CN106936579A - Cloud storage data storage and read method based on trusted third party agency - Google Patents

Cloud storage data storage and read method based on trusted third party agency

Info

Publication number: CN106936579A
Application number: CN201511025233.8A
Authority: CN (China)
Other languages: Chinese (zh)
Prior art keywords: data, file, trusted, cloud storage, subscription client
Inventors: 林文辉, 张先强
Original Assignee: 航天信息股份有限公司

Classifications

    • H04L63/0435 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload, wherein the sending and receiving network entities apply symmetric encryption, i.e. the same key is used for encryption and decryption
    • H04L63/0823 Network architectures or network communication protocols for network security for supporting authentication of entities communicating through a packet data network using certificates
    • H04L63/083 Network architectures or network communication protocols for network security for supporting authentication of entities communicating through a packet data network using passwords
    • H04L67/1097 Network-specific arrangements or communication protocols supporting networked applications in which an application is distributed across nodes in the network, for distributed storage of data in a network, e.g. network file system [NFS], transport mechanisms for storage area networks [SAN] or network attached storage [NAS]
    • H04L9/321 Cryptographic mechanisms or cryptographic arrangements for secret or secure communication including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials, involving a third party or a trusted authority

Abstract

The present invention relates to the communications field and discloses a cloud storage data storage and read method based on a trusted third party agent. The cloud storage data storage method based on a trusted third party agent includes: the trusted third party agent receives a file encryption storage request from the user client; in response to the file encryption storage request, it allocates an identification ID for the file and returns it to the user client; it receives the file data and an SM4 key from the user client; it encrypts the received file data using the SM4 key; and after the cloud storage platform has verified the user identity in response to the user client's data storage request, the trusted third party agent sends the encrypted file data and the identification ID to the cloud storage platform for storage. With this technical solution, the file data are encrypted by the third party agent using the SM4 key, which ensures the security of the data stored in the cloud storage platform while improving data encryption speed.

Description

Cloud storage data storage and read method based on trusted third party agency

Technical field

The present invention relates to the communications field, and in particular to a cloud storage data storage and read method based on a trusted third party agent.

Background technology

Cloud storage platforms fall into three classes. The first is public cloud storage, such as Apple's iCloud, Baidu Netdisk and 360 cloud disk. This type typically uses distributed storage technology built on clusters of inexpensive storage nodes, and offers users data isolation and simple encrypted, authenticated access. The second is private cloud storage, mainly storage systems built in-house by enterprises or research institutions; this type focuses on keeping data private and secure, and compared with public cloud storage it is smaller in scale, more expensive, and more secure. The third is hybrid cloud storage, in which data of different security levels are kept in cloud storage on the corporate intranet while data of lower security level are stored in a public cloud, with a corresponding network connection and interface established between the intranet cloud storage and the public cloud.

Although cloud storage services are now widely used because they are cheap and convenient, their security architecture is still not well established. Meanwhile, cloud storage platforms mainly store massive amounts of personal or enterprise data, which makes them attractive intrusion targets for hackers. How to ensure the security of user data in cloud storage is therefore a problem that current cloud storage platforms urgently need to solve.

Data security has three aspects: confidentiality, integrity and availability. A great deal of research on these three aspects has been carried out at home and abroad. Data encryption is one of the commonly used methods: once the data are encrypted, as long as the user ensures that their own key is not leaked, the data cannot be obtained by others whether they are in cloud storage or stored locally.

Current general cloud storage data encryption technologies include the following classes.

1) Access control: access control is one of the important means of achieving user data confidentiality and privacy protection. At present, all kinds of cloud storage service providers have simple access control technology, but its security mainly rests on the provider's management and control of its own server cluster; for the user it is black-box access, and the internal mechanism cannot be known.

2) Multi-replica technology: the reliability and redundancy of data are improved by keeping multiple copies of the data on different servers, in different racks or even in different machine rooms.

3) Key strategy: because cloud storage services are not transparent enough for users, a user cannot know where their data reside or how they are stored. Encrypting data with a user-held key is therefore an important means of dispelling user concerns: the user manages their own key and thereby ensures the security of their own data, which others cannot access.

For the data security problem of cloud storage, using an efficient encryption mechanism is an appropriate choice for guaranteeing data security. Research on attacks against the most widely used encryption algorithms, RSA and AES, is increasing, for example exhaustive key search attacks, statistical analysis attacks and mathematical analysis attacks. At the same time, with the application of cloud computing and high-performance computers, cracking efficiency has greatly improved, which further reduces the security of such encryption algorithms.

When storing data in a cloud storage platform, the user can first encrypt the data with their own key and then store the encrypted data in the cloud platform. When the user needs to read the data, the encrypted data are read back into the user's own running environment and decrypted with the user's own key. This greatly strengthens the security of user data stored in the cloud storage platform, but has two drawbacks. First, the user must perform the corresponding encryption and decryption operations each time before the data can be read, which does not meet the purpose of using cloud storage, namely viewing one's own data anytime and anywhere. Second, the performance requirements cannot be met: if the user's data volume is large, the user's own client cannot meet the performance demands of encryption and decryption, and efficiency becomes extremely low.

There is no good solution to the above problems in the prior art.

The content of the invention

An object of the present invention is to provide a cloud storage data storage and read method based on a trusted third party agent that can guarantee data security while providing the user with convenient data storage.

To achieve this object, the present invention provides a cloud storage data storage method based on a trusted third party agent, which includes: the trusted third party agent receives a file encryption storage request from the user client; in response to the file encryption storage request, it allocates an identification ID for the file and returns the ID to the user client; it receives the file data and an SM4 key from the user client; it encrypts the received file data using the SM4 key; and after the cloud storage platform has verified the user identity in response to the user client's data storage request, the trusted third party agent sends the encrypted file data and the identification ID to the cloud storage platform for storage.

Further, the method also includes: the trusted third party agent receives an SM2-based digital certificate from the user client; verifies the user identity according to the digital certificate; and responds to the file encryption storage request after the user identity verification has passed.

Further, the file data are the file data generated after the user client signs the file using the SM2-based digital certificate.

Further, signing the file includes: when the file is smaller than a predetermined data amount, signing the file as a whole; and when the file is larger than the predetermined data amount, signing the part of the file equal to the predetermined data amount.

Further, after the encrypted file data and the identification ID have been sent to the cloud storage platform for storage, the method also includes: the trusted third party agent deletes the file data and the SM4 key received from the user client.

In another aspect, the present invention provides a cloud storage data read method based on a trusted third party agent, which includes: after the cloud storage platform has verified the user identity in response to the user client's data read request, the trusted third party agent receives a file read request from the user client; in response to the file read request, it receives the encrypted file data and the identification ID from the cloud storage platform and decrypts the encrypted file data according to the SM4 key received from the user client; and it sends the decrypted file data and the identification ID to the user client.

Further, the method also includes: the trusted third party agent receives an SM2-based digital certificate from the user client; verifies the user identity according to the digital certificate; and responds to the file read request after the user identity verification has passed.

Further, after the user client receives the decrypted file data, it verifies the signature of the decrypted file data using the SM2-based digital certificate, and determines that the data are correct when the signature verification result is consistent.

Further, verifying the signature of the decrypted file data includes: when the decrypted file data are smaller than the predetermined data amount, verifying the signature over the whole of the decrypted file data; and when the decrypted file data are larger than the predetermined data amount, verifying the signature over the part of the decrypted file data equal to the predetermined data amount.

Further, after the decrypted file data and the identification ID have been sent to the user client, the method also includes: the trusted third party agent deletes the SM4 key received from the user client and the decrypted file data.

With the above technical solution, the file data are encrypted by the third party agent using the SM4 key, which ensures the security of the data stored in the cloud storage platform while improving data encryption speed.

Other features and advantages of the present invention are described in detail in the specific embodiments below.

Brief description of the drawings

The accompanying drawings are provided for a further understanding of the present invention and constitute a part of the specification. Together with the following specific embodiments they serve to explain the present invention, but are not to be construed as limiting it. In the drawings:

Fig. 1 is a flow chart of the cloud storage data storage method based on a trusted third party agent provided by an embodiment of the present invention;

Fig. 2 is a flow chart of the cloud storage data read method based on a trusted third party agent provided by an embodiment of the present invention;

Fig. 3 is a structural diagram of a system in which the cloud storage data storage and read method based on a trusted third party agent provided by an embodiment of the present invention can be implemented;

Fig. 4 is a flow chart of the cloud storage data storage method based on a trusted third party agent provided by an example embodiment of the present invention;

Fig. 5 is a flow chart of the cloud storage data read method based on a trusted third party agent provided by an example embodiment of the present invention.

Specific embodiment

Specific embodiments of the present invention are described in detail below with reference to the drawings. It should be understood that the specific embodiments described here are only intended to illustrate and explain the present invention and do not limit it.

Because existing commercial cryptographic algorithms have security defects, and in order to address the security problems found in current international commercial cryptographic algorithms, the State Cryptography Administration of China has proposed more secure commercial cryptographic algorithms, including the SM4 block symmetric key algorithm and the SM2 asymmetric key algorithm; the encryption speed and key strength of the SM2 algorithm are superior to those of the traditional RSA algorithm. Embodiments of the present invention make use of the SM2 and SM4 algorithms.

Fig. 1 is a flow chart of the cloud storage data storage method based on a trusted third party agent provided by an embodiment of the present invention. As shown in Fig. 1, the cloud storage data storage method based on a trusted third party agent provided by the embodiment includes the following steps:

Step 101: the trusted third party agent receives a file encryption storage request from the user client;

Step 102: in response to the file encryption storage request, it allocates an identification ID for the file and returns it to the user client;

Step 103: it receives the file data and an SM4 key from the user client;

Step 104: it encrypts the received file data using the SM4 key; and

Step 105: after the cloud storage platform has verified the user identity in response to the user client's data storage request, the trusted third party agent sends the encrypted file data and the identification ID to the cloud storage platform for storage.

With the above technical solution, the file data are encrypted by the third party agent using the SM4 key, which ensures the security of the data stored in the cloud storage platform while improving data encryption speed.

To improve the security of the system, the identity of the user must be verified. In embodiments of the present invention, the user's identity can be verified both at the third party agent and at the cloud storage platform. In an embodiment, the above method also includes: the trusted third party agent receives an SM2-based digital certificate from the user client; verifies the user identity according to the digital certificate; and responds to the file encryption storage request after the user identity verification has passed. In an alternative embodiment, the above method also includes: the cloud storage platform receives an SM2-based digital certificate from the user client; verifies the user identity according to the digital certificate; and responds to the file encryption storage request after the user identity verification has passed. The file data may be the file data generated after the user client signs the file using the SM2-based digital certificate.

In an embodiment, the signing of the file can be carried out at the user client. The user client may not have the capability to sign large data files, so the amount of data to be signed can be configured. For example, signing the file may include: when the file is smaller than a predetermined data amount (for example, 2M), signing the file as a whole; and when the file is larger than the predetermined data amount, signing the part of the file equal to the predetermined data amount.

In an embodiment, to ensure the security of the data and the SM4 key, the third party agent platform should preferably delete the data and the SM4 key once it has finished processing the file data. Therefore, in an embodiment, after the encrypted file data and the identification ID have been sent to the cloud storage platform for storage, the method also includes: the trusted third party agent deletes the file data and the SM4 key received from the user client.

Fig. 2 is a flow chart of the cloud storage data read method based on a trusted third party agent provided by an embodiment of the present invention. As shown in Fig. 2, corresponding to the cloud storage data storage method based on a trusted third party agent, the present invention also provides a cloud storage data read method based on a trusted third party agent, which may include the following steps:

Step 201: after the cloud storage platform has verified the user identity in response to the user client's data read request, the trusted third party agent receives a file read request from the user client;

Step 202: in response to the file read request, it receives the encrypted file data and the identification ID from the cloud storage platform and decrypts the encrypted file data according to the SM4 key received from the user client; and

Step 203: it sends the decrypted file data and the identification ID to the user client.

With the above technical solution, the encrypted file data are decrypted by the third party agent using the SM4 key, which ensures the security of the data stored in the cloud storage platform while improving data decryption speed.

In an embodiment, corresponding to the cloud storage data storage method based on a trusted third party agent, the identity of the user must be verified to improve the security of the system. The above method may also include: the trusted third party agent receives an SM2-based digital certificate from the user client; verifies the user identity according to the digital certificate; and responds to the file read request after the user identity verification has passed. In an embodiment, the above method may also include: the cloud storage platform receives an SM2-based digital certificate from the user client; verifies the user identity according to the digital certificate; and responds to the file read request after the user identity verification has passed.

In an embodiment, corresponding to the signing process, in the read process, after the user client receives the decrypted file data, it verifies the signature of the decrypted file data using the SM2-based digital certificate and determines that the data are correct when the signature verification result is consistent. Correspondingly, verifying the signature of the decrypted file data includes: when the decrypted file data are smaller than the predetermined data amount (for example, 2M), verifying the signature over the whole of the decrypted file data; and when the decrypted file data are larger than the predetermined data amount, verifying the signature over the part of the decrypted file data equal to the predetermined data amount.

In an embodiment, after the decrypted file data and the identification ID have been sent to the user client, the method also includes: the trusted third party agent deletes the SM4 key received from the user client and the decrypted file data.

The present invention is mainly directed at the usability and data security problems of cloud storage, and proposes a cloud storage data protection method based on encryption and decryption by a trusted third party agent. The method guarantees the security of the data through three-party cooperation between the user, the trusted third party and the cloud storage platform, without reducing the convenience of the user's use of cloud storage.

Fig. 3 is a structural diagram of a system in which the cloud storage data storage and read method based on a trusted third party agent provided by an embodiment of the present invention can be implemented. As shown in Fig. 3, the system may include three parts: a user client 301, a trusted third party 302 and a cloud storage platform 303. The user client 301 initiates read and write requests for user data, and also stores the user's digital certificate based on the national commercial cryptographic algorithm SM2 and the user's SM4 key. The trusted third party 302 is responsible for encrypting and decrypting user data using the user's SM4 key; after each encryption or decryption operation is completed, the trusted third party 302 immediately destroys the user's key and does not itself store any data or key. The cloud storage platform 303 is responsible for storing the user's encrypted data; it knows only the file names stored by the user and the encrypted data corresponding to each file name, and cannot itself view the user data content.

When the user is preparing to store data in the cloud storage platform 303, the user client 301 first needs to sign the data so that it can later verify, when reading the data back, whether the data have been tampered with. Second, the user needs to authenticate to the trusted third party 302 and the cloud storage platform 303 using the SM2 digital certificate that identifies the user, ensuring user identity authentication; at the same time, the user communicates with the trusted third party 302 using the certificate to send the SM4 key used for data encryption and decryption, preventing the key from being monitored and stolen in transit. The system of the trusted third party 302 must generate an ID number that uniquely identifies the user data and associate the ID number with the data name; the user client 301 sends the ID number and the data name to the cloud storage platform 303. Meanwhile, the trusted third party 302 obtains the user's SM4 key through the encrypted channel, encrypts the user data based on this key, and sends the encrypted data to the cloud storage platform 303; finally, the trusted third party 302 thoroughly destroys the user's SM4 key and the user data without storing anything. The cloud storage platform 303 likewise first verifies the user's SM2 digital certificate to confirm the user's identity; on that premise, the cloud storage platform 303 is responsible for storing the user data name and the corresponding encrypted data.

When the user is preparing to read data from the cloud storage platform 303, the user client 301 needs to authenticate to the trusted third party 302 and the cloud storage platform 303 based on the SM2 digital certificate, ensuring user identity authentication. After the user identity is confirmed, the user communicates with the trusted third party 302 using the certificate to send the SM4 key used for data encryption and decryption, preventing the key from being monitored and stolen in transit; and after the user receives the data to be read, the user also needs to verify the signature of the data, to detect whether the data were illegally tampered with at the trusted third party 302 or the cloud storage platform 303. The system of the trusted third party 302 receives the SM4 key sent by the user client 301 and the user data and data ID sent by the cloud storage platform, decrypts the data using the SM4 key, and sends the decrypted data and the data ID together to the user client 301; finally, the trusted third party 302 thoroughly destroys the user's SM4 key and the user data without storing anything. The cloud storage platform 303 likewise first verifies the user's SM2 digital certificate to confirm the user's identity, then sends the data ID and the corresponding encrypted data to the trusted third party 302, and the subsequent data decryption and transmission are performed by the trusted third party 302. Throughout the process, no actual user data are transmitted between the user client 301 and the cloud storage platform 303; the user data are transmitted via the trusted third party 302.

The process of storing data in the cloud storage platform using the method provided by the present invention is described below with reference to Fig. 4 and a specific embodiment. The process may include the following steps:

Step 401: the user client prepares the request, including checking whether the client has the user's SM2 digital certificate, the SM4 key and the data the user is preparing to upload;

Step 402: the user client signs the data according to the size of the data file to be uploaded. When the data file is smaller than 2MB, the whole file is signed; otherwise the first 2MB of the data file are extracted and signed;

Step 403: the user client initiates identity authentication and a data encryption storage request to the trusted third party using the user's SM2-based digital certificate;

Step 404: after the trusted third party has verified the user's identity and authority, if the user is authorized, it establishes an encrypted channel with the user client, allocates a unique ID number identifying the data file the user requests to store, and returns the ID number to the user client. If the user is not authorized, this data storage flow is terminated;

Step 405: the user client initiates identity authentication and a data encryption storage request to the cloud storage platform using the user's SM2-based digital certificate;

Step 406: after the cloud storage platform has verified the user's identity and authority, if the user is authorized, it informs the user that the operation is allowed. If the user is not authorized, this data storage flow is terminated;

Step 407: the user client sends the file name to be stored and the ID number to the cloud storage platform;

Step 408: the user client sends the data and the user's SM4 key to the trusted third party;

Step 409: the trusted third party performs the data encryption operation based on the user's SM4 key;

Step 410: after completing the data encryption operation, the trusted third party sends the encrypted data and the data ID to the cloud storage platform;

Step 411: after the data transfer is complete, the trusted third party destroys the user's SM4 key and the corresponding user data;

Step 412: the cloud storage platform stores the user data according to the data ID number;

Step 413: the cloud storage platform informs the user that the data have been stored successfully;

Step 414: one user data storage flow is complete.

The process of reading data from the cloud storage platform using the method provided by the present invention is described below with reference to Fig. 5 and a specific embodiment. The process may comprise the following steps:

Step 501: The user client prepares the request, which includes checking that the client holds the user's SM2 digital certificate, the SM4 key, and the name of the data the user intends to retrieve;

Step 502: The user client sends a data read request to the cloud storage platform, proving the user's identity with the SM2-based digital certificate;

Step 503: After the cloud storage platform has verified the user's identity and permissions, if the user is authorized the platform returns the data name and data ID requested by the user to the user client; otherwise this read flow is terminated;

Step 504: The user client sends a file read request to the trusted third party, proving the user's identity with the SM2-based digital certificate;

Step 505: After the trusted third party has verified the user's identity and permissions, if the user is authorized it establishes an encrypted channel with the user client and informs the user that the permission check has passed; otherwise this read flow is terminated;

Step 506: The user client sends the data ID and the SM4 key to the trusted third party over the encrypted channel;

Step 507: The user client instructs the cloud storage platform to send the user data to the trusted third party;

Step 508: The cloud storage platform sends the data identified by the data ID to the trusted third party;

Step 509: The trusted third party decrypts the data with the user's SM4 key;

Step 510: After decryption, the trusted third party sends the data and the data ID to the user client;

Step 511: Once the transfer is complete, the trusted third party destroys the user's SM4 key and the corresponding user data;

Step 512: After the user client receives the requested data, it verifies the signature on the received data. When the data file is smaller than 2 MB, the signature is verified over the whole file; otherwise the first 2 MB of the file are extracted and the signature is verified over them. For files of 2 MB or more, bytes beyond the first 2 MB are therefore not covered by this check;

Step 513: If the signature verifies, the data read by the user is correct and has not been tampered with; otherwise the user data has been tampered with, and the event is reported to the cloud storage platform and the trusted third party so that its cause can be found.

Step 514: This read flow ends.
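The storage flow (steps 405 to 414) and the read flow (steps 501 to 514) run end to end in the Python block below, an added example that is not code from the patent or from its assignee. So that it runs offline on the standard library, SM4 is replaced by a SHA-256 keystream XOR and the SM2 signature by an HMAC under a stub key, both labelled as stand-ins; the party classes, the UUID data IDs, the PermissionError convention and the secrets_held counter are assumptions made for this example. The demo stores a constructed file just over 2 MB and then alters one byte at rest, first beyond the first 2 MB and then inside it, which shows what the signature check of step 512 does and does not cover.

```python
"""Three-party simulation of the storage (steps 405-414) and read (steps 501-514) flows.
Constructed example; standard-library stand-ins, not the real primitives:
  sm4_encrypt/sm4_decrypt: SHA-256 keystream XOR in place of SM4 (GB/T 32907).
  sm2_sign/sm2_verify: HMAC-SHA256 under a stub key in place of an SM2 (GB/T 32918) signature
  under the certificate's private key. Party classes, UUID IDs, secrets_held are assumptions."""
import hashlib, hmac, os, uuid

SIGN_LIMIT = 2 * 1024 * 1024   # the page's 2 MB threshold (step 512, claims 4 and 9)
SIG_LEN = 32                   # stub signature the client appends to the file

def signed_region(data):
    """Bytes the signature covers: the whole file below 2 MB, otherwise only the first 2 MB."""
    return data if len(data) < SIGN_LIMIT else data[:SIGN_LIMIT]

def sm2_sign(priv, data):
    return hmac.new(priv, signed_region(data), hashlib.sha256).digest()

def sm2_verify(priv, data, sig):
    return hmac.compare_digest(sm2_sign(priv, data), sig)

def _keystream_xor(key, iv, data):   # position-preserving XOR; the same function decrypts
    out = bytearray()
    for i in range(0, len(data), 32):
        ks = hashlib.sha256(key + iv + (i // 32).to_bytes(8, "big")).digest()
        chunk = data[i:i + 32]
        out += (int.from_bytes(chunk, "big") ^ int.from_bytes(ks[:len(chunk)], "big")).to_bytes(len(chunk), "big")
    return bytes(out)

def sm4_encrypt(key, plaintext):
    iv = os.urandom(16)
    return iv + _keystream_xor(key, iv, plaintext)

def sm4_decrypt(key, ciphertext):
    return _keystream_xor(key, ciphertext[:16], ciphertext[16:])

def _require_authorized(authorized, user):   # stands in for the SM2 certificate checks (406, 503, 505)
    if user not in authorized:
        raise PermissionError(f"{user}: not authorized")

class CloudStorage:
    """Keeps ciphertext under a data ID plus a name catalogue; never sees a key or plaintext."""
    def __init__(self, authorized):
        self.authorized, self.objects, self.catalogue = set(authorized), {}, {}

class TrustedThirdParty:
    """Runs the SM4 operations; holds key and plaintext only for the duration of one call."""
    def __init__(self, authorized):
        self.authorized, self.secrets_held = set(authorized), 0

    def encrypt_and_forward(self, key, signed_file, data_id, cloud):   # steps 408-412
        self.secrets_held += 2
        cloud.objects[data_id] = sm4_encrypt(key, signed_file)
        key = signed_file = None     # step 411: drop key and plaintext (a real service zeroes the buffers)
        self.secrets_held -= 2

    def fetch_and_decrypt(self, key, data_id, cloud):                  # steps 506-511
        self.secrets_held += 1
        plaintext = sm4_decrypt(key, cloud.objects[data_id])           # step 508
        key = None                   # step 511
        self.secrets_held -= 1
        return plaintext

def store_file(user, priv, sm4_key, filename, plaintext, cloud, ttp):
    _require_authorized(cloud.authorized, user)                    # steps 405-406
    data_id = uuid.uuid4().hex
    cloud.catalogue[(user, filename)] = data_id                    # step 407
    signed_file = plaintext + sm2_sign(priv, plaintext)            # claim 3: client signs before upload
    ttp.encrypt_and_forward(sm4_key, signed_file, data_id, cloud)  # steps 408-412
    return data_id

def read_file(user, priv, sm4_key, filename, cloud, ttp):
    _require_authorized(cloud.authorized, user)                    # steps 502-503
    data_id = cloud.catalogue[(user, filename)]
    _require_authorized(ttp.authorized, user)                      # steps 504-505
    signed_file = ttp.fetch_and_decrypt(sm4_key, data_id, cloud)   # steps 506-510
    data, sig = signed_file[:-SIG_LEN], signed_file[-SIG_LEN:]
    return data, sm2_verify(priv, data, sig)                       # steps 512-513

def flip_stored_byte(cloud, data_id, offset):   # tamper at rest; offset is a plaintext position
    ct = bytearray(cloud.objects[data_id])
    ct[16 + offset] ^= 0x01                     # skip the 16-byte IV prefix
    cloud.objects[data_id] = bytes(ct)

def demo():
    """Store a constructed 2 MB + 4 KB file, then tamper outside and inside the signed region."""
    cloud, ttp = CloudStorage({"alice"}), TrustedThirdParty({"alice"})
    priv, key = b"alice-stub-private-key", bytes(16)
    big = bytes(range(256)) * ((SIGN_LIMIT + 4096) // 256)
    data_id = store_file("alice", priv, key, "report.bin", big, cloud, ttp)
    data, ok_clean = read_file("alice", priv, key, "report.bin", cloud, ttp)
    flip_stored_byte(cloud, data_id, SIGN_LIMIT + 100)             # beyond the first 2 MB
    tampered, ok_outside = read_file("alice", priv, key, "report.bin", cloud, ttp)
    flip_stored_byte(cloud, data_id, 100)                          # inside the first 2 MB
    _, ok_inside = read_file("alice", priv, key, "report.bin", cloud, ttp)
    return {"secrets_held": ttp.secrets_held, "clean_ok": ok_clean and data == big,
            "undetected_outside": ok_outside and tampered != big, "detected_inside": not ok_inside}

if __name__ == "__main__":
    print(demo())
```

Run as a script, demo() reports that the trusted third party retains nothing after either flow, that the clean read verifies, that the byte changed beyond the first 2 MB is returned to the client with the signature still verifying, and that the byte changed inside the first 2 MB is caught. The stream-cipher stand-in maps a ciphertext bit flip to the same plaintext position, which is why the first tamper passes so cleanly; a deployment would use SM2 signing under the certificate's private key and SM4 in an integrity-protected mode, and would zero the key and plaintext buffers rather than merely dropping references.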

From the above embodiments it can be seen that the cloud storage data storage and read method based on a trusted third party agent provided by the present invention has the following advantages:

By introducing a trusted third party to perform the encryption and decryption of user data, the heavy workload that encrypting user data would impose on the user client is avoided, which to some extent reduces the impact on the convenience of using the cloud storage platform.

The encryption protection of user data is carried out entirely by the trusted third party, so the normal operation of an existing cloud storage platform is not affected; at the same time, the technique can be integrated into a cloud storage platform already in operation without modifying that platform.

Identity verification and key transfer at the trusted third party and the cloud storage platform use the user's SM2 digital certificate, which significantly enhances the security of the system.

The user signs and verifies data with a digital certificate based on the SM2 national cryptographic algorithm, which effectively prevents data from being tampered with and ensures the security of user data. At the same time, encryption and decryption with the user's SM4 data key improve the confidentiality of user data.

The preferred embodiments of the present invention have been described in detail above with reference to the accompanying drawings; however, the present invention is not limited to the specific details of those embodiments. Within the scope of the technical concept of the present invention, various simple variations may be made to the technical solution of the present invention, and all such simple variations fall within the protection scope of the present invention.

It should further be noted that the specific technical features described in the above specific embodiments may be combined in any suitable manner where no conflict arises. To avoid unnecessary repetition, the present invention does not separately describe the various possible combinations.

In addition, the various embodiments of the present invention may also be combined with one another, and as long as they do not depart from the idea of the present invention, such combinations should likewise be regarded as content disclosed by the present invention.

Claims (10)

1. A cloud storage data storage method based on a trusted third party agent, characterised in that the method comprises:
the trusted third party agent receiving a file encrypted-storage request from a user client;
in response to the file encrypted-storage request, allocating an identifier ID to the file and returning it to the user client;
receiving file data and an SM4 key from the user client;
encrypting the received file data using the SM4 key; and
after the cloud storage platform has verified the user's identity in response to a data storage request from the user client, the trusted third party agent sending the encrypted file data and the identifier ID to the cloud storage platform for storage.
2. The method according to claim 1, characterised in that the method further comprises:
the trusted third party agent receiving an SM2-based digital certificate from the user client;
verifying the user's identity according to the digital certificate; and
responding to the file encrypted-storage request after the user identity verification has passed.
3. The method according to claim 1, characterised in that the file data is the file data generated after the user client signs the file using the SM2-based digital certificate.
4. The method according to claim 3, characterised in that signing the file comprises:
when the file is smaller than a predetermined data amount, signing the file as a whole; and
when the file is larger than the predetermined data amount, signing the part of the file equal to the predetermined data amount.
5. The method according to claim 1, characterised in that, after the encrypted file data and the identifier ID have been sent to the cloud storage platform for storage, the method further comprises:
the trusted third party agent deleting the file data and the SM4 key received from the user client.
6. A cloud storage data reading method based on a trusted third party agent, characterised in that the method comprises:
after the cloud storage platform has verified the user's identity in response to a data read request from a user client, the trusted third party agent receiving a file read request from the user client;
in response to the file read request, receiving the encrypted file data and the identifier ID from the cloud storage platform and decrypting the encrypted file data according to an SM4 key received from the user client; and
sending the decrypted file data and the identifier ID to the user client.
7. The method according to claim 6, characterised in that the method further comprises:
the trusted third party agent receiving an SM2-based digital certificate from the user client;
verifying the user's identity according to the digital certificate; and
responding to the file read request after the user identity verification has passed.
8. The method according to claim 6, characterised in that, after the user client has received the decrypted file data, it verifies the signature on the decrypted file data using the SM2-based digital certificate; and
determines that the data is correct when the signature verification result is consistent.
9. The method according to claim 8, characterised in that verifying the signature on the decrypted file data comprises:
when the decrypted file data is smaller than a predetermined data amount, verifying the signature over the decrypted file data as a whole; and
when the decrypted file data is larger than the predetermined data amount, verifying the signature over the part of the decrypted file data equal to the predetermined data amount.
10. The method according to claim 9, characterised in that, after the decrypted file data and the identifier ID have been sent to the user client, the method further comprises:
the trusted third party agent deleting the SM4 key received from the user client and the decrypted file data.
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201511025233.8A CN106936579A (en) 2015-12-30 2015-12-30 Cloud storage data storage and read method based on trusted third party agency

Publications (1)

Publication Number Publication Date
CN106936579A true CN106936579A (en) 2017-07-07

Family

ID=59441962


Country Status (1)

Country Link
CN (1) CN106936579A (en)

Citations (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2010135412A2 (en) * 2009-05-19 2010-11-25 Security First Corp. Systems and methods for securing data in the cloud
US20110119481A1 (en) * 2009-11-16 2011-05-19 Microsoft Corporation Containerless data for trustworthy computing and data services
CN102821096A (en) * 2012-07-17 2012-12-12 华中科技大学 Distributed storage system and file sharing method thereof
CN103107995A (en) * 2013-02-06 2013-05-15 中电长城网际系统应用有限公司 Cloud computing environmental data secure storage system and method
CN103312690A (en) * 2013-04-19 2013-09-18 无锡成电科大科技发展有限公司 System and method for key management of cloud computing platform
CN103457733A (en) * 2013-08-15 2013-12-18 中电长城网际系统应用有限公司 Data sharing method and system under cloud computing environment
CN103731395A (en) * 2012-10-10 2014-04-16 中兴通讯股份有限公司 Processing method and system for files
CN103763319A (en) * 2014-01-13 2014-04-30 华中科技大学 Method for safely sharing mobile cloud storage light-level data
CN104717297A (en) * 2015-03-30 2015-06-17 上海交通大学 Safety cloud storage method and system
CN104935576A (en) * 2015-04-28 2015-09-23 广州大学 Data safe divided storage and assigned user sharing system
CN105025041A (en) * 2015-08-25 2015-11-04 北京百度网讯科技有限公司 File upload method, file upload apparatus and system



Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination