CN105354507A - Data security confidentiality method under cloud environment - Google Patents
Data security confidentiality method under cloud environment Download PDFInfo
- Publication number
- CN105354507A CN105354507A CN201510696609.1A CN201510696609A CN105354507A CN 105354507 A CN105354507 A CN 105354507A CN 201510696609 A CN201510696609 A CN 201510696609A CN 105354507 A CN105354507 A CN 105354507A
- Authority
- CN
- China
- Prior art keywords
- control module
- user
- cloud
- information
- authentication
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/62—Protecting access to data via a platform, e.g. using keys or access control rules
- G06F21/6218—Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/62—Protecting access to data via a platform, e.g. using keys or access control rules
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L67/00—Network arrangements or protocols for supporting network services or applications
- H04L67/01—Protocols
- H04L67/10—Protocols in which an application is distributed across nodes in the network
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/30—Authentication, i.e. establishing the identity or authorisation of security principals
- G06F21/31—User authentication
- G06F21/32—User authentication using biometric data, e.g. fingerprints, iris scans or voiceprints
Landscapes
- Engineering & Computer Science (AREA)
- Theoretical Computer Science (AREA)
- Software Systems (AREA)
- General Health & Medical Sciences (AREA)
- Computer Hardware Design (AREA)
- Computer Security & Cryptography (AREA)
- Health & Medical Sciences (AREA)
- Physics & Mathematics (AREA)
- General Engineering & Computer Science (AREA)
- General Physics & Mathematics (AREA)
- Bioethics (AREA)
- Databases & Information Systems (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Storage Device Security (AREA)
Abstract
The present invention discloses a data security confidentiality method under a cloud environment. The method is based on an independent third-party authentication and storage device and a terminal security detection program, wherein, the third-party authentication and storage device comprises a self-controlled chip and a memory; a program that runs on the self-controlled chip comprises a control module and a file system module; the memory comprises an encrypted memory area and an ordinary memory area; the control module accessed the encrypted memory area of the memory; the ordinary memory area comprises the terminal security detection program; the encrypted memory area comprises identity authentication information, a key and an algorithm software carrier; the key adopts an encryption mode of associating an AES (Advanced Encryption Standard) symmetric key with an RSA (Rivest Shamir Adleman) asymmetric key; and a fingerprint identifier is arranged on the third-party authentication and storage device. The data security confidentiality method under the cloud environment disclosed by the present invention guarantees data not to be stolen and tampered in the cloud environment, and improves security and confidentiality of user data in a terminal and a service terminal.
Description
[technical field]
The present invention relates to a kind of method of protection information safety, the data security time slot scrambling particularly under a kind of cloud environment.
[background technology]
Cloud computing support user at an arbitrary position, use various terminal to obtain application service, requested resource is from " cloud ", instead of fixing tangible entity.That enterprise or personal user exist a large amount of private datas, as Enterprise business confidential data, corporate client information data, financial data, Private Banking's account and password, privacy photo etc.For the user using cloud computing service, " cloud " is just as a black box, because in cloud environment, user does not also know that its data are finally stored in where, data transmission procedure whether safety, does not know whether cloud service provider possesses special access right to obtain user data yet.In other words, the data under the uncontrollable cloud environment of user, this will inevitably cause the confidentiality of user to stored data, the worry of the safety problem such as integrality and user privacy.
Use cloud computing service how to guarantee the security of the data of user under cloud environment user simultaneously, namely how to ensure that in the middle of network transmission process, data are not stolen and distort; How to ensure that user's sensitive data cannot be leaked out when obtaining data by cloud computing service business; As with guarantee calling party through strict purview certification and be legal data access, ensure that user at any time can the data having access to self of safety, become with calculation services evolution in the middle of problem in the urgent need to address.
[summary of the invention]
The object of the invention is to overcome above-mentioned the deficiencies in the prior art, the time slot scrambling of the data security under a kind of cloud environment be provided, its be intended to solve in prior art use that information privacy in cloud computing service process is strong, data are easily by the technical matters of leaking.
For achieving the above object, the present invention proposes the data security time slot scrambling under a kind of cloud environment, it is based on one independently Third Party Authentication and memory device and terminal security trace routine, described Third Party Authentication and memory device comprise automatic control chip and storer, the routine package that described automatic control chip runs is containing control module and file system module, described storer comprises cryptographic storage district and general memory area, described control module is by calling the cryptographic storage district of file system module access storer, described general memory area comprises terminal security trace routine, described cryptographic storage district comprises authentication information, key and algorithm software carrier, described key adopts the cipher mode of AES symmetric key and the associating of RSA unsymmetrical key, described Third Party Authentication and memory device are also provided with Fingerprint Identification Unit, its concrete steps are as follows:
A) original state: Third Party Authentication and memory device and cloud access terminal equipment are communicated to connect by usb protocol, the control module on automatic control chip is run;
B) password authentification: after Third Party Authentication and memory device are connected with cloud access terminal devices communicating, automatic spring Third Party Authentication and memory device password authentification frame, wait for the input of user, and password transmission user inputted is to control module, control module calls the cryptographic storage district of file system mould access storer, the password input user and the device password of Third Party Authentication and storage device configurations are compared, if be consistent, then go to step E), if do not conformed to, the then information of feedback cipher authentication error, go to step C), if the number of times that password authentification does not conform to reaches N
1secondary, go to step D),
C) authentication failed: Third Party Authentication and memory device be pop-up device password authentification frame again, waits for the input of user, returns back to step B);
D) access unsuccessfully: control module checks Third Party Authentication and the predetermined configuration information of memory device, if configuration information is format, then authentication password resets to defaults by control module, and call the All Files that file system module removes memory inside, automatically close after ejecting the too much caution frame of errors number simultaneously, disconnect the communication connection of Third Party Authentication and memory device and cloud access terminal equipment, return back to steps A), if configuration information is not for format, then information too much for errors number is fed back to user by ejecting caution frame on Third Party Authentication and memory device by control module, go to step W),
E) initialization apparatus: after user cipher is proved to be successful, Third Party Authentication and memory device load general memory area automatically, and initialization automatic control chip, program in cryptographic storage district and file, by control module, automatic control chip checks whether cloud access terminal equipment exists safety detection program, if exist, then go to step G), if do not exist, then go to step F);
F) safety detection program is installed: automatic control chip calls file system module access general memory area by control module, and security of operation trace routine, cloud service access terminal equipment completes the Auto-mounting of safety detection program, goes to step I);
G) security strategy is upgraded: automatic control chip upgrades the total inspection strategy of cloud service access terminal device systems by control module, goes to step I after having upgraded);
I) safety inspection: user's security of operation trace routine carries out safety inspection to access terminal system, and judge whether terminal system meets secure access baseline, if meet, then go to step K), if do not meet, then go to step J);
J) terminal system security hardening: safety detection program carries out making safe early warning and security hardening by oneself in terminal system, returns back to step I);
K) purview certification: control module is according to the information meeting secure access baseline, eject the certification frame of user identity purview certification, user inputs authentication information in certification frame, the preset authentication information of authentication information and cryptographic storage district is compared by control module, if conformed to, then goes to step M), if do not conformed to, then feed back the information of authentication mistake, go to step L), if the number of times of authentication reaches N
2secondary, then go to step W);
L) authentification failure: control module ejects authentication frame again according to the information of authentification failure, waits for user's input, returns back to step K);
M) Cloud Server logs in: control module is according to the successful information of authentication, user login information checking frame is ejected in cloud service terminal, wait for user's input, the log-on message that user inputs by control module carries out ratio with former configuration information, if conformed to, then goes to step P), if do not conformed to, then feed back the information of log-on message authentication error, go to step O), if the number of times of log-on message checking reaches N
3secondary, then go to step W);
O) login failure: again eject user login information checking frame according to the information of authentication failed, wait for user's input, return back to step M);
P) access Cloud Server: after user logins successfully, call file system mould by the control module of Third Party Authentication and memory device and directly access resource in cloud computing server;
Q) Data Encryption Transmission: user calls file system module access cryptographic storage district by control module, adopt the PKI of RSA unsymmetrical key and executing arithmetic software carrier carries out asymmetric encryption process to AES symmetric key together with the significant data in cryptographic storage district, AES symmetric key and significant data are existed with ciphertext form, and sends to the cloud processor module of Cloud Server by trusted channel;
R) market demand process: use the handling procedure in cloud processor module to carry out application process to the significant data in ciphertext;
S) symmetric cryptography process: the encrypting module using Cloud Server, the significant data after adopting AES symmetric key to run the process of symmetric encipherment algorithm correspondence is encrypted again, and data are existed with the ciphertext form of superencipher;
T) data store: control module directly accesses the cloud stores processor module of Cloud Server, carries out the stores service of cloud data and file, the ciphertext of superencipher is stored in cloud computing data storage server;
U) exit Cloud Server: after having stored, user exits Cloud Server;
V) log: after user's complete operation, control module is organized into log information according to the transmitting procedure of the information such as operating process, file data of user, and by the record space in this log information write storer;
W) end operation: the information that control module receives, directly controls Third Party Authentication and memory device and cloud access terminal equipment and disconnects and communicating to connect.
As preferably, described Fingerprint Identification Unit is connected with automatic control chip, and communicates with control module, and the fingerprint that described Fingerprint Identification Unit is recorded and user bind.
As preferably, described step B) in N
1value>=3.
As preferably, described step K) in N
2value>=3.
As preferably, described step M) in N
3value>=3.
As preferably, described step I) in safety inspection object comprise the OS Type, port development situation, antivirus software installation situation, viral wooden horse situation etc. of cloud access terminal equipment.
As preferably, described step Q) in trusted channel comprise http protocol, VPN passage.
As preferably, the PKI of described RSA unsymmetrical key and the private key of RSA unsymmetrical key match, and the private key of RSA unsymmetrical key is only user to be owned.
As preferably, described step W) in the information that receives of control module comprise the information, the identity purview certification number of times that do not format and reach N
2secondary information and log-on message checking number of times reach N
3secondary information.
Beneficial effect of the present invention: compared with prior art, the method for protecting of a kind of cloud service access terminal provided by the invention, step is reasonable, independently Third Party Authentication and memory device is adopted to manage authentication information and key, and data are carried out to the encryption of data in cloud service terminal and service end, data are existed with the form of encrypted cipher text under cloud environment, avoid data to exist and easy stolen situation about stealing with plaintext version with non-, improve the security of data in cloud environment, ensure the data ownership of user.Before access Cloud Server, terminal device system being carried out to safety detection, carried out automatic early-warning and security hardening process to the security of terminal system, laying foundation for security for using cloud computing service; Data are first through asymmetric encryption process, after again through the encrypting module symmetric cryptography process of Cloud Server, ensure that the data in transmission and Cloud Server exist with the form of ciphertext all the time, prevent data from being leaked in terminal, service end, stealing and unauthorized access, further increase the security of data, ensure the safe reliability under user data cloud environment.
Feature of the present invention and advantage will be described in detail by reference to the accompanying drawings by embodiment.
[accompanying drawing explanation]
Fig. 1 is the schematic flow sheet of the embodiment of the present invention.
[embodiment]
For making the object, technical solutions and advantages of the present invention clearly understand, below by accompanying drawing and embodiment, the present invention is further elaborated.But should be appreciated that, specific embodiment described herein, only in order to explain the present invention, is not limited to scope of the present invention.In addition, in the following description, the description to known features and technology is eliminated, to avoid unnecessarily obscuring concept of the present invention.
Consult Fig. 1, the embodiment of the present invention provides the time slot scrambling of the data security under a kind of cloud environment, it is based on one independently Third Party Authentication and memory device and terminal security trace routine, described Third Party Authentication and memory device comprise automatic control chip and storer, the routine package that described automatic control chip runs is containing control module and file system module, described storer comprises cryptographic storage district and general memory area, described control module is by calling the cryptographic storage district of file system module access storer, described general memory area comprises terminal security trace routine, described cryptographic storage district comprises authentication information, key and algorithm software carrier, described key adopts the cipher mode of AES symmetric key and the associating of RSA unsymmetrical key, described Third Party Authentication and memory device are also provided with Fingerprint Identification Unit.
Usually, ordinary mobile storage is only containing general memory area, and the file of the storage of its inside serviced terminal operating system directly can be resolved and operates, and movable storage device does not have the function of keeping secret to data, namely the data of device memory storage are easily leaked or are stolen, therefore, in order to avoid appealing the generation of situation, Third Party Authentication in the embodiment of the present invention and memory device carry automatic control chip, and this Third Party Authentication and memory device comprise cryptographic storage district and general memory area, vital document or data are all stored in cryptographic storage district, visit or resolve data in cryptographic storage district and file by automatic control chip, in addition authentication information is comprised in cryptographic storage district, key, significant data etc., the automatic control chip of Third Party Authentication and memory device is utilized directly to access, by important information, key and data are isolated with cloud service access terminal system physical, guarantee the situation generation that important information is not stolen and leaks, significantly reduce the worry degree of user.
Its concrete steps are as follows:
A) original state: Third Party Authentication and memory device and cloud access terminal equipment are communicated to connect by usb protocol, the control module on automatic control chip is run.
B) password authentification: after Third Party Authentication and memory device are connected with cloud access terminal devices communicating, automatic spring Third Party Authentication and memory device password authentification frame, wait for the input of user, and password transmission user inputted is to control module, control module calls the cryptographic storage district of file system mould access storer, the password input user and the device password of Third Party Authentication and storage device configurations are compared, if be consistent, then go to step E), if do not conformed to, the then information of feedback cipher authentication error, go to step C), if the number of times that password authentification does not conform to reaches N
1secondary, go to step D).
In embodiments of the present invention, user needs can run this equipment by the device password checking of Third Party Authentication and storage device configurations, i.e. step B) limit in the first step of cloud service terminal as before use cloud computing service, it prevents disabled user from directly accessing the memory block of Third Party Authentication and memory device, simultaneously control module can after Third Party Authentication and memory device and cloud service access terminal equipment disconnect and communicating, what still retain password authentification does not meet number of times, disabled user is avoided constantly to attempt password verify by disconnecting Third Party Authentication and memory device and access terminal equipment.
Wherein, N
1value>=3, in an embodiment of the present invention, N
1value get 5.
C) authentication failed: Third Party Authentication and memory device be pop-up device password authentification frame again, waits for the input of user, returns back to step B).
D) access unsuccessfully: control module checks Third Party Authentication and the predetermined configuration information of memory device, if configuration information is format, then authentication password resets to defaults by control module, and call the All Files that file system module removes memory inside, automatically close after ejecting the too much caution frame of errors number simultaneously, disconnect the communication connection of Third Party Authentication and memory device and cloud access terminal equipment, return back to steps A), if configuration information is not for format, then information too much for errors number is fed back to user by ejecting caution frame on Third Party Authentication and memory device by control module, go to step W).
In embodiments of the present invention, the information of configuration is set in the control chip fabrication phase by the producer, also can be carried out adjusting and setting according to the significance level storing data by user.If user's configuration information is format, then the vital document in the memory block of Third Party Authentication and memory device or data will be formatd by control module, prevent internal data from being stolen by disabled user, avoid unnecessary loss.
E) initialization apparatus: after user cipher is proved to be successful, Third Party Authentication and memory device load general memory area automatically, and initialization automatic control chip, program in cryptographic storage district and file, by control module, automatic control chip checks whether cloud access terminal equipment exists safety detection program, if exist, then go to step G), if do not exist, then go to step F).
F) safety detection program is installed: automatic control chip calls file system module access general memory area by control module, and security of operation trace routine, cloud service access terminal equipment completes the Auto-mounting of safety detection program, goes to step I).
G) security strategy is upgraded: automatic control chip upgrades the total inspection strategy of cloud service access terminal device systems by control module, goes to step I after having upgraded).
I) safety inspection: user's security of operation trace routine carries out safety inspection to access terminal system, and judge whether terminal system meets secure access baseline, if meet, then go to step K), if do not meet, then go to step J).
Wherein, safety inspection object comprises the OS Type, port development situation, antivirus software installation situation, viral wooden horse situation etc. of cloud access terminal equipment.
J) terminal system security hardening: safety detection program carries out making safe early warning and security hardening by oneself in terminal system, returns back to step I).
In embodiments of the present invention, step e) to step J) limit at the second step of cloud service terminal as before use cloud computing service, control chip initialization apparatus also resolves the security of terminal system, until there is security checking program in terminal system, by the safety inspection of security checking program, reinforce the security performance of terminal system, to be allowed for access next step operation until terminal system meets secure access baseline.
Further, Third Party Authentication and memory device carry terminal security trace routine, if access terminal equipment is without security checking program, then control module runs terminal security trace routine, and program self-analytic data also completes installation.
Further, safety detection program carries out the safety detection of OS Type, port development situation, antivirus software installation situation, viral wooden horse situation etc. to access terminal.
K) purview certification: control module is according to the information meeting secure access baseline, eject the certification frame of user identity purview certification, user inputs authentication information in certification frame, the preset authentication information of authentication information and cryptographic storage district is compared by control module, if conformed to, then goes to step M), if do not conformed to, then feed back the information of authentication mistake, go to step L), if the number of times of authentication reaches N
2secondary, then go to step W).
Wherein, N
2value>=3, in an embodiment of the present invention, N
2value get 4.
L) authentification failure: control module ejects authentication frame again according to the information of authentification failure, waits for user's input, returns back to step K).
In embodiments of the present invention, step K) as using the 3rd step restriction before cloud computing service, prevent disabled user by front twice limiting access file or data, user needs file or the data that can be accessed cryptographic storage district by purview certification, and will be warned by purview certification, the number of times of authentification failure can be write down by control module simultaneously, and Third Party Authentication and memory device and access terminal equipment disconnect communicate to connect time, this number of times still retains, avoid disabled user by disconnecting the connection of Third Party Authentication and memory device and access terminal equipment to remove authentification failure record, thus prevent disabled user from constantly attempting purview certification.
Further, Third Party Authentication and memory device are provided with Fingerprint Identification Unit, and described Fingerprint Identification Unit is connected with control chip, and communicates with control module, and authentication information and user bind, and namely authentication information is the finger print information of user.
M) Cloud Server logs in: control module is according to the successful information of authentication, user login information checking frame is ejected in cloud service terminal, wait for user's input, the log-on message that user inputs by control module carries out ratio with former configuration information, if conformed to, then goes to step P), if do not conformed to, then feed back the information of log-on message authentication error, go to step O), if the number of times of log-on message checking reaches N
3secondary, then go to step W).
O) login failure: again eject user login information checking frame according to the information of authentication failed, wait for user's input, return back to step M).
In embodiments of the present invention, step M) as using front the 4th step restriction at service terminal of cloud computing service, it accesses the data in cryptographic storage district after preventing disabled user from breaking through first three step restriction, if login authentication number of times is greater than N
3secondary, control module can third party's movable storage device and hardware platform disconnect communicate after still retain and verify number of times, and login authentication record can not be removed after third party's movable storage device and hardware platform disconnect by force, avoid the continuous logon attempt of disabled user.
Wherein, N
3value>=3, in an embodiment of the present invention, N
3value get 4.
P) access Cloud Server: after user logins successfully, call file system mould by the control module of Third Party Authentication and memory device and directly access resource in cloud computing server.
Q) Data Encryption Transmission: user calls file system module access cryptographic storage district by control module, adopt the PKI of RSA unsymmetrical key and executing arithmetic software carrier carries out asymmetric encryption process to AES symmetric key together with the significant data in cryptographic storage district, AES symmetric key and significant data are existed with ciphertext form, and sends to the cloud processor module of Cloud Server by trusted channel.
Wherein, trusted channel comprises http protocol, VPN passage.
In cloud service terminal, by the PKI of RSA unsymmetrical key, AES symmetric key is joined with significant data asymmetric encryption process together, guarantee significant data transmission process in and exist with the form of ciphertext all the time in Cloud Server, guarantee data safe enough.
Further, the PKI of RSA unsymmetrical key and the private key of RSA unsymmetrical key match, and the private key of RSA unsymmetrical key is only user to be owned.And if only if, and user adopts the data deciphering of private key pair encryption, could operate further, and private key is only user owns, and has enough confidentiality, has ensured the security of data further.
R) market demand process: use the handling procedure in cloud processor module to carry out application process to the significant data in ciphertext.
S) symmetric cryptography process: the encrypting module using Cloud Server, the significant data after adopting AES symmetric key to run the process of symmetric encipherment algorithm correspondence is encrypted again, and data are existed with the ciphertext form of superencipher.
T) data store: control module directly accesses the cloud stores processor module of Cloud Server, carries out the stores service of cloud data and file, the ciphertext of superencipher is stored in cloud computing data storage server.
When data are in Cloud Server, again be encrypted by symmetric encipherment algorithm, exist with the ciphertext form of superencipher when making data finally in Cloud Server, further enhance privacy degrees and the safe coefficient of data, the situation that user does not need worry significant data in which position of cloud computing data storage server, whether can be stolen.
Further, first to the process of important data acquisition RSA asymmetric encryption, RSA rivest, shamir, adelman intensity is complicated, security is high, can ensure that significant data and AES symmetric key are not stolen, symmetric cryptography is being carried out in Cloud Server, encryption Environmental security now, and AES symmetric key and significant data are all with the ciphertext form that not can read, security strengthens greatly.
U) exit Cloud Server: after having stored, user exits Cloud Server.
V) log: after user's complete operation, control module is organized into log information according to the transmitting procedure of the information such as operating process, file data of user, and by the record space in this log information write storer.
W) end operation: the information that control module receives, directly controls Third Party Authentication and memory device and cloud access terminal equipment and disconnects and communicating to connect.
In embodiments of the present invention, encrypted cipher text, by after superencipher, is stored in the storage server of cloud data and file by data, ensure user data permanent storage, disabled user cannot steal, and also cannot access even if steal, and has ensured the reliability and security of data in cloud environment.
Further, user is after exiting Cloud Server, log information recording gets off by control module, and log information is write separately by control module in the record space in storer, in case the 3rd people or poisoning intrusion conduct interviews to the file in cryptographic storage district or data, or when being deleted, user can by checking the log information of control module inside, understand transmission path and the time of file or data, and give for change in time, avoid unnecessary loss.
Closer, control module can according to the information that receives, comprises the information, the identity purview certification number of times that do not format and reach N
2secondary information and log-on message checking number of times reach N
3secondary information, disconnects in time the communication connection of Third Party Authentication and memory device and cloud access terminal equipment, and possibility data be stolen general most zero.
The foregoing is only preferred embodiment of the present invention, not in order to limit the present invention, all any amendments done within the spirit and principles in the present invention, equivalent replacement or improvement etc., all should be included within protection scope of the present invention.
Claims (9)
1. the data security time slot scrambling under a cloud environment, it is characterized in that: it is based on one independently Third Party Authentication and memory device and terminal security trace routine, described Third Party Authentication and memory device comprise automatic control chip and storer, the routine package that described automatic control chip runs is containing control module and file system module, described storer comprises cryptographic storage district and general memory area, described control module is by calling the cryptographic storage district of file system module access storer, described general memory area comprises terminal security trace routine, described cryptographic storage district comprises authentication information, key and algorithm software carrier, described key adopts the cipher mode of AES symmetric key and the associating of RSA unsymmetrical key, described Third Party Authentication and memory device are also provided with Fingerprint Identification Unit, its concrete steps are as follows:
A) original state: Third Party Authentication and memory device and cloud access terminal equipment are communicated to connect by usb protocol, the control module on automatic control chip is run;
B) password authentification: after Third Party Authentication and memory device are connected with cloud access terminal devices communicating, automatic spring Third Party Authentication and memory device password authentification frame, wait for the input of user, and password transmission user inputted is to control module, control module calls the cryptographic storage district of file system mould access storer, the password input user and the device password of Third Party Authentication and storage device configurations are compared, if be consistent, then go to step E), if do not conformed to, the then information of feedback cipher authentication error, go to step C), if the number of times that password authentification does not conform to reaches N
1secondary, go to step D),
C) authentication failed: Third Party Authentication and memory device be pop-up device password authentification frame again, waits for the input of user, returns back to step B);
D) access unsuccessfully: control module checks Third Party Authentication and the predetermined configuration information of memory device, if configuration information is format, then authentication password resets to defaults by control module, and call the All Files that file system module removes memory inside, automatically close after ejecting the too much caution frame of errors number simultaneously, disconnect the communication connection of Third Party Authentication and memory device and cloud access terminal equipment, return back to steps A), if configuration information is not for format, then information too much for errors number is fed back to user by ejecting caution frame on Third Party Authentication and memory device by control module, go to step W),
E) initialization apparatus: after user cipher is proved to be successful, Third Party Authentication and memory device load general memory area automatically, and initialization automatic control chip, program in cryptographic storage district and file, by control module, automatic control chip checks whether cloud access terminal equipment exists safety detection program, if exist, then go to step G), if do not exist, then go to step F);
F) safety detection program is installed: automatic control chip calls file system module access general memory area by control module, and security of operation trace routine, cloud service access terminal equipment completes the Auto-mounting of safety detection program, goes to step I);
G) security strategy is upgraded: automatic control chip upgrades the total inspection strategy of cloud service access terminal device systems by control module, goes to step I after having upgraded);
I) safety inspection: user's security of operation trace routine carries out safety inspection to access terminal system, and judge whether terminal system meets secure access baseline, if meet, then go to step K), if do not meet, then go to step J);
J) terminal system security hardening: safety detection program carries out making safe early warning and security hardening by oneself in terminal system, returns back to step I);
K) purview certification: control module is according to the information meeting secure access baseline, eject the certification frame of user identity purview certification, user inputs authentication information in certification frame, the preset authentication information of authentication information and cryptographic storage district is compared by control module, if conformed to, then goes to step M), if do not conformed to, then feed back the information of authentication mistake, go to step L), if the number of times of authentication reaches N
2secondary, then go to step W);
L) authentification failure: control module ejects authentication frame again according to the information of authentification failure, waits for user's input, returns back to step K);
M) Cloud Server logs in: control module is according to the successful information of authentication, user login information checking frame is ejected in cloud service terminal, wait for user's input, the log-on message that user inputs by control module carries out ratio with former configuration information, if conformed to, then goes to step P), if do not conformed to, then feed back the information of log-on message authentication error, go to step O), if the number of times of log-on message checking reaches N
3secondary, then go to step W);
O) login failure: again eject user login information checking frame according to the information of authentication failed, wait for user's input, return back to step M);
P) access Cloud Server: after user logins successfully, call file system mould by the control module of Third Party Authentication and memory device and directly access resource in cloud computing server;
Q) Data Encryption Transmission: user calls file system module access cryptographic storage district by control module, adopt the PKI of RSA unsymmetrical key and executing arithmetic software carrier carries out asymmetric encryption process to AES symmetric key together with the significant data in cryptographic storage district, AES symmetric key and significant data are existed with ciphertext form, and sends to the cloud processor module of Cloud Server by trusted channel;
R) market demand process: use the handling procedure in cloud processor module to carry out application process to the significant data in ciphertext;
S) symmetric cryptography process: the encrypting module using Cloud Server, the significant data after adopting AES symmetric key to run the process of symmetric encipherment algorithm correspondence is encrypted again, and data are existed with the ciphertext form of superencipher;
T) data store: control module directly accesses the cloud stores processor module of Cloud Server, carries out the stores service of cloud data and file, the ciphertext of superencipher is stored in cloud computing data storage server;
U) exit Cloud Server: after having stored, user exits Cloud Server;
V) log: after user's complete operation, control module is organized into log information according to the transmitting procedure of the information such as operating process, file data of user, and by the record space in this log information write storer;
W) end operation: the information that control module receives, directly controls Third Party Authentication and memory device and cloud access terminal equipment and disconnects and communicating to connect.
2. the data security time slot scrambling under a kind of cloud environment as claimed in claim 1, is characterized in that: described Fingerprint Identification Unit is connected with automatic control chip, and communicates with control module, the fingerprint that described Fingerprint Identification Unit is recorded and user bind.
3. the data security time slot scrambling under a kind of cloud environment as claimed in claim 1, is characterized in that: described step B) middle N
1value>=3.
4. the data security time slot scrambling under a kind of cloud environment as claimed in claim 1, is characterized in that: described step K) middle N
2value>=3.
5. the data security time slot scrambling under a kind of cloud environment as claimed in claim 1, is characterized in that: described step M) middle N
3value>=3.
6. the data security time slot scrambling under a kind of cloud environment as claimed in claim 1, is characterized in that: described step I) in safety inspection object comprise the OS Type, port development situation, antivirus software installation situation, viral wooden horse situation etc. of cloud access terminal equipment.
7. the data security time slot scrambling under a kind of cloud environment as claimed in claim 1, is characterized in that: described step Q) in trusted channel comprise http protocol, VPN passage.
8. the data security time slot scrambling under a kind of cloud environment as claimed in claim 1, is characterized in that: the PKI of described RSA unsymmetrical key and the private key of RSA unsymmetrical key match, and the private key of RSA unsymmetrical key is only user to be owned.
9. the data security time slot scrambling under a kind of cloud environment as claimed in claim 1, is characterized in that: described step W) in the information that receives of control module comprise the information, the identity purview certification number of times that do not format and reach N
2secondary information and log-on message checking number of times reach N
3secondary information.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201510696609.1A CN105354507B (en) | 2015-10-23 | 2015-10-23 | A kind of data safety time slot scrambling under cloud environment |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201510696609.1A CN105354507B (en) | 2015-10-23 | 2015-10-23 | A kind of data safety time slot scrambling under cloud environment |
Publications (2)
Publication Number | Publication Date |
---|---|
CN105354507A true CN105354507A (en) | 2016-02-24 |
CN105354507B CN105354507B (en) | 2018-09-11 |
Family
ID=55330478
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201510696609.1A Active CN105354507B (en) | 2015-10-23 | 2015-10-23 | A kind of data safety time slot scrambling under cloud environment |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN105354507B (en) |
Cited By (35)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN105656945A (en) * | 2016-03-28 | 2016-06-08 | 北京天地和兴科技有限公司 | Industrial control host safe storage verifying method and system |
CN105847305A (en) * | 2016-06-21 | 2016-08-10 | 新昌县七星街道明盛模具厂 | Safe processing and accessing method of cloud resource |
CN105871931A (en) * | 2016-06-21 | 2016-08-17 | 新昌县七星街道明盛模具厂 | Safety processing and accessing method of cloud service terminal |
CN105956496A (en) * | 2016-06-21 | 2016-09-21 | 新昌县七星街道明盛模具厂 | Security and secrecy method for sharing storage files |
CN106169035A (en) * | 2016-06-28 | 2016-11-30 | 西安建筑科技大学 | A kind of high-security mobile storage system and method |
CN106612272A (en) * | 2016-07-12 | 2017-05-03 | 四川用联信息技术有限公司 | Verification and recovery algorithm for data tampering in cloud storage |
CN107273148A (en) * | 2016-04-04 | 2017-10-20 | 恩智浦有限公司 | The renewal driving migration of data |
CN107438071A (en) * | 2017-07-28 | 2017-12-05 | 北京信安世纪科技有限公司 | cloud storage security gateway and access method |
CN107770195A (en) * | 2017-11-27 | 2018-03-06 | 甘肃万维信息技术有限责任公司 | Based on the cross-domain identity authorization system of cloud environment and its application method |
CN108256302A (en) * | 2018-01-10 | 2018-07-06 | 四川阵风科技有限公司 | Data Access Security method and device |
CN108491735A (en) * | 2018-03-07 | 2018-09-04 | 京信通信系统(中国)有限公司 | Nor Flash method for secure storing, device and equipment |
CN108710361A (en) * | 2018-05-30 | 2018-10-26 | 广州明珞软控信息技术有限公司 | A kind of security procedure inspection method and system |
CN108965222A (en) * | 2017-12-08 | 2018-12-07 | 翟红鹰 | Identity identifying method, system and computer readable storage medium |
CN109308417A (en) * | 2017-07-27 | 2019-02-05 | 阿里巴巴集团控股有限公司 | Unlocking method and device based on trust computing |
CN109324839A (en) * | 2018-09-21 | 2019-02-12 | 郑州云海信息技术有限公司 | A kind of server processing method and device |
CN109951844A (en) * | 2019-01-31 | 2019-06-28 | 维沃移动通信有限公司 | A kind of information protecting method and device |
CN110234110A (en) * | 2019-06-26 | 2019-09-13 | 恒宝股份有限公司 | A kind of mobile network's automatic switching method |
CN110311974A (en) * | 2019-06-28 | 2019-10-08 | 东北大学 | A kind of cloud storage service method based on asynchronous message |
CN110535832A (en) * | 2019-08-05 | 2019-12-03 | 慧镕电子系统工程股份有限公司 | A kind of domestic server platform framework for data encryption |
CN111382422A (en) * | 2018-12-28 | 2020-07-07 | 卡巴斯基实验室股份制公司 | System and method for changing password of account record under threat of illegal access to user data |
CN111737739A (en) * | 2020-06-11 | 2020-10-02 | 国网河北省电力有限公司建设公司 | Information identification early warning communication system and method based on two-dimension code physical isolation |
CN111786958A (en) * | 2020-06-10 | 2020-10-16 | 刘录占 | Industrial data safety protection system based on industrial internet technology |
CN111787271A (en) * | 2020-07-31 | 2020-10-16 | 平安信托有限责任公司 | Video conference control method, device, equipment and computer readable storage medium |
CN111859378A (en) * | 2020-07-31 | 2020-10-30 | 中国工商银行股份有限公司 | Processing method and device for protecting data model |
CN111881445A (en) * | 2020-08-07 | 2020-11-03 | 武汉空心科技有限公司 | Working platform file sharing encryption method based on feedback correction function |
CN111950002A (en) * | 2020-08-04 | 2020-11-17 | 珠海市鸿瑞信息技术股份有限公司 | Encryption terminal management system based on power distribution network |
CN112613011A (en) * | 2020-12-29 | 2021-04-06 | 北京天融信网络安全技术有限公司 | USB flash disk system authentication method and device, electronic equipment and storage medium |
CN112738219A (en) * | 2020-12-28 | 2021-04-30 | 中国第一汽车股份有限公司 | Program running method, program running device, vehicle and storage medium |
CN112968859A (en) * | 2020-11-27 | 2021-06-15 | 长威信息科技发展股份有限公司 | Encryption storage system for work privacy data |
CN113010875A (en) * | 2021-03-17 | 2021-06-22 | 紫光国芯微电子股份有限公司 | Information isolation method, memory card and mobile terminal |
CN113315786A (en) * | 2021-06-25 | 2021-08-27 | 郑州信源信息技术股份有限公司 | Security authentication method and system |
CN113572849A (en) * | 2021-07-29 | 2021-10-29 | 中国联合网络通信集团有限公司 | File access system and method |
CN114389879A (en) * | 2022-01-13 | 2022-04-22 | 重庆东电通信技术有限公司 | Internet of things terminal data management and control system |
CN116305330A (en) * | 2023-05-22 | 2023-06-23 | 西安晟昕科技股份有限公司 | Safety management method for CPU hardware |
CN117951737A (en) * | 2024-01-08 | 2024-04-30 | 广州市蓝粤网络科技有限公司 | Encryption storage management key card for time-space correlation chip of confidential data |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102567683A (en) * | 2011-12-31 | 2012-07-11 | 曙光信息产业股份有限公司 | Cloud computing system and cloud computing realizing method |
CN103491080A (en) * | 2013-09-12 | 2014-01-01 | 深圳市文鼎创数据科技有限公司 | Information safety protecting method and system |
CN103532966A (en) * | 2013-10-23 | 2014-01-22 | 成都卫士通信息产业股份有限公司 | Device and method supporting USB-KEY-based SSO (single sign on) of virtual desktop |
CN104378206A (en) * | 2014-10-20 | 2015-02-25 | 中国科学院信息工程研究所 | Virtualization desktop safety certification method and system based on USB-Key |
CN104394214A (en) * | 2014-11-26 | 2015-03-04 | 成都卫士通信息产业股份有限公司 | Method and system for protecting desktop cloud service through access control |
-
2015
- 2015-10-23 CN CN201510696609.1A patent/CN105354507B/en active Active
Patent Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102567683A (en) * | 2011-12-31 | 2012-07-11 | 曙光信息产业股份有限公司 | Cloud computing system and cloud computing realizing method |
CN103491080A (en) * | 2013-09-12 | 2014-01-01 | 深圳市文鼎创数据科技有限公司 | Information safety protecting method and system |
CN103532966A (en) * | 2013-10-23 | 2014-01-22 | 成都卫士通信息产业股份有限公司 | Device and method supporting USB-KEY-based SSO (single sign on) of virtual desktop |
CN104378206A (en) * | 2014-10-20 | 2015-02-25 | 中国科学院信息工程研究所 | Virtualization desktop safety certification method and system based on USB-Key |
CN104394214A (en) * | 2014-11-26 | 2015-03-04 | 成都卫士通信息产业股份有限公司 | Method and system for protecting desktop cloud service through access control |
Cited By (47)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN105656945B (en) * | 2016-03-28 | 2018-12-11 | 北京天地和兴科技有限公司 | A kind of industrial control host secure storage verification method and system |
CN105656945A (en) * | 2016-03-28 | 2016-06-08 | 北京天地和兴科技有限公司 | Industrial control host safe storage verifying method and system |
CN107273148A (en) * | 2016-04-04 | 2017-10-20 | 恩智浦有限公司 | The renewal driving migration of data |
US11050726B2 (en) | 2016-04-04 | 2021-06-29 | Nxp B.V. | Update-driven migration of data |
CN107273148B (en) * | 2016-04-04 | 2022-01-11 | 恩智浦有限公司 | Update driven migration of data |
CN105847305A (en) * | 2016-06-21 | 2016-08-10 | 新昌县七星街道明盛模具厂 | Safe processing and accessing method of cloud resource |
CN105871931A (en) * | 2016-06-21 | 2016-08-17 | 新昌县七星街道明盛模具厂 | Safety processing and accessing method of cloud service terminal |
CN105956496A (en) * | 2016-06-21 | 2016-09-21 | 新昌县七星街道明盛模具厂 | Security and secrecy method for sharing storage files |
CN106169035A (en) * | 2016-06-28 | 2016-11-30 | 西安建筑科技大学 | A kind of high-security mobile storage system and method |
CN106612272A (en) * | 2016-07-12 | 2017-05-03 | 四川用联信息技术有限公司 | Verification and recovery algorithm for data tampering in cloud storage |
CN109308417A (en) * | 2017-07-27 | 2019-02-05 | 阿里巴巴集团控股有限公司 | Unlocking method and device based on trust computing |
CN107438071A (en) * | 2017-07-28 | 2017-12-05 | 北京信安世纪科技有限公司 | cloud storage security gateway and access method |
CN107770195A (en) * | 2017-11-27 | 2018-03-06 | 甘肃万维信息技术有限责任公司 | Based on the cross-domain identity authorization system of cloud environment and its application method |
CN107770195B (en) * | 2017-11-27 | 2024-01-09 | 中电万维信息技术有限责任公司 | Cross-domain identity authentication system based on cloud environment and application method thereof |
CN108965222A (en) * | 2017-12-08 | 2018-12-07 | 翟红鹰 | Identity identifying method, system and computer readable storage medium |
CN108965222B (en) * | 2017-12-08 | 2021-12-07 | 普华云创科技(北京)有限公司 | Identity authentication method, system and computer readable storage medium |
CN108256302A (en) * | 2018-01-10 | 2018-07-06 | 四川阵风科技有限公司 | Data Access Security method and device |
CN108256302B (en) * | 2018-01-10 | 2020-05-29 | 四川阵风科技有限公司 | Data security access method and device |
CN108491735A (en) * | 2018-03-07 | 2018-09-04 | 京信通信系统(中国)有限公司 | Nor Flash method for secure storing, device and equipment |
CN108710361A (en) * | 2018-05-30 | 2018-10-26 | 广州明珞软控信息技术有限公司 | A kind of security procedure inspection method and system |
CN108710361B (en) * | 2018-05-30 | 2020-07-28 | 广州明珞软控信息技术有限公司 | Security program checking method and system |
CN109324839A (en) * | 2018-09-21 | 2019-02-12 | 郑州云海信息技术有限公司 | A kind of server processing method and device |
CN111382422A (en) * | 2018-12-28 | 2020-07-07 | 卡巴斯基实验室股份制公司 | System and method for changing password of account record under threat of illegal access to user data |
CN111382422B (en) * | 2018-12-28 | 2023-08-11 | 卡巴斯基实验室股份制公司 | System and method for changing passwords of account records under threat of illegally accessing user data |
CN109951844A (en) * | 2019-01-31 | 2019-06-28 | 维沃移动通信有限公司 | A kind of information protecting method and device |
CN110234110A (en) * | 2019-06-26 | 2019-09-13 | 恒宝股份有限公司 | A kind of mobile network's automatic switching method |
CN110311974A (en) * | 2019-06-28 | 2019-10-08 | 东北大学 | A kind of cloud storage service method based on asynchronous message |
CN110535832A (en) * | 2019-08-05 | 2019-12-03 | 慧镕电子系统工程股份有限公司 | A kind of domestic server platform framework for data encryption |
CN111786958A (en) * | 2020-06-10 | 2020-10-16 | 刘录占 | Industrial data safety protection system based on industrial internet technology |
CN111786958B (en) * | 2020-06-10 | 2022-08-19 | 正弦科技有限公司 | Industrial data safety protection system based on industrial internet technology |
CN111737739A (en) * | 2020-06-11 | 2020-10-02 | 国网河北省电力有限公司建设公司 | Information identification early warning communication system and method based on two-dimension code physical isolation |
CN111787271A (en) * | 2020-07-31 | 2020-10-16 | 平安信托有限责任公司 | Video conference control method, device, equipment and computer readable storage medium |
CN111859378A (en) * | 2020-07-31 | 2020-10-30 | 中国工商银行股份有限公司 | Processing method and device for protecting data model |
CN111950002A (en) * | 2020-08-04 | 2020-11-17 | 珠海市鸿瑞信息技术股份有限公司 | Encryption terminal management system based on power distribution network |
CN111950002B (en) * | 2020-08-04 | 2022-08-09 | 珠海市鸿瑞信息技术股份有限公司 | Encryption terminal management system based on power distribution network |
CN111881445A (en) * | 2020-08-07 | 2020-11-03 | 武汉空心科技有限公司 | Working platform file sharing encryption method based on feedback correction function |
CN112968859A (en) * | 2020-11-27 | 2021-06-15 | 长威信息科技发展股份有限公司 | Encryption storage system for work privacy data |
CN112738219A (en) * | 2020-12-28 | 2021-04-30 | 中国第一汽车股份有限公司 | Program running method, program running device, vehicle and storage medium |
CN112613011B (en) * | 2020-12-29 | 2024-01-23 | 北京天融信网络安全技术有限公司 | USB flash disk system authentication method and device, electronic equipment and storage medium |
CN112613011A (en) * | 2020-12-29 | 2021-04-06 | 北京天融信网络安全技术有限公司 | USB flash disk system authentication method and device, electronic equipment and storage medium |
CN113010875A (en) * | 2021-03-17 | 2021-06-22 | 紫光国芯微电子股份有限公司 | Information isolation method, memory card and mobile terminal |
CN113315786A (en) * | 2021-06-25 | 2021-08-27 | 郑州信源信息技术股份有限公司 | Security authentication method and system |
CN113572849A (en) * | 2021-07-29 | 2021-10-29 | 中国联合网络通信集团有限公司 | File access system and method |
CN114389879A (en) * | 2022-01-13 | 2022-04-22 | 重庆东电通信技术有限公司 | Internet of things terminal data management and control system |
CN116305330A (en) * | 2023-05-22 | 2023-06-23 | 西安晟昕科技股份有限公司 | Safety management method for CPU hardware |
CN116305330B (en) * | 2023-05-22 | 2023-08-04 | 西安晟昕科技股份有限公司 | Safety management method for CPU hardware |
CN117951737A (en) * | 2024-01-08 | 2024-04-30 | 广州市蓝粤网络科技有限公司 | Encryption storage management key card for time-space correlation chip of confidential data |
Also Published As
Publication number | Publication date |
---|---|
CN105354507B (en) | 2018-09-11 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN105354507A (en) | Data security confidentiality method under cloud environment | |
CN105847305A (en) | Safe processing and accessing method of cloud resource | |
US9503433B2 (en) | Method and apparatus for cloud-assisted cryptography | |
WO2015180691A1 (en) | Key agreement method and device for verification information | |
CN110489996B (en) | Database data security management method and system | |
US9225696B2 (en) | Method for different users to securely access their respective partitioned data in an electronic apparatus | |
CN102984115B (en) | A kind of network security method and client-server | |
CN105956496A (en) | Security and secrecy method for sharing storage files | |
US8904195B1 (en) | Methods and systems for secure communications between client applications and secure elements in mobile devices | |
CN100353787C (en) | Security guarantee for memory data information of mobile terminal | |
US20120233456A1 (en) | Method for securely interacting with a security element | |
WO2017166362A1 (en) | Esim number writing method, security system, esim number server, and terminal | |
CN107066885A (en) | Cross-platform credible middleware realizes system and implementation method | |
US20170026385A1 (en) | Method and system for proximity-based access control | |
WO2021129003A1 (en) | Password management method and related device | |
WO2015117523A1 (en) | Access control method and device | |
CN104219077A (en) | Information management system for middle and small-sized enterprises | |
US20110154436A1 (en) | Provider Management Methods and Systems for a Portable Device Running Android Platform | |
CN101262669B (en) | A secure guarantee method for information stored in a mobile terminal | |
CN108900595B (en) | Method, device and equipment for accessing data of cloud storage server and computing medium | |
US20140250499A1 (en) | Password based security method, systems and devices | |
KR101680536B1 (en) | Method for Service Security of Mobile Business Data for Enterprise and System thereof | |
KR20150073567A (en) | The Method for Transmitting and Receiving the Secure Message Using the Terminal Including Secure Storage | |
CN103916404A (en) | Data management method and system | |
WO2018121394A1 (en) | Mobile terminal, alarm information acquisition and sending method and device |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||
GR01 | Patent grant |