CN104079539B - A kind of data confidentiality storage method and client - Google Patents
A kind of data confidentiality storage method and client Download PDFInfo
- Publication number
- CN104079539B CN104079539B CN201310105415.0A CN201310105415A CN104079539B CN 104079539 B CN104079539 B CN 104079539B CN 201310105415 A CN201310105415 A CN 201310105415A CN 104079539 B CN104079539 B CN 104079539B
- Authority
- CN
- China
- Prior art keywords
- clouds
- encrypted volume
- volume file
- encrypted
- module
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
Abstract
This application provides a kind of data confidentiality storage method and client;Methods described includes:After encrypted volume file is created or after the user cipher of change encrypted volume file, the cleartext information of the summary of the encrypted volume file is exported;Using user cipher and the summary key of different salt figures generation at least three;Respectively with the cleartext information of the derived summary of different summary key encryption institutes, at least three parts summaries encrypted are obtained;Replace the summary and backup summary of the encrypted volume file locally respectively with the summary of two parts of encryptions;The summary of 3rd part of encryption is synchronized to high in the clouds, the summary of encrypted volume file beyond the clouds is used as.The application can be effectively protected and secure synchronization to the sensitive data of user.
Description
Technical field
The present invention relates to network field, more particularly to a kind of data confidentiality storage method and client.
Background technology
In today of information-based high speed development, the security of data is increasingly subject to pay attention to;How user need for confidentiality is protected
Sensitive data, as a research emphasis in data storage.
The protection to sensitive data is based primarily upon TrueCrypt technologies at present, and TrueCrypt is the storage an increased income peace
Full scheme, for creating and safeguarding a real-time encrypted volume.The whole file system of the encrypted volume is all encrypted, and user only has defeated
Entering correct password could open.General operation step is as follows:
Install first after program and driving, a file is created as content container, after user cipher input is correct
Driving can load this file as a drive letter, and user can be carried out with other disks under the disk without two different files
Operation, the actually content of the disk storage are encryption, because driving is there is provided real-time encrypted (real-time encrypted to refer to that file is deposited
Rapid encryption, a kind of technology decrypted rapidly before loading before storage) operation, user, which is not felt by, uses difference.When user has used
The drive can be unloaded after finishing.
65536 bytes that TrueCrypt encrypted volume files start are referred to as Header (summary), contain salt figure, data
Area's key, the information such as sector-size;65536 bytes of file end are a backup Header;Middle content is data field
Content.The real key storage to data field encryption and decryption is in Header, and user key is only used for decrypting Header.Here
The loading and unloading of encrypted volume are required for completing by driving.
The defect of current data confidentiality storage scheme focus primarily upon it is following some:
Some schemes are only capable of providing the secrecy of local file content;Need to enter sensitive data when user there are multiple devices
When row is synchronous, above scheme can not meet the demand of this kind of user.This means user needs to use U when these equipment are synchronous
Disk, the mode such as Email attachment carries out the synchronization of sensitive data, and this is extremely unsafe mode in itself.
Although the sensitive data in local safety box can be synchronized to high in the clouds by other scheme automatically, only to sensitive number
According to provide local protection, the i.e. storage of sensitive data beyond the clouds be stored in clear or simple encryption (decryption means also beyond the clouds, this
Mean that high in the clouds can untie user's sensitive document), with the storage indistinction of ordinary file beyond the clouds, at this moment high in the clouds storage turns into
Security vulnerabilities.
In the processing for sharing sensitive data, current scheme can generate one and share link or sensitive data is direct
It is delivered to by participator;After being received by participator and password is not needed just to be able to access that sharing data, but no mode ensures only
Have that correct recipient can receive corresponding file and this document is delivered to secure memory location, such as when sharing link quilt
Any individual takes, and he can even access the sensitive content in browser.
In the processing of data recovery, current scheme can be repaired for the impaired situations of one of Header,
Recover if Header and backup Header are damaged to need to import external source Header, and if now without backing up Header in time
Then the encrypted volume can not be recovered.Recover sensitive data, i.e. key position without any means substantially if data field is damaged to damage
It is bad that entirety can be caused unavailable.
The content of the invention
The application technical problem to be solved is how the sensitive data of user to be effectively protected and secure synchronization.
In order to solve the above problems, this application provides a kind of data confidentiality storage method, including:
After encrypted volume file is created or after the user cipher of change encrypted volume file, the summary of the encrypted volume file is exported
Cleartext information;
Using user cipher and the summary key of different salt figures generation at least three;
Respectively with the cleartext information of the derived summary of different summary key encryption institutes, obtain at least three parts encrypt pluck
Will;
Replace the summary and backup summary of the encrypted volume file locally respectively with the summary of two parts of encryptions;3rd part is added
Close summary is synchronized to high in the clouds, is used as the summary of encrypted volume file beyond the clouds.
Further, described method also includes:
Calculate the check value of the summary of each encryption respectively using checking algorithm;Preserve the verification of local summary and backup summary
Value, high in the clouds is synchronized to by the check value that high in the clouds is made a summary;
The summary of encrypted volume file is judged respectively using the check value of local summary and backup summary and whether backs up summary
Damage.
Further, described method also includes:
When there is one to damage in the summary and backup summary for judging encrypted volume file, untied and do not damaged using user cipher
Summary, the cleartext information made a summary;
The cleartext information of the key re-encrypted summary of making a summary produced using the user cipher and salt figure, after encryption
The summary that summary covering is damaged.
Further, described method also includes:
When the summary and backup summary that judge encrypted volume file are all damaged, high in the clouds summary is obtained;Use user cipher solution
Open high in the clouds summary, the cleartext information made a summary;
Two summary keys are generated respectively using the user cipher and two kinds of new salt figures, the summary obtained by encrypting respectively
Cleartext information, obtains the summary of two parts of encryptions, is covered each by encrypted volume document and backup is made a summary.
Further, described method also includes:
When the data field of encrypted volume file is damaged, the summary of the corresponding encrypted volume file in high in the clouds is obtained;It is close using user
Code unties acquired summary, and the encrypted volume file of data field blank is being locallyd create according to the cleartext information of obtained summary;
The corresponding encrypted volume file in high in the clouds is loaded as synchronisation source, the sensitive data in high in the clouds is synchronized to created local
In the data field of encrypted volume file.
Further, described method also includes:
When creating encrypted volume file, if it is determined that the miscellaneous equipment of the user account had created encrypted volume file, then
High in the clouds summary is obtained, high in the clouds summary, the cleartext information made a summary are decrypted using user cipher;Believed according to the plaintext of the summary
Breath creates encrypted volume file.
Further, encrypted volume file is created using initial password;
Methods described also includes:
After encrypted volume document creation, export initial password summary calculates initial password summary using checking algorithm
Check value, high in the clouds is sent collectively to by the check value and initial password summary;The initial password summary refers to by described first
Summary after the summary key encryption of beginning password and salt figure generation.
Further, described method also includes:
Find high in the clouds summary than local when receiving the summary new information of high in the clouds push, or when loading encrypted volume file
When the version of summary and backup summary is new, high in the clouds summary is obtained;High in the clouds summary is decrypted using newest user cipher, plucked
The cleartext information wanted;Two summary keys are generated using the newest user cipher and different salt figures;Use what is generated respectively
Two summary keys encrypt the cleartext information of the summary, obtain the summary of two encryptions;With two summaries encrypted difference more
New local summary and backup summary.
Further, described method also includes:
Positive closing local encrypted volume when disconnecting when receiving the summary new information of high in the clouds push or with network
File.
Further, described method also includes:
When needing to deliver sensitive data to user is specified after loading encrypted volume file, the temporary key of generation is used to encrypt
Sensitive data to be sent, high in the clouds is sent to by the sensitive data and temporary key after encryption;
When needing to receive sensitive data after loading encrypted volume file, input after the temporary key obtained from high in the clouds from high in the clouds
Receive sensitive data;It is stored in after decrypting the sensitive data using the temporary key in the encrypted volume file.
Present invention also provides a kind of client, including:
Export module, for after encrypted volume file is created or after the user cipher of change encrypted volume file, export should to add
The cleartext information of the summary of close volume file;
Key production module, for using user cipher and the summary key of different salt figures generation at least three;
Encrypting module, for the derived cleartext information made a summary of different summary key encryption institutes, obtaining at least respectively
The summary of three parts of encryptions;
Update module, for replacing the local summary of the encrypted volume file respectively with the summaries of two parts of encryptions and backup is plucked
Will;The summary of 3rd part of encryption is synchronized to high in the clouds, the summary of encrypted volume file beyond the clouds is used as.
Further, described client also includes:
Computing module, the check value of the summary for calculating each encryption respectively using checking algorithm;
The update module is additionally operable to preserve the check value of local summary and backup summary, and the check value that high in the clouds is made a summary is same
Walk to high in the clouds;
Judge module, for the check value using local summary and backup summary judge respectively encrypted volume file summary and
Whether backup summary damages.
Further, described client also includes:
There is one in data recovery module, the summary and backup summary for judging encrypted volume file when the judge module
During damage, unspoiled summary is untied using user cipher, the cleartext information made a summary;Indicate that the key production module makes
Summary key is produced with user cipher and salt figure;Indicate that the summary that the encrypting module is produced using the key production module is close
The cleartext information of key re-encrypted summary;The summary damaged with the summary covering after encryption.
Further, described client also includes:
Data recovery module, for judging that the summary and backup summary of encrypted volume file are all damaged when the judge module
When, obtain high in the clouds summary;High in the clouds is untied using user cipher to make a summary, the cleartext information made a summary;Indicate the key generation
Module generates two summary keys respectively using the user cipher and two kinds of new salt figures;Indicate that the encrypting module is used described close
Two summary keys that key generation module is produced encrypt the cleartext information of resulting summary respectively;With the summary point of two parts of encryptions
Fu Gai not encrypted volume document and backup summary.
Further, described client also includes:
Data recovery module, for when the data field damage of encrypted volume file, obtaining the corresponding encrypted volume file in high in the clouds
Summary;Acquired summary is untied using user cipher, data field is being locallyd create according to the cleartext information of obtained summary
The encrypted volume file of blank;The corresponding encrypted volume file in high in the clouds is loaded as synchronisation source, the sensitive data in high in the clouds is synchronized to institute
In the data field of the local cipher volume file of establishment.
Further, described client also includes:
Creation module, for when creating encrypted volume file, if it is determined that the miscellaneous equipment of the user account had been created
Encrypted volume file, then obtain high in the clouds summary, and high in the clouds summary, the cleartext information made a summary are decrypted using user cipher;According to
The cleartext information of the summary creates encrypted volume file.
Further, the creation module is additionally operable to create encrypted volume file using initial password;
The export module is additionally operable to after encrypted volume document creation, export initial password summary;The initial password is plucked
Refer to by the summary after the summary key encryption of the initial password and salt figure generation;
The computing module is additionally operable to calculate the check value of initial password summary using checking algorithm;
The update module is additionally operable to initial password summary and its check value being sent collectively to high in the clouds.
Further, the update module is additionally operable to when receiving the summary new information of high in the clouds push, or when loading adds
When finding that high in the clouds summary is newer than the version of local summary and backup summary during close volume file, high in the clouds summary is obtained;Using newest
User cipher decrypts high in the clouds summary, the cleartext information made a summary;Indicate the key production module using described newest
User cipher and different salt figures generate two summary keys;Indicate the encrypting module respectively with two generated summary keys
The cleartext information of the summary is encrypted, the summary of two encryptions is obtained;With the summaries of two encryptions update respectively local summary and
Backup summary.
Further, described client also includes:
The update module is strong when being additionally operable to when receiving the summary new information of high in the clouds push or being disconnected with network
System closes local encrypted volume file.
Further, described client also includes:
Sending module, for when needing to deliver sensitive data to user is specified after loading encrypted volume file, using generation
Temporary key encrypt sensitive data to be sent, the sensitive data and temporary key after encryption are sent to high in the clouds;
Receiving module, for when needing to receive sensitive data after loading encrypted volume file, inputting from facing that high in the clouds is obtained
When key after from high in the clouds receive sensitive data;The encrypted volume is stored in after decrypting the sensitive data using the temporary key
In file.
At least one embodiment of the application is re-synchronised to high in the clouds after carrying out local cipher for sensitive data, and high in the clouds can not
It is decrypted, it is ensured that the safe memory requirement in high in the clouds, be effectively protected therefore, it is possible to the sensitive data to user, wrapped
Include the local data of subscriber's main station and high in the clouds corresponding data;The same of sensitive data can also be carried out between user's distinct device
Step.The prioritization scheme of the application ensures only have correct recipient to have the right to receive corresponding file, and can be by sensitive data point
The secure memory location of other side is enjoyed or is delivered to, realization reliably shares delivery.The another prioritization scheme of the application possesses powerful
Data recovery capabilities, anyway Header, which damages, to be successfully recovered, and anyway encrypted volume data field is damaged
High in the clouds sensitive data can be in local recovery success.The another prioritization scheme of the application is when creating using predetermined close first time
Code allows user to have the ability to recover safety box content when forgetting Password or auditing, so as to improve sensitive number as initial password
According to recovery capability.Certainly, implementing any product of the application must be not necessarily required to while reaching all the above advantage.
Brief description of the drawings
Fig. 1 is the schematic flow sheet of the data confidentiality storage method of embodiment one;
Fig. 2 is the schematic flow sheet of safety box synchronization in embodiment one;
Fig. 3 is the schematic flow sheet of safety box loading in embodiment one;
Fig. 4 is the schematic flow sheet of encrypted volume renewal in embodiment one;
Fig. 5 is the schematic flow sheet of dilatation/capacity reducing in embodiment one;
Fig. 6 is the schematic flow sheet that encrypted volume is local and high in the clouds is repaired in embodiment one;
Fig. 7 is the schematic flow sheet that encrypted volume is integrally repaired in embodiment one;
Fig. 8 is the schematic flow sheet for delivering sensitive data;
Fig. 9 is the schematic block diagram of client in embodiment two.
Embodiment
The technical scheme of the application is described in detail below in conjunction with drawings and Examples.
If it should be noted that not conflicting, each feature in the embodiment of the present application and embodiment can be tied mutually
Close, within the protection domain of the application.In addition, though logical order is shown in flow charts, but in some situations
Under, can be with the step shown or described by being performed different from order herein.
Embodiment one, a kind of data confidentiality storage method, as shown in figure 1, including:
S101, when create encrypted volume file after or change encrypted volume file user cipher after, export the encrypted volume file
Summary cleartext information;
S102, key of being made a summary using user cipher and different salt figure generations at least three;
S103, respectively with the cleartext information of the derived summary of different summary key encryption institutes, obtain at least three parts and encrypt
Summary;
S104, replace the local summary of the encrypted volume file and backup summary respectively with the summaries of two parts of encryptions;By
The summary of three parts of encryptions is synchronized to high in the clouds, is used as the summary of encrypted volume file beyond the clouds.
In the present embodiment, because high in the clouds summary is locally to use user cipher encrypted, therefore it can not decrypt beyond the clouds
The summary, and then the data in encrypted volume file data area can not be untied, it is ensured that the safety storage in high in the clouds.
In the present embodiment, encrypted volume can use TrueCrypt form, naturally it is also possible to using other existing or self-defined
Form;In each form used, encrypted volume file includes data field, summary (Header) and backup Header in itself;
Header is used to preserve data field key, salt figure and sector-size of encrypted volume file etc..In the present embodiment, for producing summary
The salt figure of key is different, result in summary key and also differs;So while the information preserved is consistent, but because summary key
It is different, therefore the content that the Header encrypted is showed is different.
In the present embodiment, the summary that a new encryption is had after user cipher change is synchronized to high in the clouds, will cover high in the clouds
The Header (i.e. old user cipher and the encrypted Header of the summary key of salt figure generation) preserved before;That is cloud
The corresponding Header of user cipher has and only a in end, to ensure what is only encrypted using newest user cipher and salt figure
Header is present in high in the clouds.High in the clouds can push summary new information and give the encryption after summary of encrypted volume file is updated
Roll up all devices of file owning user account.
In a kind of alternative of the present embodiment, methods described can also include:
Calculate the check value of the summary of each encryption respectively using checking algorithm;Preserve the verification of local summary and backup summary
Value, high in the clouds is synchronized to by the check value that high in the clouds is made a summary;
The summary of encrypted volume file is judged respectively using the check value of local summary and backup summary and whether backs up summary
Damage.
Repaired if whether the summary of encrypted volume file is damaged;The check value of high in the clouds summary can be used for judging to pass
Whether it is damaged when defeated, if then being retransmitted.
The checking algorithm can be, but not limited to as MD5 (Message Digest 5 the 5th edition), can also be sha (secure hash
Algorithm), RIPEMD (raw integrity verification message summary) etc..
In a kind of embodiment of this alternative, methods described can also include:
When there is one to damage in the summary and backup summary for judging encrypted volume file, untied and do not damaged using user cipher
Summary, the cleartext information made a summary;The summary key re-encrypted summary produced using the user cipher and salt figure
Cleartext information, the summary damaged is covered with the summary after encryption.
In a kind of embodiment of this alternative, methods described can also include:
When the summary and backup summary that judge encrypted volume file are all damaged, high in the clouds summary is obtained;Use user cipher solution
Open high in the clouds summary, the cleartext information made a summary;Two summary keys are generated respectively using the user cipher and two kinds of new salt figures,
The cleartext information of summary obtained by encrypting respectively, obtains the summary of two parts of encryptions, is covered each by encrypted volume document and standby
Part summary.
In a kind of alternative of the present embodiment, methods described can also include:
When the data field of encrypted volume file is damaged, the summary of the corresponding encrypted volume file in high in the clouds is obtained;It is close using user
Code unties acquired summary, and the encrypted volume file of data field blank is being locallyd create according to the cleartext information of obtained summary;
The corresponding encrypted volume file in high in the clouds is loaded as synchronisation source, the sensitive data in high in the clouds is synchronized to created local
In the data field of encrypted volume file.In a kind of alternative of the present embodiment, methods described can also include:
When creating encrypted volume file, if it is determined that the miscellaneous equipment of the user account had created encrypted volume file, then
High in the clouds summary is obtained, high in the clouds summary, the cleartext information made a summary are decrypted using user cipher;Believed according to the plaintext of the summary
Breath creates encrypted volume file.
Can be in login user account high in the clouds active inquiry whether the user account created encrypted volume file (
Created in other equipment or created excessive because the reasons such as refitting system cause to be not present in this equipment), or create
When go to high in the clouds to be inquired about.
In a kind of alternative of the present embodiment, methods described can also include:
Find high in the clouds summary than local when receiving the summary new information of high in the clouds push, or when loading encrypted volume file
When the version of summary and backup summary is new, high in the clouds summary is obtained;High in the clouds summary is decrypted using newest user cipher, plucked
The cleartext information wanted;Two summary keys are generated using the newest user cipher and different salt figures;Use what is generated respectively
Two summary keys encrypt the cleartext information of the summary, obtain the summary of two encryptions;With two summaries encrypted difference more
New local summary and backup summary.
The newest user cipher can be actively entered by user or need used time pop-up dialogue box to require user's input.
In a kind of alternative of the present embodiment, methods described can also include:
Positive closing local encrypted volume when disconnecting when receiving the summary new information of high in the clouds push or with network
File.
So when an equipment be in it is dangerous in the state of (such as be stolen) when, can be by belonging to same user account
Another equipment on change the user cipher of encrypted volume file, the encrypted volume text for have loaded in the dangerous equipment of positive closing
Part, it is ensured that data safety.
In a kind of alternative of the present embodiment, encrypted volume file is created using initial password;Methods described also includes:
After encrypted volume document creation, export initial password summary calculates initial password summary using checking algorithm
After check value, the check value and initial password summary are sent collectively to high in the clouds;The initial password summary refers to by described
Summary after the summary key encryption of initial password and salt figure generation.
In a kind of alternative of the present embodiment, methods described can also include:
When needing to deliver sensitive data to user is specified after loading encrypted volume file, the temporary key of generation is used to encrypt
Sensitive data to be sent, high in the clouds is sent to by the sensitive data and temporary key after encryption;
When needing to receive sensitive data after loading encrypted volume file, input after the temporary key obtained from high in the clouds from high in the clouds
Receive sensitive data;It is stored in after decrypting the sensitive data using the temporary key in the encrypted volume file.
In the alternative, delivery service (what file, whom is delivered to) can be selected as the client of sender, so
High in the clouds generation temporary key, and temporary key can be sent to recipient by way of mobile phone or mail afterwards;When recipient makes
It is saved into temporary key decryption encryption data behind the encrypted volume data field of oneself, high in the clouds can delete what is encrypted using temporary key
Sensitive data.
Below the present embodiment is described in detail with the example of several specific application scenarios;With insurance in these application scenarios
Case is illustrated as encrypted volume file;In actual applications, title during encrypted volume file is not only limited in safety box, also
Close disk, cloud disk, file safety cabinet, virtual disk etc. can be included, what its essence was just as.Checking algorithm is actual by taking MD5 as an example
Using when not limited to this.
(1) safety box synchronizing process.
Main to include safety box the establishment in equipment, the synchronization of summary, necessary information is stored in the process of lane database
Etc..As shown in Fig. 2 including step 201~208.
201st, after User logs in account, opening safety box function is selected, it is meant that he is wished in local opening safety case
Service.At this moment client first judge it is local whether existing safety box, if entering loading process (follow-up to introduce) in the presence of if.If no
In the presence of need to then locally create safety box.
202nd, whether guarantor had been created in other equipment before the user account being inquired about to high in the clouds for this client
Dangerous case, specifically inquires about high in the clouds with the presence or absence of the corresponding Header of this user account or user's safety box id of this user account
Whether (mark) be existing, and if illustrating in the presence of if, this user account created safety box, into step 206;If not depositing
Then illustrating it is currently that the user account creates safety box for the first time, into step 203.It is noted herein that, it is same to use
Safety box Header of the family account in distinct device is essentially identical, such as data field key agreement, this be in order to it is synchronous with it is quick
Feel the encrypted transmission of data and consider.Therefore only need to preserve a user Header beyond the clouds and (specifically refer to here by user
The Header of the key encryption of password and salt figure generation).
If the 203, user creates safety box for the first time, then the position for selecting safety box encrypted volume file to preserve is needed, plus
Close Volume Space size and user cipher (being used for encrypting Header) etc..Then used according to the path size of selection initial close
Code (such as 1234) be encrypted volume file establishment (create result be one meet user require and encrypted volume file format rule
The file of model), and export initial password Header (i.e.:The summary key encryption generated using initial password and salt figure
Header), calculating the corresponding Md5 values of the Header, (derived mean will calculate portion independently of encrypted volume file
Header data).Then the Header and backup Header of encrypted volume are updated using user cipher, i.e., first will be derived initial close
The Header decryption of code obtains original Header (i.e. Header cleartext information), then with plucking that user cipher and salt figure are generated
Want key to encrypt the original Header, the Header and backup Header of encrypted volume are replaced with the Header after encryption.After replacement
Actual content inside Header is constant, and the only summary key change for encrypting Header causes what Header showed
Content change, this summary key is that Header salt figures and user cipher are mixed, and the Header after encryption is with ciphertext form
Present.In addition, producing a summary key using user cipher and another salt figure, encryption Header (is obtained after encrypting here
Header is hereafter referred to as user cipher Header) and the corresponding Md5 values of Header of encryption are calculated, afterwards by initial password
Header, user cipher Header and each self-corresponding Md5 values are synchronized to high in the clouds.
If the purpose for preserving the Header of initial password is that user forgets have audit demand to be wanted after user cipher or later
Ask when checking safety box data, can apply recovering using initial password, now initial password Header can be used more in client
New encrypted volume allows user to use initial password (such as 1234) to access encrypted volume file, and can then change encryption
Rolling up the user cipher of file, (initial password Header only has useful in such cases, and high in the clouds Header generally refers to using
Family password Header).It is noted herein that each version of the Header of preservation identical information is different, because salt
Value or user cipher difference can all cause different for the summary key of encrypting Header.Encrypted volume text after such as updating
Part Header, the information for backing up Header and being synchronized to tri- preservations of user cipher Header in high in the clouds are consistent, but because
Key for encrypting Header is different so that presentation content is different.
204th, when high in the clouds receives the Header that user account creates the required submission of safety box for the first time, cloud is judged immediately
Whether end can assign new safety box id, and (i.e. whether user's safety box id is existing, and possible user is firm in another equipment
Just create successfully, id is existing under this situation), if preserving the information of client submission if id can be assigned and returning to safety box
id。
If the 205, returning to safety box id successes, the visitor of the equipment (hereinafter referred to as device A) of first establishment encrypted volume file
Family end can preserve this id and relevant information, including:Encrypted volume path, size and encrypted volume Header are corresponding with backup Header
Md5 values when in local data base (herein Md5 values be used for load safety box when judge whether safety box Header is damaged, tool
Body refers to the description of follow-up loading procedure), into step 207.If not returning to safety box id successfully, illustrate this time to create
Safety box operation failure is built, encrypted volume file is deleted, and satellite information is not preserved in local data base.
If the 206, the user account has successfully created safety box in other equipment, this equipment only need to be same from high in the clouds
The corresponding Header of the user account is walked, the correct user cipher of user's choosing input is treated, Header is decrypted rear and selects
Local safety box storage location, client can automatically create out one automatically according to the information included inside the Header after decryption
Sleazy encrypted volume file.
If likewise, user next open first establishment encrypted volume file equipment outside miscellaneous equipment (after
Text is referred to as equipment B), now high in the clouds can the existing safety box of PUSH message explanation create, ask the user whether to be synchronized to and originally set
It is standby, it is also to carry out the step, i.e. high in the clouds to send the corresponding Header of client relative users account, user to if selecting to agree to
Input after correct user cipher and decrypt the Header of high in the clouds transmission, and an empty encryption is created according to the Header after decryption
File is rolled up to specified location.
207th, after user has successfully created safety box encrypted volume, if now he thinks that the user cipher of oneself is dangerous
When, he can select to change the user cipher of safety box, and this process can use new user cipher and two kinds of salt figures group respectively
The new summary key of synthesis, is encrypted, and replace the Header and backup Header of encrypted volume to Header respectively.I.e. user changes
Password not changes data field password, but for encrypting Header summary password.Then again by a new user cipher and
What another salt figure was generated makes a summary the encrypted Header data syn-chronizations of key to high in the clouds, and high in the clouds preservation is old before covering
User cipher Header, that is to say, that the corresponding Header of user cipher has in high in the clouds and only a (version number shows
Header newness degree), it is only correctly with ensureing that the Header of only newest user cipher is present.
208th, assume that user changes after user cipher success on device B, if safety box is in unlatching in device A at this moment
State, high in the clouds can push the information of safety box high in the clouds Header renewals immediately, the information can inspire in device A safety box immediately by
(i.e. the corresponding drive of safety box is unloaded by driving, it is contemplated that user changes the motivation of user cipher, and safety box is forced to close for closing
Close is for security concern).If user needs opening safety case, client understands the synchronous newest Header in high in the clouds that get off,
Now user's input change on device B after user cipher after enter encrypted volume local update process and (can in detail be situated between follow-up
Continue), then by opening safety case in safety box loading procedure.User, which is changed in device A in user cipher, equipment B, to be insured
Situation when case is in opening is also the same.
It can also be arranged to:If needing the stage for inputting user cipher to repeatedly input mistake in user exceedes pre-determined number,
Client also can positive closing and local data base remove user account exempt from step on information (such as token and
RefreshToken), the reason for doing so is that possible someone controls the main frame of user and attempts to obtain the access of safety box
Power, now closing client, which makes it operate the authority of client all, (can not so not exempt to step on into web terminal or by modification
Delete the purpose that local data reaches modification high in the clouds data).
It can in addition contain be arranged to:Safety box only with high in the clouds UNICOM in the state of could normal operating;There is no network company
Connect or safety box is not read or written safety box when reaching scheduled duration and can closed automatically.Local data is waited to protect existing
In dangerous scheme, it is contemplated that hacker obtains subscriber's main station control, and now safety box is in open mode or knows that user is close
It is have accessed if code with regard to sensitive data can be obtained.And now user has no idea effectively to protect the sensitive data of oneself.
And in the present example, if hacker obtains a user equipment, there is no network connection safety box to close automatically when he takes away
Close, or this equipment is connected with high in the clouds, now user changes the equipment inspection that this is acquired after user cipher in other equipment
Automatic closing can equally be forced by measuring high in the clouds Header version updatings message, and to be loaded into again, must to input newest user close
Code.Here user's modification user cipher needs to input old user cipher and new user cipher simultaneously.If hacker passes through modification
The mode of user cipher prevents user's positive closing safety box, and user can use the function of disabling safety box so that safety box is vertical
Fail (the safety box positive closing on all devices), the function needs user to provide the personal information of oneself to carry out to high in the clouds
Checking.
(2) safety box loading procedure.As shown in figure 3, including step 301~306.
301st, user selects opening safety box function and inputted after user cipher, first in client meeting reading database
Safety box information, including size, path and front and rear Md5 values.
302nd, client judge current path with the presence or absence of matching encrypted volume file, if in the presence of if on current path
Encrypted volume file carries out loading operation;If otherwise needing user to select corresponding path, client determines whether legal
Encrypted volume file, if this document meets the routing information of Policy Updates database, and to the corresponding encrypted volume file in newest path
Carry out loading operation.
303rd, client judges whether current crypto volume file is in the same size with data-base recording, if inconsistent directly enter
Enter the overall repair process of encrypted volume file (can subsequently be discussed in detail), overall reparation end may proceed to perform step 304.If one
Cause then directly to perform step 304.
304th, client asks high in the clouds Header version informations to high in the clouds, and compare the version of return with it is local Header editions
This, if high in the clouds Header is newer than local, local update operation (can subsequently be discussed in detail) is carried out to encrypted volume file, this
Ground may proceed to perform step 305 after updating.Step 305 is directly performed if version is the same;During due to local update Header
Also high in the clouds (step 207 seen above) can be sent to, thus be typically not in local Header versions than high in the clouds news,
If there is can continue to perform step 305, and synchronized with reference to step 207 above, 208.
305th, client reads encrypted volume file Header and backup Header data fields content and calculates Md5 values, will count
Calculate result with the Md5 values that database is preserved to be compared, step 306 is carried out if all matching;Enter encryption if thering is one to mismatch
The local repair process of volume summary;Enter encrypted volume summary high in the clouds repair process if both mismatching.(this and TrueCrypt
Difference, TrueCrypt is first to attempt to solve Header in loading, backup Header is solved if Header is inextricable, if backup
Header, which can be untied, illustrates that Header has been damaged but TrueCrypt does not make automatic reparation).
306th, client starts loading encrypted volume file as drive, enters if loading failure and if not being code error and adds
The overall repair process of close volume file.Current process terminates if success.
(3) safety box sensitive data synchronizing process.
Safety box sensitive data synchronizing process starts from after safety box encrypted volume loads successfully, after safety box is encrypted successfully
For a new synchronisation source of cloud disk multisource synchronization.Here the problem of is that the file inside encrypted volume drive is read or write
Enter be in the form of plaintext, but high in the clouds storage be ciphertext form.It can use and be draped over one's shoulders in patent application 201210157295.4
The scheme of dew carries out the increment synchronization of sensitive data.Here increment synchronization is referred to after local sensitive data is changed, to repairing
The contents fragment changed is encrypted and is transferred to high in the clouds storage, while high in the clouds updates file structure;Or high in the clouds sensitive data version
During renewal, the file of latest edition is fused to after the contents fragment decryption that high in the clouds change is locally-downloaded with local content, is finally protected
In the presence of in local safety box.
Sensitive data synchronizing process remaining issues is exactly the local cipher of sensitive data, here focus on sensitive number
The algorithm and key used according to encryption, this example uses AES encryption algorithm, and key is generated from encrypted volume data key,
Plereme for encryption and decryption is blocks of files, therefore the distinct device of same user can be solved during synchronization
It is close, because the data key of encrypted volume is all identical in distinct device.
The blocks of files of transmission is needed in being calculated first in increment synchronization, if entering after downloading then download this document block to it
Row decryption, is encrypted and then uploads if uploading and reading its blocks of files content.
(4) safety box local cipher volume renewal process.
It is found that high in the clouds Header versions are newer than local under safety box opening or during loading safety box
(high in the clouds is received under such as opening and pushes the message that Header updates), local safety box can enter renewal process.Such as Fig. 4 institutes
Show, including step 401~404.
401st, client obtains high in the clouds Header and corresponding Md5 values to high in the clouds application.
402nd, client calculate from high in the clouds return Header data Md5 values, and judge and from high in the clouds obtain whether
Unanimously, if it is not, then applying retransmitting high in the clouds Header and corresponding Md5 values, return to step 402.If consistent, step 403 is carried out.
403rd, client uses new user cipher solution Header, then compares the encrypted volume included in the Header of high in the clouds big
The small encryption volume size preserved with local data base, it is only user cipher modification that explanation, which updates, if matching, carries out step
404;If mismatch explanation user has carried out dilatation/capacity reducing operation in other equipment to encrypted volume, it can now enter local guarantor
The dilatation of dangerous case/capacity reducing process;Step 404 is carried out after the completion of dilatation/capacity reducing.
404th, the local Header of encrypted volume is updated using new user cipher.
(5) safety box local cipher volume dilatation/capacity reducing process.
Dilatation/capacity reducing process of safety box local cipher volume has two schemes to complete.
Scheme one is operated for dilatation:By changing file system parameter and directly modification encrypted volume file (in backup
Random data is inserted before Header and expands capacity), this scheme need not load encrypted volume file.
Scheme two:This scheme is needed to load encrypted volume file, and dilatation, capacity reducing operation can be used for simultaneously.As shown in figure 5, bag
Include step 501~504.
501st, a new encrypted volume file is created according to high in the clouds Header first and loaded.
502nd, old encrypted volume is loaded.
503rd, the content inside old encrypted volume is replicated or is moved in new encrypted volume after two encrypted volumes are loaded into, is completed
Two encrypted volumes are unloaded afterwards.
504th, delete old encrypted volume file and update the data relevant information inside storehouse simultaneously.
(6) encrypted volume repair process.
(1) repair process when local Header corrupted datas as shown in fig. 6, including step 601~606.
601st, when client calculates encrypted volume file Header and backup Header Md5 values, and find result of calculation and
When the Md5 values that database is preserved are different, judge whether difference of the Header and backup Header Md5 values with preservation;If
Only one of which is different, then into step 602;If both different, into step 604.
602nd, the local repair process of encrypted volume, is Header or backup according to local Md5 multilevel iudges are stored in
Header is damaged (i.e.:It is that a Header or tail Header is damaged), which is exactly which is damaged with the difference preserved;
603rd, unspoiled Header, and the summary key reconsul produced with user cipher and salt figure are untied using user cipher
The Header is newly encrypted, Header is damaged with the Header coverings after encryption.
The local repair process of encrypted volume terminates.
604th, encrypted volume high in the clouds repair process, client obtains high in the clouds Header and corresponding Md5 values to high in the clouds application.
605th, client calculate from high in the clouds return Header data Md5 values, and judge and from high in the clouds obtain whether
Unanimously, if otherwise application retransmits high in the clouds Header and corresponding Md5 values, return to step 605.If consistent, step 606 is carried out.
606th, client unties high in the clouds Header using user cipher, and is added using user cipher and two kinds of new salt figure generations
Key is simultaneously encrypted after Header, and Header and backup Header that local cipher rolls up file are covered each by with the Header of encryption
Data field.
Encrypted volume high in the clouds repair process terminates.
(2) the overall repair process of encrypted volume.
Such case occurs in the case where encrypted volume data field has been damaged, and the reparation of sensitive data here is for synchronous
For successful sensitive data, if just by sensitive data write safety box not etc. synchronously complete immediately destruction encrypted volume file be
The sensitive data can not be recovered.As shown in fig. 7, comprises step 701~703.
701st, it is corresponding Md5 values that client can obtain high in the clouds Header to high in the clouds application.
702nd, client calculate from high in the clouds return Header data Md5 values, and judge and from high in the clouds obtain whether
Unanimously, if otherwise application retransmits high in the clouds Header and corresponding Md5 values, return to step 702.If consistent, step 703 is carried out.
703rd, client uses user cipher solution high in the clouds Header, then prompts the user whether to repair sensitive data, if not
Then loading operation is cancelled;Data assurance case is loaded if selecting to repair, is being locallyd create according to the cleartext information of obtained summary
The encrypted volume file of data field blank;Client using the corresponding encrypted volume file in high in the clouds as new synchronisation source, high in the clouds is sensitive
Data syn-chronization is into the local safety box created, and overall repair process successfully terminates if synchronously completing.
(7) safety box sensitive data delivery process.
Sensitive data is related to when user 1 needs and delivers some sensitive data to user 2 to deliver;In order to ensure sensitive number
It is safe according to the destination of delivery, user 2 must possess safety box, the sensitive data can be sent to the guarantor of the equipment of user 2
In dangerous case.As shown in figure 8, including step 801~808.
801st, user 1 loads the safety box of oneself, and selects sensitive data to be delivered to user 2 by client 1.Client
1 random generation temporary key, encrypts wait after the sensitive data delivered, uploads this document by preparation the step of synchronous sensitive document
To high in the clouds, but now encryption key is temporary key, is not the encryption key of user's sensitive data.
802nd, this encryption file and temporary key are sent to high in the clouds by client 1.
803rd, when the client 2 that user 2 has equipment is connected to high in the clouds, this delivery information of high in the clouds active push;It can also use
Family 2 opens active inquiry after client 2 whether there is such delivery information.
804th, whether the prompting of client 2 user 2 receives, and waits the selection result of user 2;
805th, client 2 returns to the message received to high in the clouds if user 2 selects to receive.
806th, temporary key is sent to user 2 by high in the clouds by way of SMS or mail.
807th, the prompting user 2 of client 2 of user 2 inputs the user cipher of the temporary key and the safety box of user 2.If
All right, the client 2 of user 2 can receive sensitive data to high in the clouds application.
808th, the sensitive data to be delivered after the client 1 of high in the clouds transmission user 1 is encrypted using the temporary key is to use
The client 2 at family 2;Client 2 is decrypted the sensitive data using temporary key and preserved into the safety box of oneself;Delete in last high in the clouds
Except the sensitive data to be delivered.
Embodiment two, a kind of client, as shown in figure 9, including:
Export module 91, for after encrypted volume file is created or after the user cipher of change encrypted volume file, export should
The cleartext information of the summary of encrypted volume file;
Key production module 92, for using user cipher and the summary key of different salt figures generation at least three;
Encrypting module 93, for the derived cleartext information made a summary of different summary key encryption institutes, obtain respectively to
The summary of few three parts of encryptions;
Update module 94, for replacing the local summary of the encrypted volume file and backup respectively with the summaries of two parts of encryptions
Summary;The summary of 3rd part of encryption is synchronized to high in the clouds, the summary of encrypted volume file beyond the clouds is used as.
In a kind of alternative of the present embodiment, described client can also include:
Computing module, the check value of the summary for calculating each encryption respectively using checking algorithm;
Judge module, for the check value using local summary and backup summary judge respectively encrypted volume file summary and
Whether backup summary damages;
The update module 94 is additionally operable to preserve the check value of local summary and backup summary, the check value that high in the clouds is made a summary
It is synchronized to high in the clouds.
The checking algorithm can be, but not limited to as MD5 (Message Digest 5 the 5th edition), can also be sha (secure hash
Algorithm), RIPEMD (raw integrity verification message summary) etc..
In a kind of embodiment of the alternative, described client also includes:
There is one in data recovery module, the summary and backup summary for judging encrypted volume file when the judge module
During damage, unspoiled summary is untied using user cipher, the cleartext information made a summary indicates the key production module 92
Summary key is produced using user cipher and salt figure;Indicate that the encrypting module 93 uses plucking that the key production module is produced
Want the cleartext information of key cryptographic digest again;The summary damaged with the summary covering after encryption.
In a kind of embodiment of the alternative, the data recovery module can be also used for when the judge module is sentenced
When the summary and backup summary of disconnected encrypted volume file are all damaged, high in the clouds summary is obtained;High in the clouds is untied using user cipher to make a summary, and is obtained
To the cleartext information of summary;Indicate that the key production module 92 generates two respectively using the user cipher and two kinds of new salt figures
Summary key;Indicate that two summary keys that the encrypting module 93 is produced using the key production module encrypt gained respectively
The cleartext information of the summary arrived;Encrypted volume document is covered each by with the summary of two parts of encryptions and backup is made a summary.
In a kind of embodiment of the alternative, the data recovery module can be also used for the number when encrypted volume file
When being damaged according to area, the summary of the corresponding encrypted volume file in high in the clouds is obtained;Acquired summary is untied using user cipher, according to
To the cleartext information of summary localling create the encrypted volume file of data field blank;The corresponding encrypted volume file in high in the clouds is loaded to make
For synchronisation source, in the data field that the sensitive data in high in the clouds is synchronized to created local cipher volume file.
In a kind of alternative of the present embodiment, described client also includes:
Creation module, for when creating encrypted volume file, if it is determined that the user account had created encrypted volume file,
High in the clouds summary is then obtained, high in the clouds summary, the cleartext information made a summary are decrypted using user cipher;According to the plaintext of the summary
Information creating encrypted volume file.
Can be in login user account high in the clouds active inquiry whether the user account created encrypted volume file (
Created in other equipment or created excessive because the reasons such as refitting system cause to be not present in this equipment), or create
When go to high in the clouds to be inquired about.
In a kind of alternative of the present embodiment, the update module 94 is additionally operable to when the summary for receiving high in the clouds push updates
During message, or when finding that high in the clouds summary is newer than the version of local summary and backup summary when loading encrypted volume file, obtain cloud
End summary;High in the clouds summary, the cleartext information made a summary are decrypted using newest user cipher;Indicate the key generation mould
Block 92 generates two summary keys using the newest user cipher and different salt figures;Indicate that the encrypting module 93 is used respectively
The two summary keys generated encrypt the cleartext information of the summary, obtain the summary of two encryptions;With two encryption pluck
Local summary and backup summary are updated respectively.
The newest user cipher can be actively entered by user or need used time pop-up dialogue box to require user's input.
In a kind of alternative of the present embodiment, the update module 94 is additionally operable to when the summary for receiving high in the clouds push updates
Positive closing local encrypted volume file when being disconnected during message or with network.
So when an equipment be in it is dangerous in the state of (such as be stolen) when, can be by belonging to same user account
Another equipment on change encrypted volume file user cipher, the encrypted volume file come in the dangerous equipment of positive closing, it is ensured that
Data safety.
In a kind of alternative of the present embodiment, described client also includes:
Sending module, for when needing to deliver sensitive data to user is specified after loading encrypted volume file, using generation
Temporary key encrypt sensitive data to be sent, the sensitive data and temporary key after encryption are sent to high in the clouds;
Receiving module, for when needing to receive sensitive data after loading encrypted volume file, inputting from facing that high in the clouds is obtained
When key after from high in the clouds receive sensitive data;The encrypted volume is stored in after decrypting the sensitive data using the temporary key
In file.
In the alternative, sending module can select delivery service (what file, whom is delivered to), and then high in the clouds is generated
Temporary key, and temporary key can be sent to recipient by way of mobile phone or mail;Debit waiting keeps delivery
After code data, high in the clouds can delete the sensitive data encrypted using temporary key.
In a kind of alternative of the present embodiment, the creation module is additionally operable to create encrypted volume text using initial password
Part;
The export module 91 is additionally operable to after encrypted volume document creation, export initial password summary;The initial password
Summary refers to by the summary after the summary key encryption of the initial password and salt figure generation;
The computing module is additionally operable to calculate the check value of initial password summary using checking algorithm;
The update module 94 is additionally operable to initial password summary and its check value being sent collectively to high in the clouds.
Certainly, the application can also have other various embodiments, ripe in the case of without departing substantially from the application spirit and its essence
Various corresponding changes and deformation, but these corresponding changes and change ought can be made according to the application by knowing those skilled in the art
Shape should all belong to the protection domain of claims hereof.
Claims (20)
1. a kind of data confidentiality storage method, it is characterised in that including:
When create encrypted volume file after or change encrypted volume file user cipher after, export the encrypted volume file summary it is bright
Literary information;
Using user cipher and the summary key of different salt figures generation at least three;
Respectively with the cleartext information of the derived summary of different summary key encryption institutes, at least three parts summaries encrypted are obtained;
Replace the summary and backup summary of the encrypted volume file locally respectively with the summary of two parts of encryptions;3rd part is encrypted
Summary is synchronized to high in the clouds, is used as the summary of encrypted volume file beyond the clouds.
2. the method as described in claim 1, it is characterised in that also include:
Calculate the check value of the summary of each encryption respectively using checking algorithm;The check value of local summary and backup summary is preserved,
The check value that high in the clouds is made a summary is synchronized to high in the clouds;
Whether the summary and backup summary for judging encrypted volume file respectively using the check value of local summary and backup summary damage.
3. method as claimed in claim 2, it is characterised in that also include:
When there is one to damage in the summary and backup summary for judging encrypted volume file, unspoiled pluck is untied using user cipher
Will, the cleartext information made a summary;
The cleartext information of the key re-encrypted summary of making a summary produced using the user cipher and salt figure, with the summary after encryption
Cover the summary damaged.
4. method as claimed in claim 2, it is characterised in that also include:
When the summary and backup summary that judge encrypted volume file are all damaged, high in the clouds summary is obtained;Cloud is untied using user cipher
End summary, the cleartext information made a summary;
Two summary keys, the plaintext of the summary obtained by encrypting respectively are generated respectively using the user cipher and two kinds of new salt figures
Information, obtains the summary of two parts of encryptions, is covered each by encrypted volume document and backup is made a summary.
5. the method as described in claim 1, it is characterised in that also include:
When the data field of encrypted volume file is damaged, the summary of the corresponding encrypted volume file in high in the clouds is obtained;Use user cipher solution
Acquired summary is opened, the encrypted volume file of data field blank is being locallyd create according to the cleartext information of obtained summary;
The corresponding encrypted volume file in high in the clouds is loaded as synchronisation source, the sensitive data in high in the clouds is synchronized to created local cipher
In the data field for rolling up file.
6. the method as described in claim 1, it is characterised in that also include:
When creating encrypted volume file, if it is determined that the miscellaneous equipment of user account had created encrypted volume file, then cloud is obtained
End summary, high in the clouds summary, the cleartext information made a summary are decrypted using user cipher;Created according to the cleartext information of the summary
Encrypted volume file.
7. the method as described in claim 1, it is characterised in that:
Encrypted volume file is created using initial password;
Methods described also includes:
After encrypted volume document creation, export initial password summary calculates the verification of initial password summary using checking algorithm
Value, high in the clouds is sent collectively to by the check value and initial password summary;The initial password summary refers to by described initial close
Summary after the summary key encryption that code and salt figure are generated.
8. the method as described in claim 1, it is characterised in that also include:
Find high in the clouds summary than local summary when receiving the summary new information of high in the clouds push, or when loading encrypted volume file
And backup summary version it is new when, obtain high in the clouds summary;High in the clouds summary is decrypted using newest user cipher, made a summary
Cleartext information;Two summary keys are generated using the newest user cipher and different salt figures;Generated two are used respectively
Key of making a summary encrypts the cleartext information of the summary, obtains the summary of two encryptions;This is updated respectively with the summary of two encryptions
Make a summary and backup summary on ground.
9. the method as described in claim 1, it is characterised in that also include:
Positive closing local encrypted volume text when disconnecting when receiving the summary new information of high in the clouds push or with network
Part.
10. the method as described in claim 1, it is characterised in that also include:
It is pending using the temporary key encryption of generation when needing to deliver sensitive data to user is specified after loading encrypted volume file
The sensitive data sent, high in the clouds is sent to by the sensitive data and temporary key after encryption;
When needing to receive sensitive data after loading encrypted volume file, input after the temporary key obtained from high in the clouds from high in the clouds reception
Sensitive data;It is stored in after decrypting the sensitive data using the temporary key in the encrypted volume file.
11. a kind of client, it is characterised in that including:
Export module, for after encrypted volume file is created or after the user cipher of change encrypted volume file, exporting the encrypted volume
The cleartext information of the summary of file;
Key production module, for using user cipher and the summary key of different salt figures generation at least three;
Encrypting module, for the derived cleartext information made a summary of different summary key encryption institutes, obtaining at least three parts respectively
The summary of encryption;
Update module, for replacing the summary and backup summary of the encrypted volume file locally respectively with the summary of two parts of encryptions;
The summary of 3rd part of encryption is synchronized to high in the clouds, the summary of encrypted volume file beyond the clouds is used as.
12. client as claimed in claim 11, it is characterised in that also include:
Computing module, the check value of the summary for calculating each encryption respectively using checking algorithm;
The update module is additionally operable to preserve the check value of local summary and backup summary, and the check value that high in the clouds is made a summary is synchronized to
High in the clouds;
Judge module, summary and the backup of encrypted volume file are judged for the check value using local summary and backup summary respectively
Whether summary damages.
13. client as claimed in claim 12, it is characterised in that also include:
There is a damage in data recovery module, the summary and backup summary for judging encrypted volume file when the judge module
When, unspoiled summary is untied using user cipher, the cleartext information made a summary;Indicate that the key production module uses use
Family password and salt figure produce summary key;Indicate the summary key reconsul that the encrypting module is produced using the key production module
The cleartext information of new cryptographic digest;The summary damaged with the summary covering after encryption.
14. client as claimed in claim 12, it is characterised in that also include:
Data recovery module, during for judging that the summary and backup summary of encrypted volume file are all damaged when the judge module, is obtained
High in the clouds is taken to make a summary;High in the clouds is untied using user cipher to make a summary, the cleartext information made a summary;Indicate that the key production module makes
Generate two summary keys respectively with the user cipher and two kinds of new salt figures;Indicate that the encrypting module is generated using the key
Two summary keys that module is produced encrypt the cleartext information of resulting summary respectively;It is covered each by with the summary of two parts of encryptions
Encrypted volume document and backup are made a summary.
15. client as claimed in claim 11, it is characterised in that also include:
Data recovery module, for when the data field damage of encrypted volume file, obtaining plucking for the corresponding encrypted volume file in high in the clouds
Will;Acquired summary is untied using user cipher, data field blank is being locallyd create according to the cleartext information of obtained summary
Encrypted volume file;The corresponding encrypted volume file in high in the clouds is loaded as synchronisation source, the sensitive data in high in the clouds is synchronized to and created
Local cipher volume file data field in.
16. client as claimed in claim 11, it is characterised in that also include:
Creation module, for when creating encrypted volume file, if it is determined that the miscellaneous equipment of user account had created encrypted volume
File, then obtain high in the clouds summary, and high in the clouds summary, the cleartext information made a summary are decrypted using user cipher;According to the summary
Cleartext information create encrypted volume file.
17. client as claimed in claim 11, it is characterised in that also include:
Creation module, computing module;
The creation module is used to create encrypted volume file using initial password;
The export module is additionally operable to after encrypted volume document creation, export initial password summary;The initial password is made a summary
Refer to the summary after the summary key encryption generated by the initial password and salt figure;
The computing module is used for the check value that initial password summary is calculated using checking algorithm;
The update module is additionally operable to initial password summary and its check value being sent collectively to high in the clouds.
18. client as claimed in claim 11, it is characterised in that:
The update module is additionally operable to when receiving the summary new information of high in the clouds push, or found when loading encrypted volume file
When high in the clouds summary is newer than the version of local summary and backup summary, high in the clouds summary is obtained;Should using newest user cipher decryption
High in the clouds is made a summary, the cleartext information made a summary;Indicate that the key production module uses the newest user cipher and difference
Salt figure generates two summary keys;Indicate that the encrypting module encrypts the summary with two generated summary keys respectively
Cleartext information, obtains the summary of two encryptions;Local summary and backup summary are updated respectively with the summary of two encryptions.
19. client as claimed in claim 11, it is characterised in that also include:
The update module is additionally operable to when receiving the summary new information of high in the clouds push or forces to close when disconnecting with network
Close local encrypted volume file.
20. client as claimed in claim 11, it is characterised in that also include:
Sending module, for when needing to deliver sensitive data to user is specified after loading encrypted volume file, using facing for generation
When key encrypt sensitive data to be sent, the sensitive data and temporary key after encryption are sent to high in the clouds;
Receiving module, for when load encrypted volume file after need receive sensitive data when, input from high in the clouds obtain it is interim close
After key sensitive data is received from high in the clouds;The encrypted volume file is stored in after decrypting the sensitive data using the temporary key
In.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201310105415.0A CN104079539B (en) | 2013-03-28 | 2013-03-28 | A kind of data confidentiality storage method and client |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201310105415.0A CN104079539B (en) | 2013-03-28 | 2013-03-28 | A kind of data confidentiality storage method and client |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN104079539A CN104079539A (en) | 2014-10-01 |
| CN104079539B true CN104079539B (en) | 2017-09-08 |
Family
ID=51600588
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201310105415.0A Active CN104079539B (en) | 2013-03-28 | 2013-03-28 | A kind of data confidentiality storage method and client |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN104079539B (en) |
Families Citing this family (6)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN107577516B (en) | 2017-07-28 | 2020-08-14 | 华为技术有限公司 | Virtual machine password resetting method, device and system |
| CN107948152B (en) * | 2017-11-23 | 2021-05-14 | 腾讯科技(深圳)有限公司 | Information storage method, information acquisition method, information storage device, information acquisition device and information acquisition equipment |
| CN111723383B (en) * | 2019-03-22 | 2024-03-19 | 阿里巴巴集团控股有限公司 | Data storage and verification method and device |
| CN110119508B (en) * | 2019-03-29 | 2023-03-24 | 腾讯科技(深圳)有限公司 | Chat message filtering method, system and equipment |
| CN110311789B (en) * | 2019-06-28 | 2022-09-13 | 北京创鑫旅程网络技术有限公司 | Data secure transmission method and device |
| CN115664646B (en) * | 2022-09-28 | 2023-09-15 | 成都海泰方圆科技有限公司 | Data backup method and device |
Citations (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101271497A (en) * | 2008-04-30 | 2008-09-24 | 李硕 | Electric document anti-disclosure system and its implementing method |
| CN101655893A (en) * | 2009-10-10 | 2010-02-24 | 郑界涵 | Manufacture method of intelligent blog lock, Blog access control method and system thereof |
| CN102065098A (en) * | 2010-12-31 | 2011-05-18 | 网宿科技股份有限公司 | Method and system for synchronizing data among network nodes |
| CN102291391A (en) * | 2011-07-21 | 2011-12-21 | 西安百盛信息技术有限公司 | Safe transmission method for data in cloud service platform |
| CN102483792A (en) * | 2009-11-23 | 2012-05-30 | 富士通株式会社 | Method and apparatus for sharing documents |
Family Cites Families (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US8229910B2 (en) * | 2007-03-05 | 2012-07-24 | International Business Machines Corporation | Apparatus, system, and method for an inline display of related blog postings |
-
2013
- 2013-03-28 CN CN201310105415.0A patent/CN104079539B/en active Active
Patent Citations (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101271497A (en) * | 2008-04-30 | 2008-09-24 | 李硕 | Electric document anti-disclosure system and its implementing method |
| CN101655893A (en) * | 2009-10-10 | 2010-02-24 | 郑界涵 | Manufacture method of intelligent blog lock, Blog access control method and system thereof |
| CN102483792A (en) * | 2009-11-23 | 2012-05-30 | 富士通株式会社 | Method and apparatus for sharing documents |
| CN102065098A (en) * | 2010-12-31 | 2011-05-18 | 网宿科技股份有限公司 | Method and system for synchronizing data among network nodes |
| CN102291391A (en) * | 2011-07-21 | 2011-12-21 | 西安百盛信息技术有限公司 | Safe transmission method for data in cloud service platform |
Non-Patent Citations (1)
| Title |
|---|
| 《基于虚拟存储的容灾数据备份关键技术研究》;康潇文;《中国优秀硕士学位论文全文数据库》;20100715;第3.3.2-3.3.3节,第4.3.2-4.3.4节、图3.15, 图3.18,图3.19、表4.2 * |
Also Published As
| Publication number | Publication date |
|---|---|
| CN104079539A (en) | 2014-10-01 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN104079539B (en) | A kind of data confidentiality storage method and client | |
| CN1717893B (en) | Device keys | |
| EP3361408B1 (en) | Verifiable version control on authenticated and/or encrypted electronic documents | |
| KR20210061426A (en) | Double-encrypted secret portion allowing assembly of the secret using a subset of the double-encrypted secret portion | |
| CN101589398A (en) | Upgrading a memory card that has security mechanisms that prevent copying of secure content and applications | |
| JP2009087035A (en) | Encryption client device, encryption package distribution system, encryption container distribution system, encryption management server device, solftware module management device and software module management program | |
| US11831753B2 (en) | Secure distributed key management system | |
| CN102882923A (en) | Secure storage system and method for mobile terminal | |
| CN110784463A (en) | File storage and access method and system based on block chain | |
| GB2567146A (en) | Method and system for secure storage of digital data | |
| CN101276624A (en) | Content processing apparatus and encryption processing method | |
| CN111385084A (en) | Key management method and device for digital assets and computer readable storage medium | |
| CN105872848A (en) | Credible two-way authentication method applicable to asymmetric resource environment | |
| US9350736B2 (en) | System and method for isolating mobile data | |
| KR100910075B1 (en) | A data processing apparatus, a method and a recording medium having computer program recorded thereon for processing data | |
| US9460295B2 (en) | Deleting information to maintain security level | |
| EP2676218A1 (en) | Secure management and personalization of unique code signing keys | |
| CN114189337A (en) | Firmware burning method, device, equipment and storage medium | |
| CN101106451B (en) | A data transmission method and device | |
| CN108494724A (en) | Cloud storage encryption system based on more authorized organization's encryption attribute algorithms and method | |
| CN109670338A (en) | A kind of method and system of data whole process encryption | |
| CN110287725B (en) | Equipment, authority control method thereof and computer readable storage medium | |
| CN114584318A (en) | Access control method of certificate and secret key, electronic equipment and storage medium | |
| CN113553611A (en) | File encryption storage method and system, user terminal, cloud platform and storage medium | |
| CN111709047A (en) | Information management system and method thereof |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| C06 | Publication | ||
| PB01 | Publication | ||
| C10 | Entry into substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant | ||
| TR01 | Transfer of patent right | ||
| TR01 | Transfer of patent right |
Effective date of registration: 20211108 Address after: Room 507, floor 5, building 3, No. 969, Wenyi West Road, Wuchang Street, Yuhang District, Hangzhou City, Zhejiang Province Patentee after: ZHEJIANG TMALL TECHNOLOGY Co.,Ltd. Address before: A four-storey 847 mailbox in Grand Cayman Capital Building, British Cayman Islands Patentee before: ALIBABA GROUP HOLDING Ltd. |