CN108566277B - Data storage position-based data copy deleting method in cloud storage - Google Patents
Data storage position-based data copy deleting method in cloud storage Download PDFInfo
- Publication number
- CN108566277B CN108566277B CN201711402587.9A CN201711402587A CN108566277B CN 108566277 B CN108566277 B CN 108566277B CN 201711402587 A CN201711402587 A CN 201711402587A CN 108566277 B CN108566277 B CN 108566277B
- Authority
- CN
- China
- Prior art keywords
- cloud storage
- data
- storage server
- user
- verifier
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3271—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using challenge-response
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/04—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
- H04L63/0428—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/12—Applying verification of the received information
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L67/00—Network arrangements or protocols for supporting network services or applications
- H04L67/01—Protocols
- H04L67/10—Protocols in which an application is distributed across nodes in the network
- H04L67/1097—Protocols in which an application is distributed across nodes in the network for distributed storage of data in networks, e.g. transport arrangements for network file system [NFS], storage area networks [SAN] or network attached storage [NAS]
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/06—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
- H04L9/0643—Hash functions, e.g. MD5, SHA, HMAC or f9 MAC
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0816—Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
- H04L9/0819—Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
- H04L9/0822—Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) using key encryption key
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0816—Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
- H04L9/0819—Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
- H04L9/083—Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) involving central third party, e.g. key distribution center [KDC] or trusted third party [TTP]
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3236—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions
- H04L9/3239—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions involving non-keyed hash functions, e.g. modification detection codes [MDCs], MD5, SHA or RIPEMD
Abstract
The invention discloses a data copy deleting method based on a data storage position in cloud storage, which comprises the following implementation steps: the user generates a challenge and sends the challenge to the verifier, the verifier sends corresponding messages to the cloud storage server at different moments respectively, the cloud storage server calculates the verification evidence and returns the verification evidence to the verifier, the verifier judges whether the cloud storage server is located at a position designated by the user according to the moment when the cloud storage server returns the verification evidence and the content of the verification evidence, if the cloud storage server is located at the position designated by the user, the cloud storage server stores user data and deletes a data copy, and if not, the user does not send the data. The invention can delete the data copy with the storage position meeting certain geographical position conditions, thereby improving the safety and meeting the individual requirements of users.
Description
Technical Field
The invention belongs to the technical field of information security, and further relates to a data copy deleting method based on a data storage position in cloud storage in the technical field of network information security. The method can be applied to a cloud storage application scene, and for the cloud storage server meeting a certain geographic position condition, the security duplicate removal technology in cloud computing is applied to delete the user data duplicate stored in the cloud storage server, so that the data security in the transmission and storage process is ensured while the data duplicate is deleted.
Background
Data deduplication is a process of clearing data redundancy, and is a lossless compression mode of data. With the continuous development of cloud computing, the problem of cloud computing security is increasingly highlighted. Under the condition that the cloud server is not trusted by the user, the user needs to encrypt the file before uploading the file to the cloud storage server, but the use of the deduplication technology is seriously influenced by data encryption. Since deduplication and encryption are contradictory, deduplication is to save storage space, and encryption is to make ciphertext unrecognizable in a large amount of random data. Therefore, the cloud storage server must implement a combination of data encryption and deduplication technologies to achieve efficient storage.
A method for deleting data copies is disclosed in the paper "Secure and Efficient Cloud data reduction" With Randomized Tag "(IEEE TRANSACTION INFORMATION FOR TRANSICSAND SECURITY, VOL,12, NO.3, MARCH 2017) published by Tao Jiang, Xiiaofeng Chen. The method firstly uses a convergence encryption CE method to encrypt user data by taking the hash value of a data block as a convergence key. Secondly, the same data are subjected to Hash operation to generate the same data cipher text, then the same tag value is generated, before a user stores a certain data in a cloud storage server, the cloud storage server judges whether the tag value identical to the tag value of the data exists or not, then whether the data are stored in the cloud storage server or not is determined according to the judgment result, if the tag value identical to the tag value of the data exists in the cloud storage server, the user does not need to send the data cipher text to the cloud storage server, and only one pointer is added to indicate an owner of the data; if the same tag value as that of the data does not exist in the cloud storage server, the user directly sends the data ciphertext to the cloud storage server, and the cloud storage server stores the data ciphertext. The method solves the contradiction problem of encryption and de-duplication. However, the method still has the disadvantages that collusion attack of enemies cannot be resisted, and keys can be leaked, so that data leakage is caused.
The patent document applied by Nanjing university of science and engineering, "client secure deduplication of ciphertext data in cloud storage" (patent application No. 201610539947.9, publication No. CN 105939191A) discloses a method for secure deduplication of ciphertext clients in cloud storage. The method constructs a safe key generation protocol based on the blind signature, realizes the secondary encryption of the convergence key, ensures the security of the key, and provides a new ownership proving method based on the signature on the basis. The method can ensure that a user proves that the user really has a certain file at the cloud end to the cloud server in a safer and more efficient mode, and can simultaneously realize the duplicate removal of the ciphertext file. However, the method still has the disadvantages that the personalized requirements of the user cannot be met, the data of the storage position at the designated position of the user is deleted, the verification of the position cannot be supported, and the legality of the data storage position is ensured.
Sometimes, according to the personalized requirements of users, only data with storage locations meeting certain geographical location conditions can be deleted. From the perspective of a user, due to certain specific requirements or limitations of certain laws and regulations, data must be stored within a certain geographical location range, and from the perspective of a cloud storage server, in order to save storage space, improve system performance, reduce software and hardware maintenance costs, it is necessary to delete redundant data. However, there are representative protocols that can secure the data storage location, such as: the Lost protocol and the geoprodo protocol cannot support data deduplication; the existing scheme for deleting the data copy cannot support the verification of the position. Therefore, a method for simultaneously supporting data storage location verification and secure deduplication, that is, a data copy deleting method based on a data storage location in cloud storage, needs to be designed to implement that only data meeting a certain location attribute can delete a data copy.
Disclosure of Invention
The invention aims to provide a data copy deleting method based on a data storage position in cloud storage, aiming at the defects of the prior art. According to the method, the position of the cloud storage server is judged by using the position password, and the position password is applied to the deleted data copy, so that the personalized requirements of users are met, and the safety is improved.
The cloud storage server receives the verification evidence and sends the verification evidence to the verifier, the verifier judges whether the cloud storage server is located at a position designated by the user according to the time when the cloud storage server returns the verification evidence and the content of the verification evidence, and if the cloud storage server is located at the position designated by the user according to the personalized requirements of the user, the cloud storage server stores user data and deletes a data copy, otherwise, the user does not send the data.
The invention deletes the data copy for the user data with the data storage position at the appointed position, comprising the following steps:
(1) generating a key and a label:
(1a) calculating the hash value of each original text of the data to be encrypted by the user, and taking each hash value as a convergence key;
(1b) a user encrypts a data original text to be encrypted by using a convergence key to generate a corresponding data ciphertext, calculates a hash value of each data ciphertext, and takes each hash value as a label;
(1c) the user and the cloud storage server negotiate together to generate a negotiation key;
(2) the user creates a challenge:
(2a) the user encrypts the convergence key by using the negotiation key to generate a ciphertext and sends the ciphertext to the trusted third-party key management server;
(2b) a trusted third party key management server generates a random parameter;
(2c) the trusted third party key management server calculates the hash value of the XOR result after carrying out XOR calculation on the random parameter and the received ciphertext, and takes the obtained hash value as the challenge H;
(2d) a user generates a challenge Z by utilizing a pseudo random function PRF;
(3) the user issues a challenge:
the user sends two challenges H and Z to the verifier through a secure secret channel;
(4) the cloud storage server calculates verification evidence:
(4a) the first verifier generates two random numbers;
(4b) the first verifier sends the generated two random numbers to the rest of the verifiers;
(4c) the user sends the negotiation key to a second verifier;
(4d) except the first tester, the other testers respectively generate two random strings;
(4e) each verifier generates two strings with very high minimum entropy, except the first verifier;
(4f) a user designates a data storage position in a cloud storage network;
(4g) each verifier calculates the time required for the message it sends to be transmitted to a designated data storage location;
(4h) setting a time T, wherein the value of the time T is more than or equal to the maximum value of the time required for transmitting the messages sent by all inspectors to the specified data storage position;
(4i) within the time of subtracting the difference value of the time required for transmitting the message sent by the verifier to the designated data storage position from the set time T, the first verifier sends two generated random numbers to the cloud storage server, the second verifier sends the negotiation key and the information string generated by the negotiation key to the cloud storage server, and each of the rest verifiers sends the information string generated by the negotiation key to the cloud storage server;
(4j) at a set time T, the cloud storage server calculates a verification evidence r and a verification evidence s by using an exclusive OR method;
(5) the cloud storage server calculates an encryption key:
at a set time T, the cloud storage server generates a pseudo-random string with high minimum entropy by using the received information string and the negotiation key through multiple pseudo-random iterative computations, wherein the number of pseudo-random computations is equal to a value obtained by subtracting 1 from the number of inspectors, and the generated pseudo-random string with high minimum entropy is used as an encryption key;
(6) verifying the cloud storage server position by the verifier:
(6a) the cloud storage server sends the verification evidence to all the inspectors;
(6b) each inspector respectively records the time of receiving the verification evidence sent by the cloud storage server;
(6c) adding the set time T and the time required for transmitting the message sent by each inspector to the designated data storage position to obtain the time when the inspector should receive the verification evidence;
(7) judging whether the cloud storage server is located at a specified position, if so, successfully verifying, and executing the step (8), otherwise, unsuccessfully verifying, and executing the step (12);
(8) deleting the data copy:
(8a) the first verifier feeds back a signal of 'deleting data copies' to the user, and simultaneously feeds back a signal of 'duplicate removal checking' to the cloud storage server;
(8b) the user sends the label of the data to be encrypted to the cloud storage server;
(9) checking whether a label identical to that of the data to be encrypted exists in the cloud storage server; if yes, executing the step (10), otherwise, executing the step (11);
(10) the user increases the pointer:
the user does not send the ciphertext to the cloud storage server, and a pointer pointing to the user is added;
(11) the cloud storage server stores the ciphertext:
(11a) the cloud storage server sends the generated encryption key to the user;
(11b) a user encrypts data to be encrypted by using an encryption key to obtain a ciphertext;
(10c) the user sends the ciphertext to the cloud storage server;
(11d) the cloud storage server stores the received ciphertext;
(12) the user does not send data:
(12a) the first inspector feeds back a signal of 'not sending data' to the user, and simultaneously feeds back a signal of 'not meeting the position requirement' to the cloud storage server;
(12b) the user does not send data to be encrypted.
Compared with the prior art, the invention has the following advantages:
first, since the present invention, in the steps of the cloud storage server calculating the proof of authentication and the verifier verifying the location of the cloud storage server, each verifier sends a message to the cloud storage server, and records the moment when the cloud storage server returns the verification evidence and the content of the verification evidence, verifies the location of the data storage by using a plurality of verifiers together, because a plurality of verifiers are used, if any verifier fails to verify, the cloud storage server is not located at the specified position, and only if all verifiers successfully verify, the cloud storage server can be located at the specified position, therefore, the collusion attack of a plurality of enemies aiming at the position verification can be resisted, the problem that the prior art can not resist the collusion attack of the enemies is overcome, the invention can better ensure the safety of data in the transmission and storage processes while deleting the data copy.
Secondly, in the step of verifying the position of the cloud storage server by the verifier, the cloud storage server sends the verification evidence to all the verifiers, the position information of the cloud storage server is used as the only evidence for verification, if the cloud storage server is not located at the designated position, the verification cannot be passed, and the problem that the data storage position verification cannot be supported in the prior art is solved, so that whether the data storage position is located at the designated position or not can be accurately verified, the verification can be passed only when the cloud storage server is located at the designated position, the legality of the data storage position is ensured, the data copy can be deleted only when the user data is stored at the designated position, and the safety of the data storage position is better ensured.
Thirdly, in the step of calculating the encryption key by the cloud storage server, the cloud storage server generates a pseudo-random string by using the received information string and the negotiation key through pseudo-random iterative calculation for a plurality of times, the generated pseudo-random string is used as the encryption key, and when the cloud storage server stores a ciphertext and is positioned at an appointed position, the cloud storage server sends the generated encryption key to the user, so that the user can obtain the key only when the data storage position is at the appointed position, the problem that the key is possibly leaked in the encryption process in the prior art, and further the data original text is leaked is solved, so that the user can obtain the encryption key only when the data storage position meets the requirements, and the security of the encryption key is better ensured.
Fourthly, in the step of deleting the data copy, the user sends the label of the data to be encrypted to the cloud storage server at the designated position, and the user does not send the data to the cloud storage server at the non-designated position, so that the personalized requirements of the user are met.
Drawings
FIG. 1 is a flow chart of the present invention;
FIG. 2 is a schematic diagram of the present invention user generating convergence keys, labels and challenges;
FIG. 3 is a schematic illustration of data storage location verification in accordance with the present invention;
FIG. 4 is a flow chart of verifying a cloud storage server location in accordance with the present invention;
FIG. 5 is a flow chart of the data storage of the present invention.
Detailed Description
The invention is further described below with reference to the accompanying drawings.
The specific implementation steps of the present invention are further described with reference to fig. 1.
Step 1, generating a key and a label.
And the user calculates the hash value of each original text of the data to be encrypted, and each hash value is used as a convergence key.
And the user encrypts the data original text to be encrypted by using the convergence key to generate a corresponding data ciphertext, calculates the hash value of each data ciphertext and takes each hash value as a label.
And the user and the cloud storage server negotiate together to generate a negotiation key.
Step 2, the user creates a challenge.
As shown in fig. 2, the specific steps of the user to generate the challenge are as follows:
and the user encrypts the convergence key by using the negotiation key to generate a ciphertext and sends the ciphertext to the trusted third-party key management server.
The trusted third party key management server generates a random parameter.
And the trusted third party key management server calculates the hash value of the XOR result after carrying out XOR calculation on the random parameter and the received ciphertext, and takes the obtained hash value as the challenge H.
The user generates a challenge Z using a pseudo-random function PRF.
The process of generating the convergence key, the label and the challenge by the user in the above 2 steps of the present invention is further explained with reference to the schematic diagram of generating the convergence key, the label and the challenge by the user in fig. 2. There are three entities in FIG. 2: the system comprises a user, a trusted third party key management server and a cloud storage server. The method comprises the steps that a user carries out Hash calculation on data to obtain a convergence key, wherein the Hash calculation can utilize Hash functions such as SHA-1 and SHA-256, due to the particularity of the Hash functions, the same data to be encrypted generate the same Hash values through Hash calculation, namely the same convergence key is generated, then the data is encrypted by the convergence key to obtain a data ciphertext, the obtained data ciphertext is calculated by the Hash function to obtain a label, the user negotiates with a cloud storage server to generate a negotiation key, the convergence key is encrypted by the negotiation key to obtain a ciphertext, the ciphertext is sent to a trusted third party key management server, the trusted third party key management server generates a random number after receiving the ciphertext, a challenge H is generated, the challenge H is returned to the user, and the user generates a challenge Z by utilizing a pseudo-random function.
The specific implementation method of the challenge Z is as follows: user selection of parameters c, k, l and function f: {0,1}c×{0,1}k→{0,1}lGenerating a challenge Z ═ fWWhere c denotes the length of the input data, k denotes a key, l denotes the length of the output data, W denotes a key of length k, W ∈ {0,1}kSelecting a secret key W, and outputting a challenge Z with a fixed length of l after the secret key W is processed by a pseudo-random function PRF.
And 3, the user sends out a challenge.
The user issues two challenges H and Z to the verifier over a secure secret channel.
And 4, calculating the verification evidence by the cloud storage server.
The first verifier generates two random numbers.
The first verifier sends the generated two random numbers to the remaining verifiers.
The user sends the negotiated key to the second verifier.
Except for the first verifier, the remaining verifiers each generate two random strings.
Except for the first verifier, each verifier generates two strings with very high minimum entropy. The method of generating two strings with very high minimum entropy is as follows: except for a first verifier, each verifier takes two random numbers generated by the first verifier and two random strings generated by the verifier as input of a pseudo-random function, calculates to obtain two pseudo-random numbers by using the pseudo-random function, and performs exclusive OR operation on the two pseudo-random numbers, a challenge H and a challenge Z respectively to obtain two information strings with high minimum entropy.
A user specifies a data storage location in a cloud storage network.
Each verifier calculates the time it takes for the message it sends to be transmitted to the specified data storage location.
And setting the time T, wherein the value of the time T is more than or equal to the maximum value of the time required for all the messages sent by the examiners to be transmitted to the specified data storage position.
Within the time of subtracting the difference of the time required for transmitting the message sent by the verifier to the designated data storage position from the set time T, the first verifier sends the two generated random numbers to the cloud storage server, the second verifier sends the negotiation key and the information string generated by the negotiation key to the cloud storage server, and each of the rest verifiers sends the information string generated by the other verifiers to the cloud storage server.
At a set time T, the cloud storage server calculates a verification evidence r and a verification evidence s by using an exclusive OR method. The XOR method comprises the following steps: and at the time T of the set time, the cloud storage server performs exclusive OR operation on the exclusive OR result and the information string after performing exclusive OR operation on the received pseudo-random number and the received two random numbers generated by the first verifier.
And 5, the cloud storage server calculates the encryption key.
At a set time T, the cloud storage server generates a pseudo-random string with high minimum entropy through pseudo-random iterative computation for multiple times by using the received information string and the negotiation key, wherein the number of pseudo-random computations is equal to a value obtained by subtracting 1 from the number of inspectors, and the generated pseudo-random string with high minimum entropy is used as an encryption key. The pseudo-random iterative computation comprises the following specific steps:
the method comprises the following steps that firstly, a cloud storage server takes a negotiation key and a random string generated by a second verifier as input of a pseudo-random function, and a pseudo-random number is calculated by the aid of the pseudo-random function;
secondly, the calculation result and a random string generated by a third checker are used as the input of a pseudo-random function, and a pseudo-random number is calculated by the pseudo-random function;
thirdly, taking the calculation result and a random string generated by a fourth verifier as the input of a pseudo-random function, and calculating a pseudo-random number by using the pseudo-random function;
and repeating the steps until the random string generated by each checker is used as the input of the pseudorandom function, and stopping iteration.
And 6, verifying the position of the cloud storage server by the verifier.
The cloud storage server sends the proof of verification to all verifiers.
And each verifier records the moment of receiving the verification evidence sent by the cloud storage server.
And adding the set time T and the time required for the message sent by each verifier to be transmitted to the designated data storage position to obtain the time when the verifier receives the verification evidence.
The process of verifying the data storage location in the present invention is further described with reference to the schematic diagram of data storage location verification shown in FIG. 3. Assuming that 4 examiners, namely, an examiner 1, an examiner 2, an examiner 3 and an examiner 4 are provided, the examiner 1 sends two random numbers generated by the examiner 1, namely, a random number 1 and a random number 2, to the cloud storage server at a setting time T minus a time required for a message sent by the examiner 1 to be transmitted to a designated data storage location, the examiner 2 sends a negotiation key and two information strings generated by the examiner 2, namely, an information string 1.1 and an information string 1.2, to the cloud storage server at a setting time T minus a time required for a message sent by the examiner 3 to be transmitted to a designated data storage location, the examiner 3 sends two information strings generated by the examiner 3, namely, an information string 2.1 and an information string 2.2, to the cloud storage server at a setting time T minus a time required for a message sent by the examiner 3 to be transmitted to a designated data storage location, within the time of subtracting the difference of the time required for transmitting the message sent by the verifier 4 to the designated data storage position from the set time T, the verifier 4 sends two information strings generated by the verifier 4, namely the information string 3.1 and the information string 3.2 to the cloud storage server, so that the messages sent by all the verifiers can reach the cloud storage server at the designated position at the set time T at the same time, and at the set time T, the cloud storage server calculates a verification evidence by using an exclusive-or method according to the received messages and returns the verification evidence to the verifier.
Step 7 is further described below with reference to the flowchart of fig. 4 for verifying the location of the cloud storage server.
And 7, judging whether the cloud storage server is located at the specified position, if so, successfully verifying, and executing the step 8, otherwise, failing to verify, and executing the step 12. The position at the designated position refers to a position where the cloud storage area server is located when the following three conditions are simultaneously met:
condition 1, the time recorded by each verifier is equal to the time when the proof of verification should be received;
condition 2, verifying that the hash value of the evidence r is equal to the hash value of the challenge H;
conditional 3, verify that the hash value of the proof s is equal to the hash value of the challenge Z.
Step 8, step 9, step 10, step 11, and step 12 will be further described with reference to the data storage flowchart of fig. 5.
And 8, deleting the data copy.
The first verifier feeds back a signal of 'deleting data copy' to the user, and simultaneously feeds back a signal of 'deduplication checking' to the cloud storage server.
And the user sends the label of the data to be encrypted to the cloud storage server.
And 9, checking whether a label identical to that of the data to be encrypted exists in the cloud storage server, if so, executing the step 10, and otherwise, executing the step 11.
Step 10, the user increments the pointer.
And the user does not send the ciphertext to the cloud storage server and adds a pointer pointing to the user.
And step 11, the cloud storage server stores the ciphertext.
And the cloud storage server sends the generated encryption key to the user.
And the user encrypts the data to be encrypted by using the encryption key to obtain a ciphertext.
And the user sends the ciphertext to the cloud storage server.
And the cloud storage server stores the received ciphertext.
Step 12, the user does not send data.
The first verifier feeds back a signal of 'not sending data' to the user, and simultaneously feeds back a signal of 'not meeting the position requirement' to the cloud storage server.
The user does not send data to be encrypted.
Claims (4)
1. A method for deleting data copies based on data storage positions in cloud storage is characterized in that the method deletes user data copies at specified positions of the data storage positions, and comprises the following steps:
(1) generating a key and a label:
(1a) calculating the hash value of each original text of the data to be encrypted by the user, and taking each hash value as a convergence key;
(1b) a user encrypts a data original text to be encrypted by using a convergence key to generate a corresponding data ciphertext, calculates a hash value of each data ciphertext, and takes each hash value as a label;
(1c) the user and the cloud storage server negotiate together to generate a negotiation key;
(2) the user creates a challenge:
(2a) the user encrypts the convergence key by using the negotiation key to generate a ciphertext and sends the ciphertext to the trusted third-party key management server;
(2b) a trusted third party key management server generates a random parameter;
(2c) the trusted third party key management server calculates the hash value of the XOR result after carrying out XOR calculation on the random parameter and the received ciphertext, and takes the obtained hash value as the challenge H;
(2d) a user generates a challenge Z by utilizing a pseudo random function PRF;
(3) the user issues a challenge:
the user sends two challenges H and Z to the verifier through a secure secret channel;
(4) the cloud storage server calculates verification evidence:
(4a) the first verifier generates two random numbers;
(4b) the first verifier sends the generated two random numbers to the rest of the verifiers;
(4c) the user sends the negotiation key to a second verifier;
(4d) except the first tester, the other testers respectively generate two random strings;
(4e) each verifier generates two strings with very high minimum entropy, except the first verifier;
(4f) a user designates a data storage position in a cloud storage network;
(4g) each verifier calculates the time required for the message it sends to be transmitted to a designated data storage location;
(4h) setting a time T, wherein the value of the time T is more than or equal to the maximum value of the time required for transmitting the messages sent by all inspectors to the specified data storage position;
(4i) within the time of subtracting the difference value of the time required for transmitting the message sent by the verifier to the designated data storage position from the set time T, the first verifier sends two generated random numbers to the cloud storage server, the second verifier sends the negotiation key and the information string generated by the negotiation key to the cloud storage server, and each of the rest verifiers sends the information string generated by the negotiation key to the cloud storage server;
(4j) at a set time T, the cloud storage server calculates a verification evidence r and a verification evidence s by using an exclusive OR method;
the exclusive or method is as follows: at a set time T, the cloud storage server performs exclusive OR operation on an exclusive OR result and an information string by using the received pseudo-random number and the two received random numbers generated by the first verifier;
(5) the cloud storage server calculates an encryption key:
at a set time T, the cloud storage server generates a pseudo-random string with high minimum entropy by using the received information string and the negotiation key through multiple pseudo-random iterative computations, wherein the number of pseudo-random computations is equal to a value obtained by subtracting 1 from the number of inspectors, and the generated pseudo-random string with high minimum entropy is used as an encryption key;
(6) verifying the cloud storage server position by the verifier:
(6a) the cloud storage server sends the verification evidence to all the inspectors;
(6b) each inspector respectively records the time of receiving the verification evidence sent by the cloud storage server;
(6c) adding the set time T and the time required for transmitting the message sent by each inspector to the designated data storage position to obtain the time when the inspector should receive the verification evidence;
(7) judging whether the cloud storage server is located at a specified position, if so, successfully verifying, and executing the step (8), otherwise, unsuccessfully verifying, and executing the step (12);
(8) deleting the data copy:
(8a) the first verifier feeds back a signal of 'deleting data copies' to the user, and simultaneously feeds back a signal of 'duplicate removal checking' to the cloud storage server;
(8b) the user sends the label of the data to be encrypted to the cloud storage server;
(9) checking whether a label identical to that of the data to be encrypted exists in the cloud storage server, if so, executing the step (10), otherwise, executing the step (11);
(10) the user increases the pointer:
the user does not send the ciphertext to the cloud storage server, and a pointer pointing to the user is added;
(11) the cloud storage server stores the ciphertext:
(11a) the cloud storage server sends the generated encryption key to the user;
(11b) a user encrypts data to be encrypted by using an encryption key to obtain a ciphertext;
(10c) the user sends the ciphertext to the cloud storage server;
(11d) the cloud storage server stores the received ciphertext;
(12) the user does not send data:
(12a) the first inspector feeds back a signal of 'not sending data' to the user, and simultaneously feeds back a signal of 'not meeting the position requirement' to the cloud storage server;
(12b) the user does not send data to be encrypted.
2. The method for deleting data copies based on data storage positions in cloud storage according to claim 1, wherein the method for generating two information strings with very high minimum entropy in step (4e) is as follows: except for a first verifier, each verifier takes two random numbers generated by the first verifier and two random strings generated by the verifier as input of a pseudo-random function, calculates to obtain two pseudo-random numbers by using the pseudo-random function, and performs exclusive OR operation on the two pseudo-random numbers, a challenge H and a challenge Z respectively to obtain two information strings with high minimum entropy.
3. The method for deleting data copies in cloud storage based on data storage locations according to claim 1, wherein the specific steps of the pseudo-random iterative computation in the step (5) are as follows:
the method comprises the following steps that firstly, a cloud storage server takes a negotiation key and a random string generated by a second verifier as input of a pseudo-random function, and a pseudo-random number is calculated by the aid of the pseudo-random function;
secondly, the calculation result and a random string generated by a third checker are used as the input of a pseudo-random function, and a pseudo-random number is calculated by the pseudo-random function;
thirdly, taking the calculation result and a random string generated by a fourth verifier as the input of a pseudo-random function, and calculating a pseudo-random number by using the pseudo-random function;
and repeating the steps until the random string generated by each checker is used as the input of the pseudorandom function, and stopping iteration.
4. The method for deleting data copies in cloud storage based on data storage locations according to claim 1, wherein the location specified in step (7) is a location where the cloud storage server is located when the following three conditions are satisfied simultaneously:
condition 1, the time recorded by each verifier is equal to the time when the proof of verification should be received;
condition 2, verifying that the hash value of the evidence r is equal to the hash value of the challenge H;
conditional 3, verify that the hash value of the proof s is equal to the hash value of the challenge Z.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201711402587.9A CN108566277B (en) | 2017-12-22 | 2017-12-22 | Data storage position-based data copy deleting method in cloud storage |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201711402587.9A CN108566277B (en) | 2017-12-22 | 2017-12-22 | Data storage position-based data copy deleting method in cloud storage |
Publications (2)
Publication Number | Publication Date |
---|---|
CN108566277A CN108566277A (en) | 2018-09-21 |
CN108566277B true CN108566277B (en) | 2020-04-21 |
Family
ID=63530392
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201711402587.9A Active CN108566277B (en) | 2017-12-22 | 2017-12-22 | Data storage position-based data copy deleting method in cloud storage |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN108566277B (en) |
Families Citing this family (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN116361201B (en) * | 2023-06-02 | 2023-08-11 | 宜宾邦华智慧科技有限公司 | Method and system for destroying stored data of mobile phone |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN104052819A (en) * | 2014-06-27 | 2014-09-17 | 西安电子科技大学 | Method for verifying integrity of cloud data stored in multiple geographic positions |
CN104869124A (en) * | 2015-06-05 | 2015-08-26 | 飞天诚信科技股份有限公司 | Authentication method based on geographic position information |
CN105323074A (en) * | 2015-11-17 | 2016-02-10 | 西安电子科技大学 | Trusted verification method for geographic position of terminal equipment |
CN106100832A (en) * | 2016-06-12 | 2016-11-09 | 广东工业大学 | Key management method based on convergent encryption in a kind of cloud storage data deduplication |
Family Cites Families (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
KR20120072909A (en) * | 2010-12-24 | 2012-07-04 | 주식회사 케이티 | Distribution storage system with content-based deduplication function and object distributive storing method thereof, and computer-readable recording medium |
-
2017
- 2017-12-22 CN CN201711402587.9A patent/CN108566277B/en active Active
Patent Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN104052819A (en) * | 2014-06-27 | 2014-09-17 | 西安电子科技大学 | Method for verifying integrity of cloud data stored in multiple geographic positions |
CN104869124A (en) * | 2015-06-05 | 2015-08-26 | 飞天诚信科技股份有限公司 | Authentication method based on geographic position information |
CN105323074A (en) * | 2015-11-17 | 2016-02-10 | 西安电子科技大学 | Trusted verification method for geographic position of terminal equipment |
CN106100832A (en) * | 2016-06-12 | 2016-11-09 | 广东工业大学 | Key management method based on convergent encryption in a kind of cloud storage data deduplication |
Non-Patent Citations (1)
Title |
---|
Secure Deduplication with Efficient and Reliable Convergent Key Management;Jin Li等;《IEEE Transactions on Parallel and Distributed Systems》;20131108;全文 * |
Also Published As
Publication number | Publication date |
---|---|
CN108566277A (en) | 2018-09-21 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN109559122B (en) | Block chain data transmission method and block chain data transmission system | |
US9800416B2 (en) | Distributed validation of digitally signed electronic documents | |
US9698993B2 (en) | Hashing prefix-free values in a signature scheme | |
US8694467B2 (en) | Random number based data integrity verification method and system for distributed cloud storage | |
CA2792575C (en) | Multiple hashing in a cryptographic scheme | |
US10103888B2 (en) | Method of performing keyed-hash message authentication code (HMAC) using multi-party computation without Boolean gates | |
CN109194466A (en) | A kind of cloud data integrity detection method and system based on block chain | |
CA2792572C (en) | Hashing prefix-free values in a certificate scheme | |
CN110213042A (en) | A kind of cloud data duplicate removal method based on no certification agency re-encryption | |
CN111970114A (en) | File encryption method, system, server and storage medium | |
CN103595696A (en) | Method and device for file ownership certification | |
US8954728B1 (en) | Generation of exfiltration-resilient cryptographic keys | |
CN113259317B (en) | Cloud storage data deduplication method based on identity agent unencrypted | |
CN108809996B (en) | Integrity auditing method for duplicate deletion stored data with different popularity | |
CN108566277B (en) | Data storage position-based data copy deleting method in cloud storage | |
CN116318654A (en) | SM2 algorithm collaborative signature system, method and equipment integrating quantum key distribution | |
CN113656818B (en) | Trusted-free third party cloud storage ciphertext deduplication method and system meeting semantic security | |
CN104426665A (en) | Timestamp encryption method of data protective platform | |
Capkun et al. | Rosen: Robust and selective non-repudiation (for tls) | |
Abbdal et al. | Secure third party auditor for ensuring data integrity in cloud storage | |
Gupta | Integrity auditing with attribute based ECMRSA algorithm for cloud data outsourcing | |
KR101605766B1 (en) | Secret key generation method and deduplication method | |
CN114760072B (en) | Signature and signature verification method, device and storage medium | |
CN115879136B (en) | Cloud data protection method | |
CN107147615A (en) | Ownership certification and the key transmission method of entropy are not lost under ciphertext duplicate removal scene |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||
GR01 | Patent grant |