CN105356997A - Security distributed data management method based on public cloud - Google Patents

Publication number: CN105356997A
Authority: CN (China)
Prior art keywords: file, public cloud, subfile, block, space
Legal status: Granted
Application number: CN201510476859.4A
Other languages: Chinese (zh)
Other versions: CN105356997B (en)
Inventors: 李西明, 张列, 郭玉彬, 黄琼
Current assignee: South China Agricultural University
Original assignee: South China Agricultural University

Abstract

The invention discloses a secure distributed data management method based on public cloud. The method comprises the following steps: assuming that m public cloud spaces exist, extract the storage directory structure on the local computer, encrypt all files in the directory, divide each encrypted file into m blocks, split each key into m blocks by secret sharing, send the file blocks and key blocks to the m public cloud spaces respectively, and secret-share the directory tree into the m public cloud spaces. To search for a specific file and download it, the directory tree is first fetched and restored from any n public cloud spaces, where n is less than m; the file is located in the directory tree; the subfile blocks and sub-key blocks are then fetched from the n public cloud spaces according to the search result; the file blocks are merged and the key is recovered; finally, the original file is obtained by decrypting the merged file. With the technical scheme provided by the invention, the data held in any fewer than n public cloud spaces is insufficient to recover the original file; the security of the data is therefore increased and the risk of leaking user data is reduced.

Description

Secure distributed data management method based on public cloud
Technical field
The present invention relates to public cloud storage technology for data, and in particular to a secure distributed data management method based on public cloud.
Background
With the continuing maturation of cloud computing technology, cloud storage offers users almost unlimited capacity for file storage, automatic synchronization between different devices, and a data-sharing channel between different users. More and more cloud products are on the market, and users are gradually moving large amounts of data into the public cloud.
However, while cloud storage brings users speed and convenience, data security problems such as privacy leakage have followed. For example, in September 2014 foreign hackers were suspected of exploiting a vulnerability in Apple's iCloud cloud-disk system, causing the Hollywood nude-photo scandal. Dependence on a particular cloud service provider also brings the hidden danger of data loss. Domestically, on the afternoon of June 6, 2015, the machine room of the service provider "Ruijiang Technology" lost power in a thunderstorm, and all hardware in QingCloud's Guangdong Zone 1 was unexpectedly power-cycled; the QingCloud official website and console could not be accessed, and customer services deployed in GD1 were temporarily unavailable. Meanwhile, another cloud service provider, LeanCloud, also suffered a service interruption of up to 4 hours. Internationally, statistics from the professional tracking website CloudHarmony show that Amazon EC2 was down for 2.41 hours in 2014; Microsoft's Azure cloud platform also performed only moderately on availability, experiencing 92 service outages totaling 39.77 hours, and its storage platform service had 141 outages totaling 10.97 hours.
Existing cloud storage technology mainly uses the following two storage modes:
(1) Plaintext storage: with a cloud disk that stores plaintext, an unauthorized user who steals the files can read all of their contents, and the public cloud space can also obtain the user's data at will.
(2) Encrypted storage: with a cloud disk that stores ciphertext, it is difficult for an unauthorized user to steal the data, but the possibility remains that the public cloud space obtains the user's data.
Summary of the invention
The main purpose of the present invention is to overcome the shortcomings and deficiencies of the prior art. To address the security problems of cloud storage described above, the present invention proposes a secure distributed data management method based on public cloud.
To achieve the above purpose, the present invention adopts the following technical solution:
A secure distributed data management method based on public cloud, comprising the following steps:
S1: extract the storage directory tree of the public cloud space and treat it as a file, with each byte used as a secret S;
S2: decompose each byte of the file with the Shamir secret sharing algorithm to obtain m decomposed bytes, and append these m bytes to m newly created files respectively;
S3: after every byte of the directory tree file has been decomposed and written to the new files, each new file is a directory tree subfile; store the m new directory tree subfiles in the m public cloud spaces respectively;
S4: when the directory tree file needs to be recovered, fetch the directory tree subfiles from any n public cloud spaces, read these n directory tree subfiles byte by byte as sub-secrets, reconstruct the secret with a polynomial interpolation algorithm to obtain each byte of the original directory tree file, and merge the bytes to obtain the original directory tree file;
S5: once the directory tree has been secret-shared, when a file needs to be uploaded to the public cloud spaces, first fetch the decomposed directory tree subfiles from any n public cloud spaces and recover the storage directory tree, then upload the file according to the upload operation, update the directory tree after the upload, and finally decompose the directory tree with the Shamir secret sharing algorithm and upload it to the m public cloud spaces, overwriting the original directory tree subfiles;
S6: when a file needs to be downloaded from the public cloud spaces, first fetch the decomposed directory tree files from any n public cloud spaces and recover the storage directory tree, then perform the file download operation according to the directory tree;
S7: when a file needs to be deleted, first fetch the decomposed directory tree subfiles from any n public cloud spaces and recover the storage directory tree, then locate the file according to the directory tree, delete the corresponding blocks of the encrypted file and the corresponding key blocks on the m public cloud spaces, update the directory tree after the deletion, and finally decompose the directory tree with the Shamir secret sharing algorithm and upload it to the m public cloud spaces, overwriting the original directory tree subfiles.
Preferably, the Shamir secret sharing algorithm is as follows:
A secret sharing scheme comprises a trusted secret distributor and m participants. The secret distributor splits the secret S to be shared into m sub-secrets and distributes them to the m participants over a secure channel, so that each participant knows only its own sub-secret and not the sub-secrets of the other participants. The secret distributor also defines some authorized subsets, such that the participants in one of these sets can jointly recover the shared secret S.
Preferably, in step S2, the concrete steps for decomposing the file with the Shamir secret sharing algorithm are:
S21: input the secret S and the parameters n, m;
S22: generate n-1 arbitrary random numbers $a_1, \ldots, a_{n-1}$, and let $a_0 = S$;
S23: construct the polynomial of degree n-1, $f(x) = a_0 + a_1 x + a_2 x^2 + \cdots + a_{n-1} x^{n-1}$;
S24: generate m arbitrary random numbers $x_1, \ldots, x_m$ and record them locally;
S25: substitute $x_1, \ldots, x_m$ into the polynomial f(x) and compute $f(x_1), \ldots, f(x_m)$;
S26: output $f(x_1), \ldots, f(x_m)$.
Preferably, in step S4, the concrete steps for reconstructing the secret with the Shamir secret sharing algorithm are:
S41: input the data $f(x_1), \ldots, f(x_n)$;
S42: fetch from local storage the $x_i$ corresponding to each $f(x_i)$;
S43: construct the equation system:
$$a_0 + a_1 x_1 + \cdots + a_{n-1} x_1^{n-1} = f(x_1)$$
$$a_0 + a_1 x_2 + \cdots + a_{n-1} x_2^{n-1} = f(x_2)$$
$$\cdots$$
$$a_0 + a_1 x_n + \cdots + a_{n-1} x_n^{n-1} = f(x_n)$$
There are now n equations in n unknowns, namely $a_0, a_1, \ldots, a_{n-1}$;
S44: solve the above equation system to obtain the coefficients $a_0, a_1, \ldots, a_{n-1}$, with $S = a_0$;
S45: output S.
Preferably, in step S5, when a file is uploaded, after directory tree management has been carried out, the file is uploaded to the m public cloud spaces using the file block algorithm based on key decomposition theory. The file block algorithm based on key decomposition theory is as follows:
Define a cryptosystem <M, C, K, P>, where M is the plaintext space, C is the ciphertext space, K is the key space, and P is the space formed by the participants. Consider distributing a key to m people such that any n of them can recover the key, while fewer than n people cannot recover it;
Among the m participants, any n-1 participants cannot recover the key. Regard the key space K as a vector space; then its dimension is . Any key vector $K_i$ in the key space K can be linearly expressed by the elements $P_i$ (i = 1, 2, ..., m) of the participant vector space P, i.e. $K_i$ belongs to certain participants in the participant space P. Since only n participants are required to recover the key, the participant vector space P has n basis vectors, and $K_i$ can be expressed by n vectors. Obviously any n vectors can obtain the key $K_i$, and because m is the number of basis vectors, fewer than m vectors cannot obtain the key $K_i$;
In key decomposition theory the file is treated as the key K. Among the m public cloud spaces, any n-1 public cloud spaces cannot recover the key K, so the file can be split into subfile blocks $K_i$, i = 1, 2, ..., and each $K_i$ distributed to several of the m public cloud spaces, such that the subfile groups of any n public cloud spaces are required to recover the original file and any fewer than n subfile groups cannot recover it. The leakage of any fewer than n subfile groups is therefore insufficient to leak the original file, and the original file can still be recovered when any m-n subfile groups are damaged;
Label the subfile blocks $K_i$ and label the m public cloud spaces $C_1, C_2, \ldots, C_m$. Take all combinations of n-1 of the spaces: $C_1C_2\cdots C_{n-2}C_{n-1}$, $C_1C_2\cdots C_{n-2}C_n$, ..., $C_{m-n+2}C_{m-n+3}\cdots C_m$. Put these combinations in correspondence with the subfile blocks respectively; for example, $K_1$ corresponds to $C_1C_2\cdots C_{n-2}C_{n-1}$, meaning that none of the n-1 public cloud spaces $C_1, C_2, \ldots, C_{n-2}, C_{n-1}$ stores file block $K_1$.
Preferably, the file splitting steps are as follows:
S511: input a file;
S512: input the partitioning parameters n and m, and compute the number of blocks the file is split into;
S513: record the file name file_name, obtain the file size file_size, and compute the size of each subfile block, block_size = file_size/block_num;
S514: split the file into blocks in units of the subfile block size block_size, and label each block in order;
S515: according to the scheme for storing file blocks in public cloud spaces, store the file blocks in groups in the m different public cloud spaces.
Preferably, the steps for recovering the original file are as follows:
S521: according to the given parameter n, fetch n subfile groups from any n public cloud spaces;
S522: retrieve all subfile blocks from the n subfile groups and remove duplicate subfile blocks;
S523: sort these subfile blocks;
S524: create a new file named with the original file name file_name;
S525: append the contents of the subfile blocks to this file in order.
Preferably, in step S5, when a file is uploaded, after directory tree management has been carried out, the file is uploaded to the m public cloud spaces using the secure storage technique based on secret sharing, as follows:
S531: encrypt the file to be uploaded;
S532: decompose the key with the Shamir secret sharing algorithm and store it in the m public cloud spaces;
S533: physically split the encrypted file into blocks;
S534: store the split subfile blocks in distributed fashion according to the subfile block distributed storage scheme.
Preferably, in step S6, when a file is downloaded, after directory tree management has been carried out, it suffices to fetch subfile blocks from any n public cloud spaces to recover the original file, specifically:
S61: fetch the subfile block groups from any n public cloud spaces and remove duplicate subfile blocks;
S62: sort the subfile blocks and physically merge them;
S63: fetch the sub-keys from any n public cloud spaces and recover the key;
S64: decrypt the merged file with the key and recover the original file.
Preferably, the steps for deleting a file are as follows:
S71: fetch the directory tree blocks from the m public cloud spaces, and delete the subfile block groups and the corresponding key blocks in the m public cloud spaces;
S72: update the directory tree blocks and upload the new directory tree blocks to the m public cloud spaces, overwriting the original directory tree subfiles.
Compared with the prior art, the present invention has the following advantages and beneficial effects:
1. In the present invention, the data held in any fewer than n public cloud spaces is insufficient to recover the original file, which ensures that user data cannot be stolen by a single public cloud space or by an unauthorized user, improves the security of the data, and greatly reduces the risk of user data leakage. Moreover, the original file can still be recovered when any m-n public cloud spaces fail, which ensures that user data is neither lost nor damaged even if any m-n public cloud spaces fail, improving the reliability of storage.
2. The present invention encrypts and splits files. To a single service and to an unauthorized user, the data a user uploads is only data blocks of the encrypted and split original file, and the complete data cannot be obtained; this solves the problem of leakage from the public cloud space and improves the security of the data.
3. The present invention stores the file blocks in m public cloud spaces, and the data can be recovered from any n of them, which to a certain degree prevents data loss caused by public cloud space failures.
Brief description of the drawings
Fig. 1 is a flow chart of the secure distributed data management method based on public cloud of the present invention;
Fig. 2 is a structure diagram of public cloud space storage in the present invention;
Fig. 3 is a flow chart of the secret sharing algorithm of the present invention;
Fig. 4 is a schematic diagram of the derivation of the file block distribution for m=5, n=3 in this embodiment;
Fig. 5 is a schematic diagram of the storage distribution of subfile block 1 for m=5, n=3 in this embodiment.
Detailed description
The present invention is described in further detail below with reference to an embodiment and the drawings, but implementations of the present invention are not limited to it.
Embodiment
In this embodiment, suppose m public cloud spaces exist. Using the algorithm proposed here, a user can, from any device, encrypt and split the files to be stored and store them in these m public cloud spaces. When a file needs to be fetched, subfile blocks are fetched from n of the public cloud spaces and the original file is recovered by the algorithm. The application scenario of the technical solution of this embodiment is shown in Fig. 1. In the upload stage, the file to be stored is first encrypted, the encrypted file is then split into blocks and stored in distributed fashion in the m public cloud spaces using the algorithm provided by the invention, and the encryption key is secret-shared into the m public cloud spaces. In the download stage, only the subfile blocks and sub-keys from any n of the public cloud spaces are needed: the subfile blocks are merged into the file, the key is recovered from the sub-keys, and the file is decrypted.
The present invention is further elaborated below with reference to the technical solution:
Secret sharing of the public cloud storage directory tree structure: to hide the stored content from the public cloud spaces, not only the files themselves but also the file directory structure must be hidden. The storage directory tree of the public cloud space is therefore extracted, treated as a file, and decomposed into the m public cloud spaces with the Shamir secret sharing algorithm. In the end, what a public cloud space stores is a pile of meaningless, disordered files, as shown in Fig. 2.
The directory tree is treated as a file, and each of its bytes can be used as a secret S and decomposed with the Shamir secret sharing algorithm to obtain m decomposed bytes, which are appended to m newly created files respectively. After every byte of the directory tree file has been decomposed and written to the new files, the m new directory tree subfiles are stored in the m public cloud spaces respectively. When the directory tree file needs to be recovered, the directory tree subfiles are fetched from any n public cloud spaces and read byte by byte as sub-secrets, the Shamir secret sharing algorithm is used to reconstruct the secret, and the original directory tree file is finally obtained.
The Shamir secret sharing algorithm and its idea in this embodiment are as follows:
A secret sharing scheme comprises a trusted secret distributor and m participants. The secret distributor splits the secret S to be shared into m sub-secrets and distributes them to the m participants over a secure channel, so that each participant knows only its own sub-secret and not the sub-secrets of the other participants. The secret distributor also defines some authorized subsets, such that the participants in one of these sets can jointly recover the shared secret S, as shown in Fig. 3. The key to a secret sharing scheme is how to design the way the secret is split and recovered so that several participants must cooperate to recover the secret message. More importantly, when participants within the corresponding permitted range fail, the secret can still be recovered completely. By storing the secret in shared form, this cryptographic technique prevents the secret from being overly concentrated, achieving risk dispersion and intrusion tolerance.
The (n, m) (m>n) Shamir secret sharing algorithm uses a polynomial f(x) over a finite field to decompose the secret S into m sub-secrets, which are distributed to m participants; here the public cloud spaces act as the participants. No participant knows the sub-secrets held by the other participants. The secret S can be recovered only when at least n participants take out their sub-secrets and cooperate; any fewer than n participants holding sub-secrets cannot recover the secret S.
For a polynomial f(x) of degree n-1 over a finite field, take the secret S as f(0) and distribute $f(x_i)$ (i = 1, ..., m) to the m participants; any n of the participants can then use their $f(x_i)$ to reconstruct f(x), and obtain f(0) from f(x), recovering the secret.
The steps by which the Shamir secret sharing algorithm decomposes a secret are as follows:
Step1: input the secret S and the parameters n, m.
Step2: generate n-1 arbitrary random numbers $a_1, \ldots, a_{n-1}$, and let $a_0 = S$.
Step3: construct the polynomial of degree n-1, $f(x) = a_0 + a_1 x + a_2 x^2 + \cdots + a_{n-1} x^{n-1}$.
Step4: generate m arbitrary random numbers $x_1, \ldots, x_m$ and record them locally.
Step5: substitute $x_1, \ldots, x_m$ into the polynomial f(x) and compute $f(x_1), \ldots, f(x_m)$.
Step6: output $f(x_1), \ldots, f(x_m)$.
The steps by which the Shamir secret sharing algorithm recovers a secret are as follows:
Step1: input the data $f(x_1), \ldots, f(x_n)$.
Step2: fetch from local storage the $x_i$ corresponding to each $f(x_i)$.
Step3: construct the equation system:
$$a_0 + a_1 x_1 + \cdots + a_{n-1} x_1^{n-1} = f(x_1)$$
$$a_0 + a_1 x_2 + \cdots + a_{n-1} x_2^{n-1} = f(x_2)$$
$$\cdots$$
$$a_0 + a_1 x_n + \cdots + a_{n-1} x_n^{n-1} = f(x_n)$$
There are now n equations in n unknowns, namely $a_0, a_1, \ldots, a_{n-1}$.
Step4: solve the above equation system to obtain the coefficients $a_0, a_1, \ldots, a_{n-1}$, with $S = a_0$.
Step5: output S.
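The decomposition and recovery steps above (S21 to S26 and S41 to S45 in the summary), applied byte by byte to a directory tree file, as an added Python example that is not part of the patent. It assumes GF(2^8) as the finite field, which the text does not specify, so that each share of a byte is one byte, and it recovers S = f(0) by Lagrange interpolation, which is equivalent to solving the equation system. The function names and the sample directory listing are constructed; the x_i are drawn distinct and nonzero, because a repeated x_i makes the system singular and x_i = 0 would hand out S itself.

```python
import secrets

# GF(2^8) log/antilog tables, reduction polynomial 0x11B, generator 0x03.
# Assumption: the patent says only "finite field"; GF(2^8) keeps a share one byte.
EXP = [0] * 510
LOG = [0] * 256
_v = 1
for _i in range(255):
    EXP[_i] = EXP[_i + 255] = _v
    LOG[_v] = _i
    _d = _v << 1
    if _d & 0x100:
        _d ^= 0x11B
    _v ^= _d  # v * 3 = (v * 2) xor v


def gf_mul(a, b):
    return 0 if a == 0 or b == 0 else EXP[LOG[a] + LOG[b]]


def gf_div(a, b):
    if b == 0:
        raise ZeroDivisionError("division by zero in GF(2^8)")
    return 0 if a == 0 else EXP[(LOG[a] - LOG[b]) % 255]


def eval_poly(coeffs, x):
    """Horner evaluation of f(x) = a0 + a1*x + ... ; addition in GF(2^8) is xor."""
    acc = 0
    for c in reversed(coeffs):
        acc = gf_mul(acc, x) ^ c
    return acc


def split(data, n, m):
    """Share every byte of `data` (n, m): returns (xs, subfiles).

    xs are the m evaluation points kept locally (step S24); subfiles[j] is the
    file destined for public cloud space j, one share byte per input byte.
    """
    if not 2 <= n <= m <= 255:
        raise ValueError("need 2 <= n <= m <= 255")
    xs = secrets.SystemRandom().sample(range(1, 256), m)  # distinct, nonzero
    subfiles = [bytearray() for _ in range(m)]
    for s in data:
        # a0 = S, a1..a_{n-1} fresh CSPRNG output for every byte (steps S22, S23)
        coeffs = [s] + [secrets.randbelow(256) for _ in range(n - 1)]
        for j, x in enumerate(xs):
            subfiles[j].append(eval_poly(coeffs, x))
    return xs, [bytes(f) for f in subfiles]


def recover(points):
    """Rebuild the file from [(x_i, subfile_i), ...] taken from n cloud spaces."""
    xs = [x for x, _ in points]
    if 0 in xs or len(set(xs)) != len(xs):
        raise ValueError("evaluation points must be distinct and nonzero")
    if len({len(sub) for _, sub in points}) != 1:
        raise ValueError("subfiles differ in length")
    # Lagrange weights at x = 0 depend only on the x_i, so compute them once.
    weights = []
    for j, xj in enumerate(xs):
        w = 1
        for k, xk in enumerate(xs):
            if k != j:
                w = gf_mul(w, gf_div(xk, xk ^ xj))
        weights.append(w)
    out = bytearray()
    for i in range(len(points[0][1])):
        b = 0
        for w, (_, sub) in zip(weights, points):
            b ^= gf_mul(w, sub[i])
        out.append(b)
    return bytes(out)


if __name__ == "__main__":
    tree = b"/docs/report.txt\n/photos/a.jpg\n"  # constructed directory tree file
    xs, subs = split(tree, n=3, m=5)
    picked = [(xs[i], subs[i]) for i in (0, 2, 4)]  # any 3 of the 5 spaces
    print(recover(picked) == tree)
```

Interpolating with fewer than n subfiles still returns bytes of the right length, only the wrong ones, so a caller needs an integrity check on the recovered directory tree to tell the two cases apart.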
Once the directory tree has been secret-shared, when a file needs to be uploaded to the public cloud spaces, the decomposed directory tree files are first fetched from any n public cloud spaces and the storage directory tree is recovered; the file is then uploaded according to the upload operation introduced below, the directory tree is updated after the upload, and finally the directory tree is decomposed with the Shamir secret sharing algorithm and uploaded to the m public cloud spaces, overwriting the original directory tree files. When a file needs to be downloaded from the public cloud spaces, the decomposed directory tree files are first fetched from any n public cloud spaces and the storage directory tree is recovered; the file download operation is then performed according to the directory tree.
Storing files:
When a file is uploaded, after directory tree management has been carried out, the file is uploaded to the m public cloud spaces using the file block algorithm based on key decomposition theory.
The file block algorithm based on key decomposition theory is as follows:
Define a cryptosystem <M, C, K, P>, where M is the plaintext space, C is the ciphertext space, K is the key space (the space of encryption and decryption keys), and P is the space formed by the participants. Consider distributing a key to m people such that any n of them can recover the key, while fewer than n people cannot recover it.
Among the m participants, any n-1 participants cannot recover the key. Regard the key space K as a vector space; then its dimension is . Any key vector $K_i$ in the key space K can be linearly expressed by the elements $P_i$ (i = 1, 2, ..., m) of the participant vector space P, i.e. $K_i$ belongs to certain participants in the participant space P. Since only n participants are required to recover the key, the participant vector space P has n basis vectors, and $K_i$ can be expressed by n vectors. Obviously any n vectors can obtain the key $K_i$, and because m is the number of basis vectors, fewer than m vectors cannot obtain the key $K_i$.
In key decomposition theory the file is treated as the key K. Among the m public cloud spaces, any n-1 public cloud spaces cannot recover the key K, so the file can be split into subfile blocks $K_i$, and each $K_i$ distributed to several of the m public cloud spaces, such that the subfile groups of any n public cloud spaces are required to recover the original file and any fewer than n subfile groups cannot recover it. The leakage of any fewer than n subfile groups is therefore insufficient to leak the original file, and the original file can still be recovered when any m-n subfile groups are damaged.
Label the subfile blocks $K_i$ and label the m public cloud spaces $C_1, C_2, \ldots, C_m$. Take all combinations of n-1 of the spaces: $C_1C_2\cdots C_{n-2}C_{n-1}$, $C_1C_2\cdots C_{n-2}C_n$, ..., $C_{m-n+2}C_{m-n+3}\cdots C_m$. Put these combinations in correspondence with the subfile blocks respectively; for example, $K_1$ corresponds to $C_1C_2\cdots C_{n-2}C_{n-1}$, meaning that none of the n-1 public cloud spaces $C_1, C_2, \ldots, C_{n-2}, C_{n-1}$ stores file block $K_1$. In this way the distribution scheme of file blocks to public cloud spaces is readily obtained, as shown in Table 1.
Table 1: Storage and distribution scheme of file blocks to public cloud spaces
The file splitting steps are as follows:
Step1: input a file.
Step2: input the partitioning parameters n and m, and compute the number of blocks the file is split into.
Step3: record the file name file_name, obtain the file size file_size, and compute the size of each subfile block: block_size = file_size/block_num.
Step4: split the file into blocks in units of the subfile block size block_size, and label each block in order.
Step5: according to the scheme for storing file blocks in public cloud spaces, store the file blocks in groups in the m different public cloud spaces.
To illustrate the file splitting algorithm more vividly, take m=5, n=3 as a concrete example. The file is split into blocks that are combined and stored in 5 public cloud spaces; subfile groups must be fetched from any 3 of the public cloud spaces to recover the file, and any 2 subfile groups cannot recover it. The file block distribution is derived as follows.
Take the 5 public cloud spaces two at a time; each such combination corresponds to one subfile block, meaning that the public cloud spaces in that combination do not store that subfile block. The file is then split as shown in Fig. 4. From this the storage distribution of subfile block 1 is readily obtained, as shown in Fig. 5, and the distribution scheme of all subfile blocks can be derived, as in Table 2.
Table 2: Subfile block storage and distribution scheme (m=5, n=3)
From the table above, the subfile blocks stored in each public cloud space are obtained, as shown in Table 3.
Table 3: Subfile blocks stored in each public cloud space (m=5, n=3)
The file recovery steps are as follows:
Step1: according to the given parameter n, fetch n subfile groups from any n public cloud spaces.
Step2: retrieve all subfile blocks from the n subfile groups and remove duplicate subfile blocks.
Step3: sort these subfile blocks.
Step4: create a new file named with the original file name file_name.
Step5: append the contents of the subfile blocks to this file in order.
As Table 3 shows, when m=5 and n=3 the subfile groups of any 2 public cloud spaces cannot recover the original file. Taking public cloud space 1 and public cloud space 2 as an example, the subfile blocks fetched from the subfile groups of these 2 public cloud spaces are 2, 3, 4, 5, 6, 7, 8, 9; subfile block 1 is missing. The subfile groups of any 3 public cloud spaces, however, can recover the original file: subfile block 1 is missing from the subfile groups of public cloud space 1 and public cloud space 2, but public cloud space 3, public cloud space 4 and public cloud space 5 all contain subfile block 1, so taking any one of these three public cloud spaces together with the other subfile blocks from public cloud space 1 and public cloud space 2 recovers the original file.
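The distribution rule and the m=5, n=3 case above, as an added Python example that is not part of the patent: each subfile block is paired with one combination of n-1 public cloud spaces and stored on every other space, so any n spaces hold every block and any n-1 spaces lack at least one. The function names, the lexicographic numbering of the combinations, and the ceiling-rounded block size (block_size = file_size/block_num in the text leaves a remainder unhandled) are assumptions.

```python
from itertools import combinations
from math import ceil, comb


def plan(n, m):
    """Map each public cloud space (1..m) to the block numbers it stores.

    Block k is paired with the k-th (n-1)-combination of spaces, in
    lexicographic order (assumed numbering), and is withheld from exactly
    those spaces.
    """
    if not 2 <= n <= m:
        raise ValueError("need 2 <= n <= m")
    withheld = list(combinations(range(1, m + 1), n - 1))
    stores = {c: [] for c in range(1, m + 1)}
    for block, skip in enumerate(withheld, start=1):
        for c in stores:
            if c not in skip:
                stores[c].append(block)
    return stores


def split_blocks(data, block_num):
    """Cut data into block_num numbered blocks; the last ones may be short or empty."""
    size = max(1, ceil(len(data) / block_num))
    return {k: data[(k - 1) * size:k * size] for k in range(1, block_num + 1)}


def upload(data, n, m):
    """Return {space: {block number: bytes}}, i.e. the subfile group per space."""
    blocks = split_blocks(data, comb(m, n - 1))
    return {c: {k: blocks[k] for k in ids} for c, ids in plan(n, m).items()}


def restore(groups, n, m):
    """Merge subfile groups fetched from some spaces: dedupe, sort, append."""
    merged = {}
    for group in groups:
        merged.update(group)  # duplicates carry identical content
    missing = sorted(set(range(1, comb(m, n - 1) + 1)) - set(merged))
    if missing:
        raise LookupError(f"cannot restore, missing blocks {missing}")
    return b"".join(merged[k] for k in sorted(merged))


def held_by(spaces, n, m):
    """Distinct block numbers that the given spaces hold between them."""
    p = plan(n, m)
    return sorted(set().union(*(p[c] for c in spaces)))


if __name__ == "__main__":
    ciphertext = bytes(range(37))  # constructed stand-in for an encrypted file
    groups = upload(ciphertext, n=3, m=5)
    print(plan(3, 5))
    print(held_by((1, 2), 3, 5))  # block 1 is absent
    print(restore([groups[2], groups[4], groups[5]], 3, 5) == ciphertext)
```

Any n-1 spaces together still hold all but one block of the file, so confidentiality rests on the encryption applied before splitting and on the secret-shared key rather than on the missing block.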
When a file is uploaded, after directory tree management has been carried out, the file is uploaded to the m public cloud spaces using the secure storage technique based on secret sharing, as follows.
Step1: encrypt the file to be uploaded.
Step2: decompose the key with the Shamir secret sharing algorithm and store it in the m public cloud spaces.
Step3: physically split the encrypted file into blocks.
Step4: store the split subfile blocks in distributed fashion according to the subfile block distributed storage scheme.
When a file is downloaded, after directory tree management has been carried out, it suffices to fetch subfile blocks from any n public cloud spaces, and the original file can be recovered by this technical solution.
Step1: fetch the subfile block groups from any n public cloud spaces and remove duplicate subfile blocks.
Step2: sort the subfile blocks and physically merge them.
Step3: fetch the sub-keys from any n public cloud spaces and recover the key.
Step4: decrypt the merged file with the key and recover the original file.
The above embodiment is a preferred implementation of the present invention, but implementations of the present invention are not limited to it; any other change, modification, substitution, combination or simplification that does not depart from the spirit and principle of the present invention shall be an equivalent replacement and is included within the scope of protection of the present invention.

Claims (10)

1., based on the distributed data management method of the safety of public cloud, it is characterized in that, comprise the steps:
S1, by the storage directory of local user tree extract, as a directory tree file, each byte is used as secret S;
S2, use Shamir privacy share algorithm decompose directory tree file, each byte is decomposed, obtains the byte after m decomposition, write in the individual newly-built file of m by this m byte respectively with the form of additional write;
S3, after each byte of directory tree file is decomposed and write newly-built file, m newly-built directory tree subfile is stored in m public cloud space respectively;
S4, need recover catalog set file time, then from the individual public cloud space of any n (n<m), fetch directory tree subfile, from this n, directory tree subfile is byte-by-byte reads out, secret as son, polynomial interopolation algorithm is used to carry out secret reconstruction, recover each byte, then obtain directory tree file originally;
S5, after privacy share directory tree, when public cloud space is arrived in needs upload file, first directory tree file after decomposing is fetched from any n public cloud space, recovery storage directory is set, then according to upload operation by files passe, upgrade directory tree after uploading, finally utilize Shamir privacy share algorithm to be decomposed by directory tree and upload in m public cloud space, override original directory tree subfile;
S6, when needs are from public cloud space download file, first fetch from any n public cloud space decompose after directory tree subfile, recover storage directory tree, then according to directory tree, carry out file download operation;
S7, when needs deleted file, first directory tree file after decomposing is fetched from any n public cloud space, recovery storage directory is set, then according to directory tree, find document location, spatially delete the corresponding piecemeal of encrypt file and counterpart keys piecemeal m public cloud, after deletion, upgrade directory tree, finally utilize Shamir privacy share algorithm to be decomposed by directory tree to upload in m public cloud space, override original directory tree file.
2. the distributed data management method of the safety based on public cloud according to claim 1, is characterized in that, described Shamir privacy share algorithm is specially:
A secret sharing scheme comprises a believable secret distribution person and m participant, secret distribution person is by secret for secret S partition m the son that will share, and be distributed to this m participant by safe lane, each participant is made only to know the son secret of oneself and not know that the son of other participants is secret, secret distribution person defines some authorized subsets simultaneously, makes the participant's associating in these set can recover shared secret S.
3. The secure distributed data management method based on public cloud according to claim 1, characterized in that, in step S2, the concrete steps of decomposing a file with the Shamir secret sharing algorithm are:
S21, input the secret S, and input the parameters n, m;
S22, arbitrarily generate n-1 random numbers $a_1, \ldots, a_{n-1}$, and at the same time let $a_0 = S$;
S23, construct the polynomial of degree n-1 $f(x) = a_0 + a_1 x + a_2 x^2 + \cdots + a_{n-1} x^{n-1}$;
S24, arbitrarily generate m random numbers $x_1, \ldots, x_m$ and record them locally;
S25, substitute $x_1, \ldots, x_m$ into the polynomial $f(x)$ and calculate $f(x_1), \ldots, f(x_m)$;
S26, output $f(x_1), \ldots, f(x_m)$.
4. The secure distributed data management method based on public cloud according to claim 1, characterized in that, in step S4, the concrete steps of secret reconstruction with the Shamir secret sharing algorithm are:
S41, input the data $f(x_1), \ldots, f(x_n)$;
S42, fetch from local storage the $x_i$ corresponding to each $f(x_i)$;
S43, construct the system of equations:
$$
\begin{aligned}
a_0 + a_1 x_1 + \cdots + a_{n-1} x_1^{n-1} &= f(x_1) \\
a_0 + a_1 x_2 + \cdots + a_{n-1} x_2^{n-1} &= f(x_2) \\
&\;\;\vdots \\
a_0 + a_1 x_n + \cdots + a_{n-1} x_n^{n-1} &= f(x_n)
\end{aligned}
$$
There are now n equations in n unknowns, namely $a_0, a_1, \ldots, a_{n-1}$;
S44, solve the above system of equations to obtain the coefficients $a_0, a_1, \ldots, a_{n-1}$, where $S = a_0$;
S45, output S.
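The byte-by-byte sharing of claim 3 (S21-S26) and the reconstruction of claim 4 (S41-S45), as an added example that is not code from the patent. Assumptions: the claims name no field, so arithmetic here is modulo the prime 257; the names `split` and `reconstruct` are hypothetical; the points $x_i$ are drawn distinct and non-zero so the S43 system has a unique solution; and $a_0$ is obtained with Lagrange interpolation at $x = 0$, the closed form of solving that system.

```python
import secrets

P = 257  # assumption: smallest prime above 255, so every byte value is a field element

def split(secret: bytes, n: int, m: int):
    """S21-S26 per byte: returns (xs, shares) with shares[i][k] = f_k(xs[i])."""
    if not 1 < n <= m < P:
        raise ValueError("need 1 < n <= m < P")
    xs = []
    while len(xs) < m:  # S24: m random points, distinct and non-zero
        x = 1 + secrets.randbelow(P - 1)
        if x not in xs:
            xs.append(x)
    shares = [[] for _ in range(m)]
    for byte in secret:
        # S22: a_0 = S, fresh random a_1..a_{n-1} for every byte
        coeffs = [byte] + [secrets.randbelow(P) for _ in range(n - 1)]
        for i, x in enumerate(xs):  # S25: evaluate f(x_i) with Horner's rule
            y = 0
            for a in reversed(coeffs):
                y = (y * x + a) % P
            shares[i].append(y)  # values lie in 0..256, so they need 9 bits each
    return xs, shares

def reconstruct(points, n: int) -> bytes:
    """S41-S45: points is a list of (x_i, share_i); exactly n are used."""
    points = points[:n]
    if len({x for x, _ in points}) != n:
        raise ValueError("need n shares with distinct x_i")
    # Lagrange weights at x = 0 give a_0 directly (closed form of the S43 system)
    weights = []
    for j, (xj, _) in enumerate(points):
        num = den = 1
        for k, (xk, _) in enumerate(points):
            if k != j:
                num = (num * (-xk)) % P
                den = (den * (xj - xk)) % P
        weights.append(num * pow(den, -1, P) % P)
    out = bytearray()
    for pos in range(len(points[0][1])):
        value = sum(w * sh[pos] for w, (_, sh) in zip(weights, points)) % P
        if value > 255:
            raise ValueError("shares are inconsistent: result is not a byte")
        out.append(value)
    return bytes(out)
```

The $x_i$ returned by `split` play the role of the values "recorded locally" in S24; without them the shares held by the clouds cannot be interpolated.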
5. The secure distributed data management method based on public cloud according to claim 4, characterized in that, in step S5, when a file is uploaded, after the directory tree management has been carried out, the file block algorithm based on key decomposition theory is adopted to upload the file to the m public cloud spaces; the file block algorithm based on key decomposition theory is as follows:
Let a cryptosystem be <M, C, K, P>, where M is the plaintext space, C is the ciphertext space, K is the key space, and P is the space formed by the participants. Consider distributing a key to m people such that any n of them can recover the key, while fewer than n people cannot recover it;
In m participant, any n-1 participant can not recover key, and key space K is regarded as a vector space, then its dimension is for key space arbitrary key vector in K can with the element P in participant vector space P i(i=1,2 ..., m) carry out linear expression, i.e. K ibelong to certain the several participant in the P of participant space, owing to requiring only to need n participant to recover key, then for participant vector space P, its base vector number is n, K ican represent with n vector, obviously n vector can obtain key K arbitrarily i, and because m is the number of base vector, being then less than m vector all can not obtain key K i;
The file is treated as the key K of the key decomposition theory. Among the m public cloud spaces, no n-1 public cloud spaces can recover the key K, so the file can be divided into subfile blocks $K_i$, i=1,2,..., and each $K_i$ is distributed to several of the m public cloud spaces, such that the subfile groups held by any n public cloud spaces suffice to recover the original file, while any fewer than n subfile groups cannot recover the whole original file. Thus a leak of any fewer than n subfile groups is not enough to leak the original file, and the original file can still be recovered when any m-n subfile groups are damaged;
Label the subfile blocks, and label the m public cloud spaces $C_1, C_2, \ldots, C_m$. Take the combinations of n-1 of them: $C_1C_2\cdots C_{n-2}C_{n-1}$, $C_1C_2\cdots C_{n-2}C_n$, ..., $C_{m-n+2}C_{m-n+3}\cdots C_m$. Let these combinations correspond respectively with the subfile blocks; for example, $K_1$ corresponds to $C_1C_2\cdots C_{n-2}C_{n-1}$, meaning that none of these n-1 public cloud spaces $C_1C_2\cdots C_{n-2}C_{n-1}$ stores the file block $K_1$.
6. The secure distributed data management method based on public cloud according to claim 5, characterized in that the file division steps are as follows:
S511, input a file;
S512, input the partitioning parameters n and m, and calculate the number of file blocks
S513, record the file name file_name, obtain the file size file_size, and calculate the size of each subfile block, block_size=file_size/block_num;
S514, divide the file into blocks in units of the subfile block size block_size, and mark each block in order;
S515, according to the scheme for storing file blocks in the public cloud spaces, store the file blocks in groups in the m different public cloud spaces.
7. The secure distributed data management method based on public cloud according to claim 5, characterized in that the steps of recovering the original file are as follows:
S521, according to the given parameter n, fetch n subfile groups from any n public cloud spaces;
S522, retrieve all the subfile blocks from the n subfile groups and remove the repeated subfile blocks;
S523, sort these subfile blocks;
S524, create a new file named with the original file name file_name;
S525, write the content of the subfile blocks back into this file in order, in append mode.
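The block placement of claim 5 with the division and recovery steps of claims 6 and 7, as an added example that is not code from the patent. Assumptions: the function names are hypothetical; one block is created per (n-1)-combination of clouds, following the correspondence described in claim 5, since the page's own block-count formula did not survive extraction; and block_size is rounded up so that a file whose size is not a multiple of block_num keeps its tail.

```python
from itertools import combinations

def placement(n: int, m: int):
    """One entry per block: the n-1 clouds that must NOT store that block."""
    if not 1 <= n <= m:
        raise ValueError("need 1 <= n <= m")
    return list(combinations(range(m), n - 1))

def split_file(data: bytes, n: int, m: int):
    """S511-S515: returns (clouds, block_num); clouds[c] maps block index -> bytes."""
    excluded = placement(n, m)
    block_num = len(excluded)                # assumption: one block per combination
    block_size = -(-len(data) // block_num)  # ceiling of file_size / block_num
    clouds = [dict() for _ in range(m)]
    for idx, missing in enumerate(excluded):
        block = data[idx * block_size:(idx + 1) * block_size]
        for c in range(m):
            if c not in missing:             # every cloud outside the combination
                clouds[c][idx] = block
    return clouds, block_num

def recover(groups, block_num: int) -> bytes:
    """S521-S525: merge groups, drop repeats, order by index, concatenate."""
    blocks = {}
    for group in groups:
        blocks.update(group)                 # repeated blocks collapse to one copy
    absent = [i for i in range(block_num) if i not in blocks]
    if absent:
        raise ValueError(f"cannot recover: blocks {absent} are not in these groups")
    return b"".join(blocks[i] for i in range(block_num))
```

Any n-1 groups together still hold every block except one, so confidentiality of the content rests on the encryption step S531 of claim 8 being applied before the file is split.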
8. The secure distributed data management method based on public cloud according to claim 1, characterized in that, in step S5, when a file is uploaded, after the directory tree management has been carried out, the secure storage technique based on secret sharing is adopted to upload the file to the m public cloud spaces, operating as follows:
S531, encrypt the file to be uploaded;
S532, use the Shamir secret sharing algorithm to decompose the key and store it in the m public cloud spaces;
S533, physically divide the encrypted file into blocks;
S534, store the divided subfile blocks in a distributed manner according to the subfile block distributed storage scheme.
9. The secure distributed data management method based on public cloud according to claim 1, characterized in that, in step S6, when a file is downloaded, after the directory tree management has been carried out, subfile blocks need only be fetched from any n public cloud spaces to recover the original file, specifically:
S61, fetch the subfile block groups from any n public cloud spaces and remove the repeated subfile blocks;
S62, sort the subfile blocks and then physically merge them;
S63, fetch the sub-keys from any n public cloud spaces and recover the key;
S64, decrypt the merged file with the key and recover the original file.
10. The secure distributed data management method based on public cloud according to claim 1, characterized in that, in step S7, when a file is deleted, the corresponding file blocks and key blocks need to be deleted in all m public cloud spaces, and the directory tree is then updated, specifically:
S71, fetch the directory tree subfiles from the m public cloud spaces, and delete the subfile block groups and the corresponding key blocks in the m public cloud spaces;
S72, update the directory tree and upload the new directory tree blocks to the m public cloud spaces, overwriting the original directory tree subfiles.
CN201510476859.4A 2015-08-06 2015-08-06 The distributed data management method of safety based on public cloud Active CN105356997B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201510476859.4A CN105356997B (en) 2015-08-06 2015-08-06 The distributed data management method of safety based on public cloud

Publications (2)

Publication Number Publication Date
CN105356997A true CN105356997A (en) 2016-02-24
CN105356997B CN105356997B (en) 2019-09-06

Family

ID=55332877

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201510476859.4A Active CN105356997B (en) 2015-08-06 2015-08-06 The distributed data management method of safety based on public cloud

Country Status (1)

Country Link
CN (1) CN105356997B (en)

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant