CN108683729A - A kind of environmental monitoring data safe storage system and method towards credible cloud - Google Patents

A kind of environmental monitoring data safe storage system and method towards credible cloud Download PDF

Info

Publication number
CN108683729A
CN108683729A CN201810453258.5A CN201810453258A CN108683729A CN 108683729 A CN108683729 A CN 108683729A CN 201810453258 A CN201810453258 A CN 201810453258A CN 108683729 A CN108683729 A CN 108683729A
Authority
CN
China
Prior art keywords
monitoring data
user
environmental monitoring
node
storage
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201810453258.5A
Other languages
Chinese (zh)
Other versions
CN108683729B (en
Inventor
韦鹏程
颜蓓
贺方成
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Chongqing University of Education
Original Assignee
Chongqing University of Education
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Chongqing University of Education filed Critical Chongqing University of Education
Priority to CN201810453258.5A priority Critical patent/CN108683729B/en
Publication of CN108683729A publication Critical patent/CN108683729A/en
Application granted granted Critical
Publication of CN108683729B publication Critical patent/CN108683729B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00Network arrangements or protocols for supporting network services or applications
    • H04L67/01Protocols
    • H04L67/10Protocols in which an application is distributed across nodes in the network
    • H04L67/1097Protocols in which an application is distributed across nodes in the network for distributed storage of data in networks, e.g. transport arrangements for network file system [NFS], storage area networks [SAN] or network attached storage [NAS]
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/10Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00Network arrangements or protocols for supporting network services or applications
    • H04L67/50Network services
    • H04L67/56Provisioning of proxy services
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/06Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
    • H04L9/0643Hash functions, e.g. MD5, SHA, HMAC or f9 MAC

Abstract

The invention belongs to access, addressing or the distribution technique fields in storage system or architecture, disclose a kind of environmental monitoring data safe storage system and method towards credible cloud, each user corresponds to a con_ckb, is the conkeys for all containers that the user creates;User is needed to provide a user password User_key index of conckb, root node of the password as binary tree structure is derived from downwards child nodes by root node, left and right child node is calculated separately using hash algorithm SHA 256 in derivation history successively;Obtain index of the cryptographic Hash as con_key_box_slices of pth layer.The present invention realizes the prototype system of security mechanism;Calculating and the storage capacity for taking full advantage of cloud system, substantially increase the convenient degree that user uses, and user is not necessarily to voluntarily encryption, without relying on fixed client encryption and decryption.

Description

A kind of environmental monitoring data safe storage system and method towards credible cloud
Technical field
The invention belongs to access, addressing or the distribution technique fields in storage system or architecture, more particularly to A kind of environmental monitoring data safe storage system and method towards credible cloud.
Background technology
Currently, the prior art commonly used in the trade is such:With the arrival in Web2.0 epoch, got in people's life Carry out more storage demand (picture, video, web mails, filing, backup of magnanimity etc.), the data come are createed in the whole world daily Several hundred million growths is presented.It counts and shows according to IDC:Data between coming 10 years will increase by 44 times, will increase to the year two thousand twenty global metadata 35ZB is grown to, about 80% is unstructured data, and major part therein is inactive again.Under such demand driving, Cloud storage service is come into being one by one for a kind of novel storage service, it grows up along with cloud computing, can be to use Family or third-party application provide low cost, the storage resource of distribution according to need.Environmental monitoring data is that record designated area environment is each The data of item index can carry out effective Feedback to the present situation and future trend of local environment and therefore pacify to these data Full storage is very important, and current cloud storage service has been gradually introduced in the storage of environmental monitoring data, however In the popularization and application of cloud storage service, safety becomes its current maximum obstacle.Cloud storage service provides storage to the user Infrastructure and resource, full powers replace user to store and manage personal data this characteristics, make user to the number that is stored in the cloud According to nourishing " sense out of control ".In addition high in the clouds safety accident takes place frequently in recent years, according to Ministry of Industry and Information in 2012 to Chinese public cloud service observation Situation shows that user is exactly the safety and privacy concern of data to what the misgivings factor of cloud computing service ranked the first position, therefore protects The personal secrets for protecting user data in cloud storage are most important.
In conclusion problem of the existing technology is:Cloud storage service has been gradually introduced environmental monitoring number at present According to storage in, safety becomes current maximum obstacle, and user is made to nourish " sense out of control ", high in the clouds to the data being stored in the cloud Safety accident takes place frequently,
Invention content
In view of the problems of the existing technology, the present invention provides a kind of environmental monitoring datas towards credible cloud to deposit safely Storage system and method.
The invention is realized in this way a kind of environmental monitoring data method for secure storing towards credible cloud, it is described towards The each user of environmental monitoring data method for secure storing of credible cloud corresponds to a con_ckb, is all of user establishment The conkeys of containers;User is needed to provide a user password User_key, password conduct the index of conckb The root node of binary tree structure derives from downwards child nodes by root node, hash algorithm SHA-256 is used in derivation history successively To calculate separately left and right child node;Obtain index of the cryptographic Hash as con_key_box_slices of pth layer.
Further, in the environmental monitoring data method for secure storing towards credible cloud Swift by Ring from object Data are specifically included to dummy node, then to the mapping between storage device:
The data structure of Ring is first provided, is the information list for each storage device for participating in the Ring first, record is each Devid, zone, weight, IP of storage device:port、devicename、meta;Replica2part2dev_id, record The corresponding storage devices of each Partition;Record the carry digit of Partition, part_shift;Followed by object data arrives Dummy node:The dummy node that Ring is used is called Partition;The mapping of object data to dummy node is as follows:
md5('/account/container/object').digest())[0]>>self._part_shift;
Dummy node is to storage device:Partition ensures that storage device storage data quantity is equal to the mapping between storage device Weighing apparatus;Storage device, which is found, for each Partition collects the Partition to be allocated, be denoted as (Parition_id, replica_id);For each storage device, based on the Partition quantity that weight calculation should get, according to from more to less Sequence;It is simultaneously Region, Zone, IP belonging to each device build oneself:port、Dev_id;Build whole hierarchical tree.
Further, the process of the mapping of the environmental monitoring data method for secure storing towards credible cloud is to store Certain object data copy, first find store this object data minimum number layer;Most hungry storage is found in layer again Equipment.
Further, the environmental monitoring data method for secure storing towards credible cloud specifically includes:Cryptographic Hash K (0,1) First parameter i of=User_key, K (i, j) indicate that the level number of binary tree, second parameter j indicate the index in i-th layer Number, as i=x, 1≤j≤2x;Then it obtains:
LeftCof ki,j=hash (k (i, j) | | (2*j) | | k (i, j))=k ((i+1), (2*j));
RightCof ki,j=hash (k (i, j) | | (2*j) | | k (i, j))=k ((i+1), (2*j));
Wherein | | | | it indicates connection, then passes through N=4 calculating, obtain 16 index values, make con_key_box_ The name of slice.Leftcof indicates that left connection, RightCof indicate that right connection, Hash indicate the cryptographic Hash of hash function
Another object of the present invention is to provide a kind of environmental monitoring data method for secure storing towards credible cloud The environmental monitoring data safe storage system towards credible cloud, the environmental monitoring data secure storage system towards credible cloud System includes:Client, server-side;
Swiftclient_module in client is responsible for providing PythonAPI, and swift provides the work(of command-line tool Energy;
The code file under bin catalogues in server-side is the startup script of service processes;Code file under etc catalogues It is the associated profile that service processes use;Swift catalogues are the core code of system, including agency service, tenant's management Service, container management service, object environment monitoring data management service and public calling module.
Further, the environmental monitoring data safe storage system towards credible cloud is divided into three parts:Client, agency Service node and memory node;
For client deployment on the local machine of service user, user passes through client operation environmental monitoring data;Generation Agency service is run on reason service node, is the window that server-side externally services, is responsible for receiving the request of client, be closed The authentication and authorization of method searches relative position of the environmental monitoring data on memory node, forwards the request to respective stored Node makes corresponding failure handling simultaneously for failure, failure;Tenant's management service, container tube are run on memory node Reason service and object environment monitoring data management service, are responsible for the management and storage of environmental monitoring data, operate in memory node On finger daemon be responsible for the reliabilty and availability of guarantee environment monitoring data in systems.
Another object of the present invention is to provide the environmental monitoring data secure storages towards credible cloud described in a kind of application The cloud storage service system of method.
In conclusion advantages of the present invention and good effect are:With the continuous growth of social demand, it is continuously created daily The data bulk come is increased rapidly with exponential.In face of such storage demand, the cloud storage system of object-oriented provides good Good solution, it be dedicated to concentrating provide to the user magnanimity, resilient expansion, the unstructured number of static state that persistence is high According to storage service.But safety becomes the biggest obstacle during its popularization and application, safety of the user to data in cloud Extremely worry with privacy, so the storage safety of protection user data is the premise of cloud storage service benign development.The present invention with The Swift mechanism for the Openstack cloud operating systems increased income is prototype, it is proposed that a kind of to protect cloud using encryption and cutting techniques The mechanism of environmental monitoring data storage safety is held, and realizes the prototype system of the security mechanism.The mechanism takes full advantage of cloud The calculating of end system and storage capacity have provided the on-demand security mechanism used to the user, have substantially increased user and use just Prompt degree, user are not necessarily to voluntarily encryption, without relying on fixed client encryption and decryption, only need to provide a user password UserJCey It can be used the powerful efficient encryption function in high in the clouds and key management functions, user friendly strong.
Description of the drawings
Fig. 1 is the environmental monitoring data safe storage system structural representation provided in an embodiment of the present invention towards credible cloud Figure;
In figure:1, client;2, server-side.
Fig. 2 is the environmental monitoring data method for secure storing flow chart provided in an embodiment of the present invention towards credible cloud.
Fig. 3 is fast source code skeleton schematic diagram provided in an embodiment of the present invention
Fig. 4 is the physical arrangement schematic diagram of swift provided in an embodiment of the present invention.
Fig. 5 is the long range mapping schematic diagram between copy provided in an embodiment of the present invention.
Fig. 6 is the structure schematic diagram of equipment hierarchical structure tree provided in an embodiment of the present invention.
Fig. 7 is level export schematic diagram provided in an embodiment of the present invention.
Fig. 8 is establishment user password title schematic diagram provided in an embodiment of the present invention.
Specific implementation mode
In order to make the purpose , technical scheme and advantage of the present invention be clearer, with reference to embodiments, to the present invention It is further elaborated.It should be appreciated that the specific embodiments described herein are merely illustrative of the present invention, it is not used to Limit the present invention.
Environmental monitoring data is the significant data that can reflect area surroundings present situation and future trend, storage to close weight It wants, currently, with the increase of data volume, cloud storage service is gradually introduced in environmental monitoring data storage, and in concrete application In the process, safety is the biggest obstacle encountered during cloud storage service promotes and applies.Amazon cloud services oneself become generally acknowledge in the industry The fact standard, core component Swift oneself become very popular cloud storage mechanism, but the mechanism exist be easy leakage user The deficiency of data, the present invention study the improvements in security method of environmental monitoring data memory mechanism in cloud, the present invention using it as prototype Environmental monitoring environmental monitoring data secure storage prototype system based on encryption and cutting techniques, and be tested.As a result table Bright, which can effectively reduce the risk that user information is revealed in cloud.
As shown in Figure 1, the environmental monitoring data safe storage system provided in an embodiment of the present invention towards credible cloud includes: Client 1, server-side 2.
As shown in Fig. 2, the environmental monitoring data method for secure storing provided in an embodiment of the present invention towards credible cloud includes Following steps:
S201:Each user corresponds to a con_ckb, is the conkeys for all containers that the user creates;
S202:User is needed to provide a user password User_key index of conckb, the password is as y-bend The root node of tree construction is derived from downwards child nodes by root node, is divided using hash algorithm SHA-256 in derivation history successively Left and right child node is not calculated;
S203:Obtain index of the cryptographic Hash as con_key_box_slices of pth layer.
The application principle of the present invention is further described below in conjunction with the accompanying drawings.
1, source code frame and programming model
The present invention studies the secure storage mechanism of environmental monitoring data, and the present invention is directed to the spy of environmental monitoring data Point builds source code frame and programming model.In the model of framework of the present invention, Swift is to be based on python language developments , it is made of client-side program and serve end program two parts." swiftclient_module " in client-side program is responsible for PythonAPI is provided, " swift " provides the function of command-line tool.The major architectural of serve end program such as Fig. 3, under bin catalogues Code file be service processes startup script;Code file under etc catalogues is the relevant configuration text that service processes use Part;Swift catalogues are the core codes of system, include mainly agency service, tenant's management service, container management service, object Environmental monitoring data management service and public calling module.In system building and deployment, client-side program, which is mounted on service, to be made User side, such as the local of mirror image component or terminal user in OpenStack.Serve end program is disposed beyond the clouds, by system It builds personnel's Run Script and starts service.As shown in Figure 3.
2, the physical structure of system
The physical structure of system can be divided into three parts:Client, proxy service node and memory node are such as schemed.Client End is deployed on the local machine of service user, and user (uploads, download, update, deletes) environment by client operation and supervises Measured data;Agency service is run in proxy service node, is the window that server-side externally services, and is mainly responsible for reception client Request, carry out legal authentication and authorization, search relative position of the environmental monitoring data on memory node, forwarding is asked Respective stored node is sought, corresponding failure handling is made simultaneously for situations such as failure, failure;Rent is run on memory node Family management service, container management service and object environment monitoring data management service, are mainly responsible for the management of environmental monitoring data And storage, the finger daemon operated on memory node are responsible for the reliability of guarantee environment monitoring data in systems and be can be used Property.
Fig. 4 is the exemplary plot that Swift is built on a small scale.In order to preferably support large-scale concurrent requirements for access, in reality Proxy service node can have several in the application of border, while need to do one layer of load before request accesses proxy service node Equalizing layer.Certainly, memory node can also dynamically increase and decrease according to use demand, have extremely strong elastic zoom capabilities, and companion With the increase and decrease of memory node, system can realize data on the migration of the data " minimum " between each memory node and each memory node The work of amount of storage equilibrium.
3, improved consistency hash algorithm
The present invention introduces how Swift is realized by Ring from object data to dummy node in terms of two, then arrives storage Mapping between equipment.The data structure for first providing Ring, is made of three parts:It is each storage device for participating in the Ring first Information list, record devid, zone, weight, IP of each storage device:port、devicename、meta; Replica2part2dev_id records the corresponding storage devices of each Partition;The carry digit of Partition is recorded, part_shift.Followed by object data is to dummy node:The dummy node that Ring is used is called Partition, and Partition is one A concept in logic, can regard several virtual boxes as, and a Partition box can correspond to multiple object datas. The quantity of Partition is previously set by system building personnel according to system scale, typically the hundred of storage device quantity times. The path (account/container/object) of one object data can be computed (Hash and displacement) and obtain the object Some corresponding Partition of data.The mapping of object data to dummy node is as follows:
md5('/account/container/object').digest())[0]>>self._part_shift
Followed by dummy node is to storage device:Partition should ensure that storage device is deposited to the mapping between storage device The equilibrium of data volume is stored up, considers the availability of data in system again, i.e., three of one data are backed up the storage being mapped to Equipment should be " maximum distance " in system, even if in Data Migration, the copy of same part data will still keep " farthest Distance storage ".As shown in Figure 5.
The core concept of storage device is found for each Partition is:Collect the Partition to be allocated, note For (Parition_id, replica_id);For each storage device, the Partition numbers that should be got based on weight calculation Amount, according to sorting from more to less;It is simultaneously Region, Zone, IP belonging to each device build oneself:port、Dev_id;Structure Build whole hierarchical tree, such as Fig. 6.
The process of mapping is the copy of certain object data to that will store, and first finds and stores this object data quantity most Few layer;Find the storage device of " most hungry " in this layer again.When system scale changes, number of devices increases and decreases When, the quantity that every equipment corresponds to Partition will change, and remap at this time to Partition and storage device To realize balance.
For specific application process if so, each user corresponds to a con_ckb in system, the inside is the institute that the user creates There is the conkeys of containers.User is needed to provide a user password User_key, the password index of conckb As the root node of binary tree structure, child nodes are derived from downwards by root node successively, hash algorithm is used in derivation history SHA-256 calculates separately left and right child node, finally obtains rope of the cryptographic Hash as con_key_box_slices of pth layer Draw.
Such as Fig. 7, specific algorithm step is, the present invention first enables cryptographic Hash K (0,1)=User_key, the first of K (i, j) A parameter i indicates that the level number of binary tree, second parameter j indicate the call number in i-th layer, as i=x, 1≤j≤2x;It connects The present invention to obtain:
LeftCof ki,j=hash (k (i, j) | | (2*j) | | k (i, j))=k ((i+1), (2*j)) (1)
RightCof ki,j=hash (k (i, j) | | (2*j) | | k (i, j))=k ((i+1), (2*j)) (2)
Wherein | | | | it indicates connection, then passes through N=4 calculating, obtain 16 index values, make con_key_box_ The name of slice.
The application effect of the present invention is explained in detail with reference to test.
1 test condition and purpose
Swift storage systems are built used here as 5 servers, wherein 1 is used as proxy service node, are left four works For storage service node.Two pieces of SATA hard discs of every storage server carry, one piece of disk are divided into two as system disk, another piece of disk What a area, outside access net and internal lan used is kilomega network.Such as following table.Computer uses 64 Ubimtu14.04LTS operating systems, on server deployment be added to the sec-Swift2.3.0 software systems conducts of security mechanism Experimental situation.
1 hardware test environment of table
Test the correct execution of security mechanism major function.User is when using cloud storage system, for different important journeys The environmental monitoring data of degree can on-demand memory mechanism safe to use.For environmental monitoring data to be protected, data are being uploaded Before, user needs offer user password first to create dedicated for the container of storage protection environmental monitoring data, is uploaded to this The object of container will be protected by security mechanism.Then, in user's operation (upload, download etc.) environmental monitoring data Shi Junxu provides user password, and system will execute management and protection to environmental monitoring data according to security mechanism.For being not required to Environmental monitoring data to be protected is executed according to the function that original system provides.For functional test, the present invention will provide operation examination Example, and in the form of daily record record security mechanism whole implementation procedures.
2 System Functional Test results
Present invention displaying software function first first completes registration for a new user newuser.Realize tenant Then the establishment of Newproject carries out the setting of username and password, such as Fig. 8:User newuser uploads downloaded object data Tmp.32K, user mechanism safe to use upload data before, need first to create the container for storing encryption data, then into Row uploads or downloaded object data manipulation, notices that the process of mechanism safe to use is required to user and provides user password User_ key.For example, user creates the container of the encrycon for storing encryption data, and the upload object data into the container Tmp.32K, similarly downloads tmp.32K from encrycon containers, and the process of mechanism safe to use is both needed to provide user password.It connects Establishment encrycon containers, the upload object data tmp.32K into container encrycon, the download pair from container encrycon Image data tmp.32K, after receiving user's mechanism safe to use and storing the request of data, the security mechanism on proxy server The course of work recorded by way of daily record.
Followed by security test as a result, being protected by data segmentation, data encryption technology and complete key managing project Protect the sensitive data of user.Thus critical data is increased in system.The data that system is laid special stress on protecting have obj_frags, con_ Obj_key-box and con_key_box-slices.User's sensitive data objfrags and con_obj_key_box are all made of AES-128 Encryption Algorithm encryptions, the ciphertext of formation are stored on memory node.For hereinbefore original system stored in clear Example getfilecontxt, if mechanism safe to use stores, user first creates a con container for encryption handling, to Upper transmitting file getfilecontxt, carries user password User_key in con in operation.Security mechanism is by getfilecontat Environmental monitoring data is divided into 10 pieces, checks 10 pieces of environmental monitoring datas with the shape of ciphertext in the corresponding storage device of the present invention Formula stores.
For con_key_box_slices obtained by privacy sharing algorithm process by Top layer key file con_ckb " encoding block ".Privacy sharing algorithm is the encryption algorithm that a kind of " perfect-security " reaches Information theoretical secure.It should Algorithm uses threshold value [m, n], i.e. environmental monitoring data D to pass through code conversion at N block environmental monitoring datas, at least through wherein M blocks can restore environmental monitoring data D, and be arbitrarily less than m block numbers according to the arbitrary portion information that cannot all disclose former data. The present invention provides proof procedure below:It is the distribution of privacy sharing first, using finite field gf (q), (q is prime number, q>N), it selects N different nonzero elements in finite field, it is disclosed to be denoted as U.At random generate m-1 element and m-1 order polynomials, Using finite field gf (q) (q is prime number, q > n), n different nonzero elements in finite field are selected, x is denoted asi, xiIt is open 's.M-1 element a is generated at random1,a2,...am-1And m-1 order polynomial f (x)=a0+a1x+...+am-1xm-1.For former ring Border monitoring data D, enables D=a0, for xi(1≤i≤n) is calculated:Obtained f (xi)(1≤i≤n) Environmental monitoring data block as after transform coding, i.e. con_key_box_slices.
In the recovery of key, the recovery process of former environmental monitoring data needs at least to know m block number evidences, i.e., appoints here and take N m blocks in the block:f(xi) (1≤i≤m), group of equations:
It is converted into matrix:
It due to generalized circular matrix, is reversible, so equation group has unique solution, you can calculate unknown number a0+a1x+...+ am-1To obtain former environmental monitoring data a0,D.And m-1 block number evidences are known for oneself, the m-1 equations for having m unknown number are solved, not Know that number there are infinite multiple solutions, and the possibility each solved is identical, therefore is unable to get about any of former environmental monitoring data D Information.To sum up, it is that con_key_box_slices made of [m, n] privacy sharing takes in attacker that the present invention, which is said by threshold value, It is perfectly safe in the case of less than m blocks.
3 system performance testing results
Time overhead test in ,-as user using the most frequent operation of cloud storage service be upload and download, therefore this Experiment makes comparison survey with regard to big data and small data mechanism safe to use and without using the expense of security mechanism operation data respectively Examination.Time due to completing data manipulation every time has certain randomness, so the present invention is to the same environmental monitoring data The same operation do altogether 10 times experiment, be averaged as a result, obtaining following table:
The time overhead of 2 small data of table compares
When mechanism safe to use uploads data [32K-128M], time overhead is substantially in 13s between 60s;It is safe to use When mechanism downloading data [32K-128M], time overhead is substantially in 2s between 20s.Although from can see decimal in Fig. 6-1 According to operating time multiplication, but since its radix is smaller, there is no generate for user experience for the time span increased Excessive influence, here it is considered herein that mechanism safe to use and the time overhead that generates is user can receive in use 's.
The storage capacity for giving full play to and being utilized high in the clouds of security mechanism, space expense are mainly derived from security mechanism Key management, here the present invention provide specific analysis.When user selects mechanism storage environment monitoring data D safe to use When, the proxy server for receiving user's request first encrypts it, and ciphertext is divided into n blocks etc. by environmental monitoring data dispenser The environmental monitoring data block of sizeTherefore the encryption of environmental monitoring data itself and segmentation (stripping) operation do not have Increase additional memory space.But encryption mechanism makes system need the management work of additional responsible key, increases two class keys Box;
First, object key box, each container corresponds to an object key box, and object key box is to be in Dictionary structure { the ObjectName of key-value forms:(key, vi, pad) }, often increase an object in container It is increased by one key-value pairs, therefore the object that the size container corresponding with its of each object key box includes Quantity is directly proportional.
Second is that container key box, a user corresponds to a container key box, and container key box is equally in key- Dictionary structure { the ContainerName of value forms:(key, vi, pad) }, user often creates a container, system Just one container key of generation, one key-value pairs of increase, therefore what the size of container key box and user created Container quantity is directly proportional.In addition to this, container key box needs to become con_key_box_ by privacy sharing The size of slices, each slice are identical as original data con_ckb, if some | con_keyboxcon|, then secondary container key Joint memory space needs nLcon.At the same time the space expense that key management is spent, reaches much smaller than data itself The storage capacity in cloud is made full use of to provide the purpose of secure storage mechanism.
The foregoing is merely illustrative of the preferred embodiments of the present invention, is not intended to limit the invention, all essences in the present invention All any modification, equivalent and improvement etc., should all be included in the protection scope of the present invention made by within refreshing and principle.

Claims (7)

1. a kind of environmental monitoring data method for secure storing towards credible cloud, which is characterized in that the ring towards credible cloud Monitoring data method for secure storing each user in border corresponds to a con_ckb, is all containers that the user creates conkeys;User is needed to provide a user password User_key index of conckb, password is as binary tree structure Root node is derived from downwards child nodes by root node, is calculated separately using hash algorithm SHA-256 in derivation history successively Left and right child node;Obtain index of the cryptographic Hash as con_key_box_slices of pth layer.
2. the environmental monitoring data method for secure storing towards credible cloud as described in claim 1, which is characterized in that the face Into the environmental monitoring data method for secure storing of credible cloud Swift by Ring from object data to dummy node, then to storage Mapping between equipment specifically includes:
The data structure of Ring is first provided, is the information list for each storage device for participating in the Ring first, records each storage Devid, zone, weight, IP of equipment:port、devicename、meta;Replica2part2dev_id, record are each The corresponding storage devices of Partition;Record the carry digit of Partition, part_shift;Followed by object data is to dummy section Point:The dummy node that Ring is used is called Partition;The mapping of object data to dummy node is as follows:
md5('/account/container/object').digest())[0]>>self._part_shift;
Dummy node is to storage device:Partition ensures that storage device storage data quantity is balanced to the mapping between storage device;For Each Partition finds storage device and collects the Partition to be allocated, and is denoted as (Parition_id, replica_ id);For each storage device, based on the Partition quantity that weight calculation should get, according to sorting from more to less;Together When for Region, Zone, IP belonging to each device build oneself:port、Dev_id;Build whole hierarchical tree.
3. the environmental monitoring data method for secure storing towards credible cloud as claimed in claim 2, which is characterized in that the face Process to the mapping of the environmental monitoring data method for secure storing of credible cloud is the copy of certain to be stored object data, first Find the layer for storing this object data minimum number;Most hungry storage device is found in layer again.
4. the environmental monitoring data method for secure storing towards credible cloud as described in claim 1, which is characterized in that the face It is specifically included to the environmental monitoring data method for secure storing of credible cloud:The of cryptographic Hash K (0,1)=User_key, K (i, j) One parameter i indicates that the level number of binary tree, second parameter j indicate the call number in i-th layer, as i=x, 1≤j≤2x; Then it obtains:
LeftCof ki,j=hash (k (i, j) | | (2*j) | | k (i, j))=k ((i+1), (2*j));
RightCof ki,j=hash (k (i, j) | | (2*j) | | k (i, j))=k ((i+1), (2*j));
Wherein | | | | it indicates connection, then passes through N=4 calculating, obtain 16 index values, make con_key_box_slice's Name.
5. a kind of ring towards credible cloud of the environmental monitoring data method for secure storing towards credible cloud as described in claim 1 Border monitoring data safe storage system, which is characterized in that the environmental monitoring data safe storage system packet towards credible cloud It includes:Client, server-side;
Swiftclient_module in client is responsible for providing PythonAPI, and swift provides the function of command-line tool;
The code file under bin catalogues in server-side is the startup script of service processes;Code file under etc catalogues is clothes The associated profile that business process uses;Swift catalogues are the core codes of system, including agency service, tenant's management service, Container management service, object environment monitoring data management service and public calling module.
6. the environmental monitoring data safe storage system towards credible cloud as claimed in claim 5, which is characterized in that the face It is divided into three parts to the environmental monitoring data safe storage system of credible cloud:Client, proxy service node and memory node;
For client deployment on the local machine of service user, user passes through client operation environmental monitoring data;Agency's clothes Agency service is run on business node, is the window that server-side externally services, is responsible for receiving the request of client, it is legal to carry out Authentication and authorization searches relative position of the environmental monitoring data on memory node, forwards the request to respective stored node, Corresponding failure handling is made simultaneously for failure, failure;Tenant's management service, container management service are run on memory node With object environment monitoring data management service, it is responsible for the management and storage of environmental monitoring data, operates in keeping on memory node Shield process is responsible for the reliabilty and availability of guarantee environment monitoring data in systems.
7. a kind of environmental monitoring data method for secure storing using towards credible cloud described in Claims 1 to 4 any one Cloud storage service system.
CN201810453258.5A 2018-05-14 2018-05-14 A kind of environmental monitoring data safe storage system and method towards credible cloud Active CN108683729B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201810453258.5A CN108683729B (en) 2018-05-14 2018-05-14 A kind of environmental monitoring data safe storage system and method towards credible cloud

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201810453258.5A CN108683729B (en) 2018-05-14 2018-05-14 A kind of environmental monitoring data safe storage system and method towards credible cloud

Publications (2)

Publication Number Publication Date
CN108683729A true CN108683729A (en) 2018-10-19
CN108683729B CN108683729B (en) 2019-06-18

Family

ID=63805603

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201810453258.5A Active CN108683729B (en) 2018-05-14 2018-05-14 A kind of environmental monitoring data safe storage system and method towards credible cloud

Country Status (1)

Country Link
CN (1) CN108683729B (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109361513A (en) * 2018-11-15 2019-02-19 桂林电子科技大学 A kind of user's Weight Value Distributed Methods for Shamir privacy sharing
CN113068128A (en) * 2021-03-18 2021-07-02 西安电子科技大学 User geographic position neighbor query method based on double cloud security computing protocol
CN114064207A (en) * 2021-11-10 2022-02-18 南京信易达计算技术有限公司 User data container storage method in cloud storage system based on customized LINUX architecture

Citations (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101969391A (en) * 2010-10-27 2011-02-09 北京邮电大学 Cloud platform supporting fusion network service and operating method thereof
CN102143022A (en) * 2011-03-16 2011-08-03 北京邮电大学 Cloud measurement device and method for IP network
CN102307185A (en) * 2011-06-27 2012-01-04 北京大学 Data isolation method used in storage cloud
CN102307221A (en) * 2011-03-25 2012-01-04 国云科技股份有限公司 Cloud storage system and implementation method thereof
CN102591970A (en) * 2011-12-31 2012-07-18 北京奇虎科技有限公司 Distributed key-value query method and query engine system
CN102609446A (en) * 2012-01-05 2012-07-25 厦门市美亚柏科信息股份有限公司 Distributed Bloom filter system and application method thereof
CN102891856A (en) * 2012-10-18 2013-01-23 中国科学院信息工程研究所 Safe access method between plural entity and plural entity identity relaying party
CN102916811A (en) * 2012-10-18 2013-02-06 中国科学院信息工程研究所 Multielement entity identity certificate information storage method
CN103281400A (en) * 2013-06-18 2013-09-04 清华大学 Data segmenting, coding and recovering method used for cloud storage gateway
CN103618703A (en) * 2013-11-14 2014-03-05 中国人民武装警察部队工程大学 Cloud computing data security boundary protection method
CN104202361A (en) * 2014-08-13 2014-12-10 南京邮电大学 Cloud data protection method based on mobile agent

Patent Citations (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101969391A (en) * 2010-10-27 2011-02-09 北京邮电大学 Cloud platform supporting fusion network service and operating method thereof
CN102143022A (en) * 2011-03-16 2011-08-03 北京邮电大学 Cloud measurement device and method for IP network
CN102307221A (en) * 2011-03-25 2012-01-04 国云科技股份有限公司 Cloud storage system and implementation method thereof
CN102307185A (en) * 2011-06-27 2012-01-04 北京大学 Data isolation method used in storage cloud
CN102591970A (en) * 2011-12-31 2012-07-18 北京奇虎科技有限公司 Distributed key-value query method and query engine system
CN102609446A (en) * 2012-01-05 2012-07-25 厦门市美亚柏科信息股份有限公司 Distributed Bloom filter system and application method thereof
CN102891856A (en) * 2012-10-18 2013-01-23 中国科学院信息工程研究所 Safe access method between plural entity and plural entity identity relaying party
CN102916811A (en) * 2012-10-18 2013-02-06 中国科学院信息工程研究所 Multielement entity identity certificate information storage method
CN103281400A (en) * 2013-06-18 2013-09-04 清华大学 Data segmenting, coding and recovering method used for cloud storage gateway
CN103618703A (en) * 2013-11-14 2014-03-05 中国人民武装警察部队工程大学 Cloud computing data security boundary protection method
CN104202361A (en) * 2014-08-13 2014-12-10 南京邮电大学 Cloud data protection method based on mobile agent

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109361513A (en) * 2018-11-15 2019-02-19 桂林电子科技大学 A kind of user's Weight Value Distributed Methods for Shamir privacy sharing
CN109361513B (en) * 2018-11-15 2021-05-28 桂林电子科技大学 User weight distribution method for Shamir secret sharing
CN113068128A (en) * 2021-03-18 2021-07-02 西安电子科技大学 User geographic position neighbor query method based on double cloud security computing protocol
CN113068128B (en) * 2021-03-18 2021-11-23 西安电子科技大学 User geographic position neighbor query method based on double cloud security computing protocol
CN114064207A (en) * 2021-11-10 2022-02-18 南京信易达计算技术有限公司 User data container storage method in cloud storage system based on customized LINUX architecture

Also Published As

Publication number Publication date
CN108683729B (en) 2019-06-18

Similar Documents

Publication Publication Date Title
Attasena et al. Secret sharing for cloud data security: a survey
US11874819B2 (en) Systems and methods for data validation and assurance
CN108683729B (en) A kind of environmental monitoring data safe storage system and method towards credible cloud
TWI737172B (en) Computer system, computer program product and computer implement method for incremental decryption and integrity verification of a secure operating system image
Wang et al. Research on data security in big data cloud computing environment
CN110199283A (en) For the system and method that authentication platform is trusted in network function virtualized environment
CN116530050A (en) Secure computing resource deployment using homomorphic encryption
US20220182233A1 (en) Multi-phase protection for data-centric objects
Prajapati et al. Efficient Cross User Client Side Data Deduplication in Hadoop.
Kumar et al. Data security and encryption technique for cloud storage
US11356382B1 (en) Protecting integration between resources of different services using service-generated dependency tags
KR20200142588A (en) Retrieving personal information using low-linear public-key actions
Arfan Mobile cloud computing security using cryptographic hash function algorithm
US11455391B2 (en) Data leakage and misuse detection
Balamurugan et al. Common cloud architecture for cloud interoperability
Benard et al. A Review on Data Security and Emerging Threats in Cloud Computing
Jain et al. Bloom Filter in Cloud Storage for Efficient Data Membership Identification
Xie et al. A Situation Awareness System for the Information Security of Power Grid
Yi et al. Application of Authorization in Smart Grid based on the PasS Microservice architecture
Gupta et al. Hybrid Multi-User Based Cloud Data Security for Medical Decision Learning Patterns
Baligodugula et al. A Comparative Study of Secure and Efficient Data Duplication Mechanisms for Cloud-Based IoT Applications
Patil et al. A Review on Ensuring Data Security in Cloud
US20220405099A1 (en) Generating masks for formats including masking restrictions
Gupta et al. Blockchain Enabled Hadoop Distributed File System Framework for Secure and Reliable Traceability
Shen et al. Remote data authentication scheme based balance binary sort Merkle hash tree

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant