CN106549963A - Safe storage system based on HDFS - Google Patents

Safe storage system based on HDFS Download PDF

Info

Publication number
CN106549963A
CN106549963A CN201610969083.4A CN201610969083A CN106549963A CN 106549963 A CN106549963 A CN 106549963A CN 201610969083 A CN201610969083 A CN 201610969083A CN 106549963 A CN106549963 A CN 106549963A
Authority
CN
China
Prior art keywords
prime
key
cloud storage
file
client
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201610969083.4A
Other languages
Chinese (zh)
Inventor
谢航
肖创柏
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing University of Technology
Original Assignee
Beijing University of Technology
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing University of Technology filed Critical Beijing University of Technology
Priority to CN201610969083.4A priority Critical patent/CN106549963A/en
Publication of CN106549963A publication Critical patent/CN106549963A/en
Pending legal-status Critical Current

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/04Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0435Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply symmetric encryption, i.e. same key used for encryption and decryption
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/06Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/12Applying verification of the received information
    • H04L63/123Applying verification of the received information received data contents, e.g. message integrity
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00Network arrangements or protocols for supporting network services or applications
    • H04L67/01Protocols
    • H04L67/10Protocols in which an application is distributed across nodes in the network
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L69/00Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
    • H04L69/16Implementation or adaptation of Internet protocol [IP], of transmission control protocol [TCP] or of user datagram protocol [UDP]
    • H04L69/161Implementation details of TCP/IP or UDP/IP stack architecture; Specification of modified or new header fields
    • H04L69/162Implementation details of TCP/IP or UDP/IP stack architecture; Specification of modified or new header fields involving adaptations of sockets based mechanisms
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/06Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
    • H04L9/0618Block ciphers, i.e. encrypting groups of characters of a plain text message using fixed encryption transformation
    • H04L9/0625Block ciphers, i.e. encrypting groups of characters of a plain text message using fixed encryption transformation with splitting of the data block into left and right halves, e.g. Feistel based algorithms, DES, FEAL, IDEA or KASUMI
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/06Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
    • H04L9/0618Block ciphers, i.e. encrypting groups of characters of a plain text message using fixed encryption transformation
    • H04L9/0631Substitution permutation network [SPN], i.e. cipher composed of a number of stages or rounds each involving linear and nonlinear transformations, e.g. AES algorithms
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/06Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
    • H04L9/0643Hash functions, e.g. MD5, SHA, HMAC or f9 MAC

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Power Engineering (AREA)
  • Storage Device Security (AREA)

Abstract

Cloud storage technical field is belonged to based on the storage system of the safety of HDFS.With the continuous development of networking, data are being in volatile growth, and now network attack means emerge in an endless stream, and based on this, how these data of the storage of highly effective and safe become a urgent problem.The present invention replaces CRC32 to do data check using SHA256 algorithms, and the successful of such collision attack greatly will be reduced;Then, in terms of Information Security, HDFS does not then have the process of correlation, so for the problem of network data security, the present invention proposes the method that combines based on two kinds of algorithms of aes algorithm and RSA Algorithm to guarantee the confidentiality of data, data is encrypted using aes algorithm, then the key of AES is encrypted using RSA Algorithm, the safety of data is so not only increased, and the too long of time can't be consumed on enciphering rate.Test result indicate that, the method can effectively realize the transmission and storage of data safety.

Description

Safe storage system based on HDFS
Technical field
The invention belongs to cloud storage technical field, is related to a kind of storage system of the safety based on HDFS.
Background technology
In the Second Committee World Wide Web conference in December, 2015, mention in " 13 " period, China will be real energetically Apply network power strategy, national big data strategy, " the Internet+" action plan, it can be seen that the weight of the Internet and big data The property wanted.Nowadays, daily life has been got involved deeply in the Internet, embodies in the past year and must be especially apparent.One carries Network, its not just brush circle of friends, net purchase commodity, also includes welcoming the data economy of great development because of mobile Internet.People Network behavior can produce mass data, and these data are analyzed and can produce huge value, so to magnanimity number According to storage be necessary.Cloud storage then provides conveniently condition for data storage, and it reduces storage sea The cost of amount data, because which can utilize very cheap server, therefore, cloud storage becomes domestic and international each big cloud service The service that business is developed first.
But, incident is the problem of data safety.Cloud storage system-the HDFS of Hadoop, no data add The function of close aspect, data often occur in the form of plaintext during server is transferred to, and this is in secure data area Cause great hidden danger.Therefore, it is badly in need of now a kind of cloud storage system for adding secret algorithm.
In a network environment, information security faces two big basic attacks:Passive aggression and active attack.Tackle passive aggression Main method be encryption and decryption technology, and the method for tackling active attack is exactly authentication techniques.So will realize safe Cloud storage system must consider encryption and problem of both certification simultaneously.
Encryption technology is to improve the information privacy of network communicating system, the major technique for preventing transmitted data on network from leaking Means.At present, widely used two kinds of encryption systems are symmetric key encryption system and asymmetric-key encryption system.It is symmetrical close Key encryption system speed is fast, efficiency high, is the effective method of encryption mass data in network communicating system.Using symmetrical During key cryptosystem planned network communication encryption scheme, it is necessary to consider that the safety of key.
Authentication techniques are to provide communicating pair identity and Content of Communication, the skill of process trust guarantee in network communicating system Art means.Currently, in fields such as financial transaction, ecommerce, electronic mail, the confirmations of phone user information, the network information is led to Relatively frequently, the authenticity of data integrity validation and Data Source is all critically important security service to letter.Therefore, to certification The research and practice of technology are an important contents of filed of network information security.The application of authentication techniques is mainly recognized including identity Card, message authentication and digital signature.Message authentication is the basic fundamental of checking information source and content, mainly solves data logical Integrity issue in letter and storing process, to guarantee information not by rogue attacks and distort.So being not difficult to find out, message authentication It is the topmost application of authentication techniques, it has vital meaning to Network Communicate Security, is filed of network information security In highly pay close attention to and study problem.
The content of the invention
The safety problem of user data cannot be ensured for existing HDFS, the invention discloses a kind of improved aes algorithm, The invention also discloses a kind of cloud storage encryption method, while a kind of method of cloud storage data integrity certification is also disclosed, The invention also discloses the combining encryption method cloud storage system corresponding with integrated authentication.By said method, to transmission Data processed, greatly ensure that the safety of data.
Technical scheme is as follows:
The invention discloses a kind of cloud storage encryption system, which specifically includes cloud storage security client and cloud storage service Device end;The cloud storage security client is used to define key seed on the client, obtains symmetric cryptography according to key seed The key of algorithm, is then encrypted for file by the key of symmetric encipherment algorithm, forms the user file of encryption.It is objective afterwards The session key that family end the reception server end transmits, carries out adding to the key of symmetric encipherment algorithm by the session key It is close, the ciphertext form of the key of symmetric encipherment algorithm is formed, is transmitted for server end in order to safety;The cloud storage service For being attached with server end, after successful connection, server end is client transmissions session key, that is, non-right at device end Claim the public key or private key of AES.
Further, above-mentioned file symmetric encipherment algorithm adopts improved aes algorithm, rivest, shamir, adelman to adopt RSA Algorithm, client and server end is connected by Socket methods.
1. wherein aes algorithm is related to 4 kinds of operations:Byte substitution, row displacement, row are obscured and InvAddRoundKey, and its feature exists In:Byte substitution is to complete a byte to the mapping of another byte by S boxes, by the S boxes byte group of one 16x16 Into matrix representing, by tabling look-up step of be capable of achieving.
2. system as claimed in claim 3, obscures the two steps for row displacement and row and merges into an operation step Suddenly;If the state after byte substitution is
Through row displacement and the state arranged after obscuring conversion it is
So,
The calculating process of each element in matrix is as follows:
Thus, the form for being write as a vector transformation is
In this calculating process, relate only toWithComputing,Computing by moving to left a realization,Computing is led to CrossRealized with itself again afterwards;Computing by clear packets after 16 byte cycles move to left one,Computing elder generation 16 byte cycles after by clear packets move to left one, carry out xor operation with data itself again afterwards.
AES encryption process is related to 4 kinds of operations:Byte substitution, row displacement, row are obscured and InvAddRoundKey, with AES-128 are Example, will carry out the round transformation of 10 wheels, and except last wheel does not enter in addition to ranks obscure, before remaining, 9 wheels have all once carried out 4 changes Change, the present invention is optimized for its ciphering process, it is therefore an objective to improve the enciphering rate of aes algorithm.
It is the optimization to byte substitution first, the major function of byte substitution is to complete a byte in addition by S boxes The mapping of one byte, different from intrinsic implementation (by byte in GF (2N) ask in domain its multiplication inverse and one imitative Penetrate conversion to realize), as the step is a kind of conversion of non-linear byte-oriented, it is that 8 bit binary datas are converted to Another 8 different bit binary data, requires to correspond here, when implementing, by the displacement of one 16x16 of S boxes Table representing, by tabling look-up step of be capable of achieving, it is to avoid complicated multiplying.
The invention discloses a kind of system of cloud storage data integrity certification, which specifically includes cloud storage security client With cloud storage service device end;The cloud storage security client is used to allow the selected needs of user to be sent to service on the client The file at device end, is processed to this document using hash algorithm, to form the cryptographic Hash of this document.Afterwards, using institute before The session key that the server end for obtaining is transmitted, the cryptographic Hash of the file to being formed just now are encrypted, and form a Jing The cryptographic Hash that rivest, shamir, adelman was processed is crossed, to ensure the safety during server is transferred to.The cloud is deposited Storage server end calculates cryptographic Hash to which in server end every time after receive user file.Then by with client The cryptographic Hash sent is compared to the integrity for verifying message, if being proved to be successful, preserves file and is uploaded to HDFS, if checking Failure, then abandon file.
There is disclosed herein the cloud storage of a kind of combination cloud storage encipherment scheme and cloud storage data integrity certificate scheme Security system.User is selected on cloud storage security client to be needed to be sent to the file of server end, using hash algorithm pair This document is processed, to form the cryptographic Hash of this document.Afterwards, user chooses whether customization on cloud storage security client The key seed of oneself, client generate the key of symmetric encipherment algorithm according to the selection of user, and are calculated using symmetric cryptography The file that the secret key pair user of method is to be uploaded is encrypted, and forms the user file of an encryption.Subsequently, cloud storage security client End is attached with cloud storage service device end, and after successful connection, server end is client transmissions session key.At this moment, Yun Cun The session key that storage security client the reception server end transmits, using key of the session key to symmetric encipherment algorithm It is encrypted, forms the cryptograph files of the key of symmetric encipherment algorithm, transmits for server end in order to safety.Meanwhile, cloud Storage security client is encrypted to the cryptographic Hash of this document by the session key, forms the cryptograph files of cryptographic Hash.This When by the compression of cryptograph files boil down to one of the user file, the ciphertext of the key of symmetric encipherment algorithm and cryptographic Hash of encryption This compressed package is uploaded to cloud storage service device end by cloud storage security client by bag.At cloud storage service device end, exist every time After receiving the compressed package that client sends, this compressed package is decompressed, and using the private key or public key of rivest, shamir, adelman The cryptograph files of the ciphertext and cryptographic Hash of the key of symmetric encipherment algorithm are decrypted, obtain the key of symmetric encipherment algorithm with And the cryptographic Hash of user file.The user file encrypted using the secret key pair of symmetric encipherment algorithm afterwards is decrypted, and obtains bright The file of text, is reused hash algorithm and calculates cryptographic Hash to the file of plaintext, compared by the cryptographic Hash sent with client Relatively verifying the integrity of message.Cryptographic Hash twice is compared, if matching, is proved to be successful, preserve file and on HDFS is reached, the file that user uploads otherwise is abandoned.
By the technical scheme using the above, advantage of the invention is that:This method is using based on integrity and confidentiality Algorithm building safe cloud storage system, on the one hand consider systematic function, the encryption to file employs improved AES Symmetric encipherment algorithm, the encryption to session key employ RSA rivest, shamir, adelmans, and only enter in cloud storage security client Row cryptographic calculation, is only decrypted computing at cloud storage service device end.
Description of the drawings
Structural representations of the Fig. 1 for cloud storage system.
Fig. 2 realizes schematic flow sheet for cloud storage encryption.
Fig. 3 realizes schematic flow sheet for cloud storage integrated authentication.
Fig. 4 realizes schematic flow sheet for cloud storage system.
Specific embodiment
In order that the objects, technical solutions and advantages of the present invention become more apparent, it is once with reference to drawings and Examples, right The present invention is further elaborated.It should be appreciated that specific embodiment described herein is only to explain the present invention, and It is not used in the restriction present invention.
3., the invention discloses a kind of improved aes algorithm, its particular content is as follows:AES encryption process is related to 4 Plant operation:Byte substitution, row displacement, row are obscured and InvAddRoundKey, and byte substitution is to complete a byte to other one by S boxes The mapping of individual byte, the matrix that S boxes are constituted with the byte of a 16x16 is representing
By step of be capable of achieving of tabling look-up, it is to avoid complicated multiplying.
4. also have and be aiming at obscuring the two steps and being optimized in row displacement and row, it is of the invention by the two steps An operating procedure is merged into, can further be simplified and be realized process.The ultimate principle of this optimization is as follows, if through byte State after replacement is
Through row displacement and the state arranged after obscuring conversion it is
So,
The calculating process of each element in matrix is as follows:
Thus, the form for being write as a vector transformation is
In this calculating process, relate only toWithComputing,Computing can by moving to left a realization,Fortune Calculation can pass throughRealized with itself again afterwards (Computing by clear packets after 16 byte cycles move to left one,Computing first by clear packets after 16 byte cycles move to left one, carry out xor operation with data itself again afterwards).This The conversion of step merges to be intended being referred to as row-column transform, and line to be replaced displacement and row are obscured the two steps, realize AES encryption process Optimization.
5. a kind of cloud storage encryption system, which specifically includes cloud storage security client and cloud storage service device end;It is described Cloud storage security client is used to define key seed on the client, obtains the secret of symmetric encipherment algorithm according to key seed Key, is then encrypted for file by the key of symmetric encipherment algorithm, forms the user file of encryption.Client is received afterwards The session key that server end is transmitted, is encrypted to the key of symmetric encipherment algorithm by the session key, and it is right to be formed Claim the ciphertext form of the key of AES, transmit for server end in order to safety;The cloud storage service device end is used for Be attached with server end, after successful connection, server end be client transmissions session key, that is, asymmetric encryption calculate The public key or private key of method.
6. cloud storage encryption method as claimed in claim 5, it is characterised in that file symmetric encipherment algorithm is using improving Aes algorithm, rivest, shamir, adelman adopts RSA Algorithm, and client and server end is connected by Socket methods.
7. a kind of system of cloud storage data integrity certification, which specifically includes cloud storage security client and cloud storage clothes Business device end;The cloud storage security client is used for permission user on the client to be selected needs the text for being sent to server end Part, is processed to this document using hash algorithm, to form the cryptographic Hash of this document.Afterwards, clothes resulting before are utilized The session key that business device end transmits, the cryptographic Hash of the file to being formed just now are encrypted, and form one through asymmetric The cryptographic Hash that AES was processed, to ensure the safety during server is transferred to.The cloud storage service device Hold and cryptographic Hash is calculated to which in server end every time after receive user file.Then the Kazakhstan by sending with client Uncommon value is compared to the integrity for verifying message, if being proved to be successful, preserves file and is uploaded to HDFS, if authentication failed, Abandon file.
8. there is disclosed herein the cloud of a kind of combination cloud storage encipherment scheme and cloud storage data integrity certificate scheme is deposited Storage security system.User is selected on cloud storage security client to be needed to be sent to the file of server end, using hash algorithm This document is processed, to form the cryptographic Hash of this document.Afterwards, user chooses whether fixed on cloud storage security client The key seed of oneself is made, client generates the key of symmetric encipherment algorithm according to the selection of user, and uses symmetric cryptography The file that the secret key pair user of algorithm is to be uploaded is encrypted, and forms the user file of an encryption.Subsequently, cloud storage safety visitor Family end is attached with cloud storage service device end, and after successful connection, server end is client transmissions session key.At this moment, cloud The session key that storage security client the reception server end transmits, using the session key to the secret of symmetric encipherment algorithm Key is encrypted, and forms the cryptograph files of the key of symmetric encipherment algorithm, transmits for server end in order to safety.Meanwhile, Cloud storage security client is encrypted to the cryptographic Hash of this document by the session key, forms the cryptograph files of cryptographic Hash. Now by one compression of cryptograph files boil down to of the user file, the ciphertext of the key of symmetric encipherment algorithm and cryptographic Hash of encryption This compressed package is uploaded to cloud storage service device end by cloud storage security client by bag.At cloud storage service device end, exist every time After receiving the compressed package that client sends, this compressed package is decompressed, and using the private key or public key of rivest, shamir, adelman The cryptograph files of the ciphertext and cryptographic Hash of the key of symmetric encipherment algorithm are decrypted, obtain the key of symmetric encipherment algorithm with And the cryptographic Hash of user file.The user file encrypted using the secret key pair of symmetric encipherment algorithm afterwards is decrypted, and obtains bright The file of text, is reused hash algorithm and calculates cryptographic Hash to the file of plaintext, compared by the cryptographic Hash sent with client Relatively verifying the integrity of message.Cryptographic Hash twice is compared, if matching, is proved to be successful, preserve file and on HDFS is reached, the file that user uploads otherwise is abandoned.
The main part composition as shown in Figure 1 of cloud storage encryption and integrity verification system in the present invention, it is as follows in detail:
(1) cloud storage security client:Realization is docked with cloud storage service device end.Possess encryption function, including plaintext The encryption of file and the encryption of session key.Also there is function simultaneously that generate file Hash codes, including using secure hash pair The calculating evaluation of clear text file.
(2) cloud storage service device end:With store function, it is responsible for the storage of the data file that user uploads;With decryption Function, including the decryption to cryptograph files and the decryption of session key;With the function of generating file Hash codes, including using peace Hash full the calculating evaluation to clear text file;Function with the checking of file Hash codes, including to from cloud storage security client The Hash codes for receiving regenerate the comparison of file Hash codes with cloud storage service device end.
Based on AES (data encryption adopt algorithm be often DES and AES, with the development of hardware and network, The probability that DES algorithms are cracked is increasing, and the required time is also fewer and feweri.And aes algorithm is calculated compared to DES Method, with more preferable safety, efficiency and motility.The key used by symmetric cryptography we can pass through asymmetric The mode of encryption sends, although asymmetric encryption is safer, but compares with symmetric cryptography, and the speed that it encrypts is non- It is often slow, so the present invention still encrypts message using symmetric encipherment algorithm.Therefore, present invention employs improved aes algorithm and The mode that RSA Algorithm combines) and message authentication function (the conventional method of message authentication has CRC, MD5 and SHA1, wherein, CRC Multinomial is linear structure, it is easy to reach CRC collisions by change data mode.With the raising of Computing ability, The probability that MD5 and SHA1 find collision is also increasing.Therefore, the present invention use safer SHA256 algorithms) cloud After the completion of storage system builds, user sends connection request, Yun Cun to cloud storage service device end by cloud storage security client Storage server end produces client public key and private key, and by session key, the key of symmetric encipherment algorithm is carried out adding for user It is close, to ensure the confidentiality of data.
User carries out the process of cloud storage encryption as shown in Fig. 2 its detailed step is as follows:
Step one:User chooses whether that on cloud storage security client the key seed for customizing oneself is (fixed using oneself The password of justice forms key), using the key seed made by oneself, unique key is generated, if not using key seed, uploaded every time File all generates a random key.
Step 2:Cloud storage security client generates the key of improved symmetric encipherment algorithm AES according to the selection of user.
Step 3:Cloud storage security client is carried out using the secret key pair user of improved aes algorithm file to be uploaded Encryption, forms the user file of an encryption.
Step 4:Cloud storage security client is attached using Socket methods with cloud storage service device end, is connected into After work(, server end is client transmissions session key, that is, the public key or private key of rivest, shamir, adelman RSA.
Step 5:The session key that cloud storage security client the reception server end transmits.
Step 6:Cloud storage security client by the session key to the key of symmetric encipherment algorithm (improved AES's Key) it is encrypted, the ciphertext form of the key of symmetric encipherment algorithm is formed, is transmitted for server end in order to safety.
User carries out the process of cloud storage integrated authentication as shown in figure 3, its detailed step is as follows:
Step one:User is selected on cloud storage security client to be needed to be sent to the file of server end, using Hash Algorithm SHA256 is processed to this document, to form the cryptographic Hash of this document.
Step 2:Using obtained by during file encryption session key (public key of rivest, shamir, adelman RSA or It is private key), the cryptographic Hash that previous step is generated is encrypted, a Hash processed through rivest, shamir, adelman is formed Value, to ensure the safety during server is transferred to.
Step 3:At cloud storage service device end, every time after the user file that client sends is received, using Hash Algorithm SHA256 calculates cryptographic Hash to which.
Step 4:It is compared to verify the integrity of message by the cryptographic Hash sent with client.
Step 5:Cryptographic Hash twice is compared, if matching, is proved to be successful, preserved file and be uploaded to HDFS, otherwise abandons the file that user uploads.
There is disclosed herein the cloud storage of a kind of combination cloud storage encipherment scheme and cloud storage data integrity certificate scheme Security system, its storing process is as shown in figure 4, detailed step is as follows:
Step one:User is selected on cloud storage security client to be needed to be sent to the file of server end, using Hash Algorithm SHA256 is processed to this document, to form the cryptographic Hash of this document.
Step 2:User chooses whether that on cloud storage security client the key seed for customizing oneself is (fixed using oneself The password of justice forms key), using the key seed made by oneself, unique key is generated, if not using key seed, uploaded every time File all generates a random key.
Step 3:Cloud storage security client generates the key of the improved AES of symmetric encipherment algorithm according to the selection of user.
Step 4:Cloud storage security client is carried out using the secret key pair user of improved aes algorithm file to be uploaded Encryption, forms the user file of an encryption.
Step 5:Cloud storage security client is attached using Socket methods with cloud storage service device end, is connected into After work(, server end is client transmissions session key, that is, the public key or private key of rivest, shamir, adelman RSA.
Step 6:The session key that cloud storage security client the reception server end transmits.
Step 7:Cloud storage security client by the session key to the key of symmetric encipherment algorithm (improved AES's Key) it is encrypted, the cryptograph files of the key of symmetric encipherment algorithm are formed, is transmitted for server end in order to safety.
Step 8:Cloud storage security client is encrypted to the cryptographic Hash of this document by the session key, is formed and is breathed out The cryptograph files of uncommon value.
Step 9:By the cryptograph files pressure of the user file, the ciphertext of the key of symmetric encipherment algorithm and cryptographic Hash of encryption It is condensed to a compressed package.
Step 10:This compressed package is uploaded to into cloud storage service device end by cloud storage security client.
Step 11:At cloud storage service device end, every time after the compressed package that client sends is received, this pressure is decompressed Contracting is wrapped, and the private key or public key using RSA is carried out to the ciphertext of key and the cryptograph files of cryptographic Hash of symmetric encipherment algorithm Decryption, obtains the cryptographic Hash of the key and user file of symmetric encipherment algorithm.
Step 12:The user file encrypted using the secret key pair of symmetric encipherment algorithm is decrypted, and obtains the text of plaintext Part.
Step 13:Cryptographic Hash is calculated to the file of plaintext using hash algorithm SHA256.
Step 14:It is compared to verify the integrity of message by the cryptographic Hash sent with client.
Step 15:Cryptographic Hash twice is compared, if matching, is proved to be successful, preserved file and be uploaded to HDFS, otherwise abandons the file that user uploads.
The coefficient gone out given in the above embodiments and parameter, are available to those skilled in the art to realize or use Invention, invention is not limited and only takes aforementioned disclosed numerical value, in the case of the thought without departing from invention, the technology of this area Personnel can make various modifications or adjustment to above-described embodiment, thus the protection domain of invention is not by above-described embodiment institute Limit, and should be the maximum magnitude for meeting the inventive features that claims are mentioned.

Claims (6)

1. a kind of cloud storage encryption system, including cloud storage security client and cloud storage service device end;It is characterized in that:It is described Cloud storage security client is used to define key seed on the client, obtains the secret of symmetric encipherment algorithm according to key seed Key, is then encrypted for file by the key of symmetric encipherment algorithm, forms the user file of encryption;Client is received afterwards The session key that server end is transmitted, is encrypted to the key of symmetric encipherment algorithm by the session key, and it is right to be formed Claim the ciphertext form of the key of AES, transmit for server end in order to safety;The cloud storage service device end is used for Be attached with server end, after successful connection, server end be client transmissions session key, that is, asymmetric encryption calculate The public key or private key of method.
2. the system as claimed in claim 1, it is characterised in that:Symmetric encipherment algorithm adopts aes algorithm, rivest, shamir, adelman Using RSA Algorithm, client and server end is connected by Socket methods.
3. system as claimed in claim 2, wherein aes algorithm are related to 4 kinds of operations:Byte substitution, row displacement, row obscure and InvAddRoundKey, it is characterised in that:Byte substitution is to complete a byte to the mapping of another byte by S boxes, and S boxes are used The matrix of the byte composition of one 16x16 representing, by tabling look-up step of be capable of achieving.
4. system as claimed in claim 3, for row displacement and row are obscured the two steps and merge into an operating procedure;If State after byte substitution is
S = s 0 s 1 s 2 s 3 s 4 s 5 s 6 s 7 s 8 s 9 s 10 s 11 s 12 s 13 s 14 s 15
Through row displacement and the state arranged after obscuring conversion it is
S ′ = s 0 ′ s 1 ′ s 2 ′ s 3 ′ s 4 ′ s 5 ′ s 6 ′ s 7 ′ s 8 ′ s 9 ′ s 10 ′ s 11 ′ s 12 ′ s 13 ′ s 14 ′ s 15 ′
So,
The calculating process of each element in matrix is as follows:
s 0 ′ = 02 s 0 + 03 s 5 + 01 s 10 + 01 s 15 s 1 ′ = 02 s 1 + 03 s 6 + 01 s 11 + 01 s 12 s 2 ′ = 02 s 2 + 03 s 7 + 01 s 8 + 01 s 13 s 3 ′ = 02 s 3 + 03 s 4 + 01 s 9 + 01 s 14 s 4 ′ = 01 s 0 + 02 s 5 + 03 s 10 + 01 s 15 s 5 ′ = 01 s 1 + 02 s 6 + 03 s 11 + 01 s 12 . . . . . . s 14 ′ = 03 s 2 + 01 s 7 + 01 s 8 + 02 s 13 s 15 ′ = 03 s 3 + 01 s 4 + 01 s 9 + 02 s 14
Thus, the form for being write as a vector transformation is
s 0 ′ s 1 ′ s 2 ′ s 3 ′ s 4 ′ s 5 ′ s 6 ′ s 7 ′ s 8 ′ s 9 ′ s 10 ′ s 11 ′ s 12 ′ s 13 ′ s 14 ′ s 15 ′ = 02 00 00 00 00 03 00 00 00 00 01 00 00 00 00 01 00 02 00 00 00 00 03 00 00 00 00 01 01 00 00 00 00 00 02 00 00 00 00 03 01 00 00 00 00 01 00 00 00 00 00 02 03 00 00 00 00 01 00 00 00 00 01 00 01 00 00 00 00 02 00 00 00 00 03 00 00 00 00 01 00 01 00 00 00 00 02 00 00 00 00 03 01 00 00 00 00 00 01 00 00 00 00 02 03 00 00 00 00 01 00 00 00 00 00 01 02 00 00 00 00 03 00 00 00 00 01 00 01 00 00 00 00 01 00 00 00 00 02 00 00 00 00 03 00 01 00 00 00 00 01 00 00 00 00 02 03 00 00 00 00 00 01 00 00 00 00 01 02 00 00 00 00 03 00 00 00 00 00 01 01 00 00 00 00 02 00 00 00 00 03 00 03 00 00 00 00 01 00 00 00 00 01 00 00 00 00 02 00 03 00 00 00 00 01 00 00 00 00 01 02 00 00 00 00 00 03 00 00 00 00 01 01 00 00 00 00 02 00 00 00 00 00 03 01 00 00 00 00 01 00 00 00 00 02 00 s 0 s 1 s 2 s 3 s 4 s 5 s 6 s 7 s 8 s 9 s 10 s 11 s 12 s 13 s 14 s 15
In this calculating process, relate only toWithComputing,Computing by moving to left a realization,Computing passes through Carry out with itself again afterwardsRealize;Computing by clear packets after 16 byte cycles move to left one,Computing first will be in plain text 16 byte cycles after packet move to left one, carry out xor operation with data itself again afterwards.
5. a kind of system of cloud storage data integrity certification, including cloud storage security client and cloud storage service device end;Its It is characterised by:The cloud storage security client is used for permission user on the client to be selected needs the text for being sent to server end Part, is processed to this document using hash algorithm, to form the cryptographic Hash of this document;Afterwards, clothes resulting before are utilized The session key that business device end transmits, the cryptographic Hash of the file to being formed just now are encrypted, and form one through asymmetric The cryptographic Hash that AES was processed;The cloud storage service device end in server end every time after receive user file, Cryptographic Hash is calculated to which;Then the cryptographic Hash by sending with client is compared to the integrity for verifying message, if checking Success, preserves file and is uploaded to HDFS, if authentication failed, abandon file.
6. a kind of cloud storage security system, it is characterised in that:User selectes needs on cloud storage security client and is sent to clothes The file at business device end, is processed to this document using hash algorithm, to form the cryptographic Hash of this document;Afterwards, user is in cloud Choose whether to customize the key seed of oneself on storage security client, client generates symmetric cryptography according to the selection of user and calculates The key of method, and be encrypted using the secret key pair user of symmetric encipherment algorithm file to be uploaded, form an encryption User file;Subsequently, cloud storage security client is attached with cloud storage service device end, and after successful connection, server end is Client transmissions session key;At this moment, the session key that cloud storage security client the reception server end transmits, using should Session key is encrypted to the key of symmetric encipherment algorithm, forms the cryptograph files of the key of symmetric encipherment algorithm;Meanwhile, cloud Storage security client is encrypted to the cryptographic Hash of this document by the session key, forms the cryptograph files of cryptographic Hash;This When by the compression of cryptograph files boil down to one of the user file, the ciphertext of the key of symmetric encipherment algorithm and cryptographic Hash of encryption This compressed package is uploaded to cloud storage service device end by cloud storage security client by bag;At cloud storage service device end, exist every time After receiving the compressed package that client sends, this compressed package is decompressed, and using the private key or public key of rivest, shamir, adelman The cryptograph files of the ciphertext and cryptographic Hash of the key of symmetric encipherment algorithm are decrypted, obtain the key of symmetric encipherment algorithm with And the cryptographic Hash of user file;The user file encrypted using the secret key pair of symmetric encipherment algorithm afterwards is decrypted, and obtains bright The file of text, is reused hash algorithm and calculates cryptographic Hash to the file of plaintext, compared by the cryptographic Hash sent with client Relatively verifying the integrity of message;Cryptographic Hash twice is compared, if matching, is proved to be successful, preserve file and on HDFS is reached, the file that user uploads otherwise is abandoned.
CN201610969083.4A 2016-11-05 2016-11-05 Safe storage system based on HDFS Pending CN106549963A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201610969083.4A CN106549963A (en) 2016-11-05 2016-11-05 Safe storage system based on HDFS

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201610969083.4A CN106549963A (en) 2016-11-05 2016-11-05 Safe storage system based on HDFS

Publications (1)

Publication Number Publication Date
CN106549963A true CN106549963A (en) 2017-03-29

Family

ID=58394538

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201610969083.4A Pending CN106549963A (en) 2016-11-05 2016-11-05 Safe storage system based on HDFS

Country Status (1)

Country Link
CN (1) CN106549963A (en)

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107180252A (en) * 2017-05-10 2017-09-19 杨明艳 A kind of police field identity characteristic gathers the manufacture method and equipment of product
CN109376543A (en) * 2018-08-28 2019-02-22 浙江工业大学 A kind of database encryption method based on aes algorithm
CN109936450A (en) * 2017-12-15 2019-06-25 国网冀北电力有限公司 Real-time perception towards regulation operation data mixes encryption and decryption method and device
CN111079158A (en) * 2019-11-21 2020-04-28 支付宝(杭州)信息技术有限公司 Data storage and reading method and device
CN111224943A (en) * 2019-11-21 2020-06-02 天津天睿科技有限公司 Internet encryption data transmission method
CN112968910A (en) * 2021-03-30 2021-06-15 中国建设银行股份有限公司 Replay attack prevention method and device
CN114285615A (en) * 2021-12-16 2022-04-05 南京瀚元科技有限公司 Encryption method and system for new energy data

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102394894A (en) * 2011-11-28 2012-03-28 武汉大学 Network virtual disk file safety management method based on cloud computing
US20140047422A1 (en) * 2012-08-07 2014-02-13 Nec Laboratories America, Inc. Compiler-guided software accelerator for iterative hadoop jobs
CN104184740A (en) * 2014-09-04 2014-12-03 中电长城网际系统应用有限公司 Credible transmission method, credible third party and credible transmission system
CN104852922A (en) * 2015-05-26 2015-08-19 陈彬 Big data encrypting and decrypting method based on distributed file system

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102394894A (en) * 2011-11-28 2012-03-28 武汉大学 Network virtual disk file safety management method based on cloud computing
US20140047422A1 (en) * 2012-08-07 2014-02-13 Nec Laboratories America, Inc. Compiler-guided software accelerator for iterative hadoop jobs
CN104184740A (en) * 2014-09-04 2014-12-03 中电长城网际系统应用有限公司 Credible transmission method, credible third party and credible transmission system
CN104852922A (en) * 2015-05-26 2015-08-19 陈彬 Big data encrypting and decrypting method based on distributed file system

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
余琦,凌捷: "基于HDFS的云存储安全技术研究", 《计算机工程与设计》 *
贾旭: "AES算法的安全性分析及其优化改进", 《CNKI》 *

Cited By (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107180252A (en) * 2017-05-10 2017-09-19 杨明艳 A kind of police field identity characteristic gathers the manufacture method and equipment of product
CN109936450A (en) * 2017-12-15 2019-06-25 国网冀北电力有限公司 Real-time perception towards regulation operation data mixes encryption and decryption method and device
CN109936450B (en) * 2017-12-15 2022-06-14 国网冀北电力有限公司 Real-time perception mixed encryption and decryption method and device for regulating and controlling running data
CN109376543A (en) * 2018-08-28 2019-02-22 浙江工业大学 A kind of database encryption method based on aes algorithm
CN111079158A (en) * 2019-11-21 2020-04-28 支付宝(杭州)信息技术有限公司 Data storage and reading method and device
CN111224943A (en) * 2019-11-21 2020-06-02 天津天睿科技有限公司 Internet encryption data transmission method
CN111079158B (en) * 2019-11-21 2022-04-12 支付宝(杭州)信息技术有限公司 Data storage and reading method and device
CN112968910A (en) * 2021-03-30 2021-06-15 中国建设银行股份有限公司 Replay attack prevention method and device
CN112968910B (en) * 2021-03-30 2022-12-27 中国建设银行股份有限公司 Replay attack prevention method and device
CN114285615A (en) * 2021-12-16 2022-04-05 南京瀚元科技有限公司 Encryption method and system for new energy data

Similar Documents

Publication Publication Date Title
CN101075874B (en) Certifying method and system
EP3862956B1 (en) Secure multiparty loss resistant storage and transfer of cryptographic keys for blockchain based systems in conjunction with a wallet management system
CN106549963A (en) Safe storage system based on HDFS
CN103731261B (en) Secret key distribution method under encrypted repeating data deleted scene
CN102082790B (en) Method and device for encryption/decryption of digital signature
CN103986583B (en) A kind of dynamic encrypting method and its cryptographic communication system
CN101931529B (en) Data encryption method, data decryption method and nodes
CN102811125B (en) Certificateless multi-receiver signcryption method with multivariate-based cryptosystem
US20110145576A1 (en) Secure method of data transmission and encryption and decryption system allowing such transmission
CN102739401B (en) Private key safety management method based on identity public key cryptography system
CN103036684B (en) Identity-based encryption (IBE) data encryption system and method capable of lowering damages of master key crack and disclosure
CN113300856B (en) Heterogeneous mixed signcryption method capable of proving safety
CN101977112A (en) Public key cipher encrypting and decrypting method based on neural network chaotic attractor
CN110535626B (en) Secret communication method and system for identity-based quantum communication service station
CN110519226B (en) Quantum communication server secret communication method and system based on asymmetric key pool and implicit certificate
CN105391554A (en) Method and system for realizing fingerprint matching by using ciphertext
CN110120939A (en) A kind of encryption method and system of the deniable authentication based on heterogeneous system
CN104243494A (en) Data processing method
CN110113150A (en) The encryption method and system of deniable authentication based on no certificate environment
CN109104271A (en) A kind of methods, devices and systems of digital signature
CN103493428B (en) Data encryption
CN101001142A (en) Encipher-decipher method based on iterative random number generator
CN106713349A (en) Inter-group proxy re-encryption method capable of resisting selected ciphertext attack
CN112003707A (en) Quantum computation attack resistant block chain digital signature encryption method and system
CN104184736B (en) A kind of method and system realizing secure cloud and calculate

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20170329

RJ01 Rejection of invention patent application after publication