CN104348870A - Data management method and system of cloud storage system based on trusted timestamp - Google Patents
- Publication number
- CN104348870A CN201310334945.2A
- Authority
- CN
- China
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0823—Network architectures or network communication protocols for network security for authentication of entities using certificates
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L67/00—Network arrangements or protocols for supporting network services or applications
- H04L67/01—Protocols
- H04L67/10—Protocols in which an application is distributed across nodes in the network
Abstract
An embodiment of the invention provides a data management method and system for a cloud storage system based on a trusted timestamp. The method mainly includes the following steps: the cloud storage system receives a data processing request that is sent by a user client and carries a trusted timestamp signed with a TSA certificate; the cloud storage system verifies the trusted timestamp and the TSA certificate, and after both pass verification, the cloud storage system accepts the data processing request and the user client executes the data operation instruction corresponding to the data processing request. With the third-party trusted timestamp, the cloud storage system can effectively manage and audit user data and can verify, record and file the user's data operation records, so that the security of user operations and the authenticity of the data in cloud storage are guaranteed, and the user's data security is ensured without increasing the complexity of the cloud storage system's service procedure.
Description
Technical field
The present invention relates to the technical field of data management, and in particular to a data management method and system for a cloud storage system based on a trusted timestamp.
Background art
Cloud storage is a concept extended from cloud computing. It refers to a system in which a large number of storage devices of different types in a network are brought together by application software to work cooperatively, through functions such as cluster applications, grid technology or distributed file systems, and jointly provide data storage and service access functions externally. The core of cloud storage is the storage and management of large volumes of data. By providing multiple types of interfaces, a cloud storage system can offer users different types of application services, such as network hard disks, remote data backup application platforms, and IPTV and video-on-demand application platforms. At the same time, users of cloud storage can use multiple kinds of user equipment, such as PCs, mobile phones and mobile multimedia devices, to centrally store and share content such as data, documents, pictures, video and audio.
However, cloud storage systems also have data security problems. On the server side of a cloud storage system, because a large amount of data is stored on the servers, present-stage technology cannot encrypt all of the data with a private key. Because cloud storage systems are generally deployed on the Internet and need to open specific ports for user access, while also storing a large amount of user data, they very easily become targets for hackers. When a cloud storage system is intruded upon, dangerous situations such as leakage of or tampering with user data will occur, so the security of the servers is crucial.
On the user side of a cloud storage system, current user terminals commonly use a simple authentication method: login authentication with an account and password, transmitted in plaintext. Obviously, this mechanism has security problems: a password transmitted in plaintext may be maliciously intercepted or even tampered with. Under this mechanism, the cloud storage system cannot audit and record the user's data operation records.
Therefore, developing a method that ensures the security of data communication between user equipment and the cloud storage system is a problem that urgently needs to be solved.
Summary of the invention
Embodiments of the present invention provide a data management method and system for a cloud storage system based on a trusted timestamp, so as to ensure the security of data communication between user equipment and the cloud storage system and to audit the user's data operation records.
A data management method for a cloud storage system based on a trusted timestamp comprises:
The cloud storage system receives a data processing request that is sent by a user terminal and carries a trusted timestamp, the trusted timestamp being signed with the certificate of an authoritative trusted time stamping authority (TSA);
The cloud storage system verifies the trusted timestamp and the TSA certificate; after the trusted timestamp and the TSA certificate pass verification, the cloud storage system accepts the data processing request, and the user terminal executes the data operation instruction corresponding to the data processing request.
Before the cloud storage system receives the data processing request that is sent by the user terminal and carries the trusted timestamp, the method comprises:
The user terminal generates a digest value of the data operation instruction corresponding to the data processing request, and encapsulates the digest value according to the timestamp request message format;
A Secure Sockets Layer (SSL) secure channel is established between the TSA and the user terminal using the digital certificate of the user terminal;
The user terminal sends a timestamp request message carrying the encapsulated digest value to the TSA through the SSL secure channel;
The TSA checks the legitimacy of the timestamp request message; after the check passes, the TSA generates the timestamp corresponding to the digest value, signs the timestamp with the TSA certificate, and sends the signed timestamp to the user terminal through the SSL secure channel.
Establishing the SSL secure channel between the TSA and the user terminal using the digital certificate of the user terminal comprises:
The user terminal sends a connection request carrying the user's public key infrastructure (PKI) digital certificate to the TSA; after receiving the connection request, the TSA sends a certificate verification request carrying the PKI digital certificate to a Lightweight Directory Access Protocol (LDAP) directory server;
After receiving the certificate verification request, the LDAP directory server obtains the unique identifier, validity period and extension items of the PKI digital certificate; the LDAP directory server verifies whether the validity period of the PKI certificate has expired, verifies whether the PKI certificate was issued by the designated certification authority (CA), and verifies whether the unique identifier and extension items of the PKI certificate are valid;
After all verifications of the PKI digital certificate pass, the LDAP directory server sends a verification-passed notice to the TSA; if not all verifications of the PKI digital certificate pass, it sends a verification-failed notice to the TSA.
After the TSA receives the verification-passed notice sent by the LDAP directory server, an SSL secure channel for transmitting data is established between the TSA and the user terminal using the PKI certificate.
After the cloud storage system receives the data processing request, verifying the trusted timestamp and the TSA certificate comprises:
After receiving the data processing request, the cloud storage system obtains the timestamp and the TSA certificate carried in the data processing request;
The cloud storage system sends the TSA certificate to an LDAP server, and the LDAP server verifies the validity of the TSA certificate; after the TSA certificate passes validity verification, the LDAP server sends a message to the cloud storage system indicating that the TSA certificate passed validity verification;
After receiving the message indicating that the TSA certificate passed validity verification, the cloud storage system sends the timestamp to the TSA, and the TSA verifies the validity of the timestamp; after the timestamp passes validity verification, the TSA sends a message to the cloud storage system indicating that the timestamp passed validity verification.
The cloud storage system accepting the data processing request and the user terminal executing the data operation instruction corresponding to the data processing request comprises:
The cloud storage system accepts the data processing request and sends a data processing response to the user terminal; after receiving the data processing response, the user terminal executes the data operation instruction corresponding to the data processing request, the data operation instruction comprising at least one of data upload, download, query, modification or deletion;
The cloud storage system stores the data operation record of the user terminal together with the corresponding timestamp.
A data management system for a cloud storage system based on a trusted timestamp comprises a user terminal and a cloud storage system.
The user terminal is configured to send a data processing request carrying a trusted timestamp to the cloud storage system, the trusted timestamp being signed with the certificate of an authoritative trusted time stamping authority (TSA), and, after the cloud storage system accepts the data processing request, to execute the data operation instruction corresponding to the data processing request;
The cloud storage system is configured to, after receiving the data processing request that is sent by the user terminal and carries the trusted timestamp, verify the trusted timestamp and the TSA certificate, and to accept the data processing request after the trusted timestamp and the TSA certificate pass verification.
The system further comprises a TSA.
The user terminal is specifically configured to generate a digest value of the data operation instruction corresponding to the data processing request and encapsulate the digest value according to the timestamp request message format; to establish a Secure Sockets Layer (SSL) secure channel between the TSA and the user terminal using the digital certificate of the user terminal; and to send a timestamp request message carrying the encapsulated digest value to the TSA through the SSL secure channel;
The TSA is specifically configured to check the legitimacy of the timestamp request message and, after the check passes, to generate the timestamp corresponding to the digest value, sign the timestamp with the TSA certificate, and send the signed timestamp to the user terminal through the SSL secure channel.
The system further comprises an LDAP directory server:
The user terminal is specifically configured to send a connection request carrying the user's PKI digital certificate to the TSA;
The TSA is configured to, after receiving the connection request, send a certificate verification request carrying the PKI digital certificate to the LDAP directory server;
The LDAP directory server is configured to, after receiving the certificate verification request, obtain the unique identifier, validity period and extension items of the PKI digital certificate, verify whether the validity period of the PKI certificate has expired, verify whether the PKI certificate was issued by the designated certification authority (CA), and verify whether the unique identifier and extension items of the PKI certificate are valid;
After all verifications of the PKI digital certificate pass, it sends a verification-passed notice to the TSA; if not all verifications of the PKI digital certificate pass, it sends a verification-failed notice to the TSA.
The TSA is configured to, after receiving the verification-passed notice sent by the LDAP directory server, establish an SSL secure channel for transmitting data between the TSA and the user terminal using the PKI certificate.
The cloud storage system is configured to, after receiving the data processing request, obtain the timestamp and the TSA certificate carried in the data processing request, and to send the TSA certificate to an LDAP server;
The LDAP server is specifically configured to verify the validity of the TSA certificate and, after the TSA certificate passes validity verification, to send a message to the cloud storage system indicating that the TSA certificate passed validity verification;
The cloud storage system is specifically configured to send the timestamp to the TSA after receiving the message indicating that the TSA certificate passed validity verification;
The TSA is specifically configured to verify the validity of the timestamp and, after the timestamp passes validity verification, to send a message to the cloud storage system indicating that the timestamp passed validity verification.
The cloud storage system is specifically configured to accept the data processing request and send a data processing response to the user terminal, and to store the data operation record of the user terminal together with the corresponding timestamp;
The user terminal is configured to, after receiving the data processing response, execute the data operation instruction corresponding to the data processing request, the data operation instruction comprising at least one of data upload, download, query, modification or deletion.
As can be seen from the technical solution provided by the above embodiments of the invention, the cloud storage system communicates with the TSA to verify the validity of user operations. With the third-party trusted timestamp, the cloud storage system can effectively manage and audit user data and can review, record and file the user's data operation records. This guarantees the security of user operations and the authenticity of the data in cloud storage, ensures the user's data security without increasing the complexity of the cloud storage system's service procedure, and effectively supplements and optimizes the security management of the cloud storage system.
Brief description of the drawings
To illustrate the technical solutions of the embodiments of the present invention more clearly, the accompanying drawings needed in the description of the embodiments are briefly introduced below. Obviously, the drawings described below are only some embodiments of the present invention; those of ordinary skill in the art can obtain other drawings from these drawings without creative effort.
Fig. 1 is a schematic diagram of the implementation principle of a data management method for a cloud storage system based on a trusted timestamp, provided by Embodiment one of the present invention;
Fig. 2 is a processing flowchart of the data management method for a cloud storage system based on a trusted timestamp, provided by Embodiment one of the present invention;
Fig. 3 is a schematic structural diagram of a system 300 for realizing data communication security of a cloud storage system based on PKI, provided by Embodiment three of the present invention; the figure shows user terminal 310, cloud storage system 320, TSA 330 and LDAP directory server 340.
Detailed description of the embodiments
To facilitate understanding of the embodiments of the present invention, several specific embodiments are further explained below with reference to the accompanying drawings; none of these embodiments limits the embodiments of the present invention.
A trusted timestamp is an electronic credential, timed by the national time service center and issued by a TSA (Time Stamp Authority, authoritative trusted time stamping authority), that can validly prove that an electronic message (electronic file) existed at a given point in time, is complete, is verifiable, and has legal effect. No organization, including the TSA itself, can modify the time, which guarantees the authority of the time. Trusted timestamps are mainly used for tamper resistance and non-repudiation of electronic files and for determining the exact time at which an electronic file was produced. Trusted timestamps are now widely used in fields such as e-commerce, electronic government documents, intellectual property and health care to secure the legal effect of electronic data files.
PKI (Public Key Infrastructure) is a system that uses public key technology and digital certificates to ensure the security of system information and is responsible for verifying the identity of digital certificate holders; it is widely used in fields such as online banking, e-commerce and e-government. A complete PKI system consists of parts such as the CA (Certification Authority), KMC, registration authority, directory service, security authentication application software and certificate application service, among which the CA occupies the core position in the PKI system.
An LDAP (Lightweight Directory Access Protocol) directory server is used to store the various attributes and information of objects. LDAP defines a protocol for publishing directory information to many different resources, so that applications can obtain the corresponding information from the directory server through a standard interface. In a PKI platform, the LDAP directory server is mainly used to publish certificate information and the CRL (Certificate Revocation List); through this directory server, application systems can query a user's certificate information and certificate status.
Embodiment one
This embodiment provides a data management method for a cloud storage system based on a trusted timestamp. Its implementation principle is shown in Fig. 1 and its specific processing flow is shown in Fig. 2; it comprises the following processing steps:
Step S210: an SSL (Secure Sockets Layer) secure channel is established between the TSA and the user terminal using the digital certificate of the user terminal.
The user terminal initiates to the TSA a connection request carrying the user's PKI digital certificate; the PKI digital certificate carries content such as the certificate DN (Distinguished Name, the unique identifier), the validity period and extension items. After receiving the connection request, the TSA obtains the PKI digital certificate carried in the connection request and sends a certificate verification request carrying the PKI digital certificate to the LDAP directory server.
After receiving the certificate verification request, the LDAP directory server obtains the unique identifier, validity period and extension items of the PKI digital certificate. The LDAP directory server verifies whether the validity period of the PKI certificate has expired, verifies whether the PKI certificate was issued by the designated CA, and verifies whether the unique identifier and extension items of the PKI certificate are valid;
After all verifications of the PKI digital certificate pass, the LDAP directory server sends a verification-passed notice to the TSA; if not all verifications of the PKI digital certificate pass, it sends a verification-failed notice to the TSA.
After the TSA receives the verification-passed notice, an SSL secure channel for transmitting data is established between the TSA and the user terminal using the PKI certificate.
After receiving the verification-failed notice, the TSA rejects the connection request of the user terminal.
Those skilled in the art will understand that the SSL secure channel is only an example of an application type; other existing or future types of secure data transmission channel, where applicable to the embodiments of the present invention, shall also fall within the scope of protection of the present invention and are incorporated herein by reference.
Step S220: the user terminal sends a timestamp request message carrying the encapsulated digest value to the TSA through the SSL secure channel, and the TSA sends the signed timestamp to the user terminal through the SSL secure channel.
The user terminal generates a digest value of the data operation instruction corresponding to the data processing request and encapsulates the digest value according to the timestamp request message format. The data operation instruction may comprise at least one of data upload, download, query, modification or deletion. The user terminal sends the timestamp request message carrying the encapsulated digest value to the TSA through the SSL secure channel.
After receiving the timestamp request message, the TSA checks the legitimacy of the timestamp request message. After the legitimacy check passes, the TSA generates the timestamp corresponding to the digest value, signs the timestamp with the TSA certificate, and sends the signed timestamp to the user terminal through the SSL secure channel. If the legitimacy check of the timestamp request message fails, the TSA rejects the timestamp request message of the user terminal.
Step S230: the user terminal sends a data processing request carrying the trusted timestamp to the cloud storage system, the trusted timestamp being signed with the certificate of the authoritative trusted time stamping authority (TSA).
Step S240: the cloud storage system verifies the trusted timestamp and the TSA certificate.
After receiving the data processing request, the cloud storage system obtains the timestamp and the TSA certificate carried in the data processing request.
The cloud storage system sends the TSA certificate to the LDAP server, and the LDAP server verifies the validity of the TSA certificate. After the TSA certificate passes validity verification, the LDAP server sends a message to the cloud storage system indicating that the TSA certificate passed validity verification. If the TSA certificate fails validity verification, the LDAP server sends a message to the cloud storage system indicating that the TSA certificate failed validity verification, and the cloud storage system rejects the data processing request of the user terminal.
After receiving the message indicating that the TSA certificate passed validity verification, the cloud storage system sends the timestamp to the TSA, and the TSA verifies the validity of the timestamp. After the timestamp passes validity verification, the TSA sends a message to the cloud storage system indicating that the timestamp passed validity verification.
If the timestamp fails validity verification, the TSA sends a message to the cloud storage system indicating that the timestamp failed validity verification, and the cloud storage system rejects the data processing request of the user terminal.
Step S250: after the trusted timestamp and the TSA certificate pass verification, the cloud storage system accepts the data processing request, and the user terminal executes the data operation instruction corresponding to the data processing request.
The cloud storage system accepts the data processing request and sends a data processing response to the user terminal; after receiving the data processing response, the user terminal executes the data operation instruction corresponding to the data processing request, the data operation instruction comprising at least one of data upload, download, query, modification or deletion;
The cloud storage system stores the data operation record of the user terminal together with the corresponding timestamp.
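The exchange in steps S220 to S250, as an added Python example that is not part of the patent text: the user terminal digests the operation instruction, the TSA issues a signed timestamp, and the cloud storage system checks the TSA certificate with the directory and the timestamp with the TSA before accepting and recording the operation. Assumptions: an HMAC under a TSA-held key stands in for the signature made with the TSA certificate, a dictionary stands in for the LDAP directory server, all names, keys and dates are constructed, and the check that the timestamp's digest matches the submitted instruction is an added step the text does not spell out.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed sample data: every DN, key and date below is hypothetical.
DESIGNATED_CA = "CN=Example Root CA"
NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)
DIRECTORY = {  # stands in for the LDAP directory server's certificate records
    "CN=Example TSA": {"issuer": DESIGNATED_CA, "revoked": False,
                       "not_after": datetime(2030, 1, 1, tzinfo=timezone.utc)},
    "CN=Expired TSA": {"issuer": DESIGNATED_CA, "revoked": False,
                       "not_after": datetime(2020, 1, 1, tzinfo=timezone.utc)},
}


def directory_check(cert_dn, now):
    """Directory-side check: known DN, designated CA, not expired, not revoked."""
    rec = DIRECTORY.get(cert_dn)
    return bool(rec and rec["issuer"] == DESIGNATED_CA
                and now <= rec["not_after"] and not rec["revoked"])


def instruction_digest(instruction):
    """Digest value of the data operation instruction (canonical JSON, SHA-256)."""
    canonical = json.dumps(instruction, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


class TSA:
    """Issues and later re-verifies timestamps; HMAC replaces the certificate signature."""

    def __init__(self, cert_dn, key):
        self.cert_dn, self._key = cert_dn, key

    def _sign(self, digest, gen_time):
        msg = f"{self.cert_dn}|{digest}|{gen_time}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def issue(self, ts_request, now):
        digest = ts_request.get("digest", "")
        # Legitimacy check of the timestamp request before anything is signed.
        if (ts_request.get("hash_alg") != "sha256" or len(digest) != 64
                or any(c not in "0123456789abcdef" for c in digest)):
            raise ValueError("malformed timestamp request")
        gen_time = now.isoformat()
        return {"digest": digest, "gen_time": gen_time, "tsa_cert": self.cert_dn,
                "signature": self._sign(digest, gen_time)}

    def verify(self, token):
        expected = self._sign(token.get("digest", ""), token.get("gen_time", ""))
        return hmac.compare_digest(expected, token.get("signature", ""))


class CloudStorage:
    def __init__(self, tsas):
        self.tsas = {t.cert_dn: t for t in tsas}
        self.audit_log = []  # data operation records stored with their timestamps

    def handle(self, request, now):
        token = request["timestamp"]
        cert_dn = token["tsa_cert"]
        # S240, first half: the directory decides whether the TSA certificate is valid.
        if cert_dn not in self.tsas or not directory_check(cert_dn, now):
            return False, "TSA certificate rejected"
        # S240, second half: the TSA itself decides whether the timestamp is valid.
        if not self.tsas[cert_dn].verify(token):
            return False, "timestamp rejected by TSA"
        # Added assumption: bind the timestamp to the instruction actually submitted.
        if instruction_digest(request["instruction"]) != token["digest"]:
            return False, "timestamp does not cover this instruction"
        # S250: accept, and store the operation record with its timestamp.
        self.audit_log.append({"instruction": request["instruction"], "timestamp": token})
        return True, "accepted"


def client_request(instruction, tsa, now):
    """S220/S230: obtain a timestamp over the digest, then build the request."""
    ts_request = {"hash_alg": "sha256", "digest": instruction_digest(instruction)}
    return {"instruction": instruction, "timestamp": tsa.issue(ts_request, now)}


def run_demo():
    tsa = TSA("CN=Example TSA", b"constructed-tsa-key")
    old = TSA("CN=Expired TSA", b"constructed-old-key")
    cloud = CloudStorage([tsa, old])
    op = {"user": "alice", "op": "delete", "path": "/docs/report.pdf"}
    good = client_request(op, tsa, NOW)
    swapped = dict(good, instruction=dict(op, path="/docs/other.pdf"))
    altered = dict(good, timestamp=dict(good["timestamp"],
                                        gen_time="2023-01-01T00:00:00+00:00"))
    expired = client_request(op, old, NOW)
    cases = [("good", good), ("swapped", swapped),
             ("altered", altered), ("expired", expired)]
    return {name: cloud.handle(req, NOW) for name, req in cases}, cloud.audit_log


if __name__ == "__main__":
    for name, outcome in run_demo()[0].items():
        print(name, outcome)
```

Only the unmodified request reaches the audit log; the other three are rejected at the directory check, the TSA check or the digest comparison respectively.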
Embodiment two
This embodiment provides a data management system for a cloud storage system based on a trusted timestamp. Its structure is shown schematically in Fig. 3, and it comprises a user terminal, a cloud storage system, a TSA and an LDAP directory server.
The user terminal is configured to send a data processing request carrying a trusted timestamp to the cloud storage system, the trusted timestamp being signed with the certificate of the authoritative trusted time stamping authority (TSA), and, after the cloud storage system accepts the data processing request, to execute the data operation instruction corresponding to the data processing request;
The cloud storage system is configured to, after receiving the data processing request that is sent by the user terminal and carries the trusted timestamp, verify the trusted timestamp and the TSA certificate, and to accept the data processing request after the trusted timestamp and the TSA certificate pass verification.
Specifically, the user terminal is configured to generate a digest value of the data operation instruction corresponding to the data processing request and encapsulate the digest value according to the timestamp request message format; to establish an SSL secure channel between the TSA and the user terminal using the digital certificate of the user terminal; and to send a timestamp request message carrying the encapsulated digest value to the TSA through the SSL secure channel;
The TSA is specifically configured to check the legitimacy of the timestamp request message and, after the check passes, to generate the timestamp corresponding to the digest value, sign the timestamp with the TSA certificate, and send the signed timestamp to the user terminal through the SSL secure channel.
Specifically, the user terminal is configured to send a connection request carrying the user's PKI digital certificate to the TSA;
The TSA is configured to, after receiving the connection request, send a certificate verification request carrying the PKI digital certificate to the LDAP directory server;
The LDAP directory server is configured to, after receiving the certificate verification request, obtain the unique identifier, validity period and extension items of the PKI digital certificate, verify whether the validity period of the PKI certificate has expired, verify whether the PKI certificate was issued by the designated certification authority (CA), and verify whether the unique identifier and extension items of the PKI certificate are valid;
After all verifications of the PKI digital certificate pass, it sends a verification-passed notice to the TSA; if not all verifications of the PKI digital certificate pass, it sends a verification-failed notice to the TSA.
The TSA is configured to, after receiving the verification-passed notice sent by the LDAP directory server, establish an SSL secure channel for transmitting data between the TSA and the user terminal using the PKI certificate.
Specifically, the cloud storage system is configured to, after receiving the data processing request, obtain the timestamp and the TSA certificate carried in the data processing request, and to send the TSA certificate to the LDAP server;
The LDAP server is specifically configured to verify the validity of the TSA certificate and, after the TSA certificate passes validity verification, to send a message to the cloud storage system indicating that the TSA certificate passed validity verification;
The cloud storage system is specifically configured to send the timestamp to the TSA after receiving the message indicating that the TSA certificate passed validity verification;
The TSA is specifically configured to verify the validity of the timestamp and, after the timestamp passes validity verification, to send a message to the cloud storage system indicating that the timestamp passed validity verification.
Specifically, the cloud storage system is configured to accept the data processing request and send a data processing response to the user terminal, and to store the data operation record of the user terminal together with the corresponding timestamp;
The user terminal is configured to, after receiving the data processing response, execute the data operation instruction corresponding to the data processing request, the data operation instruction comprising at least one of data upload, download, query, modification or deletion.
The detailed process of data management for a cloud storage system based on a trusted timestamp using the system of this embodiment is similar to that of the preceding method embodiment and is not repeated here.
In summary, in the embodiments of the present invention the cloud storage system communicates with the TSA to verify the validity of user operations. With the third-party trusted timestamp, the cloud storage system can effectively manage and audit user data, and can review the data operation records of users and keep them on file, which ensures the security of user operations and the authenticity of the data held in cloud storage. User data security is ensured without increasing the complexity of the cloud storage system's service flow, making this an effective supplement to and optimization of the security management of the cloud storage system.
The embodiments of the present invention can use the third-party trusted timestamp records as credible electronic evidence, so that users' data operation records can serve later services such as security auditing and judicial forensics.
The embodiments of the present invention manage and audit operations on user data, mainly upload, download, query and deletion. The added workload lies mainly in the exchange between the user and the TSA; for the cloud storage system, only the step of verifying the user operation information is added, and no other extra operations are introduced. This is particularly important for cloud storage systems with high daily traffic and frequent data operations: the workload does not increase much, while the security of data management is further improved.
Those of ordinary skill in the art will understand that the accompanying drawing is a schematic diagram of one embodiment, and that the modules or flows in the drawing are not necessarily required to implement the present invention.
From the above description of the embodiments, those skilled in the art can clearly understand that the present invention can be implemented by software plus the necessary general-purpose hardware platform. Based on this understanding, the technical solution of the present invention, in essence or in the part that contributes over the prior art, can be embodied in the form of a software product. The computer software product can be stored in a storage medium such as ROM/RAM, a magnetic disk or an optical disc, and includes a number of instructions that cause a computer device (which may be a personal computer, a server, a network device or the like) to perform the methods described in the embodiments of the present invention or in certain parts of the embodiments.
The embodiments in this specification are described progressively; for identical or similar parts the embodiments may be referred to one another, and each embodiment focuses on its differences from the others. In particular, the device and system embodiments are described relatively briefly because they are substantially similar to the method embodiments; for the relevant parts, see the description of the method embodiments. The device and system embodiments described above are only schematic: units described as separate components may or may not be physically separate, and components shown as units may or may not be physical units, that is, they may be located in one place or distributed over multiple network elements. Some or all of the modules may be selected according to actual needs to achieve the purpose of the embodiment. Those of ordinary skill in the art can understand and implement this without creative effort.
The above is only a preferred embodiment of the present invention, but the scope of protection of the present invention is not limited to it. Any change or replacement that a person skilled in the art could readily conceive within the technical scope disclosed by the present invention shall fall within the scope of protection of the present invention. The scope of protection of the present invention shall therefore be determined by the scope of protection of the claims.
Claims (10)
1. A data management method for a cloud storage system based on a trusted timestamp, characterized by comprising:
A cloud storage system receives a data processing request that is sent by a user terminal and carries a trusted timestamp, the trusted timestamp being signed with the certificate of an authoritative trusted Time Stamping Authority (TSA);
The cloud storage system verifies the trusted timestamp and the TSA certificate; after the trusted timestamp and the TSA certificate pass verification, the cloud storage system accepts the data processing request, and the user terminal executes the data operation instruction corresponding to the data processing request.
2. The data management method for a cloud storage system based on a trusted timestamp according to claim 1, characterized in that, before the cloud storage system receives the data processing request that is sent by the user terminal and carries the trusted timestamp, the method comprises:
The user terminal generates a digest value of the data operation instruction corresponding to the data processing request and encapsulates the digest value according to the timestamp request message format;
A Secure Sockets Layer (SSL) secure channel is established between the TSA and the user terminal using the digital certificate of the user terminal;
The user terminal sends the timestamp request message carrying the encapsulated digest value to the TSA over the SSL secure channel;
The TSA checks the legitimacy of the timestamp request message; after the check passes, the TSA generates the timestamp corresponding to the digest value, signs the timestamp with the certificate of the TSA, and sends the signed timestamp to the user terminal over the SSL secure channel.
3. The data management method for a cloud storage system based on a trusted timestamp according to claim 2, characterized in that establishing the SSL secure channel between the TSA and the user terminal using the digital certificate of the user terminal comprises:
The user terminal sends a connection request carrying the user's public key infrastructure (PKI) digital certificate to the TSA; after receiving the connection request, the TSA sends a certificate verification request carrying the PKI digital certificate to a Lightweight Directory Access Protocol (LDAP) directory server;
After receiving the certificate verification request, the LDAP directory server obtains the unique identifier, validity period and extension options of the PKI digital certificate; the LDAP directory server verifies whether the validity period of the PKI certificate has expired, verifies whether the PKI certificate was issued by the designated certification authority (CA), and verifies whether the unique identifier and extension options of the PKI certificate are valid;
After the PKI digital certificate passes all of the verifications, the LDAP directory server sends a verification-passed notification to the TSA; if the PKI digital certificate does not pass all of the verifications, it sends a verification-failed notification to the TSA.
After the TSA receives the verification-passed notification sent by the LDAP directory server, an SSL secure channel for transmitting data is established between the TSA and the user terminal using the PKI certificate.
4. The data management method for a cloud storage system based on a trusted timestamp according to claim 1, 2 or 3, characterized in that verifying the trusted timestamp and the TSA certificate after the cloud storage system receives the data processing request comprises:
After receiving the data processing request, the cloud storage system obtains the timestamp and the TSA certificate carried in the data processing request;
The cloud storage system sends the TSA certificate to an LDAP server, and the LDAP server verifies the validity of the TSA certificate; after the TSA certificate passes validity verification, the LDAP server sends a TSA certificate validity verification passed message to the cloud storage system;
After receiving the TSA certificate validity verification passed message, the cloud storage system sends the timestamp to the TSA, and the TSA verifies the validity of the timestamp; after the timestamp passes validity verification, the TSA sends a timestamp validity verification passed message to the cloud storage system.
5. The data management method for a cloud storage system based on a trusted timestamp according to claim 4, characterized in that the cloud storage system accepting the data processing request and the user terminal executing the data operation instruction corresponding to the data processing request comprises:
The cloud storage system accepts the data processing request and sends a data processing response to the user terminal; after receiving the data processing response, the user terminal executes the data operation instruction corresponding to the data processing request, the data operation instruction comprising at least one of data upload, download, query, modification or deletion;
The cloud storage system stores the data operation record of the user terminal together with the corresponding timestamp.
6. A data management system for a cloud storage system based on a trusted timestamp, characterized by comprising a user terminal and a cloud storage system,
The user terminal is configured to send a data processing request carrying a trusted timestamp to the cloud storage system, the trusted timestamp being signed with the certificate of an authoritative trusted Time Stamping Authority (TSA), and, after the cloud storage system accepts the data processing request, to execute the data operation instruction corresponding to the data processing request;
The cloud storage system is configured to verify the trusted timestamp and the TSA certificate after receiving the data processing request that is sent by the user terminal and carries the trusted timestamp, and to accept the data processing request after the trusted timestamp and the TSA certificate pass verification.
7. The data management system for a cloud storage system based on a trusted timestamp according to claim 6, characterized in that the system further comprises a TSA,
The user terminal is specifically configured to generate a digest value of the data operation instruction corresponding to the data processing request and encapsulate the digest value according to the timestamp request message format; to establish a Secure Sockets Layer (SSL) secure channel between the TSA and the user terminal using the digital certificate of the user terminal; and to send the timestamp request message carrying the encapsulated digest value to the TSA over the SSL secure channel;
The TSA is specifically configured to check the legitimacy of the timestamp request message and, after the check passes, to generate the timestamp corresponding to the digest value, sign the timestamp with the certificate of the TSA, and send the signed timestamp to the user terminal over the SSL secure channel.
8. The data management system for a cloud storage system based on a trusted timestamp according to claim 7, characterized in that the system further comprises an LDAP directory server:
The user terminal is specifically configured to send a connection request carrying the user's PKI digital certificate to the TSA;
The TSA is configured to send, after receiving the connection request, a certificate verification request carrying the PKI digital certificate to the LDAP directory server;
The LDAP directory server is configured to obtain, after receiving the certificate verification request, the unique identifier, validity period and extension options of the PKI digital certificate, to verify whether the validity period of the PKI certificate has expired, to verify whether the PKI certificate was issued by the designated certification authority (CA), and to verify whether the unique identifier and extension options of the PKI certificate are valid;
After the PKI digital certificate passes all of the verifications, it sends a verification-passed notification to the TSA; if the PKI digital certificate does not pass all of the verifications, it sends a verification-failed notification to the TSA.
The TSA is configured to establish, after receiving the verification-passed notification sent by the LDAP directory server, an SSL secure channel for transmitting data between the TSA and the user terminal using the PKI certificate.
9. The data management system for a cloud storage system based on a trusted timestamp according to claim 6, 7 or 8, characterized in that:
The cloud storage system is configured to obtain, after receiving the data processing request, the timestamp and the TSA certificate carried in the data processing request, and to send the TSA certificate to an LDAP server;
The LDAP server is specifically configured to verify the validity of the TSA certificate and, after the TSA certificate passes validity verification, to send a TSA certificate validity verification passed message to the cloud storage system;
The cloud storage system is specifically configured to send the timestamp to the TSA after receiving the TSA certificate validity verification passed message;
The TSA is specifically configured to verify the validity of the timestamp and, after the timestamp passes validity verification, to send a timestamp validity verification passed message to the cloud storage system.
10. The data management system for a cloud storage system based on a trusted timestamp according to claim 9, characterized in that:
The cloud storage system is specifically configured to accept the data processing request and send a data processing response to the user terminal, and to store the data operation record of the user terminal together with the corresponding timestamp;
The user terminal is configured to execute, after receiving the data processing response, the data operation instruction corresponding to the data processing request, the data operation instruction comprising at least one of data upload, download, query, modification or deletion.
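The request flow of claims 1, 2, 4 and 5, as an added Python example that is not part of the patent text: the user terminal digests the operation instruction, the TSA timestamps it, and the cloud storage system consults the directory and the TSA before accepting and recording the operation. Assumptions: an HMAC under a TSA-held key stands in for the TSA certificate signature, the `Directory` class stands in for the LDAP server, the digest-binding and reuse checks in `CloudStorage.handle` are additions beyond the claims, and all names, keys and certificate fields are constructed.

```python
import hashlib, hmac, json
from datetime import datetime, timedelta, timezone

NOW = datetime(2013, 8, 2, 12, 0, tzinfo=timezone.utc)  # fixed clock, constructed

def digest(instruction):
    """Digest value of the data operation instruction (claim 2)."""
    return hashlib.sha256(json.dumps(instruction, sort_keys=True).encode()).hexdigest()

class Directory:
    """Stand-in for the LDAP server that judges certificate validity (claims 3, 4)."""
    def __init__(self, designated_ca, known_ids):
        self.designated_ca, self.known_ids = designated_ca, set(known_ids)

    def cert_valid(self, cert, now=NOW):
        return (cert["not_before"] <= now <= cert["not_after"]  # validity period
                and cert["issuer"] == self.designated_ca         # designated CA
                and cert["id"] in self.known_ids)                # unique identifier

class TSA:
    """Issues timestamps and re-validates them for the cloud storage system.
    Assumption: an HMAC under a TSA-held key replaces the certificate signature."""
    def __init__(self, cert, key):
        self.cert, self._key, self._serial = cert, key, 0

    def _sign(self, body):
        msg = json.dumps(body, sort_keys=True).encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def issue(self, digest_hex, now=NOW):
        self._serial += 1
        body = {"digest": digest_hex, "time": now.isoformat(),
                "serial": self._serial, "tsa": self.cert["id"]}
        return {**body, "sig": self._sign(body)}

    def validate(self, token):
        body = {k: v for k, v in token.items() if k != "sig"}
        return hmac.compare_digest(self._sign(body), str(token.get("sig", "")))

class CloudStorage:
    def __init__(self, directory, tsa):
        self.directory, self.tsa, self.audit_log = directory, tsa, []

    def handle(self, request):
        token, cert = request["timestamp"], request["tsa_cert"]
        if not self.directory.cert_valid(cert):              # claim 4, LDAP step
            return "rejected: TSA certificate invalid"
        if token.get("tsa") != cert["id"] or not self.tsa.validate(token):  # claim 4, TSA step
            return "rejected: timestamp invalid"
        # Added checks (assumptions, not in the claims): bind token to this instruction, refuse reuse.
        if token["digest"] != digest(request["instruction"]):
            return "rejected: timestamp does not cover this instruction"
        if any(r["timestamp"]["serial"] == token["serial"] for r in self.audit_log):
            return "rejected: timestamp already used"
        # Claim 5: store the operation record with its timestamp.
        self.audit_log.append({"instruction": request["instruction"], "timestamp": token})
        return "accepted"

def demo():
    cert = {"id": "tsa-01", "issuer": "Example Root CA",
            "not_before": NOW - timedelta(days=30), "not_after": NOW + timedelta(days=335)}
    tsa = TSA(cert, key=b"constructed-demo-key")
    cloud = CloudStorage(Directory("Example Root CA", ["tsa-01"]), tsa)
    upload = {"op": "upload", "user": "alice", "object": "report.pdf"}
    delete = {"op": "delete", "user": "alice", "object": "report.pdf"}
    token = tsa.issue(digest(upload))
    backdated = {**token, "time": "2012-01-01T00:00:00+00:00"}
    expired = {**cert, "not_after": NOW - timedelta(days=1)}
    results = [cloud.handle({"instruction": i, "timestamp": t, "tsa_cert": c}) for i, t, c in [
        (upload, token, cert),      # genuine request
        (delete, token, cert),      # token presented with a different operation
        (upload, backdated, cert),  # time field altered after signing
        (upload, token, expired),   # TSA certificate past its validity period
        (upload, token, cert),      # exact resend of the first request
    ]]
    return results, cloud.audit_log

if __name__ == "__main__":
    for line in demo()[0]:
        print(line)
```

Only the first request reaches the audit log; the stored record pairs the instruction with the timestamp whose digest covers it, which is what makes the log usable as evidence later.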
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201310334945.2A CN104348870A (en) | 2013-08-02 | 2013-08-02 | Data management method and system of cloud storage system based on trusted timestamp |
Publications (1)
Publication Number | Publication Date |
---|---|
CN104348870A (en) | 2015-02-11 |
Family
ID=52503660
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201310334945.2A Pending CN104348870A (en) | 2013-08-02 | 2013-08-02 | Data management method and system of cloud storage system based on trusted timestamp |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN104348870A (en) |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
RJ01 | Rejection of invention patent application after publication | ||
RJ01 | Rejection of invention patent application after publication |
Application publication date: 20150211 |