CN104980401B - NAS server data security storage system, secure storage and read method - Google Patents
- Publication number: CN104980401B
- Application number: CN201410141431.XA
- Authority: CN (China)
- Prior art keywords: file, user, NAS server, certificate, server
- Legal status: Active (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Landscapes: Storage Device Security (AREA)
Abstract
The invention discloses a NAS server data security storage system, a secure data storage method and a secure data read method, belonging to the technical field of network storage. The system comprises a permission server and a NAS server. When a user logs in to the NAS server to securely store or read files, the user must first obtain from the permission server a user certificate for logging in to the NAS server. Afterwards, when the user logs in to the NAS server to read a file, the NAS server encrypts the file the user needs to read through the type ciphertext generation module, generates a type ciphertext matching the user's permissions and sends it to the user. When a file is stored, it is likewise encrypted according to its file type before being stored. The invention ensures that an attacker cannot obtain confidential data even by logging in from the back end with an administrator-privileged account, improving the security of NAS server storage.
Description
Technical field
The present invention relates to network storage technology in the computer field, and in particular to a NAS server data security storage system, a secure data storage method and a secure data read method.
Background
The continued development of computer and Internet technology has brought an information explosion: computer data in every field is growing geometrically. The capacity of a single external storage device, hard disks in particular, has grown from a few hundred MB more than ten years ago to several TB today, and storage has moved from the single-machine, single-hard-disk model of more than ten years ago to today's centralized storage of data using NAS (Network Attached Storage), SAN (storage area network) and virtualization.
As data storage technology develops, centralized storage of data also brings a large security risk. Besides disaster recovery and backup, what must be considered is the leakage of confidential data. Conventional encryption software focuses only on personal computer terminals, and little of it addresses encryption of mass data storage such as NAS. The present invention mainly aims to use encryption to protect confidential data on NAS storage servers from being leaked. It ensures that an attacker cannot obtain confidential data even by logging in from the back end with a server administrator account, and cannot obtain the confidential plaintext even by copying files directly from the hard disk. The invention can also generate transparent encrypted files, rights-encrypted files and outgoing encrypted files online for users, saving them the trouble of handling this on the terminal and better suiting a workflow in which file data is stored centrally.
Summary of the invention
In view of the defects in the prior art, the object of the invention is to provide a NAS server data security storage system and secure storage and read methods that realize secure storage of NAS mass data and improve the security of centrally stored confidential data on NAS storage servers.
To achieve the above object, the invention adopts the following technical solution:
A NAS server data security storage system, comprising:
A permission server, for generating a file security policy and a user certificate according to user permissions, sending the file security policy to the NAS server and sending the user certificate to the user; the file security policy includes a policy number, the file directory or file type to be protected, and the access permissions of the file; the user certificate includes user information and the policy number corresponding to the certificate;
A NAS server, for securely storing files according to the user's write request and for sending the requested file to the user according to the user's read request; the NAS server includes a file protection device, and the file protection device includes:
A user certificate detection module, for checking the integrity and validity of the user certificate;
A security policy matching module, for matching the policy number in the user certificate against the corresponding file security policy in the NAS server, and sending the matched file security policy to the directory virtualization module;
A directory virtualization module, for virtualizing for the user, according to the file security policy, a virtual directory and file access policy matching the user's permissions; the virtual directory records the file information matching the user's permissions;
The NAS server further includes a file encryption/decryption device.
Further, in the NAS server data security storage system described above, the file encryption/decryption device includes:
A global encryption/decryption module, for decrypting the file the user requests to read to obtain plaintext, and for encrypting the file the user requests to write to obtain ciphertext;
A type ciphertext generation module, for encrypting, according to the file output encryption policy, the plaintext decrypted by the global encryption/decryption module to obtain a type ciphertext, and sending the type ciphertext to the user; the type ciphertext includes common plaintext files, transparent encrypted files, rights-encrypted files and outgoing encrypted files.
Further, in the NAS server data security storage system described above, the file encryption/decryption device also includes:
A file type discriminator, for determining the type of the file to be stored;
A file index generator, for generating the index information of the file to be stored; the index information includes the type, name and size of the file.
Further, in the NAS server data security storage system described above, the file protection device also includes:
A file index library, for storing file index information;
A file index query module, for querying the file index library, according to the user's read request, for the index information of the file the user requests to read.
Further, in the NAS server data security storage system described above, the permission server includes:
A user access application device, through which the user initiates an access application to the permission server, and which matches user permissions for the user after the user's identity has been confirmed;
A user authentication device, for confirming the identity of the user logging in to the permission server;
A file security policy generation device, for generating, according to the user permissions, the file security policy corresponding to those permissions and the user certificate.
Further, in the NAS server data security storage system described above, the permission server also includes:
A global user list, for storing the user IDs of all users of the NAS server;
A permission database, for storing the user permissions of all users of the NAS server;
Role user groups, for grouping the users in the global user list.
Further, in the NAS server data security storage system described above, user permissions are divided into four levels, and users at different permission levels have different read permissions for files on the NAS server. The highest-permission user has read permission for common plaintext files, transparent encrypted files, rights-encrypted files and outgoing encrypted files; the next level has read permission for transparent encrypted files, rights-encrypted files and outgoing encrypted files; the third level has read permission for rights-encrypted files and outgoing encrypted files; the lowest-permission user has read permission for outgoing encrypted files.
A NAS server secure data storage method, comprising the following steps:
(1) the user logs in to the permission server; the permission server matches user permissions for the user and generates a file security policy and a user certificate according to the user permissions; the file security policy includes a policy number, the file directory or file type to be protected, and the access permissions of the file; the user certificate includes user information and the policy number corresponding to the certificate;
(2) the permission server sends the file security policy to the NAS server and sends the user certificate to the user;
(3) a local association operation is performed on the user certificate to generate a user local certificate; the user local certificate includes the same policy number as the user certificate;
(4) the user logs in to the NAS server with the user local certificate; the NAS server matches the policy number in the user local certificate against the corresponding file security policy in the NAS server, and according to the file security policy virtualizes for the user a virtual directory and file access policy matching the user's permissions; the virtual directory records the file information matching the user's permissions;
(5) the user sends a file write request to the NAS server; the NAS server encrypts the file to be written and stores the processed file on the NAS server.
Further, in the NAS server secure data storage method described above, in step (5) the NAS server encrypts the file to be written and stores the processed file in the NAS server's external storage device, specifically by:
1) determining the file type of the file to be written, and generating the index information of the file;
2) encrypting the file to be written with the global encryption/decryption module, and storing the encrypted file on the NAS server.
A NAS server secure data read method, comprising the following steps:
(1) the user logs in to the permission server; the permission server matches user permissions for the user and generates a file security policy and a user certificate according to the user permissions; the file security policy includes a policy number, the file directory or file type to be protected, and the access permissions of the file; the user certificate includes user information and the policy number corresponding to the certificate;
(2) the permission server sends the file security policy to the NAS server and sends the user certificate to the user;
(3) a local association operation is performed on the user certificate to generate a user local certificate; the user local certificate includes the same policy number as the user certificate;
(4) the user logs in to the NAS server with the user local certificate and initiates a file read request to the NAS server;
(5) the NAS server reads the encrypted data of the corresponding file from the NAS server according to the user's read request, processes the ciphertext data read accordingly through the encryption/decryption device, and then sends the file generated after processing to the user.
Further, in the NAS server secure data read method described above, in step (5), reading the encrypted data of the corresponding file from the NAS server, processing the ciphertext data read accordingly through the encryption/decryption device and then sending the file generated after processing to the user specifically includes:
1) decrypting the file the user requests to read with the global encryption/decryption module to obtain the decrypted plaintext;
2) encrypting the decrypted plaintext with the type ciphertext generation module to obtain a type ciphertext, and sending the type ciphertext to the user; the type ciphertext includes common plaintext files, transparent encrypted files, rights-encrypted files and outgoing encrypted files.
The effect of the invention is as follows: the invention focuses on using encryption to protect confidential data on NAS storage servers from being leaked, and can generate the 4 types of file for users online, saving users the trouble of processing on the terminal and better supporting centralized storage of file data.
Brief description of the drawings
Fig. 1 and Fig. 2 are structural block diagrams of a NAS server data security storage system in an embodiment;
Fig. 3 is a structural block diagram of the permission server in an embodiment;
Fig. 4 is a structural block diagram of the file protection device in an embodiment;
Fig. 5 is a structural block diagram of the file encryption/decryption device in an embodiment;
Fig. 6 is a schematic diagram of output file permission levels in an embodiment;
Fig. 7 is a flow chart of a NAS server secure data storage method in an embodiment;
Fig. 8 is a flow chart of a NAS server secure data read method in an embodiment;
Fig. 9 is a structural diagram of a secure NAS server application system in an embodiment.
Embodiment
The invention is described in further detail below with reference to the drawings and the embodiments.
Figs. 1 and 2 show structural block diagrams of a NAS server data security storage system in a specific embodiment of the invention. As can be seen from the figures, the system mainly includes a user terminal 10, a permission server 20 and a NAS server 30. The user terminal 10 is what the user uses to log in to the permission server 20 and the NAS server 30, so in this embodiment the user terminal 10 is referred to simply as the user.
The permission server 20 is mainly used to generate the file security policy and the user certificate according to user permissions, send the file security policy to the NAS server and send the user certificate to the user. The file security policy includes the policy number, the file directory or file type to be protected, the access permissions of the file, whether the file is encrypted, the type of ciphertext generated, the encryption algorithm used, and so on. The user certificate includes the certificate's user information, validity period, encryption key, key length and the policy number corresponding to the certificate. The structure of the permission server 20 in this embodiment is shown in Fig. 3. It mainly includes a global user list, a permission database (the global permission library shown in the figure), role user groups, a user access application device, a user authentication device, a file security policy generation device and so on, where:
The global user list stores the user IDs of all users of the NAS server;
The permission database stores the user permissions of all users of the NAS server;
The role user groups are used to group the users in the global user list;
The user access application device is used by the user to initiate an access application to the permission server, and matches user permissions for the user after the user's identity has been confirmed;
The user authentication device confirms the identity of the user logging in to the permission server;
The file security policy generation device generates, according to the user permissions, the file security policy corresponding to those permissions and the user certificate.
The NAS server 30 is used to securely store files according to the user's write request and to transmit files to the user according to the user's read request. The NAS server includes a file protection device and a file encryption/decryption device.
The structure of the file protection device is shown in Fig. 4. The device mainly includes a user certificate detection module, a security policy matching module, a directory virtualization module, a file index query module and a file index library.
The user certificate detection module checks the integrity and validity of the user certificate;
The security policy matching module matches the policy number in the user certificate against the corresponding file security policy in the NAS server, and sends the file security policy to the directory virtualization module;
The directory virtualization module virtualizes for the user, according to the file security policy, a virtual directory and file access policy matching the user's permissions; the virtual directory records the file information matching the user's permissions;
The file index library stores file index information;
The file index query module queries the file index library, according to the user's read request, for the index information of the file the user requests to read.
The structure of the file encryption/decryption device is shown in Fig. 5. The device mainly includes a global encryption/decryption module, a type ciphertext generation module, a file type discriminator and a file index generator.
The global encryption/decryption module decrypts the file the user requests to read to obtain plaintext, and encrypts the file the user requests to write to obtain ciphertext;
The type ciphertext generation module encrypts, according to the file output encryption policy, the plaintext decrypted by the global encryption/decryption module to obtain a type ciphertext, and sends the type ciphertext to the user; the type ciphertext includes common plaintext files, transparent encrypted files, rights-encrypted files and outgoing encrypted files.
The file type discriminator determines the type of the file to be stored;
The file index generator generates the index information of the file to be stored; the index information includes the type, name and size of the file.
Before logging in to the NAS server 30, the user needs to log in to the permission server 20 to obtain the NAS server usage certificate (the user certificate in this embodiment). After the user logs in to the permission server 20, the user authentication device authenticates the user, and an access request is initiated to the user access application device. The user access application device, through the role user groups, searches the global user list, the permission database and the global file index library to match the files and permissions accessible to the user, and submits the matched files and permissions to the permission rules. The permission rules first perform a conflict check on the files and permissions accessible to the user and handle conflicting permissions according to the principle of least privilege, preventing conflicting permissions from being output. Next, according to the output file type the user requests, they further filter the files and permissions accessible to the user and pass the filtered permission data to the file security policy generation device. The file security policy generation device generates the file security policy and the user certificate from the filtered permissions; the permission server sends the file security policy to the NAS server and sends the user certificate to the user.
When the user access application device matches the files and permissions accessible to the user, it first matches the user's permissions by searching the global user list and the permission database, then matches the files accessible to the user according to those permissions, and picks those files out of the existing files by searching the global file index library. For example, if the user can access files of types DOC and XLS, the DOC and XLS files need to be picked out of the existing files. The permission rules are the module that filters the matched user permissions. For example, suppose two permissions are matched for a user: one gives the user read and write access to all xsl files, the other gives the user read access to some xsl files. The permission rules then filter these two permissions and filter out the user's write access to those particular xsl files.
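The least-privilege conflict handling in the example above can be sketched as follows. This is an added illustration, not code from the patent; the glob patterns, file names and function name are assumptions, and the sample grants are constructed to mirror the two xsl permissions described.

```python
from fnmatch import fnmatchcase

# Constructed sample: the two matched permissions from the example above.
GRANTS = [
    ("*.xsl", {"read", "write"}),   # read and write access to all xsl files
    ("q?-budget.xsl", {"read"}),    # read access to some xsl files
]
FILES = ["notes.xsl", "q1-budget.xsl", "q2-budget.xsl", "readme.txt"]


def resolve_least_privilege(grants, files):
    """Return (effective rights per file, files whose grants conflicted).

    Where several grants cover one file, only the rights common to all of
    them survive, so the broader grant cannot widen the narrower one.
    """
    effective, conflicts = {}, []
    for name in files:
        matched = [set(rights) for pattern, rights in grants
                   if fnmatchcase(name, pattern)]
        if not matched:
            continue                 # no grant covers it: not accessible
        rights = set.intersection(*matched)
        if any(m != rights for m in matched):
            conflicts.append(name)   # grants disagreed; keep for audit
        if rights:                   # nothing in common means no access
            effective[name] = rights
    return effective, conflicts


if __name__ == "__main__":
    rights, conflicted = resolve_least_privilege(GRANTS, FILES)
    for name in sorted(rights):
        print(name, sorted(rights[name]))
    print("conflicts:", conflicted)
```
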
The NAS server user takes the user certificate and performs an association operation on it with a local certificate association program to generate a usable user local certificate (mainly to prevent an attacker from forging the user certificate by network monitoring). With the user local certificate, the user can log in to the NAS server over http (Hypertext Transfer Protocol), ftp (File Transfer Protocol), smb (Server Message Block) or nfs (Network File System). Through the directory virtualization module, the NAS server provides a virtual directory for the user to submit the user local certificate; the NAS server user inputs the certificate information by writing the local certificate file to this virtual directory, and the virtual directory on the NAS server passes the certificate to the certificate detection module in the file protection device. The certificate detection module checks how well the certificate matches the user, to prevent forged certificates. For a certificate that passes detection, the policy number of the user certificate is matched against the file security policies that the permission server submitted to the NAS server, and the matched file security policy is input to the directory virtualization module, which then virtualizes for the current user, according to the file security policy, a file access policy matching the user's permissions. After that, the user can send files to the NAS server (storage requests) or obtain files (read requests) according to the given file access policy.
When the user initiates a file read request to the NAS server, the NAS server decrypts the file the user requests to read with the global encryption/decryption module to obtain the decrypted plaintext, then encrypts the decrypted plaintext with the type ciphertext generation module to obtain a type ciphertext, and sends the type ciphertext to the user. The type ciphertext includes 4 file types: common plaintext files, transparent encrypted files, rights-encrypted files and outgoing encrypted files. The permission level needed to read each type of file is shown in Fig. 6: common plaintext needs the highest permission, transparent encrypted files the next, rights-encrypted files the third, and outgoing encrypted files need the lowest permission.
When the user initiates a file storage request to the NAS server, the file type discriminator first determines the file type of the file to be written and the index information of the file is generated; the file to be written is then encrypted by the global encryption/decryption module, and the encrypted file is stored in the NAS server's external storage device.
In this embodiment user permissions are divided into four levels, and users at different permission levels have different read permissions for files on the NAS server. The highest-permission user has read permission for common plaintext files, transparent encrypted files, rights-encrypted files and outgoing encrypted files; the next level has read permission for transparent encrypted files, rights-encrypted files and outgoing encrypted files; the third level has read permission for rights-encrypted files and outgoing encrypted files; the lowest-permission user only has read permission for outgoing encrypted files.
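The NAS-side checks described above (certificate detection, policy-number matching, the virtual directory and the four-level output limit of Fig. 6) are sketched below as an added example that is not code from the patent. The patent does not say how certificate integrity is checked; the HMAC over the certificate body, the numeric level encoding, and all names and sample data are assumptions.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass

# Output types ordered as in Fig. 6; the numeric ranks are an assumed encoding.
REQUIRED_LEVEL = {"outgoing": 1, "rights": 2, "transparent": 3, "plaintext": 4}


@dataclass(frozen=True)
class Policy:
    number: int
    protected_types: frozenset   # file types this policy covers
    user_level: int              # 1 (lowest) .. 4 (highest)


class AccessDenied(Exception):
    pass


# Constructed sample data: shared key, NAS-side policies, file index.
KEY = b"constructed-demo-key"
POLICIES = {7: Policy(7, frozenset({"doc", "xls"}), 2),
            9: Policy(9, frozenset({"doc"}), 4)}
INDEX = [{"name": "plan.doc", "type": "doc", "size": 1024},
         {"name": "budget.xls", "type": "xls", "size": 2048},
         {"name": "dump.bin", "type": "bin", "size": 4096}]


def _mac(key, body):
    payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def issue_certificate(key, user, policy_number, not_before, not_after):
    """Permission-server side: bind user, policy number and validity period."""
    body = {"user": user, "policy": policy_number,
            "nbf": not_before, "exp": not_after}
    return {"body": body, "mac": _mac(key, body)}


def check_certificate(key, cert, login_user, now):
    """Certificate detection: integrity, validity period, match with user."""
    body, mac = cert.get("body"), cert.get("mac")
    if not isinstance(body, dict) or not isinstance(mac, str):
        raise AccessDenied("malformed certificate")
    if not hmac.compare_digest(_mac(key, body).encode(), mac.encode()):
        raise AccessDenied("integrity check failed")
    if not body["nbf"] <= now <= body["exp"]:
        raise AccessDenied("certificate outside validity period")
    if body["user"] != login_user:
        raise AccessDenied("certificate does not match user")
    return body


def match_policy(policies, cert_body):
    """Security policy matching: look the policy up by its number."""
    policy = policies.get(cert_body["policy"])
    if policy is None:
        raise AccessDenied("no policy for this policy number")
    return policy


def virtual_directory(index, policy):
    """Directory virtualization: expose only entries the policy covers."""
    return sorted(e["name"] for e in index if e["type"] in policy.protected_types)


def allowed_outputs(policy):
    """Output types readable at the policy's user level."""
    return sorted(t for t, need in REQUIRED_LEVEL.items()
                  if policy.user_level >= need)


def read_request(key, policies, index, cert, login_user, name, output, now):
    """Authorize one read; returns what the ciphertext generator may emit."""
    body = check_certificate(key, cert, login_user, now)
    policy = match_policy(policies, body)
    if name not in virtual_directory(index, policy):
        raise AccessDenied("file not in user's virtual directory")
    if output not in allowed_outputs(policy):
        raise AccessDenied("output type above user's level")
    return {"file": name, "output": output, "policy": policy.number}


if __name__ == "__main__":
    cert = issue_certificate(KEY, "alice", 7, 100, 200)
    print(read_request(KEY, POLICIES, INDEX, cert, "alice",
                       "budget.xls", "rights", 150))
```

Because the policy number sits inside the MAC-protected body, a user who rewrites it to point at a more permissive policy fails the integrity check before any policy lookup happens.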
Fig. 7 shows a flow chart of a NAS server secure data storage method in a specific embodiment of the invention. The method comprises the following steps:
Step S11: the permission server generates a user certificate and a file security policy according to user permissions;
Step S12: the permission server sends the file security policy to the NAS server and sends the user certificate to the user;
Before logging in to the NAS server, the NAS server user needs to obtain the NAS server usage certificate, which the user obtains by logging in to the permission server. After the user logs in to the permission server, the permission server first authenticates the user's identity. Once authentication passes, the permission server searches the global user list and the permission database to match user permissions for the user, and then generates, according to the user permissions, the file security policy corresponding to those permissions and the user certificate. The file security policy includes the policy number, the file directory to be protected (the file directory is the name of the directory in which files are stored, used to set files needing protection in batches; all files stored under that directory are protected accordingly) or the file type, the access permissions of the file, whether the file is encrypted, the type of ciphertext generated, the encryption algorithm used, and so on. The user certificate includes the certificate's user information, validity period, encryption key, key length and the policy number corresponding to the certificate.
After generating the file security policy and the user certificate, the permission server sends the file security policy to the NAS server and sends the user certificate to the user.
Step S13: a local user certificate is generated from the user certificate;
To prevent an attacker from forging the user certificate by network monitoring, after receiving the user certificate sent by the permission server the user performs a local association operation on the user certificate with the local certificate association program to generate a usable user local certificate. The user local certificate includes the same policy number as the user certificate.
Step S14: the user logs in to the NAS server, and the NAS server generates for the user a virtual directory and file access policy matching the user's permissions;
Step S15: the user sends a file write request to the NAS server, and the file to be written is stored on the NAS server.
The user logs in to the NAS server with the user local certificate. The NAS server first checks the validity and integrity of the user certificate through the user certificate detection module to prevent forged certificates. After the check passes, the policy number in the user local certificate is matched against the corresponding file security policy in the NAS server, and according to the file security policy a virtual directory and file access policy matching the user's permissions are virtualized for the user; the virtual directory records the file information matching the user's permissions. After that, the user transmits the file to be stored to the NAS server over http/ftp/smb/nfs for storage. The file is stored on the NAS server specifically by:
1) determining the file type of the file to be written, and generating the index information of the file;
2) encrypting the file to be written with the global encryption/decryption module, and storing the encrypted file on the NAS server.
The http/ftp/smb/nfs protocol passes the file to the file encryption/decryption device on the NAS server, and the file encryption/decryption device begins processing the file. The file is passed to the file type discrimination module, which classifies the file as one of the following possible types: text, binary file, and so on. The file index generator then starts building a more detailed index of the file, such as the documents of files that can be parsed, a file integrity digest, the file size and other important file identifiers. The file index generator writes the generated document data to the file index library, and the global encryption/decryption module encrypts the file using the global encryption policy. The encrypted file is stored on the NAS server or in the NAS server's external storage device. When the file write completes, the newly written file index is synchronized to the permission server.
Fig. 8 shows a flow chart of a NAS server secure data read method in this embodiment. The method comprises the following steps:
Step S21: the permission server generates a user certificate and a file security policy according to user permissions;
Step S22: the permission server sends the file security policy to the NAS server and sends the user certificate to the user;
Before logging in to the NAS server, the NAS server user needs to obtain the NAS server usage certificate, which the user obtains by logging in to the permission server. After the user logs in to the permission server, the permission server first authenticates the user's identity. Once authentication passes, the permission server searches the global user list and the permission database to match user permissions for the user, and then generates, according to the user permissions, the file security policy corresponding to those permissions and the user certificate. The file security policy includes the policy number, the file directory or file type to be protected, the access permissions of the file, whether the file is encrypted, the type of ciphertext generated, the encryption algorithm used, and so on. The user certificate includes the certificate's user information, validity period, encryption key, key length and the policy number corresponding to the certificate.
After generating the file security policy and the user certificate, the permission server sends the file security policy to the NAS server and sends the user certificate to the user.
Step S23: a local user certificate is generated from the user certificate;
To prevent an attacker from forging the user certificate by network monitoring, after receiving the user certificate sent by the permission server the user performs a local association operation on the user certificate with the local certificate association program to generate a usable user local certificate. The user local certificate includes the same policy number as the user certificate.
Of course, if the user has logged in to the NAS server before and already obtained a user certificate, then on logging in to the NAS server again steps S21-S23 need not be repeated, and the user proceeds directly to the next step with the local user certificate.
Step S24: the user logs in to the NAS server, and the NAS server generates for the user a virtual directory and file access policy matching the user's permissions;
Step S25: the user sends a file read request to the NAS server and obtains the file needed.
The user logs in to the NAS server with the user local certificate. The NAS server first checks the validity and integrity of the user certificate through the user certificate detection module to prevent forged certificates. After the check passes, the policy number in the user local certificate is matched against the corresponding file security policy in the NAS server, and according to the file security policy a virtual directory and file access policy matching the user's permissions are virtualized for the user; the virtual directory records the file information matching the user's permissions. After that, the user initiates a file read request to the NAS server over http/ftp/smb/nfs and obtains the file needed. In this embodiment the NAS server sends the file to the user specifically by:
1) decrypting the file the user requests to read with the global encryption/decryption module to obtain the decrypted plaintext;
2) encrypting the decrypted plaintext with the type ciphertext generation module to obtain a type ciphertext, and sending the type ciphertext to the user; the type ciphertext includes common plaintext files, transparent encrypted files, rights-encrypted files and outgoing encrypted files.
The user initiates a file read request to the NAS server using http/ftp/smb/nfs, and the file (ciphertext) is input to the global encryption/decryption module in the file protection device. The global encryption/decryption module unlocks the file requested by the user according to the global decryption policy, and the decrypted plaintext data is input to the type ciphertext generation module. The type ciphertext generation module outputs the type ciphertext according to the file output encryption policy and sends the type ciphertext to the user over one of the protocols http/ftp/smb/nfs.
Wherein, it is effectively bright can effectively to prevent that attacker from obtaining from network attack for transparent encrypted file, rights encryption file
Text.After user takes transparent ciphertext, data can be read by local certificate solution open file;When user takes outgoing document
Afterwards, outgoing document is included from decryption program and control of authority program, and user can only open file under due authority and read number
According to.
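The login and read-authorization path described above (certificate check, strategy-number match, virtual directory, and the type ciphertext a user may receive) can be sketched as follows; this is an added example, not code from the patent. The HMAC tag used as the certificate integrity mechanism, the JSON certificate layout, the per-strategy grade field and all names and paths are assumptions; the four grades follow the user right levels given in the claims.

```python
import hashlib
import hmac
import json
from fnmatch import fnmatchcase

# Constructed sample data. The shared MAC key, certificate layout, paths and
# per-strategy "grade" field are assumptions; the patent does not specify them.
PERMISSION_SERVER_KEY = b"constructed-demo-key"

# Type ciphertexts readable at each user right grade (1 = highest of four).
EXPORT_TYPES = {
    1: ["plaintext", "transparent", "rights", "outgoing"],
    2: ["transparent", "rights", "outgoing"],
    3: ["rights", "outgoing"],
    4: ["outgoing"],
}

# File security strategies held by the NAS server, keyed by strategy number.
STRATEGIES = {
    "P-001": {"protected": ["/finance/*", "*.docx"], "grade": 2},
    "P-002": {"protected": ["/public/*"], "grade": 4},
}
FILE_INDEX = ["/finance/q1.xlsx", "/public/readme.txt", "/hr/plan.docx"]


def _tag(body):
    return hmac.new(PERMISSION_SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()


def issue_certificate(user, strategy_number):
    """Permission server: bind user information to a strategy number."""
    body = json.dumps({"user": user, "strategy": strategy_number}, sort_keys=True)
    return {"body": body, "tag": _tag(body)}


def verify_certificate(cert):
    """User certificate detection module: reject forged or altered certificates."""
    if not hmac.compare_digest(_tag(cert["body"]), str(cert.get("tag", ""))):
        raise PermissionError("certificate integrity check failed")
    return json.loads(cert["body"])


def login(cert):
    """Match the strategy number, then build the virtual directory and access strategy."""
    claims = verify_certificate(cert)
    strategy = STRATEGIES.get(claims["strategy"])
    if strategy is None:
        raise PermissionError("no matching file security strategy")
    visible = [p for p in FILE_INDEX
               if any(fnmatchcase(p, pat) for pat in strategy["protected"])]
    return {"user": claims["user"], "virtual_directory": visible,
            "types": EXPORT_TYPES[strategy["grade"]]}


def authorize_read(session, path, requested_type):
    """Serve a file only if it is in the virtual directory and the type is permitted."""
    return path in session["virtual_directory"] and requested_type in session["types"]
```

Because the strategy number sits inside the authenticated certificate body, changing it to reach a different strategy invalidates the tag and the login is refused before any directory is built.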
Furthermore, it should be noted that, besides being accessed and used directly by users over the http/ftp/smb/nfs protocols, the secure NAS server of the NAS server data security storage system of the invention can also serve as the back-end storage server for other application servers. In that case, the application server is equivalent to a user. The flow is shown in Fig. 9 and is as follows:
(1) the user establishes on the permission server, for the application server, a permission rule allowing clear data to be used as the output file (the specific permission rules can of course be set as needed; this is merely an example);
(2) the application server logs in to the secure NAS server as a user and writes the certificate file to the secure NAS server; the secure NAS server establishes a virtual directory for the application server;
(3) the application server writes its data to the secure NAS server;
(4) the secure NAS server encrypts the files written by the application server using the global encryption policy, which effectively prevents an attacker from stealing the data by forcibly copying the disk while the secure NAS server is shut down;
(5) when the application server needs to read a file, the secure NAS server provides the application server with a common plaintext file.
Obviously, those skilled in the art can make various changes and modifications to the invention without departing from its spirit and scope. Thus, if these modifications and variations fall within the scope of the claims of the invention and their technical equivalents, the invention is also intended to include them.
Claims (11)
1. A NAS server data security storage system, comprising:
a permission server, configured to generate a file security strategy and a user certificate according to the user right, to send the file security strategy to the NAS server, and to send the user certificate to the user; the file security strategy includes a strategy number, the file directories or file types to be protected, and the access rights of the files; the user certificate includes user information and the strategy number corresponding to the certificate;
a NAS server, configured to store files securely according to the user's write requests and to send the requested files to the user according to the user's read requests; the NAS server includes a file protection device, and the file protection device includes:
a user certificate detection module, configured to check the integrity and validity of the user certificate;
a security strategy matching module, configured to match the strategy number in the user certificate against the corresponding file security strategy in the NAS server, and to send the matched file security strategy to the directory virtualization module;
a directory virtualization module, configured to virtualize for the user, according to the file security strategy, a virtual directory and file access strategy matching the user's rights; the virtual directory records the file information matching the user's rights;
the NAS server further includes a file encryption/decryption device.
2. The NAS server data security storage system as claimed in claim 1, characterized in that the file encryption/decryption device includes:
a global encryption/decryption module, configured to decrypt the file the user requests to read, obtaining plaintext, and to encrypt the file the user requests to write, obtaining ciphertext;
a type ciphertext generation module, configured to encrypt the plaintext decrypted by the global encryption/decryption module according to the file export encryption policy, obtaining a type ciphertext, and to send the type ciphertext to the user; the type ciphertext includes common clear text files, transparent encrypted files, rights encryption files and outgoing encryption files.
3. The NAS server data security storage system as claimed in claim 1 or 2, characterized in that the file encryption/decryption device further includes:
a file type discriminator, configured to determine the type of the file to be stored;
a file index generator, configured to generate the index information of the file to be stored; the index information includes the file type, name and size.
4. The NAS server data security storage system as claimed in claim 3, characterized in that the file protection device further includes:
a file index library, configured to store the file index information;
a file index query module, configured to query the file index library, according to the user's read request, for the index information of the file the user requests to read.
5. The NAS server data security storage system as claimed in claim 1 or 2, characterized in that the permission server includes:
a user access application device, by which the user submits an access application to the permission server, and which matches the user right for the user after the user's identity is confirmed;
a user authentication device, configured to confirm the identity of a user logging in to the permission server;
a file security strategy generating device, configured to generate, according to the user right, the file security strategy and user certificate corresponding to that user right.
6. The NAS server data security storage system as claimed in claim 5, characterized in that the permission server further includes:
a global user list, configured to store the user IDs of all users of the NAS server;
a rights database, configured to store the user rights of all users of the NAS server;
a role user group, configured to group the users in the global user list.
7. The NAS server data security storage system as claimed in claim 2, characterized in that user rights are divided into four grades, and users of different grades have different read permissions for files in the NAS server; the highest-grade user has read permission for common clear text files, transparent encrypted files, rights encryption files and outgoing encryption files; the second grade has read permission for transparent encrypted files, rights encryption files and outgoing encryption files; the third grade has read permission for rights encryption files and outgoing encryption files; the lowest-grade user has read permission for outgoing encryption files.
8. A NAS server data secure storage method, comprising the following steps:
(1) the user logs in to the permission server; the permission server matches the user right for the user, and generates a file security strategy and a user certificate according to the user right; the file security strategy includes a strategy number, the file directories or file types to be protected, and the access rights of the files; the user certificate includes user information and the strategy number corresponding to the certificate;
(2) the permission server sends the file security strategy to the NAS server and sends the user certificate to the user;
(3) a local association computation is performed on the user certificate to generate the user local certificate; the user local certificate contains the same strategy number as the user certificate;
(4) the user logs in to the NAS server with the user local certificate; the NAS server matches the strategy number in the user local certificate against the corresponding file security strategy in the NAS server, and virtualizes for the user, according to the file security strategy, a virtual directory and file access strategy matching the user's rights; the virtual directory records the file information matching the user's rights;
(5) the user sends a file write request to the NAS server; the NAS server encrypts the file to be written and stores the processed file in the NAS server.
9. The NAS server data secure storage method as claimed in claim 8, characterized in that in step (5), the NAS server encrypts the file to be written and stores the processed file in the NAS server as follows:
1) the file type of the file to be written is determined, and the index information of the file is generated;
2) the file to be written is encrypted by the global encryption/decryption module, and the encrypted file is stored in the NAS server.
10. A NAS server data secure reading method, comprising the following steps:
(1) the user logs in to the permission server; the permission server matches the user right for the user, and generates a file security strategy and a user certificate according to the user right; the file security strategy includes a strategy number, the file directories or file types to be protected, and the access rights of the files; the user certificate includes user information and the strategy number corresponding to the certificate;
(2) the permission server sends the file security strategy to the NAS server and sends the user certificate to the user;
(3) a local association computation is performed on the user certificate to generate the user local certificate; the user local certificate contains the same strategy number as the user certificate;
(4) the user logs in to the NAS server with the user local certificate and initiates a file read request to the NAS server;
(5) the NAS server reads the encrypted data of the corresponding file from the NAS server according to the user's read request, processes the ciphertext data read accordingly by means of the encryption/decryption device, and then sends the file generated by the processing to the user.
11. The NAS server data secure reading method as claimed in claim 10, characterized in that in step (5), the encrypted data of the corresponding file is read from the NAS server, the ciphertext data read is processed accordingly by the encryption/decryption device, and the file generated by the processing is sent to the user as follows:
1) the global encryption/decryption module decrypts the file the user requested to read, yielding the decrypted plaintext;
2) the type ciphertext generation module encrypts the decrypted plaintext to obtain a type ciphertext, and sends the type ciphertext to the user; the type ciphertext includes common clear text files, transparent encrypted files, rights encryption files and outgoing encryption files.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201410141431.XA CN104980401B (en) | 2014-04-09 | 2014-04-09 | Nas server date safety storing system, secure storage and read method |
Publications (2)
Publication Number | Publication Date |
---|---|
CN104980401A CN104980401A (en) | 2015-10-14 |
CN104980401B true CN104980401B (en) | 2018-05-01 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||
GR01 | Patent grant |