CN107404476A - The guard method of data safety and device in big data cloud environment - Google Patents

The guard method of data safety and device in big data cloud environment Download PDF

Info

Publication number
CN107404476A
CN107404476A CN201710468716.8A CN201710468716A CN107404476A CN 107404476 A CN107404476 A CN 107404476A CN 201710468716 A CN201710468716 A CN 201710468716A CN 107404476 A CN107404476 A CN 107404476A
Authority
CN
China
Prior art keywords
data
node
management
big data
operation node
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201710468716.8A
Other languages
Chinese (zh)
Other versions
CN107404476B (en
Inventor
何华
张洁
何中天
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Eastern Prism Technology Corp Ltd
Original Assignee
Beijing Eastern Prism Technology Corp Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing Eastern Prism Technology Corp Ltd filed Critical Beijing Eastern Prism Technology Corp Ltd
Priority to CN201710468716.8A priority Critical patent/CN107404476B/en
Publication of CN107404476A publication Critical patent/CN107404476A/en
Application granted granted Critical
Publication of CN107404476B publication Critical patent/CN107404476B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/12Applying verification of the received information
    • H04L63/123Applying verification of the received information received data contents, e.g. message integrity
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/06Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • H04L63/062Network architectures or network communication protocols for network security for supporting key management in a packet data network for key distribution, e.g. centrally by trusted party
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0823Network architectures or network communication protocols for network security for authentication of entities using certificates
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/10Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/102Entity profiles
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00Network arrangements or protocols for supporting network services or applications
    • H04L67/01Protocols
    • H04L67/10Protocols in which an application is distributed across nodes in the network
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00Network arrangements or protocols for supporting network services or applications
    • H04L67/50Network services
    • H04L67/56Provisioning of proxy services
    • H04L67/563Data redirection of data network streams
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0838Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3263Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Storage Device Security (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

The invention discloses a kind of guard method of data safety in big data cloud environment and device, methods described to include:Equipment in big data cloud environment is divided into data memory node, data management node, process operation node, management of process node and information security node, data memory node stores out of order data file, data management node realizes the mapping of filename, data slice sequence number and authentication code, process operation node runs miscellaneous service process to handle big data, management of process node storage process information, realize the scheduling and certification of process, the generation of information security node and storage of public keys certificate.Utilize the present invention; can be from data fragmentation, the out of order protection system with building big data safety in authentication code, process certification of data slice; the confidentiality and integrality, the authenticity of process of data can be ensured, effectively prevent the assault stolen with altered data, personation process.

Description

The guard method of data safety and device in big data cloud environment
Technical field
The present invention relates to technical field of network security, and in particular to the protection of data safety in a kind of big data cloud environment Method and apparatus.
Background technology
With cloud computing and the fast development of big data technology, big data cloud environment can both provide high performance parallel data Processing, can also provide mass data storage, and big data cloud environment stores government, enterprise and personal letter more and more Breath, the value of big data are increasingly valued by people, excavated by big data, can reveal that government, enterprise with individual's Management, operation or behavior pattern, the importance of big data cloud environment is increasingly notable, and evil backstage manipulator is stretched to big number by increasing hacker According to cloud environment, steal, altered data, network swindle is carried out by Social Engineering, fake site carries out phishing.
In the big data cloud environment of the present invention following technology is related generally in the guard method of data safety and device:Number According to burst and out of order technology, authentication code technology, session key agreement technology, signature technology, ageing technology and public key certificate skill Art.
At present, for the protection technique of big data cloud environment data safety, mainly using CRC technology, it The advantages of be technology maturation, defect is can only to carry out error correction to data.The present invention is using data fragmentation, out of order technology and encryption number It can ensure to high-performance the confidentiality of data according to piece sequence number, data integrity ensure that using authentication code technology, using session Key agreement ensure that the confidentiality of communication with ageing technology, prevent session to reset, using signature technology and public key certificate Technology ensure that the authenticity of process identity, overcome shortcoming present in CRC technical method, can it is many-sided, Quickly and efficiently ensure the confidentiality and integrality, the authenticity of process of big data.
The content of the invention
A kind of the shortcomings that core of inventive method is to overcome prior art, there is provided data safety in big data cloud environment Guard method and device, enabling confidentiality that is many-sided, quickly and efficiently ensureing big data and integrality, process it is true Reality, a safety, available big data cloud environment are provided for the network user.
The purpose of the present invention is achieved through the following technical solutions:
The guard method of data safety, comprises the following steps in a kind of big data cloud environment:
A, the process in process operation node writes safely big data in data memory node;
B, the process in process operation node reads safely big data in data memory node;
C, the process in process operation node is created safely with moving in another process operation node.
Preferably, the step A includes:
Process in A1, process operation node treats data storage burst, calculates the authentication code of data slice, and carry out out of order place Reason;
File after processing is sent to data memory node by the process in A2, process operation node;
Process in A3, process operation node is to information security node application encryption key;
Encryption key is sent to application process by A4, information security node;
A5, the process encryption data piece sequence number in process operation node and its authentication code are simultaneously sent to data management node.
Safety is read big data method information needed including filename, data slice, data slice sequence number, authentication code and encrypted close Key.
Preferably, the step B includes:
Process in B1, process operation node is to information security node application decruption key;
Decruption key is sent to application process by B2, information security node;
Process in B3, process operation node sends request for data piece sequence number to data management node and its authentication code ciphertext please Ask;
Data slice sequence number and its authentication code ciphertext are sent to the process in process operation node by B4, data management node;
B5, the process ciphertext data piece sequence number in process operation node and its authentication code;
Process in B6, process operation node is sent to data memory node reads request of data;
The process that B7, data memory node are run to process in node sends the file comprising out of order data slice and its authentication code;
Process in B8, process operation node calculates authentication code, the integrality for verifying data slice and data slice is ranked up.
Safety is write big data method information needed including filename, data slice, data slice sequence number, authentication code and decrypted close Key.
Preferably, the step C includes:
When C1, process operation node create process, process fingerprint, session key agreement parameter and wound are sent to management of process node Build process requested;
C2, management of process node matching process fingerprint, assess process and data correlation and process operation node resource can With property, if by,;
C3, management of process node send public key certificate application to information security node;
C4, the authenticity in information security node verification solicitation message source are with ageing, and Generate Certificate information, and are sent after encrypting Give management of process node;
C5, management of process node are decrypted, and the authenticity of verification process certificate with it is ageing;
C6, management of process node use session key process private key, by process public key certificate, session key agreement parameter with Process private key ciphertext is sent to the process in process operation node;
During process migration in C7, process operation node, by process name, new process run nodal information and migrating processes ask and Its signature is sent to management of process node;
C8, management of process node verification process authenticity, assess correlation and process the operation node resources of process and data Availability, if by,;
C9, management of process node will migrate mandate, timestamp and management of process node signature and be sent in process operation node Process;
Process migration process in C10, process operation node, mandate will be migrated and be sent to new process operation node;
New process operation node verification migration authorizes, enables process.
Safety create with the method information needed of migrating processes include process name, process fingerprint, session key agreement parameter, Timestamp, process public key certificate, process private key, new process operation nodal information authorize with migration.
The protection device of data safety in a kind of big data cloud environment, it is characterised in that including:
Data confidentiality and integrity protection, including data slice decompose with sequence, data slice authentication code calculate, data slice sequence number with Authentication code encryption and decryption;
Process authenticity is protected, including process identity registration and process identity certification.
Information bank include data memory node in big data, the filename in data management node, data slice sequence number and Ciphertext, the filename in information security node, shared key, process name, process fingerprint, the session key agreement ginseng of its authentication code Number, process public key certificate, process private key, process operation nodal information, migration authorization message.
Data confidentiality and integrity protection module, when safety writes big data, by data fragmentation, it is out of order processing, Encryption data piece sequence number ensures the confidentiality of big data, and decryption ciphertext and data slice and its sequence number are verified when reading big data Authentication code ensures the integrality of big data;Process authenticity protection module, pass through process fingerprint application public key in the process of establishment Certificate carries out identity registration, obtains migration mandate after the authenticity of oneself identity is verified in migrating processes, is then migrated.
Instant invention overcomes the shortcomings that prior art it can be seen from technical scheme provided by the invention more than, there is provided one The guard method of data safety and device in kind big data cloud environment, enabling many-side, quickly and efficiently ensure big data Confidentiality and integrality, the authenticity of process, provide a safety, available big data cloud environment for the network user.
Brief description of the drawings
Fig. 1 is a kind of networking schematic diagram of data security protecting device in big data cloud environment;
Fig. 2 is the system structure diagram of the inventive method;
Fig. 3 is the timing diagram that the inventive method process reads safely big data;
Fig. 4 is the timing diagram that the inventive method process writes safely big data;
Fig. 5 is the timing diagram that the inventive method process is created and migrated safely.

Claims (6)

1. the guard method of data safety in a kind of big data cloud environment, it is characterised in that comprise the following steps:
A, the process in process operation node writes safely big data in data memory node;
B, the process in process operation node reads safely big data in data memory node;
C, the process in process operation node is created safely with moving in another process operation node.
2. the guard method of data safety in a kind of big data cloud environment according to claim 1, it is characterised in that described Step A includes:
Process in A1, process operation node treats data storage burst, calculates the authentication code of data slice, and carry out out of order place Reason;
File after processing is sent to data memory node by the process in A2, process operation node;
Process in A3, process operation node is to information security node application encryption key;
Encryption key is sent to application process by A4, information security node;
A5, the process encryption data piece sequence number in process operation node and its authentication code are simultaneously sent to data management node.
Safety, which reads big data method information needed, includes filename, data slice, data slice sequence number, authentication code and encryption key.
3. the guard method of data safety in a kind of big data cloud environment according to claim 1, it is characterised in that described Step B includes:
Process in B1, process operation node is to information security node application decruption key;
Decruption key is sent to application process by B2, information security node;
Process in B3, process operation node sends request for data piece sequence number to data management node and its authentication code ciphertext please Ask;
Data slice sequence number and its authentication code ciphertext are sent to the process in process operation node by B4, data management node;
B5, the process ciphertext data piece sequence number in process operation node and its authentication code;
Process in B6, process operation node is sent to data memory node reads request of data;
The process that B7, data memory node are run to process in node sends the file comprising out of order data slice and its authentication code;
Process in B8, process operation node calculates authentication code, the integrality for verifying data slice and data slice is ranked up.
Safety, which writes big data method information needed, includes filename, data slice, data slice sequence number, authentication code and decruption key.
4. the guard method of data safety in a kind of big data cloud environment according to claim 1, it is characterised in that described Step C includes:
When C1, process operation node create process, process fingerprint, session key agreement parameter and wound are sent to management of process node Build process requested;
C2, management of process node matching process fingerprint, assess process and data correlation and process operation node resource can With property, if by,;
C3, management of process node send public key certificate application to information security node;
C4, the authenticity in information security node verification solicitation message source are with ageing, and Generate Certificate information, and are sent after encrypting Give management of process node;
C5, management of process node are decrypted, and the authenticity of verification process certificate with it is ageing;
C6, management of process node use session key process private key, by process public key certificate, session key agreement parameter with Process private key ciphertext is sent to the process in process operation node;
During process migration in C7, process operation node, by process name, new process run nodal information and migrating processes ask and Its signature is sent to management of process node;
C8, management of process node verification process authenticity, assess correlation and process the operation node resources of process and data Availability, if by,;
C9, management of process node will migrate mandate, timestamp and management of process node signature and be sent in process operation node Process;
Process migration process in C10, process operation node, mandate will be migrated and be sent to new process operation node;
C11, the operation node verification migration of new process authorize, enable process.
Safety creates includes process name, process fingerprint, session key agreement parameter, time with the method information needed of migrating processes Stamp, process public key certificate, process private key, new process operation nodal information authorize with migration.
A kind of 5. protection device of data safety in big data cloud environment, it is characterised in that including:
Data confidentiality and integrity protection, including data slice decompose with sequence, data slice authentication code calculate, data slice sequence number with Authentication code encryption and decryption;
Process authenticity is protected, including process identity registration and process identity certification.
Information bank includes the big data in data memory node, the filename in data management node, data slice sequence number and its recognized Demonstrate,prove the ciphertext of code, the filename in information security node, shared key, process name, process fingerprint, session key agreement parameter, Process public key certificate, process private key, process operation nodal information, migration authorization message.
6. data confidentiality and integrity protection module, when safety writes big data, by data fragmentation, out of order processing plus Ciphertext data piece sequence number ensures the confidentiality of big data, and decryption ciphertext and recognizing for data slice and its sequence number is verified when reading big data Demonstrate,prove the integrality that code ensures big data;Process authenticity protection module, demonstrate,proved in the process of establishment by process fingerprint application public key Book carries out identity registration, obtains migration mandate after the authenticity of oneself identity is verified in migrating processes, is then migrated.
CN201710468716.8A 2017-06-20 2017-06-20 Method and device for protecting data security in big data cloud environment Active CN107404476B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710468716.8A CN107404476B (en) 2017-06-20 2017-06-20 Method and device for protecting data security in big data cloud environment

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201710468716.8A CN107404476B (en) 2017-06-20 2017-06-20 Method and device for protecting data security in big data cloud environment

Publications (2)

Publication Number Publication Date
CN107404476A true CN107404476A (en) 2017-11-28
CN107404476B CN107404476B (en) 2020-11-10

Family

ID=60404847

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201710468716.8A Active CN107404476B (en) 2017-06-20 2017-06-20 Method and device for protecting data security in big data cloud environment

Country Status (1)

Country Link
CN (1) CN107404476B (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108021677A (en) * 2017-12-07 2018-05-11 成都博睿德科技有限公司 The control method of cloud computing distributed search engine
CN108647230A (en) * 2018-03-29 2018-10-12 深圳市网心科技有限公司 Distributed storage method, electronic device and storage medium

Citations (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101383707A (en) * 2007-09-03 2009-03-11 郑建德 Light-weight authentication system and key algorithm
CN101483866A (en) * 2009-02-11 2009-07-15 中兴通讯股份有限公司 WAPI terminal certificate managing method, apparatus and system
US20100268936A1 (en) * 2007-06-25 2010-10-21 Hideki Matsushima Information security device and information security system
CN103473037A (en) * 2012-06-06 2013-12-25 索尼公司 Information processing apparatus, information processing method, and program
CN104636673A (en) * 2015-03-10 2015-05-20 四川中科腾信科技有限公司 Safe data storage method under big data background
CN105760781A (en) * 2016-03-02 2016-07-13 四川师范大学 Storage method, restoration method and operation method of ordered and derivable large-data files
EP3055965A1 (en) * 2013-10-08 2016-08-17 Commissariat à l'Énergie Atomique et aux Énergies Alternatives Method and device for the secure authentication and execution of programs
CN106169993A (en) * 2016-06-28 2016-11-30 北京华大领创智能科技有限公司 A kind of safety certifying method, equipment and server
CN106453390A (en) * 2016-11-11 2017-02-22 北京邮电大学 Cloud storage system
CN106612320A (en) * 2016-06-14 2017-05-03 四川用联信息技术有限公司 Encrypted data dereplication method for cloud storage

Patent Citations (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20100268936A1 (en) * 2007-06-25 2010-10-21 Hideki Matsushima Information security device and information security system
CN101383707A (en) * 2007-09-03 2009-03-11 郑建德 Light-weight authentication system and key algorithm
CN101483866A (en) * 2009-02-11 2009-07-15 中兴通讯股份有限公司 WAPI terminal certificate managing method, apparatus and system
CN103473037A (en) * 2012-06-06 2013-12-25 索尼公司 Information processing apparatus, information processing method, and program
EP3055965A1 (en) * 2013-10-08 2016-08-17 Commissariat à l'Énergie Atomique et aux Énergies Alternatives Method and device for the secure authentication and execution of programs
CN104636673A (en) * 2015-03-10 2015-05-20 四川中科腾信科技有限公司 Safe data storage method under big data background
CN105760781A (en) * 2016-03-02 2016-07-13 四川师范大学 Storage method, restoration method and operation method of ordered and derivable large-data files
CN106612320A (en) * 2016-06-14 2017-05-03 四川用联信息技术有限公司 Encrypted data dereplication method for cloud storage
CN106169993A (en) * 2016-06-28 2016-11-30 北京华大领创智能科技有限公司 A kind of safety certifying method, equipment and server
CN106453390A (en) * 2016-11-11 2017-02-22 北京邮电大学 Cloud storage system

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
李建平 等: ""借助文件加解密技术对企业数据安全共享的研究与实现"", 《第三届信息化创新克拉玛依国际学术论坛论文集》 *

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108021677A (en) * 2017-12-07 2018-05-11 成都博睿德科技有限公司 The control method of cloud computing distributed search engine
CN108647230A (en) * 2018-03-29 2018-10-12 深圳市网心科技有限公司 Distributed storage method, electronic device and storage medium
CN108647230B (en) * 2018-03-29 2021-10-08 深圳市网心科技有限公司 Distributed storage method, electronic device, and storage medium

Also Published As

Publication number Publication date
CN107404476B (en) 2020-11-10

Similar Documents

Publication Publication Date Title
EP3661120B1 (en) Method and apparatus for security authentication
CN114154135B (en) Internet of vehicles communication security authentication method, system and equipment based on state cryptographic algorithm
US10601801B2 (en) Identity authentication method and apparatus
More et al. Third party public auditing scheme for cloud storage
CN109687965B (en) Real-name authentication method for protecting user identity information in network
CN104935568A (en) Interface authentication signature method facing cloud platform
CN110784491A (en) Internet of things safety management system
CN107359998B (en) A kind of foundation and operating method of portable intelligent password management system
CN106850566B (en) Method and device for verifying data consistency
CN106060078B (en) User information encryption method, register method and verification method applied to cloud platform
CN105471584A (en) Identity authentication method based on quantum key encryption
CN105656862B (en) Authentication method and device
CN106027456A (en) Apparatus and method for authenticating network devices
WO2015003503A1 (en) Network device, terminal device and information security improving method
CN110401615A (en) A kind of identity identifying method, device, equipment, system and readable storage medium storing program for executing
WO2021190197A1 (en) Method and apparatus for authenticating biometric payment device, computer device and storage medium
CN103414699A (en) Authentication method for client certificate, server and client
CN112487380A (en) Data interaction method, device, equipment and medium
JP6533542B2 (en) Secret key replication system, terminal and secret key replication method
CN110572392A (en) Identity authentication method based on HyperLegger network
CN107404476A (en) The guard method of data safety and device in big data cloud environment
CN102629928A (en) Implementation method for safety link of internet lottery ticket system based on public key
CN104811421A (en) Secure communication method and secure communication device based on digital rights management
CN111404680B (en) Password management method and device
CN114553557A (en) Key calling method, key calling device, computer equipment and storage medium

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant