-identity-certificate error message to the client and the process ends;
(7-2) The cloud storage end judges whether the data corresponding to the read data request exists; if so, go to step (7-3), otherwise return a data-does-not-exist message to the client and the process ends;
(7-3) The cloud storage end judges whether the user has read access to the data; if so, it returns the data to the client, looks up the chain-tail token in the token chain corresponding to the data, and sends a key request to the security management center, the request including the data id, the chain-tail token and the user identity certificate; otherwise it returns a no-read-access message to the client.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201410213922.0A CN103973698B (en) | 2014-05-19 | 2014-05-19 | User access right revoking method in cloud storage environment |
Publications (2)
Publication Number | Publication Date |
---|---|
CN103973698A CN103973698A (en) | 2014-08-06 |
CN103973698B true CN103973698B (en) | 2017-01-25 |
Family
ID=51242744
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201410213922.0A Active CN103973698B (en) | 2014-05-19 | 2014-05-19 | User access right revoking method in cloud storage environment |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN103973698B (en) |
Families Citing this family (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN104901968B (en) * | 2015-06-10 | 2018-01-05 | 华中科技大学 | A kind of key management distribution method in safe cloud storage system |
CN104935588B (en) * | 2015-06-12 | 2017-11-24 | 华中科技大学 | A kind of hierarchical encryption management method of safe cloud storage system |
CN107612910A (en) * | 2017-09-19 | 2018-01-19 | 北京邮电大学 | A kind of distributed document data access method and system |
CN109218295A (en) * | 2018-08-22 | 2019-01-15 | 平安科技(深圳)有限公司 | Document protection method, device, computer equipment and storage medium |
CN111222034B (en) * | 2019-12-31 | 2023-05-16 | 湖南华菱涟源钢铁有限公司 | Data mobile display method and device and cloud server |
CN112818404B (en) * | 2021-02-26 | 2022-11-04 | 青岛大学 | Data access permission updating method, device, equipment and readable storage medium |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101383702A (en) * | 2008-10-06 | 2009-03-11 | 中兴通讯股份有限公司 | Method and system protecting cipher generating parameter in tracing region updating |
CN103326999A (en) * | 2012-12-14 | 2013-09-25 | 无锡华御信息技术有限公司 | File safety management system based on cloud service |
CN103441844A (en) * | 2013-07-31 | 2013-12-11 | 南京神盾信息技术有限公司 | Data safety and intranet monitoring system based on cloud storage |
Non-Patent Citations (1)
Title |
---|
"Attribute-based secure access control technology for distributed storage"; 陈杰 (Chen Jie); China Master's Theses Full-text Database, Information Science and Technology; 2013-12-15 (No. S2); pp. 22-23, 30-31 * |
Also Published As
Publication number | Publication date |
---|---|
CN103973698A (en) | 2014-08-06 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
C14 | Grant of patent or utility model | ||
GR01 | Patent grant |