CN105007259B - Cloud platform big data access method - Google Patents

Cloud platform big data access method

Info

Publication number: CN105007259B
Authority: CN (China)
Prior art keywords: user, node, cloud platform, identity, key
Legal status: Active
Application number: CN201510279993.5A
Other languages: Chinese (zh)
Other versions: CN105007259A
Inventors: 唐明亮, 刘剑秋, 吴麒
Current assignee: Public Medical Information Services Co Ltd In West China Chengdu
Original assignee: Public Medical Information Services Co Ltd In West China Chengdu
Application filed by: Public Medical Information Services Co Ltd In West China Chengdu
Priority to: CN201510279993.5A
Publication of: CN105007259A (application), CN105007259B (granted patent)

Classifications

    • H: Electricity; H04: Electric communication technique; H04L: Transmission of digital information, e.g. telegraphic communication
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/10 Network security protocols for controlling access to devices or network resources
    • H04L63/105 Multiple levels of security
    • H04L63/08 Network security protocols for authentication of entities
    • H04L63/0823 Authentication of entities using certificates
    • H04L63/0876 Authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/10 Protocols in which an application is distributed across nodes in the network
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/32 Cryptographic mechanisms including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3263 Cryptographic mechanisms for verifying identity or authority involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; public key infrastructure [PKI] arrangements

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Power Engineering (AREA)
  • Storage Device Security (AREA)

Abstract

The invention provides a cloud platform big data access method. The method includes: the cloud platform server generates the key parameters and selects security nodes; a user joins the system through a security node; the security node performs a key exchange with the user; the security node generates the private key and token corresponding to the user; the user verifies the message and then decrypts it to obtain the private key; other nodes in the cloud platform determine whether the user has a legal identity. The method of the invention can effectively solve the problem of illegal users attacking through network logical addresses, ensures the security of the system, and is suitable for cloud storage systems.

Description

Cloud platform big data access method
Technical field
The present invention relates to big data security, and more particularly to a cloud platform big data access method.
Background technology
A cloud storage system for big data guarantees the high reliability of the service it provides through the management and operating mechanisms of the cloud platform; on the other hand, it provides cheap, huge-capacity storage space by pooling the storage resources contributed by all participating users, so as to effectively meet the demands of rapidly developing Internet applications for scale, efficiency, reliability, scalability and cost-effectiveness. The user base and data scale of a cloud system are both very large, and as a result it faces more complex security problems. Users are the users of the system. The user authorization control mechanism is the first line of defence of cloud storage system security: it determines whether a user may access the system, and once a user is admitted it assigns that login user a unique identity so that the user's legal identity can be verified throughout the system. Only users holding a legal identity can take part in system operation and use the services the system provides. Under the user authorization control of the prior art, an illegal user can access the system under multiple different identities, each associated with an identity it has obtained, and thereby form multiple illegal users. If the number of identities a user can obtain is not limited, illegal users can easily control most of the nodes in the system, or even the whole system. Moreover, when the system allows users to choose their identities freely, an illegal user will deliberately choose identities that let it control important data space.
In this case, even if the identities a user can obtain are very limited and the system adopts a data redundancy storage strategy, multiple illegal users acting jointly can still easily obtain the identities of the storage nodes corresponding to the data copies, and so pollute the data. At the same time, illegal users can also jointly choose suitable identities so as to appear, with maximum probability, in the routing tables of legitimate nodes, and thereby control the legitimate nodes' access to the system.
Summary of the invention
To solve the above problems of the prior art, the present invention proposes a cloud platform big data access method, including:
the cloud platform server generates two additive groups $G_0$ and $G_1$ of prime order $p$ and a bilinear map $e: G_0 \times G_0 \to G_1$; selects a random element $s_0$ from the Galois field $GF(2^p)$ as the master key and computes its public key $Q_0 = s_0 P_0$, where $P_0$ is a generator of $G_0$; pre-selects hash functions $H_1$, $H_2$ and the SHA-1 cryptographic hash function $H_3$; and distributes the key parameters $(G_0, G_1, e, P_0, Q_0, H_1, H_2)$;
the cloud platform server selects a security node $P$; security node $P$ obtains an identity $ID_P$ and a private key $S_P$ from the cloud platform server, selects a random element $s_P$ from the Galois field $GF(2^p)$ as its master key and computes the public key $Q_P = s_P P_0$; a user $Q$ obtains the address of security node $P$ from the cloud platform server and then joins the system through security node $P$;
user $Q$ sends its network logical address $LA_Q$ to security node $P$; security node $P$ verifies user $Q$ by way of a callback to confirm that user $Q$ really holds $LA_Q$; then security node $P$ and user $Q$ perform a key exchange and produce a symmetric key $K_{P \cdot Q}$, used to encrypt the transmission of the subsequently generated private key and to protect the integrity of the transmitted messages;
security node $P$ assigns user $Q$ an identity $ID_Q$ and the time $T_Q$ at which it was generated, generates the corresponding private key $S_Q$, and generates a token with which other nodes can verify user $Q$'s identity, namely:
1) obtain the time $T_Q$ at which user $Q$'s identity $ID_Q$ is generated, and compute user $Q$'s identity as $ID_Q = H_3(LA_Q, T_Q)$;
2) compute user $Q$'s public key $P_Q = H_1(ID_Q)$;
3) compute user $Q$'s private key $S_Q = S_P + s_P P_Q$, and encrypt it with $K_{P \cdot Q}$ to obtain $E(S_Q, K_{P \cdot Q})$;
4) compute the token $Tok_Q = S_P + s_P H_2(ID_Q, T_Q)$;
5) send $(ID_Q, T_Q, Q_P, Tok_Q, E(S_Q, K_{P \cdot Q}))$ to user $Q$;
after user $Q$ receives the message, it verifies the message and then decrypts with $K_{P \cdot Q}$ to obtain $S_Q$;
when user $Q$ contacts another node $R$, it sends $(ID_Q, ID_P, T_Q, Q_P, Tok_Q)$; node $R$ asks the cloud platform server whether $ID_P$ is a security node and, if not, refuses user $Q$; otherwise node $R$ computes and checks whether $e(P_0, Tok_Q) = e(Q_0, P_P) \cdot e(Q_P, H_2(ID_Q, T_Q))$ holds; if it holds, user $Q$ is determined to have a legal identity and node $R$ establishes contact with user $Q$; otherwise user $Q$ is refused;
after user $Q$'s valid identity expires, it contacts node $P$ to update its key pair: user $Q$ sends $(LA_Q, T_Q, Tok_Q)$ to node $P$, $P$ verifies user $Q$ and, if the verification passes, sends user $Q$ the updated identity, time, private key and token; if $P$ has left the system, user $Q$ obtains the address of a new security node from the cloud platform server and sends it $(LA_Q, ID_P, T_Q, Q_P, Tok_Q)$, and the new security node updates the key pair for $Q$.
Compared with the prior art, the present invention has the following advantages:
The method of the present invention can effectively solve the problem of illegal users attacking through network logical addresses, ensures the security of the system, and is suitable for cloud storage systems.
Brief description of the drawings
Fig. 1 is a flow chart of the cloud platform big data access method according to an embodiment of the present invention.
Embodiment
A detailed description of one or more embodiments of the invention is provided below together with the accompanying drawing illustrating the principles of the invention. The invention is described with reference to such embodiments, but the invention is not limited to any embodiment. The scope of the invention is limited only by the claims, and the invention covers many alternatives, modifications and equivalents. Many specific details are set forth in the following description to provide a thorough understanding of the invention. These details are provided for exemplary purposes, and the invention according to the claims can also be practised without some or all of them.
Fig. 1 is a flow chart of the cloud platform big data access method according to an embodiment of the present invention. Aimed at the characteristics of cloud storage systems, the invention uses the authorization control mechanism of cloud storage to assign identities to users securely and efficiently and to resist malicious attacks effectively. A user's public key can be derived directly from its identity, and its private key can be computed from a series of key parameters. In the first embodiment, the cloud platform server assigns each user accessing the system an identity based on its network logical address, generates and distributes the key pair corresponding to that identity, and a user holding a legal identity becomes a node in the system. When a user accesses the system it is verified by way of a callback: only a user that can receive the connection to the network logical address is considered the legitimate holder of that address, and only a user that passes the verification is assigned an identity, which prevents an illegal user from obtaining a large number of system identities by forging network logical addresses and launching malicious attacks with them.
In a further embodiment, hierarchical encryption is introduced to effectively reduce the overhead of the cloud platform server. The cloud platform server can hand the work of assigning identities to users and generating the corresponding private keys to multiple security nodes in the system, so that the system scales well. A further embodiment assigns identities to users based on the network logical address and port number. At the same time, to prevent an illegal user behind address translation from obtaining a large number of identities by using multiple port numbers, a cryptographic computation is added when the private key is distributed to the user, which effectively limits the speed at which an illegal user can obtain identities, and thus malicious attacks.
In the cryptosystem applied by the present invention, the public key is generated from a simple data object, which may for example be a network logical address; the private key used for encryption, decryption, signing and verification is then generated from a series of key parameters. The generation of private keys is the responsibility of a trusted third party called the key generator. With this construction there is no need to distribute keys of any other form: a user can encrypt data or verify signatures directly. Apart from removing complex certificate management, this greatly reduces the overhead of the system. To reduce the computational overhead of the key generator, a tree can be formed from multi-level key generators so that private key generation is completed by several levels of key generators.
The present invention is based on a cloud storage system architecture consisting of a cloud platform server and multiple users. Any network logical address may be forged by an illegal user and any data propagated in the network may be eavesdropped by an illegal user, but the number and computing power of the active network logical addresses that a single illegal user can obtain are limited. The operation of the method of the present invention is described in detail below: it assigns legal identities to users accessing the system and resists illegal attacks on the system.
In the first embodiment, the cloud platform server assigns each user accessing the system a random identity, generates the corresponding private key, and binds the user identity to its private key. The method includes two stages: system initialization and user login.
Initialization stage: the cloud platform server performs the following operations to generate the protocol's cryptographic parameters.
1) generate two additive groups $G_0$ and $G_1$ of prime order $p$ and a bilinear map $e: G_0 \times G_0 \to G_1$, where $P_0$ is a generator of $G_0$.
2) select a random element $s_0$ from the Galois field $GF(2^p)$ as the master key and compute its public key $Q_0 = s_0 P_0$.
3) pre-select hash functions $H_1$, $H_2$ and the SHA-1 cryptographic hash function $H_3$.
4) distribute the key parameters $(G_0, G_1, e, P_0, Q_0, H_1, H_2)$.
When a user $N$ accesses the system, it first sends its network logical address $LA_N$ to the cloud platform server. The cloud platform server verifies $N$ by way of a callback: it establishes a connection to $LA_N$, and all responses to the request are transmitted over that connection, which confirms that $N$ really holds $LA_N$.
The cloud platform server then performs a key exchange with $N$ and produces a symmetric key $K_N$, used to encrypt the transmission of the subsequently generated private key and to protect the integrity of the transmitted messages.
The cloud platform server then performs the following operations: it assigns user $N$ an identity $ID_N$ and its generation time $T_N$, where $T_N$ indicates the validity period of $ID_N$; generates the corresponding private key $S_N$; and generates a token that allows other nodes in the system to verify user $N$'s identity, so that user $N$ becomes a valid system node, namely:
1) obtain the time $T_N$ at which user $N$'s identity $ID_N$ is generated, and compute $ID_N = H_3(LA_N, T_N)$;
2) compute user $N$'s public key $P_N = H_1(ID_N)$;
3) compute user $N$'s private key $S_N = s_0 P_N$, and encrypt it with $K_N$ to obtain $E(S_N, K_N)$;
4) compute the token $Tok_N = s_0 H_2(ID_N, T_N)$;
5) send $(ID_N, T_N, Tok_N, E(S_N, K_N))$ to user $N$. After user $N$ receives the message, it verifies the message and then decrypts with $K_N$ to obtain $S_N$.
When $N$ contacts another user node $M$ in the system, it sends $(ID_N, T_N, Tok_N)$. $M$ computes and checks whether $e(P_0, Tok_N) = e(Q_0, H_2(ID_N, T_N))$ holds; if it holds, $N$ has a legal identity and $M$ establishes contact with $N$; otherwise $N$ is refused.
After $N$'s valid identity expires, it needs to contact the cloud platform server to update its key pair. $N$ sends $(LA_N, T_N, Tok_N)$ to the cloud platform server, which verifies it and, if the verification passes, sends it the updated identity, time, private key and token. A node's public key can therefore be derived directly from its identity alone. The protocol not only assigns a user a random identity, but also controls the identity's validity period through the time that defines it.
In a further, second embodiment, the cloud platform server hands the work of assigning identities to users and generating the corresponding private keys to multiple security nodes in the system, thereby effectively reducing the overhead of the cloud platform server. First, the cloud platform server selects some security nodes, which obtain identities and private keys from the cloud platform server according to the first embodiment; then each of these nodes assigns the users accessing the system a random identity and generates the corresponding private key. The second embodiment builds on the first: assume that the selected security node $P$ has obtained the identity $ID_P$ and private key $S_P$ from the cloud platform server; $P$ selects a random element $s_P$ from the Galois field $GF(2^p)$ as its master key and computes $Q_P = s_P P_0$. A user $Q$ contacts the cloud platform server to obtain $P$'s address, and then contacts $P$ to join the system.
The first stage of the user login process is as follows. $Q$ sends its network logical address $LA_Q$ to $P$; $P$ verifies $Q$ by way of a callback to confirm that $Q$ really holds $LA_Q$. Then $P$ performs a key exchange with $Q$ and produces a symmetric key $K_{P \cdot Q}$, used to encrypt the transmission of the subsequently generated private key and to protect the integrity of the transmitted messages.
$P$ then performs the following operations: it assigns $Q$ an identity $ID_Q$ and its generation time $T_Q$, generates the corresponding private key $S_Q$, and generates a token that allows other nodes in the system to verify $Q$'s identity, so that $Q$ becomes a valid system node, namely:
1) obtain the time $T_Q$ at which user $Q$'s identity $ID_Q$ is generated, and compute $Q$'s identity as $ID_Q = H_3(LA_Q, T_Q)$;
2) compute user $Q$'s public key $P_Q = H_1(ID_Q)$;
3) compute user $Q$'s private key $S_Q = S_P + s_P P_Q$, and encrypt it with $K_{P \cdot Q}$ to obtain $E(S_Q, K_{P \cdot Q})$.
4) compute the token $Tok_Q = S_P + s_P H_2(ID_Q, T_Q)$;
5) send $(ID_Q, T_Q, Q_P, Tok_Q, E(S_Q, K_{P \cdot Q}))$ to user $Q$.
After $Q$ receives the message, it verifies the message and then decrypts with $K_{P \cdot Q}$ to obtain $S_Q$.
When $Q$ contacts another node $R$ in the system, it sends $(ID_Q, ID_P, T_Q, Q_P, Tok_Q)$. $R$ asks the cloud platform server whether $ID_P$ is a security node and, if not, refuses $Q$; otherwise $R$ computes and checks whether $e(P_0, Tok_Q) = e(Q_0, P_P) \cdot e(Q_P, H_2(ID_Q, T_Q))$ holds; if it holds, $Q$ has a legal identity and $R$ establishes contact with $Q$; otherwise $Q$ is refused.
After $Q$'s valid identity expires, it needs to contact $P$ to update its key pair. $Q$ sends $(LA_Q, T_Q, Tok_Q)$ to $P$, which verifies it and, if the verification passes, sends it the updated identity, time, private key and token. Note that if $P$ has left the system at this point, $Q$ obtains the address of a new security node from the cloud platform server and sends it $(LA_Q, ID_P, T_Q, Q_P, Tok_Q)$, and the new security node updates the key pair for $Q$.
Compared with the first embodiment, the cloud platform server can hand the work of assigning identities to users and generating the corresponding private keys to multiple security nodes in the system, thereby effectively reducing its own overhead. In the system start-up phase, when the number of nodes is small, the cloud platform server can work according to the scheme of the first embodiment; as the number of security nodes in the system gradually increases, the work can progressively be distributed to the security nodes.
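The issuance and verification equations of the first and second embodiments, as an added Python model (not the patent's own code): a deliberately insecure toy bilinear map e(a, b) = g^(ab) over integers modulo a prime stands in for the pairing, H1 and H2 are modelled as SHA-256 reduced modulo the group order, the callback check and the key exchange are omitted, and ID_LIFETIME is an assumed validity window since the page only says that T_N bounds the identity's validity.

```python
import hashlib
import secrets

# Toy bilinear map, constructed for this example and INSECURE (discrete logs in
# G0 are trivial): G0 is modelled as Z_N with generator P0 = 1, G1 as the order-N
# subgroup of Z_MOD^*, and e(a, b) = g^(a*b) mod MOD, bilinear in both arguments.

def is_prime(n):
    """Deterministic Miller-Rabin, valid for n < 3.3e24 with these bases."""
    bases = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    if n < 2 or any(n % p == 0 for p in bases):
        return n in bases
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

N = 2**61 - 1                                                  # prime order of G0 and G1
K = next(k for k in range(2, 100000, 2) if is_prime(k * N + 1))
MOD = K * N + 1                                                # prime with N | MOD - 1
G = next(g for g in (pow(h, K, MOD) for h in range(2, 64)) if g != 1)
P0 = 1                                                         # generator of G0 = Z_N
ID_LIFETIME = 3600   # assumed validity window after T; the page only says T bounds it

def e(a, b):
    return pow(G, a * b % N, MOD)
def H3(la, t):       # identity = SHA-1 over (LA, T), as the page specifies
    return hashlib.sha1(f"{la}|{t}".encode()).hexdigest()
def hash_to_g0(tag, *parts):   # H1 / H2: hash to G0, modelled as SHA-256 reduced mod N
    data = "|".join([tag, *map(str, parts)]).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N
def H1(identity):
    return hash_to_g0("H1", identity)
def H2(identity, t):
    return hash_to_g0("H2", identity, t)
def valid_now(msg, now):
    return msg["T"] <= now < msg["T"] + ID_LIFETIME

class CloudServer:
    """Key generator of the first embodiment and registry of security nodes.
    The callback check of LA and the K_N key exchange are out of scope here."""
    def __init__(self):
        self.s0 = secrets.randbelow(N - 1) + 1
        self.Q0 = self.s0 * P0 % N
        self.security_nodes = set()
    def issue(self, la, t):
        identity = H3(la, t)
        return {"ID": identity, "T": t,
                "S": self.s0 * H1(identity) % N,              # S_N = s0 * P_N
                "Tok": self.s0 * H2(identity, t) % N}         # Tok_N = s0 * H2(ID_N, T_N)

def verify_flat(q0, msg, now):
    """Node M (first embodiment): e(P0, Tok_N) == e(Q0, H2(ID_N, T_N))."""
    return valid_now(msg, now) and e(P0, msg["Tok"]) == e(q0, H2(msg["ID"], msg["T"]))

class SecurityNode:
    """Delegated key generator of the second embodiment."""
    def __init__(self, server, la, t):
        cred = server.issue(la, t)
        server.security_nodes.add(cred["ID"])
        self.ID, self.S = cred["ID"], cred["S"]
        self.sP = secrets.randbelow(N - 1) + 1
        self.QP = self.sP * P0 % N
    def issue(self, la, t):
        identity = H3(la, t)
        return {"ID": identity, "ID_P": self.ID, "T": t, "QP": self.QP,
                "S": (self.S + self.sP * H1(identity)) % N,        # S_Q = S_P + s_P * P_Q
                "Tok": (self.S + self.sP * H2(identity, t)) % N}   # Tok_Q = S_P + s_P * H2(ID_Q, T_Q)

def verify_hierarchical(server, msg, now):
    """Node R: ID_P must be a registered security node (the query to the server is
    modelled as a set lookup), then e(P0, Tok_Q) == e(Q0, P_P) * e(Q_P, H2(ID_Q, T_Q))."""
    if msg["ID_P"] not in server.security_nodes or not valid_now(msg, now):
        return False
    rhs = e(server.Q0, H1(msg["ID_P"])) * e(msg["QP"], H2(msg["ID"], msg["T"])) % MOD
    return e(P0, msg["Tok"]) == rhs

def demo(now=1_700_000_000):
    """Constructed run: the addresses and timestamp are sample values."""
    server = CloudServer()
    n_msg = server.issue("198.51.100.7", now)              # first embodiment
    node_p = SecurityNode(server, "198.51.100.8", now)     # second embodiment
    q_msg = node_p.issue("198.51.100.9", now)
    forged = dict(q_msg, ID=H3("203.0.113.5", now))        # token replayed under another ID
    return {"n_ok": verify_flat(server.Q0, n_msg, now),
            "q_ok": verify_hierarchical(server, q_msg, now),
            "forged_ok": verify_hierarchical(server, forged, now),
            "expired_ok": verify_hierarchical(server, q_msg, now + ID_LIFETIME)}
```

The forged and expired cases show the two rejections a verifying node makes before trusting a token: a token does not transfer to another identity, and a stale T_Q is refused even with a valid token.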
With network address translation, multiple hosts can access the network using a single network logical address. If identities were generated for users from this network logical address, the multiple users accessing the system would have the same identity and the system could not operate normally. The third embodiment solves this problem: a host inside the network must, when accessing the system, provide both the public network logical address and the port number it uses, and the cloud platform server generates the user's identity from this information. Because different hosts use different port numbers, each user inside the address-translated network can also hold a different identity. The third embodiment extends the first embodiment, and the system initialization stage is identical.
An illegal user can obtain multiple identities by using multiple different port numbers. To solve this problem, the third embodiment extends the user login process of the first embodiment as follows:
the cloud platform server generates a cryptographic computation $H(ID_N \,||\, T_N \,||\, PZ_N)$, where "$||$" is the string concatenation operator, and encrypts $S_N$ with $K_N \oplus PZ_N$ to obtain $E(S_N, K_N \oplus PZ_N)$, where $H$ is a cryptographic hash function and $PZ_N$ is a random number of a predetermined bit length; finally it sends $(ID_N, T_N, Tok_N, H(ID_N \,||\, T_N \,||\, PZ_N), E(S_N, K_N \oplus PZ_N))$ to user $N$.
After user $N$ receives and verifies the message, it must first determine $PZ_N$; because a cryptographic hash function is one-way and irreversible, user $N$ can only brute-force $H(ID_N \,||\, T_N \,||\, PZ_N)$ by exhaustive search to obtain $PZ_N$, and then decrypt with $K_N \oplus PZ_N$ to obtain $S_N$. Note that the difficulty of the decryption computation can be controlled by choosing $PZ_N$ of different lengths. The final, third stage of the user login process in the third embodiment is identical to the first embodiment. When user $N$ contacts the cloud platform server to update its key pair, the cloud platform server generates a new cryptographic computation, and the user can obtain the new private key only after solving it.
By making users inside the network pay a certain computational cost to obtain a private key, the speed at which illegal users obtain identities is effectively limited, and so are malicious attacks.
The fourth embodiment is similar to the third and is likewise proposed to solve the problems brought by address translation within a network. The difference is that the fourth embodiment extends the second embodiment: the system initialization process is still identical, and in the user login process a host inside the address-translated network must provide both the public network logical address and the port number, the security node generates the user's identity from this information, and the remaining operations of this stage are the same.
In the user login process, the security node generates a cryptographic computation $H(ID_Q \,||\, T_Q \,||\, PZ_Q)$, where $PZ_Q$ is a random number of a predetermined bit length, and encrypts $S_Q$ with $K_{P \cdot Q} \oplus PZ_Q$ to obtain $E(S_Q, K_{P \cdot Q} \oplus PZ_Q)$; finally it sends $(ID_Q, T_Q, Q_P, Tok_Q, H(ID_Q \,||\, T_Q \,||\, PZ_Q), E(S_Q, K_{P \cdot Q} \oplus PZ_Q))$ to $Q$.
After user $Q$ receives and verifies the message, it first brute-forces $H(ID_Q \,||\, T_Q \,||\, PZ_Q)$ by exhaustive search to obtain $PZ_Q$, and then decrypts with $K_{P \cdot Q} \oplus PZ_Q$ to obtain $S_Q$; the final stage of the user login process in the fourth embodiment is identical to the second embodiment. When $Q$ contacts the security node to update its key pair, the security node generates a new cryptographic computation, and the user can obtain the new private key only after solving it.
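The puzzle-protected private-key delivery of the third and fourth embodiments, as an added Python example (not the patent's code): SHA-256 stands in for H, a SHA-256 counter keystream stands in for the unspecified symmetric cipher E, and PZ_N is zero-extended to the key length before the XOR with K_N (an assumption, since the page does not say how a short PZ_N is combined with the key). The work counter shows how the bit length of PZ_N sets the client's cost.

```python
import hashlib
import secrets

KEY_LEN = 32   # bytes of K_N; the key-exchange output is modelled as random bytes here

def encrypt_xor(key, data):
    """Stand-in for E(data, key): XOR with a SHA-256 counter keystream. The page
    leaves the symmetric cipher unspecified; this one is unauthenticated."""
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = hashlib.sha256(key + off.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], ks))
    return bytes(out)

def masked_key(k_n, pz):
    """K_N xor PZ_N, with PZ_N right-aligned and zero-extended to the key length (assumed)."""
    return bytes(a ^ b for a, b in zip(k_n, pz.to_bytes(KEY_LEN, "big")))

def puzzle_hash(identity, t, pz, bits):
    """H(ID_N || T_N || PZ_N), '||' being byte-string concatenation."""
    data = identity.encode() + str(t).encode() + pz.to_bytes((bits + 7) // 8, "big")
    return hashlib.sha256(data).digest()

def issue_with_puzzle(identity, t, tok, k_n, s_n, bits):
    """Server (third embodiment): choose PZ_N of `bits` bits, publish
    H(ID||T||PZ), and encrypt S_N under K_N xor PZ_N rather than K_N."""
    pz = secrets.randbits(bits)
    return {"ID": identity, "T": t, "Tok": tok, "bits": bits,
            "H": puzzle_hash(identity, t, pz, bits),
            "E": encrypt_xor(masked_key(k_n, pz), s_n)}

def solve_and_decrypt(msg, k_n):
    """Client: exhaustive search for PZ_N (H is one-way, so there is no shortcut),
    then decrypt with K_N xor PZ_N. Returns (S_N, number of hashes evaluated)."""
    for pz in range(1 << msg["bits"]):
        if puzzle_hash(msg["ID"], msg["T"], pz, msg["bits"]) == msg["H"]:
            return encrypt_xor(masked_key(k_n, pz), msg["E"]), pz + 1
    raise ValueError("no PZ_N matches: message corrupted or tampered")

def demo(bits=16):
    """Constructed run: sample identity, timestamp, token and private-key bytes."""
    k_n = secrets.token_bytes(KEY_LEN)
    s_n = secrets.token_bytes(40)                       # stands in for the encoded S_N
    msg = issue_with_puzzle("id-sample", 1_700_000_000, b"tok-sample", k_n, s_n, bits)
    recovered, work = solve_and_decrypt(msg, k_n)
    tampered = dict(msg, H=bytes(32))                   # puzzle value altered in transit
    try:
        solve_and_decrypt(tampered, k_n)
        tampered_rejected = False
    except ValueError:
        tampered_rejected = True
    return {"recovered": recovered == s_n, "work": work,
            "max_work": 1 << bits, "tampered_rejected": tampered_rejected}
```

Each extra bit of PZ_N doubles the worst-case search the client must perform, which is the knob the text describes for throttling identity acquisition; the server's own cost stays one hash and one encryption per issuance.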
In another aspect of the invention, the component architecture that performs the method of the invention optionally includes a cloud platform server, a data owner, data providers and authorized data users. The data owner controls all rights to the data, distributes the public key, and instructs the data providers to upload the collected data encrypted under the public key. The data owner can process the combined data itself or authorize other users to use the encrypted data. Each data provider may contribute a small part of the data. The data owner or an authorized user interacts with the cloud platform server to complete a data analysis or data mining task.
For the collected data, the data owner generates an $n$-dimensional random vector $b_0$ with $b_0 \in GF(2^p)$. $b_0$ is encrypted with the public key, i.e. $E(b_0) = (E(b_{01}), \ldots, E(b_{0n}))$, and then distributed to the data providers.
Data provider $i$ submits part of the rows of its matrix $A_i$ to the cloud storage in encrypted form. In addition, it uses the following homomorphic algorithm to compute the result $E(A_i b_0)$ and submits it to the data owner. Assume a certain row of $A_i$ is $a$; then:
The number of elements in $E(A_i b_0)$ equals the number of rows the provider submits to the cloud platform server, and that number is usually 1. Finally, the data owner collects all $E(A_i b_0)$ and decrypts them to find $A b_0$.
To protect the security of the plaintext vectors submitted to the cloud platform server, the authorized data user must perform several steps to prepare for the perturbation method. The client then cooperates with the cloud platform server to complete the secure matrix-vector multiplication iteratively.
The authorized data user receives $E(b_0)$, $E(A b_0)$ and the decryption key from the data owner, then selects $m$ $n$-dimensional random vectors and sends them to the cloud platform server, where $m$ is small (e.g. $m = 5$). These random vectors are used to perturb and protect the vectors $\{b_i\}$ during each iteration. The invention denotes the seed random vectors as $\{s_i\}$, $i = 1, \ldots, m$, $s_i \in GF(2^p)$.
For each random vector $s_i$, the secure computation of $A_i s_i$ is carried out on the cloud platform server according to the following steps. For the $j$-th element $(A_i s_i)_j$ of the result vector:
where $s_{ik}$ denotes the $k$-th element of vector $s_i$, and $A_{jk}$ denotes the $(j, k)$-th element of matrix $A$. $E(A s_i)$ is sent back to the client and kept for later decryption and processing. After the preparation stage, the authorized user holds the random vectors $S = \{s_i\}$ and the result vectors $AS = (A s_i)$, $i = 1, \ldots, m$.
The iteration stage starts from the random vector $b_0$ and performs $b_{k+1} = A b_k / \|A b_k\|$ together with the other inexpensive steps of the dominant-eigenvalue computation. $b_i$ must be kept secret in each iteration, otherwise the eigenvector would leak. The following method is used to protect the privacy of the computation.
$E(A b_i)$ is computed from $E(A)$ and $b_i$. Before sending $b_i$ to the cloud platform server, the invention applies a perturbation method to protect $b_i$. The basic idea is to use a random vector $r_i$ and send the perturbed vector, rather than $b_i$ itself, to the cloud platform server:
$b'_i = b_i + r_i \bmod q$
where $q$ is a large random prime, large enough to contain all values in the application domain. $r_i$ is designed from the seed random vectors generated in the preparation stage:
where $i = 1, \ldots, k$, and $\alpha_{il}$ and $\beta_{ij}$ are randomly chosen from $q$. $\{A s_k\}$ and $\{A b_j\}$, $j < i$, were computed in the preparation stage and the previous steps, and $A r_i$ is:
The client sets $b'_i = b_i + r_i \bmod q$; the server computes $E(A b'_i)$ and returns the result. The client decrypts $E(A b'_i)$ to obtain $A b'_i$. Then $A b_i = A b'_i - A r_i \bmod q$, which is used to compute $b_{i+1} = A b_i / \|A b_i\|$ in the next iteration.
The client passes the perturbed vector $b'_i$ as a parameter to the distributed computation program, and the cloud platform server computes and returns $A b'_i$. The distributed computation method the cloud platform server uses to compute $E(A b'_i)$ is as follows. The map function applies the vector multiplication formula above and emits its results keyed by row number. The map output is partitioned and sorted by row number and then sent to the corresponding distributed nodes, which write the data segments to disk.
In summary, the method of the invention can effectively solve the problem of illegal users attacking through network logical addresses, ensures the security of the system, and is suitable for cloud storage systems.
Obviously, those skilled in the art should understand that the modules or steps of the invention described above may be implemented with a general-purpose computing system; they may be concentrated on a single computing system or distributed over a network formed by multiple computing systems; alternatively they may be implemented as program code executable by a computing system, so that they can be stored in a storage system and executed by the computing system. Thus the invention is not restricted to any specific combination of hardware and software.
It should be understood that the above embodiments of the invention are used only to illustrate or explain the principles of the invention and are not to be construed as limiting it. Therefore, any modification, equivalent substitution, improvement and the like made without departing from the spirit and scope of the invention shall be included within the scope of protection of the invention. Furthermore, the appended claims are intended to cover all changes and modifications falling within the scope and boundaries of the claims or their equivalents.

Claims (1)

  1. A cloud platform big data access method, characterized by comprising:
    The cloud platform server generates two additive groups $G_0$ and $G_1$ of prime order $p$, and a bilinear map $e: G_0 \times G_0 \to G_1$; it selects a random element $s_0$ from the Galois field $GF(2^p)$ as the master key and computes its public key $Q_0 = s_0 P_0$, where $P_0$ is a generator of $G_0$; it pre-selects hash functions $H_1$, $H_2$ and the SHA-1 cryptographic hash function $H_3$; it distributes the key parameters $(G_0, G_1, e, P_0, Q_0, H_1, H_2)$ to users;
    The cloud platform server selects a security node $P$; security node $P$ obtains its identity $ID_P$ and private key $S_P$ from the cloud platform server; security node $P$ selects a random element $s_P$ from the Galois field $GF(2^p)$ as its master key and computes the public key $Q_P = s_P P_0$; user $Q$ obtains the address of security node $P$ through the cloud platform server and then joins the system through security node $P$;
    User $Q$ sends its network logical address $LA_Q$ to security node $P$; security node $P$ verifies user $Q$ by callback, that is, it establishes a connection to $LA_Q$ and transmits every response to the request over that connection, so as to determine that user $Q$ really possesses $LA_Q$; then security node $P$ and user $Q$ perform a key exchange to generate a symmetric key $K_{P \cdot Q}$, with which the subsequently generated private key is transmitted encrypted and the integrity of transmitted messages is protected;
    Security node $P$ assigns user $Q$ an identity $ID_Q$ and the time $T_Q$ at which it is generated, generates the corresponding private key $S_Q$, and generates a token used by other nodes to verify the identity of user $Q$, namely:
    1) obtain the time $T_Q$ at which the identity $ID_Q$ of user $Q$ is generated, and compute the identity of user $Q$ as $ID_Q = H_3(LA_Q, T_Q)$;
    2) compute the public key of user $Q$ as $P_Q = H_1(ID_Q)$;
    3) compute the private key of user $Q$ as $S_Q = S_P + s_P P_Q$, and encrypt it with $K_{P \cdot Q}$ to obtain $E(S_Q, K_{P \cdot Q})$;
    4) compute the token $Tok_Q = S_P + s_P H_2(ID_Q, T_Q)$;
    5) send $(ID_Q, T_Q, Q_P, Tok_Q, E(S_Q, K_{P \cdot Q}))$ to user $Q$;
    After user $Q$ receives the message, it verifies the message and then decrypts with $K_{P \cdot Q}$ to obtain $S_Q$;
    When user $Q$ contacts another node $R$, it sends $(ID_Q, ID_P, T_Q, Q_P, Tok_Q)$; node $R$ determines from the cloud platform server whether $ID_P$ is a security node, and if not, refuses user $Q$; otherwise, node $R$ computes and checks whether $e(P_0, Tok_Q) = e(Q_0, P_P) \cdot e(Q_P, H_2(ID_Q, T_Q))$ holds; if it holds, user $Q$ is determined to have a legal identity and node $R$ establishes contact with user $Q$; otherwise, user $Q$ is refused;
    After the valid identity of user $Q$ expires, user $Q$ contacts node $P$ to update its key pair: user $Q$ sends $(LA_Q, T_Q, Tok_Q)$ to node $P$; $P$ verifies user $Q$, and if the verification passes, $P$ sends the updated identity, time, private key and token to user $Q$; if $P$ has left the system, user $Q$ obtains the address of a new security node through the cloud platform server and sends $(LA_Q, ID_P, T_Q, Q_P, Tok_Q)$ to it, and the new security node updates the key pair for $Q$.
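The token issuance of claim steps 1) to 4) and node R's pairing check, as an added Python example that is not part of the patent. It substitutes a toy symmetric pairing e(a, b) = g^(ab) mod p over G_0 = (Z_q, +) (bilinear, but trivially breakable, so only the algebra of the check is being demonstrated), maps H_1 and H_2 into Z_q with SHA-256 since the patent does not fix them, and assumes the security node's private key is S_P = s_0 H_1(ID_P), which is the form the verification equation e(Q_0, P_P) requires.

```python
import hashlib
import secrets

# Toy symmetric pairing, constructed for illustration only (not secure): G0 = (Z_q, +) with
# generator P0 = 1, G1 = the order-q subgroup of Z_p^* generated by g, and
# e(a, b) = g^(a*b) mod p, which is bilinear: e(x*P0, y*P0) = e(P0, P0)^(x*y).
q = 1019                      # prime group order (toy size; a real scheme uses ~256-bit q)
p = 2 * q + 1                 # 2039 is prime, so Z_p^* has a subgroup of order q
g = pow(2, (p - 1) // q, p)   # generator of that subgroup
P0 = 1                        # generator of G0

def e(a, b):
    return pow(g, (a * b) % q, p)

def h_to_zq(tag, *parts):
    """Hashes labelled inputs into Z_q; assumed stand-in for the patent's H1 and H2."""
    data = tag.encode() + b"|".join(str(x).encode() for x in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % q

def setup():
    """Cloud platform server: master key s0 and public key Q0 = s0*P0."""
    s0 = secrets.randbelow(q - 1) + 1
    return s0, (s0 * P0) % q

def node_keys(s0, id_p):
    """Security node P: private key S_P from the server, own master key s_P, public key Q_P.
    Assumption: S_P = s0*H1(ID_P), the form the claim's check e(Q0, P_P) requires."""
    S_P = (s0 * h_to_zq("H1", id_p)) % q
    s_p = secrets.randbelow(q - 1) + 1
    return S_P, s_p, (s_p * P0) % q

def issue(S_P, s_p, la_q, t_q):
    """Claim steps 1)-4): ID_Q = H3(LA_Q, T_Q) with SHA-1, P_Q = H1(ID_Q),
    S_Q = S_P + s_P*P_Q and Tok_Q = S_P + s_P*H2(ID_Q, T_Q)."""
    id_q = hashlib.sha1(f"{la_q}|{t_q}".encode()).hexdigest()
    P_Q = h_to_zq("H1", id_q)
    S_Q = (S_P + s_p * P_Q) % q
    Tok_Q = (S_P + s_p * h_to_zq("H2", id_q, t_q)) % q
    return id_q, S_Q, Tok_Q

def verify(Q0, id_p, Q_P, id_q, t_q, Tok_Q):
    """Node R's check: e(P0, Tok_Q) == e(Q0, P_P) * e(Q_P, H2(ID_Q, T_Q)).
    It needs only public values, so R never learns s_P or S_P."""
    P_P = h_to_zq("H1", id_p)
    lhs = e(P0, Tok_Q)
    rhs = (e(Q0, P_P) * e(Q_P, h_to_zq("H2", id_q, t_q))) % p
    return lhs == rhs
```

A token minted by a node the cloud server never enrolled (any S_P other than s_0 H_1(ID_P)) fails the check even though it has the right shape, which is the property node R relies on.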

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201510279993.5A CN105007259B (en) 2015-05-27 2015-05-27 Cloud platform big data access method

Publications (2)

Publication Number Publication Date
CN105007259A CN105007259A (en) 2015-10-28
CN105007259B true CN105007259B (en) 2018-03-02

Family

ID=54379782

Country Status (1)

Country Link
CN (1) CN105007259B (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102611749A (en) * 2012-01-12 2012-07-25 电子科技大学 Cloud-storage data safety auditing method
CN102984156A (en) * 2012-11-30 2013-03-20 无锡赛思汇智科技有限公司 Verifiable distributed privacy data comparing and sorting method and device
CN103067374A (en) * 2012-12-26 2013-04-24 电子科技大学 Data safety audit method based on identification

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant