CN105354507A - Data security confidentiality method under cloud environment - Google Patents

Publication number
CN105354507A
Authority
CN
China
Prior art keywords
control module
user
cloud
information
authentication
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201510696609.1A
Other languages
Chinese (zh)
Other versions
CN105354507B (en)
Inventor
邵森龙
傅如毅
蒋行杰
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Zhejiang Yuanwang Software Co Ltd
Original Assignee
Zhejiang Yuanwang Software Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Zhejiang Yuanwang Software Co Ltd
Priority to CN201510696609.1A (patent/CN105354507B/en)
Publication of CN105354507A (patent/CN105354507A/en)
Application granted
Publication of CN105354507B (patent/CN105354507B/en)
Legal status: Active
Anticipated expiration

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/10 Protocols in which an application is distributed across nodes in the network
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31 User authentication
    • G06F21/32 User authentication using biometric data, e.g. fingerprints, iris scans or voiceprints

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Software Systems (AREA)
  • General Health & Medical Sciences (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Health & Medical Sciences (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Bioethics (AREA)
  • Databases & Information Systems (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Storage Device Security (AREA)

Abstract

The present invention discloses a data security confidentiality method under a cloud environment. The method is based on an independent third-party authentication and storage device and a terminal security detection program. The third-party authentication and storage device comprises a self-controlled chip and a memory; the program that runs on the self-controlled chip comprises a control module and a file system module; the memory comprises an encrypted memory area and an ordinary memory area; the control module accesses the encrypted memory area of the memory; the ordinary memory area contains the terminal security detection program; the encrypted memory area contains identity authentication information, a key and an algorithm software carrier; the key uses an encryption mode that combines an AES (Advanced Encryption Standard) symmetric key with an RSA (Rivest Shamir Adleman) asymmetric key; and a fingerprint identifier is arranged on the third-party authentication and storage device. The method guards against data being stolen or tampered with in the cloud environment, and improves the security and confidentiality of user data at the terminal and at the server.

Description

A data security confidentiality method under a cloud environment
[Technical Field]
The present invention relates to a method of protecting information security, and in particular to a data security confidentiality method under a cloud environment.
[Background Art]
Cloud computing lets users obtain application services from any location and from a variety of terminals; the requested resources come from the "cloud" rather than from a fixed, tangible entity. Enterprises and individual users hold large amounts of private data, such as business secrets, corporate customer information, financial data, private bank accounts and passwords, and private photos. For a user of a cloud computing service the "cloud" is a black box: the user does not know where the data is ultimately stored, whether the data transmission is secure, or whether the cloud service provider has privileged access to the user data. In other words, the user cannot control the data in the cloud environment, which inevitably raises concerns about the confidentiality and integrity of the stored data and about user privacy.
How to guarantee the security of user data in the cloud environment while the user is using cloud computing services has therefore become a problem in urgent need of a solution as cloud computing services evolve: how to ensure that data is not stolen or tampered with during network transmission; how to ensure that the user's sensitive data cannot be leaked when the cloud computing service provider obtains the data; how to ensure that the accessing user has passed strict permission authentication and that the data access is legitimate; and how to ensure that users can securely access their own data at any time.
[Summary of the Invention]
The object of the present invention is to overcome the above deficiencies of the prior art by providing a data security confidentiality method under a cloud environment, intended to solve the technical problems in the prior art that information confidentiality is poor and data is easily leaked while cloud computing services are in use.
To achieve the above object, the present invention proposes a data security confidentiality method under a cloud environment, based on an independent third-party authentication and storage device and a terminal security detection program. The third-party authentication and storage device comprises a self-controlled chip and a memory; the program that runs on the self-controlled chip comprises a control module and a file system module; the memory comprises an encrypted memory area and an ordinary memory area; the control module accesses the encrypted memory area of the memory by calling the file system module; the ordinary memory area contains the terminal security detection program; the encrypted memory area contains authentication information, a key and an algorithm software carrier; the key uses an encryption mode that combines an AES symmetric key with an RSA asymmetric key; and the third-party authentication and storage device is also provided with a fingerprint identifier. The concrete steps are as follows:
A) Initial state: the third-party authentication and storage device is connected to the cloud access terminal device over the USB protocol, and the control module on the self-controlled chip runs;
B) Password verification: once the third-party authentication and storage device is connected to the cloud access terminal device, the device password verification dialog box pops up automatically and waits for the user's input; the password entered by the user is passed to the control module; the control module calls the file system module to access the encrypted memory area of the memory and compares the password entered by the user with the device password configured on the third-party authentication and storage device; if they match, go to step E); if they do not match, a password verification error message is fed back and the method goes to step C); if the number of failed password verifications reaches N₁, go to step D);
C) Verification failure: the third-party authentication and storage device pops up the device password verification dialog box again, waits for the user's input, and returns to step B);
D) Access failure: the control module checks the predetermined configuration information of the third-party authentication and storage device; if the configuration is "format", the control module resets the authentication password to the default value and calls the file system module to erase all files in the memory, while a warning box reporting too many errors pops up and then closes automatically; the connection between the third-party authentication and storage device and the cloud access terminal device is broken, and the method returns to step A); if the configuration is not "format", the control module reports the excessive number of errors to the user by popping up a warning box on the third-party authentication and storage device, and goes to step W);
E) Device initialization: after the user password has been verified, the third-party authentication and storage device automatically loads the ordinary memory area and initializes the self-controlled chip and the programs and files in the encrypted memory area; through the control module, the self-controlled chip checks whether the security detection program is present on the cloud access terminal device; if it is, go to step G); if it is not, go to step F);
F) Security detection program installation: through the control module, the self-controlled chip calls the file system module to access the ordinary memory area and runs the security detection program; the cloud service access terminal device completes the automatic installation of the security detection program; go to step I);
G) Security policy upgrade: through the control module, the self-controlled chip upgrades the security inspection policy of the cloud service access terminal system; once the upgrade is complete, go to step I);
I) Security check: the user runs the security detection program to perform a security check on the access terminal system and determine whether the terminal system meets the secure access baseline; if it does, go to step K); if it does not, go to step J);
J) Terminal system security hardening: the security detection program automatically performs security early warning and security hardening on the terminal system, and returns to step I);
K) Permission authentication: on the information that the secure access baseline is met, the control module pops up the dialog box for user identity permission authentication; the user enters authentication information in the dialog box, and the control module compares it with the authentication information preset in the encrypted memory area; if they match, go to step M); if they do not match, an authentication error message is fed back and the method goes to step L); if the number of authentication attempts reaches N₂, go to step W);
L) Authentication failure: on the authentication failure information, the control module pops up the authentication dialog box again, waits for the user's input, and returns to step K);
M) Cloud server login: on the information that authentication succeeded, the control module pops up the user login information verification dialog box on the cloud service terminal and waits for the user's input; the control module compares the login information entered by the user with the previously configured information; if they match, go to step P); if they do not match, a login information verification error message is fed back and the method goes to step O); if the number of login information verifications reaches N₃, go to step W);
O) Login failure: on the verification failure information, the user login information verification dialog box pops up again, waits for the user's input, and the method returns to step M);
P) Cloud server access: after the user has logged in successfully, the control module of the third-party authentication and storage device calls the file system module to access the resources in the cloud computing server directly;
Q) Encrypted data transmission: the user, through the control module, calls the file system module to access the encrypted memory area, and uses the public key of the RSA asymmetric key, executing the algorithm software carrier, to asymmetrically encrypt the AES symmetric key together with the important data in the encrypted memory area, so that the AES symmetric key and the important data exist in ciphertext form, and sends them to the cloud processor module of the cloud server through a trusted channel;
R) Data application processing: the handler in the cloud processor module performs application processing on the important data in the ciphertext;
S) Symmetric encryption processing: using the encryption module of the cloud server, the AES symmetric key is used to run the symmetric encryption algorithm and encrypt the processed important data again, so that the data exists in doubly encrypted ciphertext form;
T) Data storage: the control module directly accesses the cloud storage processing module of the cloud server, which provides the storage service for cloud data and files, and the doubly encrypted ciphertext is stored in the cloud computing data storage server;
U) Cloud server exit: once storage is complete, the user exits the cloud server;
V) Logging: after the user has finished operating, the control module compiles log information from the user's operation flow, the transmission of file data and similar information, and writes this log information to the record space in the memory;
W) End of operation: on the information it has received, the control module directly causes the third-party authentication and storage device to disconnect from the cloud access terminal device.
Preferably, the fingerprint identifier is connected to the self-controlled chip and communicates with the control module, and the fingerprint recorded by the fingerprint identifier is bound to the user.
Preferably, the value of N₁ in step B) is ≥ 3.
Preferably, the value of N₂ in step K) is ≥ 3.
Preferably, the value of N₃ in step M) is ≥ 3.
Preferably, the objects of the security check in step I) include the operating system type of the cloud access terminal device, the state of its open ports, whether antivirus software is installed, the presence of viruses and Trojans, and so on.
Preferably, the trusted channel in step Q) includes the HTTP protocol and a VPN channel.
Preferably, the public key of the RSA asymmetric key is paired with the private key of the RSA asymmetric key, and the private key of the RSA asymmetric key is held only by the user.
Preferably, the information received by the control module in step W) includes the information that the configuration is not "format", the information that the number of identity permission authentication attempts has reached N₂, and the information that the number of login information verifications has reached N₃.
Beneficial effects of the present invention: compared with the prior art, the protection method for a cloud service access terminal provided by the present invention has reasonable steps. An independent third-party authentication and storage device manages the authentication information and the key, and data is encrypted both at the cloud service terminal and at the server, so that data exists in the cloud environment as encrypted ciphertext. This avoids the situation in which data exists in plaintext and is easily stolen, improves the security of data in the cloud environment, and safeguards the user's ownership of the data. Before the cloud server is accessed, the terminal system undergoes a security check, with automatic early warning and security hardening of the terminal system, which lays a security foundation for the use of cloud computing services. Data first undergoes asymmetric encryption and is then symmetrically encrypted by the encryption module of the cloud server, so that data in transit and in the cloud server always exists as ciphertext. This prevents data from being leaked, stolen or accessed without authorization at the terminal or the server, further improves the security of the data, and ensures the security and reliability of user data in the cloud environment.
The features and advantages of the present invention are described in detail below by way of an embodiment with reference to the accompanying drawing.
[Brief Description of the Drawings]
Fig. 1 is a schematic flow chart of the embodiment of the present invention.
[Detailed Description]
To make the objects, technical solutions and advantages of the present invention clearer, the invention is further described below with reference to the drawing and an embodiment. It should be understood that the specific embodiment described here only explains the invention and does not limit its scope. In addition, descriptions of well-known structures and techniques are omitted below to avoid unnecessarily obscuring the concepts of the invention.
Referring to Fig. 1, the embodiment of the present invention provides a data security confidentiality method under a cloud environment, based on an independent third-party authentication and storage device and a terminal security detection program. The third-party authentication and storage device comprises a self-controlled chip and a memory; the program that runs on the self-controlled chip comprises a control module and a file system module; the memory comprises an encrypted memory area and an ordinary memory area; the control module accesses the encrypted memory area of the memory by calling the file system module; the ordinary memory area contains the terminal security detection program; the encrypted memory area contains authentication information, a key and an algorithm software carrier; the key uses an encryption mode that combines an AES symmetric key with an RSA asymmetric key; and the third-party authentication and storage device is also provided with a fingerprint identifier.
An ordinary removable storage device usually contains only an ordinary memory area; the files stored in it can be parsed and operated on directly by the operating system of the service terminal, and the device has no means of keeping the data confidential, so the data stored on it is easily leaked or stolen. To avoid this situation, the third-party authentication and storage device in the embodiment of the present invention carries its own self-controlled chip and comprises an encrypted memory area and an ordinary memory area. Important files and data are all stored in the encrypted memory area, and the data and files in the encrypted memory area are accessed or parsed only through the self-controlled chip. The encrypted memory area also contains the authentication information, the key, the important data and so on, which the self-controlled chip of the third-party authentication and storage device accesses directly. The important information, the key and the data are thereby physically isolated from the cloud service access terminal system, which ensures that important information is not stolen or leaked and greatly reduces the user's concern.
The concrete steps are as follows:
A) Initial state: the third-party authentication and storage device is connected to the cloud access terminal device over the USB protocol, and the control module on the self-controlled chip runs.
B) Password verification: once the third-party authentication and storage device is connected to the cloud access terminal device, the device password verification dialog box pops up automatically and waits for the user's input; the password entered by the user is passed to the control module; the control module calls the file system module to access the encrypted memory area of the memory and compares the password entered by the user with the device password configured on the third-party authentication and storage device; if they match, go to step E); if they do not match, a password verification error message is fed back and the method goes to step C); if the number of failed password verifications reaches N₁, go to step D).
In the embodiment of the present invention, the user must pass verification against the device password configured on the third-party authentication and storage device before the device can be run. Step B) is thus the first restriction applied at the cloud service terminal before cloud computing services are used; it prevents an illegal user from directly accessing the memory areas of the third-party authentication and storage device. The control module also retains the count of failed password verifications after the third-party authentication and storage device has been disconnected from the cloud service access terminal device, so an illegal user cannot keep trying passwords by disconnecting and reconnecting the device.
Here the value of N₁ is ≥ 3; in the embodiment of the present invention, N₁ is 5.
C) Verification failure: the third-party authentication and storage device pops up the device password verification dialog box again, waits for the user's input, and returns to step B).
D) Access failure: the control module checks the predetermined configuration information of the third-party authentication and storage device; if the configuration is "format", the control module resets the authentication password to the default value and calls the file system module to erase all files in the memory, while a warning box reporting too many errors pops up and then closes automatically; the connection between the third-party authentication and storage device and the cloud access terminal device is broken, and the method returns to step A); if the configuration is not "format", the control module reports the excessive number of errors to the user by popping up a warning box on the third-party authentication and storage device, and goes to step W).
In the embodiment of the present invention, the configuration information is set by the manufacturer when the control chip is produced, and can also be adjusted and set by the user according to the importance of the stored data. If the user's configuration is "format", the control module formats the important files and data in the memory areas of the third-party authentication and storage device, which prevents the internal data from being stolen by an illegal user and avoids unnecessary loss.
E) Device initialization: after the user password has been verified, the third-party authentication and storage device automatically loads the ordinary memory area and initializes the self-controlled chip and the programs and files in the encrypted memory area; through the control module, the self-controlled chip checks whether the security detection program is present on the cloud access terminal device; if it is, go to step G); if it is not, go to step F).
F) Security detection program installation: through the control module, the self-controlled chip calls the file system module to access the ordinary memory area and runs the security detection program; the cloud service access terminal device completes the automatic installation of the security detection program; go to step I).
G) Security policy upgrade: through the control module, the self-controlled chip upgrades the security inspection policy of the cloud service access terminal system; once the upgrade is complete, go to step I).
I) Security check: the user runs the security detection program to perform a security check on the access terminal system and determine whether the terminal system meets the secure access baseline; if it does, go to step K); if it does not, go to step J).
Here the objects of the security check include the operating system type of the cloud access terminal device, the state of its open ports, whether antivirus software is installed, the presence of viruses and Trojans, and so on.
J) Terminal system security hardening: the security detection program automatically performs security early warning and security hardening on the terminal system, and returns to step I).
In the embodiment of the present invention, steps E) to J) are the second restriction applied at the cloud service terminal before cloud computing services are used. The control chip initializes the device and assesses the security of the terminal system: it makes sure a security check program is present on the terminal system, the security check program inspects the terminal system and hardens its security, and the next operation is allowed only once the terminal system meets the secure access baseline.
Further, the third-party authentication and storage device carries its own terminal security detection program; if the access terminal device has no security check program, the control module runs the terminal security detection program, which unpacks itself and completes the installation.
Further, the security detection program checks the access terminal's operating system type, the state of its open ports, whether antivirus software is installed, the presence of viruses and Trojans, and so on.
K) Permission authentication: on the information that the secure access baseline is met, the control module pops up the dialog box for user identity permission authentication; the user enters authentication information in the dialog box, and the control module compares it with the authentication information preset in the encrypted memory area; if they match, go to step M); if they do not match, an authentication error message is fed back and the method goes to step L); if the number of authentication attempts reaches N₂, go to step W).
Here the value of N₂ is ≥ 3; in the embodiment of the present invention, N₂ is 4.
L) Authentication failure: on the authentication failure information, the control module pops up the authentication dialog box again, waits for the user's input, and returns to step K).
In the embodiment of the present invention, step K) is the third restriction applied before cloud computing services are used. It prevents an illegal user who has got past the first two restrictions from accessing files or data: the user must pass permission authentication to access the files or data in the encrypted memory area, and a user who does not pass is warned. The control module also records the number of authentication failures, and this count is retained when the third-party authentication and storage device is disconnected from the access terminal device. An illegal user therefore cannot clear the authentication failure record by disconnecting the device from the access terminal, and so cannot keep retrying permission authentication.
Further, the third-party authentication and storage device is provided with a fingerprint identifier, which is connected to the control chip and communicates with the control module; the authentication information is bound to the user, that is, the authentication information is the user's fingerprint information.
M) Cloud server login: on the information that authentication succeeded, the control module pops up the user login information verification dialog box on the cloud service terminal and waits for the user's input; the control module compares the login information entered by the user with the previously configured information; if they match, go to step P); if they do not match, a login information verification error message is fed back and the method goes to step O); if the number of login information verifications reaches N₃, go to step W).
O) Login failure: on the verification failure information, the user login information verification dialog box pops up again, waits for the user's input, and the method returns to step M).
In the embodiment of the present invention, step M) is the fourth restriction applied at the service terminal before cloud computing services are used; it prevents an illegal user who has broken through the first three restrictions from accessing the data in the encrypted memory area. If the number of login verifications is greater than N₃, the control module still retains the verification count after the third-party removable storage device has been disconnected from the hardware platform, and the login verification record cannot be cleared by forcibly disconnecting the third-party removable storage device from the hardware platform, which stops an illegal user from continually attempting to log in.
Here the value of N₃ is ≥ 3; in the embodiment of the present invention, N₃ is 4.
P) Access the cloud server: after the user logs in successfully, the control module of the third-party authentication and storage device calls the file system module to directly access resources in the cloud computing server.
Q) Encrypted data transmission: the user accesses the encrypted storage area through the control module, which calls the file system module; using the public key of the RSA asymmetric key pair and running the algorithm software carrier, the AES symmetric key is asymmetrically encrypted together with the important data in the encrypted storage area, so that both the AES symmetric key and the important data exist in ciphertext form, and they are sent to the cloud processor module of the cloud server over a trusted channel.
The trusted channel includes the HTTP protocol and a VPN channel.
At the cloud service terminal, the AES symmetric key and the important data are asymmetrically encrypted together with the public key of the RSA asymmetric key pair, which ensures that the important data always exists in ciphertext form both during transmission and in the cloud server, so the data is sufficiently secure.
Further, the public key of the RSA asymmetric key pair matches its private key, and the private key is held only by the user. Further operations are possible if and only if the user decrypts the encrypted data with the private key; because only the user holds the private key, it is sufficiently confidential, which further safeguards the security of the data.
R) Data application processing: the handler in the cloud processor module applies processing to the important data in ciphertext.
S) Symmetric encryption: the encryption module of the cloud server runs the symmetric encryption algorithm with the AES symmetric key to encrypt the processed important data again, so that the data exists as doubly encrypted ciphertext.
T) Data storage: the control module directly accesses the cloud storage processor module of the cloud server to carry out the storage service for cloud data and files, and the doubly encrypted ciphertext is stored in the cloud computing data storage server.
While the data is in the cloud server it is encrypted again with the symmetric encryption algorithm, so the data finally resides in the cloud server as doubly encrypted ciphertext. This further strengthens the confidentiality and security of the data; the user does not need to worry about where in the cloud computing data storage server the important data resides or whether it can be stolen.
Further, the important data is first encrypted with RSA asymmetric encryption; the RSA asymmetric encryption algorithm is complex and highly secure, which ensures that the important data and the AES symmetric key are not stolen. Symmetric encryption is then performed in the cloud server, where the encryption environment is secure, and both the AES symmetric key and the important data are in unreadable ciphertext form, so security is greatly strengthened.
U) Exit the cloud server: after storage is complete, the user exits the cloud server.
V) Logging: after the user completes the operation, the control module compiles log information from the user's operation process and the transmission of information such as file data, and writes this log information to the record space in the memory.
W) End of operation: according to the information it receives, the control module directly disconnects the communication connection between the third-party authentication and storage device and the cloud access terminal device.
In this embodiment of the invention, after the data has been doubly encrypted, the ciphertext is stored in the storage server for cloud data and files, which ensures permanent storage of the user's data; an illegitimate user cannot steal it, and even if it is stolen it cannot be accessed, which safeguards the reliability and security of data in the cloud environment.
Further, after the user exits the cloud server, the control module records the log information and writes it separately into the record space in the memory. If a third person or a virus intrusion accesses or deletes files or data in the encrypted storage area, the user can check the log information inside the control module to learn the transmission path and time of the files or data and recover them in time, avoiding unnecessary loss.
Furthermore, according to the information it receives, including the information that the device is not configured to format, the information that the number of identity permission authentications has reached N2, and the information that the number of login verifications has reached N3, the control module promptly disconnects the communication connection between the third-party authentication and storage device and the cloud access terminal device, so the possibility of data being stolen is almost zero.
The foregoing is only a preferred embodiment of the present invention and is not intended to limit it; any modification, equivalent replacement or improvement made within the spirit and principles of the present invention shall fall within the scope of protection of the present invention.
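The attempt limits N1, N2 and N3, and the requirement that the verification count survives a disconnect and cannot be cleared by unplugging the device, can be modelled as follows. This is an added example, not code from the patent: the class and function names, the JSON file standing in for the record space, the sample secrets and default password, clearing a counter on success, and counting an attempt before comparing are all assumptions.

```python
import hmac
import json
import os
import tempfile

# gate -> (step on success, step on a retryable failure, step once the limit is hit)
GATES = {
    "device_password": ("E", "C", "D"),  # step B, limit N1
    "identity": ("M", "L", "W"),         # step K, limit N2
    "cloud_login": ("P", "O", "W"),      # step M, limit N3
}


class ControlModule:
    """Hypothetical model of the device's control module (not the patent's code)."""

    def __init__(self, state_path, secrets, limits, format_on_lockout=False,
                 default_password="000000"):  # default value is constructed
        self.state_path = state_path          # stands in for the record space
        self.secrets = dict(secrets)          # stands in for the encrypted area
        self.limits = dict(limits)
        self.format_on_lockout = format_on_lockout
        self.default_password = default_password
        self.files = ["design.doc"]           # constructed stored file
        self.failures = {gate: 0 for gate in GATES}
        if os.path.exists(state_path):        # counts survive a disconnect
            with open(state_path, encoding="utf-8") as fh:
                self.failures.update(json.load(fh))

    def _save(self):
        # Write to a temp file and rename, so unplugging mid-write keeps the old count.
        tmp = self.state_path + ".tmp"
        with open(tmp, "w", encoding="utf-8") as fh:
            json.dump(self.failures, fh)
            fh.flush()
            os.fsync(fh.fileno())
        os.replace(tmp, self.state_path)

    def verify(self, gate, supplied):
        """Return the letter of the next step for one attempt at a gate."""
        ok_step, retry_step, limit_step = GATES[gate]
        if self.failures[gate] >= self.limits[gate]:
            return self._limit_reached(limit_step)  # assumption: stays locked
        # Count the attempt before comparing, so pulling the device during
        # the comparison cannot buy a free guess.
        self.failures[gate] += 1
        self._save()
        if hmac.compare_digest(supplied.encode(), self.secrets[gate].encode()):
            self.failures[gate] = 0                 # assumption: success clears it
            self._save()
            return ok_step
        if self.failures[gate] >= self.limits[gate]:
            return self._limit_reached(limit_step)
        return retry_step

    def _limit_reached(self, limit_step):
        if limit_step == "D" and self.format_on_lockout:
            # Step D with "format" configured: default password, wipe files, back to A.
            self.secrets["device_password"] = self.default_password
            self.files.clear()
            self.failures["device_password"] = 0
            self._save()
            return "A"
        return "W"  # step D without formatting, and steps K and M, end at W


def demo():
    """Constructed scenario: three bad logins, unplug, one more, unplug, good login."""
    state = os.path.join(tempfile.mkdtemp(), "record_space.json")
    secrets = {"device_password": "pw-device", "identity": "id-user",
               "cloud_login": "login-user"}                        # constructed values
    limits = {"device_password": 3, "identity": 3, "cloud_login": 4}  # N1, N2, N3
    dev = ControlModule(state, secrets, limits)
    trace = [dev.verify("device_password", "pw-device"),
             dev.verify("identity", "id-user")]
    trace += [dev.verify("cloud_login", guess) for guess in ("a", "b", "c")]
    dev = ControlModule(state, secrets, limits)   # device unplugged and reconnected
    trace.append(dev.verify("cloud_login", "d"))  # fourth failure reaches N3
    dev = ControlModule(state, secrets, limits)   # reconnected again
    trace.append(dev.verify("cloud_login", "login-user"))  # correct, but locked
    return trace


if __name__ == "__main__":
    print(demo())
```

How a locked identity or login gate is released again is not described in the text, so the model leaves it locked.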

Claims (9)

1. A data security confidentiality method in a cloud environment, characterized in that: it is based on an independent third-party authentication and storage device and a terminal security detection program; the third-party authentication and storage device comprises an automatic control chip and a memory; the program running on the automatic control chip comprises a control module and a file system module; the memory comprises an encrypted storage area and a general storage area; the control module accesses the encrypted storage area of the memory by calling the file system module; the general storage area contains the terminal security detection program; the encrypted storage area contains authentication information, keys and an algorithm software carrier; the keys use a combined encryption scheme of an AES symmetric key and an RSA asymmetric key; the third-party authentication and storage device is further provided with a fingerprint recognizer; the specific steps are as follows:
A) Initial state: the third-party authentication and storage device and the cloud access terminal device are connected for communication via the USB protocol, and the control module on the automatic control chip runs;
B) Password verification: after the third-party authentication and storage device is connected to the cloud access terminal device, a password verification box for the third-party authentication and storage device pops up automatically and waits for the user's input; the password entered by the user is passed to the control module, which calls the file system module to access the encrypted storage area of the memory and compares the password entered by the user with the device password configured for the third-party authentication and storage device; if they match, go to step E); if they do not match, feed back a password verification error message and go to step C); if the number of failed password verifications reaches N1, go to step D);
C) Verification failure: the third-party authentication and storage device pops up the device password verification box again, waits for the user's input, and returns to step B);
D) Access failure: the control module checks the predetermined configuration of the third-party authentication and storage device; if the configuration is to format, the control module resets the authentication password to the default value, calls the file system module to clear all files inside the memory, pops up a warning box stating that there have been too many errors and then closes it automatically, disconnects the communication connection between the third-party authentication and storage device and the cloud access terminal device, and returns to step A); if the configuration is not to format, the control module feeds the information that there have been too many errors back to the user by popping up a warning box on the third-party authentication and storage device, and goes to step W);
E) Device initialization: after the user password is verified successfully, the third-party authentication and storage device automatically loads the general storage area and initializes the automatic control chip and the programs and files in the encrypted storage area; through the control module, the automatic control chip checks whether the security detection program exists on the cloud access terminal device; if it exists, go to step G); if it does not exist, go to step F);
F) Install the security detection program: the automatic control chip, through the control module, calls the file system module to access the general storage area and runs the security detection program; the cloud service access terminal device completes the automatic installation of the security detection program; go to step I);
G) Update the security policy: the automatic control chip, through the control module, updates the security check policy of the cloud service access terminal device system; after the update is complete, go to step I);
I) Security check: the user runs the security detection program to perform a security check on the access terminal system and determine whether the terminal system meets the secure access baseline; if it does, go to step K); if it does not, go to step J);
J) Terminal system security hardening: the security detection program automatically performs security early warning and security hardening on the terminal system, and returns to step I);
K) Permission authentication: according to the information that the secure access baseline is met, the control module pops up the authentication box for user identity permission authentication; the user enters authentication information in the box, and the control module compares it with the preset authentication information in the encrypted storage area; if they match, go to step M); if they do not match, feed back an authentication error message and go to step L); if the number of authentications reaches N2, go to step W);
L) Authentication failure: according to the authentication failure information, the control module pops up the authentication box again, waits for the user's input, and returns to step K);
M) Cloud server login: according to the authentication success information, the control module pops up the user login information verification box on the cloud service terminal and waits for the user's input; the control module compares the login information entered by the user with the original configuration information; if they match, go to step P); if they do not match, feed back a login information verification error message and go to step O); if the number of login information verifications reaches N3, go to step W);
O) Login failure: according to the verification failure information, pop up the user login information verification box again, wait for the user's input, and return to step M);
P) Access the cloud server: after the user logs in successfully, the control module of the third-party authentication and storage device calls the file system module to directly access resources in the cloud computing server;
Q) Encrypted data transmission: the user accesses the encrypted storage area through the control module, which calls the file system module; using the public key of the RSA asymmetric key pair and running the algorithm software carrier, the AES symmetric key is asymmetrically encrypted together with the important data in the encrypted storage area, so that both the AES symmetric key and the important data exist in ciphertext form, and they are sent to the cloud processor module of the cloud server over a trusted channel;
R) Data application processing: the handler in the cloud processor module applies processing to the important data in ciphertext;
S) Symmetric encryption: the encryption module of the cloud server runs the symmetric encryption algorithm with the AES symmetric key to encrypt the processed important data again, so that the data exists as doubly encrypted ciphertext;
T) Data storage: the control module directly accesses the cloud storage processor module of the cloud server to carry out the storage service for cloud data and files, and the doubly encrypted ciphertext is stored in the cloud computing data storage server;
U) Exit the cloud server: after storage is complete, the user exits the cloud server;
V) Logging: after the user completes the operation, the control module compiles log information from the user's operation process and the transmission of information such as file data, and writes this log information to the record space in the memory;
W) End of operation: according to the information it receives, the control module directly disconnects the communication connection between the third-party authentication and storage device and the cloud access terminal device.
2. The data security confidentiality method in a cloud environment as claimed in claim 1, characterized in that: the fingerprint recognizer is connected to the automatic control chip and communicates with the control module, and the fingerprint enrolled in the fingerprint recognizer is bound to the user.
3. The data security confidentiality method in a cloud environment as claimed in claim 1, characterized in that: in step B), N1 ≥ 3.
4. The data security confidentiality method in a cloud environment as claimed in claim 1, characterized in that: in step K), N2 ≥ 3.
5. The data security confidentiality method in a cloud environment as claimed in claim 1, characterized in that: in step M), N3 ≥ 3.
6. The data security confidentiality method in a cloud environment as claimed in claim 1, characterized in that: the objects of the security check in step I) include the operating system type, port opening status, antivirus software installation status, virus and Trojan status, etc. of the cloud access terminal device.
7. The data security confidentiality method in a cloud environment as claimed in claim 1, characterized in that: the trusted channel in step Q) includes the HTTP protocol and a VPN channel.
8. The data security confidentiality method in a cloud environment as claimed in claim 1, characterized in that: the public key of the RSA asymmetric key pair matches its private key, and the private key of the RSA asymmetric key pair is held only by the user.
9. The data security confidentiality method in a cloud environment as claimed in claim 1, characterized in that: the information received by the control module in step W) includes the information that the device is not configured to format, the information that the number of identity permission authentications has reached N2, and the information that the number of login verifications has reached N3.
CN201510696609.1A 2015-10-23 2015-10-23 Data security confidentiality method under cloud environment Active CN105354507B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201510696609.1A CN105354507B (en) 2015-10-23 2015-10-23 A kind of data safety time slot scrambling under cloud environment

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201510696609.1A CN105354507B (en) 2015-10-23 2015-10-23 A kind of data safety time slot scrambling under cloud environment

Publications (2)

Publication Number Publication Date
CN105354507A true CN105354507A (en) 2016-02-24
CN105354507B CN105354507B (en) 2018-09-11

Family

ID=55330478

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201510696609.1A Active CN105354507B (en) 2015-10-23 2015-10-23 Data security confidentiality method under cloud environment

Country Status (1)

Country Link
CN (1) CN105354507B (en)

Also Published As

Publication number Publication date
CN105354507B (en) 2018-09-11

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant