CN106685980A - Cryptographic method of large files - Google Patents
Cryptographic method of large files Download PDFInfo
- Publication number
- CN106685980A CN106685980A CN201710023574.4A CN201710023574A CN106685980A CN 106685980 A CN106685980 A CN 106685980A CN 201710023574 A CN201710023574 A CN 201710023574A CN 106685980 A CN106685980 A CN 106685980A
- Authority
- CN
- China
- Prior art keywords
- encryption
- key
- information
- data
- user
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
- 238000000034 method Methods 0.000 title claims abstract description 57
- 230000011218 segmentation Effects 0.000 claims description 28
- 230000008859 change Effects 0.000 claims description 15
- 238000006243 chemical reaction Methods 0.000 claims description 6
- 230000008569 process Effects 0.000 claims description 5
- 230000003044 adaptive effect Effects 0.000 claims description 3
- 230000008901 benefit Effects 0.000 abstract description 2
- 238000004364 calculation method Methods 0.000 abstract description 2
- 230000006872 improvement Effects 0.000 description 4
- 239000000654 additive Substances 0.000 description 2
- 230000000996 additive effect Effects 0.000 description 2
- 238000003491 array Methods 0.000 description 2
- 238000000205 computational method Methods 0.000 description 2
- 230000007547 defect Effects 0.000 description 2
- 230000000694 effects Effects 0.000 description 2
- 238000005516 engineering process Methods 0.000 description 2
- 238000002372 labelling Methods 0.000 description 2
- 238000007726 management method Methods 0.000 description 2
- 230000004048 modification Effects 0.000 description 2
- 238000012986 modification Methods 0.000 description 2
- 241001269238 Data Species 0.000 description 1
- 239000003795 chemical substances by application Substances 0.000 description 1
- 230000001419 dependent effect Effects 0.000 description 1
- 238000011161 development Methods 0.000 description 1
- 230000018109 developmental process Effects 0.000 description 1
- 230000004069 differentiation Effects 0.000 description 1
- 235000013399 edible fruits Nutrition 0.000 description 1
- 239000000686 essence Substances 0.000 description 1
- 230000002427 irreversible effect Effects 0.000 description 1
- 239000000463 material Substances 0.000 description 1
- 230000007246 mechanism Effects 0.000 description 1
- 238000012805 post-processing Methods 0.000 description 1
- 238000004321 preservation Methods 0.000 description 1
- 238000011084 recovery Methods 0.000 description 1
- 230000008439 repair process Effects 0.000 description 1
- 238000009394 selective breeding Methods 0.000 description 1
- 230000035945 sensitivity Effects 0.000 description 1
- 238000006467 substitution reaction Methods 0.000 description 1
- 238000012546 transfer Methods 0.000 description 1
- 230000010415 tropism Effects 0.000 description 1
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/04—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
- H04L63/0428—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
- H04L63/0464—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload using hop-by-hop encryption, i.e. wherein an intermediate entity decrypts the information and re-encrypts it before forwarding it
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Storage Device Security (AREA)
Abstract
The invention relates to a cryptographic method of large files and belongs to the field of information security. The method takes into consideration of the huge data of the large files, is not suitable for all the encryption, and different encryption methods have different advantages and disadvantages, so full homomorphic encryption can not solve all of the delegates calculations, and encryption costs a lot, some require the use of misleading encryption, and some require only common symmetric encryption, so appropriate encryption is selected by subsection, and only partial data is encrypted by rule or selection. At the same time, the optimal scheme of reducing key management and ensuring security is proposed. The method requires only a small number of keys for file encryption and decryption.
Description
Technical field
The invention belongs to information security field, is related to a kind of method being encrypted to big file.
Background technology
With the development of information technology, many services also tend to informationization, and digitized, people become increasingly dependent on data,
Data volume is also increasing.Correspondingly, some files are also increasing.Big data (big data, mega very popular at present
Data some files) are also very big, and some are stored in the form of stream-oriented file.Obviously often there are safe need in these files
Ask, needs are encrypted protection, but it is again substantially unpractical that substantial amounts of data are encrypted.Because in big data some
The value ratio of data is relatively low, without the need for being maintained secrecy.But due to its complicated variety, the value of some data may be very high,
Need to carry out different degrees of protection, for cloud computing and the encryption of big data aspect, re-encryption is acted on behalf of at present and homomorphism adds
Close, wherein it is that a kind of key between ciphertext is changed the mechanism to act on behalf of re-encryption, in this process, agent cannot get the bright of data
Literary information, so as to reduce leaking data risk.And corresponding to the two ciphertexts be in plain text it is the same, realize data be total to
Enjoy.The purpose of homomorphic cryptography is in order to storage ciphertext data on the server still can be calculated.Homomorphic cryptography is imitated
Rate is low, and redundancy is big, and using there is larger limitation in reality, above-mentioned encryption method is directly used in the large-scale data of encryption
It is unpractical, because amount of calculation is huge, and such as homomorphic cryptography often brings the extension of data, and cost is big, acts on behalf of again
Encryption is suitable only for the conversion of the key between specific user, also there is no need for all of data to carry out above-mentioned adding in reality
It is close.Homomorphic cryptography is relatively specific for the encryption of calculative data, but cost is higher.Encrypted with traditional encryption method
The problems such as these data there is also computationally intensive etc..And in reality, we are also wanted to for some data, after encryption, ciphertext
Significant wrong ciphertext can be decrypted as, or the key content of plaintext is replaced by word, word, the sentence that other mislead meaning
Son etc., to reach the effect of misleading, should avoid huge workload, and wherein important data are protected again, need to take
Certain flexible way.Consider in the present invention to be encrypted significant data, and inessential data are not processed.
The content of the invention
In view of the different demands of different pieces of information, the present invention devises a kind of selective encryption side for being directed to big file
Method.
Scheme 1:File is read out, sectional encryption is carried out to its data or content, if being not added with without the need for secrecy
It is close, needed, using different encryption methods, finally to save as ciphertext according to it if necessary to encryption.The general steps of encryption are such as
Under:
1st, file is read, obtains content, can be that directly data are encrypted, for word's etc for text
File, can be encrypted to the text that it is included, and carry out piecemeal to data or content as needed(Segmentation), such as piecemeal
Can be the files such as the SequenceFile in Hadoop(Stream-oriented file)In in a file, or xml document including
A characteristic value, or the unit such as paragraph, a sentence of word document, in form a data item, a line, one
Row etc..
2nd, encryption is chosen whether as needed, and which kind of cipher mode, this can be machine, or artificial
, such as the artificial selection of machine judgement or user is carried out according to the rule of setting, judge each data block of big file
(Section)Whether need to be encrypted, and be encrypted using which type of mode.
3rd, select existing key or produce key, each data block is encrypted according to the method for selecting, encryption can
To be directed to each piece of value, such as there is separator in some file formats, there is the record of length, if necessary to plaintext version,
Can not be encrypted.
4th, the ciphertext for obtaining each encryption of blocks of data, if it is desired, carry out necessary adaptive code conversion, than
As being byte arrays by typically encrypting obtain, generally need to be converted to character array and write file again(Decryption
When need to carry out contrary conversion), and a cryptograph files are connected as according to corresponding file format requirements, using corresponding
Form preserve last ciphertext, such as, if word document, for its content of text encryption, then the ciphertext of encryption is turned
The coding for being changed to character style is coupled together as text, is put into word document, then preserves word document, if streaming is literary
Part, is stored according to the form of stream-oriented file, if causing the change of length in encryption, then needs the file in final storage
In modify length value, the length information in file structure is adjusted correspondingly.Carry out necessary process and allow data
Meet the form of preservation, these ciphertext data are stored in cryptograph files, and whether data are encrypted, if encryption,
Information and parameter required for corresponding decryption will be stored, such as the positional information of data block(Such as starting and ending
Position or original position and length)What it is encrypted using mode, the key of encryption(Or the information that acquisition key needs)
And the length storage of various parameters, this part ciphertext or even plaintext is got up.For convenience, these information can be stored in table
In, these packets contain information A that can uniquely determine this segmentation(A characteristic in such as xml document, block is in a text
Original position and end position in part, the position in memorizer etc.), obtain the information that corresponding piece of key needs, such as it is close
Key K(This key is probably what is encrypted)Or storage information B of key(Such as, address or the position in certain form
Put), the algorithm of encryption and other decryption information needed(Such as block length, initial vector, encryption mode etc.), it is also possible to include
Other need the message of remarks.AES is also likely to be public key encryption algorithm etc., then need to deposit corresponding public key information.
Decryption is a contrary process, for each block number evidence, first determines whether whether it encrypts, if it is,
Decryption is then needed, the information such as its key are obtained.Data block is decrypted.
The Advantageous Effects of this programme have:Solve the defect that prior art is not suitable for big file encryption, it is to avoid
Encrypt unpractical problem completely.For different tuber is needed using different encryption methods according to different.
Scheme 2:On the basis of above scheme 1, it is contemplated that general logarithm value of homomorphic cryptography is meaningful, in table, can
Can certain string be all the data for needing to carry out homomorphic cryptography, it is easy to make a distinction, the general also easy area of the data in xml document
Point, but in text and word, need the numerical value for carrying out homomorphic cryptography to be mixed in text(Word)Or other
Data in, further the data such as numerical value and text can be carried out on the basis of previous segment separate encryption, numerical value encryption
When adopting homomorphic cryptography, so need to carry out the numerical value after homomorphic cryptography to be easy to look for when commission is calculated
To data, and substantial amounts of data can not carry out complexity, and the high homomorphic cryptography of redundancy is calculated.Still to protect after segmentation
Adaptability of the card to original file format, it is ensured that the reversibility of decryption, if such as word document, one is entered when segmentation
These numerical value and other data are carried out piecemeal by step, if SequenceFile files, can adopt two methods:A)
Similar to above, if including numerical value and other data in a record, further by each hop count value and other numbers
According to being split, the block for becoming different is encrypted, meanwhile, according to the form of SequenceFile files, these blocks are also set
A corresponding record is set to, a record originally is divided into multiple records;B)Each hop count value in each record
Split with other data, the block for becoming different is encrypted, meanwhile, the ciphertext after encryption is still coupled together, and becomes one
Individual record, and still stored according to the form of stream-oriented file, when encryption information is stored, in order to realize this kind of need
The differentiation of the ciphertext for carrying out acting on behalf of the data ciphertext of calculating and general text, the positional information of each block(Such as start bit
Put and length or original position and end position)It is recorded with cipher mode, is easy to decryption.Can also be initial using arranging
Splitting these blocks, these starting and ending labellings are the symbol for being not in ciphertext to the method for labelling and end mark,
Increase start mark and end mark before and after ciphertext.
Scheme 3:On the basis of scheme 1 or 2, it is considered to such as homomorphic cryptography, including full homomorphic cryptography, can not meet
Under all cloud computing backgrounds commission calculate needs, some calculate still can not by full homomorphic cryptography post processing, so, it is not
All problems can be solved, also there is no need to spend so big cost all to adopt homomorphic cryptography.In view of homomorphic cryptography sometimes
Both it is in need, but and cost is higher, for general data seem that big material is little if with the too big homomorphic cryptography of cost
With, work hard but get little result, except full homomorphic cryptography, the additive homomorphism and multiplicative homomorphic less than full homomorphic cryptography cost also has it to be suitable for
Scope, if it is possible to which the data encrypted with additive homomorphism are equally seemed using full homomorphic cryptography and worked hard but get little result.Preferably, adding
The selection of method is encrypted when close, all functions for being calculated are needed according to data judging the data being related to is
It is no to need to use homomorphic cryptography(Only one of which function needs to use homomorphic cryptography, and other functions all do not need homomorphism, are also considered as
Need to use homomorphic cryptography, that is, meet the needs for being possible to function, similarly hereinafter), need using which type of homomorphic cryptography, when it
His general encryption and non-full homomorphic cryptography are all infeasible, it is necessary to when using homomorphic cryptography, using full homomorphic cryptography, when complete same
When state is encrypted with non-full homomorphic cryptography, using non-full homomorphism(Half homomorphism)Encryption method, when common encryption is feasible,
The common encryption method of prioritizing selection, i.e., when various methods can achieve the goal, be from order preferentially, it is general to add
Close, half homomorphism encryption, full homomorphic cryptography.
Scheme 4:On the basis of above scheme 1,2 or 3, it is preferable that in encryption, asymmetrical encryption, including same
State is encrypted, and also weighs proxy-encrypted always minority because their cost is higher, therefore it is more can adopt symmetrical encryption,
It is unsafe to go to encrypt substantial amounts of data using identical encryption parameter in symmetric cryptography, so needing more key.Examine
Considering the symmetric cryptography of the mass data of big file needs to use substantial amounts of key, the complex management of a large amount of keys, in order to avoid
These defects, go to produce key here using unidirectional function.One-way function with positive calculating, but can in turn be inverted, and is stranded
It is difficult.Such as hash functions are exactly such function, and we are with the positional information of the data block of big file(This can be uniquely determined
Information A of segmentation), initial key or password(It is referred to as password, initial password)K is produced, and in reality, people often hold very much
Order of shutting up easy to remember, need not so preserve password, but key then needs encryption storage in addition.The encryption key of single split is by only
One determines this segmentation(Data block)Positional information A and K irreversible one-way function M(F(K, A))Produce, such as Hash
Function, i.e. HASH(F(K, A))Value, F is a function, can be simply to merge two data of KA, intercepts encrypted data chunk
The corresponding digit of key length of adopted symmetric encipherment algorithm, it is noted that if the length of key is more than the output of hash functions
Length, information above can be input into respectively multiple functions, HASH(F1(K, A)), HASH(F2(K, A)), or it is multiple not
Same one-way function(Such as hash functions)Value, as the encryption key of the data block for being positioned.Can certainly be this entirety
As an one-way function.Just can avoid going inversely to derive initial password by the key of block using unidirectional function, its
The key of his block, safety is good and convenient.If data block is needed using public key encryption method, above-mentioned product need not be used
Raw key, it is only necessary to decrypted using public key and private key encryption, if symmetric cryptography, then need to use what is produced above
Block encryption key.In some encryptions, such as some mislead the encryption of functions, sometimes also need to the encryption of two-layer, need compared with
Long key, can be gone to produce a pseudo-random sequence with the data for producing, such as can be produced using one-way function(May need
Intercept)The key of one stream cipher, key stream is produced by this key with stream cipher arithmetic, and intercepting in key stream needs
Misleading encryption each layer key.After producing key, it is encrypted according to the method for scheme 1,2,3.
In theory, we only need to store initial password, and record each piece of corresponding initial password just,
The encryption key of each segmentation but sometimes can also be alternatively encrypted for convenience.Multi-enciphering can be adopted, preferably
Public key encryption sectional encryption key can be used, and whether the sectional encryption key after public key encryption, segment information, segmentation are added
Information, type of coding of clear data needed for information, the decryption segmentation of close, segmentation the corresponding data block of encryption key etc.
Deng, store together, such as stored with form, we are referred to as encryption information table.
Scheme 5:On the basis of above scheme 4, it is possible to further be each user have oneself initial key or
Password, can also be collectively referred to as here password Ki, so he can encrypt and decrypt oneself responsible data block, encryption information
In being stored in encryption information table, if using multiple initial passwords, initial password K should be included in encryption information tablei(May
It is the K of encryptioni)Or KiInformation(Such as number, deposit position etc.).If single piece of key exposure, using new initial
Password produces key and goes to encrypt the block of leakage key, and updates encryption information table.
Scheme 6:The addition on the basis of above scheme 4 or 5 updates cipher key function, and sometimes password there may be and let out
Leakage, the situation of loss, if KiLose, need the block key for changing all of data block produced by it, decrypt again, then
Encrypted with new key, if single piece of key exposure, generally, be also required to change that according to the generation rule of key
Individual initial password Ki, due to using multiple initial passwords, initial password being included in encryption information table(Possibly encrypt
's)Or the information of initial password.It is therefore preferred that it is proposed that two schemes:A)Key is produced using new password to go to add
The block of close leakage key, and update encryption information table;B)When calculating block key, increase an information and change key number of times
Information, can be simply Null(It is empty), form as 1,2, or f(0), f(1), f(2)As long as can uniquely determine
The information of number of times is changed just, with unidirectional function M(F(K, A, f(N)))Block key is produced, it is also necessary in cipher key information table
The information of same correspondence change key number of times, or due to changing the data block of key always minority, can be to there is change key
Data block change number of times and corresponding data block information store elsewhere.
First judge whether data encrypt when data deciphering, decrypted according to the information of encryption information table.Can also be according to close
Code generates the block encryption key of segmentation to be used to decrypt.
Scheme 7:On the basis of above scheme 4 or 5, it is considered in some stream-oriented files of big data, actually one
Individual file includes many records, is effectively equivalent to a unique file, here or referred to as data block.When many, no
The data block that same user includes to certain part in large data files(Such as record)There are different encrypting and decrypting authorities, than
As a higher-level user can decrypt all of encrypted data chunk, and the user of low one-level can only then decrypt a part of data
Block, these users have a part of file oneself being solely responsible for decrypt, they manage file extent such as one tree,
Highest level user can regard tree root as, be responsible for All Files, and rank is lower, and responsible file is fewer.Give one example, one
Everyone manages the file of oneself to the people of individual section, and a section chief can consult the proprietary file of the section, and director can look into
All files for having section under its command are read, by that analogy, Jing is commonly present in such case reality.
At present big data is increasing, and many big datas are stored in a big stream-oriented file.This big file
Record may belong to different users, have different authorities, need to be encrypted with different key.When data volume is big,
Size of key is than larger, and to manage extremely complex.There are many key managing projects at present, if simply entered to key
Row encryption is stored, then size of key manages complexity than larger, and for this kind of encryption as one tree mentioned
The administration authority of key can not be controlled very well.In order to store less key, and the user to different stage gives not
Same authority, we still can produce key using one-way function.
Different records in big data tend to belong to different users, need to be encrypted with different keys, there is different peaces
Full rank, there is different access control rights.The present invention devises one kind using the unidirectional property of one-way function can meet need
The key wanted generates management method, and is applied to the encipherment protection of big file.
When having multi-stage user, by the initial password K of highest-level usersrWith reference to a certain unique letter of secondary advanced level user
Breath Bi(Can disclosed, or only highest-level users know, such as user's name, name, code name, numbering etc.,
But this information should be unique, not bear the same name)The initial password of time advanced level user is produced, computational methods are M(F(Kr,
Bi)), M()For one-way function, the initial password of the data as secondary advanced level user of appropriate length is intercepted;Further by secondary high
The initial password of level user produces in an identical manner again the initial password of low primary user;Until producing lowermost level user's
Initial password, then produces the encryption key of data block by the initial password of lowermost level user.
Therefore, therein data block very big in file(Such as record)Authority also tend to complexity, it may be possible to belong to above
The tree-like authority of the multi-stage user mentioned, then can adopt following encryption method:
1st, the authority of users at different levels is determined, according to above-mentioned method, highest-level users first produce an initial password K1, under
The initial password K of primary userr+1It is M to produce unidirectional function(F(Kr, B), B for user numbering, real estate step by step by that analogy
The initial password of raw multi-stage user.
2nd, the big file as needed to needing encryption carries out piecemeal(Segmentation), with SequenceFile in Hadoop etc.
One record of big file.
3rd, the rule according to setting or the selection of user, judge data block(Section)Whether need to be encrypted, and adopt
Which type of it is encrypted with mode.If data block is needed using public key encryption method, the key of generation need not be used,
Only need to be decrypted using public key and private key encryption, if symmetric cryptography, then need to produce block encryption key in next step.
4th, according to the positional information of data block(Uniquely determine information A of this segmentation)With the initial password of lowermost level user
KlThe encryption key of data block is produced, we are produced with initial password.Single split(Block)Encryption key by uniquely determining this
Individual segmentation(Data block)Information A and for this segmentation have encryption and decryption authority lowermost level user initial password KlCan not
Inverse function M(F(Kl, A))Produce, such as hash function, i.e. HASH(F(Kl, A))Value, F is a function(Can be simply by
Two data of K, A merge), intercept encrypted data chunk and adopt the corresponding digit of the key length of symmetric encipherment algorithm.Using list
The function of tropism just can avoid going inversely to derive initial password by the key of block, the key of other blocks, safety it is good and
It is convenient.
5th, to the block for needing to encrypt, data block is encrypted according to the method for selecting, the data for obtaining, encryption can be only
Each piece of value is directed to, such as has separator in some file formats, there is the record of length, can not be encrypted, encrypted
Afterwards length is changed, and makes corresponding modification.And whether data are encrypted, the letter if encryption, required for corresponding decryption
Breath and parameter will be stored, such as be encrypted using what mode, corresponding key information(The letter of key can be obtained
Breath, such as determine that this block belongs to certain first degree user, just obtains block key according to the generation rule of block key, in addition
It can be the deposit position of block key(Such as, address or the position in certain form), or the block key of encryption etc.
Deng.)And various parameters.For convenience, this example can be stored in these information in table, and these packets contain and uniquely determine this
The original position and end position of the information A---- data block of individual segmentation, can be close with the block of the information-encryption of recovery block key
Key, the algorithm and other information of encryption(Block length, initial vector, encryption mode, fill pattern etc.).
6th, the ciphertext of each encryption of blocks of data is connected as into a cryptograph files according to corresponding method, using corresponding
Form is preserved, such as, if word document, for the encryption of its content of text, then the text of encryption is also coupled together as
Text, is put into word document, then preserves document, if stream-oriented file, is stored according to the form of stream-oriented file, to text
Length information in part structure is adjusted correspondingly.
The advantage of this programme is to reduce to need the password or key of storage, and can control multistage authority.
Scheme 8:Increase key on the basis of above scheme 7(Password)More New function, sometimes key(Password)May deposit
In leakage, the situation of loss, if initial password loss at different levels, due to key(Password)Generation rule, need more
The block key for changing all of initial password and being produced by them, decrypts again, and further according to rule key is regenerated(User is close
Code)Encrypted with new block key, if single piece of key exposure, generally, it is also desirable to change initial password, due to
Using multiple initial passwords, initial password should be included in encryption information table(Possibly encrypt)Or the letter of initial password
Breath.This can bring larger cost, it is therefore preferred that it is proposed that in encryption information, increasing an information change key
Several information, can be simply Null(It is empty), form as 1,2, or f(0), f(1), f(2), only can be uniquely true
Periodical repair changes the information of number of times just, the initial password K of next stage userr+1It is M to produce unidirectional function(F(Kr, B, f(N))), B
For the numbering of user, the symmetric cryptographic key of data block adopts M(F(Ks, A, f(N)))Produce, A is the determination information of file, than
Such as positional information, the information of change key number of times also must be equally corresponded in cipher key information table, or due to changing key
Data block always minority, N and corresponding data block information are stored elsewhere.See on surface, functional form and front
Face it is different, increased the related contents of N, can regard be former one-way function further restriction.
If the initial password leakage of certain primary user A, from the initial password of the upper level user of user A user A is produced
New password (key), notice that wherein N Jia 1 on the basis of original, i.e. M(F(Kr, B, f(N+1))), so can ensure that close
Key is new, and due to unipolarity, can not mutually be derived from each other, will not be divulged a secret.
The key that directly can more renew when so key is lost, re-encrypted data block.Once divulge a secret, without the need for big
Area changes key(Password).
Specific embodiment
The section Example of the present invention is given below, example is served only for explaining the present invention, is not intended to limit this
Bright scope.
Embodiment 1 is the embodiment of this encryption method, and we are chosen as a example by SequenceFile files, and encrypting step is such as
Under:
1st, file is read, you can analyze each record and its length, with its one data block is recorded as.With the starting for recording
The location information of position and end position as data block.
2nd, the sensitivity of record is drawn according to the key word computation rule of setting, the record for reaching certain threshold value judges to need
Encrypt, while can be on earth symmetric cryptography according to rule determination, or public key encryption(Including some homomorphic cryptographies and agency
Re-encryption), if record of the user as needed to not reaching threshold value wants Choice encryption, then also encrypt the block.If file is not
Belong to both situations above, do not encrypt.
3rd, select existing key or produce key, each data block is encrypted according to the method for selecting, encryption can
To be directed to each piece of value, such as there is separator in some file formats, there is the record of length, if necessary to plaintext version, can
Not to be encrypted.If symmetric cryptography, need to produce block key, the various parameters of Choice encryption block, if asymmetric
Encryption, needs to produce or selects key-pair file to be encrypted, and whether file is encrypted, if encryption, key is used
Public key encryption, in being stored in encryption information table, includes the starting and ending positional information for uniquely determining this segmentation in table, public
The key of key encryption, the algorithm and block length of encryption, initial vector, encryption mode, correlative coding information etc..
4th, by the ciphertext of each encryption of blocks of data, in addition it is also necessary to carry out adaptive code conversion, such as added by general
Close obtain is byte arrays, should typically be converted to character array and write file again(Need to carry out when decryption contrary
Conversion), and a cryptograph files are connected as according to corresponding file format requirements, preserve last close using corresponding form
Text, is stored according to the form of stream-oriented file, if causing the change of length in encryption, then needs the file in final storage
In modify length value, the length information in file structure is adjusted correspondingly.These ciphertext data are stored in close
In file, and whether data are encrypted, if encryption, the information and parameter required for corresponding decryption will have been stored
Come, such as the positional information of data block(Such as starting and ending position or original position and length)What carried out using mode
The length storage of encryption, the key and various parameters of encryption, this part ciphertext or even plaintext is got up.For convenience, can be by
These information are stored in table, and these packets contain can uniquely determine this segmentation original position in one file and knot
Beam position, if encryption, the key K of encryption, the algorithm of encryption and other decryption information needed(Such as block length, initially to
Amount, encryption mode, fill pattern etc.), it is also possible to need the message of remarks including other.AES is also likely to be public key encryption
Algorithm etc., then need to deposit corresponding public key information.
Decryption is a contrary process, for each block number evidence, first determines whether whether it encrypts, if it is,
Decryption is then needed, the information such as its key are obtained.Data block is decrypted.
Embodiment 2 is the further improvement of the embodiment 1 of this encryption method, on the basis of embodiment 1, it is contemplated that file
In, text and numerical value are often mixed, and when numerical value and text are mixed, text and numerical value are isolated, respectively
From using suitable encryption method, such as initial segmentation, it is considered to which difference encryption needs, and is further segmented, logarithm
, using different encryption methods, logarithm value carries out homomorphic cryptography, and other data adopt general symmetric cryptography, so right for value and text
They are also segmented to isolate.For stream-oriented file, can be increased without recording number, homomorphism is carried out comprising in need in certain record
When the data of encryption, it is segmented before and after these data, numerical value adopts homomorphic cryptography, other are added using general
Close, the ciphertext of the multiple segmentations during is recorded is put together, but records the original position and each section for most starting a section
Length, these ciphertexts are put together, store according to the form of stream-oriented file, record same in encryption information table in addition
The corresponding index of numerical value after state encryption, symbol, code name or parameter.So it is easy to commission to transfer when calculating.
Embodiment 3 is the further improvement of the embodiment 1 of this encryption method, on the basis of embodiment 1, it would be desirable to homomorphism
The calculating function that the numerical value of encryption may relate to is analyzed and add judging whether the data being related to need to use homomorphism
It is close, need using which type of homomorphic cryptography, when some commission calculating are carried out, other general encryptions and non-full homomorphism add
It is close all not directly to calculate, when needing to use full homomorphic cryptography, using full homomorphic cryptography, when full homomorphic cryptography and non-complete same
State all feasible encryption when, using non-full homomorphism(Half homomorphism)Encryption method, when common encryption is feasible, prioritizing selection
Common encryption method, i.e., when various methods can achieve the goal, be from order preferentially, it is general encryption, half same
State encryption, full homomorphic cryptography.
Feasible just preferential general encryption is typically encrypted, typically encrypts infeasible, half homomorphism encryption is feasible i.e. same with half
State is encrypted, and otherwise uses full homomorphic cryptography.
Embodiment 4:Embodiment 4 is the further improvement of the embodiment 1 of this encryption method, on the basis of embodiment 1, uses
The starting and ending positional information of the data block of big file and the one-way function of password K produce block key.The encryption of single split
Key is segmented by this is uniquely determined(Data block)Positional information A and K hash function HASH(K‖A)Produce.AES
In also comprising a kind of with the encryption for misleading function, it needs longer key using the encryption of internal layer and outer layer encryption, we
The value produced with hash, as the key of stream cipher, produces a key stream, intercepts what foremost 128bit was encrypted as outer layer
Key, part below intercepts successively the encryption key of each key word that 8bit is encrypted as internal layer.After producing key,
According to can be encrypted according to the method for embodiment 1,2,3.The encryption key of each segmentation is encrypted for convenience.With public key plus
Close sectional encryption key, and by the sectional encryption key after public key encryption, segment information, segmentation whether encrypt, be segmented add
Information, type of coding of clear data needed for information, the decryption segmentation of the corresponding data block of key etc., is stored in one
Rise, such as stored with form.
Embodiment 5:On the basis of embodiment 4, the different block of big file belongs to different users, and each user has certainly
Own password Ki, so he can encrypt and decrypt oneself responsible data block, encryption information is also stored in encryption information table, such as
Fruit adopts multiple initial passwords, except comprising the information in embodiment 4, should also include initial encryption in encryption information table
Ki。
Embodiment 6:On the basis of embodiment 4,5, when calculating block key, increase an information and change key number of times
Information, for the first time, when lose second after key, lose third time after key again, a f is added respectively(N)Point
It is not Null(It is empty), information as 1,2, with unidirectional function HASH(K‖A‖f(N))Block key is produced, block is initially produced close
Key is HASH(K‖A), for the first time more new key is HASH(K‖A‖1), by that analogy, in cipher key information table before basis
On, also add the information of correspondence change key number of times.
Embodiment 7:On the basis of embodiment 5, it is considered to which the different records in big data tend to belong to different users, need
Encrypted with different keys, there are different level of securitys, there are different access control rights.
When the authority of the multi-stage user for having above-mentioned tree-shaped, by the initial password K of highest-level usersrWith reference to secondary
A certain unique number B of advanced level useriThe initial password of time advanced level user is produced, computational methods are HASH(Kr‖Bi)), intercept and close
Initial password of the data of suitable length as secondary advanced level user;Further by the initial password of secondary advanced level user with identical side
Formula produces again the initial password of low primary user;Initial password until producing lowermost level user, is then used by lowermost level
The initial password at family produces the encryption key of data block.Entire protocol is as follows:
1st, the authority of users at different levels is determined, according to above-mentioned method, highest-level users first produce an initial password K1, so
Afterwards according to Application way hash function SHA256(K1‖B), ‖ represents simple and merges connection, produce step by step multi-stage user just
Beginning password.
2nd, the big file as needed to needing encryption carries out piecemeal(Segmentation), with SequenceFile in Hadoop etc.
One record of big file.
3rd, the frequency and user for being occurred according to key word is selected on demand, judges data block(Section)Whether need to carry out to add
It is close, and be encrypted using which type of mode.If data block is needed using public key encryption method, product need not be used
Raw key, it is only necessary to decrypted using public key and private key encryption, if symmetric cryptography, then needs to produce block in next step
Encryption key.
4th, according to the positional information and the initial password K of lowermost level user of data blocklProduce the encryption key of data block.It is single
Individual segmentation(Block)Encryption key by HASH(F(Kl‖A))Value is produced, and is intercepted encrypted data chunk and is adopted symmetric encipherment algorithm
The corresponding digit of key length.
5th, to the block for needing to encrypt, data block is encrypted according to the method for selecting, the data for obtaining, encryption can be only
Each piece of value is directed to, and whether data are encrypted, if encryption, the information and parameter required for corresponding decryption is all
In being stored in encryption information table, including being encrypted using what mode, the block key of encryption, the original position of data block and
End position and other information(Block length, initial vector, encryption mode, fill pattern etc.).
6th, the ciphertext of each encryption of blocks of data is connected as into a cryptograph files according to corresponding method, using corresponding
Form is preserved, and the present embodiment is directed to stream-oriented file, is stored according to the form of stream-oriented file, to the length in file structure
Degree information is adjusted correspondingly.
Embodiment 8:Increase key on the basis of preceding embodiment 7(Password)More New function, when calculating one is increased
Individual information changes the information of key number of times, and as follows advanced level user's key is HASH(Kl‖A‖f(N)), f(N)Key is produced for the first time
For Null(It is empty), behind be respectively 1,2, the initial password K of next stage userr+1It is HASH to produce unidirectional function(Kr‖B‖f
(N)), B is the numbering of user, and the symmetric cryptographic key of data block adopts HASH(Ks‖A‖f(N))Produce, A is the position of file
Information, also must equally correspond to the information of change key number of times in cipher key information table.
If the initial password leakage of certain primary user A, from the initial password of the upper level user of user A user A is produced
New password (key), notice that wherein N Jia 1 on the basis of original, the password for updating for the first time is HASH(Kr‖B‖1), with this
Analogize.
Length is limited, it is impossible to illustrated one by one, embodiment also relative simplicity, the qualificationss and certain methods of above example
Presently preferred embodiments of the present invention can be the foregoing is only with combined crosswise, not to limit the present invention, all essences in the present invention
Within god and principle, any modification, equivalent substitution and improvements made etc. should be included within the scope of the present invention.
Claims (8)
1. a kind of encryption method of big file, it is characterized by using following steps:1), file is read, obtains content, as needed
Piecemeal is carried out to data or content;
2), encryption is chosen whether as needed, and which kind of cipher mode;
3), select existing key or produce key, need encrypted content to be encrypted each data block according to the method for selecting;
4), the ciphertext for obtaining each encryption of blocks of data, if it is desired, carry out necessary adaptive code conversion, and
A cryptograph files are connected as according to corresponding file format requirements, the form that necessary process allows data fit to preserve is carried out,
It is stored in last cryptograph files using corresponding form, and whether data is encrypted, if encryption, to corresponding solution
Information and parameter required for close is stored.
2. the encryption method of file as claimed in claim 1 big, it is characterized by:Further need on the basis of previous segment
Carry out entrusting the numerical value of calculating to carry out continuation segmentation with nonnumeric data, corresponding form is still maintained after segmentation, number
Homomorphic cryptography is being adopted when value is encrypted, other data adopt non-homomorphic cryptography, and record the positional information of piecemeal.
3. the encryption method of file as claimed in claim 1 big, it is characterized by:In the selection of AES, according to data
The encryption method for needing all functions for being calculated to judge to need, on the premise of it can meet all functions calculating needs
It is from AES order preferentially:General encryption, half homomorphism encryption, full homomorphic cryptography.
4. the encryption method of file as claimed in claim 2 big, it is characterized by:The key of symmetric cryptographic algorithm encryption is by unidirectional
Function is generated, and the symmetric cryptographic key of single split can not by the positional information A's and initial password K for uniquely determining this segmentation
Inverse function M(F(K, A))Produce, F is a function, some mislead the encryption of function, sometimes also need to the encryption of two-layer, need
Key that will be longer, the function produces the key of a stream cipher, and by this key key stream is produced, and intercepts in key stream
Each layer key of the misleading encryption of needs.
5. the encryption method of file as claimed in claim 4 big, it is characterized by:There is the multiple initial passwords of multiple user's correspondences
Ki, different user encrypts and decrypts oneself responsible data block, and encryption information is also stored in encryption information table, encryption information table
In should include initial password KiOr KiInformation;When single piece of key exposure, key is produced using new initial password
Go to encrypt the block of leakage key, and update the encrypted message in encryption information table.
6. the encryption method of file as claimed in claim 4 big, it is characterized by:When calculating block key, increase a letter
The information of breath change key number of times, with unidirectional function M(F(K, A, f(N)))Produce block key, f(N)Initial value is sky, M(F(K,
A, f(N)))In the case where initial value is for sky, functional form is reduced to M(F(K, A)), also must be same right in cipher key information table
The information of key number of times should be changed.
7. the encryption method of file as claimed in claim 4 big, it is characterized by:When having multi-stage user, determine each
The authority of level user, first highest-level users produce an initial password K1, there is advanced level user to produce the password of next stage user,
The initial password K of next stage userr+1It is M to produce unidirectional function(F(Kr, B), B is the numbering of user, by that analogy step by step
The initial password of multi-stage user is produced, until the password of lowermost level user is produced, then using the password of these lowermost levels user
Produce the user have encryption and decryption authority data block symmetric cryptography block encryption key.
8. the encryption method of file as claimed in claim 7 big, it is characterized by:When calculating user cipher and block key,
Increase the information that an information changes key number of times, with unidirectional function M(F(K, A, f(N)))Block key is produced, with unidirectional
Function M(F(K, B, f(N)))Produce subordinate subscriber password, f(N)Initial value is sky, M(F(K, A, f(N)))It is empty feelings in initial value
Under condition, functional form is reduced to M(F(K, A)), the information of change key number of times, A also must be equally corresponded in cipher key information table
For the determination information of file, if the initial password leakage of certain primary user, from the initial password of the upper level user of the user
The new password of the user is produced, N Jia 1 on the basis of original.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201710023574.4A CN106685980B (en) | 2017-01-13 | 2017-01-13 | Encryption method for large file |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201710023574.4A CN106685980B (en) | 2017-01-13 | 2017-01-13 | Encryption method for large file |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN106685980A true CN106685980A (en) | 2017-05-17 |
| CN106685980B CN106685980B (en) | 2019-12-20 |
Family
ID=58858837
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201710023574.4A Active CN106685980B (en) | 2017-01-13 | 2017-01-13 | Encryption method for large file |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN106685980B (en) |
Cited By (10)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN107222488A (en) * | 2017-06-16 | 2017-09-29 | 康美健康云服务有限公司 | A kind of image ciphering storage method |
| CN107343001A (en) * | 2017-07-04 | 2017-11-10 | 北京像素软件科技股份有限公司 | Data processing method and device |
| CN108900511A (en) * | 2018-06-29 | 2018-11-27 | 中兴通讯股份有限公司 | A kind of method, device and equipment of file encryption and decryption |
| CN110289945A (en) * | 2019-06-28 | 2019-09-27 | 深圳前海微众银行股份有限公司 | A kind of data ciphering method, device, equipment and medium |
| CN110704852A (en) * | 2019-09-26 | 2020-01-17 | 江苏方天电力技术有限公司 | Encryption system for RTOS system program image file |
| CN112948890A (en) * | 2021-03-31 | 2021-06-11 | 北京众享比特科技有限公司 | Fully homomorphic encryption retrieval method and system |
| CN113254966A (en) * | 2021-06-04 | 2021-08-13 | 王兆河 | Dynamic encryption method and ciphertext structure of medical digital image information |
| CN114329104A (en) * | 2021-12-23 | 2022-04-12 | 珠海市鸿瑞信息技术股份有限公司 | Message encryption transmission system and method based on electric power distribution |
| CN115664799A (en) * | 2022-10-25 | 2023-01-31 | 江苏海洋大学 | Data exchange method and system applied to information technology security |
| CN116545627A (en) * | 2023-06-25 | 2023-08-04 | 中电科新型智慧城市研究院有限公司 | Method, apparatus and computer readable storage medium for data encryption |
Citations (6)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20030037182A1 (en) * | 2001-08-15 | 2003-02-20 | Keith Bentley | Method and system for storing large data files |
| CN1643840A (en) * | 2002-03-13 | 2005-07-20 | 皇家飞利浦电子股份有限公司 | Polynomial-based multi-user key generation and authentication method and system |
| US20110184998A1 (en) * | 2010-01-22 | 2011-07-28 | Palahnuk Samuel L | Universally accessible encrypted internet file system for wired and wireless computing devices supplanting synchronization, backup and email file attachment |
| CN102148833A (en) * | 2011-04-18 | 2011-08-10 | 中国工商银行股份有限公司 | Method for transmitting data report, server, client and system |
| CN102404111A (en) * | 2011-12-28 | 2012-04-04 | 王勇 | Method for encrypting in sections by using uncertain encryption algorithm |
| CN104063334A (en) * | 2014-07-11 | 2014-09-24 | 中国人民公安大学 | Encryption method and system based on data attributions |
-
2017
- 2017-01-13 CN CN201710023574.4A patent/CN106685980B/en active Active
Patent Citations (6)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20030037182A1 (en) * | 2001-08-15 | 2003-02-20 | Keith Bentley | Method and system for storing large data files |
| CN1643840A (en) * | 2002-03-13 | 2005-07-20 | 皇家飞利浦电子股份有限公司 | Polynomial-based multi-user key generation and authentication method and system |
| US20110184998A1 (en) * | 2010-01-22 | 2011-07-28 | Palahnuk Samuel L | Universally accessible encrypted internet file system for wired and wireless computing devices supplanting synchronization, backup and email file attachment |
| CN102148833A (en) * | 2011-04-18 | 2011-08-10 | 中国工商银行股份有限公司 | Method for transmitting data report, server, client and system |
| CN102404111A (en) * | 2011-12-28 | 2012-04-04 | 王勇 | Method for encrypting in sections by using uncertain encryption algorithm |
| CN104063334A (en) * | 2014-07-11 | 2014-09-24 | 中国人民公安大学 | Encryption method and system based on data attributions |
Cited By (12)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN107222488A (en) * | 2017-06-16 | 2017-09-29 | 康美健康云服务有限公司 | A kind of image ciphering storage method |
| CN107343001A (en) * | 2017-07-04 | 2017-11-10 | 北京像素软件科技股份有限公司 | Data processing method and device |
| CN108900511A (en) * | 2018-06-29 | 2018-11-27 | 中兴通讯股份有限公司 | A kind of method, device and equipment of file encryption and decryption |
| CN108900511B (en) * | 2018-06-29 | 2022-05-06 | 中兴通讯股份有限公司 | File encryption and decryption method, device and equipment |
| CN110289945A (en) * | 2019-06-28 | 2019-09-27 | 深圳前海微众银行股份有限公司 | A kind of data ciphering method, device, equipment and medium |
| CN110289945B (en) * | 2019-06-28 | 2023-02-07 | 深圳前海微众银行股份有限公司 | Data encryption method, device, equipment and medium |
| CN110704852A (en) * | 2019-09-26 | 2020-01-17 | 江苏方天电力技术有限公司 | Encryption system for RTOS system program image file |
| CN112948890A (en) * | 2021-03-31 | 2021-06-11 | 北京众享比特科技有限公司 | Fully homomorphic encryption retrieval method and system |
| CN113254966A (en) * | 2021-06-04 | 2021-08-13 | 王兆河 | Dynamic encryption method and ciphertext structure of medical digital image information |
| CN114329104A (en) * | 2021-12-23 | 2022-04-12 | 珠海市鸿瑞信息技术股份有限公司 | Message encryption transmission system and method based on electric power distribution |
| CN115664799A (en) * | 2022-10-25 | 2023-01-31 | 江苏海洋大学 | Data exchange method and system applied to information technology security |
| CN116545627A (en) * | 2023-06-25 | 2023-08-04 | 中电科新型智慧城市研究院有限公司 | Method, apparatus and computer readable storage medium for data encryption |
Also Published As
| Publication number | Publication date |
|---|---|
| CN106685980B (en) | 2019-12-20 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN106685980A (en) | Cryptographic method of large files | |
| CN107135062A (en) | A kind of encryption method of improved big file | |
| CN108667595A (en) | A kind of compression encryption method of large data files | |
| Marwaha et al. | Visual cryptographic steganography in images | |
| CN104579646B (en) | Method, device and circuit that the limited monotonic transformation of clobber book and encryption and decryption thereof are applied | |
| CN107070649A (en) | A kind of big file selective cryptographic method for reducing write-in | |
| CN106888081B (en) | Wide coding of intermediate values within white-box implementations | |
| JPH07281596A (en) | Encrypting method and system | |
| CN105933345B (en) | It is a kind of that outsourcing attribute base encryption method can verify that based on linear privacy sharing | |
| CN106936820A (en) | The elongated amending method of data and its application in big data encryption | |
| CN115296817B (en) | Data access control method based on block chain technology and attribute encryption | |
| CN105100083A (en) | Attribute-based encryption method and attribute-based encryption system capable of protecting privacy and supporting user Undo | |
| Abusukhon et al. | A novel network security algorithm based on private key encryption | |
| CN106878013A (en) | A kind of encryption and decryption method and device of file | |
| Ahmad et al. | Distributed text-to-image encryption algorithm | |
| CN108306737A (en) | A kind of method of ether mill cryptographic algorithm production domesticization | |
| JP5689826B2 (en) | Secret calculation system, encryption apparatus, secret calculation apparatus and method, program | |
| Jamil et al. | Cyber Security for Medical Image Encryption using Circular Blockchain Technology Based on Modify DES Algorithm. | |
| Abusukhon et al. | Analyzing the efficiency of Text-to-Image encryption algorithm | |
| Veeraragavan et al. | Enhanced encryption algorithm (EEA) for protecting users' credentials in public cloud | |
| Salam et al. | ShiftMod cipher: A symmetrical cryptosystem scheme | |
| Mahmoud et al. | Encryption based on multilevel security for relational database EBMSR | |
| Corpuz et al. | Using a modified approach of blowfish algorithm for data security in cloud computing | |
| CN106712929A (en) | Encryption method for big data | |
| Kaur et al. | Multiphase and multiple encryption |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant | ||
| EE01 | Entry into force of recordation of patent licensing contract | ||
| EE01 | Entry into force of recordation of patent licensing contract |
Application publication date: 20170517 Assignee: Guilin Biqi Information Technology Co.,Ltd. Assignor: GUILIN University OF ELECTRONIC TECHNOLOGY Contract record no.: X2022450000196 Denomination of invention: An encryption method for large files Granted publication date: 20191220 License type: Common License Record date: 20221125 Application publication date: 20170517 Assignee: Guilin Yinuo Yijin Information Technology Co.,Ltd. Assignor: GUILIN University OF ELECTRONIC TECHNOLOGY Contract record no.: X2022450000204 Denomination of invention: An encryption method for large files Granted publication date: 20191220 License type: Common License Record date: 20221125 |
|
| EE01 | Entry into force of recordation of patent licensing contract | ||
| EE01 | Entry into force of recordation of patent licensing contract |
Application publication date: 20170517 Assignee: Guilin Rongdian Technology Co.,Ltd. Assignor: GUILIN University OF ELECTRONIC TECHNOLOGY Contract record no.: X2022450000443 Denomination of invention: An encryption method for large files Granted publication date: 20191220 License type: Common License Record date: 20221229 Application publication date: 20170517 Assignee: Guangxi Erbao Information Technology Co.,Ltd. Assignor: GUILIN University OF ELECTRONIC TECHNOLOGY Contract record no.: X2022450000401 Denomination of invention: An encryption method for large files Granted publication date: 20191220 License type: Common License Record date: 20221226 |
|
| OL01 | Intention to license declared |