CN107332858B - Cloud data storage method - Google Patents


Info

Publication number: CN107332858B
Authority: CN (China)
Prior art keywords: user, group, authentication, data, reading
Legal status: Active (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Application number: CN201710665859.8A
Other languages: Chinese (zh)
Other versions: CN107332858A (en)
Inventor: 刘颖
Current Assignee: Shenzhen gelonghui Information Technology Co., Ltd (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Original Assignee: Shenzhen Gelonghui Information Technology Co Ltd

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00: Network arrangements or protocols for supporting network services or applications
    • H04L67/01: Protocols
    • H04L67/10: Protocols in which an application is distributed across nodes in the network
    • H04L67/1097: Protocols in which an application is distributed across nodes in the network for distributed storage of data in networks, e.g. transport arrangements for network file system [NFS], storage area networks [SAN] or network attached storage [NAS]
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/08: Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/083: Network architectures or network communication protocols for network security for authentication of entities using passwords
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/10: Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/105: Multiple levels of security
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08: Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816: Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0819: Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • H04L9/0825: Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) using asymmetric-key encryption or public key infrastructure [PKI], e.g. key signature or public key certificates

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Storage Device Security (AREA)

Abstract

The invention provides a cloud data storage method comprising the following steps: a plurality of authentication servers are arranged in a cloud storage platform, key distribution and feature authentication transactions are carried out hierarchically, and a root authentication server signs the next-level authentication server. The method strengthens secure read policy control under environment and policy constraints, reduces the computation cost of the write user while maintaining security, and meets the application requirements of various cross-cloud and cross-level data policies.

Description

Cloud data storage method
Technical Field
The invention relates to secure cloud storage, in particular to a cloud data storage method.
Background
A cloud data storage platform places computing resources in a configurable shared resource pool and makes them readable over the network conveniently and on demand. Security has become a key problem restricting the development of cloud storage. In cloud storage the service provider delivers the service and users are in a passive position, which causes a serious asymmetry of information control. Cloud storage hands information over to the cloud storage service provider, so an enterprise cannot fully control the information or the provider's storage details; because cloud storage serves users from multiple parties, the cloud service provider, out of consideration for its own security, cannot present key storage information to the owner. On the other hand, inter-domain interoperation in a cloud storage platform enables sharing of inter-domain resources and services, but how to ensure the security of managed objects within a domain, that is, how to securely share subject and object information for inter-domain interoperation, set a read policy, and strictly perform read checks, is an urgent problem to be solved. In the prior art, roles in different domains are associated through inter-domain role mapping, an extension of the traditional authorization management model, but the propagation of inter-domain role mappings easily introduces security risks.
Disclosure of Invention
In order to solve the problems in the prior art, the invention provides a cloud data storage method, which comprises the following steps:
a plurality of authentication servers are arranged in a cloud storage platform, key distribution and feature authentication transactions are carried out hierarchically, and a root authentication server signs the next-level authentication server.
Preferably, the hierarchical authentication servers include a plurality of hierarchical sub-authentication servers, which authenticate users' identities through a symmetric key certificate mechanism, handle the addition and deletion of users, and perform authorized read control on the ciphertext.
Preferably, an authentication level tree is provided for the writing user, so that the writing user sets a read policy according to the authentication level tree provided by the sub-authentication server, and the data is encrypted and then stored in the cloud server.
Preferably, the root authentication server comprises a public key infrastructure, PKI.
Preferably, the users of the cloud storage system further include a reading user, and the reading user is a user requesting to read the data stored in the cloud server.
Preferably, when the reading user reads data stored on the cloud server, the reading user communicates with the authentication server and sends a read request; after identity authentication passes, the generated read policy is evaluated; once the preset conditions are met, the ciphertext is sent to the reading user, and if the reading user's features conform to the read structure, the reading user decrypts it to obtain the data.
Compared with the prior art, the invention has the following advantages:
the invention provides a cloud data storage method, which enhances the security read policy control of environment and policy constraints, reduces the computation cost of a write user on the premise of ensuring the security, and meets the application requirements of various data policies across clouds.
Drawings
Fig. 1 is a flowchart of a cloud data storage method according to an embodiment of the present invention.
Detailed Description
A detailed description of one or more embodiments of the invention is provided below along with accompanying figures that illustrate the principles of the invention. The invention is described in connection with such embodiments, but the invention is not limited to any embodiment. The scope of the invention is limited only by the claims and the invention encompasses numerous alternatives, modifications and equivalents. In the following description, numerous specific details are set forth in order to provide a thorough understanding of the present invention. These details are provided for the purpose of example and the invention may be practiced according to the claims without some or all of these specific details.
One aspect of the invention provides a cloud data storage method. Fig. 1 is a flowchart of a cloud data storage method according to an embodiment of the present invention.
The invention sets up hierarchical authentication servers in a cloud storage platform, comprising a root authentication server CGS, a partition authentication server RGS and a sub-authentication server SGS; key distribution and feature authentication transactions are carried out hierarchically, and the root CGS signs the next-level authentication server. A Feature Management Module (FMM) is established and maintains a global user feature list. Within the cloud storage platform security framework, building on read control by user subject role and by owner of the permission file, and on feature descriptions of the environment and data resources, the authentication server sets an authorized read policy and a constraint control policy, which provides cross-domain data reading between clouds and user privacy protection.
The hierarchical authentication server comprises a public key infrastructure PKI and also acts as the root authentication server CGS. The feature management module FMM maintains the feature list for the whole system in the cloud environment and responds to requests from the authentication server CGS for cross-regional feature lists. The multiple hierarchical sub-authentication servers SGS authenticate users' identities through a symmetric key certificate mechanism, provide an authentication level tree to the write user, handle the addition and deletion of users, and perform authorized read control on the ciphertext. The users of the cloud storage system comprise a write user and a reading user. The write user sets a read policy according to the authentication level tree provided by the sub-authentication server SGS, and the data is encrypted and then stored in the cloud server. The reading user is a user requesting to read the data stored in the cloud server.
For data distribution, the write user first, after passing identity authentication, submits to the authentication server a service request for data encryption and upload; the write user then completes the definition of the read policy according to the feature structure list pushed by the authentication server, encrypts the data according to the policy, and uploads the encrypted data to the cloud server. For data reading, the reading user communicates with the authentication server and sends a read request; after identity authentication, the policy point evaluates the generated read policy; once the preset conditions are met, the ciphertext is sent to the reading user, who decrypts it to obtain the data if the reading user's features conform to the read structure.
Uploading the encrypted data to the cloud server further comprises the following file creation process.
(1) The write user generates a random number $r_1$, forms a request packet from it together with the user's ID and the ID of the group the user belongs to, signs the packet with the private key of that group, encrypts it with the public key of the CGS of the cloud the user belongs to, and sends it to that CGS. Specifically:
$$E_{CGS}(E_{com}(r_1, UID, filequery), groupID)$$
After receiving the request, the CGS reads the group identifier groupID from the packet, looks up the public key of the corresponding group, and decrypts using the group public key and the CGS key to obtain the random number $r_1$. It then internally generates a random number $r_2$, constructs a request packet from these together with the user's UID and the set of all IDs in the group, signs it with the CGS private key, encrypts it with the public key of the sub-authentication server in the domain, and sends it to that sub-authentication server. Specifically:
$$E_{SGS}(E_{CGS}(r_1, r_2, UID, groupID))$$
The sub-authentication server SGS decrypts the ciphertext with its private key, constructs a response packet from the decryption result together with the random number $r_1$, encrypts the response packet with the SGS private key, and returns it to the write user. Specifically:
$$E_{SGS}(r_1, HASH(UID \| r_2))$$
The write user decrypts using the SGS private key and verifies $r_1$, which completes the authentication of the data owner.
(2) The files are first classified according to read permission, and files in the same class form a file cluster. To encrypt a single file, the write user submits a data encryption and upload request, based on the features of the file to be read, to the sub-authentication server SGS it belongs to, and a security policy check is performed, which comprises a user level role check and a permission check associated with the data distribution security level. If the features set for the group exceed the range, the sub-authentication server SGS forwards the request to the upper-level authentication server CGS; the CGS communicates with the feature management module FMM to obtain the associated feature list, and the write user feature list is returned;
When the write user sets the read policy: the authentication server obtains the system's public parameters and private key according to the user role, permission and file security level in the cloud storage server; the write user then specifies the read structure, which limits users' permissions, and the permission information is recorded as an XML file; the write user sets environment and policy constraint conditions to generate the constraint control policy; the file is symmetrically encrypted, with the generated random number used as the symmetric key to encrypt the data file into ciphertext; and a feature encryption algorithm is then applied to obtain the ciphertext. All elements of the authentication server's authentication level feature space and of the write user's read policy feature space are mapped onto the authentication level tree. The write user creates a read policy tree through a spanning tree algorithm.
When a reading user requests authentication from an authentication server, the reading user constructs a request packet comprising the UID and the ID of the group it belongs to, signs it with the group private key, encrypts it with the CGS public key, and sends it to the CGS.
The authentication server obtains the group ID from the encrypted packet, looks up the corresponding group public key, decrypts with it and with the authentication server's private key, and verifies the reading user's identity; if the identity is correct and legitimate, it signs the user ID with the authentication server's private key, encrypts it with the authentication server's public key, and sends it; the corresponding packet is $E_{SGS}(E_{CGS}(UID))$.
After authentication by the authentication server passes, the security policy is evaluated. The specific process is as follows:
The user submits a data read request to the policy execution unit; the policy execution unit collects the user's data read request and evaluation information and sends them to the decision unit; the decision unit judges, according to the constraint control file, whether the system environment satisfies the read request, and rejects the read request if any condition is not met; the decision unit informs the policy execution unit of the decision result.
If the decision result received by the policy execution unit indicates that the conditions are met, decryption proceeds. The decryption process is as follows:
The authentication server first executes a private key generation algorithm to generate a private key, then sends the private key together with the ciphertext to the user; the user receives the private key and decrypts to obtain the plaintext.
The authentication server generates a private key. For different users, the authentication server generates each user's private key through encryption under a certificate mechanism.
The reading user decrypts the ciphertext. When the user reads ciphertext data, after the security policy evaluation determines that the control constraint conditions are met, the authentication server sends the user the ciphertext and the private key corresponding to that user, and the reading user runs the decryption algorithm. If the node being read is a non-leaf node in the authentication level tree, the decryption function must be executed repeatedly until a leaf node is reached.
When a user is deleted, the system sends the related request to the CGS; after receiving it, the CGS modifies the feature ID set of the affected group's users and informs the corresponding sub-authentication server SGS. After receiving the request, the SGS generates a new ciphertext, regenerates the corresponding private key and sends the private key to the other users in the affected group, thereby ensuring the security of the ciphertext.
In another preferred embodiment, for identity authentication of the reading user, the invention installs a digital certificate plug-in on the user side, and identity is confirmed using the digital certificate together with a dynamic password.
(1) In the initialization phase, the read user u sends a connection request to the policy execution unit p and sends $ID_{up}$ and $IN_u$, where $ID_{up}$ denotes the identity identifier of user u in the policy enforcement unit p and $IN_u$ denotes the security attribute information of user u;
after receiving the request, the policy execution unit p checks the integrity of the information and the uniqueness of the identifier; after the check, the policy execution unit p generates a random integer N and sends N to u;
after receiving the random integer N, the reading user applies the hash algorithm N times to the self-chosen password $PW_{up}$ to obtain the security credential $ST_{up}$ and sends it to p:
$$ST_{up} = HASH(PW_{up})^{N}$$
where the password $PW_{up}$ denotes the password that user u uses in the policy enforcement unit p; after receiving the security credential $ST_{up}$, p stores $N$, $ST_{up}$ and $IN_u$.
(2) Registration stage: the read user u sends a registration request to the cloud storage platform b, the request including $ID_{ub}$ and $IN_u$; $ID_{ub}$ denotes the identity identifier of user u in the cloud storage platform b;
after receiving the request, the cloud storage platform b performs a series of checks and then sends a message MG to the user u.
After receiving MG, the read user u applies the hash algorithm once to the self-chosen password $PW_{ub}$ to obtain the security credential $ST_{ub}$, and sends $ST_{ub}$ to the cloud storage platform b.
$$ST_{ub} = HASH(PW_{ub})$$
The reading user u sends a login request to the cloud storage platform b; after receiving the login request, the cloud storage platform looks up the stored security credential $ST_{ub}$ by $ID_{ub}$ and sends a message MG to the user.
(3) Verification phase
The reading user u sends $ID_{up}$ and the policy enforcement unit p to the cloud storage platform b; these are used to establish a trust relationship between the cloud storage platform b and the policy enforcement unit p;
after receiving the request, the cloud storage platform forwards $ID_{up}$ to the policy execution unit p;
the policy enforcement unit p looks up the information of the reading user u by $ID_{up}$ and retrieves the random integer N stored last time (for the first verification, the random integer established during initialization); it sends N-1 to the cloud storage platform b, and the cloud storage platform b forwards the random integer to the user u;
user u receives the random integer N-1, applies the hash algorithm N-1 times to its password $PW_{up}$ to obtain the security credential $ST_{up}$, and sends it to the cloud storage platform b and the policy execution unit p:
$$ST_{up} = HASH(PW_{up})^{N-1}$$
the policy execution unit p retrieves the security token $ST'_{up}$ stored for user u last time and verifies whether $ST_{up}$ and $HASH(ST'_{up})$ are equal; if they are equal, a trust relationship is established and a success message is sent, and if verification fails, a failure message is sent;
a trust relationship is established between the cloud storage platform Rb and the policy execution unit p; the policy enforcement unit p replaces the original security credential $ST'_{up}$ with the new security credential $ST_{up}$, and replaces the original random integer N with the new random integer N-1.
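The dynamic-password exchange in the initialization and verification phases is a hash chain, shown here from the verifier's side as an added example that is not part of the patent text. SHA-256, the class and function names, and the sample password and identifier are assumptions. With $ST'_{up}$ the stored N-fold hash and $ST_{up}$ the presented (N-1)-fold hash, the comparison that succeeds for an honest user is HASH($ST_{up}$) against $ST'_{up}$, which is what the code checks; `comparison_directions` evaluates both directions.

```python
import hashlib
import hmac


def hash_chain(password: bytes, rounds: int) -> bytes:
    """HASH applied `rounds` times to the password."""
    if rounds < 1:
        raise ValueError("rounds must be >= 1")
    value = password
    for _ in range(rounds):
        value = hashlib.sha256(value).digest()  # SHA-256 is an assumption
    return value


class PolicyUnit:
    """Policy execution unit p: stores N and the last credential, never PW."""

    def __init__(self):
        self._state = {}  # ID_up -> (N, ST'_up)

    def initialize(self, id_up: str, n: int) -> int:
        # Initialization phase: the identifier must be unique. The text has p
        # draw N at random; it is passed in here so the run is repeatable.
        if id_up in self._state:
            raise ValueError("identifier already registered")
        self._state[id_up] = (n, None)
        return n

    def store_credential(self, id_up: str, st_up: bytes) -> None:
        n, _ = self._state[id_up]
        self._state[id_up] = (n, st_up)

    def challenge(self, id_up: str) -> int:
        # Verification phase: p answers with N-1 for the stored N.
        n, stored = self._state[id_up]
        if stored is None or n - 1 < 1:
            raise RuntimeError("chain exhausted: initialization must be re-run")
        return n - 1

    def verify(self, id_up: str, st_up: bytes) -> bool:
        n, stored = self._state[id_up]
        if stored is None or n - 1 < 1:
            return False
        # One more hash of the presented value must reproduce the stored one.
        if not hmac.compare_digest(hashlib.sha256(st_up).digest(), stored):
            return False
        # Replace ST'_up with ST_up and N with N-1 so the value is single-use.
        self._state[id_up] = (n - 1, st_up)
        return True


def comparison_directions(password: bytes, n: int) -> dict:
    """Evaluate both possible equality checks for an honest user."""
    stored = hash_chain(password, n)          # ST'_up
    presented = hash_chain(password, n - 1)   # ST_up
    one_hash = lambda b: hashlib.sha256(b).digest()
    return {
        "HASH(ST_up) == ST'_up": one_hash(presented) == stored,
        "ST_up == HASH(ST'_up)": presented == one_hash(stored),
    }


def run_constructed_session() -> dict:
    """Constructed walk-through with N = 4 and a sample password."""
    p = PolicyUnit()
    pw = b"constructed-sample-password"
    n = p.initialize("u@p", 4)
    p.store_credential("u@p", hash_chain(pw, n))
    results = {}
    c = p.challenge("u@p")
    st = hash_chain(pw, c)
    results["first_login"] = p.verify("u@p", st)
    results["replay"] = p.verify("u@p", st)  # same value presented again
    c = p.challenge("u@p")
    results["wrong_password"] = p.verify("u@p", hash_chain(b"guess", c))
    results["second_login"] = p.verify("u@p", hash_chain(pw, c))
    return results
```

Each successful login consumes one link, so a chain started at N supports N-1 logins before initialization has to be repeated.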
In the hierarchical key distribution of the invention, the symmetric encryption key corresponding to each group can be computed by the users in the group through key agreement. Users in a low-level group treat the high-level group as a virtual member of their group. When user sharing permissions change, the data owner and the users in the corresponding high-level group distribute, to the users in the relevant low-level groups, the system public parameters needed to compute the new symmetric encryption keys. After obtaining these parameters, the users in each group obtain a new symmetric encryption key.
Hereinafter $U_{ij}$ denotes user $U_j$ in group $V_i$, and the identity of $U_j$ is denoted $ID_{ij}$. The data owner randomly selects the master key. If the current $V_i$ is a root node in the read path, the data owner sets the level value corresponding to $V_i$ to $d_i = 1$. The secret-related information corresponding to node $V_i$ is $H_1(k_i)$, where $H_1$ is a hash operation and $k_i$ is a preset public parameter. If node $V_i$ is a non-root node of the read path, there is a longest path from some root node to that node. The data owner sets $d_i$ to the number of nodes on that longest path. The secret-related information corresponding to node $V_i$ is $H_1(H_1 \ldots (H_1(k_i)))$, obtained by performing the hash operation on $H_1(k_i)$ $d_i$ times.
If a user $U_j$ wants to join group $V_i$, the user must make an authorization request to the data owner to obtain the secret-related information corresponding to group $V_i$ and the user's authorization key pair in the system. After the authorization is completed, the authorized key pair of user $U_j$ is $pk_{ij} = H_2(ID_{ij}) k_{ij}$, where $H_2$ is another hash operation and $k_{ij}$ is a preset public parameter.
Let $V_{i1} \ldots V_{in}$ be all direct predecessors of node $V_i$ in the read path. Once the public information corresponding to these nodes and the public keys corresponding to the other users of group $V_i$ are obtained, user $U_j$ can compute the symmetric encryption key $k_i$ corresponding to group $V_i$.
Let $V_i$ and $V_j$ be two nodes in the read path. When a new group $V_t$ is added to $V_i$ and $V_j$, if group $V_t$ has no group members, the data owner performs the following operations to complete the addition of group $V_t$:
1. Compute the secret-related information $s_t$ corresponding to $V_t$. Next, the data owner computes the symmetric encryption key $k_t$ corresponding to $V_t$ and the public information $d_t = d_i + 1$;
2. The data owner updates the public information of these groups and broadcasts it to the system.
3. After receiving the broadcast message, each user in the groups concerned, $V_t$, $V_i$ and $V_j$, recalculates the symmetric encryption key corresponding to the group the user belongs to and the symmetric encryption keys corresponding to all the low-level groups.
When an original group is deleted, the secret-related information corresponding to each group in the system is not updated.
When a new user with identity $ID_{i,t+1}$ requests to join group $V_i$ from an authentication server, in order to obtain the secret-related information, the symmetric encryption key and the authorization key pair corresponding to group $V_i$, the user must first send an authorization request to the data owner. After the data owner completes the authorization of the user, the data owner adds $H_2(ID_{i,t+1}) k_{i,t+1}$ to the public information corresponding to $V_i$. The data owner then broadcasts a message to the system.
After receiving the broadcast message, user $U_j$ in group $V_i$ recalculates the public information corresponding to $V_i$.
Preferably, for each group, the authentication server assigns two secret-related non-zero vectors to it. The product of one secret-related non-zero vector and the corresponding row in the parameter matrix is the symmetric encryption key corresponding to the group. If two groups have a hierarchical relationship, the high-level group directly calculates the symmetric encryption key corresponding to the low-level group through vector multiplication. The specific procedure is as follows:
The data owner first interacts with the authentication server and obtains the system public parameters. The data owner then generates a finite field and a random function F. Next, the data owner initializes the hierarchical structure of the groups and generates and distributes two-dimensional secret-related non-zero vectors $(Y_i, Z_i)$ for each group. Finally, the data owner calculates the parameter matrix in the system public parameters by applying the random function F to the secret-related non-zero vectors. The inner product of each group's secret-related non-zero vector $Z_i$ with the corresponding public vector is the group's symmetric encryption key $k_{i,j}$. If two groups $V_i$ and $V_j$ have no hierarchical relationship, the vector inner product associated with them is zero. If they have a hierarchical relationship, the inner product of the secret-related non-zero vector of the high-level group and the public vector of the low-level group corresponds to an indirect key. Through further calculation, the users in the high-level group can obtain the symmetric encryption keys corresponding to the low-level group.
The parameter matrix is obtained by the following process:
For each group $V_i$, the data owner randomly selects non-zero vectors $Y_i = (y_{i,1}, y_{i,2})$ and $Z_i = (z_{i,1}, z_{i,2})$ as secret-related information. Every secret-related non-zero vector $Y_i$ is mapped to a new vector $W_i$ by the random function F.
The data owner converts $Z_i$ to an n-dimensional vector $X_i$. For $i = 1, 2$, let $x_{i,1} = z_{i,1}$ and $x_{i,2} = z_{i,2}$; for $i = 3, \ldots, n$, let $x_{i,1} = z_{i,1}$ and $x_{i,i} = z_{i,2}$, with $x_{i,j} = 0$ for $j \neq 1, i$. This gives the set of n-dimensional vectors $X_1 = (x_{1,1}, x_{1,2}, 0, \ldots, 0)$; $X_2 = (x_{2,1}, x_{2,2}, 0, \ldots, 0)$; …; $X_n = (x_{n,1}, 0, \ldots, 0, x_{n,n})$;
Computing matrices
Figure BDA0001371753690000101
Test whether $X_1, X_2, \ldots, X_n$ are linearly dependent. If they are linearly dependent, reselect $Z_1, Z_2, \ldots, Z_n$. Otherwise, select a symmetric encryption key for each class and calculate the parameter matrix A. That is, for each group $V_i$ the data owner randomly chooses its symmetric encryption key $k_{i,j}$.
Define $K_j = (k_{j,1}, k_{j,2}, \ldots, k_{j,n})$ and $K = [K_1, \ldots, K_n]^T$; then $X \times A = K$;
Solving this system of equations gives $A = X^{-1} \times K$;
The data owner sends $((Y_i, Z_i), k_{i,j})$ to group $V_i$ through a secure channel, and sends F and A to the cloud service provider.
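The parameter-matrix steps above (build the $X_i$ from the $Z_i$, test for linear dependence, solve $X \times A = K$) can be carried through as follows; this is an added example, not code from the patent. The prime modulus, the function names and the sample $Z$ and $K$ values are assumptions, the row layout follows the $X_1$, $X_2$, $X_n$ forms listed above, and the random function F and the vectors $Y_i$, $W_i$ are not modelled.

```python
P = 2**61 - 1  # assumed prime modulus; the text only says "a finite field"


def build_x(z_vectors):
    """Embed each 2-dimensional Z_i into an n-dimensional row X_i."""
    n = len(z_vectors)
    if n < 2:
        raise ValueError("at least two groups are needed")
    rows = []
    for i, (z1, z2) in enumerate(z_vectors):
        row = [0] * n
        row[0] = z1 % P
        # Groups 1 and 2 use columns 1 and 2; group i >= 3 uses columns 1 and i.
        row[1 if i < 2 else i] = z2 % P
        rows.append(row)
    return rows


def invert_mod(matrix, p=P):
    """Gauss-Jordan inverse over GF(p); None if the rows are dependent."""
    n = len(matrix)
    aug = [[v % p for v in row] + [int(i == j) for j in range(n)]
           for i, row in enumerate(matrix)]
    for col in range(n):
        pivot = next((r for r in range(col, n) if aug[r][col]), None)
        if pivot is None:
            return None  # no pivot: X_1..X_n are linearly dependent
        aug[col], aug[pivot] = aug[pivot], aug[col]
        inv = pow(aug[col][col], -1, p)
        aug[col] = [v * inv % p for v in aug[col]]
        for r in range(n):
            if r != col and aug[r][col]:
                f = aug[r][col]
                aug[r] = [(a - f * b) % p for a, b in zip(aug[r], aug[col])]
    return [row[n:] for row in aug]


def matmul_mod(a, b, p=P):
    return [[sum(x * y for x, y in zip(row, col)) % p for col in zip(*b)]
            for row in a]


def parameter_matrix(z_vectors, k_matrix, p=P):
    """A = X^-1 * K; raises if the Z_i have to be reselected."""
    x_inv = invert_mod(build_x(z_vectors), p)
    if x_inv is None:
        raise ValueError("X_1..X_n linearly dependent: reselect Z_1..Z_n")
    return matmul_mod(x_inv, k_matrix, p)


def key_row(i, z_vectors, a, p=P):
    """What group i recovers: X_i times A, i.e. row K_i of the key matrix."""
    return matmul_mod([build_x(z_vectors)[i]], a, p)[0]


# Constructed sample: three groups; group 1 is above groups 2 and 3, so its
# row also carries keys for them, while unrelated pairs have a zero entry.
SAMPLE_Z = [(3, 5), (7, 11), (13, 17)]
SAMPLE_K = [[101, 202, 303],
            [0, 404, 0],
            [0, 0, 505]]
# Constructed dependent case: Z_2 is a multiple of Z_1.
DEPENDENT_Z = [(1, 2), (2, 4), (5, 6)]
```

Because groups 1 and 2 share the same two columns, proportional $Z_1$ and $Z_2$ (or a zero second component for any later group) make $X$ singular, which is the case the dependence test is there to catch.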
In summary, the cloud data storage method provided by the invention enhances the security read policy control of environment and policy constraints, reduces the computation cost of a write user on the premise of ensuring security, and meets the application requirements of various data policies across clouds and across grades.
It will be apparent to those skilled in the art that the modules or steps of the present invention described above may be implemented in a general purpose computing system, centralized on a single computing system, or distributed across a network of computing systems, and optionally implemented in program code that is executable by the computing system, such that the program code is stored in a storage system and executed by the computing system. Thus, the present invention is not limited to any specific combination of hardware and software.
It is to be understood that the above-described embodiments of the present invention are merely illustrative of or explaining the principles of the invention and are not to be construed as limiting the invention. Therefore, any modification, equivalent replacement, improvement and the like made without departing from the spirit and scope of the present invention should be included in the protection scope of the present invention. Further, it is intended that the appended claims cover all such variations and modifications as fall within the scope and boundaries of the appended claims or the equivalents of such scope and boundaries.

Claims (6)

1. A cloud data storage method is characterized by comprising the following steps:
setting a plurality of authentication servers in a cloud storage platform, performing key distribution and characteristic authentication transaction grading, and signing a next-level authentication server by a root authentication server; the cross-domain data reading and user privacy protection among clouds are realized through an authorized reading strategy and a constraint control strategy set by an authentication server;
the key distribution is performed in a hierarchical manner, and the method further comprises the following steps:
the symmetric encryption key corresponding to each group can be calculated by the users in the group in a key agreement mode; the user in the low-level group regards the high-level group as a virtual member in the group; once the user sharing authority is changed, the data owner and the users in the corresponding high-level group distribute system public parameters required for calculating a new symmetric encryption key for the users in the related low-level group; after obtaining the parameters, the users in each group obtain a new symmetric encryption key;
$U_{ij}$ denotes user $U_j$ in group $V_i$, and the identity of $U_j$ is denoted $ID_{ij}$; the data owner randomly selects the master key; if the current $V_i$ is a root node in the read path, the data owner sets the level value corresponding to $V_i$ to $d_i = 1$; the secret-related information corresponding to node $V_i$ is $H_1(k_i)$, where $H_1$ is a hash operation and $k_i$ is a preset public parameter; if node $V_i$ is a non-root node of the read path, a longest path from some root node to the node exists; the data owner sets $d_i$ to the number of nodes on the longest path; the secret-related information corresponding to node $V_i$ is $H_1(H_1 \ldots (H_1(k_i)))$, that is, the hash operation is performed $d_i$ times on $H_1(k_i)$;
if a user $U_j$ wants to join group $V_i$, the user must make an authorization request to the data owner to obtain the secret-related information corresponding to group $V_i$ and an authorization key pair in the system; after the authorization is completed, the authorized key pair of user $U_j$ is $pk_{ij} = H_2(ID_{ij})k_{ij}$, where $H_2$ is another hash operation and $k_{ij}$ is a preset public parameter;
let $V_{i1} \ldots V_{in}$ be all direct predecessors of node $V_i$ in the read path; once the public information corresponding to these nodes and the public keys corresponding to the other users in group $V_i$ are obtained, user $U_j$ can calculate the symmetric encryption key $k_i$ corresponding to group $V_i$;
let $V_i$ and $V_j$ be two nodes in the read path; when a new group $V_t$ is added to $V_i$ and $V_j$, if group $V_t$ does not contain any group member, the data owner performs the following operations to complete the addition of group $V_t$:
calculating the secret-related information $s_t$ corresponding to $V_t$; next, the data owner calculates the symmetric encryption key $k_t$ corresponding to $V_t$ and the public information $d_t = d_i + 1$;
the data owner updates the public information of the groups and broadcasts the public information to the system;
after receiving the broadcast message, each user in the related groups $V_t$, $V_i$, $V_j$ recalculates the symmetric encryption key corresponding to the group in which the user is located and the symmetric encryption keys corresponding to all the low-level groups;
when an original group is deleted, the secret-related information corresponding to each group in the system is not updated; a new user with identity $ID_{i,t+1}$ requests from an authentication server to join group $V_i$; to obtain group $V_i$, the user needs to first send an authorization request to the data owner; after the data owner completes the authorization of the user, $H_2(ID_{i,t+1})k_{i,t+1}$ is added to the public information corresponding to $V_i$; the data owner then broadcasts the message to the system;
after receiving the broadcast message, user $U_j$ in group $V_i$ recalculates the public information corresponding to $V_i$.
2. The method of claim 1, wherein the server for hierarchical authentication comprises a plurality of hierarchical sub-authentication servers, and the identity authentication is performed on the user through a symmetric key certificate mechanism, so that the addition and deletion of the user are completed, and the authorized reading control is performed on the ciphertext.
3. The method according to claim 1, wherein an authentication level tree is provided for a writing user, so that the writing user sets a read policy according to the authentication level tree provided by a sub-authentication server, and data is encrypted and then stored in a cloud server.
4. The method of claim 1, wherein the root authentication server comprises a Public Key Infrastructure (PKI).
5. The method of claim 3, wherein the users of the cloud storage system further comprise a read user, the read user being a user requesting to read cloud server storage data.
6. The method according to claim 5, wherein when the reading user reads the cloud server storage data, the reading user communicates with the authentication server, sends a reading request, judges the generated reading strategy after passing identity authentication, sends a ciphertext to the reading user after meeting a preset condition, and decrypts the data to obtain the data if the characteristics of the reading user accord with a reading structure.
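The level value $d_i$ and the hash-chain secret-related information described in claim 1 can be sketched as follows. This is an added Python example, not code from the patent; it assumes SHA-256 for $H_1$, reads "d_i hash operations" as $d_i$ applications of $H_1$ in total (so a root with $d_i = 1$ yields $H_1(k_i)$), and uses a constructed read path with placeholder parameters.

```python
import hashlib

def h1(data):
    """H1 from the claim; SHA-256 is an assumption (the claim names no hash)."""
    return hashlib.sha256(data).digest()

def level_values(preds):
    """d_i = number of nodes on the longest path from any root to node i.

    preds maps each group to its direct predecessors in the read path;
    a root has no predecessors and gets d_i = 1.
    """
    state = {}  # node -> d_i when finished, None while still being visited

    def depth(node):
        if node in state:
            if state[node] is None:
                raise ValueError("cycle in read path at " + node)
            return state[node]
        state[node] = None
        d = 1 + max((depth(p) for p in preds[node]), default=0)
        state[node] = d
        return d

    return {n: depth(n) for n in preds}

def secret_info(k_i, d_i):
    """Apply H1 d_i times in total, so a root (d_i = 1) yields H1(k_i)."""
    if d_i < 1:
        raise ValueError("level value must be >= 1")
    out = k_i
    for _ in range(d_i):
        out = h1(out)
    return out

def derive_all(preds, params):
    """Return (level values, secret-related information) for every group."""
    levels = level_values(preds)
    return levels, {n: secret_info(params[n], levels[n]) for n in preds}

# Constructed read path: V1 is a root; V2 and V3 follow V1; V4 follows both.
READ_PATH = {"V1": [], "V2": ["V1"], "V3": ["V1"], "V4": ["V2", "V3"]}
# Constructed per-group parameters k_i (placeholders, not real key material).
PARAMS = {n: ("k-" + n).encode() for n in READ_PATH}

if __name__ == "__main__":
    levels, secrets = derive_all(READ_PATH, PARAMS)
    for n in READ_PATH:
        print(n, levels[n], secrets[n].hex()[:16])
```

Adding a new group below an existing one and recomputing `level_values` reproduces the claim's $d_t = d_i + 1$ when that group is the new group's deepest predecessor.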

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710665859.8A CN107332858B (en) 2017-08-07 2017-08-07 Cloud data storage method

Publications (2)

Publication Number Publication Date
CN107332858A (en) 2017-11-07
CN107332858B (en) 2020-08-28

Family

ID=60225892

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201710665859.8A Active CN107332858B (en) 2017-08-07 2017-08-07 Cloud data storage method

Country Status (1)

Country Link
CN (1) CN107332858B (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
TA01 Transfer of patent application right

Effective date of registration: 20200803

Address after: 33b, building 4, Dachong Business Center (phase III), Dachong community, Yuehai street, Nanshan District, Shenzhen City, Guangdong Province

Applicant after: Shenzhen gelonghui Information Technology Co., Ltd

Address before: 610000 Sichuan city of Chengdu province high tech Zone Kyrgyzstan Road No. 666 Building 2 floor 13 No. 2

Applicant before: CHENGDU HUIZHI YUANJING TECHNOLOGY Co.,Ltd.

GR01 Patent grant