CN106788994B - Key updating method suitable for cloud storage system - Google Patents
Key updating method suitable for cloud storage system Download PDFInfo
- Publication number
- CN106788994B CN106788994B CN201611110966.6A CN201611110966A CN106788994B CN 106788994 B CN106788994 B CN 106788994B CN 201611110966 A CN201611110966 A CN 201611110966A CN 106788994 B CN106788994 B CN 106788994B
- Authority
- CN
- China
- Prior art keywords
- key
- write
- bitmap
- upper layer
- updating
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
- 238000000034 method Methods 0.000 title claims abstract description 25
- 230000008569 process Effects 0.000 claims abstract description 10
- 230000009286 beneficial effect Effects 0.000 abstract description 3
- 238000007726 management method Methods 0.000 description 6
- 238000010586 diagram Methods 0.000 description 5
- 238000005516 engineering process Methods 0.000 description 3
- 230000005540 biological transmission Effects 0.000 description 1
- 230000008859 change Effects 0.000 description 1
- 238000004891 communication Methods 0.000 description 1
- 238000007796 conventional method Methods 0.000 description 1
- 238000013500 data storage Methods 0.000 description 1
- 230000007547 defect Effects 0.000 description 1
- 230000002950 deficient Effects 0.000 description 1
- 238000011161 development Methods 0.000 description 1
- 230000000694 effects Effects 0.000 description 1
- 238000012986 modification Methods 0.000 description 1
- 230000004048 modification Effects 0.000 description 1
- 238000005457 optimization Methods 0.000 description 1
- 230000009467 reduction Effects 0.000 description 1
- 238000006467 substitution reaction Methods 0.000 description 1
- 238000012360 testing method Methods 0.000 description 1
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0891—Revocation or update of secret information, e.g. encryption key update or rekeying
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/602—Providing cryptographic facilities or services
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/06—Network architectures or network communication protocols for network security for supporting key management in a packet data network
- H04L63/068—Network architectures or network communication protocols for network security for supporting key management in a packet data network using time-dependent keys, e.g. periodically changing keys
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L67/00—Network arrangements or protocols for supporting network services or applications
- H04L67/01—Protocols
- H04L67/10—Protocols in which an application is distributed across nodes in the network
- H04L67/1097—Protocols in which an application is distributed across nodes in the network for distributed storage of data in networks, e.g. transport arrangements for network file system [NFS], storage area networks [SAN] or network attached storage [NAS]
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Theoretical Computer Science (AREA)
- Computer Hardware Design (AREA)
- General Engineering & Computer Science (AREA)
- Computing Systems (AREA)
- Bioethics (AREA)
- General Health & Medical Sciences (AREA)
- Software Systems (AREA)
- Physics & Mathematics (AREA)
- General Physics & Mathematics (AREA)
- Health & Medical Sciences (AREA)
- Storage Device Security (AREA)
Abstract
The invention discloses a key updating method suitable for a cloud storage system, which comprises the following steps: initializing a secret key; updating a secret key; IO write flow; and IO reading process. The core idea of the invention is that after the key is updated, only the new key is used for the new write operation, the keys of other areas without write operation are not changed, because IO read-write takes the sector as the basic unit, we express the storage area in the way of bitmap, one bit represents one sector, and one key distributes one bitmap; the invention is mainly embodied in that: updating a key of the storage system in real time, wherein the service does not need to be interrupted after the key is updated, and 0 time window; after the secret key is updated, the read-write performance is not influenced; the resource occupation is less; the invention ensures that the key is changed regularly, is beneficial to the protection of data and provides a safer data protection mode for customers; after the secret key is updated, the continuity of the service is kept; the overhead is small, and the performance is improved.
Description
Technical Field
The invention relates to a storage encryption technology, in particular to a key updating method suitable for a cloud storage system.
Background
With the increasing development of cloud computing technology, the storage security of the server side faces a huge test. In order to solve the problem of storage security, data storage encryption technology is widely used, and a key is the core of storage encryption. In the conventional method, after the key is updated, terminal services are required, or after the key is updated, the performance is seriously reduced and the service life of a disk is reduced.
In the existing invention patent, "a key updating method for cloud storage and an implementation method for a cloud data auditing system" patent (patent number 201510192375.7, patent application date 2015, 4 and 22) introduces a key updating method for cloud storage: when the cloud user needs to update the key, the CA server is requested to generate a new key, and based on the file label and the data block label downloaded from the cloud server, and when the new key and the old key generate the new file label and the data block label and upload the new file label and the data block label to the cloud server, the new key and the old key are used for replacing the corresponding old file label and the corresponding data block label in the cloud server. Although the communication cost between the cloud server and the cloud user caused by the key change can be obviously reduced, the aspect of data privacy needs to be strengthened. The patent of 'multi-level authority management method facing cloud storage encrypted data sharing' (patent number is 201310044503.4, patent application date is 2013, 1 month and 4 days), introduces methods of attribute-based encryption, access control, authority management and the like, and provides a reliable method for access and multi-level authority management of shared ciphertext in a cloud storage environment. A patent (patent number 201410751081.9, and patent application date 2014 12, 9) of a cloud storage encryption system based on a domestic commercial cryptographic algorithm and an implementation method thereof introduces an encryption system designed in the field of cloud storage, and adds the domestic commercial cryptographic algorithm in the data transmission and storage processes to perform data encryption protection, but the cloud storage encryption system is deficient in updating keys in real time.
The invention provides an IO path optimization algorithm which does not need to interrupt service and has no performance reduction aiming at the updating of a storage key, which is part of key management and storage encryption and decryption.
Disclosure of Invention
The technical problem to be solved by the present invention is to provide a key updating method suitable for a cloud storage system, and to overcome the above-mentioned defects in the prior art, the present invention is mainly embodied in that: updating a key of the storage system in real time, wherein the service does not need to be interrupted after the key is updated, and 0 time window; after the secret key is updated, the read-write performance is not influenced; the resource occupation is less.
The invention solves the technical problems through the following technical scheme: a key updating method suitable for a cloud storage system is characterized by comprising the following steps:
initializing a secret key;
updating a secret key;
IO write flow;
an IO read process;
preferably, the key initialization step further comprises:
an administrator designates a storage area for a user through an administration end;
the key server generates a bitmap for the storage area according to the size of the sector;
a user specifies a key;
the key server generates a key, and the key corresponds to the bitmap and the storage area one by one;
preferably, the key updating step further comprises:
the user updates the key;
the key server generates a new bitmap and a new key, and the new key, the new bitmap and the storage area are in one-to-one correspondence;
preferably, the IO write flow step further includes:
the client side initiates a write operation;
encrypting the IO stream using the current key;
the encrypted IO stream is sent to a disk;
after the writing is successful, setting the corresponding area of the key bitmap as 1;
traversing other bitmaps and setting the area positions corresponding to the other bitmaps as 0;
calling an upper callback function;
preferably, the IO read flow step further includes:
the client initiates a read operation;
reading the encrypted IO stream from the disk;
traversing all bitmaps to find out a key corresponding to the read sector;
decrypting the data in segments using the key;
and returning the decrypted data to the upper layer application.
The positive progress effects of the invention are as follows: the invention ensures that the key is changed regularly, is beneficial to the protection of data and provides a safer data protection mode for customers; after the secret key is updated, the continuity of the service is kept; the overhead is small, and the performance is improved.
Drawings
FIG. 1 is a diagram of a key management and encryption system according to the present invention.
FIG. 2 is a flow chart of the key bitmap of the present invention.
Fig. 3 is a flow chart of key update according to the present invention.
FIG. 4 is a flowchart of the IO write process of the present invention.
FIG. 5 is a flowchart of the IO read process of the present invention.
Detailed Description
The following provides a detailed description of the preferred embodiments of the present invention with reference to the accompanying drawings.
As shown in fig. 1, the core idea of the present invention is that after a key is updated, a new key is used only for a new write operation, and keys of other areas without write operation are not changed, because IO read and write are based on sectors, we represent a storage area in a bitmap manner, one bit represents one sector, and one key allocates one bitmap;
the invention comprises the following steps:
initializing a secret key;
updating a secret key;
IO write flow;
and IO reading process.
FIG. 2 is a schematic diagram of bitmap and key storage, the bitmap being stored in a linked list at a key server;
the administrator appoints a storage area for the user through the management terminal, the key server generates a bitmap according to the size of the sector for the storage area, the user appoints a key, and the key server generates the key and corresponds to the bitmap and the storage area one by one.
FIG. 3 is a key update flow diagram;
step 301: updating a key for the new writing area;
step 302: a user designates a key, a key server generates a new key, and the new key is set as a current used key;
step 303: generating a bitmap according to the size of the storage area;
step 304: the old key is set to be a non-currently used key.
FIG. 4 is an IO write process flow diagram;
step 401: the client side initiates a write operation;
step 402: judging whether the data area is legal or not, if not, returning write back failure to the upper layer application, and if so, continuing to step 403;
step 403: searching a current effective key;
step 404: encrypting the IO stream using the key found in step 403;
step 405: sending the encrypted IO stream to a disk for writing operation;
step 406: judging whether the write operation is successful, if not, returning write back failure to the upper layer application, and if so, continuing to step 407;
step 407: setting the corresponding area of the key bitmap as 1;
step 408: traversing other bitmaps and setting the area positions corresponding to the other bitmaps as 0;
step 409: checking whether the bitmaps corresponding to the rest keys are all 0, if not, returning write failure to the upper layer, and if so, returning write success to the upper layer after deleting the current key and the bitmaps;
FIG. 5 is an IO read process flow diagram;
step 501: the client initiates a read operation;
step 502: judging whether the area is legal or not, if not, returning reading failure to the upper layer application, and if so, continuing to step 503;
step 503: reading the encrypted IO stream from the disk;
step 504: judging whether the reading is successful, if not, returning reading failure to the upper layer application, and if so, continuing the step 505;
step 505: traversing all bitmaps to find out a key corresponding to the read sector;
step 506: decrypting the data in segments and filling the data segments by using the key;
step 507: and returning the decrypted data to the upper layer application.
In summary, the present invention is mainly embodied in: updating a key of the storage system in real time, wherein the service does not need to be interrupted after the key is updated, and 0 time window; after the secret key is updated, the read-write performance is not influenced; the resource occupation is less. The invention ensures that the key is changed regularly, is beneficial to the protection of data and provides a safer data protection mode for customers; after the secret key is updated, the continuity of the service is kept; the overhead is small, and the performance is improved.
The above embodiments are described in further detail to solve the technical problems, technical solutions and advantages of the present invention, and it should be understood that the above embodiments are only examples of the present invention and are not intended to limit the present invention, and any modifications, equivalent substitutions, improvements and the like made within the spirit and principle of the present invention should be included in the protection scope of the present invention.
Claims (3)
1. A key updating method suitable for a cloud storage system is characterized by comprising the following steps:
initializing a secret key;
updating a secret key;
IO write flow;
an IO read process;
the key update comprises:
step 301: updating a key for the new writing area;
step 302: a user designates a key, a key server generates a new key, and the new key is set as a current used key;
step 303: generating a bitmap according to the size of the storage area;
step 304: setting the old key as a non-current key;
the IO write flow includes:
step 401: the client side initiates a write operation;
step 402: judging whether the data area is legal or not, if not, returning write back failure to the upper layer application, and if so, continuing to step 403;
step 403: searching a current effective key;
step 404: encrypting the IO stream using the key found in step 403;
step 405: sending the encrypted IO stream to a disk for writing operation;
step 406: judging whether the write operation is successful, if not, returning write back failure to the upper layer application, and if so, continuing to step 407;
step 407: setting the corresponding area of the key bitmap as 1;
step 408: traversing other bitmaps and setting the area positions corresponding to the other bitmaps as 0;
step 409: checking whether the bitmaps corresponding to the rest keys are all 0, if not, returning write failure to the upper layer, and if so, returning write success to the upper layer after deleting the current key and the bitmaps;
the IO reading process includes:
step 501: the client initiates a read operation;
step 502: judging whether the area is legal or not, if not, returning reading failure to the upper layer application, and if so, continuing to step 503;
step 503: reading the encrypted IO stream from the disk;
step 504: judging whether the reading is successful, if not, returning reading failure to the upper layer application, and if so, continuing the step 505;
step 505: traversing all bitmaps to find out a key corresponding to the read sector;
step 506: decrypting the data in segments and filling the data segments by using the key;
step 507: and returning the decrypted data to the upper layer application.
2. The key updating method applicable to the cloud storage system according to claim 1, wherein the key initializing step further includes:
an administrator designates a storage area for a user through an administration end;
the key server generates a bitmap for the storage area according to the size of the sector;
a user specifies a key;
the key server generates a key and corresponds to the bitmap and the storage area one to one.
3. The key updating method applicable to the cloud storage system according to claim 1, wherein the key updating step further includes:
and the key server corresponds the new key, the new bitmap and the storage area one to one.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201611110966.6A CN106788994B (en) | 2016-12-06 | 2016-12-06 | Key updating method suitable for cloud storage system |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201611110966.6A CN106788994B (en) | 2016-12-06 | 2016-12-06 | Key updating method suitable for cloud storage system |
Publications (2)
Publication Number | Publication Date |
---|---|
CN106788994A CN106788994A (en) | 2017-05-31 |
CN106788994B true CN106788994B (en) | 2020-04-07 |
Family
ID=58874419
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201611110966.6A Active CN106788994B (en) | 2016-12-06 | 2016-12-06 | Key updating method suitable for cloud storage system |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN106788994B (en) |
Families Citing this family (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN110909395B (en) * | 2018-09-14 | 2022-02-08 | 杭州海康存储科技有限公司 | Method and device for destroying data of nonvolatile storage device |
CN111262688B (en) * | 2018-11-30 | 2023-04-25 | 阿里巴巴集团控股有限公司 | Yun Cipan secret key replacement method and device |
CN111399770B (en) * | 2020-02-26 | 2023-07-11 | 平安科技(深圳)有限公司 | Data storage mode conversion method, device and storage medium |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN1936870A (en) * | 2005-09-23 | 2007-03-28 | 中国科学院计算技术研究所 | Hard-disc fan-area data enciphering and deciphering method and system |
CN102081575A (en) * | 2011-01-27 | 2011-06-01 | 北京深思洛克软件技术股份有限公司 | Dynamic distribution method and device of memory space of virtual disc |
CN102930223A (en) * | 2012-09-21 | 2013-02-13 | 北京深思洛克软件技术股份有限公司 | Method and system for protecting disk data |
CN104901968A (en) * | 2015-06-10 | 2015-09-09 | 华中科技大学 | Method for managing and distributing secret keys in secure cloud storage system |
Family Cites Families (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
AU2013277948B9 (en) * | 2012-06-22 | 2018-02-15 | Commonwealth Scientific And Industrial Research Organisation | Homomorphic encryption for database querying |
-
2016
- 2016-12-06 CN CN201611110966.6A patent/CN106788994B/en active Active
Patent Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN1936870A (en) * | 2005-09-23 | 2007-03-28 | 中国科学院计算技术研究所 | Hard-disc fan-area data enciphering and deciphering method and system |
CN102081575A (en) * | 2011-01-27 | 2011-06-01 | 北京深思洛克软件技术股份有限公司 | Dynamic distribution method and device of memory space of virtual disc |
CN102930223A (en) * | 2012-09-21 | 2013-02-13 | 北京深思洛克软件技术股份有限公司 | Method and system for protecting disk data |
CN104901968A (en) * | 2015-06-10 | 2015-09-09 | 华中科技大学 | Method for managing and distributing secret keys in secure cloud storage system |
Also Published As
Publication number | Publication date |
---|---|
CN106788994A (en) | 2017-05-31 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
EP3453135B1 (en) | System and method for encryption and decryption based on quantum key distribution | |
US7454021B2 (en) | Off-loading data re-encryption in encrypted data management systems | |
EP2831803B1 (en) | Systems and methods for secure third-party data storage | |
KR101613146B1 (en) | Method for encrypting database | |
US9256499B2 (en) | Method and apparatus of securely processing data for file backup, de-duplication, and restoration | |
US8842838B2 (en) | Method and apparatus of securely processing data for file backup, de-duplication, and restoration | |
US9064133B2 (en) | Method and apparatus of securely processing data for file backup, de-duplication, and restoration | |
CN106788994B (en) | Key updating method suitable for cloud storage system | |
KR101648364B1 (en) | Method for improving encryption/decryption speed by complexly applying for symmetric key encryption and asymmetric key double encryption | |
KR101580514B1 (en) | Method and apparatus for managing a password by using the seed key and computer readable recording medium applying the same | |
CN103973698A (en) | User access right revoking method in cloud storage environment | |
KR101919488B1 (en) | Method for implementing security system based on file management and data encryption and security system based on file management and data encryption | |
CN112733189A (en) | System and method for realizing file storage server side encryption | |
CN111786987A (en) | Task issuing method, device, system and equipment | |
US11818264B2 (en) | Zero-knowledge key escrow | |
CN108616528B (en) | Cloud storage method and system | |
CN112231779B (en) | Cross-platform data security protection method compatible with BitLocker encrypted disk | |
CN115396185A (en) | Scientific research data sharing system, method and medium based on encryption | |
US11310218B2 (en) | Password streaming | |
CN109933994B (en) | Data hierarchical storage method and device and computing equipment | |
CN111083140A (en) | Data sharing method under hybrid cloud environment | |
KR102556013B1 (en) | Method for encrypting cloud data and apparatus thereof | |
US20240048380A1 (en) | Cryptography-as-a-Service | |
US20240048532A1 (en) | Data exchange protection and governance system | |
CN117494195A (en) | Dynamic encryption and decryption method for database and related equipment |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||
GR01 | Patent grant |