CN106549963A - Safe storage system based on HDFS - Google Patents
Safe storage system based on HDFS Download PDFInfo
- Publication number
- CN106549963A CN106549963A CN201610969083.4A CN201610969083A CN106549963A CN 106549963 A CN106549963 A CN 106549963A CN 201610969083 A CN201610969083 A CN 201610969083A CN 106549963 A CN106549963 A CN 106549963A
- Authority
- CN
- China
- Prior art keywords
- prime
- key
- cloud storage
- file
- client
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/04—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
- H04L63/0428—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
- H04L63/0435—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply symmetric encryption, i.e. same key used for encryption and decryption
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/06—Network architectures or network communication protocols for network security for supporting key management in a packet data network
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/12—Applying verification of the received information
- H04L63/123—Applying verification of the received information received data contents, e.g. message integrity
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L67/00—Network arrangements or protocols for supporting network services or applications
- H04L67/01—Protocols
- H04L67/10—Protocols in which an application is distributed across nodes in the network
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L69/00—Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
- H04L69/16—Implementation or adaptation of Internet protocol [IP], of transmission control protocol [TCP] or of user datagram protocol [UDP]
- H04L69/161—Implementation details of TCP/IP or UDP/IP stack architecture; Specification of modified or new header fields
- H04L69/162—Implementation details of TCP/IP or UDP/IP stack architecture; Specification of modified or new header fields involving adaptations of sockets based mechanisms
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/06—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
- H04L9/0618—Block ciphers, i.e. encrypting groups of characters of a plain text message using fixed encryption transformation
- H04L9/0625—Block ciphers, i.e. encrypting groups of characters of a plain text message using fixed encryption transformation with splitting of the data block into left and right halves, e.g. Feistel based algorithms, DES, FEAL, IDEA or KASUMI
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/06—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
- H04L9/0618—Block ciphers, i.e. encrypting groups of characters of a plain text message using fixed encryption transformation
- H04L9/0631—Substitution permutation network [SPN], i.e. cipher composed of a number of stages or rounds each involving linear and nonlinear transformations, e.g. AES algorithms
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/06—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
- H04L9/0643—Hash functions, e.g. MD5, SHA, HMAC or f9 MAC
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Power Engineering (AREA)
- Storage Device Security (AREA)
Abstract
Cloud storage technical field is belonged to based on the storage system of the safety of HDFS.With the continuous development of networking, data are being in volatile growth, and now network attack means emerge in an endless stream, and based on this, how these data of the storage of highly effective and safe become a urgent problem.The present invention replaces CRC32 to do data check using SHA256 algorithms, and the successful of such collision attack greatly will be reduced;Then, in terms of Information Security, HDFS does not then have the process of correlation, so for the problem of network data security, the present invention proposes the method that combines based on two kinds of algorithms of aes algorithm and RSA Algorithm to guarantee the confidentiality of data, data is encrypted using aes algorithm, then the key of AES is encrypted using RSA Algorithm, the safety of data is so not only increased, and the too long of time can't be consumed on enciphering rate.Test result indicate that, the method can effectively realize the transmission and storage of data safety.
Description
Technical field
The invention belongs to cloud storage technical field, is related to a kind of storage system of the safety based on HDFS.
Background technology
In the Second Committee World Wide Web conference in December, 2015, mention in " 13 " period, China will be real energetically
Apply network power strategy, national big data strategy, " the Internet+" action plan, it can be seen that the weight of the Internet and big data
The property wanted.Nowadays, daily life has been got involved deeply in the Internet, embodies in the past year and must be especially apparent.One carries
Network, its not just brush circle of friends, net purchase commodity, also includes welcoming the data economy of great development because of mobile Internet.People
Network behavior can produce mass data, and these data are analyzed and can produce huge value, so to magnanimity number
According to storage be necessary.Cloud storage then provides conveniently condition for data storage, and it reduces storage sea
The cost of amount data, because which can utilize very cheap server, therefore, cloud storage becomes domestic and international each big cloud service
The service that business is developed first.
But, incident is the problem of data safety.Cloud storage system-the HDFS of Hadoop, no data add
The function of close aspect, data often occur in the form of plaintext during server is transferred to, and this is in secure data area
Cause great hidden danger.Therefore, it is badly in need of now a kind of cloud storage system for adding secret algorithm.
In a network environment, information security faces two big basic attacks:Passive aggression and active attack.Tackle passive aggression
Main method be encryption and decryption technology, and the method for tackling active attack is exactly authentication techniques.So will realize safe
Cloud storage system must consider encryption and problem of both certification simultaneously.
Encryption technology is to improve the information privacy of network communicating system, the major technique for preventing transmitted data on network from leaking
Means.At present, widely used two kinds of encryption systems are symmetric key encryption system and asymmetric-key encryption system.It is symmetrical close
Key encryption system speed is fast, efficiency high, is the effective method of encryption mass data in network communicating system.Using symmetrical
During key cryptosystem planned network communication encryption scheme, it is necessary to consider that the safety of key.
Authentication techniques are to provide communicating pair identity and Content of Communication, the skill of process trust guarantee in network communicating system
Art means.Currently, in fields such as financial transaction, ecommerce, electronic mail, the confirmations of phone user information, the network information is led to
Relatively frequently, the authenticity of data integrity validation and Data Source is all critically important security service to letter.Therefore, to certification
The research and practice of technology are an important contents of filed of network information security.The application of authentication techniques is mainly recognized including identity
Card, message authentication and digital signature.Message authentication is the basic fundamental of checking information source and content, mainly solves data logical
Integrity issue in letter and storing process, to guarantee information not by rogue attacks and distort.So being not difficult to find out, message authentication
It is the topmost application of authentication techniques, it has vital meaning to Network Communicate Security, is filed of network information security
In highly pay close attention to and study problem.
The content of the invention
The safety problem of user data cannot be ensured for existing HDFS, the invention discloses a kind of improved aes algorithm,
The invention also discloses a kind of cloud storage encryption method, while a kind of method of cloud storage data integrity certification is also disclosed,
The invention also discloses the combining encryption method cloud storage system corresponding with integrated authentication.By said method, to transmission
Data processed, greatly ensure that the safety of data.
Technical scheme is as follows:
The invention discloses a kind of cloud storage encryption system, which specifically includes cloud storage security client and cloud storage service
Device end;The cloud storage security client is used to define key seed on the client, obtains symmetric cryptography according to key seed
The key of algorithm, is then encrypted for file by the key of symmetric encipherment algorithm, forms the user file of encryption.It is objective afterwards
The session key that family end the reception server end transmits, carries out adding to the key of symmetric encipherment algorithm by the session key
It is close, the ciphertext form of the key of symmetric encipherment algorithm is formed, is transmitted for server end in order to safety;The cloud storage service
For being attached with server end, after successful connection, server end is client transmissions session key, that is, non-right at device end
Claim the public key or private key of AES.
Further, above-mentioned file symmetric encipherment algorithm adopts improved aes algorithm, rivest, shamir, adelman to adopt
RSA Algorithm, client and server end is connected by Socket methods.
1. wherein aes algorithm is related to 4 kinds of operations:Byte substitution, row displacement, row are obscured and InvAddRoundKey, and its feature exists
In:Byte substitution is to complete a byte to the mapping of another byte by S boxes, by the S boxes byte group of one 16x16
Into matrix representing, by tabling look-up step of be capable of achieving.
2. system as claimed in claim 3, obscures the two steps for row displacement and row and merges into an operation step
Suddenly;If the state after byte substitution is
Through row displacement and the state arranged after obscuring conversion it is
So,
The calculating process of each element in matrix is as follows:
Thus, the form for being write as a vector transformation is
In this calculating process, relate only toWithComputing,Computing by moving to left a realization,Computing is led to
CrossRealized with itself again afterwards;Computing by clear packets after 16 byte cycles move to left one,Computing elder generation
16 byte cycles after by clear packets move to left one, carry out xor operation with data itself again afterwards.
AES encryption process is related to 4 kinds of operations:Byte substitution, row displacement, row are obscured and InvAddRoundKey, with AES-128 are
Example, will carry out the round transformation of 10 wheels, and except last wheel does not enter in addition to ranks obscure, before remaining, 9 wheels have all once carried out 4 changes
Change, the present invention is optimized for its ciphering process, it is therefore an objective to improve the enciphering rate of aes algorithm.
It is the optimization to byte substitution first, the major function of byte substitution is to complete a byte in addition by S boxes
The mapping of one byte, different from intrinsic implementation (by byte in GF (2N) ask in domain its multiplication inverse and one imitative
Penetrate conversion to realize), as the step is a kind of conversion of non-linear byte-oriented, it is that 8 bit binary datas are converted to
Another 8 different bit binary data, requires to correspond here, when implementing, by the displacement of one 16x16 of S boxes
Table representing, by tabling look-up step of be capable of achieving, it is to avoid complicated multiplying.
The invention discloses a kind of system of cloud storage data integrity certification, which specifically includes cloud storage security client
With cloud storage service device end;The cloud storage security client is used to allow the selected needs of user to be sent to service on the client
The file at device end, is processed to this document using hash algorithm, to form the cryptographic Hash of this document.Afterwards, using institute before
The session key that the server end for obtaining is transmitted, the cryptographic Hash of the file to being formed just now are encrypted, and form a Jing
The cryptographic Hash that rivest, shamir, adelman was processed is crossed, to ensure the safety during server is transferred to.The cloud is deposited
Storage server end calculates cryptographic Hash to which in server end every time after receive user file.Then by with client
The cryptographic Hash sent is compared to the integrity for verifying message, if being proved to be successful, preserves file and is uploaded to HDFS, if checking
Failure, then abandon file.
There is disclosed herein the cloud storage of a kind of combination cloud storage encipherment scheme and cloud storage data integrity certificate scheme
Security system.User is selected on cloud storage security client to be needed to be sent to the file of server end, using hash algorithm pair
This document is processed, to form the cryptographic Hash of this document.Afterwards, user chooses whether customization on cloud storage security client
The key seed of oneself, client generate the key of symmetric encipherment algorithm according to the selection of user, and are calculated using symmetric cryptography
The file that the secret key pair user of method is to be uploaded is encrypted, and forms the user file of an encryption.Subsequently, cloud storage security client
End is attached with cloud storage service device end, and after successful connection, server end is client transmissions session key.At this moment, Yun Cun
The session key that storage security client the reception server end transmits, using key of the session key to symmetric encipherment algorithm
It is encrypted, forms the cryptograph files of the key of symmetric encipherment algorithm, transmits for server end in order to safety.Meanwhile, cloud
Storage security client is encrypted to the cryptographic Hash of this document by the session key, forms the cryptograph files of cryptographic Hash.This
When by the compression of cryptograph files boil down to one of the user file, the ciphertext of the key of symmetric encipherment algorithm and cryptographic Hash of encryption
This compressed package is uploaded to cloud storage service device end by cloud storage security client by bag.At cloud storage service device end, exist every time
After receiving the compressed package that client sends, this compressed package is decompressed, and using the private key or public key of rivest, shamir, adelman
The cryptograph files of the ciphertext and cryptographic Hash of the key of symmetric encipherment algorithm are decrypted, obtain the key of symmetric encipherment algorithm with
And the cryptographic Hash of user file.The user file encrypted using the secret key pair of symmetric encipherment algorithm afterwards is decrypted, and obtains bright
The file of text, is reused hash algorithm and calculates cryptographic Hash to the file of plaintext, compared by the cryptographic Hash sent with client
Relatively verifying the integrity of message.Cryptographic Hash twice is compared, if matching, is proved to be successful, preserve file and on
HDFS is reached, the file that user uploads otherwise is abandoned.
By the technical scheme using the above, advantage of the invention is that:This method is using based on integrity and confidentiality
Algorithm building safe cloud storage system, on the one hand consider systematic function, the encryption to file employs improved AES
Symmetric encipherment algorithm, the encryption to session key employ RSA rivest, shamir, adelmans, and only enter in cloud storage security client
Row cryptographic calculation, is only decrypted computing at cloud storage service device end.
Description of the drawings
Structural representations of the Fig. 1 for cloud storage system.
Fig. 2 realizes schematic flow sheet for cloud storage encryption.
Fig. 3 realizes schematic flow sheet for cloud storage integrated authentication.
Fig. 4 realizes schematic flow sheet for cloud storage system.
Specific embodiment
In order that the objects, technical solutions and advantages of the present invention become more apparent, it is once with reference to drawings and Examples, right
The present invention is further elaborated.It should be appreciated that specific embodiment described herein is only to explain the present invention, and
It is not used in the restriction present invention.
3., the invention discloses a kind of improved aes algorithm, its particular content is as follows:AES encryption process is related to 4
Plant operation:Byte substitution, row displacement, row are obscured and InvAddRoundKey, and byte substitution is to complete a byte to other one by S boxes
The mapping of individual byte, the matrix that S boxes are constituted with the byte of a 16x16 is representing
By step of be capable of achieving of tabling look-up, it is to avoid complicated multiplying.
4. also have and be aiming at obscuring the two steps and being optimized in row displacement and row, it is of the invention by the two steps
An operating procedure is merged into, can further be simplified and be realized process.The ultimate principle of this optimization is as follows, if through byte
State after replacement is
Through row displacement and the state arranged after obscuring conversion it is
So,
The calculating process of each element in matrix is as follows:
Thus, the form for being write as a vector transformation is
In this calculating process, relate only toWithComputing,Computing can by moving to left a realization,Fortune
Calculation can pass throughRealized with itself again afterwards (Computing by clear packets after 16 byte cycles move to left one,Computing first by clear packets after 16 byte cycles move to left one, carry out xor operation with data itself again afterwards).This
The conversion of step merges to be intended being referred to as row-column transform, and line to be replaced displacement and row are obscured the two steps, realize AES encryption process
Optimization.
5. a kind of cloud storage encryption system, which specifically includes cloud storage security client and cloud storage service device end;It is described
Cloud storage security client is used to define key seed on the client, obtains the secret of symmetric encipherment algorithm according to key seed
Key, is then encrypted for file by the key of symmetric encipherment algorithm, forms the user file of encryption.Client is received afterwards
The session key that server end is transmitted, is encrypted to the key of symmetric encipherment algorithm by the session key, and it is right to be formed
Claim the ciphertext form of the key of AES, transmit for server end in order to safety;The cloud storage service device end is used for
Be attached with server end, after successful connection, server end be client transmissions session key, that is, asymmetric encryption calculate
The public key or private key of method.
6. cloud storage encryption method as claimed in claim 5, it is characterised in that file symmetric encipherment algorithm is using improving
Aes algorithm, rivest, shamir, adelman adopts RSA Algorithm, and client and server end is connected by Socket methods.
7. a kind of system of cloud storage data integrity certification, which specifically includes cloud storage security client and cloud storage clothes
Business device end;The cloud storage security client is used for permission user on the client to be selected needs the text for being sent to server end
Part, is processed to this document using hash algorithm, to form the cryptographic Hash of this document.Afterwards, clothes resulting before are utilized
The session key that business device end transmits, the cryptographic Hash of the file to being formed just now are encrypted, and form one through asymmetric
The cryptographic Hash that AES was processed, to ensure the safety during server is transferred to.The cloud storage service device
Hold and cryptographic Hash is calculated to which in server end every time after receive user file.Then the Kazakhstan by sending with client
Uncommon value is compared to the integrity for verifying message, if being proved to be successful, preserves file and is uploaded to HDFS, if authentication failed,
Abandon file.
8. there is disclosed herein the cloud of a kind of combination cloud storage encipherment scheme and cloud storage data integrity certificate scheme is deposited
Storage security system.User is selected on cloud storage security client to be needed to be sent to the file of server end, using hash algorithm
This document is processed, to form the cryptographic Hash of this document.Afterwards, user chooses whether fixed on cloud storage security client
The key seed of oneself is made, client generates the key of symmetric encipherment algorithm according to the selection of user, and uses symmetric cryptography
The file that the secret key pair user of algorithm is to be uploaded is encrypted, and forms the user file of an encryption.Subsequently, cloud storage safety visitor
Family end is attached with cloud storage service device end, and after successful connection, server end is client transmissions session key.At this moment, cloud
The session key that storage security client the reception server end transmits, using the session key to the secret of symmetric encipherment algorithm
Key is encrypted, and forms the cryptograph files of the key of symmetric encipherment algorithm, transmits for server end in order to safety.Meanwhile,
Cloud storage security client is encrypted to the cryptographic Hash of this document by the session key, forms the cryptograph files of cryptographic Hash.
Now by one compression of cryptograph files boil down to of the user file, the ciphertext of the key of symmetric encipherment algorithm and cryptographic Hash of encryption
This compressed package is uploaded to cloud storage service device end by cloud storage security client by bag.At cloud storage service device end, exist every time
After receiving the compressed package that client sends, this compressed package is decompressed, and using the private key or public key of rivest, shamir, adelman
The cryptograph files of the ciphertext and cryptographic Hash of the key of symmetric encipherment algorithm are decrypted, obtain the key of symmetric encipherment algorithm with
And the cryptographic Hash of user file.The user file encrypted using the secret key pair of symmetric encipherment algorithm afterwards is decrypted, and obtains bright
The file of text, is reused hash algorithm and calculates cryptographic Hash to the file of plaintext, compared by the cryptographic Hash sent with client
Relatively verifying the integrity of message.Cryptographic Hash twice is compared, if matching, is proved to be successful, preserve file and on
HDFS is reached, the file that user uploads otherwise is abandoned.
The main part composition as shown in Figure 1 of cloud storage encryption and integrity verification system in the present invention, it is as follows in detail:
(1) cloud storage security client:Realization is docked with cloud storage service device end.Possess encryption function, including plaintext
The encryption of file and the encryption of session key.Also there is function simultaneously that generate file Hash codes, including using secure hash pair
The calculating evaluation of clear text file.
(2) cloud storage service device end:With store function, it is responsible for the storage of the data file that user uploads;With decryption
Function, including the decryption to cryptograph files and the decryption of session key;With the function of generating file Hash codes, including using peace
Hash full the calculating evaluation to clear text file;Function with the checking of file Hash codes, including to from cloud storage security client
The Hash codes for receiving regenerate the comparison of file Hash codes with cloud storage service device end.
Based on AES (data encryption adopt algorithm be often DES and AES, with the development of hardware and network,
The probability that DES algorithms are cracked is increasing, and the required time is also fewer and feweri.And aes algorithm is calculated compared to DES
Method, with more preferable safety, efficiency and motility.The key used by symmetric cryptography we can pass through asymmetric
The mode of encryption sends, although asymmetric encryption is safer, but compares with symmetric cryptography, and the speed that it encrypts is non-
It is often slow, so the present invention still encrypts message using symmetric encipherment algorithm.Therefore, present invention employs improved aes algorithm and
The mode that RSA Algorithm combines) and message authentication function (the conventional method of message authentication has CRC, MD5 and SHA1, wherein, CRC
Multinomial is linear structure, it is easy to reach CRC collisions by change data mode.With the raising of Computing ability,
The probability that MD5 and SHA1 find collision is also increasing.Therefore, the present invention use safer SHA256 algorithms) cloud
After the completion of storage system builds, user sends connection request, Yun Cun to cloud storage service device end by cloud storage security client
Storage server end produces client public key and private key, and by session key, the key of symmetric encipherment algorithm is carried out adding for user
It is close, to ensure the confidentiality of data.
User carries out the process of cloud storage encryption as shown in Fig. 2 its detailed step is as follows:
Step one:User chooses whether that on cloud storage security client the key seed for customizing oneself is (fixed using oneself
The password of justice forms key), using the key seed made by oneself, unique key is generated, if not using key seed, uploaded every time
File all generates a random key.
Step 2:Cloud storage security client generates the key of improved symmetric encipherment algorithm AES according to the selection of user.
Step 3:Cloud storage security client is carried out using the secret key pair user of improved aes algorithm file to be uploaded
Encryption, forms the user file of an encryption.
Step 4:Cloud storage security client is attached using Socket methods with cloud storage service device end, is connected into
After work(, server end is client transmissions session key, that is, the public key or private key of rivest, shamir, adelman RSA.
Step 5:The session key that cloud storage security client the reception server end transmits.
Step 6:Cloud storage security client by the session key to the key of symmetric encipherment algorithm (improved AES's
Key) it is encrypted, the ciphertext form of the key of symmetric encipherment algorithm is formed, is transmitted for server end in order to safety.
User carries out the process of cloud storage integrated authentication as shown in figure 3, its detailed step is as follows:
Step one:User is selected on cloud storage security client to be needed to be sent to the file of server end, using Hash
Algorithm SHA256 is processed to this document, to form the cryptographic Hash of this document.
Step 2:Using obtained by during file encryption session key (public key of rivest, shamir, adelman RSA or
It is private key), the cryptographic Hash that previous step is generated is encrypted, a Hash processed through rivest, shamir, adelman is formed
Value, to ensure the safety during server is transferred to.
Step 3:At cloud storage service device end, every time after the user file that client sends is received, using Hash
Algorithm SHA256 calculates cryptographic Hash to which.
Step 4:It is compared to verify the integrity of message by the cryptographic Hash sent with client.
Step 5:Cryptographic Hash twice is compared, if matching, is proved to be successful, preserved file and be uploaded to
HDFS, otherwise abandons the file that user uploads.
There is disclosed herein the cloud storage of a kind of combination cloud storage encipherment scheme and cloud storage data integrity certificate scheme
Security system, its storing process is as shown in figure 4, detailed step is as follows:
Step one:User is selected on cloud storage security client to be needed to be sent to the file of server end, using Hash
Algorithm SHA256 is processed to this document, to form the cryptographic Hash of this document.
Step 2:User chooses whether that on cloud storage security client the key seed for customizing oneself is (fixed using oneself
The password of justice forms key), using the key seed made by oneself, unique key is generated, if not using key seed, uploaded every time
File all generates a random key.
Step 3:Cloud storage security client generates the key of the improved AES of symmetric encipherment algorithm according to the selection of user.
Step 4:Cloud storage security client is carried out using the secret key pair user of improved aes algorithm file to be uploaded
Encryption, forms the user file of an encryption.
Step 5:Cloud storage security client is attached using Socket methods with cloud storage service device end, is connected into
After work(, server end is client transmissions session key, that is, the public key or private key of rivest, shamir, adelman RSA.
Step 6:The session key that cloud storage security client the reception server end transmits.
Step 7:Cloud storage security client by the session key to the key of symmetric encipherment algorithm (improved AES's
Key) it is encrypted, the cryptograph files of the key of symmetric encipherment algorithm are formed, is transmitted for server end in order to safety.
Step 8:Cloud storage security client is encrypted to the cryptographic Hash of this document by the session key, is formed and is breathed out
The cryptograph files of uncommon value.
Step 9:By the cryptograph files pressure of the user file, the ciphertext of the key of symmetric encipherment algorithm and cryptographic Hash of encryption
It is condensed to a compressed package.
Step 10:This compressed package is uploaded to into cloud storage service device end by cloud storage security client.
Step 11:At cloud storage service device end, every time after the compressed package that client sends is received, this pressure is decompressed
Contracting is wrapped, and the private key or public key using RSA is carried out to the ciphertext of key and the cryptograph files of cryptographic Hash of symmetric encipherment algorithm
Decryption, obtains the cryptographic Hash of the key and user file of symmetric encipherment algorithm.
Step 12:The user file encrypted using the secret key pair of symmetric encipherment algorithm is decrypted, and obtains the text of plaintext
Part.
Step 13:Cryptographic Hash is calculated to the file of plaintext using hash algorithm SHA256.
Step 14:It is compared to verify the integrity of message by the cryptographic Hash sent with client.
Step 15:Cryptographic Hash twice is compared, if matching, is proved to be successful, preserved file and be uploaded to
HDFS, otherwise abandons the file that user uploads.
The coefficient gone out given in the above embodiments and parameter, are available to those skilled in the art to realize or use
Invention, invention is not limited and only takes aforementioned disclosed numerical value, in the case of the thought without departing from invention, the technology of this area
Personnel can make various modifications or adjustment to above-described embodiment, thus the protection domain of invention is not by above-described embodiment institute
Limit, and should be the maximum magnitude for meeting the inventive features that claims are mentioned.
Claims (6)
1. a kind of cloud storage encryption system, including cloud storage security client and cloud storage service device end;It is characterized in that:It is described
Cloud storage security client is used to define key seed on the client, obtains the secret of symmetric encipherment algorithm according to key seed
Key, is then encrypted for file by the key of symmetric encipherment algorithm, forms the user file of encryption;Client is received afterwards
The session key that server end is transmitted, is encrypted to the key of symmetric encipherment algorithm by the session key, and it is right to be formed
Claim the ciphertext form of the key of AES, transmit for server end in order to safety;The cloud storage service device end is used for
Be attached with server end, after successful connection, server end be client transmissions session key, that is, asymmetric encryption calculate
The public key or private key of method.
2. the system as claimed in claim 1, it is characterised in that:Symmetric encipherment algorithm adopts aes algorithm, rivest, shamir, adelman
Using RSA Algorithm, client and server end is connected by Socket methods.
3. system as claimed in claim 2, wherein aes algorithm are related to 4 kinds of operations:Byte substitution, row displacement, row obscure and
InvAddRoundKey, it is characterised in that:Byte substitution is to complete a byte to the mapping of another byte by S boxes, and S boxes are used
The matrix of the byte composition of one 16x16 representing, by tabling look-up step of be capable of achieving.
4. system as claimed in claim 3, for row displacement and row are obscured the two steps and merge into an operating procedure;If
State after byte substitution is
Through row displacement and the state arranged after obscuring conversion it is
So,
The calculating process of each element in matrix is as follows:
Thus, the form for being write as a vector transformation is
In this calculating process, relate only toWithComputing,Computing by moving to left a realization,Computing passes through
Carry out with itself again afterwardsRealize;Computing by clear packets after 16 byte cycles move to left one,Computing first will be in plain text
16 byte cycles after packet move to left one, carry out xor operation with data itself again afterwards.
5. a kind of system of cloud storage data integrity certification, including cloud storage security client and cloud storage service device end;Its
It is characterised by:The cloud storage security client is used for permission user on the client to be selected needs the text for being sent to server end
Part, is processed to this document using hash algorithm, to form the cryptographic Hash of this document;Afterwards, clothes resulting before are utilized
The session key that business device end transmits, the cryptographic Hash of the file to being formed just now are encrypted, and form one through asymmetric
The cryptographic Hash that AES was processed;The cloud storage service device end in server end every time after receive user file,
Cryptographic Hash is calculated to which;Then the cryptographic Hash by sending with client is compared to the integrity for verifying message, if checking
Success, preserves file and is uploaded to HDFS, if authentication failed, abandon file.
6. a kind of cloud storage security system, it is characterised in that:User selectes needs on cloud storage security client and is sent to clothes
The file at business device end, is processed to this document using hash algorithm, to form the cryptographic Hash of this document;Afterwards, user is in cloud
Choose whether to customize the key seed of oneself on storage security client, client generates symmetric cryptography according to the selection of user and calculates
The key of method, and be encrypted using the secret key pair user of symmetric encipherment algorithm file to be uploaded, form an encryption
User file;Subsequently, cloud storage security client is attached with cloud storage service device end, and after successful connection, server end is
Client transmissions session key;At this moment, the session key that cloud storage security client the reception server end transmits, using should
Session key is encrypted to the key of symmetric encipherment algorithm, forms the cryptograph files of the key of symmetric encipherment algorithm;Meanwhile, cloud
Storage security client is encrypted to the cryptographic Hash of this document by the session key, forms the cryptograph files of cryptographic Hash;This
When by the compression of cryptograph files boil down to one of the user file, the ciphertext of the key of symmetric encipherment algorithm and cryptographic Hash of encryption
This compressed package is uploaded to cloud storage service device end by cloud storage security client by bag;At cloud storage service device end, exist every time
After receiving the compressed package that client sends, this compressed package is decompressed, and using the private key or public key of rivest, shamir, adelman
The cryptograph files of the ciphertext and cryptographic Hash of the key of symmetric encipherment algorithm are decrypted, obtain the key of symmetric encipherment algorithm with
And the cryptographic Hash of user file;The user file encrypted using the secret key pair of symmetric encipherment algorithm afterwards is decrypted, and obtains bright
The file of text, is reused hash algorithm and calculates cryptographic Hash to the file of plaintext, compared by the cryptographic Hash sent with client
Relatively verifying the integrity of message;Cryptographic Hash twice is compared, if matching, is proved to be successful, preserve file and on
HDFS is reached, the file that user uploads otherwise is abandoned.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201610969083.4A CN106549963A (en) | 2016-11-05 | 2016-11-05 | Safe storage system based on HDFS |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201610969083.4A CN106549963A (en) | 2016-11-05 | 2016-11-05 | Safe storage system based on HDFS |
Publications (1)
Publication Number | Publication Date |
---|---|
CN106549963A true CN106549963A (en) | 2017-03-29 |
Family
ID=58394538
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201610969083.4A Pending CN106549963A (en) | 2016-11-05 | 2016-11-05 | Safe storage system based on HDFS |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN106549963A (en) |
Cited By (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN107180252A (en) * | 2017-05-10 | 2017-09-19 | 杨明艳 | A kind of police field identity characteristic gathers the manufacture method and equipment of product |
CN109376543A (en) * | 2018-08-28 | 2019-02-22 | 浙江工业大学 | A kind of database encryption method based on aes algorithm |
CN109936450A (en) * | 2017-12-15 | 2019-06-25 | 国网冀北电力有限公司 | Real-time perception towards regulation operation data mixes encryption and decryption method and device |
CN111079158A (en) * | 2019-11-21 | 2020-04-28 | 支付宝(杭州)信息技术有限公司 | Data storage and reading method and device |
CN111224943A (en) * | 2019-11-21 | 2020-06-02 | 天津天睿科技有限公司 | Internet encryption data transmission method |
CN112968910A (en) * | 2021-03-30 | 2021-06-15 | 中国建设银行股份有限公司 | Replay attack prevention method and device |
CN114285615A (en) * | 2021-12-16 | 2022-04-05 | 南京瀚元科技有限公司 | Encryption method and system for new energy data |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102394894A (en) * | 2011-11-28 | 2012-03-28 | 武汉大学 | Network virtual disk file safety management method based on cloud computing |
US20140047422A1 (en) * | 2012-08-07 | 2014-02-13 | Nec Laboratories America, Inc. | Compiler-guided software accelerator for iterative hadoop jobs |
CN104184740A (en) * | 2014-09-04 | 2014-12-03 | 中电长城网际系统应用有限公司 | Credible transmission method, credible third party and credible transmission system |
CN104852922A (en) * | 2015-05-26 | 2015-08-19 | 陈彬 | Big data encrypting and decrypting method based on distributed file system |
-
2016
- 2016-11-05 CN CN201610969083.4A patent/CN106549963A/en active Pending
Patent Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102394894A (en) * | 2011-11-28 | 2012-03-28 | 武汉大学 | Network virtual disk file safety management method based on cloud computing |
US20140047422A1 (en) * | 2012-08-07 | 2014-02-13 | Nec Laboratories America, Inc. | Compiler-guided software accelerator for iterative hadoop jobs |
CN104184740A (en) * | 2014-09-04 | 2014-12-03 | 中电长城网际系统应用有限公司 | Credible transmission method, credible third party and credible transmission system |
CN104852922A (en) * | 2015-05-26 | 2015-08-19 | 陈彬 | Big data encrypting and decrypting method based on distributed file system |
Non-Patent Citations (2)
Title |
---|
余琦,凌捷: "基于HDFS的云存储安全技术研究", 《计算机工程与设计》 * |
贾旭: "AES算法的安全性分析及其优化改进", 《CNKI》 * |
Cited By (10)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN107180252A (en) * | 2017-05-10 | 2017-09-19 | 杨明艳 | A kind of police field identity characteristic gathers the manufacture method and equipment of product |
CN109936450A (en) * | 2017-12-15 | 2019-06-25 | 国网冀北电力有限公司 | Real-time perception towards regulation operation data mixes encryption and decryption method and device |
CN109936450B (en) * | 2017-12-15 | 2022-06-14 | 国网冀北电力有限公司 | Real-time perception mixed encryption and decryption method and device for regulating and controlling running data |
CN109376543A (en) * | 2018-08-28 | 2019-02-22 | 浙江工业大学 | A kind of database encryption method based on aes algorithm |
CN111079158A (en) * | 2019-11-21 | 2020-04-28 | 支付宝(杭州)信息技术有限公司 | Data storage and reading method and device |
CN111224943A (en) * | 2019-11-21 | 2020-06-02 | 天津天睿科技有限公司 | Internet encryption data transmission method |
CN111079158B (en) * | 2019-11-21 | 2022-04-12 | 支付宝(杭州)信息技术有限公司 | Data storage and reading method and device |
CN112968910A (en) * | 2021-03-30 | 2021-06-15 | 中国建设银行股份有限公司 | Replay attack prevention method and device |
CN112968910B (en) * | 2021-03-30 | 2022-12-27 | 中国建设银行股份有限公司 | Replay attack prevention method and device |
CN114285615A (en) * | 2021-12-16 | 2022-04-05 | 南京瀚元科技有限公司 | Encryption method and system for new energy data |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN101075874B (en) | Certifying method and system | |
EP3862956B1 (en) | Secure multiparty loss resistant storage and transfer of cryptographic keys for blockchain based systems in conjunction with a wallet management system | |
CN106549963A (en) | Safe storage system based on HDFS | |
CN103731261B (en) | Secret key distribution method under encrypted repeating data deleted scene | |
CN102082790B (en) | Method and device for encryption/decryption of digital signature | |
CN103986583B (en) | A kind of dynamic encrypting method and its cryptographic communication system | |
CN101931529B (en) | Data encryption method, data decryption method and nodes | |
CN102811125B (en) | Certificateless multi-receiver signcryption method with multivariate-based cryptosystem | |
US20110145576A1 (en) | Secure method of data transmission and encryption and decryption system allowing such transmission | |
CN102739401B (en) | Private key safety management method based on identity public key cryptography system | |
CN103036684B (en) | Identity-based encryption (IBE) data encryption system and method capable of lowering damages of master key crack and disclosure | |
CN113300856B (en) | Heterogeneous mixed signcryption method capable of proving safety | |
CN101977112A (en) | Public key cipher encrypting and decrypting method based on neural network chaotic attractor | |
CN110535626B (en) | Secret communication method and system for identity-based quantum communication service station | |
CN110519226B (en) | Quantum communication server secret communication method and system based on asymmetric key pool and implicit certificate | |
CN105391554A (en) | Method and system for realizing fingerprint matching by using ciphertext | |
CN110120939A (en) | A kind of encryption method and system of the deniable authentication based on heterogeneous system | |
CN104243494A (en) | Data processing method | |
CN110113150A (en) | The encryption method and system of deniable authentication based on no certificate environment | |
CN109104271A (en) | A kind of methods, devices and systems of digital signature | |
CN103493428B (en) | Data encryption | |
CN101001142A (en) | Encipher-decipher method based on iterative random number generator | |
CN106713349A (en) | Inter-group proxy re-encryption method capable of resisting selected ciphertext attack | |
CN112003707A (en) | Quantum computation attack resistant block chain digital signature encryption method and system | |
CN104184736B (en) | A kind of method and system realizing secure cloud and calculate |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
RJ01 | Rejection of invention patent application after publication |
Application publication date: 20170329 |
|
RJ01 | Rejection of invention patent application after publication |