CN107919966B - Computer network safety controller - Google Patents

Computer network safety controller Download PDF

Info

Publication number
CN107919966B
CN107919966B CN201810019974.2A CN201810019974A CN107919966B CN 107919966 B CN107919966 B CN 107919966B CN 201810019974 A CN201810019974 A CN 201810019974A CN 107919966 B CN107919966 B CN 107919966B
Authority
CN
China
Prior art keywords
user
file
hard disk
processing unit
central processing
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201810019974.2A
Other languages
Chinese (zh)
Other versions
CN107919966A (en
Inventor
李家斌
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Zibo Vocational Institute
Original Assignee
Zibo Vocational Institute
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Zibo Vocational Institute filed Critical Zibo Vocational Institute
Priority to CN201810019974.2A priority Critical patent/CN107919966B/en
Publication of CN107919966A publication Critical patent/CN107919966A/en
Application granted granted Critical
Publication of CN107919966B publication Critical patent/CN107919966B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/321Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving a third party or a trusted authority
    • H04L9/3213Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving a third party or a trusted authority using tickets or tokens, e.g. Kerberos
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/10Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/10Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/101Access control lists [ACL]
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/10Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/102Entity profiles

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Storage Device Security (AREA)

Abstract

The invention belongs to the field of computer safety equipment, and discloses a computer network safety controller, which is provided with: the system comprises a network card, a relay, a hard disk reading and monitoring module, a secret hard disk, a relay driver, a network data monitoring module, a central processing unit, a non-secret hard disk, a single chip microcomputer and an electric control power supply; the network card, the relay, the hard disk reading monitoring module and the secret hard disk are sequentially and electrically connected; the relay is electrically connected with the relay driver; the network data monitoring module is electrically connected with the central processing unit; the central processing unit is electrically connected with the non-confidential hard disk and the singlechip; the singlechip is electrically connected with the electric control power supply. The invention realizes the security of the computer secret hard disk through the relay selective function, thereby simplifying the structure, improving the computer network security, having low manufacturing cost and high security, effectively preventing the network from invading and stealing the resources of the local hard disk, having good practical value and being very worthy of popularization and use.

Description

Computer network safety controller
Technical Field
The invention belongs to the field of computer safety equipment, and particularly relates to a computer network safety controller.
Background
With the rapid development of computer technology and network technology, computers have become indispensable tools in people's work and life. In addition, with the development of the internet, most computers have access to the network. Therefore, the information security of the computer is also seriously threatened. Such as network information theft, information attack, and virus propagation. In order to prevent potential safety hazards brought by the network, large enterprises are provided with local area network switches and firewalls. However, this approach is too costly for small businesses or personal computers to implement. Therefore, most of the computer network security controllers in the prior art implement network security of a computer by selectively operating a plurality of hard disks through setting a plurality of relays or double-pole double-throw switches. However, the network security controller in the prior art has many internal devices and a complex structure.
In a computer network security encryption scheme, different users encrypt their own data with different keys, and therefore, the same data from different users have different ciphertext forms, which makes deletion of duplicate data difficult to achieve. Convergent encryption provides a viable way to implement deduplication. It uses a convergent key in encrypting/decrypting a copy of data, the key being generated by computing an encrypted hash of the contents of the copy of data. After key generation and data encryption, the user retains the key and sends the ciphertext into the cloud. Since deterministic encryption is employed, the same copy of the data will yield the same convergence key and the same ciphertext.
To prevent unauthorized access, a secure provable data possession protocol is used to provide proof that the user really owns and appears with that file in duplicate. After certification, the server will assign a pointer to each of these users with the same file, and the users do not need to upload the same file. The user can download the encrypted file using the pointer provided by the server, which can only be decrypted by the corresponding data owner using the convergence key. Thus, the converged encryption technique may enable deduplication of ciphertext by the cloud and may prevent access to files by unauthorized users by providing proof of ownership. However, previous deduplication systems do not support hierarchical-authority duplicate checking, but such duplicate checking is important in many applications. For example, in a company, many different rights will be assigned to employees. For cost-effective and efficient management, data will be transferred to storage server providers (singlechips) in the public cloud, also using deduplication technology to keep only one copy of the same file. Also, for privacy reasons, some files will be encrypted and only some users with specified rights will be allowed to make repeated checks, thereby achieving access control.
Conventional deduplication systems are based on a convergence property that, while providing some degree of confidentiality for data, does not support different authority deduplication. In other words, in a deduplication system based on convergent encryption techniques, the issues regarding differential grants are not considered. This is because data deduplication and checking of copies of different rights are inherently contradictory.
To demonstrate the deficiencies of the prior art, the present inventors first designed one such deduplication system using the aforementioned token generator TagGen (F, kp). Suppose there are n users in the system, and their set of permissions is P ═ P1,``````,ps-selecting a kp for each P in P, for a set of owning permissionsPUIs assigned a key set kpξ}Pξ∈PU
Uploading a file: imagine a set of owning permissions PUThe data owner U wants to upload the file F and associate the file with the set of owning permissions
Figure BDA0001543227340000021
Is shared, and for each P ∈ PFThe user calculates and sends a file token phi F, k to a public cloud storage service provider (singlechip)p=TagGen(F,kp)
If the duplicate copies are found in the single chip microcomputer, the user can prove the ownership of the file, and if the file passes the verification, the user can be assigned a pointer which indicates that the file is allowed to be accessed.
If no duplicate copies are found, the user will utilize the convergence key kf=KeyGenCE(F) Computing an encrypted File CF=EncCE(kFF) and uploading (C)F,{φF,kp}) to the single chip, wherein the convergence key is stored locally at the user.
File retrieval: suppose a user wishes to download file F, first sends a file name and a download request to the single chip. After receiving the file name and the request, the single chip microcomputer firstly verifies whether the user has the authority to download the file F. If the verification fails, the single chip microcomputer returns a request to the user to be refused, and the information of the failure is downloaded. If the verification is successful, the singlechip returns the corresponding ciphertext C to the userF. User receives CFAnd then using the locally stored key kFAnd decrypting to obtain the original file F.
Constructing such a deduplication system with an authorization mechanism according to the above method has some serious security problems:
first, each user will get a set of private keys { kp according to their own rightsξ}Pξ∈PUMarked as PU. The user can utilize this private key set to generate a file token for a repeatability check. However, uploading on a fileIn the process, the user needs to calculate the right P to be owned by other usersFThe user of (1) is a shared file token. To generate these tokens, the user needs to know PFOf (2), that is to say PFCan only be from PUSelecting. This limitation makes deduplication systems with authorization mechanisms less widely applicable and limiting.
Secondly, the above deduplication system cannot resist collusion attacks initiated by users. Since users with the same rights will get the same private key. Therefore, it is possible for the user to collude as a new right P*Generating a set of privileged private keys, with the privilege P*And does not belong to any one of the users participating in the collusion. For example, a set of owning rights
Figure BDA0001543227340000031
The user and another user have a set of permissions
Figure BDA0001543227340000032
Collude to produce a new set of rights
Figure BDA0001543227340000033
This structure itself presents a threat of being vulnerable to brute force cracking, which will decrypt the file as a known file. Therefore, the deduplication system cannot protect the designated files. One key reason is that conventional convergent encryption systems can only protect the semantic security of non-deterministic files.
In summary, the problems of the prior art are as follows: the network safety controller in the prior art has more internal devices and a complex structure, and can not meet the requirements of users.
Disclosure of Invention
Aiming at the problems in the prior art, the invention provides a computer network security controller.
The invention is realized in this way, a computer network security controller is provided with:
the system comprises a network card, a relay, a hard disk reading and monitoring module, a secret hard disk, a relay driver, a network data monitoring module, a central processing unit, a non-secret hard disk, a single chip microcomputer and an electric control power supply.
The network card, the relay, the hard disk reading monitoring module and the secret hard disk are sequentially and electrically connected; the relay is electrically connected to the relay driver;
the network data monitoring module is electrically connected with the central processing unit; the central processing unit is electrically connected with the non-confidential hard disk and the singlechip; the single chip microcomputer is electrically connected with the electric control power supply.
A secret key generating unit is arranged in the secret hard disk and is connected with a network data monitoring module; the generation method of the key generation unit comprises the following steps:
and (3) public key generation: the public key consists of a finite field k, an addition and multiplication structure thereof and n quadratic polynomial;
and (3) private key generation: private key routing
Figure BDA0001543227340000041
Randomly chosen r linearly independent z1,…,zr∈k[x1,…,x2l]One point set P and two reversible affine transformations L1And L2And their inverse compositions;
the encryption process is to give (x) the plaintext M1′,…,xn') is encrypted with the selected public key to form a ciphertext Z' ═ Z (Z)1′,…,zn′);
The decryption process is the reverse process of encryption, and the secret key used for decryption is a selected private key;
the network data monitoring module carries out user identity certification on the data generated by the key generation unit in the central processing unit;
after the identity certificate passes, the central processing unit searches the corresponding authority of the user in a list stored by the central processing unit; otherwise, carrying out user identity certification on the central processing unit by the user and sending the hash function to the central processing unit; meanwhile, the user sends a request file token to the central processing unit;
the user obtains a token of the user right corresponding to the file and sends the token to the single chip microcomputer, and the single chip microcomputer returns a signature to the user after receiving the file token;
the user sends the authority set of the file and/or the data and the signature to the central processing unit privately;
the central processing unit verifies the signature, and after the signature passes, the central processing unit calculates a file token for each file and/or data authority set and returns the file token to the user;
and the user calculates the encrypted file and/or data by using the convergence key and uploads the ciphertext and the access strategy to the singlechip.
Further, the user obtains the file token and sends the file token to the single chip microcomputer, and when finding that the duplicate copy exists, the method further comprises the following steps:
the user and the single chip cloud verify ownership of the file and/or data at the same time;
after the ownership verification, the single chip microcomputer allocates a pointer of the file and/or data to the user and returns a signature to the user;
the user sends the authority set of the file and/or data and the signature to the central processor;
the central processing unit verifies the signature, and after the signature passes, the central processing unit calculates the file authority which is not possessed by each user to obtain a file token and returns the file token to the user;
and the user uploads the file token of the file and/or the data to the central processing unit, and sets the authority set of the file and/or the data.
Further, the process of center map reconstruction includes the steps of:
firstly, selecting r as a smaller integer, and randomly selecting r linear independent equations
Figure BDA0001543227340000051
K mapping Z2l→krThe determination is as follows:
Z(x1,…,x2l)=(z1(x1,…,x2l),…,zr(x1,…,x2l)),
secondly, 2l polynomials of total degree 2 are randomly selected
Figure BDA0001543227340000052
Mapping
Figure BDA0001543227340000053
The determination is as follows:
then, a perturbation map F is defined*:k2l→k2lIs composed of
Figure BDA0001543227340000061
And Z in combination:
wherein f is1 *,…,f2l *∈k[x1,…,x2l],
Finally, mapping F with internal perturbation*Perturbing the original center mapping
Figure BDA0001543227340000062
The new public key maps to:
Figure BDA0001543227340000063
the public key generation comprises the following steps:
A1. selecting a finite field k and an addition and multiplication structure thereof;
A2. 2l quadratic polynomial sets were chosen:
f1(x1,…,x2l),…,f2l(x1,…,x2l)∈k[x1,…,x2l];
the private key generation comprises the following steps:
B1. selecting a mapping
Figure BDA0001543227340000064
I.e. two random numbers alpha1,α2
B2. Randomly selecting r linearly independent z1,…,zr∈k[x1,…,xn];
B3. Selecting a point set P, P being all mappings
Figure BDA0001543227340000065
The set of images and pre-images of (a), namely:
Figure BDA0001543227340000066
the point set P is composed of 2l quadratic polynomials selected randomly
Figure BDA0001543227340000067
Determining;
B4. selecting two reversible affine transformations L1And L2And their inverse;
the encryption process comprises the following steps:
C1. given message M ═ x1′,…,xn′);
C2. Encrypting the plaintext by using the selected public key, wherein the encrypted ciphertext is as follows:
Z′=(z1′,…,zn') wherein
Figure BDA0001543227340000068
i=1,2,…,n。
The decryption process comprises the following steps:
D1. after obtaining the ciphertext Z' ═ Z1′,…,z2l') thereafter, first calculate:
Y′=L2 -1(Z′)=(y1′,…,y2l′);
D2. for each point (μ, λ) in the set of points P, calculate:
Figure BDA0001543227340000071
then verify Z (y)1″,…,y2lμ), if not, discarding the set of values; otherwise, carrying out the next step;
D3. and finally, calculating:
M′=L1 -1(y1″,…,y2l″)=(m1′,…,m2l′),
if there is only one unique group (m)1′,…,m2l') then M' must be the corresponding plaintext if more than one set (M) is available1′,…,m2l') the unique plaintext is determined using a Hash function or adding a validation equation.
Further, the non-secret hard disk is a mobile hard disk or a read-only hard disk.
Further, the model of the relay is RM35TF 30.
Further, the electric control power supply is controlled to be disconnected through a single chip microcomputer.
The invention realizes the security of the computer secret hard disk through the relay selective function, thereby simplifying the structure, improving the computer network security, having low manufacturing cost and high security, effectively preventing the network from invading and stealing the resources of the local hard disk, having good practical value and being very worthy of popularization and use.
On one hand, the hybrid cloud system architecture is used, so that higher safety is provided; on the other hand, the invention can ensure the safety of the file of which the information can be predicted.
Drawings
FIG. 1 is a schematic structural diagram of a computer network security controller according to an embodiment of the present invention;
in the figure: 1. a network card; 2. a relay; 3. a hard disk reading monitoring module; 4. a secret hard disk; 5. a relay driver; 6. a network data monitoring module; 7. a central processing unit; 8. a non-secure hard disk; 9. a single chip microcomputer; 10. an electrically controlled power supply.
Detailed Description
In order to further understand the contents, features and effects of the present invention, the following embodiments are illustrated and described in detail with reference to the accompanying drawings.
The structure of the present invention will be described in detail below with reference to the accompanying drawings.
As shown in fig. 1, a computer network security controller provided by an embodiment of the present invention includes: the system comprises a network card 1, a relay 2, a hard disk reading monitoring module 3, a secret hard disk 4, a relay driver 5, a network data monitoring module 6, a central processing unit 7, a non-secret hard disk 8, a single chip microcomputer 9 and an electric control power supply 10.
The network card 1, the relay 2, the hard disk reading monitoring module 3 and the confidential hard disk 4 are sequentially and electrically connected; the relay 2 is electrically connected to the relay driver 5; the network data monitoring module 6 is electrically connected to the central processor 7; the central processing unit 7 is electrically connected with the non-confidential hard disk 8 and the singlechip 9; the single chip microcomputer 9 is electrically connected to the electric control power supply 10.
The non-secret hard disk 8 is a mobile hard disk or a read-only hard disk.
The relay 2 is of the type RM35TF 30.
The electric control power supply 10 is controlled to be disconnected by the singlechip 9.
A secret key generating unit is arranged in the secret hard disk and is connected with a network data monitoring module; the generation method of the key generation unit comprises the following steps:
and (3) public key generation: the public key consists of a finite field k, an addition and multiplication structure thereof and n quadratic polynomial;
and (3) private key generation: the private key is mapped F to r linearly independent z randomly selected1,…,zr∈k[x1,…,x2l]One point set P and two reversible affine transformations L1And L2And their inverse compositions;
the encryption process is to give (x) the plaintext M1′,…,xn') use the selectionThe public key is taken and encrypted to form a ciphertext Z' ═ Z1′,…,zn′);
The decryption process is the reverse process of encryption, and the secret key used for decryption is a selected private key;
the network data monitoring module carries out user identity certification on the data generated by the key generation unit in the central processing unit;
after the identity certificate passes, the central processing unit searches the corresponding authority of the user in a list stored by the central processing unit; otherwise, carrying out user identity certification on the central processing unit by the user and sending the hash function to the central processing unit; meanwhile, the user sends a request file token to the central processing unit;
the user obtains a token of the user right corresponding to the file and sends the token to the single chip microcomputer, and the single chip microcomputer returns a signature to the user after receiving the file token;
the user sends the authority set of the file and/or the data and the signature to the central processing unit privately;
the central processing unit verifies the signature, and after the signature passes, the central processing unit calculates a file token for each file and/or data authority set and returns the file token to the user;
and the user calculates the encrypted file and/or data by using the convergence key and uploads the ciphertext and the access strategy to the singlechip.
The user obtains the file token and sends the file token to the single chip microcomputer, and when finding that the duplicate copy exists, the method further comprises the following steps:
the user and the single chip cloud verify ownership of the file and/or data at the same time;
after the ownership verification, the single chip microcomputer allocates a pointer of the file and/or data to the user and returns a signature to the user;
the user sends the authority set of the file and/or data and the signature to the central processor;
the central processing unit verifies the signature, and after the signature passes, the central processing unit calculates the file authority which is not possessed by each user to obtain a file token and returns the file token to the user;
and the user uploads the file token of the file and/or the data to the central processing unit, and sets the authority set of the file and/or the data.
Further, the process of center map reconstruction includes the steps of:
firstly, selecting r as a smaller integer, and randomly selecting r linear independent equations
Figure BDA0001543227340000091
K mapping Z2l→krThe determination is as follows:
Z(x1,…,x2l)=(z1(x1,…,x2l),…,zr(x1,…,x2l)),
secondly, 2l polynomials of total degree 2 are randomly selected
Figure BDA0001543227340000101
Mapping
Figure BDA0001543227340000102
The determination is as follows:
then, a perturbation map F is defined*:k2l→k2lIs composed of
Figure BDA0001543227340000103
And Z in combination:
wherein f is1 *,…,f2l *∈k[x1,…,x2l],
Finally, mapping F with internal perturbation*Perturbing the original center mapping
Figure BDA0001543227340000104
The new public key maps to:
Figure BDA0001543227340000105
the public key generation comprises the following steps:
A1. selecting a finite field k and an addition and multiplication structure thereof;
A2. 2l quadratic polynomial sets were chosen:
f1(x1,…,x2l),…,f2l(x1,…,x2l)∈k[x1,…,x2l];
the private key generation comprises the following steps:
B1. selecting a mapping
Figure BDA0001543227340000106
I.e. two random numbers alpha1,α2
B2. Randomly selecting r linearly independent z1,…,zr∈k[x1,…,xn];
B3. Selecting a point set P, P being all mappings
Figure BDA0001543227340000107
The set of images and pre-images of (a), namely:
Figure BDA0001543227340000108
the point set P is composed of 2l quadratic polynomials selected randomly
Figure BDA0001543227340000109
Determining;
B4. selecting two reversible affine transformations L1And L2And their inverse;
the encryption process comprises the following steps:
C1. given message M ═ x1′,…,xn′);
C2. Encrypting the plaintext by using the selected public key, wherein the encrypted ciphertext is as follows:
Z′=(z1′,…,zn') wherein
Figure BDA0001543227340000111
i=1,2,…,n。
The decryption process comprises the following steps:
D1. after obtaining the ciphertext Z' ═ Z1′,…,z2l') thereafter, first calculate:
Y′=L2 -1(Z′)=(y1′,…,y2l′);
D2. for each point (μ, λ) in the set of points P, calculate:
Figure BDA0001543227340000112
then verify Z (y)1″,…,y2lμ), if not, discarding the set of values; otherwise, carrying out the next step;
D3. and finally, calculating:
M′=L1 -1(y1″,…,y2l″)=(m1′,…,m2l′),
if there is only one unique group (m)1′,…,m2l') then M' must be the corresponding plaintext if more than one set (M) is available1′,…,m2l') the unique plaintext is determined using a Hash function or adding a validation equation.
The non-secret hard disk is a mobile hard disk or a read-only hard disk.
The model of the relay is RM35TF 30.
The electric control power supply is controlled to be disconnected by the singlechip.
In the initialization state, when the coil of the relay 2 loses power, the network card 1 connected with the normally open contact of the relay 2 does not work, and the confidential hard disk 4 connected with the normally closed contact of the relay 2 can work normally. At this time, data transmission is possible between the secure hard disk 4 and the central processing unit 7. After the data transmission of the confidential hard disk 4 is completed and the confidential hard disk needs to be connected with a network, the relay driver 5 can drive the coil of the relay 2 to be electrified, the relay 2 is in a suction state, the normally open contact of the relay is connected and the normally closed contact of the relay is disconnected, so that the network card 1 connected with the normally open contact of the relay 2 starts to work, and the confidential hard disk connected with the normally closed contact of the relay stops working. Therefore, only one of the network card 1 and the confidential hard disk 4 can work normally all the time, and the safety of information needing to be confidential is guaranteed. When the computer works normally, the computer body adopts a self-contained hard disk to read and write data normally, the network data monitoring module 6 monitors whether an external network IP reads local data in real time, the hard disk data reading and monitoring module 3 monitors whether the hard disk has read and write behaviors in real time and sends monitored information to the single chip microcomputer 9, the single chip microcomputer 9 judges, and once the external network IP is judged to read the local hard disk data, the single chip microcomputer 9 cuts off the power supply by controlling an electric control power supply to prevent confidential information from being lost.
The invention realizes the security of the computer security hard disk through the relay selective function, thereby simplifying the structure, improving the computer network security, having low manufacturing cost and high security, effectively preventing the network from invading and stealing the resources of the local hard disk, having good practical value and being very worthy of popularization and use.
Example one
A binary relationship R { (p, p ') } is defined first, given two permissions p and p', and p 'match if and only if R (p, p') is 1.
System setting: suppose there are n users in the system, and their set of permissions is P ═ P1,``````,psFor each piSelecting a symmetric key by e P
Figure BDA0001543227340000121
Set of keys
Figure BDA0001543227340000122
Will be sent into the private cloud. In addition, an identity is also definedOther protocols piof and Verify respectively represent algorithms for certification and verification. Also, assume that each user U also has a secret key skUUsed for identity recognition with the server. Suppose user U has permission set PUAnd also initiates the PoW protocol "PoW" to prove ownership of the file. The central processor will maintain a table storing the public information pk for each userUAnd corresponding set of permissions PU. The file storage system of the storage server is set to be ^ T
Uploading a file: suppose a data owner wants to upload a file F and have that file belong to the right of ownership PF={pjOther users of. The data owner needs to perform an interaction before performing a repeatability check in the single chip microcomputer and before performing the repeatability check in the private cloud. Specifically, the data owner needs to perform an identity authentication to prove the consistency with the private key sk. If the verification is passed, the central processor finds the corresponding authority P of the data owner in the stored listU. The user calculates phi F taggen (F) and sends it to the central processor, which returns to the user a message for each p τ that matches R (p, p τ) 1
Figure BDA0001543227340000131
Wherein P ∈ PU. Then, the user will interact with the single chip microcomputer and send a file token to the single chip microcomputer
Figure BDA0001543227340000132
If the duplicate copies are found, the user needs to operate the PoW protocol 'POW' simultaneously with the single chip microcomputer to prove ownership of the file. If the ownership verification is passed, the user will be provided with a pointer to the file. At the same time, a certificate from the single-chip will be returned, which may be based on
Figure BDA0001543227340000133
And a signature of the timestamp. The user then sends to the central processor a set of permissions P for the file FF={pjAnd the signatures described above. After receiving the request, the CPU firstly verifies the signature to the single chip microcomputer, and if the signature passes the verification, the CPU verifies each pj∈PF-PUComputing
Figure BDA0001543227340000134
And returned to the user. The user also uploads the tokens of these files F to the central processor at the same time, and then the authority set of this file will be set to pF
If no duplicate copies are found, the single chip will also return a certificate, which is also based on
Figure BDA0001543227340000135
And a signature of the timestamp. User sends authority set P about file F to central processorF={pjAnd the signatures described above. After receiving the request, the CPU firstly verifies the signature to the single chip microcomputer, and if the signature passes the verification, the CPU verifies each pj∈PFComputing
Figure BDA0001543227340000136
And returned to the user. Finally, the user will utilize the convergence key kF=KeyGenCE(F) Computing an encrypted File CF=EncCE(kFF) and uploading
Figure BDA0001543227340000137
And PF
And (3) file filtering: the user downloads his own files as in the first previous attempt. That is, after receiving the encrypted data from the single chip microcomputer, the user can use the convergence secret key kFTo decrypt the most original file.
The invention is further improved to resist the threat brought by brute force cracking:
the method for deleting the repeated data based on different authorities comprises a singlechip, a central processing unit and a plurality of users with different authorities, and comprises the following steps:
s1, the user uploads files and/or data to the single chip microcomputer and shares the files and/or data with other users;
s2, the user carries out user identification at the central processor and sends the H (F) to the central processor;
after the identity certification is passed in S3, all two file label sets satisfying p τ with R (p, p τ) ═ 1 are subjected to
Figure BDA0001543227340000141
And
Figure BDA0001543227340000142
will be fed back to the user;
s4 user receiving label
Figure BDA0001543227340000143
And
Figure BDA0001543227340000144
then, the signature is sent to the singlechip interacting with the singlechip, and the singlechip returns the signature after receiving the label;
s5 the user sending the signature and the set of file and/or data permissions to the central processor to request uploading of files and/or data;
s6 the CPU receives the request and verifies the signature, and after passing the request, the CPU verifies the signature for each pjE.g. P calculation
Figure BDA0001543227340000145
And
Figure BDA0001543227340000146
and returning the calculated result to the user;
s7 the user calculates the encryption C of the file and/or dataFEncSE (k, F), user upload
Figure BDA0001543227340000147
It should be further noted that when the duplicate copies are found, the method further includes that the user and the single chip microcomputer verify ownership of the files and/or data at the same time, and after the verification is passed, the user is assigned a pointer of the files and/or data.
The above description is only for the preferred embodiment of the present invention, and is not intended to limit the present invention in any way, and all simple modifications, equivalent variations and modifications made to the above embodiment according to the technical spirit of the present invention are within the scope of the technical solution of the present invention.

Claims (3)

1. A computer network security controller, characterized in that the computer network security controller is provided with: the system comprises a network card, a relay, a hard disk reading and monitoring module, a secret hard disk, a relay driver, a network data monitoring module, a central processing unit, a non-secret hard disk, a single chip microcomputer and an electric control power supply;
the network card, the relay, the hard disk reading monitoring module and the secret hard disk are sequentially and electrically connected; the relay is electrically connected to the relay driver;
the network data monitoring module is electrically connected with the central processing unit; the central processing unit is electrically connected with the non-confidential hard disk and the singlechip; the single chip microcomputer is electrically connected with the electric control power supply;
a secret key generating unit is arranged in the secret hard disk and is connected with a network data monitoring module; the generation method of the key generation unit comprises the following steps:
and (3) public key generation: the public key consists of a finite field k, an addition and multiplication structure thereof and n quadratic polynomial;
and (3) private key generation: private key routing
Figure FDA0002931899440000011
Randomly chosen r linearly independent z1,…,zr∈k[x1,…,x2l]One point set P and two reversible imitationsTransformation of ray L1And L2And their inverse compositions;
the encryption process is to give (x) the plaintext M1′,…,xn') is encrypted with the selected public key to form a ciphertext Z' ═ Z (Z)1′,…,zn′);
The decryption process is the reverse process of encryption, and the secret key used for decryption is a selected private key;
the network data monitoring module carries out user identity certification on the data generated by the key generation unit in the central processing unit;
after the identity certificate passes, the central processing unit searches the corresponding authority of the user in a list stored by the central processing unit; otherwise, carrying out user identity certification on the central processing unit by the user and sending the hash function to the central processing unit; meanwhile, the user sends a request file token to the central processing unit;
the user obtains a token of the user right corresponding to the file and sends the token to the single chip microcomputer, and the single chip microcomputer returns a signature to the user after receiving the file token;
the user sends the authority set of the file and/or the data and the signature to the central processing unit privately;
the central processing unit verifies the signature, and after the signature passes, the central processing unit calculates a file token for each file and/or data authority set and returns the file token to the user;
the user calculates the encrypted file and/or data by using the convergence key and uploads the ciphertext and the access strategy to the single chip microcomputer;
the user obtains the file token and sends the file token to the single chip microcomputer, and when finding that the duplicate copy exists, the method further comprises the following steps:
the user and the single chip microcomputer simultaneously verify the ownership of the file and/or data;
after the ownership verification, the single chip microcomputer allocates a pointer of the file and/or data to the user and returns a signature to the user;
the user sends the authority set of the file and/or data and the signature to the central processor;
the central processing unit verifies the signature, and after the signature passes, the central processing unit calculates the file authority which is not possessed by each user to obtain a file token and returns the file token to the user;
the user uploads the file token of the file and/or the data to the central processing unit, and sets an authority set of the file and/or the data;
the process of map reconstruction includes the steps of:
firstly, selecting r as a smaller integer, and randomly selecting r linear independent equations
Figure FDA0002931899440000021
Figure FDA0002931899440000022
Figure FDA0002931899440000023
Mapping Z: k is a radical of2l→kγThe determination is as follows:
Z(x1,…,x2l)=(z1(x1,…,x2l),…,zr(x1,…,x2l)),
secondly, 2l polynomials of total degree 2 are randomly selected
Figure FDA0002931899440000031
Mapping
Figure FDA0002931899440000032
kr→k2lThe determination is as follows:
then, a perturbation map F is defined*:k2l→k2lIs composed of
Figure FDA0002931899440000033
And Z in combination:
wherein f is1 *,…,f2l *∈k[x1,…,x2l],
Finally, mapping F with internal perturbation*Perturbing the original mapping
Figure FDA0002931899440000034
The new public key maps to:
Figure FDA0002931899440000035
the public key generation comprises the following steps:
A1. selecting a finite field l and an addition and multiplication structure thereof;
A2. 2l quadratic polynomial sets were chosen:
f1(x1,…,x2l),…,f2l(x1,…,x2l)∈k[x1,…,x2l];
the private key generation comprises the following steps:
B1. selecting a mapping
Figure FDA0002931899440000036
I.e. two random numbers alpha1,α2
B2. Randomly selecting r linearly independent z1,…,zr∈k[x1,…,xn];
B3. Selecting a point set P, P being all mappings
Figure FDA0002931899440000037
kr→k2lThe set of images and pre-images of (a), namely:
Figure FDA0002931899440000038
the point set P is composed of 2l quadratic polynomials selected randomly
Figure FDA0002931899440000039
Determining;
B4. selecting two reversible affine transformations L1And L2And their inverse;
the encryption process comprises the following steps:
C1. given message M ═ x1′,…,xn′);
C2. Encrypting the plaintext by using the selected public key, wherein the encrypted ciphertext is as follows:
Z′=(z′1,…,z′n) Wherein
Figure FDA0002931899440000041
The decryption process comprises the following steps:
D1. after obtaining the ciphertext Z' (Z)1′,…,z2l') thereafter, first calculate:
Y′=L2 -1(Z′)=(y1′,…,y2l′);
D2. for each point (μ, λ) in the set of points P, calculate:
Figure FDA0002931899440000042
then verify Z (y)1″,…,y2lμ), if not, discarding the set of values; otherwise, carrying out the next step;
D3. and finally, calculating:
M′=L1 -1(y1″,…,y2l″)=(m1′,…,m2l′),
if there is only one unique group (m)1′,…,m2l') then M' must be the corresponding plaintext if more than one set (M) is available1′,…,m2l') the unique plaintext is determined using a Hash function or adding a validation equation.
2. The computer network security controller of claim 1, wherein the unsecure hard disk is a removable hard disk.
3. The computer network security controller of claim 1, wherein the electronically controlled power supply is controlled to be turned off by a single-chip microcomputer.
CN201810019974.2A 2018-01-09 2018-01-09 Computer network safety controller Active CN107919966B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201810019974.2A CN107919966B (en) 2018-01-09 2018-01-09 Computer network safety controller

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201810019974.2A CN107919966B (en) 2018-01-09 2018-01-09 Computer network safety controller

Publications (2)

Publication Number Publication Date
CN107919966A CN107919966A (en) 2018-04-17
CN107919966B true CN107919966B (en) 2021-06-15

Family

ID=61891391

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201810019974.2A Active CN107919966B (en) 2018-01-09 2018-01-09 Computer network safety controller

Country Status (1)

Country Link
CN (1) CN107919966B (en)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108521431A (en) * 2018-04-25 2018-09-11 信阳师范学院 A kind of information security of computer network system
CN109039602B (en) * 2018-07-26 2021-01-19 大连理工大学 Finite field symmetric key management method applied to intelligent substation
CN109214160A (en) * 2018-09-14 2019-01-15 温州科技职业学院 A kind of computer network authentication system and method, computer program

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103501227A (en) * 2013-10-23 2014-01-08 西安电子科技大学 Improved multi-variable public key cryptogram encryption and decryption scheme
CN105468999A (en) * 2015-11-17 2016-04-06 北京奇虎科技有限公司 Data security method and mobile hard disk
CN205594636U (en) * 2016-04-09 2016-09-21 新疆大学 Computer network security controller
CN106096368A (en) * 2016-06-16 2016-11-09 成都才智圣有科技有限责任公司 Computer data storage Anti-theft system
CN106096459A (en) * 2016-08-19 2016-11-09 黄广明 A kind of safety device for computer network

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103501227A (en) * 2013-10-23 2014-01-08 西安电子科技大学 Improved multi-variable public key cryptogram encryption and decryption scheme
CN105468999A (en) * 2015-11-17 2016-04-06 北京奇虎科技有限公司 Data security method and mobile hard disk
CN205594636U (en) * 2016-04-09 2016-09-21 新疆大学 Computer network security controller
CN106096368A (en) * 2016-06-16 2016-11-09 成都才智圣有科技有限责任公司 Computer data storage Anti-theft system
CN106096459A (en) * 2016-08-19 2016-11-09 黄广明 A kind of safety device for computer network

Also Published As

Publication number Publication date
CN107919966A (en) 2018-04-17

Similar Documents

Publication Publication Date Title
Riedel et al. A framework for evaluating storage system security
JP4857283B2 (en) Multipurpose content control by partitioning
JP4848039B2 (en) Memory system with multipurpose content control
JP4857284B2 (en) Control structure generation system for multi-purpose content control
EP2786292A1 (en) Methods and devices for securing keys for a non-secured, distributed environment with applications to virtualization and cloud-computing security and management
JP2008524755A5 (en)
JP2008524758A5 (en)
CN108632251B (en) Credible authentication method based on cloud computing data service and encryption algorithm thereof
CN107919966B (en) Computer network safety controller
CN113645039A (en) Communication information transmission system and method based on different authorities
CN114826702B (en) Database access password encryption method and device and computer equipment
Gajmal et al. Blockchain-based access control and data sharing mechanism in cloud decentralized storage system
Mahalakshmi et al. Effectuation of secure authorized deduplication in hybrid cloud
Bharat et al. A Secured and Authorized Data Deduplication in Hybrid Cloud with Public Auditing
WO2022212396A1 (en) Systems and methods of protecting secrets in use with containerized applications
Zeng et al. CloudSky: a controllable data self-destruction system for untrusted cloud storage networks
Idrissi et al. Security of mobile agent platforms using access control and cryptography
Nandini et al. Implementation of hybrid cloud approach for secure authorized deduplication
Venkatesh et al. Secure authorised deduplication by using hybrid cloud approach
Nadu MULTI AUTHORITY BASED INTEGRITY AUDITING AND PROOF OF STORAGE WITH DATA DEDUPLICATION IN CLOUD
Zhang et al. Improved CP-ABE Algorithm Based on Identity and Access Control
Kanimozhi et al. Secure Deduplication on Hybrid Cloud Storage with Key Management
Kamatchi et al. Data DEDUPLICATION Security with Dynamic Ownership Management
Mythili et al. Enhancing Role Based Access Control with Privacy in Cloud Computing.
Gapat et al. Securing data deduplication on hybrid cloud using asymmetric key algorithm

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant