CN108683729B - Secure storage system and method for environmental monitoring data in a trusted cloud - Google Patents
Publication number: CN108683729B (CN201810453258.5A)
Authority: CN (China)
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Abstract
The invention belongs to the technical field of accessing, addressing or allocation within memory systems or architectures, and discloses a secure storage system and method for environmental monitoring data in a trusted cloud. Each user has a corresponding con_ckb, which holds the conkeys of all containers created by that user. To index con_ckb, the user must provide a user password User_key. The password serves as the root node of a binary tree; child nodes are derived downward layer by layer from the root node, and the hash algorithm SHA-256 is used during derivation to compute the left and right child nodes respectively. The hash values of the p-th layer are obtained as the indexes of the con_key_box_slices. The invention implements a prototype system of the security mechanism. It makes full use of the computing and storage capacity of the cloud system and greatly improves convenience for users, who do not need to encrypt data themselves or rely on a fixed client for encryption and decryption.
Description
Technical field
The invention belongs to the technical field of accessing, addressing or allocation within memory systems or architectures, and more particularly relates to a secure storage system and method for environmental monitoring data in a trusted cloud.
Background technique
At present, the prior art commonly used in the industry is as follows. With the arrival of the Web 2.0 era, storage demands in people's lives keep increasing (massive numbers of pictures, videos, web mail, archives, backups and so on), and the data created worldwide grows by hundreds of millions every day. According to IDC statistics, data will grow 44-fold over the next 10 years, and global data will grow to 35 ZB by 2020, of which about 80% is unstructured data, most of it inactive. Driven by this demand, cloud storage emerged as a new kind of storage service. It grew up alongside cloud computing and can provide users or third-party applications with low-cost storage resources allocated on demand. Environmental monitoring data records the environmental indicators of a designated area and gives effective feedback on the state and future trend of the local environment, so storing these data securely is very important. Cloud storage services have gradually been introduced into the storage of environmental monitoring data; however, in the popularization and application of cloud storage services, security has become the biggest obstacle. A cloud storage service provides the storage infrastructure and resources for the user and stores and manages personal data entirely on the user's behalf, which leaves users with a "sense of losing control" over data stored in the cloud. In addition, cloud security incidents have been frequent in recent years. According to a 2012 survey of Chinese public cloud services by the Ministry of Industry and Information Technology, the concern that users ranked first about cloud computing services was the security and privacy of data, so protecting the privacy and security of user data in cloud storage is essential.
In summary, the problem with the prior art is: cloud storage services have gradually been introduced into the storage of environmental monitoring data, security has become the biggest obstacle at present, users are left with a "sense of losing control" over data stored in the cloud, and cloud security incidents are frequent.
Summary of the invention
In view of the problems in the prior art, the present invention provides a secure storage system and method for environmental monitoring data in a trusted cloud.
The invention is realized as follows. In a secure storage method for environmental monitoring data in a trusted cloud, each user has a corresponding con_ckb, which holds the conkeys of all containers created by that user. To index con_ckb, the user must provide a user password User_key. The password serves as the root node of a binary tree; child nodes are derived downward layer by layer from the root node, and the hash algorithm SHA-256 is used during derivation to compute the left and right child nodes respectively. The hash values of the p-th layer are obtained as the indexes of the con_key_box_slices.
Further, in the method, Swift's mapping through the Ring from object data to virtual nodes, and then to storage devices, specifically includes the following.
First, the data structure of the Ring: a list of information on each storage device participating in the Ring, recording each device's devid, zone, weight, IP:port, devicename and meta; replica2part2dev_id, which records the storage device corresponding to each Partition; and part_shift, which records the shift amount for the Partition. Next, object data to virtual node: the virtual node used by the Ring is called a Partition. The mapping from object data to virtual node is as follows:
struct.unpack_from('>I', md5('/account/container/object').digest())[0] >> self._part_shift;
Virtual node to storage device: the mapping from Partitions to storage devices keeps the amount of data stored on each storage device balanced. To find a storage device for each Partition: collect the Partitions to be allocated, denoted (Parition_id, replica_id); for each storage device, compute from its weight the number of Partitions it should receive, and sort from most to fewest; at the same time, build for each device the Region, Zone, IP:port and Dev_id it belongs to; and construct the whole hierarchy tree.
Further, in the mapping process of the method, for a replica of an object to be stored, first find the layer that holds the least of this object's data, then find the hungriest storage device in that layer.
Further, the method specifically includes: let the hash value $K(0,1) = \text{User\_key}$. The first parameter $i$ of $K(i,j)$ is the layer number in the binary tree, and the second parameter $j$ is the index within layer $i$; when $i = x$, $1 \le j \le 2^x$. Then:
$$\mathrm{LeftCof}\ k_{i,j} = \mathrm{hash}(k(i,j) \,\|\, (2*j) \,\|\, k(i,j)) = k((i+1),(2*j));$$
$$\mathrm{RightCof}\ k_{i,j} = \mathrm{hash}(k(i,j) \,\|\, (2*j) \,\|\, k(i,j)) = k((i+1),(2*j));$$
where $\|$ denotes concatenation. After N = 4 rounds of calculation, 16 index values are obtained and used as the names of the con_key_box_slice. LeftCof denotes the left concatenation, RightCof denotes the right concatenation, and hash denotes the hash value of the hash function.
Another object of the present invention is to provide a secure storage system for environmental monitoring data in a trusted cloud that applies the described method. The system comprises a client and a server side.
In the client, swiftclient_module is responsible for providing the Python API, and swift provides the command-line tool.
On the server side, the code files under the bin directory are the startup scripts of the service processes; the code files under the etc directory are the configuration files used by the service processes; the swift directory holds the core code of the system, including the proxy service, the tenant management service, the container management service, the object (environmental monitoring data) management service and the common modules.
Further, the system is divided into three parts: client, proxy service node and storage node.
The client is deployed on the local machine of the service user, and the user operates on environmental monitoring data through the client. The proxy service runs on the proxy service node and is the window through which the server side serves the outside; it is responsible for receiving client requests, performing authentication and authorization, looking up the location of the environmental monitoring data on the storage nodes, forwarding the request to the corresponding storage node, and handling faults and failures accordingly. The storage nodes run the tenant management service, the container management service and the object (environmental monitoring data) management service and are responsible for managing and storing the environmental monitoring data; daemon processes running on the storage nodes are responsible for guaranteeing the reliability and availability of the data in the system.
Another object of the present invention is to provide a cloud storage service system that applies the described secure storage method.
In summary, the advantages and positive effects of the present invention are as follows. As social demand keeps growing, the amount of data created every day increases exponentially. Faced with such storage demand, object-oriented cloud storage systems provide a good solution: they are dedicated to providing users with centralized, massive, elastically scalable and highly durable storage for static unstructured data. However, security has become the biggest obstacle to their popularization and application. Users are extremely worried about the security and privacy of their data in the cloud, so protecting the storage security of user data is a precondition for the healthy development of cloud storage services. Taking the Swift mechanism of the open-source OpenStack cloud operating system as a prototype, the present invention proposes a mechanism that uses encryption and splitting techniques to protect the storage security of environmental monitoring data in the cloud, and implements a prototype system of this security mechanism. The mechanism makes full use of the computing and storage capacity of the cloud system and gives users a security mechanism they can use on demand, which greatly improves convenience. Users do not need to encrypt data themselves or rely on a fixed client for encryption and decryption; by providing only a user password User_key they can use the cloud's powerful and efficient encryption and key management functions, which makes the mechanism user-friendly.
Description of the drawings
Fig. 1 is a structural schematic diagram of the secure storage system for environmental monitoring data in a trusted cloud provided in an embodiment of the present invention;
In the figure: 1, client; 2, server side.
Fig. 2 is a flow chart of the secure storage method for environmental monitoring data in a trusted cloud provided in an embodiment of the present invention.
Fig. 3 is a schematic diagram of the Swift source code framework provided in an embodiment of the present invention.
Fig. 4 is a schematic diagram of the physical structure of Swift provided in an embodiment of the present invention.
Fig. 5 is a schematic diagram of the long-distance mapping between replicas provided in an embodiment of the present invention.
Fig. 6 is a schematic diagram of the construction of the device hierarchy tree provided in an embodiment of the present invention.
Fig. 7 is a schematic diagram of the layer-by-layer derivation provided in an embodiment of the present invention.
Fig. 8 is a schematic diagram of creating the user name and password provided in an embodiment of the present invention.
Specific embodiment
In order to make the objects, technical solutions and advantages of the present invention clearer, the invention is further described below with reference to embodiments. It should be understood that the specific embodiments described here serve only to explain the invention and are not intended to limit it.
Environmental monitoring data is important data that reflects the state and future trend of a region's environment, and storing it is crucial. At present, as data volumes grow, cloud storage services are gradually being introduced into environmental monitoring data storage, and in practical application security is the biggest obstacle encountered in promoting cloud storage services. Amazon cloud service has become the generally acknowledged de facto standard in the industry, and its core component Swift has become a very popular cloud storage mechanism, but the mechanism has the shortcoming of easily leaking user data. Taking it as a prototype, the present invention studies methods for improving the security of the environmental monitoring data storage mechanism in the cloud, implements a secure storage prototype system for environmental monitoring data based on encryption and splitting techniques, and tests it. The results show that the system can effectively reduce the risk of user information being leaked in the cloud.
As shown in Fig. 1, the secure storage system for environmental monitoring data in a trusted cloud provided in an embodiment of the present invention comprises: client 1 and server side 2.
As shown in Fig. 2, the secure storage method for environmental monitoring data in a trusted cloud provided in an embodiment of the present invention comprises the following steps:
S201: each user has a corresponding con_ckb, which holds the conkeys of all containers created by that user;
S202: to index con_ckb, the user must provide a user password User_key; the password serves as the root node of a binary tree, child nodes are derived downward layer by layer from the root node, and the hash algorithm SHA-256 is used during derivation to compute the left and right child nodes respectively;
S203: the hash values of the p-th layer are obtained as the indexes of the con_key_box_slices.
The application principle of the invention is further described below with reference to the drawings.
1. Source code framework and programming model
The invention studies a secure storage mechanism for environmental monitoring data and builds the source code framework and programming model around the characteristics of such data. In this framework, Swift is developed in Python and consists of a client program and a server program. In the client program, "swiftclient_module" is responsible for providing the Python API and "swift" provides the command-line tool. The main framework of the server program is shown in Fig. 3: the code files under the bin directory are the startup scripts of the service processes; the code files under the etc directory are the configuration files used by the service processes; the swift directory holds the core code of the system, which mainly includes the proxy service, the tenant management service, the container management service, the object (environmental monitoring data) management service and the common modules. In system construction and deployment, the client program is installed on the service user's side, for example with the image component in OpenStack or locally at an end user. The server program is deployed in the cloud, and the system builders run the scripts to start the services.
2. Physical structure of the system
The physical structure of the system can be divided into three parts: client, proxy service node and storage node, as shown in the figure. The client is deployed on the local machine of the service user, and the user operates on (uploads, downloads, updates, deletes) environmental monitoring data through the client. The proxy service runs on the proxy service node and is the window through which the server side serves the outside; it is mainly responsible for receiving client requests, performing authentication and authorization, looking up the location of the environmental monitoring data on the storage nodes, forwarding the request to the corresponding storage node, and handling faults, failures and similar situations accordingly. The storage nodes run the tenant management service, the container management service and the object (environmental monitoring data) management service and are mainly responsible for managing and storing the environmental monitoring data; daemon processes running on the storage nodes are responsible for guaranteeing the reliability and availability of the data in the system.
Fig. 4 is an example of a small-scale Swift deployment. To better support large numbers of concurrent access requests, in practice there can be several proxy service nodes, and a load-balancing layer is needed in front of the proxy service nodes. Storage nodes can likewise be added or removed dynamically according to demand, which gives the system very strong elastic scaling. As storage nodes are added or removed, the system migrates the "minimum" amount of data between storage nodes and balances the amount of data stored on each storage node.
3. Improved consistent hashing algorithm
How Swift uses the Ring to map object data to virtual nodes, and then to storage devices, is introduced in two parts. First, the data structure of the Ring, which consists of three parts: a list of information on each storage device participating in the Ring, recording each device's devid, zone, weight, IP:port, devicename and meta; replica2part2dev_id, which records the storage device corresponding to each Partition; and part_shift, which records the shift amount for the Partition. Next, object data to virtual node: the virtual node used by the Ring is called a Partition. A Partition is a logical concept and can be thought of as one of a number of virtual boxes; one Partition box can hold multiple object data items. The number of Partitions is set in advance by the system builders according to the scale of the system, usually at a hundred times the number of storage devices. The path of an object (account/container/object) is run through a calculation (hash and shift) to obtain the Partition that the object corresponds to. The mapping from object data to virtual node is as follows:
struct.unpack_from('>I', md5('/account/container/object').digest())[0] >> self._part_shift
Next, virtual node to storage device: the mapping from Partitions to storage devices must keep the amount of data stored on each storage device balanced, and must also take the availability of data in the system into account. That is, the storage devices to which the three replicas of one data item are mapped should be at "maximum distance" from each other in the system, and even during data migration the replicas of the same data must still be kept in "farthest-distance storage", as shown in Fig. 5.
The core idea of finding a storage device for each Partition is: collect the Partitions to be allocated, denoted (Parition_id, replica_id); for each storage device, compute from its weight the number of Partitions it should receive, and sort from most to fewest; at the same time, build for each device the Region, Zone, IP:port and Dev_id it belongs to; and construct the whole hierarchy tree, as in Fig. 6.
In the mapping process, for a replica of an object to be stored, first find the layer that holds the least of this object's data, then find the "hungriest" storage device in that layer. When the scale of the system changes and devices are added or removed, the number of Partitions corresponding to each device changes, and the Partitions are then remapped to storage devices to restore balance.
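A runnable sketch of the two-stage mapping described above, added here as an illustration; it is not Swift's code or the patent's. It reads the page's md5 expression as "first 32-bit word of the digest, shifted right by part_shift", and PART_POWER, the constructed device list and the single zone tier (standing in for the full Region/Zone/IP:port/Dev_id tree) are assumptions.

```python
import hashlib
import struct
from collections import Counter

PART_POWER = 8                  # assumed: 2**8 = 256 Partitions
PART_SHIFT = 32 - PART_POWER    # part_shift recorded by the Ring
REPLICAS = 3

# Constructed device list, using the per-device fields the Ring records.
DEVICES = [
    {"devid": 0, "zone": 1, "weight": 100.0, "ip_port": "10.0.0.1:6000", "devicename": "sdb"},
    {"devid": 1, "zone": 2, "weight": 100.0, "ip_port": "10.0.0.2:6000", "devicename": "sdb"},
    {"devid": 2, "zone": 3, "weight": 100.0, "ip_port": "10.0.0.3:6000", "devicename": "sdb"},
    {"devid": 3, "zone": 4, "weight": 200.0, "ip_port": "10.0.0.4:6000", "devicename": "sdb"},
]


def object_to_partition(account, container, obj, part_shift=PART_SHIFT):
    """Object data -> virtual node: top bits of the first 4 bytes of md5(path)."""
    path = "/%s/%s/%s" % (account, container, obj)
    digest = hashlib.md5(path.encode("utf-8")).digest()
    return struct.unpack_from(">I", digest)[0] >> part_shift


def build_replica2part2dev(devices, part_power=PART_POWER, replicas=REPLICAS):
    """Virtual node -> storage device, as table[replica][partition] = devid."""
    parts = 2 ** part_power
    total_weight = sum(d["weight"] for d in devices)
    # Number of (Partition, replica) pairs each device should still receive.
    hunger = {d["devid"]: parts * replicas * d["weight"] / total_weight
              for d in devices}
    zone_of = {d["devid"]: d["zone"] for d in devices}
    table = [[None] * parts for _ in range(replicas)]
    for part in range(parts):
        zones_used = Counter()
        devs_used = set()
        for replica in range(replicas):
            candidates = [d for d in hunger if d not in devs_used]
            # First the zone holding the fewest replicas of this Partition,
            # then the hungriest device inside it (devid breaks ties).
            dev = min(candidates,
                      key=lambda d: (zones_used[zone_of[d]], -hunger[d], d))
            table[replica][part] = dev
            hunger[dev] -= 1
            zones_used[zone_of[dev]] += 1
            devs_used.add(dev)
    return table


def devices_for(table, account, container, obj):
    """Device ids holding the replicas of one object."""
    part = object_to_partition(account, container, obj)
    return [row[part] for row in table]


def load_per_device(table):
    """How many (Partition, replica) pairs ended up on each device."""
    return Counter(dev for row in table for dev in row)


if __name__ == "__main__":
    ring = build_replica2part2dev(DEVICES)
    print(devices_for(ring, "AUTH_demo", "encrycon", "tmp.32K"))
    print(sorted(load_per_device(ring).items()))
```

The double-weight device cannot take more than one replica of any Partition, so it is capped at 256 assignments and the remaining 512 are spread evenly over the other three devices.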
The specific application method is as follows. In the system each user has a corresponding con_ckb, which contains the conkeys of all containers created by that user. To index con_ckb, the user must provide a user password User_key. The password serves as the root node of a binary tree; child nodes are derived downward layer by layer from the root node, the hash algorithm SHA-256 is used during derivation to compute the left and right child nodes respectively, and finally the hash values of the p-th layer are obtained as the indexes of the con_key_box_slices.
As shown in Fig. 7, the specific algorithm steps are as follows. First let the hash value $K(0,1) = \text{User\_key}$. The first parameter $i$ of $K(i,j)$ is the layer number in the binary tree, and the second parameter $j$ is the index within layer $i$; when $i = x$, $1 \le j \le 2^x$. Then:
$$\mathrm{LeftCof}\ k_{i,j} = \mathrm{hash}(k(i,j) \,\|\, (2*j) \,\|\, k(i,j)) = k((i+1),(2*j)) \quad (1)$$
$$\mathrm{RightCof}\ k_{i,j} = \mathrm{hash}(k(i,j) \,\|\, (2*j) \,\|\, k(i,j)) = k((i+1),(2*j)) \quad (2)$$
where $\|$ denotes concatenation. After N = 4 rounds of calculation, 16 index values are obtained and used as the names of the con_key_box_slice.
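The derivation in formulas (1) and (2), written out as an added example; it is not the patent's or the prototype's code. The page prints the same expression for both children, so the right child's index 2*j - 1 is an assumption made here to keep indexes within 1..2^i, and the byte encoding of the concatenation (decimal ASCII index between two copies of the parent) and the sample passwords are also assumed.

```python
import hashlib


def child_hash(parent: bytes, index: int) -> bytes:
    """hash(k || index || k) with SHA-256; index as decimal ASCII (assumed)."""
    return hashlib.sha256(parent + str(index).encode("ascii") + parent).digest()


def derive_layer(user_key: str, depth: int = 4) -> dict:
    """Return {j: K(depth, j)} for 1 <= j <= 2**depth, from K(0,1) = User_key."""
    layer = {1: user_key.encode("utf-8")}
    for _ in range(depth):
        nxt = {}
        for j, k in layer.items():
            nxt[2 * j] = child_hash(k, 2 * j)          # LeftCof, formula (1)
            nxt[2 * j - 1] = child_hash(k, 2 * j - 1)  # RightCof, index assumed
        layer = nxt
    return dict(sorted(layer.items()))


def slice_names(user_key: str, depth: int = 4) -> list:
    """The 2**depth index values, hex-encoded, naming the con_key_box_slices."""
    return [k.hex() for k in derive_layer(user_key, depth).values()]


def locate_slices(store: dict, user_key: str, depth: int = 4) -> list:
    """Fetch a user's slices from a name -> blob store; misses come back None."""
    return [store.get(name) for name in slice_names(user_key, depth)]


def build_sample_store() -> dict:
    """Constructed store holding the slices of two users under derived names."""
    store = {}
    for user, pw in (("newuser", "constructed-password-1"),
                     ("other", "constructed-password-2")):
        for n, name in enumerate(slice_names(pw)):
            store[name] = "%s-slice-%d" % (user, n)
    return store


if __name__ == "__main__":
    store = build_sample_store()
    print(locate_slices(store, "constructed-password-1")[:2])
    print(locate_slices(store, "wrong-password")[:2])
```

The names depend only on User_key, so the secrecy of the slice locations rests on the entropy of the password.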
The application effect of the invention is explained in detail below with reference to tests.
1 Test conditions and purpose
The Swift storage system is built here on 5 servers, 1 as the proxy service node and the remaining four as storage service nodes. Each storage server mounts two SATA hard disks; one disk is used as the system disk and the other disk is divided into two partitions. Both the external access network and the internal LAN are gigabit networks. See the table below. The computers run the 64-bit Ubuntu 14.04 LTS operating system, and the sec-Swift2.3.0 software system with the security mechanism added is deployed on the servers as the experimental environment.
Table 1: Hardware test environment
The test checks that the main functions of the security mechanism execute correctly. When using the cloud storage system, users can apply the secure storage mechanism as needed to environmental monitoring data of differing importance. For data to be protected, before uploading, the user provides the user password and first creates a container dedicated to storing protected environmental monitoring data; objects uploaded to this container are protected by the security mechanism. Thereafter the user must provide the user password whenever operating on (uploading, downloading, etc.) the data, and the system manages and protects the data according to the security mechanism. Data that does not need protection is handled by the functions of the original system. For the functional test, operation examples are given and the whole execution of the security mechanism is recorded in the form of logs.
2 System functional test results
The software functions are shown first. Registration is completed for a new user, newuser: the tenant Newproject is created and then the user name and password are set, as in Fig. 8. The user newuser uploads and downloads the object data tmp.32K. Before uploading data with the security mechanism, the user must first create a container for storing encrypted data and then upload or download object data; note that every step that uses the security mechanism requires the user password User_key. For example, the user creates the container encrycon for storing encrypted data and uploads the object data tmp.32K into it; likewise, downloading tmp.32K from the encrycon container requires the user password. Following the creation of the encrycon container, the upload of tmp.32K into encrycon and the download of tmp.32K from encrycon, the working process of the security mechanism on the proxy server, after it receives the user's requests to store data using the security mechanism, is recorded in the form of logs.
Next are the security test results. The user's sensitive data is protected by data splitting, data encryption and a complete key management scheme, which adds critical data to the system. The data that the system particularly protects are obj_frags, con_obj_key_box and con_key_box_slices. The user's sensitive data obj_frags and con_obj_key_box are both encrypted with the AES-128 encryption algorithm, and the resulting ciphertext is stored on the storage nodes. For the example getfilecontxt that the original system stored in plaintext, as described above, if the security mechanism is used the user first creates the container con for encrypted handling and uploads the file getfilecontxt to con, carrying the user password User_key in the operation. The security mechanism splits the environmental monitoring data of getfilecontxt into 10 blocks, and on inspecting the corresponding storage devices the 10 blocks are found stored in ciphertext form.
The con_key_box_slices are the "encoded blocks" obtained from the top-level key file con_ckb by processing it with a secret sharing algorithm. The secret sharing algorithm is a "perfectly secure" encoding algorithm that achieves information-theoretic security. The algorithm uses a threshold [m, n]: environmental monitoring data D is transformed by encoding into n blocks; D can be recovered from at least m of them, and any fewer than m blocks cannot reveal any partial information about the original data. The proof is given below. First, the distribution of the shared secret: using a finite field $GF(q)$ ($q$ prime, $q > n$), select n distinct nonzero elements of the field, denoted $x_i$; the $x_i$ are public. Randomly generate m-1 elements $a_1, a_2, \dots, a_{m-1}$ and the polynomial of degree m-1 $f(x) = a_0 + a_1 x + \dots + a_{m-1} x^{m-1}$. For the original environmental monitoring data D, let $D = a_0$, and for $x_i$ ($1 \le i \le n$) calculate the values $f(x_i)$. The $f(x_i)$ ($1 \le i \le n$) obtained are the environmental monitoring data blocks after encoding, i.e. the con_key_box_slices.
In key recovery, recovering the original environmental monitoring data requires knowing at least m blocks, that is, any m of the n blocks: $f(x_i)$ ($1 \le i \le m$), which form a system of equations:
Converted into matrix form:
Since this is a generalized circular matrix, it is invertible, so the system of equations has a unique solution and the unknowns $a_0, a_1, \dots, a_{m-1}$ can be calculated, yielding the original environmental monitoring data $a_0 = D$. If only m-1 blocks are known, there are m-1 equations in m unknowns; the unknowns have infinitely many solutions and each solution is equally likely, so no information about the original environmental monitoring data D can be obtained. In summary, the con_key_box_slices produced by [m, n] threshold secret sharing are perfectly secure when the attacker obtains fewer than m blocks.
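The [m, n] threshold scheme described above, as an added example (not the prototype's code): shares are points on a random polynomial of degree m-1 over GF(q), and recovery uses Lagrange interpolation at x = 0, which is equivalent to solving the system of m equations for a_0. The prime Q, the 15-byte chunking and the constructed sample con_ckb bytes are assumptions.

```python
import secrets

Q = 2**127 - 1   # assumed field size: a prime q > n
CHUNK = 15       # bytes per field element (120 bits < Q)

# Constructed stand-in for a serialized con_ckb (container key box).
SAMPLE_CON_CKB = b'{"encrycon": ["<key placeholder>", "<vi>", "<pad>"]}'


def split(secret, m, n, q=Q):
    """Return n points (x_i, f(x_i)) with f(0) = secret and deg f = m - 1."""
    if not (1 <= m <= n < q and 0 <= secret < q):
        raise ValueError("need 1 <= m <= n < q and 0 <= secret < q")
    coeffs = [secret] + [secrets.randbelow(q) for _ in range(m - 1)]
    shares = []
    for x in range(1, n + 1):          # public, distinct, nonzero x_i
        y = 0
        for a in reversed(coeffs):     # Horner evaluation of f(x) mod q
            y = (y * x + a) % q
        shares.append((x, y))
    return shares


def recover(shares, q=Q):
    """Lagrange interpolation at x = 0; correct only with >= m distinct shares."""
    if len({x for x, _ in shares}) != len(shares):
        raise ValueError("duplicate x_i")
    secret = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % q
                den = den * (xi - xj) % q
        # den is nonzero because the x_i are distinct; invert it via Fermat.
        secret = (secret + yi * num * pow(den, q - 2, q)) % q
    return secret


def split_bytes(data, m, n):
    """Encode data into n slices: {x_i: [f_0(x_i), f_1(x_i), ...]}."""
    slices = {x: [] for x in range(1, n + 1)}
    for off in range(0, len(data), CHUNK):
        block = int.from_bytes(data[off:off + CHUNK], "big")
        for x, y in split(block, m, n):   # fresh polynomial per chunk
            slices[x].append(y)
    return slices


def recover_bytes(slices, length):
    """Rebuild the original bytes from any m (or more) slices."""
    out = bytearray()
    for idx, off in enumerate(range(0, length, CHUNK)):
        block = recover([(x, ys[idx]) for x, ys in slices.items()])
        out += block.to_bytes(min(CHUNK, length - off), "big")
    return bytes(out)


if __name__ == "__main__":
    slices = split_bytes(SAMPLE_CON_CKB, m=3, n=5)
    subset = {x: slices[x] for x in (1, 3, 5)}
    print(recover_bytes(subset, len(SAMPLE_CON_CKB)) == SAMPLE_CON_CKB)
```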
3 system performance testing results
Time overhead test in ,-as user using the most frequent operation of cloud storage service be upload and downloading, therefore this
Experiment makes comparison survey with regard to big data and small data using security mechanism and without using the expense of security mechanism operation data respectively
Examination.Time due to completing data manipulation every time has certain randomness, so the present invention is to the same environmental monitoring data
The same operation do altogether 10 times experiment, be averaged as a result, obtaining following table:
The time overhead of 2 small data of table compares
When uploading data [32K-128M] using security mechanism, time overhead is substantially in 13s between 60s;Using safe
When mechanism downloading data [32K-128M], time overhead is substantially in 2s between 20s.Although from can see decimal in Fig. 6-1
According to operating time multiplication, but since its radix is smaller, there is no generate for user experience for the time span increased
Excessive influence, here it is considered herein that the time overhead generated using security mechanism is that user can receive in use
's.
The security mechanism makes full use of the storage capacity of the cloud; its space overhead comes mainly from the key management of the security mechanism, for which the present invention gives a specific analysis here. When a user chooses to store environmental monitoring data D using the security mechanism, the proxy server that receives the user's request first encrypts it, and the environmental monitoring data divider splits the ciphertext into n environmental monitoring data blocks of equal size. Therefore the encryption and splitting (striping) of the environmental monitoring data itself do not add extra storage space. However, the encryption mechanism requires the system to take on the additional work of key management, which adds two kinds of key box:
First, the object key box: each container corresponds to one object key box, which is a dictionary structure { ObjectName:(key, vi, pad) } in key-value form. Each object added to the container adds one key-value pair, so the size of each object key box is proportional to the number of objects contained in its corresponding container.
Second, the container key box: each user corresponds to one container key box, which is likewise a dictionary structure { ContainerName:(key, vi, pad) } in key-value form. Each time the user creates a container, the system generates a container key and adds one key-value pair, so the size of the container key box is proportional to the number of containers the user creates. In addition, the container key box is turned into con_key_box_slices by secret sharing, and each slice has the same size as the original data con_ckb; if |con_keybox| = L_con, then the container key box needs n·L_con of storage space in total. At the same time, the space overhead spent on key management is much smaller than the data itself, which achieves the goal of making full use of the storage capacity of the cloud to provide a secure storage mechanism.
The foregoing is merely the preferred embodiments of the present invention and is not intended to limit the invention; any modifications, equivalent replacements and improvements made within the spirit and principles of the present invention shall all be included in the protection scope of the present invention.
Claims (5)
1. An environmental monitoring data secure storage method for a trusted cloud, characterized in that, in the environmental monitoring data secure storage method for a trusted cloud, each user corresponds to one con_ckb, which holds the conkeys of all containers created by that user; the user is required to provide a user password User_key to index con_ckb; the password serves as the root node of a binary tree structure, child nodes are derived downward from the root node in turn, and during derivation the left and right child nodes are each computed using the hash algorithm SHA-256; the hash values of the p-th layer are obtained as the indexes of the con_key_box_slices;
in the environmental monitoring data secure storage method for a trusted cloud, Swift uses the Ring to map object data to virtual nodes and then to storage devices, which specifically includes:
first, the data structure of the Ring: the information list of each storage device participating in the Ring, recording each storage device's devid, zone, weight, IP:port, devicename and meta; replica2part2dev_id, recording the storage device corresponding to each Partition; and part_shift, recording the shift amount of the Partition; next, object data to virtual node: the virtual node used by the Ring is called a Partition; the mapping from object data to virtual node is as follows:
md5('/account/container/object').digest())[0]>>self._part_shift;
virtual node to storage device: the mapping from Partition to storage device ensures that the amount of data stored on the storage devices is balanced; a storage device is to be found for each Partition, and the Partitions to be allocated are collected and denoted (Partition_id, replica_id); for each storage device, the number of Partitions it should receive is calculated based on its weight, and the devices are sorted from most to fewest; at the same time, for each device, the Region, Zone, IP:port and Dev_id to which it belongs are built, constructing the whole hierarchical tree.
2. The environmental monitoring data secure storage method for a trusted cloud according to claim 1, characterized in that the mapping process of the method is: for a given replica of the object data to be stored, first find the tier that stores the fewest copies of this object data; then find the hungriest storage device within that tier.
3. The environmental monitoring data secure storage method for a trusted cloud according to claim 1, characterized in that the method specifically includes: hash value K(0,1) = User_key; the first parameter i of K(i, j) denotes the level number of the binary tree, and the second parameter j denotes the index number within the i-th level; when i = x, 1 ≤ j ≤ 2^x; then:
LeftC of k(i, j) = hash(k(i, j) || (2*j) || k(i, j)) = k((i+1), (2*j));
RightC of k(i, j) = hash(k(i, j) || (2*j) || k(i, j)) = k((i+1), (2*j));
where || denotes concatenation; then, after 4 rounds of calculation, 16 index values are obtained and used as the names of the con_key_box_slice.
4. An environmental monitoring data secure storage system for a trusted cloud implementing the environmental monitoring data secure storage method for a trusted cloud according to claim 1, characterized in that the environmental monitoring data secure storage system for a trusted cloud includes: a client and a server side;
the Swiftclient_module in the client is responsible for providing the Python API and the functions of the swift command-line tool;
on the server side, the code files under the bin directory are the startup scripts of the service processes; the code files under the etc directory are the associated configuration files used by the service processes; the swift directory is the core code of the system, including the proxy service, tenant management service, container management service, object environmental monitoring data management service and common call modules.
5. The environmental monitoring data secure storage system for a trusted cloud according to claim 4, characterized in that the system is divided into three parts: client, proxy service node and storage node;
the client is deployed on the local machine of the service user, and the user operates on environmental monitoring data through the client; the proxy service node runs the proxy service, which is the window through which the server side serves the outside; it is responsible for receiving client requests, performing legitimate authentication and authorization, looking up the location of the environmental monitoring data on the storage nodes, forwarding the request to the corresponding storage node, and handling faults and failures accordingly; the storage node runs the tenant management service, container management service and object environmental monitoring data management service, which are responsible for managing and storing environmental monitoring data; daemon processes running on the storage node are responsible for guaranteeing the reliability and availability of environmental monitoring data in the system.
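The Ring lookup recited in claim 1 (object path to Partition via MD5 and part_shift, then Partition to devices via replica2part2dev_id), as an added example that is not code from the patent or from Swift. The device list, replica table, partition power and the helper `partitions_sharing_zone` are constructed for illustration, and `struct.unpack_from` is assumed for reading the first four digest bytes.

```python
import hashlib
import struct

# Constructed sample ring: 2**3 = 8 partitions, 2 replicas, 3 devices.
PART_POWER = 3
PART_SHIFT = 32 - PART_POWER          # the Ring's part_shift
DEVS = [                              # per-device info list (constructed values)
    {"devid": 0, "zone": 1, "weight": 100.0, "ip_port": "10.0.0.1:6200", "devicename": "sdb1"},
    {"devid": 1, "zone": 2, "weight": 100.0, "ip_port": "10.0.0.2:6200", "devicename": "sdb1"},
    {"devid": 2, "zone": 3, "weight": 100.0, "ip_port": "10.0.0.3:6200", "devicename": "sdb1"},
]
# replica2part2dev_id[replica][partition] -> devid
REPLICA2PART2DEV_ID = [
    [0, 1, 2, 0, 1, 2, 0, 1],
    [1, 2, 0, 1, 2, 0, 1, 2],
]


def get_part(account, container, obj, part_shift=PART_SHIFT):
    """Object path -> Partition: top bits of the first 4 bytes of the MD5 digest."""
    path = "/%s/%s/%s" % (account, container, obj)
    digest = hashlib.md5(path.encode("utf-8")).digest()
    # A production Swift cluster also mixes a secret per-cluster prefix/suffix
    # into this hash; it is left out here because the page does not describe it.
    return struct.unpack_from(">I", digest)[0] >> part_shift


def get_nodes(account, container, obj, table=REPLICA2PART2DEV_ID):
    """Partition -> storage devices, one per replica row."""
    part = get_part(account, container, obj)
    return part, [DEVS[row[part]] for row in table]


def partitions_sharing_zone(table=REPLICA2PART2DEV_ID):
    """Return partitions whose replicas land in the same zone (an isolation fault)."""
    bad = []
    for part in range(len(table[0])):
        zones = [DEVS[row[part]]["zone"] for row in table]
        if len(set(zones)) < len(zones):
            bad.append(part)
    return bad


if __name__ == "__main__":
    print(get_nodes("AUTH_env", "station-17", "pm25-2018-05-14.csv"))
    print(partitions_sharing_zone())
```

Running `partitions_sharing_zone` against a replica table after every rebalance catches placements where the loss of one zone would take out every copy of a Partition.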
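The binary hash tree of claims 1 and 3, which turns User_key into the 16 names of the con_key_box_slices, as an added example that is not code from the patent. Assumptions: the child index is concatenated as a decimal ASCII string, and the left child uses index 2*j - 1 (the formulas as printed give 2*j for both children); the function names are hypothetical.

```python
import hashlib


def child(parent, index):
    """k(i+1, index) = SHA-256(k(i, j) || index || k(i, j))."""
    # Assumption: the index is concatenated as its decimal ASCII string.
    return hashlib.sha256(parent + str(index).encode("ascii") + parent).digest()


def derive_layer(user_key, depth):
    """Return the 2**depth node values of layer `depth`, left to right."""
    layer = [user_key]                           # K(0, 1) = User_key
    for _ in range(depth):
        nxt = []
        for j, node in enumerate(layer, start=1):
            nxt.append(child(node, 2 * j - 1))   # left child (assumed index)
            nxt.append(child(node, 2 * j))       # right child, as printed
        layer = nxt
    return layer


def slice_names(user_key, depth=4):
    """Hex names under which the con_key_box_slices would be stored."""
    return [h.hex() for h in derive_layer(user_key, depth)]


if __name__ == "__main__":
    # Constructed password, for illustration only.
    for name in slice_names(b"constructed-example-password"):
        print(name)
```

Every name follows deterministically from User_key, so the secrecy of the slice locations is bounded by the entropy of the password.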
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201810453258.5A CN108683729B (en) | 2018-05-14 | 2018-05-14 | A kind of environmental monitoring data safe storage system and method towards credible cloud |
Publications (2)
Publication Number | Publication Date |
---|---|
CN108683729A (en) | 2018-10-19 |
CN108683729B (en) | 2019-06-18 |
Family
ID=63805603
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201810453258.5A Active CN108683729B (en) | 2018-05-14 | 2018-05-14 | A kind of environmental monitoring data safe storage system and method towards credible cloud |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN108683729B (en) |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||