CN108566277B - Data storage position-based data copy deleting method in cloud storage - Google Patents

Data storage position-based data copy deleting method in cloud storage Download PDF

Info

Publication number
CN108566277B
CN108566277B CN201711402587.9A CN201711402587A CN108566277B CN 108566277 B CN108566277 B CN 108566277B CN 201711402587 A CN201711402587 A CN 201711402587A CN 108566277 B CN108566277 B CN 108566277B
Authority
CN
China
Prior art keywords
cloud storage
data
storage server
user
verifier
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201711402587.9A
Other languages
Chinese (zh)
Other versions
CN108566277A (en
Inventor
宗跃
张俊伟
马建峰
王丹丹
杨超
李兴华
商磊
崔文璇
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Xidian University
Original Assignee
Xidian University
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Xidian University filed Critical Xidian University
Priority to CN201711402587.9A priority Critical patent/CN108566277B/en
Publication of CN108566277A publication Critical patent/CN108566277A/en
Application granted granted Critical
Publication of CN108566277B publication Critical patent/CN108566277B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3271Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using challenge-response
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/04Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/12Applying verification of the received information
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00Network arrangements or protocols for supporting network services or applications
    • H04L67/01Protocols
    • H04L67/10Protocols in which an application is distributed across nodes in the network
    • H04L67/1097Protocols in which an application is distributed across nodes in the network for distributed storage of data in networks, e.g. transport arrangements for network file system [NFS], storage area networks [SAN] or network attached storage [NAS]
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/06Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
    • H04L9/0643Hash functions, e.g. MD5, SHA, HMAC or f9 MAC
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0819Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • H04L9/0822Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) using key encryption key
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0819Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • H04L9/083Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) involving central third party, e.g. key distribution center [KDC] or trusted third party [TTP]
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3236Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions
    • H04L9/3239Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions involving non-keyed hash functions, e.g. modification detection codes [MDCs], MD5, SHA or RIPEMD

Abstract

The invention discloses a data copy deleting method based on a data storage position in cloud storage, which comprises the following implementation steps: the user generates a challenge and sends the challenge to the verifier, the verifier sends corresponding messages to the cloud storage server at different moments respectively, the cloud storage server calculates the verification evidence and returns the verification evidence to the verifier, the verifier judges whether the cloud storage server is located at a position designated by the user according to the moment when the cloud storage server returns the verification evidence and the content of the verification evidence, if the cloud storage server is located at the position designated by the user, the cloud storage server stores user data and deletes a data copy, and if not, the user does not send the data. The invention can delete the data copy with the storage position meeting certain geographical position conditions, thereby improving the safety and meeting the individual requirements of users.

Description

Data storage position-based data copy deleting method in cloud storage
Technical Field
The invention belongs to the technical field of information security, and further relates to a data copy deleting method based on a data storage position in cloud storage in the technical field of network information security. The method can be applied to a cloud storage application scene, and for the cloud storage server meeting a certain geographic position condition, the security duplicate removal technology in cloud computing is applied to delete the user data duplicate stored in the cloud storage server, so that the data security in the transmission and storage process is ensured while the data duplicate is deleted.
Background
Data deduplication is a process of clearing data redundancy, and is a lossless compression mode of data. With the continuous development of cloud computing, the problem of cloud computing security is increasingly highlighted. Under the condition that the cloud server is not trusted by the user, the user needs to encrypt the file before uploading the file to the cloud storage server, but the use of the deduplication technology is seriously influenced by data encryption. Since deduplication and encryption are contradictory, deduplication is to save storage space, and encryption is to make ciphertext unrecognizable in a large amount of random data. Therefore, the cloud storage server must implement a combination of data encryption and deduplication technologies to achieve efficient storage.
A method for deleting data copies is disclosed in the paper "Secure and Efficient Cloud data reduction" With Randomized Tag "(IEEE TRANSACTION INFORMATION FOR TRANSICSAND SECURITY, VOL,12, NO.3, MARCH 2017) published by Tao Jiang, Xiiaofeng Chen. The method firstly uses a convergence encryption CE method to encrypt user data by taking the hash value of a data block as a convergence key. Secondly, the same data are subjected to Hash operation to generate the same data cipher text, then the same tag value is generated, before a user stores a certain data in a cloud storage server, the cloud storage server judges whether the tag value identical to the tag value of the data exists or not, then whether the data are stored in the cloud storage server or not is determined according to the judgment result, if the tag value identical to the tag value of the data exists in the cloud storage server, the user does not need to send the data cipher text to the cloud storage server, and only one pointer is added to indicate an owner of the data; if the same tag value as that of the data does not exist in the cloud storage server, the user directly sends the data ciphertext to the cloud storage server, and the cloud storage server stores the data ciphertext. The method solves the contradiction problem of encryption and de-duplication. However, the method still has the disadvantages that collusion attack of enemies cannot be resisted, and keys can be leaked, so that data leakage is caused.
The patent document applied by Nanjing university of science and engineering, "client secure deduplication of ciphertext data in cloud storage" (patent application No. 201610539947.9, publication No. CN 105939191A) discloses a method for secure deduplication of ciphertext clients in cloud storage. The method constructs a safe key generation protocol based on the blind signature, realizes the secondary encryption of the convergence key, ensures the security of the key, and provides a new ownership proving method based on the signature on the basis. The method can ensure that a user proves that the user really has a certain file at the cloud end to the cloud server in a safer and more efficient mode, and can simultaneously realize the duplicate removal of the ciphertext file. However, the method still has the disadvantages that the personalized requirements of the user cannot be met, the data of the storage position at the designated position of the user is deleted, the verification of the position cannot be supported, and the legality of the data storage position is ensured.
Sometimes, according to the personalized requirements of users, only data with storage locations meeting certain geographical location conditions can be deleted. From the perspective of a user, due to certain specific requirements or limitations of certain laws and regulations, data must be stored within a certain geographical location range, and from the perspective of a cloud storage server, in order to save storage space, improve system performance, reduce software and hardware maintenance costs, it is necessary to delete redundant data. However, there are representative protocols that can secure the data storage location, such as: the Lost protocol and the geoprodo protocol cannot support data deduplication; the existing scheme for deleting the data copy cannot support the verification of the position. Therefore, a method for simultaneously supporting data storage location verification and secure deduplication, that is, a data copy deleting method based on a data storage location in cloud storage, needs to be designed to implement that only data meeting a certain location attribute can delete a data copy.
Disclosure of Invention
The invention aims to provide a data copy deleting method based on a data storage position in cloud storage, aiming at the defects of the prior art. According to the method, the position of the cloud storage server is judged by using the position password, and the position password is applied to the deleted data copy, so that the personalized requirements of users are met, and the safety is improved.
The cloud storage server receives the verification evidence and sends the verification evidence to the verifier, the verifier judges whether the cloud storage server is located at a position designated by the user according to the time when the cloud storage server returns the verification evidence and the content of the verification evidence, and if the cloud storage server is located at the position designated by the user according to the personalized requirements of the user, the cloud storage server stores user data and deletes a data copy, otherwise, the user does not send the data.
The invention deletes the data copy for the user data with the data storage position at the appointed position, comprising the following steps:
(1) generating a key and a label:
(1a) calculating the hash value of each original text of the data to be encrypted by the user, and taking each hash value as a convergence key;
(1b) a user encrypts a data original text to be encrypted by using a convergence key to generate a corresponding data ciphertext, calculates a hash value of each data ciphertext, and takes each hash value as a label;
(1c) the user and the cloud storage server negotiate together to generate a negotiation key;
(2) the user creates a challenge:
(2a) the user encrypts the convergence key by using the negotiation key to generate a ciphertext and sends the ciphertext to the trusted third-party key management server;
(2b) a trusted third party key management server generates a random parameter;
(2c) the trusted third party key management server calculates the hash value of the XOR result after carrying out XOR calculation on the random parameter and the received ciphertext, and takes the obtained hash value as the challenge H;
(2d) a user generates a challenge Z by utilizing a pseudo random function PRF;
(3) the user issues a challenge:
the user sends two challenges H and Z to the verifier through a secure secret channel;
(4) the cloud storage server calculates verification evidence:
(4a) the first verifier generates two random numbers;
(4b) the first verifier sends the generated two random numbers to the rest of the verifiers;
(4c) the user sends the negotiation key to a second verifier;
(4d) except the first tester, the other testers respectively generate two random strings;
(4e) each verifier generates two strings with very high minimum entropy, except the first verifier;
(4f) a user designates a data storage position in a cloud storage network;
(4g) each verifier calculates the time required for the message it sends to be transmitted to a designated data storage location;
(4h) setting a time T, wherein the value of the time T is more than or equal to the maximum value of the time required for transmitting the messages sent by all inspectors to the specified data storage position;
(4i) within the time of subtracting the difference value of the time required for transmitting the message sent by the verifier to the designated data storage position from the set time T, the first verifier sends two generated random numbers to the cloud storage server, the second verifier sends the negotiation key and the information string generated by the negotiation key to the cloud storage server, and each of the rest verifiers sends the information string generated by the negotiation key to the cloud storage server;
(4j) at a set time T, the cloud storage server calculates a verification evidence r and a verification evidence s by using an exclusive OR method;
(5) the cloud storage server calculates an encryption key:
at a set time T, the cloud storage server generates a pseudo-random string with high minimum entropy by using the received information string and the negotiation key through multiple pseudo-random iterative computations, wherein the number of pseudo-random computations is equal to a value obtained by subtracting 1 from the number of inspectors, and the generated pseudo-random string with high minimum entropy is used as an encryption key;
(6) verifying the cloud storage server position by the verifier:
(6a) the cloud storage server sends the verification evidence to all the inspectors;
(6b) each inspector respectively records the time of receiving the verification evidence sent by the cloud storage server;
(6c) adding the set time T and the time required for transmitting the message sent by each inspector to the designated data storage position to obtain the time when the inspector should receive the verification evidence;
(7) judging whether the cloud storage server is located at a specified position, if so, successfully verifying, and executing the step (8), otherwise, unsuccessfully verifying, and executing the step (12);
(8) deleting the data copy:
(8a) the first verifier feeds back a signal of 'deleting data copies' to the user, and simultaneously feeds back a signal of 'duplicate removal checking' to the cloud storage server;
(8b) the user sends the label of the data to be encrypted to the cloud storage server;
(9) checking whether a label identical to that of the data to be encrypted exists in the cloud storage server; if yes, executing the step (10), otherwise, executing the step (11);
(10) the user increases the pointer:
the user does not send the ciphertext to the cloud storage server, and a pointer pointing to the user is added;
(11) the cloud storage server stores the ciphertext:
(11a) the cloud storage server sends the generated encryption key to the user;
(11b) a user encrypts data to be encrypted by using an encryption key to obtain a ciphertext;
(10c) the user sends the ciphertext to the cloud storage server;
(11d) the cloud storage server stores the received ciphertext;
(12) the user does not send data:
(12a) the first inspector feeds back a signal of 'not sending data' to the user, and simultaneously feeds back a signal of 'not meeting the position requirement' to the cloud storage server;
(12b) the user does not send data to be encrypted.
Compared with the prior art, the invention has the following advantages:
first, since the present invention, in the steps of the cloud storage server calculating the proof of authentication and the verifier verifying the location of the cloud storage server, each verifier sends a message to the cloud storage server, and records the moment when the cloud storage server returns the verification evidence and the content of the verification evidence, verifies the location of the data storage by using a plurality of verifiers together, because a plurality of verifiers are used, if any verifier fails to verify, the cloud storage server is not located at the specified position, and only if all verifiers successfully verify, the cloud storage server can be located at the specified position, therefore, the collusion attack of a plurality of enemies aiming at the position verification can be resisted, the problem that the prior art can not resist the collusion attack of the enemies is overcome, the invention can better ensure the safety of data in the transmission and storage processes while deleting the data copy.
Secondly, in the step of verifying the position of the cloud storage server by the verifier, the cloud storage server sends the verification evidence to all the verifiers, the position information of the cloud storage server is used as the only evidence for verification, if the cloud storage server is not located at the designated position, the verification cannot be passed, and the problem that the data storage position verification cannot be supported in the prior art is solved, so that whether the data storage position is located at the designated position or not can be accurately verified, the verification can be passed only when the cloud storage server is located at the designated position, the legality of the data storage position is ensured, the data copy can be deleted only when the user data is stored at the designated position, and the safety of the data storage position is better ensured.
Thirdly, in the step of calculating the encryption key by the cloud storage server, the cloud storage server generates a pseudo-random string by using the received information string and the negotiation key through pseudo-random iterative calculation for a plurality of times, the generated pseudo-random string is used as the encryption key, and when the cloud storage server stores a ciphertext and is positioned at an appointed position, the cloud storage server sends the generated encryption key to the user, so that the user can obtain the key only when the data storage position is at the appointed position, the problem that the key is possibly leaked in the encryption process in the prior art, and further the data original text is leaked is solved, so that the user can obtain the encryption key only when the data storage position meets the requirements, and the security of the encryption key is better ensured.
Fourthly, in the step of deleting the data copy, the user sends the label of the data to be encrypted to the cloud storage server at the designated position, and the user does not send the data to the cloud storage server at the non-designated position, so that the personalized requirements of the user are met.
Drawings
FIG. 1 is a flow chart of the present invention;
FIG. 2 is a schematic diagram of the present invention user generating convergence keys, labels and challenges;
FIG. 3 is a schematic illustration of data storage location verification in accordance with the present invention;
FIG. 4 is a flow chart of verifying a cloud storage server location in accordance with the present invention;
FIG. 5 is a flow chart of the data storage of the present invention.
Detailed Description
The invention is further described below with reference to the accompanying drawings.
The specific implementation steps of the present invention are further described with reference to fig. 1.
Step 1, generating a key and a label.
And the user calculates the hash value of each original text of the data to be encrypted, and each hash value is used as a convergence key.
And the user encrypts the data original text to be encrypted by using the convergence key to generate a corresponding data ciphertext, calculates the hash value of each data ciphertext and takes each hash value as a label.
And the user and the cloud storage server negotiate together to generate a negotiation key.
Step 2, the user creates a challenge.
As shown in fig. 2, the specific steps of the user to generate the challenge are as follows:
and the user encrypts the convergence key by using the negotiation key to generate a ciphertext and sends the ciphertext to the trusted third-party key management server.
The trusted third party key management server generates a random parameter.
And the trusted third party key management server calculates the hash value of the XOR result after carrying out XOR calculation on the random parameter and the received ciphertext, and takes the obtained hash value as the challenge H.
The user generates a challenge Z using a pseudo-random function PRF.
The process of generating the convergence key, the label and the challenge by the user in the above 2 steps of the present invention is further explained with reference to the schematic diagram of generating the convergence key, the label and the challenge by the user in fig. 2. There are three entities in FIG. 2: the system comprises a user, a trusted third party key management server and a cloud storage server. The method comprises the steps that a user carries out Hash calculation on data to obtain a convergence key, wherein the Hash calculation can utilize Hash functions such as SHA-1 and SHA-256, due to the particularity of the Hash functions, the same data to be encrypted generate the same Hash values through Hash calculation, namely the same convergence key is generated, then the data is encrypted by the convergence key to obtain a data ciphertext, the obtained data ciphertext is calculated by the Hash function to obtain a label, the user negotiates with a cloud storage server to generate a negotiation key, the convergence key is encrypted by the negotiation key to obtain a ciphertext, the ciphertext is sent to a trusted third party key management server, the trusted third party key management server generates a random number after receiving the ciphertext, a challenge H is generated, the challenge H is returned to the user, and the user generates a challenge Z by utilizing a pseudo-random function.
The specific implementation method of the challenge Z is as follows: user selection of parameters c, k, l and function f: {0,1}c×{0,1}k→{0,1}lGenerating a challenge Z ═ fWWhere c denotes the length of the input data, k denotes a key, l denotes the length of the output data, W denotes a key of length k, W ∈ {0,1}kSelecting a secret key W, and outputting a challenge Z with a fixed length of l after the secret key W is processed by a pseudo-random function PRF.
And 3, the user sends out a challenge.
The user issues two challenges H and Z to the verifier over a secure secret channel.
And 4, calculating the verification evidence by the cloud storage server.
The first verifier generates two random numbers.
The first verifier sends the generated two random numbers to the remaining verifiers.
The user sends the negotiated key to the second verifier.
Except for the first verifier, the remaining verifiers each generate two random strings.
Except for the first verifier, each verifier generates two strings with very high minimum entropy. The method of generating two strings with very high minimum entropy is as follows: except for a first verifier, each verifier takes two random numbers generated by the first verifier and two random strings generated by the verifier as input of a pseudo-random function, calculates to obtain two pseudo-random numbers by using the pseudo-random function, and performs exclusive OR operation on the two pseudo-random numbers, a challenge H and a challenge Z respectively to obtain two information strings with high minimum entropy.
A user specifies a data storage location in a cloud storage network.
Each verifier calculates the time it takes for the message it sends to be transmitted to the specified data storage location.
And setting the time T, wherein the value of the time T is more than or equal to the maximum value of the time required for all the messages sent by the examiners to be transmitted to the specified data storage position.
Within the time of subtracting the difference of the time required for transmitting the message sent by the verifier to the designated data storage position from the set time T, the first verifier sends the two generated random numbers to the cloud storage server, the second verifier sends the negotiation key and the information string generated by the negotiation key to the cloud storage server, and each of the rest verifiers sends the information string generated by the other verifiers to the cloud storage server.
At a set time T, the cloud storage server calculates a verification evidence r and a verification evidence s by using an exclusive OR method. The XOR method comprises the following steps: and at the time T of the set time, the cloud storage server performs exclusive OR operation on the exclusive OR result and the information string after performing exclusive OR operation on the received pseudo-random number and the received two random numbers generated by the first verifier.
And 5, the cloud storage server calculates the encryption key.
At a set time T, the cloud storage server generates a pseudo-random string with high minimum entropy through pseudo-random iterative computation for multiple times by using the received information string and the negotiation key, wherein the number of pseudo-random computations is equal to a value obtained by subtracting 1 from the number of inspectors, and the generated pseudo-random string with high minimum entropy is used as an encryption key. The pseudo-random iterative computation comprises the following specific steps:
the method comprises the following steps that firstly, a cloud storage server takes a negotiation key and a random string generated by a second verifier as input of a pseudo-random function, and a pseudo-random number is calculated by the aid of the pseudo-random function;
secondly, the calculation result and a random string generated by a third checker are used as the input of a pseudo-random function, and a pseudo-random number is calculated by the pseudo-random function;
thirdly, taking the calculation result and a random string generated by a fourth verifier as the input of a pseudo-random function, and calculating a pseudo-random number by using the pseudo-random function;
and repeating the steps until the random string generated by each checker is used as the input of the pseudorandom function, and stopping iteration.
And 6, verifying the position of the cloud storage server by the verifier.
The cloud storage server sends the proof of verification to all verifiers.
And each verifier records the moment of receiving the verification evidence sent by the cloud storage server.
And adding the set time T and the time required for the message sent by each verifier to be transmitted to the designated data storage position to obtain the time when the verifier receives the verification evidence.
The process of verifying the data storage location in the present invention is further described with reference to the schematic diagram of data storage location verification shown in FIG. 3. Assuming that 4 examiners, namely, an examiner 1, an examiner 2, an examiner 3 and an examiner 4 are provided, the examiner 1 sends two random numbers generated by the examiner 1, namely, a random number 1 and a random number 2, to the cloud storage server at a setting time T minus a time required for a message sent by the examiner 1 to be transmitted to a designated data storage location, the examiner 2 sends a negotiation key and two information strings generated by the examiner 2, namely, an information string 1.1 and an information string 1.2, to the cloud storage server at a setting time T minus a time required for a message sent by the examiner 3 to be transmitted to a designated data storage location, the examiner 3 sends two information strings generated by the examiner 3, namely, an information string 2.1 and an information string 2.2, to the cloud storage server at a setting time T minus a time required for a message sent by the examiner 3 to be transmitted to a designated data storage location, within the time of subtracting the difference of the time required for transmitting the message sent by the verifier 4 to the designated data storage position from the set time T, the verifier 4 sends two information strings generated by the verifier 4, namely the information string 3.1 and the information string 3.2 to the cloud storage server, so that the messages sent by all the verifiers can reach the cloud storage server at the designated position at the set time T at the same time, and at the set time T, the cloud storage server calculates a verification evidence by using an exclusive-or method according to the received messages and returns the verification evidence to the verifier.
Step 7 is further described below with reference to the flowchart of fig. 4 for verifying the location of the cloud storage server.
And 7, judging whether the cloud storage server is located at the specified position, if so, successfully verifying, and executing the step 8, otherwise, failing to verify, and executing the step 12. The position at the designated position refers to a position where the cloud storage area server is located when the following three conditions are simultaneously met:
condition 1, the time recorded by each verifier is equal to the time when the proof of verification should be received;
condition 2, verifying that the hash value of the evidence r is equal to the hash value of the challenge H;
conditional 3, verify that the hash value of the proof s is equal to the hash value of the challenge Z.
Step 8, step 9, step 10, step 11, and step 12 will be further described with reference to the data storage flowchart of fig. 5.
And 8, deleting the data copy.
The first verifier feeds back a signal of 'deleting data copy' to the user, and simultaneously feeds back a signal of 'deduplication checking' to the cloud storage server.
And the user sends the label of the data to be encrypted to the cloud storage server.
And 9, checking whether a label identical to that of the data to be encrypted exists in the cloud storage server, if so, executing the step 10, and otherwise, executing the step 11.
Step 10, the user increments the pointer.
And the user does not send the ciphertext to the cloud storage server and adds a pointer pointing to the user.
And step 11, the cloud storage server stores the ciphertext.
And the cloud storage server sends the generated encryption key to the user.
And the user encrypts the data to be encrypted by using the encryption key to obtain a ciphertext.
And the user sends the ciphertext to the cloud storage server.
And the cloud storage server stores the received ciphertext.
Step 12, the user does not send data.
The first verifier feeds back a signal of 'not sending data' to the user, and simultaneously feeds back a signal of 'not meeting the position requirement' to the cloud storage server.
The user does not send data to be encrypted.

Claims (4)

1. A method for deleting data copies based on data storage positions in cloud storage is characterized in that the method deletes user data copies at specified positions of the data storage positions, and comprises the following steps:
(1) generating a key and a label:
(1a) calculating the hash value of each original text of the data to be encrypted by the user, and taking each hash value as a convergence key;
(1b) a user encrypts a data original text to be encrypted by using a convergence key to generate a corresponding data ciphertext, calculates a hash value of each data ciphertext, and takes each hash value as a label;
(1c) the user and the cloud storage server negotiate together to generate a negotiation key;
(2) the user creates a challenge:
(2a) the user encrypts the convergence key by using the negotiation key to generate a ciphertext and sends the ciphertext to the trusted third-party key management server;
(2b) a trusted third party key management server generates a random parameter;
(2c) the trusted third party key management server calculates the hash value of the XOR result after carrying out XOR calculation on the random parameter and the received ciphertext, and takes the obtained hash value as the challenge H;
(2d) a user generates a challenge Z by utilizing a pseudo random function PRF;
(3) the user issues a challenge:
the user sends two challenges H and Z to the verifier through a secure secret channel;
(4) the cloud storage server calculates verification evidence:
(4a) the first verifier generates two random numbers;
(4b) the first verifier sends the generated two random numbers to the rest of the verifiers;
(4c) the user sends the negotiation key to a second verifier;
(4d) except the first tester, the other testers respectively generate two random strings;
(4e) each verifier generates two strings with very high minimum entropy, except the first verifier;
(4f) a user designates a data storage position in a cloud storage network;
(4g) each verifier calculates the time required for the message it sends to be transmitted to a designated data storage location;
(4h) setting a time T, wherein the value of the time T is more than or equal to the maximum value of the time required for transmitting the messages sent by all inspectors to the specified data storage position;
(4i) within the time of subtracting the difference value of the time required for transmitting the message sent by the verifier to the designated data storage position from the set time T, the first verifier sends two generated random numbers to the cloud storage server, the second verifier sends the negotiation key and the information string generated by the negotiation key to the cloud storage server, and each of the rest verifiers sends the information string generated by the negotiation key to the cloud storage server;
(4j) at a set time T, the cloud storage server calculates a verification evidence r and a verification evidence s by using an exclusive OR method;
the exclusive or method is as follows: at a set time T, the cloud storage server performs exclusive OR operation on an exclusive OR result and an information string by using the received pseudo-random number and the two received random numbers generated by the first verifier;
(5) the cloud storage server calculates an encryption key:
at a set time T, the cloud storage server generates a pseudo-random string with high minimum entropy by using the received information string and the negotiation key through multiple pseudo-random iterative computations, wherein the number of pseudo-random computations is equal to a value obtained by subtracting 1 from the number of inspectors, and the generated pseudo-random string with high minimum entropy is used as an encryption key;
(6) verifying the cloud storage server position by the verifier:
(6a) the cloud storage server sends the verification evidence to all the inspectors;
(6b) each inspector respectively records the time of receiving the verification evidence sent by the cloud storage server;
(6c) adding the set time T and the time required for transmitting the message sent by each inspector to the designated data storage position to obtain the time when the inspector should receive the verification evidence;
(7) judging whether the cloud storage server is located at a specified position, if so, successfully verifying, and executing the step (8), otherwise, unsuccessfully verifying, and executing the step (12);
(8) deleting the data copy:
(8a) the first verifier feeds back a signal of 'deleting data copies' to the user, and simultaneously feeds back a signal of 'duplicate removal checking' to the cloud storage server;
(8b) the user sends the label of the data to be encrypted to the cloud storage server;
(9) checking whether a label identical to that of the data to be encrypted exists in the cloud storage server, if so, executing the step (10), otherwise, executing the step (11);
(10) the user increases the pointer:
the user does not send the ciphertext to the cloud storage server, and a pointer pointing to the user is added;
(11) the cloud storage server stores the ciphertext:
(11a) the cloud storage server sends the generated encryption key to the user;
(11b) a user encrypts data to be encrypted by using an encryption key to obtain a ciphertext;
(10c) the user sends the ciphertext to the cloud storage server;
(11d) the cloud storage server stores the received ciphertext;
(12) the user does not send data:
(12a) the first inspector feeds back a signal of 'not sending data' to the user, and simultaneously feeds back a signal of 'not meeting the position requirement' to the cloud storage server;
(12b) the user does not send data to be encrypted.
2. The method for deleting data copies based on data storage positions in cloud storage according to claim 1, wherein the method for generating two information strings with very high minimum entropy in step (4e) is as follows: except for a first verifier, each verifier takes two random numbers generated by the first verifier and two random strings generated by the verifier as input of a pseudo-random function, calculates to obtain two pseudo-random numbers by using the pseudo-random function, and performs exclusive OR operation on the two pseudo-random numbers, a challenge H and a challenge Z respectively to obtain two information strings with high minimum entropy.
3. The method for deleting data copies in cloud storage based on data storage locations according to claim 1, wherein the specific steps of the pseudo-random iterative computation in the step (5) are as follows:
the method comprises the following steps that firstly, a cloud storage server takes a negotiation key and a random string generated by a second verifier as input of a pseudo-random function, and a pseudo-random number is calculated by the aid of the pseudo-random function;
secondly, the calculation result and a random string generated by a third checker are used as the input of a pseudo-random function, and a pseudo-random number is calculated by the pseudo-random function;
thirdly, taking the calculation result and a random string generated by a fourth verifier as the input of a pseudo-random function, and calculating a pseudo-random number by using the pseudo-random function;
and repeating the steps until the random string generated by each checker is used as the input of the pseudorandom function, and stopping iteration.
4. The method for deleting data copies in cloud storage based on data storage locations according to claim 1, wherein the location specified in step (7) is a location where the cloud storage server is located when the following three conditions are satisfied simultaneously:
condition 1, the time recorded by each verifier is equal to the time when the proof of verification should be received;
condition 2, verifying that the hash value of the evidence r is equal to the hash value of the challenge H;
conditional 3, verify that the hash value of the proof s is equal to the hash value of the challenge Z.
CN201711402587.9A 2017-12-22 2017-12-22 Data storage position-based data copy deleting method in cloud storage Active CN108566277B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201711402587.9A CN108566277B (en) 2017-12-22 2017-12-22 Data storage position-based data copy deleting method in cloud storage

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201711402587.9A CN108566277B (en) 2017-12-22 2017-12-22 Data storage position-based data copy deleting method in cloud storage

Publications (2)

Publication Number Publication Date
CN108566277A CN108566277A (en) 2018-09-21
CN108566277B true CN108566277B (en) 2020-04-21

Family

ID=63530392

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201711402587.9A Active CN108566277B (en) 2017-12-22 2017-12-22 Data storage position-based data copy deleting method in cloud storage

Country Status (1)

Country Link
CN (1) CN108566277B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116361201B (en) * 2023-06-02 2023-08-11 宜宾邦华智慧科技有限公司 Method and system for destroying stored data of mobile phone

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104052819A (en) * 2014-06-27 2014-09-17 西安电子科技大学 Method for verifying integrity of cloud data stored in multiple geographic positions
CN104869124A (en) * 2015-06-05 2015-08-26 飞天诚信科技股份有限公司 Authentication method based on geographic position information
CN105323074A (en) * 2015-11-17 2016-02-10 西安电子科技大学 Trusted verification method for geographic position of terminal equipment
CN106100832A (en) * 2016-06-12 2016-11-09 广东工业大学 Key management method based on convergent encryption in a kind of cloud storage data deduplication

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR20120072909A (en) * 2010-12-24 2012-07-04 주식회사 케이티 Distribution storage system with content-based deduplication function and object distributive storing method thereof, and computer-readable recording medium

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104052819A (en) * 2014-06-27 2014-09-17 西安电子科技大学 Method for verifying integrity of cloud data stored in multiple geographic positions
CN104869124A (en) * 2015-06-05 2015-08-26 飞天诚信科技股份有限公司 Authentication method based on geographic position information
CN105323074A (en) * 2015-11-17 2016-02-10 西安电子科技大学 Trusted verification method for geographic position of terminal equipment
CN106100832A (en) * 2016-06-12 2016-11-09 广东工业大学 Key management method based on convergent encryption in a kind of cloud storage data deduplication

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Secure Deduplication with Efficient and Reliable Convergent Key Management;Jin Li等;《IEEE Transactions on Parallel and Distributed Systems》;20131108;全文 *

Also Published As

Publication number Publication date
CN108566277A (en) 2018-09-21

Similar Documents

Publication Publication Date Title
CN109559122B (en) Block chain data transmission method and block chain data transmission system
US9800416B2 (en) Distributed validation of digitally signed electronic documents
US9698993B2 (en) Hashing prefix-free values in a signature scheme
US8694467B2 (en) Random number based data integrity verification method and system for distributed cloud storage
CA2792575C (en) Multiple hashing in a cryptographic scheme
US10103888B2 (en) Method of performing keyed-hash message authentication code (HMAC) using multi-party computation without Boolean gates
CN109194466A (en) A kind of cloud data integrity detection method and system based on block chain
CA2792572C (en) Hashing prefix-free values in a certificate scheme
CN110213042A (en) A kind of cloud data duplicate removal method based on no certification agency re-encryption
CN111970114A (en) File encryption method, system, server and storage medium
CN103595696A (en) Method and device for file ownership certification
US8954728B1 (en) Generation of exfiltration-resilient cryptographic keys
CN113259317B (en) Cloud storage data deduplication method based on identity agent unencrypted
CN108809996B (en) Integrity auditing method for duplicate deletion stored data with different popularity
CN108566277B (en) Data storage position-based data copy deleting method in cloud storage
CN116318654A (en) SM2 algorithm collaborative signature system, method and equipment integrating quantum key distribution
CN113656818B (en) Trusted-free third party cloud storage ciphertext deduplication method and system meeting semantic security
CN104426665A (en) Timestamp encryption method of data protective platform
Capkun et al. Rosen: Robust and selective non-repudiation (for tls)
Abbdal et al. Secure third party auditor for ensuring data integrity in cloud storage
Gupta Integrity auditing with attribute based ECMRSA algorithm for cloud data outsourcing
KR101605766B1 (en) Secret key generation method and deduplication method
CN114760072B (en) Signature and signature verification method, device and storage medium
CN115879136B (en) Cloud data protection method
CN107147615A (en) Ownership certification and the key transmission method of entropy are not lost under ciphertext duplicate removal scene

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant