CN108683729B - A kind of environmental monitoring data safe storage system and method towards credible cloud - Google Patents

A kind of environmental monitoring data safe storage system and method towards credible cloud Download PDF

Info

Publication number
CN108683729B
CN108683729B CN201810453258.5A CN201810453258A CN108683729B CN 108683729 B CN108683729 B CN 108683729B CN 201810453258 A CN201810453258 A CN 201810453258A CN 108683729 B CN108683729 B CN 108683729B
Authority
CN
China
Prior art keywords
monitoring data
user
environmental monitoring
node
storage
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201810453258.5A
Other languages
Chinese (zh)
Other versions
CN108683729A (en
Inventor
韦鹏程
颜蓓
贺方成
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Chongqing University of Education
Original Assignee
Chongqing University of Education
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Chongqing University of Education filed Critical Chongqing University of Education
Priority to CN201810453258.5A priority Critical patent/CN108683729B/en
Publication of CN108683729A publication Critical patent/CN108683729A/en
Application granted granted Critical
Publication of CN108683729B publication Critical patent/CN108683729B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00Network arrangements or protocols for supporting network services or applications
    • H04L67/01Protocols
    • H04L67/10Protocols in which an application is distributed across nodes in the network
    • H04L67/1097Protocols in which an application is distributed across nodes in the network for distributed storage of data in networks, e.g. transport arrangements for network file system [NFS], storage area networks [SAN] or network attached storage [NAS]
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/10Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00Network arrangements or protocols for supporting network services or applications
    • H04L67/50Network services
    • H04L67/56Provisioning of proxy services
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/06Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
    • H04L9/0643Hash functions, e.g. MD5, SHA, HMAC or f9 MAC

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Power Engineering (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Storage Device Security (AREA)

Abstract

The invention belongs to access, addressing or the distribution technique fields in storage system or architecture, disclose a kind of environmental monitoring data safe storage system and method towards credible cloud, the corresponding con_ckb of each user is the conkeys of all containers of user creation;User is needed to provide a user password User_key index of conckb, root node of the password as binary tree structure is successively derived from downwards child nodes by root node, calculated separately left and right child node using hash algorithm SHA-256 in derivation history;Obtain index of the cryptographic Hash as con_key_box_slices of pth layer.The present invention realizes the prototype system of security mechanism;The calculating and storage capacity for taking full advantage of cloud system substantially increase the convenient degree that user uses, and user is without voluntarily encryption, the client encryption and decryption without relying on fixation.

Description

A kind of environmental monitoring data safe storage system and method towards credible cloud
Technical field
The invention belongs to access, addressing or the distribution technique fields in storage system or architecture, more particularly to A kind of environmental monitoring data safe storage system and method towards credible cloud.
Background technique
Currently, the prior art commonly used in the trade is such thatWith the arrival in Web2.0 epoch, got in people's life Come more storage demands (picture, video, web mail, filing, backup of magnanimity etc.), the data come are createed in the whole world daily Several hundred million growths is presented.Count and show according to IDC: the data between coming 10 years will increase by 44 times, will increase to the year two thousand twenty global metadata 35ZB is grown to, about 80% is unstructured data, and major part therein is inactive again.Under such demand driving, Cloud storage service is come into being one by one for a kind of novel storage service, it is grown up along with cloud computing, can be to use Family or third-party application provide the storage resource of low cost, distribution according to need.Environmental monitoring data is that record designated area environment is each The data of index, can status to local environment and future trend carry out effective Feedback and therefore these data pacified Full storage is very important, and current cloud storage service has been gradually introduced in the storage of environmental monitoring data, however In the popularization and application of cloud storage service, safety becomes its current maximum obstacle.Cloud storage service provides storage for user Infrastructure and resource, full powers replace this characteristic of user's storage and management personal data, make user to the number being stored in the cloud According to nourishing " sense out of control ".In addition cloud safety accident takes place frequently in recent years, according to Ministry of Industry and Information in 2012 to Chinese public cloud service observation Situation shows that user is exactly the safety and privacy concern of data to what the misgivings factor of cloud computing service ranked the first position, therefore protects The personal secrets for protecting user data in cloud storage are most important.
In conclusion problem of the existing technology is:Cloud storage service has been gradually introduced environmental monitoring number at present According to storage in, safety becomes current maximum obstacle, and user is made to nourish " sense out of control ", cloud to the data being stored in the cloud Safety accident takes place frequently,
Summary of the invention
In view of the problems of the existing technology, the present invention provides a kind of environmental monitoring datas towards credible cloud to deposit safely Storage system and method.
The invention is realized in this way a kind of environmental monitoring data method for secure storing towards credible cloud, it is described towards The corresponding con_ckb of each user of the environmental monitoring data method for secure storing of credible cloud is all of user creation The conkeys of containers;User is needed to provide a user password User_key, password conduct the index of conckb The root node of binary tree structure successively derives from downwards child nodes by root node, uses hash algorithm SHA-256 in derivation history To calculate separately left and right child node;Obtain index of the cryptographic Hash as con_key_box_slices of pth layer.
Further, Swift passes through Ring from object in the environmental monitoring data method for secure storing towards credible cloud Data are specifically included to dummy node, then to the mapping between storage equipment:
The data structure of Ring is first provided, is the information list for participating in each storage equipment of the Ring first, record is each Store devid, zone, weight, IP:port, devicename, meta of equipment;Replica2part2dev_id, record The corresponding storage equipment of each Partition;Record the carry digit of Partition, part_shift;Followed by object data arrives Dummy node: the dummy node that Ring is used is called Partition;The mapping of object data to dummy node is as follows:
md5('/account/container/object').digest())[0]>>self._part_shift;
Dummy node is to storage equipment: the mapping of Partition to storage equipment room guarantees that storage equipment storage data quantity is equal Weighing apparatus;Storage equipment, which is found, for each Partition collects the Partition to be allocated, be denoted as (Parition_id, replica_id);For each storage equipment, based on the Partition quantity that weight calculation should get, according to from more to less Sequence;It is simultaneously Region, Zone, IP:port, Dev_id belonging to each device build oneself;Construct whole hierarchical tree.
Further, the process of the mapping of the environmental monitoring data method for secure storing towards credible cloud is to store Certain object data copy, first find store this object data minimum number layer;Most hungry storage is found in layer again Equipment.
Further, the environmental monitoring data method for secure storing towards credible cloud specifically includes: cryptographic Hash K (0,1) First parameter i of=User_key, K (i, j) indicate the level number of binary tree, and second parameter j indicates the index in i-th layer Number, as i=x, 1≤j≤2x;Then it obtains:
LeftCof ki,j=hash (k (i, j) | | (2*j) | | k (i, j))=k ((i+1), (2*j));
RightCof ki,j=hash (k (i, j) | | (2*j) | | k (i, j))=k ((i+1), (2*j));
Wherein | | | | it indicates connection, then by N=4 calculating, obtains 16 index values, make con_key_box_ The name of slice.Leftcof indicates left connection, and RightCof indicates right connection, and Hash indicates the cryptographic Hash of hash function
Another object of the present invention is to provide described in one kind towards the environmental monitoring data method for secure storing of credible cloud The environmental monitoring data safe storage system towards credible cloud, the environmental monitoring data secure storage system towards credible cloud System includes: client, server-side;
Swiftclient_module in client is responsible for providing PythonAPI, and swift provides the function of command-line tool Energy;
The code file under bin catalogue in server-side is the starting script of service processes;Code file under etc catalogue It is the associated profile that service processes use;Swift catalogue is the core code of system, including agency service, tenant's management Service, container management service, object environment monitoring data management service and public calling module.
Further, the environmental monitoring data safe storage system towards credible cloud is divided into three parts: client, agency Service node and memory node;
For client deployment on the local machine of service user, user passes through client operation environmental monitoring data;Generation Agency service is run on reason service node, is the window that server-side externally services, is responsible for receiving the request of client, be closed The authentication and authorization of method searches relative position of the environmental monitoring data on memory node, forwards the request to respective stored Node makes corresponding failure handling simultaneously for failure, failure;Tenant's management service, container tube are run on memory node Reason service and object environment monitoring data management service, are responsible for the management and storage of environmental monitoring data, operate in memory node On finger daemon be responsible for the reliabilty and availability of guarantee environment monitoring data in systems.
Another object of the present invention is to provide described in a kind of application towards the environmental monitoring data secure storage of credible cloud The cloud storage service system of method.
In conclusion advantages of the present invention and good effect are as follows:With the continuous growth of social demand, it is continuously created daily The data bulk come is increased rapidly with exponential.In face of such storage demand, the cloud storage system of object-oriented provides good Good solution, it be dedicated to concentrating be user provide magnanimity, resilient expansion, static unstructured number that persistence is high According to storage service.But safety becomes the biggest obstacle during its popularization and application, safety of the user to data in cloud Extremely worry with privacy, so the storage safety of protection user data is the premise of cloud storage service benign development.The present invention with The Swift mechanism of the Openstack cloud operating system of open source is prototype, is proposed a kind of using encryption and cutting techniques protection cloud The mechanism of environmental monitoring data storage safety is held, and realizes the prototype system of the security mechanism.The mechanism takes full advantage of cloud The calculating and storage capacity of end system, the security mechanism used as needed is provided for user, is substantially increased user and is used just Prompt degree, user need to only provide a user password UserJCey without voluntarily encryption, the client encryption and decryption without relying on fixation It can be used the powerful efficient encryption function in cloud and key management functions, user friendly strong.
Detailed description of the invention
Fig. 1 is the environmental monitoring data safe storage system structural representation provided in an embodiment of the present invention towards credible cloud Figure;
In figure: 1, client;2, server-side.
Fig. 2 is the environmental monitoring data method for secure storing flow chart provided in an embodiment of the present invention towards credible cloud.
Fig. 3 is fast source code skeleton schematic diagram provided in an embodiment of the present invention
Fig. 4 is the physical structure schematic diagram of swift provided in an embodiment of the present invention.
Fig. 5 is the long range mapping schematic diagram between copy provided in an embodiment of the present invention.
Fig. 6 is the building schematic diagram of equipment hierarchical structure tree provided in an embodiment of the present invention.
Fig. 7 is level export schematic diagram provided in an embodiment of the present invention.
Fig. 8 is creation user password title schematic diagram provided in an embodiment of the present invention.
Specific embodiment
In order to make the objectives, technical solutions, and advantages of the present invention clearer, with reference to embodiments, to the present invention It is further elaborated.It should be appreciated that the specific embodiments described herein are merely illustrative of the present invention, it is not used to Limit the present invention.
Environmental monitoring data is the significant data for being able to reflect area surroundings status and future trend, storage to Guan Chong It wants, currently, with the increase of data volume, cloud storage service is gradually introduced in environmental monitoring data storage, and in concrete application In the process, safety is the biggest obstacle encountered during cloud storage service promotes and applies.Amazon cloud service oneself become generally acknowledge in the industry The fact standard, core component Swift oneself become very popular cloud storage mechanism, but the mechanism exist be easy leakage user The deficiency of data, the present invention study the improvements in security method of environmental monitoring data memory mechanism in cloud, the present invention using it as prototype Environmental monitoring environmental monitoring data secure storage prototype system based on encryption and cutting techniques, and be tested.As a result table Bright, which can be effectively reduced the risk that user information is revealed in cloud.
As shown in Figure 1, the environmental monitoring data safe storage system provided in an embodiment of the present invention towards credible cloud includes: Client 1, server-side 2.
As shown in Fig. 2, the environmental monitoring data method for secure storing provided in an embodiment of the present invention towards credible cloud includes Following steps:
S201: the corresponding con_ckb of each user is the conkeys of all containers of user creation;
S202: user is needed to provide a user password User_key index of conckb, the password is as y-bend The root node of tree construction is successively derived from downwards child nodes by root node, is divided in derivation history using hash algorithm SHA-256 Left and right child node is not calculated;
S203: index of the cryptographic Hash as con_key_box_slices of pth layer is obtained.
Application principle of the invention is further described with reference to the accompanying drawing.
1, source code frame and programming model
The present invention studies the secure storage mechanism of environmental monitoring data, and the present invention is directed to the spy of environmental monitoring data Point constructs source code frame and programming model.In the model of framework of the present invention, Swift is based on python language development , it is made of client-side program and serve end program two parts." swiftclient_module " in client-side program is responsible for PythonAPI is provided, " swift " provides the function of command-line tool.The major architectural of serve end program such as Fig. 3, under bin catalogue Code file be service processes starting script;Code file under etc catalogue is the relevant configuration text that service processes use Part;Swift catalogue is the core code of system, mainly includes agency service, tenant's management service, container management service, object Environmental monitoring data management service and public calling module.In system building and deployment, client-side program, which is mounted on service, to be made User side, such as the local of mirror image component or terminal user in OpenStack.Serve end program is disposed beyond the clouds, by system Build the starting service of personnel's Run Script.As shown in Figure 3.
2, the physical structure of system
The physical structure of system can be divided into three parts: client, proxy service node and memory node, such as scheme.Client End is deployed on the local machine of service user, and user (uploads, downloading, update, deletes) environment prison by client operation Measured data;Agency service is run in proxy service node, is the window that server-side externally services, is mainly responsible for reception client Request, carry out legal authentication and authorization, search relative position of the environmental monitoring data on memory node, forwarding is asked Respective stored node is sought, makes corresponding failure handling simultaneously for situations such as failure, failure;Rent is run on memory node Family management service, container management service and object environment monitoring data management service, are mainly responsible for the management of environmental monitoring data And storage, the finger daemon operated on memory node are responsible for the reliability of guarantee environment monitoring data in systems and be can be used Property.
Fig. 4 is the exemplary diagram that Swift is built on a small scale.In order to preferably support large-scale concurrent requirements for access, in reality Proxy service node can have several in the application of border, while need to do one layer of load before request accesses proxy service node Equalizing layer.Certainly, memory node can also dynamically increase and decrease according to use demand, have an extremely strong elastic zoom capabilities, and companion With the increase and decrease of memory node, system can realize data on the migration of the data " minimum " between each memory node and each memory node The work of amount of storage equilibrium.
3, improved consistency hash algorithm
The present invention introduces how Swift is realized from object data to dummy node by Ring in terms of two, then arrives storage Mapping between equipment.The data structure for first providing Ring, is made of three parts: being each storage equipment for participating in the Ring first Information list, record it is each storage equipment devid, zone, weight, IP:port, devicename, meta; Replica2part2dev_id records the corresponding storage equipment of each Partition;The carry digit of Partition is recorded, part_shift.Followed by object data is to dummy node: the dummy node that Ring is used is called Partition, and Partition is one A concept in logic, can regard several virtual boxes as, and a Partition box can correspond to multiple object datas. The quantity of Partition is previously set by system building personnel according to system scale, usually stores hundred times of number of devices. The path (account/container/object) of one object data can be computed (Hash and displacement) and obtain the object Some corresponding Partition of data.The mapping of object data to dummy node is as follows:
md5('/account/container/object').digest())[0]>>self._part_shift
Followed by dummy node is to storage equipment: the mapping of Partition to storage equipment room should guarantee that storing equipment deposits The equilibrium of data volume is stored up, again in view of the availability of data in system, i.e., three of one data are backed up the storage being mapped to Equipment should be " maximum distance " in system, even if the copy of same part data will still keep " farthest in Data Migration Distance storage ".As shown in Figure 5.
It is for each Partition core concept for finding storage equipment: collects the Partition to be allocated, note For (Parition_id, replica_id);For each storage equipment, the Partition number that should be got based on weight calculation Amount, according to sorting from more to less;It is simultaneously Region, Zone, IP:port, Dev_id belonging to each device build oneself;Structure Build whole hierarchical tree, such as Fig. 6.
The process of mapping is the copy to certain object data that will be stored, and first finds and stores this object data quantity most Few layer;Find the storage equipment of " most hungry " in this layer again.When system scale changes, number of devices increases and decreases When, the quantity that every equipment corresponds to Partition will change, and remap at this time to Partition and storage equipment To realize balance.
Specific application method is if so, the corresponding con_ckb of each user, the inside are the institutes of user creation in system There is the conkeys of containers.User is needed to provide a user password User_key, the password index of conckb As the root node of binary tree structure, child nodes are successively derived from downwards by root node, use hash algorithm in derivation history SHA-256 calculates separately left and right child node, finally obtains rope of the cryptographic Hash as con_key_box_slices of pth layer Draw.
Such as Fig. 7, specific algorithm step is, the present invention first enables cryptographic Hash K (0,1)=User_key, the first of K (i, j) A parameter i indicates the level number of binary tree, and second parameter j indicates the call number in i-th layer, as i=x, 1≤j≤2x;It connects The present invention obtain:
LeftCof ki,j=hash (k (i, j) | | (2*j) | | k (i, j))=k ((i+1), (2*j)) (1)
RightCof ki,j=hash (k (i, j) | | (2*j) | | k (i, j))=k ((i+1), (2*j)) (2)
Wherein | | | | it indicates connection, then by N=4 calculating, obtains 16 index values, make con_key_box_ The name of slice.
Application effect of the invention is explained in detail below with reference to test.
1 test condition and purpose
Swift storage system is built used here as 5 servers, wherein 1 is used as proxy service node, is left four works For storage service node.Two pieces of SATA hard discs of every storage server carry, one piece of disk are divided into two as system disk, another piece of disk What a area, outside access net and internal lan used is kilomega network.Such as following table.Computer uses 64 Ubimtu14.04LTS operating system, deployment is added to the sec-Swift2.3.0 software systems conduct of security mechanism on server Experimental situation.
1 hardware test environment of table
Test the correct execution of security mechanism major function.User is when using cloud storage system, for different important journeys The environmental monitoring data of degree can use secure storage mechanism as needed.For environmental monitoring data to be protected, data are being uploaded Before, user needs to provide user password and first creates dedicated for the container of storage protection environmental monitoring data, is uploaded to this The object of container will be protected by security mechanism.Then, in user's operation (upload, downloading etc.) environmental monitoring data Shi Junxu provides user password, and system will execute management and protection to environmental monitoring data according to security mechanism.For being not required to Environmental monitoring data to be protected is executed according to the function that original system provides.For functional test, the present invention will provide operation examination Example, and in the form of log record security mechanism whole implementation procedures.
2 System Functional Test results
The present invention shows software function first, first completes registration for a new user newuser.Realize tenant Then the creation of Newproject carries out the setting of username and password, such as Fig. 8: user newuser uploads downloaded object data Tmp.32K, user using security mechanism upload data before, need first to create the container for storing encryption data, then into Row uploads or downloaded object data manipulation, notices that user is required to using the process of security mechanism provides user password User_ key.For example, user creates the container for storing the encrycon of encryption data, and the upload object data into the container Tmp.32K similarly downloads tmp.32K from encrycon container, is both needed to provide user password using the process of security mechanism.It connects Creation encrycon container, the upload object data tmp.32K into container encrycon, from container encrycon downloading pair Image data tmp.32K, the security mechanism after receiving request of the user using security mechanism storing data, on proxy server The course of work recorded by way of log.
Followed by security test as a result, being protected by data segmentation, data encryption technology and complete key managing project Protect the sensitive data of user.Critical data is increased in system thus.The data that system is laid special stress on protecting have obj_frags, con_ Obj_key-box and con_key_box-slices.User's sensitive data objfrags and con_obj_key_box are all made of AES-128 Encryption Algorithm encryption, the ciphertext of formation are stored on memory node.For hereinbefore original system stored in clear Example getfilecontxt, if being stored using security mechanism, user first creates the con container for encryption handling, to Transmitting file getfilecontxt is gone up in con, carries user password User_key in operation.Security mechanism is by getfilecontat Environmental monitoring data is divided into 10 pieces, and the present invention stores accordingly checks 10 pieces of environmental monitoring datas with the shape of ciphertext in equipment Formula storage.
It is to be obtained by Top layer key file con_ckb by privacy sharing algorithm process for con_key_box_slices " encoding block ".Privacy sharing algorithm is the encryption algorithm that a kind of " perfect-security " reaches Information theoretical secure.It should Algorithm uses threshold value [m, n], i.e. environmental monitoring data D passes through code conversion at N block environmental monitoring data, at least through wherein M block can restore environmental monitoring data D, and arbitrarily less than m block number according to the arbitrary portion information that cannot all disclose former data. The present invention provides proof procedure below: being the distribution of privacy sharing first, uses finite field gf (q) (q is prime number, q > n), selection N different nonzero elements in finite field, it is disclosed for being denoted as U.At random generate m-1 element and m-1 order polynomial, Using finite field gf (q) (q is prime number, q > n), n different nonzero elements in finite field are selected, x is denoted asi, xiIt is open 's.M-1 element a is generated at random1,a2,...am-1And m-1 order polynomial f (x)=a0+a1x+...+am-1xm-1.For former ring Border monitoring data D, enables D=a0, for xi(1≤i≤n) is calculated:Obtained f (xi)(1≤i≤n) Environmental monitoring data block as after transform coding, i.e. con_key_box_slices.
In the recovery of key, the recovery process of former environmental monitoring data needs at least to know m block number evidence, i.e., appoints here and take M block in n block: f (xi) (1≤i≤m), group of equations:
It is converted into matrix:
It due to generalized circular matrix, is reversible, so equation group has unique solution, unknown number a can be calculated0+a1x+...+ am-1To obtain former environmental monitoring data a0,D.And m-1 block number evidence is known for oneself, solution m-1 have the equation of m unknown number, not Know that number there are infinite multiple solutions, and a possibility that each solution is identical, therefore is unable to get about any of former environmental monitoring data D Information.To sum up, the present invention is said takes for con_key_box_slices made of [m, n] privacy sharing in attacker by threshold value It is perfectly safe in the case where less than m block.
3 system performance testing results
Time overhead test in ,-as user using the most frequent operation of cloud storage service be upload and downloading, therefore this Experiment makes comparison survey with regard to big data and small data using security mechanism and without using the expense of security mechanism operation data respectively Examination.Time due to completing data manipulation every time has certain randomness, so the present invention is to the same environmental monitoring data The same operation do altogether 10 times experiment, be averaged as a result, obtaining following table:
The time overhead of 2 small data of table compares
When uploading data [32K-128M] using security mechanism, time overhead is substantially in 13s between 60s;Using safe When mechanism downloading data [32K-128M], time overhead is substantially in 2s between 20s.Although from can see decimal in Fig. 6-1 According to operating time multiplication, but since its radix is smaller, there is no generate for user experience for the time span increased Excessive influence, here it is considered herein that the time overhead generated using security mechanism is that user can receive in use 's.
The storage capacity for giving full play to and being utilized cloud of security mechanism, space expense are mainly derived from security mechanism Key management, the present invention provides specific analysis here.When user's selection uses security mechanism storage environment monitoring data D When, the proxy server for receiving user's request first encrypts it, and ciphertext is divided into n block etc. by environmental monitoring data divider The environmental monitoring data block of sizeTherefore the encryption of environmental monitoring data itself and segmentation (stripping) operation do not have Have and increases additional memory space.But encryption mechanism makes system need the management work of additional responsible key, and it is close to increase two classes Key box;
First is that object key box, the corresponding object key box of each container, object key box is to be in The dictionary structure { ObjectName:(key, vi, pad) } of key-value form, one object of every increase in container It is increased by one key-value pairs, therefore the object that the size container corresponding with its of each object key box includes Quantity is directly proportional.
Second is that container key box, the corresponding container key box of a user, container key box is equally in key- The dictionary structure { ContainerName:(key, vi, pad) } of value form, user one container of every creation, system A container key is just generated, increases by one key-value pairs, therefore the size of container key box and user's creation Container quantity is directly proportional.In addition to this, container key box needs to become con_key_box_ by privacy sharing The size of slices, each slice are identical as original data con_ckb, if some | con_keyboxcon|, then secondary container key Joint memory space needs nLcon.The space expense that key management is spent at the same time, reaches much smaller than data itself The storage capacity in cloud is made full use of to provide the purpose of secure storage mechanism.
The foregoing is merely illustrative of the preferred embodiments of the present invention, is not intended to limit the invention, all in essence of the invention Made any modifications, equivalent replacements, and improvements etc., should all be included in the protection scope of the present invention within mind and principle.

Claims (5)

1. a kind of environmental monitoring data method for secure storing towards credible cloud, which is characterized in that the ring towards credible cloud The corresponding con_ckb of each user of border monitoring data method for secure storing, is all containers of user creation conkeys;User is needed to provide a user password User_key index of con_ckb, password is as binary tree structure Root node, child nodes are successively derived from downwards by root node, are calculated separately in derivation history using hash algorithm SHA-256 Left and right child node;Obtain index of the cryptographic Hash as con_key_box_slices of pth layer;
Swift is by Ring from object data to dummy section in the environmental monitoring data method for secure storing towards credible cloud Point, then specifically included to the mapping between storage equipment:
The data structure of Ring is first provided, is first the information list for participating in each storage equipment of the Ring, records each storage Devid, zone, weight, IP:port, devicename, meta of equipment;Replica2part2dev_id, record are each The corresponding storage equipment of Partition;Record the carry digit of Partition, part_shift;Followed by object data is to dummy section Point: the dummy node that Ring is used is called Partition;The mapping of object data to dummy node is as follows:
md5('/account/container/object').digest())[0]>>self._part_shift;
Dummy node is to storage equipment: the mapping of Partition to storage equipment room guarantees that storage equipment storage data quantity is balanced;For Each Partition finds storage equipment and collects the Partition to be allocated, and is denoted as (Parition_id, replica_ id);For each storage equipment, based on the Partition quantity that weight calculation should get, according to sorting from more to less;Together When for Region, Zone, IP:port, Dev_id belonging to each device build oneself;Construct whole hierarchical tree.
2. as described in claim 1 towards the environmental monitoring data method for secure storing of credible cloud, which is characterized in that the face Process to the mapping of the environmental monitoring data method for secure storing of credible cloud is the copy of certain to be stored object data, first Find the layer for storing this object data minimum number;Most hungry storage equipment is found in layer again.
3. as described in claim 1 towards the environmental monitoring data method for secure storing of credible cloud, which is characterized in that the face It is specifically included to the environmental monitoring data method for secure storing of credible cloud: the of cryptographic Hash K (0,1)=User_key, K (i, j) One parameter i indicates the level number of binary tree, and second parameter j indicates the call number in i-th layer, as i=x, 1≤j≤2x; Then it obtains:
LeftCof ki,j=hash (k (i, j) | | (2*j) | | k (i, j))=k ((i+1), (2*j));
RightCof ki,j=hash (k (i, j) | | (2*j) | | k (i, j))=k ((i+1), (2*j));
Wherein | | | | it indicates connection, then by 4 calculating, obtains 16 index values, make the name of con_key_box_slice Word.
4. a kind of ring towards credible cloud of the environmental monitoring data method for secure storing towards credible cloud as described in claim 1 Border monitoring data safe storage system, which is characterized in that the environmental monitoring data safe storage system packet towards credible cloud It includes: client, server-side;
Swiftclient_module in client is responsible for providing PythonAPI, and swift provides the function of command-line tool;
The code file under bin catalogue in server-side is the starting script of service processes;Code file under etc catalogue is clothes The associated profile that business process uses;Swift catalogue is the core code of system, including agency service, tenant's management service, Container management service, object environment monitoring data management service and public calling module.
5. as claimed in claim 4 towards the environmental monitoring data safe storage system of credible cloud, which is characterized in that the face It is divided into three parts to the environmental monitoring data safe storage system of credible cloud: client, proxy service node and memory node;
For client deployment on the local machine of service user, user passes through client operation environmental monitoring data;Agency's clothes Agency service is run on business node, is the window that server-side externally services, is responsible for receiving the request of client, it is legal to carry out Authentication and authorization searches relative position of the environmental monitoring data on memory node, forwards the request to respective stored node, Corresponding failure handling is made simultaneously for failure, failure;Tenant's management service, container management service are run on memory node With object environment monitoring data management service, it is responsible for the management and storage of environmental monitoring data, operates in keeping on memory node Shield process is responsible for the reliabilty and availability of guarantee environment monitoring data in systems.
CN201810453258.5A 2018-05-14 2018-05-14 A kind of environmental monitoring data safe storage system and method towards credible cloud Active CN108683729B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201810453258.5A CN108683729B (en) 2018-05-14 2018-05-14 A kind of environmental monitoring data safe storage system and method towards credible cloud

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201810453258.5A CN108683729B (en) 2018-05-14 2018-05-14 A kind of environmental monitoring data safe storage system and method towards credible cloud

Publications (2)

Publication Number Publication Date
CN108683729A CN108683729A (en) 2018-10-19
CN108683729B true CN108683729B (en) 2019-06-18

Family

ID=63805603

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201810453258.5A Active CN108683729B (en) 2018-05-14 2018-05-14 A kind of environmental monitoring data safe storage system and method towards credible cloud

Country Status (1)

Country Link
CN (1) CN108683729B (en)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109361513B (en) * 2018-11-15 2021-05-28 桂林电子科技大学 User weight distribution method for Shamir secret sharing
CN113068128B (en) * 2021-03-18 2021-11-23 西安电子科技大学 User geographic position neighbor query method based on double cloud security computing protocol
CN114064207A (en) * 2021-11-10 2022-02-18 南京信易达计算技术有限公司 User data container storage method in cloud storage system based on customized LINUX architecture

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102591970A (en) * 2011-12-31 2012-07-18 北京奇虎科技有限公司 Distributed key-value query method and query engine system
CN102609446A (en) * 2012-01-05 2012-07-25 厦门市美亚柏科信息股份有限公司 Distributed Bloom filter system and application method thereof
CN102891856A (en) * 2012-10-18 2013-01-23 中国科学院信息工程研究所 Safe access method between plural entity and plural entity identity relaying party
CN102916811A (en) * 2012-10-18 2013-02-06 中国科学院信息工程研究所 Multielement entity identity certificate information storage method

Family Cites Families (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101969391B (en) * 2010-10-27 2012-08-01 北京邮电大学 Cloud platform supporting fusion network service and operating method thereof
CN102143022B (en) * 2011-03-16 2013-09-25 北京邮电大学 Cloud measurement device and method for IP network
CN102307221A (en) * 2011-03-25 2012-01-04 国云科技股份有限公司 Cloud storage system and implementation method thereof
CN102307185B (en) * 2011-06-27 2015-02-25 北京大学 Data isolation method used in storage cloud
CN103281400A (en) * 2013-06-18 2013-09-04 清华大学 Data segmenting, coding and recovering method used for cloud storage gateway
CN103618703B (en) * 2013-11-14 2016-06-29 中国人民武装警察部队工程大学 A kind of cloud computing data security boundary protection method
CN104202361A (en) * 2014-08-13 2014-12-10 南京邮电大学 Cloud data protection method based on mobile agent

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102591970A (en) * 2011-12-31 2012-07-18 北京奇虎科技有限公司 Distributed key-value query method and query engine system
CN102609446A (en) * 2012-01-05 2012-07-25 厦门市美亚柏科信息股份有限公司 Distributed Bloom filter system and application method thereof
CN102891856A (en) * 2012-10-18 2013-01-23 中国科学院信息工程研究所 Safe access method between plural entity and plural entity identity relaying party
CN102916811A (en) * 2012-10-18 2013-02-06 中国科学院信息工程研究所 Multielement entity identity certificate information storage method

Also Published As

Publication number Publication date
CN108683729A (en) 2018-10-19

Similar Documents

Publication Publication Date Title
US10831933B2 (en) Container update system
US10698812B2 (en) Updating cache using two bloom filters
US20190266128A1 (en) Method and system for verification of deleted data for blockchains
US20200007344A1 (en) Systems and methods for data validation and assurance
US11061886B2 (en) Systems and methods for data validation and assurance
JP2020528609A (en) Intrusion detection and mitigation in data processing
US20200007343A1 (en) Systems and methods for data validation and assurance
CN108683729B (en) A kind of environmental monitoring data safe storage system and method towards credible cloud
CN110199283B (en) System and method for authenticating platform trust in a network functions virtualization environment
CN113661490B (en) Method and system for securely storing data
Dauterman et al. Snoopy: Surpassing the scalability bottleneck of oblivious storage
TWI737172B (en) Computer system, computer program product and computer implement method for incremental decryption and integrity verification of a secure operating system image
Wang et al. Research on data security in big data cloud computing environment
US10725771B2 (en) Artifact transformation in network devices
US11200218B2 (en) Providing consistent data masking using causal ordering
US20210124764A1 (en) Generating a data partitioning strategy for secure and efficient query processing
US20220385596A1 (en) Protecting integration between resources of different services using service-generated dependency tags
US11586598B2 (en) Data deduplication in data platforms
Bowers et al. Detecting suspicious file migration or replication in the cloud
US11455391B2 (en) Data leakage and misuse detection
US20220405099A1 (en) Generating masks for formats including masking restrictions
US11526534B2 (en) Replicating data changes through distributed invalidation
Jain et al. Bloom Filter in Cloud Storage for Efficient Data Membership Identification
Gupta et al. Blockchain Enabled Hadoop Distributed File System Framework for Secure and Reliable Traceability
US11880350B2 (en) Identifying resource lock ownership across a clustered computing environment

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant