CN109145642B - Data storage method, terminal and database based on CPK digital seal - Google Patents

Data storage method, terminal and database based on CPK digital seal Download PDF

Info

Publication number
CN109145642B
CN109145642B CN201810916478.7A CN201810916478A CN109145642B CN 109145642 B CN109145642 B CN 109145642B CN 201810916478 A CN201810916478 A CN 201810916478A CN 109145642 B CN109145642 B CN 109145642B
Authority
CN
China
Prior art keywords
file
stored
database
key
integrity code
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201810916478.7A
Other languages
Chinese (zh)
Other versions
CN109145642A (en
Inventor
南相浩
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Jinshang Bochuang Beijing Technology Co ltd
Original Assignee
Jinshang Bochuang Beijing Technology Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Jinshang Bochuang Beijing Technology Co ltd filed Critical Jinshang Bochuang Beijing Technology Co ltd
Priority to CN201810916478.7A priority Critical patent/CN109145642B/en
Publication of CN109145642A publication Critical patent/CN109145642A/en
Application granted granted Critical
Publication of CN109145642B publication Critical patent/CN109145642B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/62Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6209Protecting access to data via a platform, e.g. using keys or access control rules to a single file or object, e.g. in a secure envelope, encrypted and accessed using a key, or with access control rules appended to the object itself
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/14Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols using a plurality of keys or algorithms
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3236Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions
    • H04L9/3242Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions involving keyed hash functions, e.g. message authentication codes [MACs], CBC-MAC or HMAC
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2107File encryption

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Signal Processing (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Theoretical Computer Science (AREA)
  • Software Systems (AREA)
  • Health & Medical Sciences (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Computer Hardware Design (AREA)
  • Power Engineering (AREA)
  • General Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • Storage Device Security (AREA)

Abstract

The embodiment of the invention provides a data storage method, a terminal and a database based on a CPK digital seal, relates to the technical field of computers and software thereof, and solves the contradiction between file confidentiality and file access. The method comprises the following steps: according to a private key of a storage person and a preset file attribute of a file to be stored, obtaining a digital seal corresponding to the file to be stored, wherein the digital seal comprises an identification of the storage person, an authenticity certificate of the identification, a file name, a file category, a file integrity code and an authenticity certificate of an encryption grade of the file to be stored, the file integrity code is used for providing an integrity certificate of the file name and the digital seal, and the file to be stored and the digital seal are sent to a database together for storage. The embodiment of the invention is suitable for processing when the file is stored.

Description

Data storage method, terminal and database based on CPK digital seal
Technical Field
The invention relates to the technical field of computers and software thereof, in particular to a data storage method, a terminal and a database based on a CPK digital seal.
Background
When mass data on the internet of things are stored, two storage modes are generally available, one is a text document, and the other is a table document. Therefore, the corresponding databases are also classified into two types, a document library and a relational library.
Document management of a document library generally adopts warehouse-type management, wherein documents comprise two types: one is for archive storage only and one is for access. The best method is for the encrypted saving of documents saved in an archive. For the documents participating in the access, if the documents are stored in an encrypted manner, the access is affected, so that a method which is a non-encryption means and can ensure the security of the stored data is urgently needed.
The file name table of the relational library, a table is composed of fields (columns) and records (rows). A table includes several records and a record includes several fields. The record, the table and the field all have names, namely record name, table name and field name. The table files in the relational database are mainly used for access and statistics, so the safety of database data cannot influence the retrieval efficiency.
Disclosure of Invention
The embodiment of the invention aims to provide a data storage method, a terminal and a database based on a CPK digital seal, which protect a document by using the CPK digital seal, ensure the security of the document, facilitate the access of a user to the document and solve the contradiction between the confidentiality and the access of the document.
In order to achieve the above object, an embodiment of the present invention provides a data storage method based on a CPK digital seal, where the method is applied to a terminal, and the method includes: obtaining a digital seal corresponding to a file to be stored according to a private key of a storage person and a preset file attribute of the file to be stored, wherein the digital seal comprises an identifier of the storage person, an authenticity certificate of the identifier, a file name, a file category, a file integrity code and an authenticity certificate of an encryption grade of the file to be stored, and the file integrity code is used for providing an integrity certificate of the file name and the digital seal; and sending the file to be stored and the digital seal to a database together for storage.
Further, the sending the file to be stored and the digital seal to a database together for storage includes: encrypting the file to be stored by using a preset secret key to obtain an encrypted file to be stored; generating a corresponding file integrity code according to the encrypted file to be stored; and sending the encrypted file to be stored and the digital seal to a database for storage, wherein the file integrity code included by the digital seal is a file integrity code corresponding to the encrypted file to be stored.
Further, when the file to be stored is a private text file, encrypting the file to be stored by using the preset key to obtain an encrypted file to be stored includes: according to Ekey(data)=code1,ENCALICEObtaining the encrypted file to be stored { beta, code1}, wherein E is an encryption function of a symmetric key, ENC is an encryption function of an asymmetric key, and data is the file to be storedKey is a preset key, code1 is the encryption of the file to be stored, ALICE is the public key of the depositor, and beta is the encryption of the preset key.
Further, when the file to be stored is a public text file, the encrypting the file to be stored by using the preset key to obtain the encrypted file to be stored includes: according to
Figure BDA0001763153530000021
Figure BDA0001763153530000022
Obtaining a file key FILekey, wherein common is a preset public key, filename is the file name of the file to be stored, ROLEkey is the preset key, and the level of the preset key corresponds to the encryption level of the file to be stored; according to the encryption level and EFILEkeyAnd obtaining the encrypted file code2 to be stored, wherein E is an encryption function of a symmetric key, and file is the file to be stored 2.
Further, when the file to be stored is a table file, the encrypting the file to be stored by using the preset key to obtain the encrypted file to be stored includes: according to
Figure BDA0001763153530000031
Figure BDA0001763153530000032
Figure BDA0001763153530000033
Figure BDA0001763153530000034
Respectively obtaining a recording key RECORDkey, a field key FIELDkey and a unit key ELEMENTTkey, wherein TABLEKE is a preset table key, ROLEKEY is the preset key, the preset key corresponds to the encryption level of the file to be stored, recordname is the record name to be encrypted in the file to be stored, fiThe eldname is a field name to be encrypted in the file to be stored; and encrypting a designated position in the file to be stored by using a designated key to obtain the encrypted file to be stored, wherein the designated position comprises a record, a field and a unit of the file to be stored, and the designated key comprises a record key, a field key and a unit key corresponding to the designated position.
Further, the digital stamp also includes the encrypted name of the designated location.
Further, when the file to be stored is an encrypted text file, the generating a corresponding file integrity code according to the encrypted file to be stored includes: and obtaining a file integrity code mac1 corresponding to the encrypted file to be stored according to hash (file) 1, wherein file is the encrypted file to be stored.
Further, when the file to be stored is an encrypted table file, the generating a corresponding file integrity code according to the encrypted file to be stored includes: according to
Figure BDA0001763153530000035
Obtaining a file integrity code mac2 corresponding to the encrypted file to be stored, wherein the field isiAnd the content of the ith field in the encrypted file to be stored is obtained.
Further, before the file to be stored and the digital seal are sent to a database together for storage, the method further includes: according to SIGalice(time1)=(s1,c1)=sign1,SIGalice(DB1) (s2, c2) ═ sign2, generate a message Msg ═ { alice, time1, sign1, DB1, sign2} requesting to establish a link, where SIG is the signature function, alice is the private key of said storage person, time1 is the time of signature, DB1 is the identity of the database, s1 and s2 are signature codes, c1 and c2 are verification codes, sign1 is used for marking (s1, c1) and representing the authenticity proof of the storage person, sign2 is used for marking (s2, c2) and representing the authenticity proof of the database, alice is the identity of said storage person; sending the message requesting to establish a link to the database,a provable link is established with the database.
Further, after the file to be stored and the digital seal are sent to a database together for storage, the method further includes: after establishing a verifiable link with the database, sending an ID certificate to the database in order to access a file authorized by the ID certificate, wherein the ID certificate comprises a digital signature of a private key of a key management center on an authority attribute of an accessing person, and the authority attribute comprises an access category and an authorization level.
Correspondingly, the embodiment of the invention also provides a data storage method based on the CPK digital seal, the method is applied to a database, and the method comprises the following steps: receiving a file to be stored and a corresponding digital seal sent by a terminal, wherein the digital seal comprises an identifier of a storage person, an authenticity certificate of the identifier, and an authenticity certificate of a file name, a file category, a file integrity code and an encryption level of the file to be stored, and the file integrity code is used for providing an integrity certificate of the file name and the digital seal; verifying the authenticity of the digital seal according to the identifier of the memory person and the combination matrix; and when the digital seal is verified to be true, storing the file to be stored, and updating the library integrity code of the database according to the file integrity code.
Further, the updating the library integrity code of the database according to the file integrity code comprises: according to
Figure BDA0001763153530000041
Obtaining an updated library integrity code MAC of the databasemWherein, macmFor said file integrity code, MACm-1Is the library integrity code of the database prior to updating.
Further, after the updating the library integrity code of the database according to the file integrity code, the method further comprises: according to SIGdb1(MACm) Generating and storing a digital signature of the library integrity code (s3, c3) (sign 3), wherein SIG is a signature function and db1 isPrivate key of the database, MACmFor the updated library integrity code of the database, s3 is a signature code, c3 is a verification code, sign3 is used for marking (s3, c 3).
Further, before the file to be stored and the corresponding digital seal sent by the receiving terminal, the method further includes: receiving a message for requesting to establish a link sent by the terminal, and verifying the authenticity of a storage person and a database in the message for requesting to establish the link according to the identification of the storage person and the combined matrix; and when the depositor and the database are verified to be true, sending an authenticity certificate of the database to the terminal, and establishing a certifiable link with the terminal.
Further, the receiving a message requesting to establish a link sent by the terminal, and verifying the authenticity of the depositor and the database in the message requesting to establish a link according to the identifier of the depositor and the combination matrix comprises: receiving a message Msg (alice, time1, sign1, DB1, sign 2) requesting to establish a link sent by the terminal, wherein alice is the identity of the storage person, time1 is the signature time, DB1 is the identity of the database, sign1 is used for marking (s1, c1) and representing the authenticity proof of the storage person, sign2 is used for marking (s2, c2) and representing the authenticity proof of the database, s1 and s2 are signature codes, and c1 and c2 are verification codes; according to VERALICE(time1,s1)=c1’,VERALICE(DB1, s2) ═ c2 ', where VER is a verification function and ALICE is the public key of the depositor, and a verification code c1 ' of the depositor authenticity proof and a verification code c2 ' of the database authenticity proof are obtained, respectively; verifying if c1 is the same as c1 ', c2 is the same as c 2', respectively, and determining if the depositor and database in the message requesting to establish a link are true.
Further, after the storing the file to be stored, the method further comprises: after establishing a certifiable link with the terminal, receiving an ID certificate sent by the terminal, wherein the ID certificate comprises a digital signature of a private key of a key management center on the authority attribute of an accessor, and the authority attribute comprises an access category and an authorization level; verifying the authenticity of the ID certificate according to a public key of a key management center; when the ID certificate is verified to be true, calling a file meeting the following two conditions at the same time for the visitor to access: the file category of the file corresponds to the access category, and the encryption level of the file is lower than or equal to the authorization level.
Correspondingly, the embodiment of the invention also provides a terminal, and the terminal is used for executing the data storage method based on the CPK digital seal.
Correspondingly, the embodiment of the invention also provides a database, and the database is used for executing the data storage method based on the CPK digital seal.
According to the technical scheme, the digital seal corresponding to the file to be stored is obtained according to the private key of a storage person and the preset file attribute of the file to be stored, the digital seal comprises the identification of the storage person, the authenticity certification of the identification, the file name, the file category, the file integrity code and the authenticity certification of the encryption level of the file to be stored, and the file integrity code is used for providing the integrity certification of the file name and the digital seal; and sending the file to be stored and the digital seal to a database together for storage. The embodiment of the invention provides security guarantee for the file to be stored by using the digital seal, thereby not only ensuring the security of the file, but also being convenient for the user to access the file and solving the contradiction between the confidentiality and the access of the file. In addition, the database updates the local database integrity code according to the stored file integrity code of the file to be stored, so that the data integrity is ensured, the replacement attack is prevented, and the file can be found in time when the file is lost.
Additional features and advantages of embodiments of the invention will be set forth in the detailed description which follows.
Drawings
The accompanying drawings, which are included to provide a further understanding of the embodiments of the invention and are incorporated in and constitute a part of this specification, illustrate embodiments of the invention and together with the description serve to explain the embodiments of the invention without limiting the embodiments of the invention. In the drawings:
fig. 1 is a schematic flowchart of a data storage method based on a CPK digital seal according to an embodiment of the present invention;
fig. 2 is a schematic flow chart of another data storage method based on a CPK digital stamp according to an embodiment of the present invention.
Detailed Description
The following detailed description of embodiments of the invention refers to the accompanying drawings. It should be understood that the detailed description and specific examples, while indicating embodiments of the invention, are given by way of illustration and explanation only, not limitation.
The digital signature is the core technology of the digital seal, but not the seal. It is only meaningful to construct a seal. In the physical world, only people and organizations can stamp the red seal or press the finger print, but in the network world, the red seal and the finger print do not work, and the digital seal can only play the role of the seal. Any entity of the digital seal can have, and the authenticity of the entity can be proved only by the seal form, such as: the software has a software seal, the communication address has an address seal, the bank account has an account seal, the telephone number has a number seal, etc. The seal is the main means for proving authenticity. There are many harsh requirements for forming a seal, and the key is the length of the digital signature and the operation speed. At present, only CPK can provide the shortest signature code and the fastest operation speed, and the method has good feasibility.
The retention density is 2128Under the conditions, the comparison between the signature length and the operation speed of the three public key systems is shown in table 1:
TABLE 1
Density of keeping SM9 256 CPK 256 PKI 2048
Signature length 96-65Byte 37Byte 768Byte
Signature speed 13 unit time 1 unit time 12 unit time
Verifying speed 25 unit time 2 unit time 24 unit time
As can be seen from table 1, the ECC256 is calculated once as an operation unit, and different systems are compared. Obviously, the signature length of PKI is too long, and the operation speed of SM9 is too slow. Therefore, in the embodiment of the invention, the CPK is used for carrying out digital signature to form the digital seal, so that the security of the file to be stored is ensured, and the processing speed is not influenced.
Note that the signature length and the calculation speed of the CPK under different key lengths can be set as shown in table 2, depending on the specific case.
TABLE 2
Secret keyLength of Signature code length Signature speed Verifying speed
112 bits 12 bytes 1.05 ms/time 1.43 ms/time
160 bits 25 bytes 1.42 ms/time 1.95 ms/time
192 bits 29 bytes 1.93 ms/time 2.61 ms/time
256 bits 37 bytes 3.16 ms/time 4.22 ms/time
The files to be stored mentioned in the embodiment of the invention comprise text files to be stored and table files to be stored. The text file is composed of a single data, and the table file is composed of a plurality of independent records. The embodiment of the invention provides digital seals corresponding to text files and form files obtained based on a CPK technology, and access control, storage control and access control of a database.
In addition, the operator (including the depositor and the visitor) holds the CPK-based ID certificate. The ID certificate, which specifies the operating rights, is defined by the key management centre KMC and comprises the personnel classes and the preset keys of the corresponding classes, as shown in table 3.
TABLE 3
Figure BDA0001763153530000081
As shown in table 3, the access category is the authority of the cardholder to access the file category, the authorization level is the level of the cardholder, and there are 5 levels in total:
and 5, stage: customer level, equivalent to 'inside'
4, level: middle manager level, equivalent to 'secret'
And 3, level: high level manager level, equivalent to 'secret'
And 2, stage: used by the Party politics, corresponding to 'absolute'
Level 1: system administrator level.
In addition, zero level can be provided, and the KMC can be applied by self according to the requirements of a card holder as a non-encryption level. Thus, a cardholder with a certain authorization level can operate files with corresponding file levels, and the authorization level is downward compatible, the authorization level of Zhang III of the cardholder is 3 as shown in Table 3, which is configured with all preset keys below 3 (inclusive), and can have the right to operate files with 3,4,5 levels. The relevant contents will be described in detail below.
Example one
Fig. 1 is a schematic flow chart of a data storage method based on a CPK digital stamp according to an embodiment of the present invention. As shown in fig. 1, the method is applied to a terminal, and the method includes the following steps:
step 101, obtaining a digital seal corresponding to a file to be stored according to a private key of a storage person and a preset file attribute of the file to be stored, wherein the digital seal comprises an identifier of the storage person, an authenticity certificate of the identifier, a file name, a file category, a file integrity code and an authenticity certificate of an encryption grade of the file to be stored, and the file integrity code is used for providing an integrity certificate of the file name and the digital seal; and
and 102, sending the file to be stored and the digital seal to a database for storage.
For different types of files to be stored, when step 101 is executed, the following processing modes exist:
firstly, when the file to be stored is a text file, the obtained digital stamp is shown in table 4:
TABLE 4
Figure BDA0001763153530000101
Wherein, the corresponding digital seal two-dimensional code is:
QR1 ═ time2, a, sign4, 3, sign5, time3, B, sign6, meeting summary, sign7, personnel, sign8, year 3, sign9, mac, sign10, public, sign11, encryption level, sign12 }.
The items 3 to 11 are all signatures made by using the private key of the storage person.
Item 2, creator of said file to be stored, according to SIGaTime2, (s4, c4) sign4, which gets the creator's signature on time2, provides proof of authenticity of the creator, where SIG is the signature function (same below) and a is the private key of creator a.
Item 3, the file level is the secret attribute of the file, and is classified into 5 levels, the private network and the public network are shared, and the levels are compatible in the following steps:
and 5, stage: customer level, equivalent to 'inside'
4, level: middle manager level, equivalent to 'secret'
And 3, level: high level manager level, equivalent to 'secret'
And 2, stage: used by the Party politics, corresponding to 'absolute'
Level 1: system administrator level.
According to SIGb(3) The signature of the storage person on the file level is obtained and the authenticity proof of the file level is provided, (s5, c5) ═ sign5, wherein B is the private key of the storage person B.
Item 5, according to SIGb(time3) (s6, c6) (-sign 6), which gets the depositor's signature over time, providing proof of authenticity of the depositor.
Item 6, according to SIGb(s7, c7) sign7, which gets the depositor's signature on the filename, providing proof of authenticity of the filename.
Item 7, according to SIGb(s8, c8) sign8, which obtains the signature of the file category from the depositor and provides the authenticity proof of the file category.
Item 8, according to SIGbThe signature of the depositor on the file confidentiality period is obtained (s9, c9) ═ sign9 (3 years), and the authenticity proof of the file confidentiality period is provided.
Item 9, according to SIGb(s10, c10) sign10, which gets the depositor's signature over the file integrity code of the file, providing proof of authenticity of the file integrity code. Obtaining a file integrity code mac1 corresponding to the file to be stored according to HASH (file ') ═ mac1, where file' is the file to be stored.
Item 10, according to SIGb(common) (s11, c11) sign11, which gets the depositor's signature on the file attribute, providing a proof of authenticity of the file attribute. The file attribute has public and private use, and the private file is not open to the outside and only the creator has access right.
Item 11, according to SIGb(3) A depositor's signature over the encryption level is obtained (s12, c12) ═ sign12, which provides proof of authenticity of the encryption level. Wherein the encryption level is consistent with the file level.
Wherein s4, s5, s6, s7, s8, s9, s10, s11 and s12 are signature codes, and c4, c5, c6, c7, c8, c9, c10, c11 and c12 are verification codes.
Secondly, when the file to be stored is a table file, the digital seal shown in table 5 is generated.
Wherein, the corresponding digital seal two-dimensional code is:
QR2 ═ time4, F, sign13, 3, sign14, time5, H, sign15, statistics, sign16, capital, sign17, year 3, sign18, mac, sign19, public, sign20, encryption rank, sign21, field name 1 }.
TABLE 5
Figure BDA0001763153530000121
Wherein, the 3 rd item to the 11 th item are all the signatures of the storage persons.
Item 2, creator of said file to be stored, according to SIGfTime4, (s13, c13) sign13, gets the creator's signature on time4, providing proof of authenticity of the creator, where F is the creator's F private key.
Item 3, the file rank is the security attribute of the file, and is also classified into 5 ranks, which are the same as the security attribute in the text file, and are not described herein again.
According to SIGh(3) The signature of the storage person on the file level is obtained and the authenticity proof of the file level is provided, (s14, c14) ═ sign14, where h is the private key of the storage person.
Item 5, according to SIGh(time5) (s15, c15) (-sign 15), which gets the depositor's signature over time, providing proof of authenticity of the depositor.
Item 6, according to SIGh(s16, c16) sign16, which gets the depositor's signature on the file name and provides a proof of authenticity of the file name.
Item 7, according to SIGhThe depositor's signature on the document domain is obtained (s17, c17) sign17, which provides a proof of authenticity of the document domain.
Item 8, according to SIGhThe signature of the depositor on the file confidentiality period is obtained (s18, c18) ═ sign18 (3 years), and the authenticity proof of the file confidentiality period is provided.
Item 9, according to SIGh(s19, c19) sign19, which gets the depositor's signature over the file integrity code of the file, providing proof of authenticity of the file integrity code. Wherein, according to
Figure BDA0001763153530000131
Obtaining a file integrity code mac2 corresponding to the file to be stored, wherein the field isi' is the ith field content in the file to be stored.
Item 10, according to SIGh(common) (s20, c20) sign20, which gets the depositor's signature on the file attribute, providing a proof of authenticity of the file attribute. The file attributes include a common table and a special table.
Item 11, according to SIGh(3) A depositor's signature over the encryption level is obtained (s21, c21) ═ sign21, which provides proof of authenticity of the encryption level. Wherein the encryption level is consistent with the file level.
For the item 13 that is the label of the name of the encrypted specified location when the file to be stored is encrypted by using the preset key, the item 13 shown in table 5 is the field name 1, that is, the field name 1 is encrypted.
Wherein s13, s14, s15, s16, s17, s18, s19, s20 and s21 are signature codes, and c13, c14, c15, c16, c17, c18, c19, c20 and c21 are verification codes.
In an embodiment of the present invention, when the file to be stored and the digital seal are sent to a database together for storage, a preset secret key is used to encrypt the file to be stored to obtain an encrypted file to be stored, after the file to be stored is encrypted, a file integrity code in the digital seal needs to be modified, that is, a corresponding file integrity code is generated according to the encrypted file to be stored, and then the encrypted file to be stored and the digital seal are sent to the database together for storage, at this time, the file integrity code included in the digital seal is a file integrity code corresponding to the encrypted file to be stored.
Aiming at different types of files to be stored, when the files to be stored are encrypted, the following processing modes are available:
first, when the file to be stored is a private text file, the file is pre-storedSetting a key to encrypt the file to be stored, and when the encrypted file to be stored is obtained, encrypting the file by using a public key of a depositor, for example, the depositor defines a preset key by key rG and according to Ekey(data)=code1,ENCALICEAnd (key) ═ beta, obtaining the encrypted file to be stored { beta, code1}, wherein E is an encryption function of a symmetric key, ENC is an encryption function of an asymmetric key, data is the file to be stored, key is the preset key, code1 is the encryption of the file to be stored, ALICE is the public key of the depositor, and beta is the encryption of the preset key.
Second, when the document to be stored is a public text document, the public scope includes a public scope of a private network and a public scope of a public network for the public text document. The private network is provided with a preset public key common 1 and the public network is provided with a preset public key common 2, both of which are given in the ID certificate held by the depositor. When the file to be stored is encrypted by using a preset secret key to obtain the encrypted file to be stored, the preset secret key is used for encrypting the file to be stored according to the file to be stored
Figure BDA0001763153530000141
Figure BDA0001763153530000142
Obtaining a file key FILekey, and then according to EFILEkey(file) code2, obtaining the encrypted file code2 to be stored. Where common is a preset public key, whether the preset public key is common 1 or common 2 may be determined according to whether the actual type of network is a private network or a public network. filename is the filename of the file to be stored, the route is the preset key, the level of the preset key corresponds to the encryption level of the file to be stored, for example, if the encryption level of the file to be stored is 3 levels, the level of the preset key is 3 levels. In addition, E is an encryption function of the symmetric key, and file is the file to be stored.
Thirdly, when the file to be stored is a table file, encrypting the file to be stored by using a preset key to obtain an encrypted file to be stored, and encrypting the file to be stored by using a grouped key with variable width, for example:
according to
Figure BDA0001763153530000151
Figure BDA0001763153530000152
Figure BDA0001763153530000153
Respectively obtaining a recording key RECORDkey, a field key FIELDkey and a unit key ELEMENTTkey, and then encrypting a specified position in the file to be stored by using a specified key to obtain the encrypted file to be stored, wherein the specified position comprises the record, the field and the unit of the file to be stored, and the specified key comprises the recording key, the field key and the unit key corresponding to the specified position.
The method comprises the steps that a TABLEKE is a preset table key, a ROLEKEY is the preset key, the preset key corresponds to the encryption level of a file to be stored, a recordname is a record name to be encrypted in the file to be stored, and a fieldname is a field name to be encrypted in the file to be stored. The preset table key is also given by an ID certificate held by the depositor.
After the file to be stored is encrypted, an encryption system, such as the encryption of a grouping key with a fixed width of a text file and the encryption of a grouping key with a variable width of a table file, can be indicated in a corresponding digital seal. In addition, the digital stamp corresponding to the table file to be stored may further include the name of the encrypted designated location, for example, when a record in the table file to be stored is encrypted, the record name is recorded in the digital stamp.
After the file to be stored is encrypted, the corresponding number of the file to be stored is correspondingly modifiedThe file integrity code in the word seal, that is, the corresponding file integrity code is generated according to the encrypted file to be stored, and the generation manner is the same as the file integrity code before encryption, for example, when the file to be stored is an encrypted text file, the file integrity code mac1 corresponding to the encrypted file to be stored is obtained according to hash (file) 1, where file is the encrypted file to be stored. In addition, when the file to be stored is an encrypted table file, the method is based on
Figure BDA0001763153530000161
Obtaining a file integrity code mac2 corresponding to the encrypted file to be stored, wherein the field isiAnd the content of the ith field in the encrypted file to be stored is obtained.
In another embodiment of the present invention, before the file to be stored and the digital seal are sent to a database together for storage, an authenticable link between the terminal and the database needs to be established. E.g. according to SIGalice(time1)=(s1,c1)=sign1,SIGalice(DB1) (s2, c2) ═ sign2, a message Msg ═ { alice, time1, sign1, DB1, sign2} is generated requesting to establish a link, where SIG is the signature function, alice is the private key of said storage person, time1 is the time of signature, DB1 is the identity of the database, s1 and s2 are signature codes, c1 and c2 are verification codes, sign1 is used for marking (s1, c1) and representing the proof of authenticity of the storage person, sign2 is used for marking (s2, c2) and representing the proof of authenticity of the database, alice is the identity of said storage person. And then the message requesting for establishing the link is sent to the database, after the database verifies that the message requesting for establishing the link is true, the database sends the authenticity certificate of the message, and after the verification of the terminal is obtained, the terminal and the database establish a provable link. For example, the database sends { db1, time6, sign22} to the terminal, where sign22 is used for a marker (s22, c22) representing the proof of authenticity of the database. Then the terminal is according to VERDB1(time6, s22) ═ c22 ', when the terminal verifies that c22 and c22 ' are the same, then the terminal and the terminal verify that c22 and c22 ' are the sameThe database establishes a provable link.
In another embodiment of the present invention, for the access control of the database, after the terminal establishes the certifiable link with the database, the terminal may send an ID certificate held by the visitor to the database so as to access the file authorized by the ID certificate, wherein the ID certificate includes a digital signature of a private key of a key management center on an authority attribute of the visitor, and the authority attribute includes an access category and an authorization level.
Through the embodiment, the encryption control of the file to be stored and the verifiable link between the terminal and the database are realized at one end of the terminal, and the security of the file in transmission is ensured. In addition, a file integrity code is provided, so that the loss of the file can be timely discovered, the integrity of the file is ensured, and replacement attack and data theft are prevented.
Example two
Correspondingly, fig. 2 is a schematic flow chart of a data storage method based on a CPK digital seal according to an embodiment of the present invention. As shown in fig. 2, the method is applied to a database, and the method comprises the following steps:
step 201, receiving a file to be stored and a corresponding digital seal sent by a terminal, wherein the digital seal comprises an identifier of a storage person, an authenticity certificate of the identifier, and an authenticity certificate of a file name, a file category, a file integrity code and an encryption grade of the file to be stored, and the file integrity code is used for providing an integrity certificate of the file name and the digital seal;
step 202, verifying the authenticity of the digital seal according to the identifier of the memory person and the combination matrix; and
and 203, when the digital seal is verified to be true, storing the file to be stored, and updating the library integrity code of the database according to the file integrity code.
The method comprises the steps that a storage person identifier and a creator identifier can be obtained according to a received digital seal or a two-dimensional code of the digital seal, and a public key of the storage person and a public key of the creator can be obtained according to a combined matrix, the storage person identifier and the creator identifier. The authenticity of the file attribute of the file to be stored in the digital stamp two-dimensional code QR1 or QR2 can be verified by utilizing the public key of the creator and the public key of the storage person.
When the received digital seal two-dimensional code is QR1, namely the received file to be stored is a text file,
according to VERA(time2,s4)=c4’,
VERB(3,s5)=c5’,
VERB(time3,s6)=c6’,
VERB(conference summary, s7) ═ c 7',
VERB(personnel, s8) ═ c 8',
VERB(3 years, s9) ═ c 9',
VERB(mac,s10)=c10’,
VERB(common, s11) ═ c 11',
VERB(3,s12)=c12’,
and if the verification codes of the authenticity proofs obtained above are verified, determining that the file attribute of the file to be stored is true, and storing the file to be stored. And otherwise, if the file attribute of the file to be stored is determined not to be true, the file to be stored is not stored.
When the received digital seal two-dimensional code is QR2, namely the received file to be stored is a table file,
according to VERF(time4,s13)=c13’,
VERH(3,s14)=c14’,
VERH(time5,s15)=c15’,
VERH(s 16) ═ c 16',
VERH(capital, s17) ═ c 17',
VERH(3 years, s18) ═ c 18',
VERH(mac,s19)=c19’,
VERH(public, s20) ═ c20’,
VERH(3,s21)=c21’,
And similarly, if the verification codes of the authenticity proofs obtained above are verified, determining that the file attribute of the file to be stored is true, and adding the table file into the locally stored table file in the database. And if the file attribute of the file to be stored is not determined to be true, the file to be stored is not stored.
In addition, if the file to be stored is an encrypted file, the file is directly stored in an encrypted form when being stored in the database, so that the security of the file in the database can be further ensured.
In addition, as the file is newly stored, the library integrity code of the database is updated according to the file integrity code. According to
Figure BDA0001763153530000181
Obtaining an updated library integrity code MAC of the databasemWherein, macmFor said file integrity code, MACm-1Is the library integrity code of the database prior to updating.
As shown in table 6, the correspondence between the file integrity codes and the library integrity codes stored in the database is provided.
Therefore, when the condition that whether the files stored in the database are lost or not is verified, the file integrity codes of the stored files can be linearly summed according to the storage sequence, and if the file j is lost, the calculation is carried out
Figure BDA0001763153530000192
And then judging whether the MAC 'is equal to the MACj +1, if so, indicating that the files from 1 to j +1 are not lost, and then continuously pushing backwards until the MAC' which is not equal to the recorded library integrity code is solved. If they are not equal, because
Figure BDA0001763153530000193
So the missing file is known as file j. For theThe text files stored in the database may determine whether there is a file loss based on the above derivation.
TABLE 6
Figure BDA0001763153530000191
For table files stored in a database, the possibility is provided for tracing and recovering lost records, since the file integrity code of a table is a linear sum of the record integrity codes. Take the bank billing shown in table 7 as an example:
TABLE 7
Payment party Cashier's party Amount of money mac MAC Balance of money
Record 1 Client1 Client2 RMB512 mac1 MAC1 Balance 1
Record 2 Client1 mac2 MAC2 Balance 2
Record 3 Client1 Client3 RMB600 mac3 MAC3 Balance 3
Assuming that record 2 is lost, then
Figure BDA0001763153530000201
While MAC' ≠ MAC3 because
Figure BDA0001763153530000202
Therefore, the lost record is known as record 2, and the amount of the record 2 can be obtained from the difference between the balances.
In addition, since the file integrity code in the table is the linear sum of the contents of the fields, taking the above table 7 as an example, an equation can be established:
Figure BDA0001763153530000203
in the above equation, if only the payee is unknown, it is obtained directly by solving the equation, and the lost record is recovered. If there are multiple unknowns, then a certain amount of exhaustion is required.
According to the embodiment, the table file is constructed in the form of the certification chain, the complete certification chain can recover lost data while the integrity of the data is protected, and the range of the event to be searched is greatly reduced.
In addition, to ensure the authenticity of the library integrity code, the library integrity code may also be digitally signed. For example, after the updating of the library integrity code of the database according to the file integrity code, according to SIGdb1(MACm) Generating and storing a digital signature of the library integrity code (s3, c3) (sign 3), wherein SIG is a signature function, db1 is a private key of the database, MACmFor the updated library integrity code of the database, s3 is a signature code, c3 is a verification code, sign3 is used for marking (s3, c 3).
Wherein the updated library integrity code and the digital signature on the updated library integrity code may be stored in a separate area in the database. For a table file stored in the database, an updated library integrity code and a digital signature of the updated library integrity code may be stored at the end of the table file.
In an embodiment of the present invention, before the database receives the file to be stored and the corresponding digital stamp sent by the terminal, a message requesting to establish a link sent by the terminal is received, the authenticity of the storage person and the database in the message requesting to establish a link is verified according to the identifier of the storage person and the combination matrix, and then when the storage person and the database are verified to be authentic, an authenticity certificate of the database is sent to the terminal, and a provable link is established with the terminal. And when the depositor and the database are verified not to be true, the database cannot be linked with the terminal.
Receiving a message Msg (alice, time1, sign1, DB1, sign 2) sent by the terminal and requesting to establish a link, wherein alice is the identity of the storage person, time1 is the signature time, DB1 is the identity of the database, sign1 is used for marking (s1, c1) and represents the authenticity proof of the storage person, and sign2 is used for marking (s2, c2)) And representing proof of authenticity of the database, s1 and s2 are signature codes, and c1 and c2 are verification codes. According to VERALICE(time1,s1)=c1’,VERALICE(DB1, s2) ═ c2 ', where VER is a verification function and ALICE is the public key of the depositor, and the verification code c1 ' of the depositor authenticity proof and the verification code c2 ' of the database authenticity proof are obtained, respectively. Then verify if c1 is the same as c1 ', c2 is the same as c 2', respectively, and determine if the depositor and database in the message requesting to establish a link are true. When the depositor and the database are verified to be true, { db1, time6 and sign22} are sent to the terminal, wherein sign22 is used for marking (s22, c22) to represent authenticity proof of the database, and after the terminal verifies that the database is true, the database and the terminal establish provable link.
In another embodiment of the present invention, after the database establishes the certifiable link with the terminal, the database receives an ID certificate sent by the terminal, where the ID certificate includes a digital signature of a private key of a key management center on an authority attribute of an accessing person, and the authority attribute includes an access category and an authorization level. The database verifies the authenticity of the ID certificate according to a public key of a key management center, and calls a file meeting the following two conditions simultaneously for the visitor to access when the ID certificate is verified to be true: the file category of the file corresponds to the access category, and the encryption level of the file is lower than or equal to the authorization level.
Wherein the ID certificate received by the database is QR3 ═ time, KMC, sign23, Zhang three, sign24, personnel, sign25, role3, sign26}, wherein, time is the signing time, KMC is the identification of the key management center, sign23 is used for marking (s23, c23), which represents the signature of the key management center to the time, Zhang III is the visitor, namely, a cardholder, sign24 is used for marking (s24, c24) to indicate the signature of the key management center on Zhang III, personnel is the access category of the ID certificate, sign25 is used for marking (s25, c25) to indicate the signature of the key management center on the access category, role3 is the level 3 authorization level, i.e., files having an encryption level less than or equal to the authorization level, sign26 is used to mark (s24, c24), indicating the signature of the authorization level by the key management center, in addition, s23, s24, s25 and s26 are signature codes, and c23, c24, c25 and c26 are verification codes.
The database obtains the public key of the key management center according to the identification and the combined matrix of the key management center, and then obtains the public key of the key management center according to the VERKMC(time,s23)=c23’,VERKMC(Zhangthree, s24) ═ c 24', VERKMC(personnel, s25) ═ c 25', VERKMC(role3, s26) ═ c26 ', a verification code is obtained, and whether c23 and c23 ', c24 and c24 ', c25 and c25 ', and c26 and c26 ' are the same or not is verified respectively, if the verification codes are the same, the ID certificate is verified to be true, and a file meeting the following two conditions at the same time is called for the visitor to access: the file category of the file corresponds to the access category, and the encryption level of the file is lower than or equal to the authorization level. If the access category of the ID certificate is personnel and the authorization level is 3 levels, the file category is called as personnel, and files with the levels of 3,4 and 5 are encrypted. In addition, if the file attribute in the file is public, the visitor can access the file, if the file attribute is private, only the creator is allowed to access the file, and if the visitor is not the creator of the file, the visitor cannot access the private file.
Through the embodiment, after the database receives the file to be stored and the corresponding digital seal sent by the terminal, the authenticity of the digital seal is verified according to the identifier of the storage person and the combination matrix, after the verification is passed, the file to be stored is directly stored locally, and the database integrity code of the database is updated according to the file integrity code. The security of the files stored in the database is guaranteed. In addition, the library integrity code of the database is updated according to the file integrity code, so that the file loss in the database can be found in time, and the library integrity code in the database forms a complete certification chain to prevent replacement attack and data theft.
Correspondingly, the embodiment of the invention also provides a terminal, and the terminal is used for executing the data storage method based on the CPK digital seal applied to the terminal.
Correspondingly, the embodiment of the invention also provides a database, wherein the database is used for executing the data storage method based on the CPK digital seal applied to the database.
Although the embodiments of the present invention have been described in detail with reference to the accompanying drawings, the embodiments of the present invention are not limited to the details of the above embodiments, and various simple modifications can be made to the technical solutions of the embodiments of the present invention within the technical idea of the embodiments of the present invention, and the simple modifications all belong to the protection scope of the embodiments of the present invention.
It should be noted that the various features described in the above embodiments may be combined in any suitable manner without departing from the scope of the invention. In order to avoid unnecessary repetition, the embodiments of the present invention do not describe every possible combination.
Those skilled in the art will understand that all or part of the steps in the method according to the above embodiments may be implemented by a program, which is stored in a storage medium and includes several instructions to enable a single chip, a chip, or a processor (processor) to execute all or part of the steps in the method according to the embodiments of the present application. And the aforementioned storage medium includes: a U-disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk, and other various media capable of storing program codes.
In addition, any combination of various different implementation manners of the embodiments of the present invention is also possible, and the embodiments of the present invention should be considered as disclosed in the embodiments of the present invention as long as the combination does not depart from the spirit of the embodiments of the present invention.

Claims (14)

1. A data storage method based on a CPK digital seal is characterized in that the method is applied to a terminal and comprises the following steps:
according to a private key of a storage person and a preset file attribute of a file to be stored, obtaining a digital seal corresponding to the file to be stored, wherein the digital seal comprises an identifier of the storage person, an authenticity certificate of the identifier, a file name, a file category, a file integrity code and an authenticity certificate of an encryption grade of the file to be stored, the file integrity code is used for providing an integrity certificate of the file name and the digital seal, is also used for judging whether the file is lost or not, and can also be used for recovering lost contents in a form file; and
sending the file to be stored and the digital seal to a database for storage,
wherein, the sending the file to be stored and the digital seal to a database together for storage comprises:
encrypting the file to be stored by using a preset secret key to obtain an encrypted file to be stored;
generating a corresponding file integrity code according to the encrypted file to be stored;
sending the encrypted file to be stored and the digital seal to a database for storage, wherein the file integrity code included by the digital seal is a file integrity code corresponding to the encrypted file to be stored,
when the file to be stored is a text file, the generating a corresponding file integrity code according to the encrypted file to be stored includes:
obtaining a file integrity code mac1 corresponding to the encrypted file to be stored according to hash (file) 1, wherein file is the encrypted file to be stored;
when the file to be stored is a table file, the generating a corresponding file integrity code according to the encrypted file to be stored includes:
according to
Figure FDA0002699403730000011
Obtaining a file integrity code mac2 corresponding to the encrypted file to be stored, wherein the field isiFor the ith in the encrypted file to be storedThe contents of the fields.
2. The method according to claim 1, wherein when the file to be stored is a private text file, the encrypting the file to be stored by using the preset key to obtain the encrypted file to be stored comprises:
according to Ekey(data)=code1,ENCALICEAnd (key) ═ beta, obtaining the encrypted file to be stored { beta, code1}, wherein E is an encryption function of a symmetric key, ENC is an encryption function of an asymmetric key, data is the file to be stored, key is a preset key, code1 is the encryption of the file to be stored, ALICE is the public key of the storage person, and beta is the encryption of the preset key.
3. The method according to claim 1, wherein when the file to be stored is a public text file, the encrypting the file to be stored by using the preset key to obtain the encrypted file to be stored comprises:
according to
Figure FDA0002699403730000021
Obtaining a file key FILekey, wherein common is a preset public key, filename is the file name of the file to be stored, ROLEkey is the preset key, and the level of the preset key corresponds to the encryption level of the file to be stored;
according to EFILEkeyAnd obtaining the encrypted file code2 to be stored, wherein E is an encryption function of a symmetric key, and file is the file to be stored 2.
4. The method according to claim 1, wherein when the file to be stored is a table file, the encrypting the file to be stored by using the preset key to obtain the encrypted file to be stored comprises:
according to
Figure FDA0002699403730000022
Figure FDA0002699403730000023
Figure FDA0002699403730000024
Respectively obtaining a recording key RECORDkey, a field key FIELDkey and a unit key ELEMENTTkey, wherein TABLEKE is a preset table key, ROLEKEY is the preset key, the preset key corresponds to the encryption grade of the file to be stored, recordname is the record name to be encrypted in the file to be stored, and fieldname is the field name to be encrypted in the file to be stored;
and encrypting a designated position in the file to be stored by using a designated key to obtain the encrypted file to be stored, wherein the designated position comprises a record, a field and a unit of the file to be stored, and the designated key comprises a record key, a field key and a unit key corresponding to the designated position.
5. The method according to claim 4, wherein the digital stamp further includes a name of the encrypted specified location.
6. The method according to claim 1, wherein before said transmitting said file to be stored and said digital seal together to a database for storage, said method further comprises:
according to SIGalice(time1)=(s1,c1)=sign1,SIGalice(DB1) (s2, c2) ═ sign2, message Msg ═ { Alice, time1, sign1, DB1, sign2} is generated requesting to establish a link, where SIG is the signature function, Alice is the private key of the storage person, time1 is the time of signature, DB1 is the identity of the database, s1 and s2 are signature codes, c1 and c2 are verification codes, sign1 is used for marking (s1, c1) and represents the proof of authenticity of the storage person, sign2 is used for marking ═ 1, (c 1) is used for marking the proof of authenticity of the storage persons2, c2) and represents a proof of authenticity of the database, Alice being the identity of said depositor;
and sending the message requesting to establish the link to the database, and establishing a verifiable link with the database.
7. The method according to claim 1, wherein after said transmitting said file to be stored and said digital seal together to a database for storage, said method further comprises:
after establishing a verifiable link with the database, sending an ID certificate to the database in order to access a file authorized by the ID certificate, wherein the ID certificate comprises a digital signature of a private key of a key management center on an authority attribute of an accessing person, and the authority attribute comprises an access category and an authorization level.
8. A data storage method based on a CPK digital seal is characterized in that the method is applied to a database, and the method comprises the following steps:
receiving a file to be stored and a corresponding digital seal sent by a terminal, wherein the digital seal comprises an identifier of a storage person, an authenticity certificate of the identifier, a file name, a file category, a file integrity code and an encryption grade authenticity certificate of the file to be stored, the file integrity code is a file integrity code corresponding to the encrypted file to be stored, is used for providing an integrity certificate of the file name and the digital seal, is also used for judging whether the file is lost or not, and can also be used for recovering lost contents in a form file,
wherein, when the stored file is a text file, the file integrity code mac1 is obtained according to hash (file) mac1, wherein file is the encrypted stored file,
when the stored file is a table file, the file integrity code mac2 is based on
Figure FDA0002699403730000041
Obtained by a process of field iniAfter the encryptionThe ith field content in the storage file;
verifying the authenticity of the digital seal according to the identifier of the memory person and the combination matrix; and
when the digital seal is verified to be true, the file to be stored is stored, and the library integrity code of the database is updated according to the file integrity code,
wherein updating the library integrity code of the database according to the file integrity code comprises:
according to
Figure FDA0002699403730000042
Obtaining an updated library integrity code MAC of the databasemWherein, macmFor said file integrity code, MACm-1A library integrity code for the database prior to updating;
performing linear summation on file integrity codes of the stored files according to the storage sequence of the files in the database, and verifying whether the files stored in the database are lost or not;
for the table file stored in the database, based on the fact that the file integrity code in the table is the linear sum of the contents of the fields, whether each record has a loss condition is determined according to the linear sum of the contents of the fields in each record, and the lost record is recovered by utilizing the linear sum of the contents of the fields in each record.
9. The method of claim 8, wherein after said updating the library integrity code of the database in accordance with the file integrity code, the method further comprises:
according to SIGdb1(MACm) Generating and storing a digital signature of the library integrity code (s3, c3) (sign 3), wherein SIG is a signature function, db1 is a private key of the database, MACmFor the updated library integrity code of the database, s3 is a signature code, c3 is a verification code, sign3 is used for marking (s3, c 3).
10. The method according to claim 8, wherein before the file to be stored and the corresponding digital stamp sent by the receiving terminal, the method further comprises:
receiving a message for requesting to establish a link sent by the terminal, and verifying the authenticity of a storage person and a database in the message for requesting to establish the link according to the identification of the storage person and the combined matrix;
and when the depositor and the database are verified to be true, sending an authenticity certificate of the database to the terminal, and establishing a certifiable link with the terminal.
11. The method according to claim 10, wherein the receiving the message requesting to establish the link sent by the terminal, and verifying the authenticity of the depositor and the database in the message requesting to establish the link according to the identification of the depositor and the combination matrix comprises:
receiving a message Msg (Alice, time1, sign1, DB1, sign 2) requesting to establish a link sent by the terminal, wherein Alice is the identity of the storage person, time1 is the signature time, DB1 is the identity of the database, sign1 is used for marking (s1, c1) and representing the authenticity proof of the storage person, sign2 is used for marking (s2, c2) and representing the authenticity proof of the database, s1 and s2 are signature codes, and c1 and c2 are verification codes;
according to VERALICE(time1,s1)=c1’,VERALICE(DB1, s2) ═ c2 ', where VER is a verification function and ALICE is the public key of the depositor, and a verification code c1 ' of the depositor authenticity proof and a verification code c2 ' of the database authenticity proof are obtained, respectively;
verifying if c1 is the same as c1 ', c2 is the same as c 2', respectively, and determining if the depositor and database in the message requesting to establish a link are true.
12. The method of claim 8, wherein after said storing the file to be stored, the method further comprises:
after establishing a certifiable link with the terminal, receiving an ID certificate sent by the terminal, wherein the ID certificate comprises a digital signature of a private key of a key management center on the authority attribute of an accessor, and the authority attribute comprises an access category and an authorization level;
verifying the authenticity of the ID certificate according to a public key of a key management center;
when the ID certificate is verified to be true, calling a file meeting the following two conditions at the same time for the visitor to access:
the file category of the file corresponds to the access category, an
The encryption level of the file is lower than or equal to the authorization level.
13. A terminal, characterized in that the terminal is used for executing the data storage method based on the CPK digital stamp according to any one of claims 1 to 7.
14. A database for executing the CPK digital stamp-based data storage method according to any one of claims 8 to 12.
CN201810916478.7A 2018-08-13 2018-08-13 Data storage method, terminal and database based on CPK digital seal Active CN109145642B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201810916478.7A CN109145642B (en) 2018-08-13 2018-08-13 Data storage method, terminal and database based on CPK digital seal

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201810916478.7A CN109145642B (en) 2018-08-13 2018-08-13 Data storage method, terminal and database based on CPK digital seal

Publications (2)

Publication Number Publication Date
CN109145642A CN109145642A (en) 2019-01-04
CN109145642B true CN109145642B (en) 2020-11-10

Family

ID=64792749

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201810916478.7A Active CN109145642B (en) 2018-08-13 2018-08-13 Data storage method, terminal and database based on CPK digital seal

Country Status (1)

Country Link
CN (1) CN109145642B (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101427234A (en) * 2006-04-21 2009-05-06 微软公司 Peer-to-peer contact exchange
CN101894238A (en) * 2010-08-09 2010-11-24 中国人民解放军海军工程大学 Double authentication-based word document electronic seal system and method
CN102236766A (en) * 2011-05-10 2011-11-09 桂林电子科技大学 Security data item level database encryption system
CN108122098A (en) * 2018-01-10 2018-06-05 晋商博创(北京)科技有限公司 Digital coin systems, method of payment and terminal based on CPK

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
AU2003210625A1 (en) * 2002-01-22 2003-09-02 Digimarc Corporation Digital watermarking and fingerprinting including symchronization, layering, version control, and compressed embedding

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101427234A (en) * 2006-04-21 2009-05-06 微软公司 Peer-to-peer contact exchange
CN101894238A (en) * 2010-08-09 2010-11-24 中国人民解放军海军工程大学 Double authentication-based word document electronic seal system and method
CN102236766A (en) * 2011-05-10 2011-11-09 桂林电子科技大学 Security data item level database encryption system
CN108122098A (en) * 2018-01-10 2018-06-05 晋商博创(北京)科技有限公司 Digital coin systems, method of payment and terminal based on CPK

Also Published As

Publication number Publication date
CN109145642A (en) 2019-01-04

Similar Documents

Publication Publication Date Title
CN107342867B (en) Signature verification method and device
JP6995762B2 (en) Cryptographic methods and systems for the secure extraction of data from the blockchain
CN1161922C (en) Document authentication system and method
EP3701668B1 (en) Methods for recording and sharing a digital identity of a user using distributed ledgers
CN109583219A (en) A kind of data signature, encryption and preservation method, apparatus and equipment
CN108737374A (en) The method for secret protection that data store in a kind of block chain
CN108009445B (en) Semi-centralized trusted data management system
CN112866990B (en) Conditional identity anonymous privacy protection public auditing method with incentive mechanism
CN109447809A (en) A kind of video active identification method of combination block chain
Li et al. A Blockchain‐Based Public Auditing Protocol with Self‐Certified Public Keys for Cloud Data
CN104182525A (en) Electronic record management device applying multimedia files with copyright protection function and applying state encryption algorithm
CN113343255A (en) Data interaction method based on privacy protection
CN113761578A (en) Document true checking method based on block chain
CN111159774B (en) Decentralized intelligent contract escrow wallet method and system
CN113065151A (en) Relational database information security enhancement method, system, terminal and storage medium
CN102833239B (en) Method for implementing nesting protection of client account information based on network identity
CN109145642B (en) Data storage method, terminal and database based on CPK digital seal
CN114169888B (en) Universal type cryptocurrency custody method supporting multiple signatures
CN116069856A (en) Data integrity verification method and system based on blockchain
CN112332989B (en) Method and device for encrypting and decrypting electronic bill based on related party
Chen et al. Adjacency‐Hash‐Table Based Public Auditing for Data Integrity in Mobile Cloud Computing
CN111861688B (en) Electronic tax registration method and system based on blockchain
CN116830181A (en) Service providing system
Yuan et al. Blockchain‐Based Self‐Auditing Scheme with Batch Verification for Decentralized Storage
Trivedi et al. Digitally signed document chain (DSDC) blockchain

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant