CN106453384B - Secure cloud disk system and secure encryption method thereof - Google Patents

Publication number
CN106453384B
Authority
CN
China
Prior art keywords
key
cloud
module
information
user
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201610985283.9A
Other languages
Chinese (zh)
Other versions
CN106453384A (en
Inventor
鹤荣育
杨启超
常朝稳
代向东
孙万忠
易青松
吴绍浩
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Individual
Original Assignee
Individual
Application filed by Individual
Priority to CN201610985283.9A
Publication of CN106453384A
Application granted
Publication of CN106453384B

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/10 Protocols in which an application is distributed across nodes in the network
    • H04L67/1097 Protocols in which an application is distributed across nodes in the network for distributed storage of data in networks, e.g. transport arrangements for network file system [NFS], storage area networks [SAN] or network attached storage [NAS]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/06 Network architectures or network communication protocols for network security for supporting key management in a packet data network

Abstract

The invention relates to a secure cloud disk system and a secure encryption method thereof. The system comprises a micro host, a Key Key, a cloud security management center and a cloud disk pool. The cloud security management center comprises a server and a client; the server is connected with the micro host through a network, the micro host is connected with the Key Key in a matched manner, and the micro host is connected with the cloud disk pool through the client of the cloud security management center. The server comprises a Key module, a user management module, a security module and a storage module. The client comprises an identity information module, a virtual disk module, an encryption and decryption module, a data segmentation coding module, a load balancing module, an information management module and a cloud disk management module. The cloud disk pool comprises a plurality of private cloud disks or public cloud disks. The system is portable, gives users active control over the data they store on cloud disks, and offers outstanding security and confidentiality.

Description

Secure cloud disk system and secure encryption method thereof
Technical Field
The invention belongs to the technical field of computers, and particularly relates to a secure cloud disk system and a secure encryption method thereof.
Background
With the rapid development of information technology and intelligent terminals, cloud disks are widely used in many fields. Users of cloud disks generate a large number of data files every day, many of which involve personal or enterprise secrets or privacy, so data security is a key issue for cloud disks. At present, although most cloud disks provide some security solutions for users, the cloud disk server is actually not trusted and the initiative is not in the hands of the users: some professionals or administrators can easily acquire data files while the users remain passive, so large-scale leaks of user data occur easily. If a user manually encrypts data before uploading it to the cloud disk, the user does hold control, but the encrypted data file may still be cracked by brute force, and because access is frequent the manual encryption and decryption process is cumbersome and inconvenient. Meanwhile, because of mobile office and similar requirements, users often access the cloud disk from different computers or operating platforms, so the data files cannot be reliably and safely isolated in the environment where they are transmitted and operated on, and there is an obvious risk of leakage. How to let users truly hold the security initiative in cloud services, quickly and conveniently, while ensuring that data is used securely, is a major topic.
Disclosure of Invention
Aiming at the defects of the prior art, the invention provides a safe cloud disk system which is portable and mobile, can enable a user to enjoy active control right of cloud disk storage data, and is safer and more reliable, and a safe encryption method thereof.
The technical scheme adopted to achieve the purpose of the invention is as follows: a secure cloud disk system comprises a micro host, a Key Key, a cloud security management center and a cloud disk pool. The cloud security management center comprises a server side and a client side; the server side is connected with the micro host through a network, the micro host is connected with the Key Key in a matched mode, and the micro host is connected with the cloud disk pool through the client side of the cloud security management center. The server side comprises a Key module, a user management module, a security module and a storage module, and is mainly used for managing Key Information (KI) and user registration authentication. The client side comprises an identity information module, a virtual disk module, an encryption and decryption module, a data segmentation coding module, a load balancing module, an information management module and a cloud disk management module, and is mainly used for processing data and accessing data of the cloud disk. The cloud disk pool comprises a plurality of private cloud disks or public cloud disks and is mainly used for providing cloud storage and expanding the number of cloud memories; a private cloud disk is a cloud memory that serves specific users and is not open to the outside, and a public cloud disk is a cloud memory that serves the public and is open to everyone.
The Key Key is a mobile storage device comprising an encryption chip provided with a hardware unique identification code (KID), a controller and a memory, and adopts a hardware encryption means to protect the data and information security of a user.
The micro host is mobile intelligent equipment comprising a central processing unit, an EMMC memory, an SSD memory, an input/output port, a WiFi module and a display module, and is mainly used for providing a safe and reliable exclusive isolation environment for Key use and data operation transmission.
The Key module is mainly used for managing Key Information (KI) and login passwords corresponding to the Key Key and participating in the processing of the cloud Key at the server.
The user management module is mainly used for the management of registration authentication, unique User Identification (UID), legal authority, authority range, time and times of the user.
The security module is mainly responsible for the security assurance of user management, Key Information (KI) and login passwords, and effectively prevents replay, tampering and other attacks.
The storage module is mainly used for storing the information database.
The identification management module is mainly used for identifying and managing access permissions of mobile equipment such as a Key Key and the like on the micro-host, and can eliminate intrusion of illegal access equipment to the system.
The virtual disk module is loaded and registered in the EMMC memory of the micro host computer, is withdrawn or closed immediately, is responsible for providing virtualized local logic storage space for a user, is convenient for the user to perform local operation on data, reduces frequent network requests, can improve the absolute safety of the data operation environment of the user, and prevents the leakage event caused by viruses or Trojan horses.
The data segmentation redundancy module is used for conducting block segmentation and coding redundancy processing on stored data, the whole data are randomly segmented into a plurality of data fragments with different parts and different sizes, redundancy processing is conducted on the plurality of data fragments generated by segmentation, cloud disk data loss can be effectively solved, and reliability of the cloud disk stored data is improved. Meanwhile, preconditions are provided for parallel transmission of data, and the data access efficiency can be effectively improved.
The load balancing module is mainly used for reasonably distributing tasks to balance the load of the whole system, so that the overall processing capacity of the system to data is improved, storage tasks can be monitored in real time and distributed according to performance indexes of the cloud disk and the network and the data segmentation condition, the utilization rate of storage resources of different cloud disks is optimized, the efficiency of synchronous parallel data access of the cloud disk is improved, and the overall data access performance of the system is effectively enhanced.
The encryption and decryption module is mainly used for encrypting and decrypting the stored data and participating in the processing of the cloud key at the client, and provides real-time automatic file encryption and decryption processing for the user, so that the security confidentiality of the data is further improved.
The information management module is mainly used for control information management of data, wherein the control information is file segmentation information (FSEI) and file storage directory information (FSLI) respectively, and the control right transfer of the stored data is realized by separating the stored data from the data control information, and the control information is stored in a Key Key, so that even if the stored data is leaked at a cloud disk end, the stored data cannot be accessed and used due to the lack of the corresponding control information, and the safety doubt of a user on the stored data of the cloud disk is eliminated from the technical aspect.
The cloud disk management module is mainly used for providing a unified cloud disk interface for private cloud disks and public cloud disks, realizing the cloud disk pool, and handling the cloud disks connected to the system, which facilitates management of user data. It carries out specific operations on a specified single cloud disk or a plurality of cloud disks according to user operations and the information fed back by each module of the system, and guarantees that the data fragments generated by the data segmentation redundancy module are stored in different cloud memories of the plurality of cloud disks, so that no single cloud disk holds all fragments of the data; the mechanism itself thereby guarantees the confidentiality and privacy of the stored data.
The invention further provides a secure encryption method based on a secure cloud disk system, which comprises the following steps:
(1) The user inserts the unregistered Key Key into the micro-host, the micro-host firstly identifies and manages the accessed Key Key through the client of the cloud security management center, the operation is refused if the identification is incorrect, and a registration request is initiated to the server of the cloud security management center if the identification is correct;
(2) The server side audits the registration information provided by the user, if the audit passes, a user unique identifier UID is generated according to a hardware unique identification code (KID) of a Key Key and stored in the server side, meanwhile, user Key information is generated, the user Key information comprises but is not limited to Key Information (KI), user information P and login password C, and if the audit fails, the operation is stopped;
(3) The server performs initialization setting on the Key Key, and writes user Key information into the Key Key storage to complete the registration of the Key Key;
(4) The user completes the registered Key Key in the step (3) and inserts the micro-host, the micro-host firstly identifies and manages the accessed Key Key through the client of the cloud security management center, the operation is refused if the identification is incorrect, and a login request is initiated to the server of the cloud security management center if the identification is correct;
(5) The server performs search approval of user key information, UID and KID on the login request sent by the client, if the user key information passes the search approval, the step (6) is entered, and otherwise, the operation is stopped;
(6) The client acquires the following information from the Key Key: the hardware unique marking code KID, user information P, registration time T, validity period E and random number R;
(7) The client generates a time stamp Tu according to the current time, combines the time stamp Tu with the information obtained in the step (6) to judge the validity of the user identity, fails when the user identity is not matched or is out of date, and encrypts the KID and the user information P through an SM3 algorithm to generate a key A, wherein A=KID & P; encrypting user information P, registration time T, validity period E, time stamp Tu and random number R by an SM4 algorithm to generate ciphertext B, wherein B=A & P & T & E & Tu & R, and the client sends the ciphertext B to the server together with a protocol header, and the protocol header contains KID information;
(8) The server obtains the KID through analyzing the protocol header, then searches corresponding user information P in the server through the KID, encrypts the KID and the user information P through an SM3 algorithm to generate a key C, and if the key C=the key A, the server decrypts the ciphertext B through an SM4 algorithm to obtain the user information P, the registration time T, the validity period E, the timestamp Tu and the random number R; if the key C is not equal to the key A, the failure is caused;
(9) The server verifies the timestamp Tu it obtained: if Tu deviates from the current server time by more than +/-3 min, the request is considered timed out and the operation fails. If it has not timed out, the server judges from the validity period E it obtained whether the validity period has passed; if it has, the operation fails, and if not, the user unique identifier UID stored at the server is retrieved;
(10) The server generates a new time stamp Ts according to the current time, the server performs +n operation on the random number R to obtain a new random number Rn, encrypts the new random number Rn through an SM3 algorithm to generate a key K, and K=Rn; encrypting the UID, the new random number Rn and the new time stamp Ts through an SM4 algorithm to obtain a ciphertext D, wherein D=K & UID & Rn & Ts; the server sends the ciphertext D and the protocol header to the client, wherein the section of protocol header contains new random number Rn information;
(11) The client obtains a new random number Rn by analyzing the protocol header, encrypts the new random number Rn by an SM3 algorithm, and generates an obtained secret key J; if the key J=the key K, the client decrypts the ciphertext D through the key K to obtain the UID, the new random number Rn and the new time stamp Ts, performs-n operation on the new random number Rn to obtain the random number R, and if the key J is not equal to the key K, fails;
(12) The client verifies the new timestamp Ts it obtained: if Ts deviates from the current client time by more than +/-3 min, the response is considered timed out and the operation fails. If it has not timed out, the client judges whether the random number R has changed; if it has changed, the operation fails, otherwise authentication passes. The client then obtains the UID and encrypts the UID and the KID obtained in the step (6) into ciphertext through the SM3 algorithm to obtain the cloud key V;
(13) When uploading data, a virtual disk module of a cloud security management center generates a virtual logic disk on a micro host, a user firstly carries out temporary operation on the data on the virtual logic disk, a data segmentation coding module of the cloud security management center randomly divides the user data on the virtual disk into a plurality of data fragments with different sizes, carries out redundancy processing on each data fragment, an information management module simultaneously generates file segmentation information (FSEI), then an encryption and decryption module encrypts each data fragment by using a cloud Key V obtained by the real-time operation in the step (6), then the cloud disk management module is connected with a cloud disk pool, each encrypted fragment file is randomly dispersed and parallelly uploaded to different cloud memories of a plurality of cloud disks after being processed by a load balancing module, and an information management module generates file storage directory information (FSLI) and writes the file segmentation information (FSEI) and the file storage directory information (FSLI) of the fragment file into the Key through the micro host to finish uploading the data;
(14) When downloading data, the data management module of the cloud security management center obtains the file segmentation information (FSEI) and file storage directory information (FSLI) of the fragment files from the Key Key, and the cloud disk management module connects to the cloud disk pool. According to the file storage directory information (FSLI), and after processing by the load balancing module, the corresponding data fragments are downloaded into the virtual disk from different cloud memories of a plurality of cloud disks. The encryption and decryption module decrypts all the data fragments with the cloud Key V obtained by the real-time operation in the step (6). The data segmentation encoding module combines the decrypted data fragments according to the file segmentation information (FSEI) and performs a redundancy check; redundancy processing is performed where the check calls for it, and once the check is complete the data is regenerated and stored in the virtual disk, which completes the data download.
With the secure cloud disk system and secure encryption method obtained by this scheme, a user only needs to operate the client through the Key Key and the micro-host to upload data directly, and multiple security and encryption measures are completed automatically for the user in the background. The Key Key and the micro-host are devices under the user's control and are fully trusted, and the micro-host provides a secure, isolated transmission and operating environment for the Key Key and the user, which avoids leaks caused by unreliable access devices. The Key Key also has hardware encryption measures, which effectively reduce the security risk of the Key Key being used arbitrarily. The multiple identification, verification and authentication processes among the components improve the cohesion and security of the whole system. Even if the cloud security management center and a cloud disk are broken into by a hacker or leak data, the cloud key is obtained through real-time operation of the secure encryption method with the participation of all components of the system, so even if the KID and UID are obtained, the correct cloud key cannot be obtained and verification is even less likely to pass, which makes user data more secure. Meanwhile, the cloud disk pool uses the distributed nature of cloud storage and fully expands the number of cloud disk storage objects: after segmentation and encryption, data is scattered across different cloud memories of a plurality of cloud disks, so cracking all the cloud disks is difficult, and even if that succeeds, the file segmentation information (FSEI) and file storage directory information (FSLI) are held on the Key Key, so the composition of the data fragments cannot be fully obtained and the possibility of recovering the original data by brute force is extremely low.
The cloud disk data storage system has the characteristics that a user can enjoy active control right on cloud disk data storage, the cloud disk data storage system is portable, and safety confidentiality is very outstanding.
Drawings
Fig. 1 is a block diagram of the structure of the present invention.
Fig. 2 is a registration flow chart of the present invention.
Fig. 3 is a login flow chart of the present invention.
Fig. 4 is a flow chart of the secure encryption method of the present invention.
Fig. 5 is a flow chart of uploading data and downloading data of the present invention.
Description of the embodiments
The present invention will be described in further detail with reference to examples and drawings, but embodiments of the present invention are not limited thereto.
Referring to fig. 1, the system comprises a micro host 2, a Key Key 1, a cloud security management center 3 and a cloud disk pool 4. The cloud security management center 3 comprises a server 3-1 and a client 3-2; the server 3-1 is connected with the micro host 2 through a network, the micro host 2 is cooperatively connected with the Key Key 1, and the micro host 2 is connected with the cloud disk pool through the client 3-2 of the cloud security management center. The server 3-1 comprises a Key module, a user management module, a security module and a storage module, and is mainly used for managing Key Information (KI) and user registration authentication. The client 3-2 comprises an identity information module, a virtual disk module, an encryption and decryption module, a data segmentation coding module, a load balancing module, an information management module and a cloud disk management module, and is mainly used for processing data and accessing data of the cloud disk. The Key Key 1 comprises an encryption chip in which a hardware unique identification code (KID) is fixed, a controller and a memory, and adopts a hardware encryption means to protect the data and information security of a user. The micro-host 2 comprises a central processing unit, an EMMC memory, an SSD memory, an input/output port, a WiFi module and a display module, and is mainly used for providing a safe and reliable exclusive isolation environment for the use of the Key Key and the operation and transmission of data. The cloud disk pool comprises a plurality of private cloud disks or public cloud disks and is mainly used for providing cloud storage and expanding the number of cloud memories; a private cloud disk is a cloud memory that serves specific users and is not open to the outside, and a public cloud disk is a cloud memory that serves the public and is open to everyone.
The Key module is mainly used for managing Key Information (KI) and login passwords corresponding to the Key Key and participating in the processing of the cloud Key at the server.
The user management module is mainly used for the management of registration authentication, unique User Identification (UID), legal authority, authority range, time and times of the user.
The security module is mainly responsible for the security assurance of user management, Key Information (KI) and login passwords, and effectively prevents replay, tampering and other attacks.
The storage module is mainly used for storing the information database.
The identification management module is mainly used for identifying and managing access permissions of mobile equipment such as a Key Key and the like on the micro-host, and can eliminate intrusion of illegal access equipment to the system.
The virtual disk module is loaded and registered in the EMMC memory of the micro host computer, is withdrawn or closed immediately, is responsible for providing virtualized local logic storage space for a user, is convenient for the user to perform local operation on data, reduces frequent network requests, can improve the absolute safety of the data operation environment of the user, and prevents the leakage event caused by viruses or Trojan horses.
The data segmentation redundancy module is used for conducting block segmentation and coding redundancy processing on stored data, the whole data are randomly segmented into a plurality of data fragments with different parts and different sizes, redundancy processing is conducted on the plurality of data fragments generated by segmentation, cloud disk data loss can be effectively solved, and reliability of the cloud disk stored data is improved. Meanwhile, preconditions are provided for parallel transmission of data, and the data access efficiency can be effectively improved.
The load balancing module is mainly used for reasonably distributing tasks to balance the load of the whole system, so that the overall processing capacity of the system to data is improved, storage tasks can be monitored in real time and distributed according to performance indexes of the cloud disk and the network and the data segmentation condition, the utilization rate of storage resources of different cloud disks is optimized, the efficiency of synchronous parallel data access of the cloud disk is improved, and the overall data access performance of the system is effectively enhanced.
The encryption and decryption module is mainly used for encrypting and decrypting the stored data and participating in the processing of the cloud key at the client, and provides real-time automatic file encryption and decryption processing for the user, so that the security confidentiality of the data is further improved.
The information management module is mainly used for control information management of data, wherein the control information is file segmentation information (FSEI) and file storage directory information (FSLI) respectively, and the control right transfer of the stored data is realized by separating the stored data from the data control information, and the control information is stored in a Key Key, so that even if the stored data is leaked at a cloud disk end, the stored data cannot be accessed and used due to the lack of the corresponding control information, and the safety doubt of a user on the stored data of the cloud disk is eliminated from the technical aspect.
The cloud disk management module is mainly used for providing a unified cloud disk interface for private cloud disks and public cloud disks, realizing the cloud disk pool, and handling the cloud disks connected to the system, which facilitates management of user data. It carries out specific operations on a specified single cloud disk or a plurality of cloud disks according to user operations and the information fed back by each module of the system, and guarantees that the data fragments generated by the data segmentation redundancy module are stored in different cloud memories of the plurality of cloud disks, so that no single cloud disk holds all fragments of the data; the mechanism itself thereby guarantees the confidentiality and privacy of the stored data.
Referring to fig. 2, 3, 4 and 5, a secure encryption method based on a secure cloud disk system includes the following steps: as shown in fig. 2, when registering, a user inserts an unregistered Key into a micro-host, the micro-host firstly performs identification management on the accessed Key through a client of a cloud security management center, if the identification is incorrect, the operation is refused, and if the identification is correct, a registration request is initiated to a server of the cloud security management center; the server side audits the registration information provided by the user, if the audit passes, a user unique identifier UID is generated according to a hardware unique identification code (KID) of a Key Key and stored in the server side, meanwhile, user Key information is generated, the user Key information comprises but is not limited to Key Information (KI), user information P and login password C, and if the audit fails, the operation is stopped; the server side performs initialization setting on the Key Key, writes Key information of a user into the Key Key storage to obtain a registered Key Key, and completes registration.
As shown in fig. 3, when logging in, a user inserts the registered Key into a micro host, the micro host firstly identifies and manages the accessed Key through a client of a cloud security management center, if the identification is incorrect, the operation is stopped, and if the identification is correct, a login request is initiated to a server of the cloud security management center; and the server performs matching approval of the user key information and the UID and the KID on the login request sent by the client, if the approval passes, the login is completed, and otherwise, the operation is stopped.
As shown in fig. 4, during the secure encryption operation the client obtains the following Key information of the user from the Key: the hardware unique marking code KID, user information P, registration time T, validity period E and random number R. The client generates a time stamp Tu from the current time and combines it with the Key information obtained above to judge the validity of the user identity; the operation fails if the identity does not match or has expired. Otherwise the client encrypts the KID and the user information P through the SM3 algorithm to generate a key A, where A=KID & P, and encrypts the user information P, registration time T, validity period E, time stamp Tu and random number R through the SM4 algorithm to generate ciphertext B, where B=A & P & T & E & Tu & R. The client sends the ciphertext B to the server together with a protocol header, and the protocol header contains the KID information.
The server obtains the KID by parsing the protocol header, looks up the corresponding user information P stored on the server by the KID, and encrypts the KID and the user information P through the SM3 algorithm to generate a key C. If the key C = the key A, the server decrypts the ciphertext B through the SM4 algorithm to obtain the user information P, the registration time T, the validity period E, the time stamp Tu and the random number R; if the key C is not equal to the key A, the operation fails. The server then checks the obtained time stamp Tu: if it deviates from the current server time by more than +/-3 min, the request is treated as a timed-out request and fails. If the request has not timed out, the server judges from the obtained validity period E whether the validity period has expired; if it has expired, the operation fails, and if not, the user unique identifier UID stored by the server is retrieved.
The server generates a new time stamp Ts from the current time, performs a +n operation on the random number R to obtain a new random number Rn, and encrypts the new random number Rn through the SM3 algorithm to generate a key K, where K=Rn (SM3). The server encrypts the UID, the new random number Rn and the new time stamp Ts through the SM4 algorithm to obtain a ciphertext D, where D=K & UID & Rn & Ts, and sends the ciphertext D and a protocol header to the client; this protocol header contains the new random number Rn information.
The client obtains the new random number Rn by parsing the protocol header and encrypts it through the SM3 algorithm to generate a key J. If the key J = the key K, the client decrypts the ciphertext D through the key K to obtain the UID, the new random number Rn and the new time stamp Ts, and performs a -n operation on the new random number Rn to obtain the random number R; if the key J is not equal to the key K, the operation fails. The client then checks the obtained new time stamp Ts: if it deviates from the current client time by more than +/-3 min, the request is treated as a timed-out request and fails. If the request has not timed out, the client judges whether the random number R has changed; if it has changed, the operation fails, and if not, authentication passes. The client thus obtains the UID, and the UID and the KID obtained from the Key are encrypted into ciphertext through the SM3 algorithm, finally yielding the cloud key V.
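The exchange of fig. 4 as a runnable model, added here as an illustration and not taken from the patent. Assumptions: SHA-256 stands in for SM3 and a keystream-plus-HMAC construction stands in for SM4 (neither is in the Python standard library), key A is used as the encryption key for B so that the test "C = A" becomes "decryption with C succeeds" (likewise J and K for D), E is modelled as an expiry time, and the offset n, field encoding and sample values are constructed.

```python
import hashlib, hmac, json, os

WINDOW = 180   # the +/-3 min tolerance from the text, in seconds
N = 7          # the "+n" offset known to both sides (value assumed)

def h(*parts):
    """Stand-in for SM3: SHA-256 over the joined fields (SM3 is not in the stdlib)."""
    return hashlib.sha256("|".join(map(str, parts)).encode()).digest()

def _stream(key, nonce, n):
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]

def seal(key, fields):
    """Stand-in for SM4 encryption: keystream XOR plus an HMAC tag (not SM4)."""
    pt, nonce = json.dumps(fields).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _stream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()

def unseal(key, blob):
    """Decrypt; a wrong key (C != A or J != K) is detected by the tag and fails."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        raise ValueError("key mismatch")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct)))))

def client_request(key_dev, now):
    """Steps (6)-(7): read the Key, check validity, build header + ciphertext B."""
    if now > key_dev["E"]:
        raise ValueError("Key expired")
    a = h(key_dev["KID"], key_dev["P"])                        # key A
    body = {k: key_dev[k] for k in "PTER"}
    body["Tu"] = now
    return {"KID": key_dev["KID"]}, seal(a, body)

def server_respond(db, header, b, now):
    """Steps (8)-(10): derive C, decrypt B, check Tu and E, answer with D."""
    rec = db.get(header["KID"])
    if rec is None:
        raise ValueError("unknown KID")
    m = unseal(h(header["KID"], rec["P"]), b)                  # key C
    if abs(now - m["Tu"]) > WINDOW:
        raise ValueError("timeout")
    if now > m["E"]:
        raise ValueError("expired")
    rn = m["R"] + N
    d = seal(h(rn), {"UID": rec["UID"], "Rn": rn, "Ts": now})  # key K
    return {"Rn": rn}, d

def client_finish(key_dev, header, d, now):
    """Steps (11)-(12): derive J, decrypt D, check Ts and R, derive cloud key V."""
    m = unseal(h(header["Rn"]), d)                             # key J
    if abs(now - m["Ts"]) > WINDOW:
        raise ValueError("timeout")
    if m["Rn"] - N != key_dev["R"]:
        raise ValueError("R changed")
    return h(m["UID"], key_dev["KID"]).hex()                   # cloud key V

def login(key_dev, db, t_client, t_server):
    hdr, b = client_request(key_dev, t_client)
    hdr2, d = server_respond(db, hdr, b, t_server)
    return client_finish(key_dev, hdr2, d, t_client)

# Constructed sample data; E is modelled as an expiry time in epoch seconds.
KEY_DEV = {"KID": "KID-0001", "P": "alice", "T": 1700000000,
           "E": 1900000000, "R": 424242}
SERVER_DB = {"KID-0001": {"P": "alice", "UID": "UID-0001"}}

if __name__ == "__main__":
    print(login(KEY_DEV, SERVER_DB, 1800000000, 1800000060))
```

In this model K is derived only from the Rn value carried in the response header and A only from the KID and P, so a review of a real implementation should check how the protocol headers are protected in transit.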
As shown in fig. 5, when uploading data, the virtual disk module of the cloud security management center generates a virtual logical disk on the micro-host, and the user performs temporary operations on the data on this virtual logical disk. The data segmentation encoding module of the cloud security management center randomly divides the user data on the virtual disk into a plurality of data fragments of different sizes and performs redundancy processing on each data fragment, while the information management module generates the file segmentation information (FSEI). The encryption and decryption module then encrypts each data fragment with the cloud key V obtained by the real-time operation. The cloud disk management module connects to the cloud disk pool, and each encrypted fragment file, after being processed by the load balancing module, is randomly distributed and uploaded in parallel to different cloud memories of a plurality of cloud disks. The information management module generates the file storage directory information (FSLI) and writes the file segmentation information (FSEI) and the file storage directory information (FSLI) of the fragment files into the Key through the micro-host, which completes the upload of the data.
When downloading data, the data management module of the cloud security management center obtains the file segmentation information (FSEI) and the file storage directory information (FSLI) of the fragment files from the Key. The cloud disk management module connects to the cloud disk pool over the network and, according to the file storage directory information (FSLI) and after processing by the load balancing module, the corresponding data fragments are downloaded into the virtual disk from different cloud memories of a plurality of cloud disks. The encryption and decryption module decrypts all the data fragments with the cloud key V obtained by the real-time operation. The data segmentation encoding module combines the decrypted data fragments according to the file segmentation information (FSEI) and performs a redundancy check; if the check finds errors, redundancy processing is carried out, and once the check passes the data plaintext is regenerated and stored in the virtual disk for the user to use or copy. The virtual disk is automatically unloaded and cleared after the user exits or closes it.
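A small model of the upload and download bookkeeping described above, added here as an illustration and not taken from the patent. Assumptions: each cloud store is a plain dictionary, "redundancy processing" is modelled as keeping two copies of every fragment on different stores, the redundancy check is a SHA-256 digest recorded in the FSEI, and the per-fragment encryption with the cloud key V is left out so the stored bytes stand for the already encrypted fragment.

```python
import hashlib
import random

def upload(data, clouds, rng):
    """Split data into random-size fragments and scatter them.

    Returns (fsei, fsli): fsei is the ordered fragment list, fsli maps each
    fragment id to the cloud stores holding a copy. Both stay on the Key.
    """
    fsei, fsli, pos = [], {}, 0
    while pos < len(data):
        size = rng.randint(1, 16)                  # random fragment size
        frag = data[pos:pos + size]
        fid = "%016x" % rng.getrandbits(64)        # opaque name, reveals no order
        fsei.append({"id": fid, "size": len(frag),
                     "sha256": hashlib.sha256(frag).hexdigest()})
        homes = rng.sample(range(len(clouds)), 2)  # two distinct cloud stores
        for c in homes:
            clouds[c][fid] = frag
        fsli[fid] = homes
        pos += size
    return fsei, fsli

def download(fsei, fsli, clouds):
    """Reassemble the data; fall back to the second copy if one is damaged."""
    out = bytearray()
    for entry in fsei:                             # FSEI supplies the order
        for c in fsli[entry["id"]]:                # FSLI supplies the locations
            frag = clouds[c].get(entry["id"])
            if frag is not None and hashlib.sha256(frag).hexdigest() == entry["sha256"]:
                out += frag
                break
        else:
            raise ValueError("fragment %s unrecoverable" % entry["id"])
    return bytes(out)

if __name__ == "__main__":
    stores = [{}, {}, {}]
    sample = b"constructed sample payload"          # constructed input
    fsei, fsli = upload(sample, stores, random.Random(1))
    print(download(fsei, fsli, stores) == sample)
```

The cloud stores hold only unordered, opaquely named fragments; the order and the locations exist solely in the FSEI and FSLI returned by `upload`.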
The invention is characterized in that the Key and the micro host are not only used as security terminals but are also combined with the cloud security management center and the cloud disk pool to form one system, and every component of the system is indispensable to the secure encryption process. Even if the cloud security management center and the cloud disk side are broken into or leaked by a hacker and the KID and the UID are obtained from them, the complete secure encryption method cannot be obtained, because the Key and the micro host are missing from the decryption process; without the complete secure encryption method the correct cloud key cannot be obtained, so the user data cannot be obtained, and vice versa. The possibility of breaking all components of the system at the same time is low. In addition, the cloud disk pool uses the distributed nature of cloud storage to further expand the number of cloud storage terminals: after being segmented and encrypted, the data is stored in a scattered manner on different cloud memories of a plurality of cloud disks, so cracking all the cloud disks is difficult. Even if that succeeds, the file segmentation information (FSEI) and the file storage directory information (FSLI) are stored on the Key and held by the user, so the composition of the data fragments cannot be fully obtained, and the possibility of recovering the original data by brute force is extremely low. The system is portable, gives users active control over the data they store on cloud disks, avoids data leakage, and provides outstanding secure encryption.
The technical scheme of the invention is not limited to the scope of the embodiments of the invention. The technical content that is not described in detail in the invention is known in the prior art.

Claims (2)

1. A secure encryption method based on a secure cloud disk system, characterized in that: the cloud disk system comprises a micro-host, a Key, a cloud security management center and a cloud disk pool, wherein the Key is a mobile storage device comprising an encryption chip provided with a hardware unique marking code KID, a controller and a memory, the cloud security management center comprises a server and a client, the server is connected with the micro-host through a network, the micro-host is matched and connected with the Key, the micro-host is connected with the cloud disk pool through the client of the cloud security management center, the server comprises a key module, a user management module, a security module and a storage module, the client comprises an identity information module, a virtual disk module, an encryption and decryption module, a data segmentation coding module, a load balancing module, an information management module and a cloud disk management module, and the cloud disk pool comprises a plurality of private cloud disks or public cloud disks;
the security encryption method based on the security cloud disk system comprises the following steps:
(1) The user inserts the unregistered Key into the micro-host, the micro-host first identifies and manages the inserted Key through the client of the cloud security management center, the operation is refused if the identification is incorrect, and a registration request is initiated to the server of the cloud security management center if the identification is correct;
(2) The server checks the registration information provided by the user; if the verification passes, a user unique identifier UID is generated according to the hardware unique marking code KID of the Key and is stored in the server, and at the same time user key information is generated, the user key information comprising but not limited to the Key information KI, the user information P and a login password C; if the verification fails, the operation is stopped;
(3) The server performs initialization setting on the Key and writes the user key information into the Key's storage to complete the registration of the Key;
(4) The user inserts the Key whose registration was completed in step (3) into the micro-host, the micro-host first identifies and manages the inserted Key through the client of the cloud security management center, the operation is refused if the identification is incorrect, and a login request is initiated to the server of the cloud security management center if the identification is correct;
(5) The server performs search approval of user key information, UID and KID on the login request sent by the client, if the user key information passes the search approval, the step (6) is entered, and otherwise, the operation is stopped;
(6) The client acquires the following information from the Key: the hardware unique marking code KID, user information P, registration time T, validity period E and random number R;
(7) The client generates a time stamp Tu according to the current time and combines the time stamp Tu with the information obtained in step (6) to judge the validity of the user identity; verification fails if the user identity does not match or has expired, and if the user identity is correct the client encrypts the KID and the user information P through an SM3 algorithm to generate a key A; the client encrypts the user information P, registration time T, validity period E, time stamp Tu and random number R through an SM4 algorithm to generate ciphertext B, and sends the ciphertext B together with a protocol header to the server, wherein the protocol header comprises the KID information;
(8) The server obtains the KID through analyzing the protocol header, searches corresponding user information P in the server through the KID, encrypts the KID and the user information P through an SM3 algorithm to generate a key C, and decrypts the ciphertext B through an SM4 algorithm to obtain the user information P, the registration time T, the validity period E, the timestamp Tu and the random number R if the key C=the key A; if the key C is not equal to the key A, the verification fails;
(9) The server performs verification judgment through the obtained time stamp Tu; if the time stamp deviates from the current server time by more than +/-3 min, the request is considered a timeout request and verification fails; if not, whether the validity period has expired is judged according to the validity period E obtained by the server; if it has expired, verification fails, and if not, the user unique identifier UID stored by the server is retrieved;
(10) The server generates a new time stamp Ts according to the current time, the server performs +n operation on the random number R to obtain a new random number Rn, encrypts the new random number Rn through an SM3 algorithm, and generates a key K; encrypting the UID, the new random number Rn and the new time stamp Ts by an SM4 algorithm to obtain a ciphertext D; the server sends the ciphertext D and the protocol header to the client, wherein the section of protocol header contains new random number Rn information;
(11) The client obtains the new random number Rn by parsing the protocol header and encrypts the new random number Rn through an SM3 algorithm to generate a key J; if the key J = the key K, the client decrypts the ciphertext D through the key K to obtain the UID, the new random number Rn and the new time stamp Ts, and performs a -n operation on the new random number Rn to obtain the random number R; if the key J is not equal to the key K, verification fails;
(12) The client performs verification judgment through the obtained new time stamp Ts; if the time stamp deviates from the current client time by more than +/-3 min, the request is considered a timeout request and verification fails; if not, whether the random number R has changed is judged; if the random number R has changed, verification fails, and if not, authentication passes, the client obtains the UID, and the UID and the KID obtained in step (6) are encrypted into ciphertext through an SM3 algorithm to obtain a cloud key V;
(13) When uploading data, the virtual disk module of the cloud security management center generates a virtual logical disk on the micro-host, and the user first performs temporary operations on the data on the virtual logical disk; the data segmentation coding module of the cloud security management center randomly divides the user data on the virtual disk into a plurality of data fragments of different sizes and performs redundancy processing on each data fragment, while the information management module generates file segmentation information FSEI; the encryption and decryption module then encrypts each data fragment using the cloud key V obtained by the real-time operation in step (6); the cloud disk management module then connects to the cloud disk pool, and each encrypted fragment file, after being processed by the load balancing module, is randomly dispersed and uploaded in parallel to different cloud memories of a plurality of cloud disks; the information management module generates file storage directory information FSLI and writes the file segmentation information FSEI and the file storage directory information FSLI of the fragment files into the Key through the micro-host to finish uploading the data;
(14) When downloading data, the data management module of the cloud security management center obtains the file segmentation information FSEI and the file storage directory information FSLI of the fragment files from the Key; the cloud disk management module connects to the cloud disk pool, and according to the file storage directory information FSLI and after processing by the load balancing module, the corresponding data fragments are downloaded into the virtual disk from different cloud memories of a plurality of cloud disks; the encryption and decryption module decrypts all the data fragments through the cloud key V obtained by the real-time operation in step (6); the data segmentation coding module combines the decrypted data fragments according to the file segmentation information FSEI and performs a redundancy check; redundancy processing is performed if the check finds errors, and once the check passes the data plaintext is regenerated and stored in the virtual disk, completing the data download.
2. The security encryption method based on the security cloud disk system according to claim 1, wherein: the micro-host is a mobile intelligent device comprising a central processing unit, an EMMC memory, an SSD memory, an input/output port, a WiFi module and a display module.
CN201610985283.9A 2016-11-09 2016-11-09 Secure cloud disk system and secure encryption method thereof Active CN106453384B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201610985283.9A CN106453384B (en) 2016-11-09 2016-11-09 Secure cloud disk system and secure encryption method thereof

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201610985283.9A CN106453384B (en) 2016-11-09 2016-11-09 Secure cloud disk system and secure encryption method thereof

Publications (2)

Publication Number Publication Date
CN106453384A CN106453384A (en) 2017-02-22
CN106453384B true CN106453384B (en) 2023-05-16

Family

ID=58208062

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201610985283.9A Active CN106453384B (en) 2016-11-09 2016-11-09 Secure cloud disk system and secure encryption method thereof

Country Status (1)

Country Link
CN (1) CN106453384B (en)

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant