CN105356997A - Security distributed data management method based on public cloud - Google Patents
- Publication number
- CN105356997A CN201510476859.4A
- Authority
- CN
- China
- Prior art keywords
- file
- public cloud
- subfile
- block
- space
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Abstract
The invention discloses a secure distributed data management method based on public clouds. Assuming that m public cloud spaces exist, the method comprises the following steps: extracting the storage directory structure on a local computer, encrypting all files in the directory, dividing each encrypted file into m blocks, splitting each key into m pieces by secret sharing, sending the file blocks and key pieces to the m public cloud spaces respectively, and secret-sharing the directory tree across the m public cloud spaces. To search for a specific file and download it, the directory tree is first fetched and restored from any n public cloud spaces, where n is less than m; the file is looked up in the directory tree; subfile blocks and sub-key pieces are then fetched from the n public cloud spaces according to the search result; the file blocks are merged and the key is recovered; finally, the original file is obtained by decrypting the merged file. With the technical solution provided by the invention, the data held in fewer than n public cloud spaces is insufficient to recover the original file, which increases the security of the data and reduces the risk of leaking user data.
Description
Technical field
The present invention relates to the storage of data in public cloud spaces, and in particular to a secure distributed data management method based on public clouds.
Background art
As cloud computing technology matures, cloud storage offers users almost unlimited capacity for file storage, automatic synchronization between different devices, and a channel for sharing data between different users. More and more cloud products are on the market, and users are gradually moving large amounts of data into public clouds.
However, while cloud storage brings users speed and convenience, data security problems such as privacy leaks have followed. For example, in September 2014 foreign hackers were suspected of exploiting a vulnerability in Apple's iCloud cloud disk system, causing the Hollywood nude photo scandal. Depending on a particular cloud service provider also brings the hidden danger of data loss. Domestically, on the afternoon of June 6, 2015, a thunderstorm caused a power failure in the machine room of the service provider Ruijiang Technology, and all hardware devices in QingCloud's Guangdong 1 zone were unexpectedly power-cycled; the QingCloud official website and console could not be accessed, and customer services deployed in GD1 were temporarily unavailable. Meanwhile, another cloud service provider, LeanCloud, also suffered a service interruption lasting 4 hours. Internationally, statistics from the specialist tracking website CloudHarmony show that the Amazon EC2 service was down for 2.41 hours in 2014; the Azure cloud platform operated by Microsoft also showed fairly ordinary availability, experiencing 92 service outages totalling 39.77 hours, and its storage platform service had 141 outages totalling 10.97 hours.
Existing cloud storage technology mainly uses the following two storage modes:
(1) Plaintext storage: with a cloud disk that stores plaintext, an unauthorized user who steals the files can read all of their content, and the public cloud space can also obtain user data at will.
(2) Encrypted storage: with a cloud disk that stores ciphertext, it is difficult for an unauthorized user to steal data, but the possibility that the public cloud space obtains user data still exists.
Summary of the invention
The main purpose of the present invention is to overcome the shortcomings and deficiencies of the prior art. To address the above security problems of cloud storage, the present invention proposes a secure distributed data management method based on public clouds.
To achieve the above purpose, the present invention adopts the following technical solution:
A secure distributed data management method based on public clouds, comprising the following steps:
S1, extract the storage directory tree of the public cloud space as a file, and treat each byte as a secret S;
S2, decompose each byte of the file with the Shamir secret sharing algorithm to obtain m decomposed bytes, and append these m bytes to m newly created files respectively;
S3, after every byte of the directory tree file has been decomposed and written to the newly created files, a directory tree subfile is obtained; the m newly created directory tree subfiles are then stored in the m public cloud spaces respectively;
S4, when the directory tree file needs to be recovered, fetch the directory tree subfiles from any n public cloud spaces, read these n directory tree subfiles byte by byte as sub-secrets, reconstruct the secret with a polynomial interpolation algorithm to obtain each byte of the original directory tree file, and then merge the bytes to obtain the original directory tree file;
S5, after the directory tree has been secret-shared, when a file needs to be uploaded to the public cloud spaces, first fetch the decomposed directory tree subfiles from any n public cloud spaces and recover the storage directory tree, then upload the file according to the upload operation and update the directory tree after the upload; finally decompose the directory tree with the Shamir secret sharing algorithm and upload it to the m public cloud spaces, overwriting the original directory tree subfiles;
S6, when a file needs to be downloaded from the public cloud spaces, first fetch the decomposed directory tree files from any n public cloud spaces and recover the storage directory tree, then carry out the file download operation according to the directory tree;
S7, when a file needs to be deleted, first fetch the decomposed directory tree subfiles from any n public cloud spaces and recover the storage directory tree, then locate the file according to the directory tree and delete the corresponding encrypted file blocks and the corresponding key pieces on the m public cloud spaces; after the deletion, update the directory tree, and finally decompose the directory tree with the Shamir secret sharing algorithm and upload it to the m public cloud spaces, overwriting the original directory tree subfiles.
Preferably, the Shamir secret sharing algorithm is specifically:
A secret sharing scheme comprises a trusted secret distributor and m participants. The secret distributor splits the secret S to be shared into m sub-secrets and distributes them to the m participants over a secure channel, so that each participant knows only its own sub-secret and not the sub-secrets of the other participants. The secret distributor also defines some authorized subsets, such that the participants in these sets can jointly recover the shared secret S.
Preferably, in step S2, the concrete steps of decomposing the file with the Shamir secret sharing algorithm are:
S21, input the secret S and the parameters n, m;
S22, generate n-1 arbitrary random numbers $a_1, \dots, a_{n-1}$, and let $a_0 = S$;
S23, construct the polynomial of degree n-1: $f(x) = a_0 + a_1 x + a_2 x^2 + \dots + a_{n-1} x^{n-1}$;
S24, generate m arbitrary random numbers $x_1, \dots, x_m$ and record them locally;
S25, substitute $x_1, \dots, x_m$ into the polynomial f(x) and compute $f(x_1), \dots, f(x_m)$;
S26, output $f(x_1), \dots, f(x_m)$.
Preferably, in step S4, the concrete steps of secret reconstruction with the Shamir secret sharing algorithm are:
S41, input the data $f(x_1), \dots, f(x_n)$;
S42, fetch from local storage the $x_i$ corresponding to each $f(x_i)$;
S43, construct the system of equations:
......
There are now n equations in n unknowns, namely $a_0, a_1, \dots, a_{n-1}$;
S44, solve the above system of equations to obtain the coefficients $a_0, a_1, \dots, a_{n-1}$, with $S = a_0$;
S45, output S.
Preferably, in step S5, when a file is uploaded, after the directory tree management has been carried out, the file is uploaded to the m public cloud spaces using the file blocking algorithm based on key decomposition theory; the file blocking algorithm based on key decomposition theory is as follows:
Let a cryptographic system be <M, C, K, P>, where M is the plaintext space, C is the ciphertext space, K is the key space, and P is the space formed by the participants. Consider distributing a key to m people such that any n of them can recover the key while fewer than n cannot;
Among the m participants, any n-1 participants cannot recover the key. If the key space K is regarded as a vector space, then its dimension is
for the key space
any key vector $K_i$ in K can be expressed linearly by the elements $P_i$ $(i = 1, 2, \dots, m)$ of the participant vector space P, i.e. $K_i$ belongs to certain several participants in the participant space P. Since only n participants are required to recover the key, the number of basis vectors of the participant vector space P is n, and $K_i$ can be represented by n vectors; obviously any n vectors can obtain the key $K_i$, and because m is the number of basis vectors, fewer than m vectors cannot obtain the key $K_i$;
The file is treated as the key K of key decomposition theory. Among the m public cloud spaces, any n-1 public cloud spaces cannot recover the key K, so the file can be divided into
subfile blocks $K_i$, $i = 1, 2, \dots,$
and each $K_i$ is distributed to several of the m public cloud spaces, so that the subfile groups of any n public cloud spaces are needed to recover the original file. Fewer than n subfile groups cannot recover the original file, so the leak of any fewer than n subfile groups is not enough to leak the original file, and the original file can still be recovered when any m-n subfile groups are damaged;
Each subfile block is labelled
and the m public cloud spaces are labelled $C_1, C_2, \dots, C_m$. Take their (n-1)-combinations: $C_1 C_2 \cdots C_{n-2} C_{n-1}$, $C_1 C_2 \cdots C_{n-2} C_n$, ..., $C_{m-n+2} C_{m-n+3} \cdots C_m$, in total
combinations. Let these combinations correspond respectively to
for example, $K_1$ corresponds to $C_1 C_2 \cdots C_{n-2} C_{n-1}$, meaning that none of the n-1 public cloud spaces $C_1 C_2 \cdots C_{n-2} C_{n-1}$ stores the file block $K_1$.
Preferably, the file splitting steps are as follows:
S511, input a file;
S512, input the splitting parameters n and m, and compute the number of file blocks
S513, record the file name file_name, obtain the file size file_size, and compute the size of each subfile block, block_size = file_size / block_num;
S514, split the file into blocks in units of the subfile block size block_size, and label the blocks in order;
S515, according to the scheme for storing file blocks in public cloud spaces, store the file blocks in groups in the m different public cloud spaces.
Preferably, the steps of recovering the original file are as follows:
S521, according to the given parameter n, fetch n subfile groups from any n public cloud spaces;
S522, retrieve all subfile blocks from the n subfile groups and remove the duplicated subfile blocks;
S523, sort these
subfile blocks;
S524, create a new file named with the original file name file_name;
S525, append the content of the subfile blocks to this file in order.
Preferably, in step S5, when a file is uploaded, after the directory tree management has been carried out, the file is uploaded to the m public cloud spaces using the secure storage technique based on secret sharing, as follows:
S531, encrypt the file to be uploaded;
S532, decompose the key with the Shamir secret sharing algorithm and store it in the m public cloud spaces;
S533, physically split the encrypted file into blocks;
S534, store the resulting subfile blocks in a distributed manner according to the subfile block distributed storage scheme.
Preferably, in step S6, when a file is downloaded, after the directory tree management has been carried out, subfile blocks need only be fetched from any n public cloud spaces to recover the original file, specifically:
S61, fetch the subfile block groups from any n public cloud spaces and remove the duplicated subfile blocks;
S62, sort the subfile blocks and then physically merge them;
S63, fetch the sub-keys from any n public cloud spaces and recover the key;
S64, decrypt the merged file with the key to recover the original file.
Preferably, the steps of deleting a file are as follows:
S71, fetch the directory tree pieces from the m public cloud spaces, and delete the subfile block groups and the corresponding key pieces in the m public cloud spaces;
S72, update the directory tree, and upload the new directory tree pieces to the m public cloud spaces, overwriting the original directory tree subfiles.
Compared with the prior art, the present invention has the following advantages and beneficial effects:
1. In the present invention, the data held in any fewer than n public cloud spaces is not enough to recover the original file, which ensures that user data cannot be stolen by a single public cloud space or by unauthorized users, improves the security of the data, and greatly reduces the risk of user data disclosure. Moreover, the original file can still be recovered when any m-n public cloud spaces fail, so user data is neither lost nor damaged even if any m-n public cloud spaces fail, which improves the reliability of storage.
2. The present invention encrypts and blocks the file. For a single service and for unauthorized users, the data uploaded by the user are all data blocks of the encrypted and split original file, and the complete data cannot be obtained, which solves the problem of leaks from public cloud spaces and improves the security of the data.
3. The present invention stores the file blocks in m public cloud spaces, and any n public cloud spaces suffice to recover the data, which to some extent prevents data loss caused by public cloud space failures.
Brief description of the drawings
Fig. 1 is the flow chart of the secure distributed data management method based on public clouds of the present invention;
Fig. 2 is the structure diagram of public cloud space storage of the present invention;
Fig. 3 is the flow chart of the secret sharing algorithm of the present invention;
Fig. 4 is the schematic diagram of the file block distribution derivation for m=5, n=3 in this embodiment;
Fig. 5 is the schematic diagram of the storage distribution of subfile block 1 for m=5, n=3 in this embodiment.
Embodiment
The present invention is described in further detail below with reference to an embodiment and the accompanying drawings, but embodiments of the present invention are not limited to this.
Embodiment
In this embodiment, assume that m public cloud spaces exist. Using the algorithms proposed here, a user can, on any device, encrypt and split the file to be stored and store it in these m public cloud spaces. When the file needs to be fetched, subfile blocks are fetched from n of the public cloud spaces and the original file is recovered by the algorithm. The application scenario of the technical solution of this embodiment is shown in Fig. 1. In the upload stage, the file to be stored is first encrypted, the encrypted file is then split into blocks and stored in a distributed manner in the m public cloud spaces using the algorithm provided by the invention, and the encryption key is secret-shared across the m public cloud spaces at the same time. In the download stage, only the subfile blocks and sub-keys from any n of the public cloud spaces need to be fetched; the subfile blocks are merged into a file, the key is recovered from the sub-keys, and the file is decrypted.
The present invention is further elaborated below in terms of the technical solution:
Secret sharing of the public cloud space storage directory tree structure: to hide the stored content from the public cloud spaces, not only the files themselves but also the file directory structure must be hidden. The storage directory tree of the public cloud space is therefore extracted as a file and decomposed into the m public cloud spaces with the Shamir secret sharing algorithm. In the end, what the public cloud spaces store is a pile of meaningless random files, as shown in Fig. 2.
The directory tree is treated as a file, and each of its bytes is treated as a secret S and decomposed with the Shamir secret sharing algorithm to obtain m decomposed bytes, which are appended to m newly created files respectively. After every byte of the directory tree file has been decomposed and written to the newly created files, the m newly created directory tree subfiles are stored separately in the m public cloud spaces. When the directory tree file needs to be recovered, the directory tree subfiles are fetched from any n public cloud spaces and read byte by byte as sub-secrets; the Shamir secret sharing algorithm is then used to reconstruct the secret, finally yielding the original directory tree file.
The Shamir secret sharing algorithm and its idea in this embodiment are as follows:
A secret sharing scheme comprises a trusted secret distributor and m participants. The secret distributor splits the secret S to be shared into m sub-secrets and distributes them to the m participants over a secure channel, so that each participant knows only its own sub-secret and not the sub-secrets of the other participants. The secret distributor also defines some authorized subsets, such that the participants in these sets can jointly recover the shared secret S, as shown in Fig. 3. The key to a secret sharing scheme is how to design the splitting and the reconstruction of the secret so that several participants must cooperate to recover the secret message. More importantly, the secret can still be recovered in full when participants within the corresponding range fail. By storing the secret in shares, this cryptographic technique prevents the secret from being too concentrated, and so spreads risk and tolerates intrusion.
Shamir's (n, m) (m > n) secret sharing algorithm uses a polynomial f(x) over a finite field to decompose the secret S into m sub-secrets, which are distributed to m participants; here the public cloud spaces act as the participants. No participant knows the sub-secrets held by the other participants. Only when at least n participants bring out their sub-secrets and cooperate can the secret S be recovered; any fewer than n participants holding sub-secrets cannot recover the secret S.
For a polynomial f(x) of degree n-1 over a finite field, the secret S is taken as f(0), and $f(x_i)$ $(i = 1, \dots, m)$ are distributed to the m participants; any n of the participants can then use their $f(x_i)$ to reconstruct f(x), obtain f(0) from f(x), and recover the secret.
The steps by which the Shamir secret sharing algorithm decomposes a secret are as follows:
Step1: input the secret S and the parameters n, m.
Step2: generate n-1 arbitrary random numbers $a_1, \dots, a_{n-1}$, and let $a_0 = S$.
Step3: construct the polynomial of degree n-1: $f(x) = a_0 + a_1 x + a_2 x^2 + \dots + a_{n-1} x^{n-1}$.
Step4: generate m arbitrary random numbers $x_1, \dots, x_m$ and record them locally.
Step5: substitute $x_1, \dots, x_m$ into the polynomial f(x) and compute $f(x_1), \dots, f(x_m)$.
Step6: output $f(x_1), \dots, f(x_m)$.
The steps by which the Shamir secret sharing algorithm recovers a secret are as follows:
Step1: input the data $f(x_1), \dots, f(x_n)$.
Step2: fetch from local storage the $x_i$ corresponding to each $f(x_i)$.
Step3: construct the system of equations:
......
There are now n equations in n unknowns, namely $a_0, a_1, \dots, a_{n-1}$.
Step4: solve the above system of equations to obtain the coefficients $a_0, a_1, \dots, a_{n-1}$, with $S = a_0$.
Step5: output S.
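The decomposition and recovery steps above, applied byte by byte as the directory tree procedure describes, written as an added Python example that is not part of the patent text. It assumes GF(2^8) with the AES reduction polynomial as the finite field (the patent does not name one) and recovers S by Lagrange interpolation at x = 0 instead of solving for every coefficient; all function names and the sample directory tree are constructed for illustration.

```python
import secrets
from itertools import combinations

# Assumption: arithmetic is in GF(2^8) with the AES reduction polynomial
# x^8 + x^4 + x^3 + x + 1 (0x11B), so every share of a byte is again one byte.

def gf_mul(a: int, b: int) -> int:
    """Multiply two field elements (carry-less multiply, reduced mod 0x11B)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return r

def gf_inv(a: int) -> int:
    """Multiplicative inverse as a^254 (non-zero elements form a group of order 255)."""
    if a == 0:
        raise ZeroDivisionError("0 has no inverse in GF(2^8)")
    result, base, exp = 1, a, 254
    while exp:
        if exp & 1:
            result = gf_mul(result, base)
        base = gf_mul(base, base)
        exp >>= 1
    return result

def eval_poly(coeffs, x: int) -> int:
    """Evaluate f(x) = a_0 + a_1 x + ... + a_{n-1} x^{n-1} by Horner's rule."""
    y = 0
    for c in reversed(coeffs):
        y = gf_mul(y, x) ^ c
    return y

def split_bytes(data: bytes, n: int, m: int) -> dict:
    """Steps 1-6: return {x_i: subfile bytes} for m clouds with threshold n."""
    if not 1 < n <= m <= 255:
        raise ValueError("need 1 < n <= m <= 255")
    # Step 4: the x_i must be distinct (otherwise the equations are singular)
    # and non-zero (f(0) is the secret itself); they are kept locally.
    xs = secrets.SystemRandom().sample(range(1, 256), m)
    subfiles = {x: bytearray() for x in xs}
    for secret_byte in data:
        # Steps 2-3: a_0 = S, fresh random a_1..a_{n-1} for every byte.
        coeffs = [secret_byte] + [secrets.randbelow(256) for _ in range(n - 1)]
        for x in xs:  # Steps 5-6: append f(x_i) to subfile i
            subfiles[x].append(eval_poly(coeffs, x))
    return {x: bytes(v) for x, v in subfiles.items()}

def recover_bytes(subfiles: dict, n: int) -> bytes:
    """Recover S = f(0) for every byte position from any n subfiles."""
    if len(subfiles) < n:
        raise ValueError("fewer than n subfiles: the secret cannot be recovered")
    points = list(subfiles.items())[:n]
    if len({len(v) for _, v in points}) != 1:
        raise ValueError("subfiles differ in length")
    # Lagrange weight of point i at x = 0: prod_{j != i} x_j / (x_j - x_i).
    # Subtraction in GF(2^8) is XOR.
    weights = []
    for i, (xi, _) in enumerate(points):
        num = den = 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = gf_mul(num, xj)
                den = gf_mul(den, xi ^ xj)
        weights.append(gf_mul(num, gf_inv(den)))
    out = bytearray(len(points[0][1]))
    for w, (_, share) in zip(weights, points):
        for k, b in enumerate(share):
            out[k] ^= gf_mul(w, b)
    return bytes(out)

# Constructed sample directory tree file (not from the patent).
SAMPLE_TREE = b"/docs/report.pdf\n/photos/2015/a.jpg\n"

def demo() -> bool:
    subfiles = split_bytes(SAMPLE_TREE, n=3, m=5)
    # Every choice of 3 of the 5 subfiles must give back the same file.
    return all(recover_bytes(dict(c), 3) == SAMPLE_TREE
               for c in combinations(subfiles.items(), 3))

if __name__ == "__main__":
    print("any 3 of 5 subfiles recover the directory tree:", demo())
```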
After the directory tree has been secret-shared, when a file needs to be uploaded to the public cloud spaces, the decomposed directory tree files are first fetched from any n public cloud spaces and the storage directory tree is recovered; the file is then uploaded according to the upload operation introduced below, and the directory tree is updated after the upload; finally the directory tree is decomposed with the Shamir secret sharing algorithm and uploaded to the m public cloud spaces, overwriting the original directory tree files. When a file needs to be downloaded from the public cloud spaces, the decomposed directory tree files are first fetched from any n public cloud spaces and the storage directory tree is recovered; the file download operation is then carried out according to the directory tree.
Storing files:
When a file is uploaded, after the directory tree management has been carried out, the file is uploaded to the m public cloud spaces using the file blocking algorithm based on key decomposition theory.
The file blocking algorithm based on key decomposition theory is as follows:
Let a cryptographic system be <M, C, K, P>, where M is the plaintext space, C is the ciphertext space, K is the key space (the space of encryption and decryption keys), and P is the space formed by the participants. Consider distributing a key to m people such that any n of them can recover the key while fewer than n cannot.
Among the m participants, any n-1 participants cannot recover the key. If the key space K is regarded as a vector space, then its dimension is
for the key space
any key vector $K_i$ in K can be expressed linearly by the elements $P_i$ $(i = 1, 2, \dots, m)$ of the participant vector space P, i.e. $K_i$ belongs to certain several participants in the participant space P. Since only n participants are required to recover the key, the number of basis vectors of the participant vector space P is n, and $K_i$ can be represented by n vectors. Obviously any n vectors can obtain the key $K_i$, and because m is the number of basis vectors, fewer than m vectors cannot obtain the key $K_i$.
The file is treated as the key K of key decomposition theory. Among the m public cloud spaces, any n-1 public cloud spaces cannot recover the key K, so the file can be divided into
subfile blocks $K_i$, and each $K_i$ is distributed to several of the m public cloud spaces, so that the subfile groups of any n public cloud spaces are needed to recover the original file. Fewer than n subfile groups cannot recover the original file, so the leak of any fewer than n subfile groups is not enough to leak the original file, and the original file can still be recovered when any m-n subfile groups are damaged.
Each subfile block is labelled
and the m public cloud spaces are labelled $C_1, C_2, \dots, C_m$. Take their (n-1)-combinations: $C_1 C_2 \cdots C_{n-2} C_{n-1}$, $C_1 C_2 \cdots C_{n-2} C_n$, ..., $C_{m-n+2} C_{m-n+3} \cdots C_m$, in total
combinations. Let these combinations correspond respectively to
for example, $K_1$ corresponds to $C_1 C_2 \cdots C_{n-2} C_{n-1}$, meaning that none of the n-1 public cloud spaces $C_1 C_2 \cdots C_{n-2} C_{n-1}$ stores the file block $K_1$. The scheme for distributing file blocks to public cloud spaces then follows easily, as shown in Table 1.
Table 1: Scheme for storing and distributing file blocks to public cloud spaces
The file splitting steps are as follows:
Step1: input a file.
Step2: input the splitting parameters n and m, and compute the number of file blocks
Step3: record the file name file_name, obtain the file size file_size, and compute the size of each subfile block: block_size = file_size / block_num.
Step4: split the file into blocks in units of the subfile block size block_size, and label the blocks in order.
Step5: according to the scheme for storing file blocks in public cloud spaces, store the file blocks in groups in the m different public cloud spaces.
To illustrate the file splitting algorithm more concretely, take m=5, n=3 as an example. The file is to be split into blocks that are combined and stored in 5 public cloud spaces; subfile groups must be fetched from any 3 of the public cloud spaces to recover the file, and any 2 subfile groups cannot recover the file. The file block distribution is derived as follows.
From the 5 public cloud spaces, take combinations of two; each combination corresponds to one subfile block, meaning that this combination of public cloud spaces does not store that subfile block, so the file needs to be divided into
as shown in Fig. 4. The storage distribution of subfile block 1 follows easily, as shown in Fig. 5, and the distribution scheme of all subfile blocks can be derived in the same way, as in Table 2.
Table 2: Subfile block storage and distribution scheme (m=5, n=3)
From the table above, the subfile blocks stored in each public cloud space can be obtained, as shown in Table 3.
Table 3: Subfile blocks stored in each public cloud space (m=5, n=3)
The file recovery steps are as follows:
Step1: according to the given parameter n, fetch n subfile groups from any n public cloud spaces.
Step2: retrieve all subfile blocks from the n subfile groups and remove the duplicated subfile blocks.
Step3: sort these
subfile blocks.
Step4: create a new file named with the original file name file_name.
Step5: append the content of the subfile blocks to this file in order.
It is not difficult to see from Table 3 that, when m=5 and n=3, the subfile groups of any 2 public cloud spaces cannot recover the original file. Taking public cloud space 1 and public cloud space 2 as an example, the subfile blocks fetched from the subfile groups of these 2 public cloud spaces are 2, 3, 4, 5, 6, 7, 8, 9, and subfile block 1 is missing. The subfile groups of any 3 public cloud spaces, however, can recover the original file: subfile block 1 is missing from the subfile groups of public cloud space 1 and public cloud space 2, but public cloud space 3, public cloud space 4 and public cloud space 5 all contain subfile block 1, so taking any one of these three public cloud spaces together with the other subfile blocks in public cloud space 1 and public cloud space 2 recovers the original file.
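The distribution rule and the m=5, n=3 walk-through above, written as an added Python example that is not part of the patent text. It takes the block count to be the number of (n-1)-combinations of the m clouds, which is what "one subfile block per combination" implies, enumerates the combinations in the order the text lists them, and rounds the block size up so that trailing blocks may be short or empty; function names and any sample data are constructed for illustration.

```python
from itertools import combinations
from math import comb

def distribution(n: int, m: int) -> dict:
    """Map block number j (1-based) to the set of clouds that store K_j.

    The j-th (n-1)-combination of clouds C_1..C_m, taken in the order
    C_1..C_{n-1}, C_1..C_{n-2}C_n, ..., is the set that does NOT store K_j.
    """
    if not 1 < n <= m:
        raise ValueError("need 1 < n <= m")
    clouds = set(range(1, m + 1))
    return {j: clouds - set(excluded)
            for j, excluded in enumerate(combinations(sorted(clouds), n - 1), 1)}

def missing_blocks(plan: dict, clouds) -> list:
    """Blocks that none of the given clouds stores."""
    have = set(clouds)
    return [j for j, holders in plan.items() if not holders & have]

def split_file(data: bytes, n: int, m: int) -> dict:
    """Split data into block_num ordered blocks and group them per cloud."""
    block_num = comb(m, n - 1)
    block_size = max(1, -(-len(data) // block_num))  # ceiling division
    groups = {c: {} for c in range(1, m + 1)}
    for j, holders in distribution(n, m).items():
        block = data[(j - 1) * block_size: j * block_size]
        for c in holders:
            groups[c][j] = block  # every block is stored on m-n+1 clouds
    return groups

def recover_file(fetched_groups, n: int, m: int) -> bytes:
    """Merge the subfile groups of the fetched clouds back into the file."""
    merged = {}
    for group in fetched_groups:
        merged.update(group)  # duplicated subfile blocks collapse here
    missing = [j for j in range(1, comb(m, n - 1) + 1) if j not in merged]
    if missing:
        raise ValueError(f"cannot recover: subfile blocks {missing} are missing")
    return b"".join(merged[j] for j in sorted(merged))

if __name__ == "__main__":
    plan = distribution(3, 5)
    for pair in combinations(range(1, 6), 2):
        print("clouds", pair, "lack block", missing_blocks(plan, pair))
    data = bytes(range(97))  # constructed stand-in for an encrypted file
    groups = split_file(data, 3, 5)
    print("clouds 2, 4, 5 recover:",
          recover_file([groups[2], groups[4], groups[5]], 3, 5) == data)
```

Any n-1 clouds together hold every subfile block except one, so the layout by itself withholds only one block's worth of the stored bytes from them; confidentiality of the content rests on encrypting the file first and secret-sharing the key, as in the upload procedure.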
When a file is uploaded, after the directory tree management has been carried out, the file is uploaded to the m public cloud spaces using the secure storage technique based on secret sharing, as follows.
Step1: encrypt the file to be uploaded.
Step2: decompose the key with the Shamir secret sharing algorithm and store it in the m public cloud spaces.
Step3: physically split the encrypted file into blocks.
Step4: store the resulting subfile blocks in a distributed manner according to the subfile block distributed storage scheme.
When a file is downloaded, after the directory tree management has been carried out, subfile blocks need only be fetched from any n public cloud spaces, and the original file can be recovered by this technical solution.
Step1: fetch the subfile block groups from any n public cloud spaces and remove the duplicated subfile blocks.
Step2: sort the subfile blocks and then physically merge them.
Step3: fetch the sub-keys from any n public cloud spaces and recover the key.
Step4: decrypt the merged file with the key to recover the original file.
The above embodiment is a preferred embodiment of the present invention, but embodiments of the present invention are not limited by it; any other change, modification, substitution, combination or simplification made without departing from the spirit and principle of the present invention is an equivalent replacement and is included within the protection scope of the present invention.
Claims (10)
1. A secure distributed data management method based on public clouds, characterized in that it comprises the following steps:
S1, extract the storage directory tree of the local user as a directory tree file, and treat each byte as a secret S;
S2, decompose the directory tree file with the Shamir secret sharing algorithm: decompose each byte to obtain m decomposed bytes, and append these m bytes to m newly created files respectively;
S3, after every byte of the directory tree file has been decomposed and written to the newly created files, store the m newly created directory tree subfiles in the m public cloud spaces respectively;
S4, when the directory tree file needs to be recovered, fetch the directory tree subfiles from any n (n<m) public cloud spaces, read these n directory tree subfiles byte by byte as sub-secrets, reconstruct the secret with a polynomial interpolation algorithm to recover each byte, and then obtain the original directory tree file;
S5, after the directory tree has been secret-shared, when a file needs to be uploaded to the public cloud spaces, first fetch the decomposed directory tree files from any n public cloud spaces and recover the storage directory tree, then upload the file according to the upload operation and update the directory tree after the upload; finally decompose the directory tree with the Shamir secret sharing algorithm and upload it to the m public cloud spaces, overwriting the original directory tree subfiles;
S6, when a file needs to be downloaded from the public cloud spaces, first fetch the decomposed directory tree subfiles from any n public cloud spaces and recover the storage directory tree, then carry out the file download operation according to the directory tree;
S7, when a file needs to be deleted, first fetch the decomposed directory tree files from any n public cloud spaces and recover the storage directory tree, then locate the file according to the directory tree and delete the corresponding encrypted file blocks and the corresponding key pieces on the m public cloud spaces; after the deletion, update the directory tree, and finally decompose the directory tree with the Shamir secret sharing algorithm and upload it to the m public cloud spaces, overwriting the original directory tree files.
2. The secure distributed data management method based on public clouds according to claim 1, characterized in that the Shamir secret sharing algorithm is specifically:
A secret sharing scheme comprises a trusted secret distributor and m participants. The secret distributor splits the secret S to be shared into m sub-secrets and distributes them to the m participants over a secure channel, so that each participant knows only its own sub-secret and not the sub-secrets of the other participants. The secret distributor also defines some authorized subsets, such that the participants in these sets can jointly recover the shared secret S.
3. The secure distributed data management method based on public clouds according to claim 1, characterized in that, in step S2, the concrete steps of decomposing the file with the Shamir secret sharing algorithm are:
S21, input the secret S and the parameters n, m;
S22, generate n-1 arbitrary random numbers $a_1, \dots, a_{n-1}$, and let $a_0 = S$;
S23, construct the polynomial of degree n-1: $f(x) = a_0 + a_1 x + a_2 x^2 + \dots + a_{n-1} x^{n-1}$;
S24, generate m arbitrary random numbers $x_1, \dots, x_m$ and record them locally;
S25, substitute $x_1, \dots, x_m$ into the polynomial f(x) and compute $f(x_1), \dots, f(x_m)$;
S26, output $f(x_1), \dots, f(x_m)$.
4. The secure distributed data management method based on public cloud according to claim 1, characterized in that, in step S4, the specific steps of secret reconstruction with the Shamir secret sharing algorithm are:
S41, input the data $f(x_1), \ldots, f(x_n)$;
S42, fetch from local storage the $x_i$ corresponding to each $f(x_i)$;
S43, construct the system of equations:
......
This gives n equations in n unknowns, namely $a_0, a_1, \ldots, a_{n-1}$;
S44, solve the above system of equations to obtain the coefficients $a_0, a_1, \ldots, a_{n-1}$, where $S = a_0$;
S45, output S.
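The split steps S21-S26 of claim 3 and the reconstruction steps S41-S45 of claim 4, as an added Python example that is not code from the patent. The claims name no number field: working modulo the prime `P = 2**521 - 1` and requiring distinct non-zero x values are assumptions made here, and the function names are hypothetical.

```python
import secrets

P = 2**521 - 1  # Mersenne prime used as field modulus (assumption: the claims name no field)

def split(secret, n, m):
    """S21-S26: return m points (x_i, f(x_i)) of a random degree-(n-1) polynomial."""
    if not (1 <= n <= m and 0 <= secret < P):
        raise ValueError("need 1 <= n <= m and 0 <= secret < P")
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(n - 1)]  # a_0 = S
    xs = set()
    while len(xs) < m:                       # S24: distinct, non-zero x_i
        xs.add(1 + secrets.randbelow(P - 1))

    def f(x):                                # Horner evaluation of f(x) mod P
        acc = 0
        for a in reversed(coeffs):
            acc = (acc * x + a) % P
        return acc

    return [(x, f(x)) for x in xs]

def reconstruct(points):
    """S41-S45: solve the n x n system sum_j a_j * x_i**j = f(x_i) (mod P), return a_0."""
    n = len(points)
    if len({x % P for x, _ in points}) != n:
        raise ValueError("x values must be distinct")
    # Augmented Vandermonde rows [1, x, x^2, ..., x^(n-1) | f(x)]
    rows = [[pow(x, j, P) for j in range(n)] + [y % P] for x, y in points]
    for col in range(n):                     # Gauss-Jordan elimination mod P
        piv = next(r for r in range(col, n) if rows[r][col])
        rows[col], rows[piv] = rows[piv], rows[col]
        inv = pow(rows[col][col], -1, P)     # modular inverse (Python 3.8+)
        rows[col] = [v * inv % P for v in rows[col]]
        for r in range(n):
            if r != col and rows[r][col]:
                k = rows[r][col]
                rows[r] = [(a - k * b) % P for a, b in zip(rows[r], rows[col])]
    return rows[0][n]                        # S = a_0
```

Padding n-1 shares with an arbitrary point `(0, guess)` makes `reconstruct` return exactly that guess, which is why fewer than n shares leave every value of S equally possible.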
5. The secure distributed data management method based on public cloud according to claim 4, characterized in that, in step S5, when a file is uploaded, after directory tree management has been carried out, the file is uploaded to the m public cloud spaces using a file block algorithm based on key decomposition theory; the file block algorithm based on key decomposition theory is as follows:
Let a cryptographic system be <M, C, K, P>, where M is the plaintext space, C is the ciphertext space, K is the key space, and P is the space formed by the participants. Consider distributing a key among m people such that any n of them can recover the key, while fewer than n people cannot recover it;
Among the m participants, no n-1 participants can recover the key. Regarding the key space K as a vector space, its dimension is
for the key space
any key vector in K
can be expressed linearly by the elements $P_i$ ($i = 1, 2, \ldots, m$) of the participant vector space P, that is, $K_i$ belongs to certain participants in the participant space P. Since only n participants are required to recover the key, the number of basis vectors of the participant vector space P is n, and $K_i$ can be represented by n vectors; clearly any n vectors can obtain the key $K_i$, and because m is the number of basis vectors, fewer than m vectors cannot obtain the key $K_i$;
The file is treated as the key K of key decomposition theory. Among the m public cloud spaces, no n-1 public cloud spaces can recover the key K, so the file can be split into
sub-file blocks $K_i$, $i = 1, 2, \ldots,$
Several of the $K_i$ are distributed to each of the m public cloud spaces, so that the sub-file groups held by any n public cloud spaces are sufficient to recover the original file, while any fewer than n groups of sub-files cannot recover it. The leakage of any fewer than n groups of sub-files is therefore not enough to leak the original file, and the original file can still be recovered when any m-n groups of sub-files are damaged;
Each sub-file block is labeled
and the m public cloud spaces are labeled $C_1, C_2, \ldots, C_m$. Take the combinations of n-1 of them: $C_1 C_2 \cdots C_{n-2} C_{n-1}$, $C_1 C_2 \cdots C_{n-2} C_n$, ..., $C_{m-n+2} C_{m-n+3} \cdots C_m$, a total of
combinations. Put these combinations in correspondence with
respectively; for example, $K_1$ corresponds to $C_1 C_2 \cdots C_{n-2} C_{n-1}$, which means that none of the n-1 public cloud spaces $C_1, C_2, \ldots, C_{n-2}, C_{n-1}$ stores the file block $K_1$.
6. The secure distributed data management method based on public cloud according to claim 5, characterized in that the file splitting steps are as follows:
S511, input a file;
S512, input the partitioning parameters n and m, and calculate the number of file blocks
S513, record the file name file_name, obtain the file size file_size, and calculate the size of each sub-file block, block_size=file_size/block_num;
S514, split the file into blocks in units of the sub-file block size block_size, and label each block in order;
S515, according to the scheme for storing file blocks in public cloud spaces, store the file blocks in groups in the m different public cloud spaces.
7. The secure distributed data management method based on public cloud according to claim 5, characterized in that the steps of recovering the original file are as follows:
S521, according to the given parameter n, fetch n sub-file groups from any n public cloud spaces;
S522, retrieve all sub-file blocks from the n sub-file groups and remove the duplicate sub-file blocks;
S523, sort these
sub-file blocks;
S524, create a new file named with the original file name file_name;
S525, write the contents of the sub-file blocks back into this file in order, in append mode.
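The block placement of claim 5 together with the split and recovery steps of claims 6 and 7, as an added Python example that is not code from the patent. It takes the block count to be the number of (n-1)-combinations of the m clouds, following the correspondence described in claim 5, and rounds the block size up so a file that does not divide evenly loses no bytes; the function names and the use of a dict per cloud are assumptions.

```python
from itertools import combinations
from math import comb

def place_blocks(data, n, m):
    """S511-S515: cut data into ordered blocks; block j is withheld from the j-th
    (n-1)-subset of clouds and stored on every other cloud."""
    if not 1 <= n <= m:
        raise ValueError("need 1 <= n <= m")
    excluded = list(combinations(range(m), n - 1))  # one subset per block
    block_num = comb(m, n - 1)
    block_size = -(-len(data) // block_num)         # ceiling of file_size/block_num
    clouds = [dict() for _ in range(m)]             # cloud index -> {block index: bytes}
    for j, absent in enumerate(excluded):
        block = data[j * block_size:(j + 1) * block_size]
        for c in range(m):
            if c not in absent:
                clouds[c][j] = block
    return clouds, block_num

def recover(groups, block_num):
    """S521-S525: merge the fetched groups, drop duplicates, sort, append in order."""
    merged = {}
    for group in groups:
        merged.update(group)                        # duplicate indices collapse here
    if len(merged) < block_num:
        raise ValueError(f"{block_num - len(merged)} block(s) missing")
    return b"".join(merged[j] for j in sorted(merged))
```

With n=3 and m=5, any two clouds together still hold 9 of the 10 blocks, so confidentiality of the content rests on the encryption of step S531 and the Shamir-shared key rather than on the splitting alone.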
8. The secure distributed data management method based on public cloud according to claim 1, characterized in that, in step S5, when a file is uploaded, after directory tree management has been carried out, the file is uploaded to the m public cloud spaces using a secure storage technique based on secret sharing, with the following operations:
S531, encrypt the file to be uploaded;
S532, use the Shamir secret sharing algorithm to decompose the key and store it in the m public cloud spaces;
S533, physically split the encrypted file into blocks;
S534, store the resulting sub-file blocks in a distributed manner according to the sub-file block distributed storage scheme.
9. The secure distributed data management method based on public cloud according to claim 1, characterized in that, in step S6, when a file is downloaded, after directory tree management has been carried out, the original file can be recovered by fetching sub-file blocks from only any n public cloud spaces, specifically:
S61, fetch the sub-file block groups from any n public cloud spaces and remove the duplicate sub-file blocks;
S62, sort the sub-file blocks and then physically merge them;
S63, fetch the sub-keys from any n public cloud spaces and recover the key;
S64, decrypt the merged file with the key and recover the original file.
10. The secure distributed data management method based on public cloud according to claim 1, characterized in that, in step S7, when a file is deleted, the corresponding file blocks and key blocks must be deleted in all m public cloud spaces and the directory tree then updated, specifically:
S71, fetch the directory tree sub-files from the m public cloud spaces, and delete the sub-file block groups and the corresponding key blocks in the m public cloud spaces;
S72, update the directory tree and upload the new directory tree blocks to the m public cloud spaces, overwriting the original directory tree sub-files.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201510476859.4A CN105356997B (en) | 2015-08-06 | 2015-08-06 | The distributed data management method of safety based on public cloud |
Publications (2)
Publication Number | Publication Date |
---|---|
CN105356997A (en) | 2016-02-24 |
CN105356997B (en) | 2019-09-06 |
Family
ID=55332877
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201510476859.4A Active CN105356997B (en) | 2015-08-06 | 2015-08-06 | The distributed data management method of safety based on public cloud |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN105356997B (en) |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102685199A (en) * | 2012-01-18 | 2012-09-19 | 吴昊 | File safety storage method based on multiple network nodes |
CN103023968A (en) * | 2012-11-15 | 2013-04-03 | 中科院成都信息技术有限公司 | Network distributed storage and reading method for file |
CN104639661A (en) * | 2015-03-13 | 2015-05-20 | 华存数据信息技术有限公司 | Distributed storage system and storing and reading method for files |
Non-Patent Citations (3)
Title |
---|
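Lu Ronghui et al.: "A secure file splitting algorithm based on key decomposition theory", Journal of Xi'an Shiyou University (Natural Science Edition) * |
Fan Quanlong: "Research on a multi-cloud storage model based on secret sharing", China Master's Theses Full-text Database, Information Science and Technology * |
Lei Hongyan et al.: "Privacy-preserving classification algorithm based on Shamir secret sharing", Computer Engineering and Design * |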
Cited By (16)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN106254477B (en) * | 2016-08-09 | 2019-07-09 | 华南农业大学 | A kind of distributed data upload and method for down loading based on more public clouds |
CN106254477A (en) * | 2016-08-09 | 2016-12-21 | 华南农业大学 | A kind of distributed data based on many public cloud is uploaded and method for down loading |
CN107203723B (en) * | 2017-04-06 | 2020-06-19 | 华南农业大学 | File storage and retrieval method on multiple public clouds based on hash table method |
CN107203723A (en) * | 2017-04-06 | 2017-09-26 | 华南农业大学 | File storage and its search method in many public clouds based on hash table method |
CN106961336A (en) * | 2017-04-18 | 2017-07-18 | 北京百旺信安科技有限公司 | A kind of key components trustship method and system based on SM2 algorithms |
CN106961336B (en) * | 2017-04-18 | 2019-11-26 | 北京百旺信安科技有限公司 | A kind of key components trustship method and system based on SM2 algorithm |
CN108683509A (en) * | 2018-05-15 | 2018-10-19 | 北京创世智链信息技术研究院 | A kind of method for secure transactions, apparatus and system based on block chain |
US11240011B2 (en) | 2019-02-27 | 2022-02-01 | Industrial Technology Research Institute | Object sharing system and object sharing method |
TWI704793B (en) * | 2019-02-27 | 2020-09-11 | 財團法人工業技術研究院 | Object sharing system and object sharing method |
CN110968885A (en) * | 2019-12-18 | 2020-04-07 | 支付宝(杭州)信息技术有限公司 | Model training data storage method and device, electronic equipment and storage medium |
CN111506546A (en) * | 2020-04-08 | 2020-08-07 | 杭州天谷信息科技有限公司 | High-security file cloud storage method |
WO2021218885A1 (en) * | 2020-04-28 | 2021-11-04 | 万维数码智能有限公司 | Security and confidentiality protection method and system for data transmission |
CN113067892A (en) * | 2021-04-09 | 2021-07-02 | 北京理工大学 | Method for realizing safe cloud synchronization and cloud storage by using public cloud |
CN113067892B (en) * | 2021-04-09 | 2022-07-15 | 北京理工大学 | Method for realizing safe cloud synchronization and cloud storage by using public cloud |
CN114553589A (en) * | 2022-03-14 | 2022-05-27 | 杭州电子科技大学 | Cloud file secure transmission method based on multi-level encryption |
CN114553589B (en) * | 2022-03-14 | 2024-02-06 | 杭州电子科技大学 | Cloud file secure transmission method based on multi-stage encryption |
Also Published As
Publication number | Publication date |
---|---|
CN105356997B (en) | 2019-09-06 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||
GR01 | Patent grant |