CN106453384A - Security cloud disk system and security encryption method thereof - Google Patents

Security cloud disk system and security encryption method thereof

Info

Publication number
CN106453384A
Authority
CN
China
Prior art keywords
key
cloud
module
data
user
Prior art date
Legal status
Granted
Application number
CN201610985283.9A
Other languages
Chinese (zh)
Other versions
CN106453384B (en)
Inventor
鹤荣育
杨启超
常朝稳
代向东
孙万忠
易青松
吴绍浩
Current Assignee
Individual
Original Assignee
Individual
Priority date
Filing date
Publication date


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 67/00 Network arrangements or protocols for supporting network services or applications
    • H04L 67/01 Protocols
    • H04L 67/10 Protocols in which an application is distributed across nodes in the network
    • H04L 67/1097 Protocols in which an application is distributed across nodes in the network for distributed storage of data in networks, e.g. transport arrangements for network file system [NFS], storage area networks [SAN] or network attached storage [NAS]
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L 63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L 63/06 Network architectures or network communication protocols for network security for supporting key management in a packet data network


Abstract

The invention relates to a security cloud disk system and a security encryption method thereof. The security cloud disk system comprises a host microcomputer, a key, a cloud security management center and a cloud disk pool. The cloud security management center comprises a server and a client; the server is connected with the host microcomputer through a network, and the host microcomputer is matched and connected with the key and is connected with the cloud disk pool through the client of the cloud security management center. The server comprises a key module, a user management module, a security module and a storage module; the client comprises an identity information module, a virtual disk module, an encryption and decryption module, a data partitioning coding module, a load balancing module, an information management module and a cloud disk management module; and the cloud disk pool comprises a plurality of private cloud disks or public cloud disks. The security cloud disk system has the effects of portability, of giving the user active control over data storage on the cloud disks, and of prominent security encryption performance.

Description

Secure cloud disk system and security encryption method thereof
Technical field
The invention belongs to the field of computer technology, and in particular to a secure cloud disk system and its security encryption method.
Background technology
With the rapid development of information technology and intelligent terminals, cloud disks are widely used in every field. Cloud disk users produce large volumes of data files every day, many of which concern personal or enterprise secrets or privacy, so data security is the key issue for cloud disks. At present, although most cloud disks offer users some security solutions, the cloud disk service side is in fact untrusted: the initiative is not in the user's hands, some professionals or administrators can easily obtain the data files, and the user is in a passive position, which readily leads to large numbers of user data leakage incidents. Some users encrypt data manually before uploading it to the cloud disk; although the user then has control, the encrypted data file can still be brute-forced, and frequent access makes the manual encryption and decryption process cumbersome and inconvenient. At the same time, because of needs such as mobile office, users often access cloud disks on different computers or operating platforms, so data files cannot obtain reliable security isolation in the transmission and operating environment, and there is an obvious risk of disclosure. How to let users truly grasp the security initiative of cloud services, with usage that is both efficient and convenient and ensures data safety, is the important topic before us.
Summary of the invention
The purpose of the present invention is to address the above deficiencies of the prior art by providing a secure cloud disk system and its security encryption method that is mobile and portable, gives the user active control over cloud disk data storage, and is safer and more reliable.
The technical scheme adopted to achieve this purpose is: a secure cloud disk system comprising a host microcomputer, a key (Key), a cloud security management center and a cloud disk pool. The cloud security management center comprises a server side and a client; the server side is connected with the host microcomputer over a network, the host microcomputer is matched and connected with the key Key, and the host microcomputer is connected with the cloud disk pool through the client of the cloud security management center. The server side comprises a key module, a user management module, a security module and a storage module, and is mainly used for the management of key information (KI) and of user registration and authentication. The client comprises an identity information module, a virtual disk module, an encryption/decryption module, a data partition encoding module, a load balancing module, an information management module and a cloud disk management module, and is mainly used for processing data and for data access to the cloud disks. The cloud disk pool comprises a number of private cloud disks or public cloud disks and mainly provides cloud storage to expand the cloud-side storage capacity; a private cloud disk is cloud storage oriented to specific users and not open to the outside, and a public cloud disk is cloud storage open to the public and to all groups.
The key Key is a mobile storage device comprising an encryption chip provided with a hardware unique identification code (KID), a controller and a memory, and it protects the user's data and information security by hardware encryption means.
The host microcomputer is a mobile intelligent device comprising a central processing unit, eMMC memory, SSD storage, input/output ports, a WiFi module and a display module, and mainly provides a safe, reliable and exclusive isolated environment for the use of the key Key and for the operation and transmission of data.
The key module is mainly used to manage the key information (KI) corresponding to the key Key and the login password, and participates in the server-side computation of the cloud key.
The user management module is mainly used for user registration and authentication and for managing the user unique identifier (UID), legal authority, scope of authority, time and number of uses.
The security module is mainly responsible for safeguarding user management, the key information (KI) and the login password, and for effectively resisting replay, tampering and similar attacks.
The storage module is mainly used to store the information database.
The identity management module is mainly used to manage the access permissions of mobile devices such as the key Key on the host microcomputer, and can exclude intrusion into the system by illegal access devices.
The virtual disk module is loaded in the eMMC memory of the host microcomputer and is cancelled immediately on exit or shutdown. It provides the user with a virtualized local logical storage space, making it convenient for the user to operate on data locally, reducing frequent network requests, improving the absolute safety of the user's data operating environment, and preventing leaks caused by viruses or Trojans.
The data splitting and redundancy module performs block splitting and redundancy coding on the stored data: the complete data is randomly divided into a number of fragments that differ in number and size, and the fragments produced by splitting are redundancy-coded, which effectively solves the problem of cloud disk data loss and improves the reliability of cloud disk data storage. At the same time it provides the precondition for parallel data transmission and can effectively improve data access efficiency.
The load balancing module is mainly used to distribute tasks reasonably so that the whole system is load-balanced, thereby improving the overall capability of the system to process data. It monitors in real time and can distribute storage tasks according to the performance indicators of the cloud disks and the network and the data splitting situation, optimizes the utilization of the storage resources of the different cloud disks, improves the efficiency with which the cloud disks access data concurrently, and effectively strengthens the overall data access performance of the system.
The encryption/decryption module is mainly used to encrypt and decrypt stored data and to participate in the client-side computation of the cloud key. It provides the user with real-time, automatic file encryption and decryption, further improving the confidentiality of the data.
The information management module is mainly used to manage the control information of the data, namely the file splitting information (FSEI) and the file storage catalogue information (FSLI). By separating the stored data from its control information, control of the stored data is transferred: the control information is stored in the key Key, so even if the stored data itself is leaked at the cloud disk end, it still cannot be used by whoever accesses it because the corresponding control information is missing, which removes at the technical level the user's security concerns about data stored in cloud disks.
The cloud disk management module mainly provides a unified cloud disk interface for private and public cloud disks and realizes the cloud disk pool. It handles the cloud disks that access the system, facilitates the management of user data, and can perform specific operations on a specified single cloud disk or multiple cloud disks according to user operations and the information fed back by each module of the system. It ensures that the data fragments generated by the data splitting and redundancy module are stored on different cloud storages of multiple cloud disks, so that all fragments of a piece of data will never be found on any one cloud disk, guaranteeing the confidentiality and privacy of the stored data by mechanism.
The present invention further provides a security encryption method based on the secure cloud disk system, comprising the following steps:
(1) The user inserts an unregistered key Key into the host microcomputer. The host microcomputer first performs identification management on the inserted key Key through the client of the cloud security management center; if identification is incorrect the operation is refused, and if it is correct a registration request is sent to the server side of the cloud security management center;
(2) The server side reviews the registration information provided by the user. If the review passes, it generates the user unique identifier UID from the hardware unique identification code (KID) of the key Key and stores it on the server side, and at the same time generates the user key information, which includes but is not limited to the key information (KI), the user profile P and the login password C; if the review fails, the operation is suspended;
(3) The server side initializes the key Key and writes the user key information into the key Key, completing the registration of the key Key;
(4) The user inserts the key Key registered in step (3) into the host microcomputer. The host microcomputer first performs identification management on the inserted key Key through the client of the cloud security management center; if identification is incorrect the operation is refused, and if it is correct a login request is sent to the server side of the cloud security management center;
(5) The server side retrieves and verifies the user key information, UID and KID for the login request sent by the client; if verification passes, proceed to step (6), otherwise the operation is suspended;
(6) The client obtains the following information from the key Key: the hardware unique identification code KID, the user profile P, the registration time T, the validity period E and the random number R;
(7) The client generates a timestamp Tu from the current time and combines Tu with the information obtained in step (6) to judge the legitimacy of the user identity; if they do not match or have expired, the operation fails. If correct, the client derives key A from KID and user profile P using the SM3 algorithm, A=KID&P; it then encrypts user profile P, registration time T, validity period E, timestamp Tu and random number R with the SM4 algorithm to obtain ciphertext B, B=A&P&T&E&Tu&R. The client sends ciphertext B together with a protocol header to the server side, where the protocol header contains the KID;
(8) The server side obtains KID by parsing the protocol header, then looks up the corresponding user profile P on the server side by KID. The server side derives key C from KID and user profile P using the SM3 algorithm; if key C = key A, the server side decrypts ciphertext B with the SM4 algorithm to obtain user profile P, registration time T, validity period E, timestamp Tu and random number R; if key C ≠ key A, the operation fails;
(9) The server side checks the obtained timestamp Tu: if it deviates from the current server time by more than ±3 min it is treated as a TIMEOUT and the operation fails. If it has not timed out, the server side judges from the obtained validity period E whether the key has expired; if expired, the operation fails, and if not expired, the user unique identifier UID stored on the server side is retrieved;
(10) The server side generates a new timestamp Ts from the current time and performs a +n operation on the random number R to obtain a new random number Rn; it then derives key K from the new random number Rn using the SM3 algorithm, K=Rn. It then encrypts UID, the new random number Rn and the new timestamp Ts with the SM4 algorithm to obtain ciphertext D, D=K&UID&Rn&Ts. The server side sends ciphertext D together with a protocol header to the client, where the protocol header contains the new random number Rn;
(11) The client obtains the new random number Rn by parsing the protocol header and derives key J from Rn using the SM3 algorithm. If key J = key K, the client decrypts ciphertext D with key K to obtain UID, the new random number Rn and the new timestamp Ts, and performs a -n operation on Rn to obtain random number R; if key J ≠ key K, the operation fails;
(12) The client checks the obtained new timestamp Ts: if it deviates from the current client time by more than ±3 min it is treated as a TIMEOUT and the operation fails. If it has not timed out, the client judges whether random number R has changed; if it has changed the operation fails, and if it has not changed the authentication passes. The client then obtains UID and derives the cloud key V by encrypting UID together with the KID obtained in step (6) using the SM3 algorithm;
(13) When uploading data, the virtual disk module of the cloud security management center creates a virtual logical disk on the host microcomputer, on which the user first operates on the data temporarily. The data partition encoding module of the cloud security management center randomly divides the user data on the virtual disk into several fragments of differing sizes and applies redundancy processing to each fragment, while the information management module generates the file splitting information (FSEI). The encryption/decryption module then encrypts each fragment with the cloud key V obtained by the real-time computation of steps (6) to (12), the cloud disk management module connects to the cloud disk pool, and each encrypted fragment file, after processing by the load balancing module, is randomly dispersed and uploaded in parallel to different cloud storages of multiple cloud disks. The information management module generates the file storage catalogue information (FSLI) and, through the host microcomputer, writes the file splitting information (FSEI) and file storage catalogue information (FSLI) of the fragment files into the key Key, completing the upload of the data;
(14) When downloading data, the data management module of the cloud security management center obtains the file splitting information (FSEI) and file storage catalogue information (FSLI) of the fragment files from the key Key, and the cloud disk management module connects to the cloud disk pool. According to the file storage catalogue information (FSLI), the corresponding fragments are downloaded from the different cloud storages of multiple cloud disks into the virtual disk after processing by the load balancing module. The encryption/decryption module decrypts all fragments with the cloud key V obtained by the real-time computation of steps (6) to (12); the decrypted fragments are then assembled by the data partition encoding module according to the file splitting information (FSEI) and redundancy-checked. If the check finds errors, redundancy processing is performed; once the check passes, the data plaintext is regenerated and stored in the virtual disk, completing the download of the data.
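The login and cloud-key exchange of steps (6) to (12), written out here as an added example with both sides' messages; it is not code from the patent. To run on the standard library it substitutes SHA-256 for SM3 and an HMAC-SHA256 keystream with an authentication tag for SM4; the field layout, the value of n, and Unix seconds for T, E, Tu and Ts are assumptions made here.

```python
"""Login / cloud-key exchange of steps (6)-(12), modelled with standard-library stand-ins.
Assumptions: SHA-256 stands in for SM3, an HMAC-SHA256 keystream plus HMAC tag stands in
for SM4, n is a fixed constant, and T/E/Tu/Ts are Unix seconds."""
import hashlib
import hmac
import os
import struct

WINDOW = 3 * 60   # +/-3 min timestamp tolerance stated in steps (9) and (12)
N_STEP = 7        # the patent's "+n" / "-n" on R; the value of n is assumed here


def sm3_stand_in(*parts: bytes) -> bytes:
    """Stand-in for SM3: SHA-256 over the concatenated fields."""
    return hashlib.sha256(b"".join(parts)).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = (length + 31) // 32
    return b"".join(hmac.new(key, nonce + struct.pack(">I", i), hashlib.sha256).digest()
                    for i in range(blocks))[:length]


def sm4_stand_in_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Stand-in for SM4: nonce || (plaintext XOR keystream) || HMAC tag."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def sm4_stand_in_decrypt(key: bytes, blob: bytes):
    """Returns the plaintext, or None when the tag fails (wrong key, i.e. C != A or J != K)."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


def client_login_request(key_dev: dict, now: int):
    """Steps (6)-(7): read KID, P, T, E, R from the key device and build ciphertext B."""
    kid, P = key_dev["KID"], key_dev["P"]
    A = sm3_stand_in(kid, P)                                        # A = KID&P
    body = struct.pack(">QQQQ", key_dev["T"], key_dev["E"], now, key_dev["R"]) + P
    B = sm4_stand_in_encrypt(A, body)                               # B = A&P&T&E&Tu&R
    return {"KID": kid, "B": B}, {"R": key_dev["R"]}                # header+body, client state


def server_handle_login(users: dict, msg: dict, now: int):
    """Steps (8)-(10): look up P by KID, derive C, decrypt B, check Tu and E, build D."""
    rec = users.get(msg["KID"])                                     # users: KID -> (P, UID)
    if rec is None:
        return None
    P, uid = rec
    C = sm3_stand_in(msg["KID"], P)                                 # C must equal A
    body = sm4_stand_in_decrypt(C, msg["B"])
    if body is None or body[32:] != P:
        return None
    T, E, Tu, R = struct.unpack(">QQQQ", body[:32])
    if abs(Tu - now) > WINDOW or now > E:                           # TIMEOUT / expired
        return None
    Rn = R + N_STEP                                                 # "+n" on R
    K = sm3_stand_in(struct.pack(">Q", Rn))                         # K = Rn
    D = sm4_stand_in_encrypt(K, struct.pack(">QQ", Rn, now) + uid)  # D = K&UID&Rn&Ts
    return {"Rn": Rn, "D": D}                                       # Rn travels in the header


def client_finish_login(key_dev: dict, state: dict, reply, now: int):
    """Steps (11)-(12): derive J from Rn, decrypt D, check Ts and R, derive cloud key V."""
    if reply is None:
        return None
    J = sm3_stand_in(struct.pack(">Q", reply["Rn"]))                # J must equal K
    body = sm4_stand_in_decrypt(J, reply["D"])
    if body is None:
        return None
    Rn, Ts = struct.unpack(">QQ", body[:16])
    uid = body[16:]
    if Rn != reply["Rn"] or abs(Ts - now) > WINDOW or Rn - N_STEP != state["R"]:
        return None                                                 # TIMEOUT or R changed
    return sm3_stand_in(uid, key_dev["KID"])                        # cloud key V = SM3(UID, KID)
```

Because K = SM3(Rn) and Rn is carried in the plaintext protocol header, the secrecy of D rests on that header rather than on a key only the two parties hold; what the exchange does enforce is the ±3 min windows on Tu and Ts and the R → Rn → R round trip.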
With the secure cloud disk system and security encryption method obtained by the above scheme, the user only needs to operate the client through the key Key and the host microcomputer to upload data directly; the multiple layers of security encryption are completed automatically for the user in the background. The key Key and the host microcomputer are devices under the user's control and are fully trusted, and the host microcomputer provides a security-isolated transmission and operating environment for the key Key and the user, avoiding leaks caused by unstable access devices. The key Key itself also has hardware encryption measures, which effectively reduce the security risk of the key Key being used arbitrarily. The multiple identification, verification and authentication processes between the components of the system improve the coherence and security of the whole system: even if the cloud security management center and the cloud disks were breached by hackers or leaked, because the cloud key is obtained with the participation of every component of the system and by the real-time computation of the security encryption method, the correct cloud key cannot be obtained even if KID and UID are obtained, so authentication is unlikely to be passed and user data security is higher. At the same time, the cloud disk pool exploits the distributed nature of cloud storage and greatly expands the number of cloud disk storage targets; after the data is split and encrypted it is dispersed across the different cloud storages of multiple cloud disks, so not only is it difficult to crack all the cloud disks, but even if they were cracked, the file splitting information (FSEI) and file storage catalogue information (FSLI) are on the key Key in the user's hands, so the composition of the fragments cannot be fully obtained and the probability of recovering the original data by brute force is extremely low. The invention thus has the prominent features of giving the user active control over cloud disk data storage, of mobility and portability, and of strong security encryption.
Description of the drawings
Fig. 1 is the structural block diagram of the present invention.
Fig. 2 is the registration flow chart of the present invention.
Fig. 3 is the login flow chart of the present invention.
Fig. 4 is the security encryption method flow chart of the present invention.
Fig. 5 is the upload data and download data flow chart of the present invention.
Specific embodiments
The present invention is described in further detail below with reference to embodiments and the accompanying drawings, but the embodiments of the present invention are not limited thereto.
Referring to Fig. 1, a secure cloud disk system of the present invention comprises a host microcomputer 2, a key Key 1, a cloud security management center 3 and a cloud disk pool 4. The cloud security management center 3 comprises a server side 3-1 and a client 3-2; the server side 3-1 is connected with the host microcomputer 2 over a network, the host microcomputer 2 is matched and connected with the key Key 1, and the host microcomputer 2 is connected with the cloud disk pool through the client 3-2 of the cloud security management center. The server side 3-1 comprises a key module, a user management module, a security module and a storage module and is mainly used for the management of key information (KI) and of user registration and authentication; the client 3-2 comprises an identity information module, a virtual disk module, an encryption/decryption module, a data partition encoding module, a load balancing module, an information management module and a cloud disk management module and is mainly used for processing data and for data access to the cloud disks. The key Key 1 comprises an encryption chip provided with a hardware unique identification code (KID), a controller and a memory, and protects the user's data and information security by hardware encryption means. The host microcomputer 2 comprises a central processing unit, eMMC memory, SSD storage, input/output ports, a WiFi module and a display module, and mainly provides a safe, reliable and exclusive isolated environment for the use of the key Key and for the operation and transmission of data. The cloud disk pool comprises a number of private cloud disks or public cloud disks and mainly provides cloud storage to expand the cloud-side storage capacity; a private cloud disk is cloud storage oriented to specific users and not open to the outside, and a public cloud disk is cloud storage open to the public and to all groups.
Referring to Figs. 2, 3, 4 and 5, a security encryption method based on the secure cloud disk system comprises the following steps:
As shown in Fig. 2, during registration the user inserts an unregistered key Key into the host microcomputer; the host microcomputer first performs identification management on the inserted key Key through the client of the cloud security management center, refuses the operation if identification is incorrect, and if it is correct sends a registration request to the server side of the cloud security management center. The server side reviews the registration information provided by the user; if the review passes, it generates the user unique identifier UID from the hardware unique identification code (KID) of the key Key and stores it on the server side, and at the same time generates the user key information, which includes but is not limited to the key information (KI), the user profile P and the login password C; if the review fails, the operation is suspended. The server side initializes the key Key and writes the user key information into the key Key, yielding a registered key Key and completing registration.
As shown in Fig. 3, during login the user inserts the registered key Key into the host microcomputer; the host microcomputer first performs identification management on the inserted key Key through the client of the cloud security management center, suspends the operation if identification is incorrect, and if it is correct sends a login request to the server side of the cloud security management center. The server side performs matching and authorization of the user key information, UID and KID for the login request sent by the client; if approval passes the login is complete, otherwise the operation is suspended.
As shown in Fig. 4, during the secure cryptographic computation the client reads the following user key information from the key Key: the hardware unique identification code KID, the user profile P, the registration time T, the validity period E and the random number R. The client generates a timestamp Tu from the current time and checks the legitimacy of the user identity against Tu and the information obtained in step (6); on a mismatch or expiry it fails. Otherwise the client hashes the KID and the user profile P with the SM3 algorithm to derive key A, A = KID&P; it then encrypts the user profile P, registration time T, validity period E, timestamp Tu and random number R with the SM4 algorithm to obtain ciphertext B, B = A&P&T&E&Tu&R, and sends ciphertext B to the service end together with a protocol header that carries the KID. The service end parses the protocol header to obtain the KID, looks up the corresponding user profile P on the server side by the KID, and hashes the KID and P with SM3 to obtain key C. If key C = key A, the service end decrypts ciphertext B with SM4 to recover the user profile P, registration time T, validity period E, timestamp Tu and random number R; if key C ≠ key A, it fails. The service end then verifies the recovered timestamp Tu: a deviation of more than ±3 min from the current server time is treated as a TIMEOUT and fails. If not timed out, it checks the validity period E; if expired, it fails; otherwise it retrieves the user unique identifier UID stored on the service end. The service end generates a new timestamp Ts from the current time, computes a new random number Rn by adding n to R, hashes Rn with SM3 to derive key K, K = Rn, and encrypts the UID, Rn and Ts with SM4 to obtain ciphertext D, D = K&UID&Rn&Ts. The service end sends ciphertext D to the client together with a protocol header that carries the new random number Rn. The client parses the protocol header to obtain Rn and hashes Rn with SM3 to derive key J. If key J = key K, the client decrypts ciphertext D with key K to obtain the UID, Rn and Ts, and subtracts n from Rn to recover R; if key J ≠ key K, it fails. The client then verifies Ts: a deviation of more than ±3 min from the current client time is treated as a TIMEOUT and fails. If not timed out, it checks whether the random number R has changed; if it has, it fails; if not, authentication passes. The client now holds the UID, hashes the UID together with the KID obtained in step (6) using SM3, and takes the result as the cloud key V.
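The exchange of steps (6) to (12) above (also claim 4, steps (7) to (12)), as an added worked example that is not part of the patent: both sides' messages in Python. The standard library ships neither SM3 nor SM4, so SHA-256 stands in for SM3 and a SHAKE-256 keystream XOR with an HMAC-SHA256 tag stands in for SM4; the tag is also how the "key C = key A" and "key J = key K" checks are realised here, because the text does not say how the receiving side learns the other side's key. The JSON field layout, the reading of E as an expiry time, n = 1, and all identifiers (KID-0001, UID-7, the user dictionary) are constructed assumptions.

```python
import hashlib
import hmac
import json
import os

WINDOW_S = 3 * 60   # the ±3 min timestamp tolerance stated in the text
N_STEP = 1          # the "+n" added to R; the concrete value of n is an assumption


def sm3(*parts: bytes) -> bytes:
    """SM3 stand-in (SHA-256) over length-prefixed parts."""
    m = hashlib.sha256()
    for p in parts:
        m.update(len(p).to_bytes(4, "big") + p)
    return m.digest()


def _ks(key: bytes, nonce: bytes, n: int) -> bytes:
    return hashlib.shake_256(key + nonce).digest(n)


def sm4_encrypt(key: bytes, pt: bytes) -> bytes:
    """SM4 stand-in: nonce || keystream-XOR ciphertext || HMAC tag (encrypt-then-MAC)."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _ks(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def sm4_decrypt(key: bytes, blob: bytes) -> bytes:
    """Raises ValueError when the key differs from the one used to encrypt."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("key mismatch")
    return bytes(a ^ b for a, b in zip(ct, _ks(key, nonce, len(ct))))


def i2b(n: int) -> bytes:
    return n.to_bytes(8, "big")


# --- client, step (7) --------------------------------------------------------
def client_request(key_dev: dict, now: int) -> dict:
    """key_dev holds what the client read from the key Key in step (6)."""
    if not (key_dev["T"] <= now <= key_dev["E"]):      # local legitimacy check
        raise ValueError("identity check failed")
    key_a = sm3(key_dev["KID"], key_dev["P"])          # A = SM3(KID, P)
    body = json.dumps({"P": key_dev["P"].hex(), "T": key_dev["T"],
                       "E": key_dev["E"], "Tu": now, "R": key_dev["R"]}).encode()
    return {"header": {"KID": key_dev["KID"].hex()}, "B": sm4_encrypt(key_a, body)}


# --- service end, steps (8) to (10) -----------------------------------------
def server_respond(msg: dict, users: dict, now: int) -> dict:
    """users maps KID -> {"P": bytes, "UID": bytes} (the server-side store)."""
    kid = bytes.fromhex(msg["header"]["KID"])
    if kid not in users:
        raise ValueError("unknown KID")
    rec = users[kid]
    key_c = sm3(kid, rec["P"])                          # C = SM3(KID, P); C == A iff P matches
    fields = json.loads(sm4_decrypt(key_c, msg["B"]))  # raises if C != A
    if abs(now - fields["Tu"]) > WINDOW_S:
        raise ValueError("TIMEOUT")
    if now > fields["E"]:
        raise ValueError("expired")
    rn = fields["R"] + N_STEP                           # Rn = R + n
    key_k = sm3(i2b(rn))                                # K = SM3(Rn)
    body = json.dumps({"UID": rec["UID"].hex(), "Rn": rn, "Ts": now}).encode()
    return {"header": {"Rn": rn}, "D": sm4_encrypt(key_k, body)}


# --- client, steps (11) and (12) --------------------------------------------
def client_finish(key_dev: dict, reply: dict, now: int) -> bytes:
    rn = reply["header"]["Rn"]
    key_j = sm3(i2b(rn))                                # J = SM3(Rn); J == K iff same Rn
    fields = json.loads(sm4_decrypt(key_j, reply["D"]))
    if abs(now - fields["Ts"]) > WINDOW_S:
        raise ValueError("TIMEOUT")
    if fields["Rn"] - N_STEP != key_dev["R"]:           # R must be unchanged
        raise ValueError("random number changed")
    uid = bytes.fromhex(fields["UID"])
    return sm3(uid, key_dev["KID"])                     # cloud key V = SM3(UID, KID)


# --- constructed sample run -------------------------------------------------
def demo(now: int = 1_700_000_000, attacker_kid: bool = False, delay: int = 5) -> bytes:
    """Runs the exchange; `delay` is the transit time the server observes."""
    kid, p, uid = b"KID-0001", b"profile-alice", b"UID-7"
    key_dev = {"KID": kid, "P": p, "T": now - 86400, "E": now + 86400, "R": 4242}
    users = {kid: {"P": p, "UID": uid}}
    msg = client_request(key_dev, now)
    if attacker_kid:   # a different KID in the header makes C != A on the server
        users[b"KID-9999"] = {"P": b"other-profile", "UID": b"UID-8"}
        msg["header"]["KID"] = b"KID-9999".hex()
    reply = server_respond(msg, users, now + delay)
    return client_finish(key_dev, reply, now + 2 * delay)
```

Following the text literally, key K is derived from Rn alone and Rn travels in clear in the protocol header of the same message, and key A is derived from the KID (also in the header) and the user profile P; the example reproduces that as written rather than binding the keys to anything else, which is the first thing to check when assessing what the ±3 min windows and the R-unchanged check actually protect. Swap in a real SM3/SM4 implementation for the two stand-ins before using any of this beyond illustration.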
As shown in Fig. 5, when data is uploaded, the virtual disk module of the cloud security management center creates a virtual logical disk on the micro host, and the user first works on the data temporarily on that virtual logical disk. The data partition encoding module of the cloud security management center randomly splits the user data on the virtual disk into several data fragments of differing sizes and applies redundancy processing to each fragment, while the information management module generates the file segmentation information (FSEI). The encryption/decryption module then encrypts each fragment with the cloud key V obtained by the real-time computation. The cloud disk management module connects to the cloud disk pool, and each encrypted fragment file, after processing by the load balancing module, is uploaded in parallel and randomly dispersed across the different cloud storages of several cloud disks. The information management module generates the file storage directory information (FSLI) and, via the micro host, writes the FSEI and FSLI of the fragment files into the key Key, which completes the upload. When data is downloaded, the data management module of the cloud security management center reads the FSEI and FSLI of the fragment files from the key Key; the cloud disk management module connects to the cloud disk pool over the network and, according to the FSLI, downloads the corresponding data fragments from the different cloud storages of the several cloud disks into the virtual disk after processing by the load balancing module. The encryption/decryption module decrypts all fragments with the cloud key V obtained by the real-time computation; the decrypted fragments are passed back through the data partition encoding module, reassembled according to the FSEI and redundancy-checked. If the check fails, redundancy processing is performed; once the check passes, the plaintext data is regenerated and stored on the virtual disk for the user to use or copy. When the user logs out or closes the session, the virtual disk is automatically unmounted and its data cleared.
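The upload and download flow of Fig. 5 above (also claim 4, steps (13) and (14)) as an added example, not the patent's own code: random unequal splitting, per-fragment redundancy, encryption with the cloud key V, dispersal over several clouds, and the FSEI/FSLI record that would be written to the key Key. The text does not specify the redundancy scheme, so this example replicates each encrypted fragment to `copies` clouds and keeps a SHA-256 digest of each plaintext fragment in the FSEI as the redundancy check; encryption under V is a SHAKE-256 keystream XOR standing in for SM4; the cloud names, object names, cloud key and sample plaintext are constructed.

```python
import hashlib
import os
import random

# Constructed sample plaintext standing in for the user's file on the virtual disk.
DATA = b"constructed sample plaintext for the secure cloud disk example " * 4


def split_random(data: bytes, pieces: int, rng: random.Random) -> list:
    """Cut `data` into `pieces` fragments of differing, randomly chosen sizes."""
    cuts = sorted(rng.sample(range(1, len(data)), pieces - 1))
    bounds = [0] + cuts + [len(data)]
    return [data[a:b] for a, b in zip(bounds, bounds[1:])]


def v_stream(v: bytes, idx: int, buf: bytes) -> bytes:
    """Stand-in for SM4 under cloud key V: XOR with a SHAKE-256 keystream bound
    to the fragment index. The same call encrypts and decrypts."""
    ks = hashlib.shake_256(v + idx.to_bytes(4, "big")).digest(len(buf))
    return bytes(a ^ b for a, b in zip(buf, ks))


def upload(data: bytes, v: bytes, clouds: dict, pieces: int, copies: int,
           rng: random.Random) -> dict:
    """Fig. 5 upload. Returns the record that the text writes to the key Key."""
    fsei, fsli = [], []     # file segmentation info, file storage directory info
    for idx, frag in enumerate(split_random(data, pieces, rng)):
        # Redundancy processing (assumed form): digest of the plaintext fragment
        # in the FSEI, and `copies` replicas of the encrypted fragment.
        fsei.append({"idx": idx, "len": len(frag),
                     "sha256": hashlib.sha256(frag).hexdigest()})
        blob = v_stream(v, idx, frag)
        obj = os.urandom(8).hex()                        # random object name
        targets = rng.sample(sorted(clouds), copies)     # load-balancing stand-in
        for c in targets:
            clouds[c][obj] = blob
        fsli.append({"idx": idx, "object": obj, "clouds": targets})
    return {"FSEI": fsei, "FSLI": fsli}


def download(record: dict, v: bytes, clouds: dict) -> bytes:
    """Fig. 5 download: fetch by FSLI, decrypt with V, check and reassemble by
    FSEI, falling back to another replica when the redundancy check fails."""
    out = []
    for seg, loc in zip(record["FSEI"], record["FSLI"]):
        good = None
        for c in loc["clouds"]:
            blob = clouds.get(c, {}).get(loc["object"])
            if blob is None:
                continue
            cand = v_stream(v, seg["idx"], blob)
            if len(cand) == seg["len"] and hashlib.sha256(cand).hexdigest() == seg["sha256"]:
                good = cand
                break
        if good is None:
            raise ValueError("fragment %d unrecoverable" % seg["idx"])
        out.append(good)
    return b"".join(out)


def demo(tamper: str = "") -> bytes:
    """Round trip over three constructed clouds, optionally with damage."""
    rng = random.Random(7)
    v = hashlib.sha256(b"UID-7" + b"KID-0001").digest()   # cloud key V (constructed)
    clouds = {"cloud-a": {}, "cloud-b": {}, "cloud-c": {}}
    rec = upload(DATA, v, clouds, pieces=4, copies=2, rng=rng)
    first = rec["FSLI"][0]
    if tamper == "corrupt-one":          # one replica flipped; the other is used
        c = first["clouds"][0]
        clouds[c][first["object"]] = bytes(b ^ 0xFF for b in clouds[c][first["object"]])
    elif tamper == "lose-all":           # every replica of one fragment gone
        for c in first["clouds"]:
            del clouds[c][first["object"]]
    elif tamper == "wrong-key":          # V derived from a different UID
        v = hashlib.sha256(b"UID-8" + b"KID-0001").digest()
    return download(rec, v, clouds)
```

The three dictionaries play the role of the cloud storages: each holds only randomly named blobs, and neither the order of the fragments nor their lengths appear anywhere outside the FSEI/FSLI record, which is the property the text relies on when it says the composition of the fragments stays with the key Key. The stream cipher stand-in provides no integrity on its own; here the FSEI digest is what detects a corrupted replica or a wrong V.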
A characteristic of the method is that the key Key and the micro host are not used merely as a security terminal; together with the cloud security management center and the cloud disk pool they form a system in which every component is indispensable to the secure encryption process. The advantage is that even if the cloud security management center and the cloud disk end are breached by an attacker or leak, so that the KID and UID are obtained from them, the complete secure encryption method still cannot be reproduced without the key Key and the micro host taking part in the decryption process; without the complete method the correct cloud key cannot be obtained, and therefore the user data cannot be obtained. The converse holds as well, and the probability of compromising all components of the system at the same time is low. In addition, the cloud disk pool exploits the distributed nature of cloud storage and further expands the number of storage endpoints: after segmentation and encryption the data is dispersed across the different cloud storages of several cloud disks, so that not only is compromising all cloud disks difficult, but even if that succeeds, the file segmentation information (FSEI) and file storage directory information (FSLI) are stored on the key Key, which remains in the user's hands, so the composition of the data fragments still cannot be fully recovered and the probability of obtaining the original data by brute force is extremely low. Being mobile and portable, it gives the user active control over the data stored in the cloud disk, avoids data leakage, and makes the secure encryption effect very pronounced.
The technical solution of the present invention is not limited to the scope of the embodiments described. Technical details not described in detail in the present invention are known technology.

Claims (4)

1. A secure cloud disk system, characterised in that it comprises a micro host, a key Key, a cloud security management center and a cloud disk pool, wherein the cloud security management center comprises a service end and a client; the service end is connected to the micro host over the network; the micro host is connected to the key Key; the micro host is connected to the cloud disk pool through the client of the cloud security management center; the service end comprises a key module, a user management module, a security module and a storage module; the client comprises an identity information module, a virtual disk module, an encryption/decryption module, a data partition encoding module, a load balancing module, an information management module and a cloud disk management module; and the cloud disk pool comprises a number of private cloud disks or public cloud disks.
2. The secure cloud disk system according to claim 1, characterised in that the key Key is a removable storage device comprising an encryption chip provided with a hardware unique identification code (KID), a controller and a memory.
3. The secure cloud disk system according to claim 1, characterised in that the micro host is a mobile smart device comprising a central processing unit, an eMMC memory, an SSD storage, input/output ports, a WiFi module and a display module.
4. The secure cloud disk system according to claim 1, characterised in that a secure encryption method based on the secure cloud disk system is also provided, the method comprising the following steps:
(1) the user inserts an unregistered key Key into the micro host; the micro host first identifies and manages the connected key Key through the client of the cloud security management center, refuses operation if identification is incorrect, and if identification is correct initiates a registration request to the service end of the cloud security management center;
(2) the service end audits the registration information provided by the user; if the audit passes, it generates a user unique identifier UID from the hardware unique identification code (KID) of the key Key and stores it on the service end, and at the same time generates user key information, which includes but is not limited to key information (KI), a user profile P and a login password C; if the audit fails, the request is suspended;
(3) the service end initialises the key Key and writes the user key information into the key Key, completing registration of the key Key;
(4) the user inserts the key Key registered in step (3) into the micro host; the micro host first identifies and manages the connected key Key through the client of the cloud security management center, refuses operation if identification is incorrect, and if identification is correct initiates a login request to the service end of the cloud security management center;
(5) the service end retrieves and approves the user key information, the UID and the KID for the login request sent by the client; if approved, proceed to step (6), otherwise suspend;
(6) the client obtains the following information from the key Key: the hardware unique identification code KID, the user profile P, the registration time T, the validity period E and the random number R;
(7) the client generates a timestamp Tu from the current time and checks the legitimacy of the user identity against Tu and the information obtained in step (6); on a mismatch or expiry it fails; otherwise the client hashes the KID and the user profile P with the SM3 algorithm to derive key A, A = KID&P; it then encrypts the user profile P, registration time T, validity period E, timestamp Tu and random number R with the SM4 algorithm to obtain ciphertext B, B = A&P&T&E&Tu&R, and sends ciphertext B to the service end together with a protocol header, the protocol header carrying the KID;
(8) the service end obtains the KID by parsing the protocol header, looks up the corresponding user profile P on the server side by the KID, and hashes the KID and the user profile P with the SM3 algorithm to obtain key C; if key C = key A, the service end decrypts ciphertext B with the SM4 algorithm to obtain the user profile P, registration time T, validity period E, timestamp Tu and random number R; if key C ≠ key A, it fails;
(9) the service end verifies the obtained timestamp Tu; a deviation of more than ±3 min from the current server time is treated as a TIMEOUT and fails; if not timed out, the service end judges from the obtained validity period E whether it has expired; if expired, it fails; if not expired, it retrieves the user unique identifier UID stored on the service end;
(10) the service end generates a new timestamp Ts from the current time, computes a new random number Rn by adding n to the random number R, hashes the new random number Rn with the SM3 algorithm to derive key K, K = Rn, and encrypts the UID, the new random number Rn and the new timestamp Ts with the SM4 algorithm to obtain ciphertext D, D = K&UID&Rn&Ts; the service end sends ciphertext D to the client together with a protocol header, the protocol header carrying the new random number Rn;
(11) the client obtains the new random number Rn by parsing the protocol header and hashes it with the SM3 algorithm to derive key J; if key J = key K, the client decrypts ciphertext D with key K to obtain the UID, the new random number Rn and the new timestamp Ts, and subtracts n from Rn to recover the random number R; if key J ≠ key K, it fails;
(12) the client verifies the obtained new timestamp Ts; a deviation of more than ±3 min from the current client time is treated as a TIMEOUT and fails; if not timed out, the client judges whether the random number R has changed; if changed, it fails; if unchanged, authentication passes, the client obtains the UID, and hashes the UID together with the KID obtained in step (6) with the SM3 algorithm to obtain the cloud key V;
(13) when uploading data, the virtual disk module of the cloud security management center creates a virtual logical disk on the micro host, and the user first works on the data temporarily on the virtual logical disk; the data partition encoding module of the cloud security management center randomly splits the user data on the virtual disk into several data fragments of differing sizes and applies redundancy processing to each data fragment, while the information management module generates the file segmentation information (FSEI); the encryption/decryption module then encrypts each data fragment with the cloud key V obtained by the real-time computation of steps (6) to (12); the cloud disk management module connects to the cloud disk pool, and each encrypted fragment file, after processing by the load balancing module, is uploaded in parallel and randomly dispersed onto the different cloud storages of several cloud disks; the information management module generates the file storage directory information (FSLI) and, via the micro host, writes the file segmentation information (FSEI) and file storage directory information (FSLI) of the fragment files into the key Key, completing the upload of the data;
(14) when downloading data, the data management module of the cloud security management center obtains the file segmentation information (FSEI) and file storage directory information (FSLI) of the fragment files from the key Key; the cloud disk management module connects to the cloud disk pool and, according to the file storage directory information (FSLI), downloads the corresponding data fragments from the different cloud storages of the several cloud disks into the virtual disk after processing by the load balancing module; the encryption/decryption module decrypts all data fragments with the cloud key V obtained by the real-time computation of steps (6) to (12); the decrypted data fragments are reassembled by the data partition encoding module according to the file segmentation information (FSEI) and redundancy-checked; if the check fails, redundancy processing is performed; once the check passes, the plaintext data is regenerated and stored on the virtual disk, completing the download of the data.
CN201610985283.9A 2016-11-09 2016-11-09 Secure cloud disk system and secure encryption method thereof Expired - Fee Related CN106453384B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201610985283.9A CN106453384B (en) 2016-11-09 2016-11-09 Secure cloud disk system and secure encryption method thereof

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201610985283.9A CN106453384B (en) 2016-11-09 2016-11-09 Secure cloud disk system and secure encryption method thereof

Publications (2)

Publication Number Publication Date
CN106453384A true CN106453384A (en) 2017-02-22
CN106453384B CN106453384B (en) 2023-05-16

Family

ID=58208062

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201610985283.9A Expired - Fee Related CN106453384B (en) 2016-11-09 2016-11-09 Secure cloud disk system and secure encryption method thereof

Country Status (1)

Country Link
CN (1) CN106453384B (en)

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN201716734U (en) * 2010-07-21 2011-01-19 郑州信大捷安信息技术有限公司 Usb safe storage encryption device
CN103248479A (en) * 2012-02-06 2013-08-14 中兴通讯股份有限公司 Cloud storage safety system, data protection method and data sharing method
CN103973440A (en) * 2014-05-13 2014-08-06 东方斯泰克信息技术研究院(北京)有限公司 File cloud security management method and system based on CPK
US20140380057A1 (en) * 2013-06-05 2014-12-25 Huawei Technologies Co., Ltd. Method, Server, Host, and System for Protecting Data Security
CN104378206A (en) * 2014-10-20 2015-02-25 中国科学院信息工程研究所 Virtualization desktop safety certification method and system based on USB-Key
CN105100076A (en) * 2015-07-03 2015-11-25 浪潮电子信息产业股份有限公司 Cloud data security system based on USB Key
CN105450636A (en) * 2015-11-06 2016-03-30 长春智信创联科技有限公司 Cloud computing management system and management method of cloud computing management system

Cited By (23)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106788983A (en) * 2017-03-01 2017-05-31 深圳市中博睿存信息技术有限公司 A kind of communication data encryption method and device based on customer end/server mode
CN107590395A (en) * 2017-08-15 2018-01-16 国家电网公司 Suitable for multi-layer data encryption method, device, equipment and the system of cloud environment
CN107493287A (en) * 2017-08-25 2017-12-19 天津中新智冠信息技术有限公司 Industry control network data security system
CN108900510A (en) * 2018-06-29 2018-11-27 平安科技(深圳)有限公司 Off-line data storage method, device, computer equipment and storage medium
CN110874485A (en) * 2018-08-31 2020-03-10 洪绍御 Smart data distributed storage system and method thereof
CN110032414B (en) * 2019-03-06 2023-06-06 联想企业解决方案(新加坡)有限公司 Apparatus and method for secure user authentication in remote console mode
CN110032414A (en) * 2019-03-06 2019-07-19 联想企业解决方案(新加坡)有限公司 Apparatus and method for secure user authentication in remote console mode
CN110263556A (en) * 2019-05-22 2019-09-20 广东安创信息科技开发有限公司 A kind of encryption and decryption method and system of OA system data
CN113037770A (en) * 2021-03-29 2021-06-25 武汉华工安鼎信息技术有限责任公司 Industrial control data safety system and method based on storage virtualization
CN113067892A (en) * 2021-04-09 2021-07-02 北京理工大学 Method for realizing safe cloud synchronization and cloud storage by using public cloud
CN114189511A (en) * 2021-12-06 2022-03-15 成都傲梅科技有限公司 Third-party cloud-based multi-cloud combination method
CN114189511B (en) * 2021-12-06 2024-01-09 成都傲梅科技有限公司 Multi-cloud combination method based on third party cloud
CN114553478A (en) * 2022-01-13 2022-05-27 成都储迅科技有限责任公司 Security system and method for accessing solid state disk by cloud server based on state password
CN114466015A (en) * 2022-01-25 2022-05-10 柏域信息科技(上海)有限公司 Data storage system and method based on multi-cloud architecture
CN114466015B (en) * 2022-01-25 2024-03-15 柏域信息科技(上海)有限公司 Data storage system and method based on multi-cloud architecture
CN114500073A (en) * 2022-02-11 2022-05-13 浪潮云信息技术股份公司 User data cut-over method and system supporting privacy protection in cloud storage system
CN114500073B (en) * 2022-02-11 2024-04-12 浪潮云信息技术股份公司 User data cutting method and system supporting privacy protection in cloud storage system
CN114567479A (en) * 2022-02-28 2022-05-31 中国科学院软件研究所 Intelligent equipment safety control reinforcement and monitoring early warning method
CN116760546A (en) * 2023-08-18 2023-09-15 湖南省通信建设有限公司 Modularized password service method based on cloud environment
CN116760546B (en) * 2023-08-18 2023-10-31 湖南省通信建设有限公司 Modularized password service method based on cloud environment
CN118170499A (en) * 2024-05-11 2024-06-11 中移(苏州)软件技术有限公司 Virtual cloud disk segmentation method and device, electronic equipment and storage medium
CN118170499B (en) * 2024-05-11 2024-08-16 中移(苏州)软件技术有限公司 Virtual cloud disk segmentation method and device, electronic equipment and storage medium
CN118400206A (en) * 2024-06-28 2024-07-26 国网浙江省电力有限公司 Intelligent control method and system for number of rooms of power distribution station

Also Published As

Publication number Publication date
CN106453384B (en) 2023-05-16

Similar Documents

Publication Publication Date Title
CN106453384A (en) Security cloud disk system and security encryption method thereof
US11470054B2 (en) Key rotation techniques
US11695555B2 (en) Federated key management
US10911457B2 (en) Immediate policy effectiveness in eventually consistent systems
AU2017204853B2 (en) Data security service
CA2899014C (en) Policy enforcement with associated data
US11372993B2 (en) Automatic key rotation
US10210341B2 (en) Delayed data access
US9300639B1 (en) Device coordination
US20140229732A1 (en) Data security service
CN106936579A (en) Cloud storage data storage and read method based on trusted third party agency

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20230516