CN109190410B - Log behavior auditing method based on block chain in cloud storage environment - Google Patents
Log behavior auditing method based on block chain in cloud storage environment Download PDFInfo
- Publication number
- CN109190410B CN109190410B CN201811126706.7A CN201811126706A CN109190410B CN 109190410 B CN109190410 B CN 109190410B CN 201811126706 A CN201811126706 A CN 201811126706A CN 109190410 B CN109190410 B CN 109190410B
- Authority
- CN
- China
- Prior art keywords
- user
- data
- intelligent contract
- data file
- cloud storage
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
Images
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/62—Protecting access to data via a platform, e.g. using keys or access control rules
- G06F21/6218—Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
- G06F21/6272—Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database by registering files or documents with a third party
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/62—Protecting access to data via a platform, e.g. using keys or access control rules
- G06F21/6218—Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
- G06F21/6245—Protecting personal data, e.g. for financial or medical purposes
Landscapes
- Engineering & Computer Science (AREA)
- Theoretical Computer Science (AREA)
- Health & Medical Sciences (AREA)
- Bioethics (AREA)
- General Health & Medical Sciences (AREA)
- Computer Hardware Design (AREA)
- Databases & Information Systems (AREA)
- Computer Security & Cryptography (AREA)
- Software Systems (AREA)
- Physics & Mathematics (AREA)
- General Engineering & Computer Science (AREA)
- General Physics & Mathematics (AREA)
- Medical Informatics (AREA)
- Storage Device Security (AREA)
- Management, Administration, Business Operations System, And Electronic Commerce (AREA)
Abstract
The invention discloses a block chain-based log behavior auditing method in a cloud storage environment, wherein each interface required in the method flow is compiled by an intelligent contract, so that both sides can not deny the behavior of the interfaces, and the log record in a block chain network is completely credible. And when an audit requirement exists, an audit interface of the intelligent contract is called, and the intelligent contract checks the log record and returns the result to the user who makes the request. According to the cloud log storage method, the cloud log storage is transferred from the cloud storage provider to the block chain, and the safety and the integrity of log data are guaranteed by the characteristics of decentralization, distrust, high reliability and the like of the block chain; the block chain network provides a read-write interface and an audit structure of the log by using an intelligent contract, and a data access flow is designed aiming at the interaction between a user and a cloud service provider, so that the log can be completely recorded on the block chain network by both the user and a cloud storage, and the log record cannot be denied or tampered.
Description
Technical Field
The invention belongs to the technical field of cloud storage safety, and particularly relates to a block chain-based log behavior auditing method in a cloud storage environment.
Background
A public auditing service utilizing cloud data storage may allow users to turn to an independent Third Party Auditor (TPA) when outsourced data needs to be reviewed. The TPA has professional knowledge and ability which are not possessed by a user, and can periodically audit the integrity of all data stored in the cloud storage server on behalf of the user, so that a simpler and more economic mode is provided for the user, and the data can be correctly stored in the cloud. In addition, besides helping users to evaluate the risk of the ordered cloud storage service, the auditing result of the TPA also helps cloud storage providers to improve the cloud-based service platform, and even can realize independent arbitration purpose by using the TPA. In sum, public auditing services will play an important role in this emerging cloud storage field and may become an important way to establish a trust relationship between users and cloud storage providers.
Whether the data owner or the ordinary user relies on a trusted third party for authentication and authorization, but some security problems such as data leakage and tampering which frequently occur in recent years are enough to show that: trusted third parties are not always trustworthy and may sell secure information such as the user's data or access controls for the benefit of the third party. On the other hand, the user may maliciously declare data loss and ask the service provider for high compensation. The lack of trust between the cloud storage platform and the user has influenced the development of the cloud storage technology, and new methods and new technical means are needed to solve the current problems.
At present, most of research on cloud data auditing is about data integrity, the research on cloud data operation behavior auditing is less, the operation behavior auditing based on log records is greatly helpful for confirming responsibility attribution, tracing user data, limiting illegal operation and the like, and the trust problem between a user and a cloud storage provider can be effectively relieved.
Disclosure of Invention
Aiming at the defects of the prior art, the cloud data auditing method and device aim to solve the technical problems that cloud data auditing depends on a third party and the auditing of cloud data operation behaviors is lacked in the prior art.
In order to achieve the above object, in a first aspect, an embodiment of the present invention provides a block chain-based log behavior auditing method in a cloud storage environment, where the method includes:
s1, a data owner and a cloud service provider negotiate an intelligent contract together, the intelligent contract is deployed on a block chain network, if the deployment is successful, the step S2 is carried out, and if not, the operation is finished;
s2, for a data owner, after uploading a data file to a cloud storage server, calling an intelligent contract to add a log record to a block chain network;
s3, for a common user, calling an intelligent contract to input operation request information to be performed on the data file on the cloud storage server, returning the intelligent contract to the metadata information of the data file of the common user, and turning to the step S4;
s4, the common user initiates an operation request to the cloud storage server and sends a log record according to the operation request information and the metadata information, judges whether the operation request is a read operation request or a write operation request, and if the operation request is the write operation request, the step S5 is carried out; if the request is a read operation request, go to step S6;
s5, the cloud storage provider calls an intelligent contract to authenticate the log record, executes corresponding write-in operation according to the write-in operation request after receiving feedback that the intelligent contract agrees with the write-in operation request, and calls the intelligent contract to add the log record to the blockchain network;
s6, the cloud storage provider calls an intelligent contract to authenticate the log record, after feedback that the intelligent contract agrees to the read operation request is received, corresponding read operation is executed according to the read operation request, the requested data file is returned to a common user, the intelligent contract is called to add the log record to the block chain network, and the step S7 is carried out;
and S7, when the data file returned by the cloud storage server is inconsistent with the data file obtained through the intelligent contract, the common user calls the intelligent contract to initiate an audit request on the data file.
More specifically, the intelligent contract includes a plurality of interfaces, specifically as follows:
upload: the data owner records the metadata information of the data file uploaded to the cloud service provider to the blockchain network through the interface, generates an initial access record of the data file, records a log signed by a user private key to the blockchain network for broadcasting, and packages the log into blocks to achieve consensus in the blockchain network;
getfile: the method comprises the steps that a user obtains an address L of a data file in a cloud storage server through an interface, and when the user sends a remote read/write request to a cloud storage server, the user needs to obtain the address and a temporary token through the interface;
VerifyRequest: the interface is provided for a cloud storage provider to use and can only be called by the cloud storage provider, when the cloud storage provider receives an operation request of a user, the interface is called to inquire whether the user has access authority or not, and meanwhile, the interface can acquire access request information of the user and store the access request information as a log record on a blockchain network;
grant: the data owner sets the access authority of a common user to the data stored on the cloud storage server through the interface, and the interface is used for authorizing the common user, namely endowing the user with the read-write authority to the data file;
revoke: the data owner gives the read-write authority to the data file stored on the cloud storage server by the common user before revoking through the interface;
and (2) Audit: the auditing user tracks the life cycle of the data file through the interface, namely knows when the data file is created and destroyed, accessed by a common user and executed operations;
and (3) Logging: the interface is used for broadcasting the access data file of the common user in the blockchain network to generate an access log record, and adding and storing the log record to the blockchain, and the access log record is completed by the interface together.
More specifically, the address L is url.
More specifically, step S2 is specifically as follows:
s201, a data owner creates a serial number fid for each data file to be uploaded, and uploads the data file to a cloud storage provider;
s202, a data owner calls an Upload interface of an intelligent contract to record metadata information of a data file to a block chain network;
s203, the data owner sends the signed log record (uid, fid, type, H (X0), OPM, ts, sign) to the cloud storage provider;
s204, the cloud storage provider checks the correctness of each field of the log record, if the fields are correct, a Logging interface of an intelligent contract is called to add the log record to the block chain network, and if the fields are not correct, the process is ended;
wherein uid is a unique user identification number for remotely accessing data, fid is a unique identifier for accessed data files, type is an operation type of the data files by the user, and H (X0) is a data hash value before being operated; ts is the current timestamp; sign is a signature generated by the user accessing the data at present by using the private key of the user to access the record; the OPM is an open data tracing model.
More specifically, the operation request information is (type, fit), where the type is an operation type of a user on the data file, and there are three types of types, namely Create, Read, and Write, which respectively represent uploading data, reading data, and writing data; fid is the only identification of the accessed data file; the metadata information of the data file comprises an address L of the data file on the cloud storage server, a hash value of the data file before operation and a token.
More specifically, the read operation request is (read, L, H (X0), token), and the write operation request is (write, L, H (Xn), token); the log record is generated by the private key signature of the access record (uid, fid, type, H (X0), H (Xn), OPM, ts, sign) in step S4;
wherein uid is a unique user identification number for remotely accessing data, fid is a unique identifier for accessed data files, type is an operation type of the data files by the user, and H (X0) is a data hash value before being operated; h (Xn) is the operated data hash value; ts is the current timestamp; sign is a signature generated by the user accessing the data at present by using the private key of the user to access the record; the OPM is an open data tracing model.
More specifically, step S5 is specifically as follows:
s501, after receiving a request of a common user, the cloud storage provider checks the correctness of each field of the log record, if the correctness is right, the step S502 is carried out, and if not, the process is ended;
s502, invoking a VerifyRequest interface of the intelligent contract to verify the identity of the common user, inquiring an access control strategy of a corresponding data file in the intelligent contract, if the identity of the user meets the condition, agreeing to the request, and turning to the step S503, if not, rejecting the request of the user, and ending the process;
s503, after receiving feedback that the intelligent contract agrees to the write operation request, the cloud storage provider executes corresponding write operation according to the request of the user;
s504, the intelligent contract adds the log record to the block chain network.
More specifically, step S6 is specifically as follows:
s601, after receiving a request of a user, a cloud storage provider checks the correctness of each field of the log record, if the correctness is right, the step S602 is switched to, and if not, the process is ended;
s602, invoking a VerifyRequest interface of the intelligent contract to verify the identity of the user, inquiring an access control strategy of a corresponding data file in the intelligent contract, if the identity of the user meets the condition, agreeing to the request, and turning to the step S603, otherwise, rejecting the request of the user and ending the process;
s603, after receiving feedback that the intelligent contract agrees to the read operation request, the cloud storage provider executes corresponding read operation according to the request of the user and returns the requested data file to the common user;
s604, the intelligent contract adds the log record to the block chain network, and the step S7 is carried out.
More specifically, step S7 is specifically as follows:
after receiving a data file sent by a cloud storage server, a common user calculates a hash value of the data file, compares the hash value with a latest hash value H (X0) of the data file acquired through an intelligent contract, if the hash value H is the same as the latest hash value H, the read data file is proved to be correct, otherwise, the read data file is proved to be tampered or not to be a latest version, and the user can call an Audit interface of the intelligent contract to initiate an Audit request for the data file.
In a second aspect, an embodiment of the present invention provides a computer-readable storage medium, where a computer program is stored on the computer-readable storage medium, and when executed by a processor, the computer program implements the log behavior auditing method according to the first aspect.
Generally, compared with the prior art, the above technical solution conceived by the present invention has the following beneficial effects:
1. according to the cloud log storage method and the cloud log storage system, the cloud log storage is transferred from the cloud storage provider to the block chain, and the safety and the integrity of log data are guaranteed by the characteristics of decentralization, distrust, high reliability and the like of the block chain.
2. According to the invention, the block chain network provides a read-write interface and an audit structure of the log by using the intelligent contract, and a data access flow is designed aiming at the interaction between the user and the cloud service provider, so that the log can be completely recorded on the block chain network by both the user and the cloud storage, and the log record cannot be denied or tampered.
Drawings
Fig. 1 is a schematic diagram of a block chain-based log behavior audit model in a cloud storage environment according to the present invention;
fig. 2 is a flowchart of a block chain-based log behavior auditing method in a cloud storage environment according to the present invention;
FIG. 3 is a flowchart of step S2 provided by the present invention;
FIG. 4 is a flowchart illustrating a remote write operation performed on data stored in a cloud storage server according to the present invention;
fig. 5 is a flowchart of performing a remote read operation on data stored in a cloud storage server according to the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the present invention is described in further detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit the invention.
Fig. 1 is a schematic diagram of a block chain-based log behavior audit model in a cloud storage environment. As shown in fig. 1, the log behavior audit model includes the following components:
cloud storage users: the data management system consists of two types, namely a data owner and a common user, and can be an individual or an organization.Data congestion One of whom isThe data can be uploaded to a cloud storage provider, the uploading operation is broadcasted in the blockchain network at the same time, and the operation log is recorded by the blockchain;general usersAnd mainly performing read-write operation on the cloud data, and broadcasting in the block chain network and recording the operation record of the block chain network.
The cloud storage provider: and the cloud storage provider provides the virtualized resources to the user in a storage resource pool mode for free use according to the requirements of the user. The user can upload data to the cloud data server and perform remote read-write operation on the data, and meanwhile, the cloud storage provider is added into the block chain network to verify the log records together with the user.
Block chain network: the user and the cloud storage provider serve as nodes to form the whole block chain network, each node equally receives operation record information broadcasted by the user node, and the record information is packaged into blocks through a mining algorithm. The entire blockchain network stores the operational behavior log as a distributed database.
A third party auditor: the cloud storage system has professional knowledge and ability which are not possessed by a user, and can periodically audit the integrity of all data stored in the cloud storage server on behalf of the user, so that a simpler and more economic mode is provided for the user, and the data can be correctly stored in the cloud.
In order to enable both a cloud storage user and a cloud storage provider to be incapable of denying log records and to obtain confirmation of both the cloud storage user and the cloud storage provider when a log is recorded, the invention provides a block chain-based log behavior auditing method in a cloud storage environment.
Fig. 2 is a flowchart of a block chain-based log behavior auditing method in a cloud storage environment according to the present invention. As shown in fig. 2, the method comprises the steps of:
s1, a data owner and a cloud service provider negotiate an intelligent contract together, the intelligent contract is deployed on a block chain network, if the deployment is successful, the step S2 is carried out, and if not, the operation is finished;
s2, for a data owner, after uploading a data file to a cloud storage server, calling an intelligent contract to add a log record to a block chain network;
s3, for a common user, calling an intelligent contract to input operation request information to be performed on the data file on the cloud storage server, returning the intelligent contract to the metadata information of the data file of the common user, and turning to the step S4;
s4, the common user initiates an operation request to the cloud storage server and sends a log record according to the operation request information and the metadata information, judges whether the operation request is a read operation request or a write operation request, and if the operation request is the write operation request, the step S5 is carried out; if the request is a read operation request, go to step S6;
s5, the cloud storage provider calls an intelligent contract to authenticate the log record, executes corresponding write-in operation according to the write-in operation request after receiving feedback that the intelligent contract agrees with the write-in operation request, and calls the intelligent contract to add the log record to the blockchain network;
s6, the cloud storage provider calls an intelligent contract to authenticate the log record, after feedback that the intelligent contract agrees to the read operation request is received, corresponding read operation is executed according to the read operation request, the requested data file is returned to a common user, the intelligent contract is called to add the log record to the block chain network, and the step S7 is carried out;
and S7, when the data file returned by the cloud storage server is inconsistent with the data file obtained through the intelligent contract, the common user calls the intelligent contract to initiate an audit request on the data file.
Step S1, a data owner and a cloud service provider negotiate an intelligent contract together, the intelligent contract is deployed on a block chain network, if the deployment is successful, the step S2 is carried out, and otherwise, the operation is finished.
Firstly, the system needs to be initialized, a user and a cloud service provider jointly negotiate an intelligent contract rule, then the contract is deployed on a blockchain network, the contract deployment process initiates a transaction with an acceptance address of 0, and a data field of the transaction contains a contract code which is compiled into byte codes. The transaction is broadcast over the blockchain network, received by the nodes and packaged into blocks, which now get a unique contract address from which we can invoke the contract. Since the transaction containing the contract code is packaged into blocks and agreed upon throughout the network, the contract code cannot be tampered with, and we can believe that this piece of code must be run according to the rules we have formulated. The process returns the smart contract address to the user side and the cloud service provider.
The intelligent contract comprises a plurality of interfaces, and a user, a cloud storage provider and a forensics investigator realize log recording and auditing work through the following interfaces:
upload: the data owner records the metadata information of the data file uploaded to the cloud service provider to the blockchain network through the interface, generates an initial access record of the data file, broadcasts the log record signed by the private key of the user in the blockchain network, and packs the log record into blocks to achieve consensus in the blockchain network.
The log records are treated as transaction data packaged into blocks.
Getfile: the user acquires the address L of the data file in the cloud storage server through the interface, and when the user sends a remote read/write request to the cloud storage server, the user needs to acquire the address and a temporary token through the interface.
Preferably, the address L is url. After receiving the request, the intelligent contract records the action as a pre-request log for auditing the operation action of the user in the follow-up process, and meanwhile, the token can prevent the user from directly utilizing the url acquired by calling the Getfile interface last time to make a request for the cloud storage server.
VerifyRequest: the interface is provided for a cloud storage provider to use and can only be called by the cloud storage provider, when the cloud storage provider receives an operation request of a user, the interface is called to inquire whether the user has access authority, and meanwhile, the interface can acquire access request information of the user and store the access request information as a log record on a blockchain network.
Grant: the data owner sets the access authority of a common user to the data stored on the cloud storage server through the interface, and the interface is used for authorizing the common user, namely endowing the user with the read-write authority to the data file.
Revoke: and the data owner gives the read-write permission to the data file stored on the cloud storage server to the common user before revoking through the interface.
And (2) Audit: the audit user tracks the lifecycle of the data file through the interface, i.e., knows when the data file was created and destroyed, when it was accessed by the average user, and which operations were performed.
And (3) Logging: the interface is used for broadcasting the access data file of the common user in the blockchain network to generate an access log record, and adding and storing the log record to the blockchain, and the access log record is completed by the interface together.
And S2, for a data owner, after uploading a data file to a cloud storage server, calling an intelligent contract to add a log record to the block chain network.
Step S2 corresponds to a Create access operation of the data owner to the data. After contract deployment is successful, the system is initialized. Then, each time the data owner uploads data to the cloud, the data owner calls an Upload interface of the intelligent contract to Upload file metadata and writes a log record, the process of calling the intelligent contract is a process of broadcasting a transaction in the blockchain network, the receiving address of the transaction is an intelligent contract address, a data field contains parameters provided by a sender, and the transaction contains the signature of the sender and can be verified by other nodes.
When the transaction is received by other nodes, the intelligent contract is executed and corresponding state variables are stored, then the transaction is packaged into blocks and is agreed on the whole network, the state of the intelligent contract after operation is confirmed by the whole network, and therefore file metadata and log records are written into a block chain and cannot be tampered.
The data owner can also make an access control strategy for the file through the Grant interface and the Revoke interface. When the transaction is broadcast over the blockchain network, the receiving node verifies the signature of the transaction and only the data owner can formulate a policy, otherwise the call is considered an invalid operation.
Fig. 3 is a flowchart of step S2 provided by the present invention. As shown in fig. 3, step S2 is specifically as follows:
s201, a data owner creates a serial number fid for each data file to be uploaded, and uploads the data file to a cloud storage provider;
and S202, the data owner calls an Upload interface of the intelligent contract to record the metadata information of the data file to the block chain network.
S203, the data owner sends the signed log record (uid, fid, type, H (X0), OPM, ts, sign) to the cloud storage provider.
The user's signature attached to the log record can ensure that the user cannot repudiate the action.
S204, the cloud storage provider checks the correctness of each field of the log record, if the fields are correct, a Logging interface of an intelligent contract is called to add the log record to the block chain network, and if the fields are not correct, the process is ended;
wherein uid is a unique user identification number for remotely accessing data, fid is a unique identifier for accessed data files, type is an operation type of the data files by the user, and H (X0) is a data hash value before being operated; ts is the current timestamp; sign is a signature generated by the user accessing the data at present by using the private key of the user to access the record; the OPM is an open data tracing model.
For example, whether the user uid is correct and whether the operation type corresponds to the user uid is checked, the validity of the user signature is verified, whether the hash value of the data file is the same as that of H (X0) is calculated finally, and if the hash value is correct, the Logging interface of the intelligent contract can be called to write the log record into the block chain network.
S3, for a common user, calling an intelligent contract to input operation request information to be performed on the data file on the cloud storage server, returning the intelligent contract to the metadata information of the data file of the common user, and turning to the step S4;
specifically, the operation request information is (type, fit), wherein the type is an operation type of a user on the data file, and the types include Create, Read, and Write, which respectively represent uploading data, reading data, and writing data; fid is the unique identification of the data file being accessed. The metadata information of the data file comprises an address L of the data file on the cloud storage server, a hash value of the data file before operation and a token. The access control policy specified by the file owner to the file is also included, and is implemented by using an access control list in the system.
S4, the common user initiates an operation request to the cloud storage server and sends a log record according to the operation request information and the metadata information, judges whether the operation request is a read operation request or a write operation request, and if the operation request is the write operation request, the step S5 is carried out; if the request is a read operation request, the process proceeds to step S6.
Specifically, the read operation request is (read, L, H (X0), token), the write operation request is (write, L, H (Xn), token); the log record is generated by the private key signature of the access record (uid, fid, type, H (X0), H (Xn), OPM, ts, sign) in step S4;
wherein uid is a unique user identification number for remotely accessing data, fid is a unique identifier for accessed data files, type is an operation type of the data files by the user, and H (X0) is a data hash value before being operated; h (Xn) is the operated data hash value; ts is the current timestamp; sign is a signature generated by the user accessing the data at present by using the private key of the user to access the record; the OPM is an open data tracing model.
And S5, the cloud storage provider calls an intelligent contract to authenticate the log record, executes corresponding write-in operation according to the write-in operation request after receiving feedback that the intelligent contract agrees to the write-in operation request, and calls the intelligent contract to add the log record into the block chain network.
Fig. 4 is a flowchart illustrating a remote write operation performed on data stored in a cloud storage server according to the present invention. As shown in fig. 4, step S5 is specifically as follows:
s501, after receiving a request of a common user, the cloud storage provider checks the correctness of each field of the log record, if the correctness is right, the step S502 is carried out, and if not, the process is ended;
s502, invoking a VerifyRequest interface of the intelligent contract to verify the identity of the common user, inquiring an access control strategy of a corresponding data file in the intelligent contract, if the identity of the user meets the condition, agreeing to the request, and turning to the step S503, if not, rejecting the request of the user, and ending the process;
s503, after receiving feedback that the intelligent contract agrees to the write operation request, the cloud storage provider executes corresponding write operation according to the request of the user;
s504, the intelligent contract adds the log record to the block chain network.
And S6, the cloud storage provider calls an intelligent contract to authenticate the log record, after receiving feedback that the intelligent contract agrees to the read operation request, executes corresponding read operation according to the read operation request, returns the requested data file to a common user, calls the intelligent contract to add the log record to the block chain network, and the step S7 is carried out.
Fig. 5 is a flowchart of performing a remote read operation on data stored in a cloud storage server according to the present invention. As shown in fig. 5, step S6 is specifically as follows:
s601, after receiving a request of a user, a cloud storage provider checks the correctness of each field of the log record, if the correctness is right, the step S602 is switched to, and if not, the process is ended;
s602, invoking a VerifyRequest interface of the intelligent contract to verify the identity of the user, inquiring an access control strategy of a corresponding data file in the intelligent contract, if the identity of the user meets the condition, agreeing to the request, and turning to the step S603, otherwise, rejecting the request of the user and ending the process;
s603, after receiving feedback that the intelligent contract agrees to the read operation request, the cloud storage provider executes corresponding read operation according to the request of the user and returns the requested data file to the common user;
s604, the intelligent contract adds the log record to the block chain network, and the step S7 is carried out.
And S7, when the data file returned by the cloud storage server is inconsistent with the data file acquired through the intelligent contract, the common user calls the intelligent contract to initiate an audit request on the data file.
After receiving data sent by the cloud storage server, a common user calculates a hash value of the data, and then compares the hash value with a latest hash value H (X0) of the data obtained through the intelligent contract, if the hash value H is the same as the latest hash value H, the read data is proved to be correct, otherwise, the data is proved to be falsified or not to be the latest version, and at the moment, the user can call an Audit interface of the intelligent contract to initiate an Audit request for the data file.
The intelligent contract is characterized in that the intelligent contract can only read data and does not need to write data because the data is damaged or maliciously tampered, but the intelligent contract also provides an interface through which a user can perform integrity audit on the data at any time. Auditing of data manipulation behavior may be based on extraction and analysis of log records. When there is audit demand, first, the audit interface of intelligent contract is called, and the intelligent contract checks the log record and returns the result to the user who has made the request.
The invention provides three auditing functions and can be used as a public auditing interface Audit to be opened for all users. The audit can be invoked by a third party auditor or any other user. These three audit functions are: obtaining the life cycle of the file, inquiring illegal users and verifying the integrity of the file.
Acquiring the file life cycle provides all operation records of the data file from uploading to deleting.
The inquiry of the illegal users provides which users try to perform illegal operations, so that some punishment measures can be taken for the users or the authority of the malicious users can be timely revoked. By comparing whether the request sent by the Getfile and the request sent by the VerifyRequest are consistent or not, if the request operations of the Getfile and the VerifyRequest are inconsistent, the user is proved to have initiated an illegal request, and the user is an illegal user.
Verifying the integrity of the file provides the user with a verification that the file he or she has obtained has been tampered with. By comparing the hash value of the data with the hash value of the data in the most recent record, if not, it is said that the integrity of the data is compromised.
The above description is only for the preferred embodiment of the present application, but the scope of the present application is not limited thereto, and any changes or substitutions that can be easily conceived by those skilled in the art within the technical scope of the present application should be covered within the scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.
Claims (10)
1. A log behavior auditing method based on a block chain in a cloud storage environment is characterized by comprising the following steps:
s1, a data owner and a cloud service provider negotiate an intelligent contract together, the intelligent contract is deployed on a block chain network, if the deployment is successful, the step S2 is carried out, and if not, the operation is finished;
s2, for a data owner, after uploading a data file to a cloud storage server, calling an intelligent contract to add a log record to a block chain network;
s3, for a common user, calling an intelligent contract to input operation request information to be performed on the data file on the cloud storage server, returning the intelligent contract to the metadata information of the data file of the common user, and turning to the step S4;
s4, the common user initiates an operation request to the cloud storage server and sends a log record according to the operation request information and the metadata information, judges whether the operation request is a read operation request or a write operation request, and if the operation request is the write operation request, the step S5 is carried out; if the request is a read operation request, go to step S6;
s5, the cloud storage provider calls an intelligent contract authentication log record, executes corresponding write-in operation according to the write-in operation request after receiving feedback that the intelligent contract agrees to the write-in operation request, and calls an intelligent contract to add the log record to the blockchain network;
s6, the cloud storage provider calls an intelligent contract authentication log record, after feedback that the intelligent contract agrees to the read operation request is received, corresponding read operation is executed according to the read operation request, the requested data file is returned to a common user, the intelligent contract is called to add the log record to the block chain network, and the step S7 is carried out;
and S7, when the data file returned by the cloud storage server is inconsistent with the data file obtained through the intelligent contract, the common user calls the intelligent contract to initiate an audit request on the data file.
2. The log behavior auditing method of claim 1, where the intelligent contract includes a plurality of interfaces, specifically as follows:
upload: the data owner records the metadata information of the data file uploaded to the cloud service provider to the blockchain network through the interface, generates an initial access record of the data file, records a log signed by a user private key to the blockchain network for broadcasting, and packages the log into blocks to achieve consensus in the blockchain network;
getfile: the method comprises the steps that a user obtains an address L of a data file in a cloud storage server through an interface, and when the user sends a remote read/write request to a cloud storage server, the user needs to obtain the address and a temporary token through the interface;
VerifyRequest: the interface is provided for a cloud storage provider to use and can only be called by the cloud storage provider, when the cloud storage provider receives an operation request of a user, the interface is called to inquire whether the user has access authority or not, and meanwhile, the interface can acquire access request information of the user and store the access request information as a log record on a blockchain network;
grant: the data owner sets the access authority of a common user to the data stored on the cloud storage server through the interface, and the interface is used for authorizing the common user, namely endowing the user with the read-write authority to the data file;
revoke: the data owner gives the read-write authority to the data file stored on the cloud storage server by the common user before revoking through the interface;
and (2) Audit: the auditing user tracks the life cycle of the data file through the interface, namely knows when the data file is created and destroyed, accessed by a common user and executed operations;
and (3) Logging: the interface is used for broadcasting the access data file of the common user in the blockchain network to generate an access log record, and adding and storing the log record to the blockchain, and the access log record is completed by the interface together.
3. The log behavior auditing method of claim 2 where the address L is url.
4. The log behavior auditing method of claim 2, in which step S2 is as follows:
s201, a data owner creates a serial number fid for each data file to be uploaded, and uploads the data file to a cloud storage provider;
s202, a data owner calls an Upload interface of an intelligent contract to record metadata information of a data file to a block chain network;
s203, the data owner sends the signed log record (uid, fid, type, H (X0), OPM, ts, sign) to the cloud storage provider;
s204, the cloud storage provider checks the correctness of each field of the log record, if the fields are correct, a Logging interface of an intelligent contract is called to add the log record to the block chain network, and if the fields are not correct, the process is ended;
wherein uid is a unique user identification number for remotely accessing data, fid is a unique identifier for accessed data files, type is an operation type of the data files by the user, and H (X0) is a data hash value before being operated; ts is the current timestamp; sign is a signature generated by the user accessing the data at present by using the private key of the user to access the record; the OPM is an open data tracing model.
5. The log behavior auditing method according to claim 2, characterized in that the operation request information is (type, fit), wherein the type is the operation type of the data file by the user, and the type has three types of Create, Read and Write, which respectively represent uploading data, reading data and writing data; fid is the only identification of the accessed data file; the metadata information of the data file comprises an address L of the data file on the cloud storage server, a hash value of the data file before operation and a token.
6. The log behavior auditing method of claim 5 where the read operation request is (read, L, H (X0), token), the write operation request is (write, L, H (Xn), token); the log record is generated by the private key signature of the access record (uid, fid, type, H (X0), H (Xn), OPM, ts, sign) in step S4;
wherein uid is a unique user identification number for remotely accessing data, fid is a unique identifier for accessed data files, type is an operation type of the data files by the user, and H (X0) is a data hash value before being operated; h (Xn) is the operated data hash value; ts is the current timestamp; sign is a signature generated by the user accessing the data at present by using the private key of the user to access the record; the OPM is an open data tracing model.
7. The log behavior auditing method of claim 2, in which step S5 is as follows:
s501, after receiving a request of a common user, the cloud storage provider checks the correctness of each field of the log record, if the correctness is right, the step S502 is carried out, and if not, the process is ended;
s502, invoking a VerifyRequest interface of the intelligent contract to verify the identity of the common user, inquiring an access control strategy of a corresponding data file in the intelligent contract, if the identity of the user meets the condition, agreeing to the request, and turning to the step S503, if not, rejecting the request of the user, and ending the process;
s503, after receiving feedback that the intelligent contract agrees to the write operation request, the cloud storage provider executes corresponding write operation according to the request of the user;
s504, the intelligent contract adds the log record to the block chain network.
8. The log behavior auditing method of claim 2, in which step S6 is as follows:
s601, after receiving a request of a user, a cloud storage provider checks the correctness of each field of the log record, if the correctness is right, the step S602 is switched to, and if not, the process is ended;
s602, invoking a VerifyRequest interface of the intelligent contract to verify the identity of the user, inquiring an access control strategy of a corresponding data file in the intelligent contract, if the identity of the user meets the condition, agreeing to the request, and turning to the step S603, otherwise, rejecting the request of the user and ending the process;
s603, after receiving feedback that the intelligent contract agrees to the read operation request, the cloud storage provider executes corresponding read operation according to the request of the user and returns the requested data file to the common user;
s604, the intelligent contract adds the log record to the block chain network, and the step S7 is carried out.
9. The log behavior auditing method of claim 2, in which step S7 is as follows:
after receiving a data file sent by a cloud storage server, a common user calculates a hash value of the data file, compares the hash value with a latest hash value H (X0) of the data file acquired through an intelligent contract, if the hash value H is the same as the latest hash value H, the read data file is proved to be correct, otherwise, the read data file is proved to be tampered or not to be a latest version, and the user can call an Audit interface of the intelligent contract to initiate an Audit request for the data file.
10. A computer-readable storage medium, characterized in that the computer-readable storage medium stores a computer program which, when executed by a processor, implements the log behavior auditing method according to any one of claims 1 to 9.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201811126706.7A CN109190410B (en) | 2018-09-26 | 2018-09-26 | Log behavior auditing method based on block chain in cloud storage environment |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201811126706.7A CN109190410B (en) | 2018-09-26 | 2018-09-26 | Log behavior auditing method based on block chain in cloud storage environment |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN109190410A CN109190410A (en) | 2019-01-11 |
| CN109190410B true CN109190410B (en) | 2020-05-19 |
Family
ID=64907256
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201811126706.7A Active CN109190410B (en) | 2018-09-26 | 2018-09-26 | Log behavior auditing method based on block chain in cloud storage environment |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN109190410B (en) |
Cited By (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN110084069A (en) * | 2019-04-17 | 2019-08-02 | 江苏全链通信息科技有限公司 | Server log monitoring method and system based on block chain |
Families Citing this family (56)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN109829334B (en) * | 2019-01-30 | 2022-12-20 | 复旦大学 | Block chain-based data box configuration, use and accounting method and operation system thereof |
| CN109903046A (en) * | 2019-02-02 | 2019-06-18 | 中国互联网络信息中心 | User data management and device based on block chain |
| CN109815203A (en) * | 2019-02-12 | 2019-05-28 | 山东超越数控电子股份有限公司 | A kind of log audit method and system based on block chain |
| CN109862103B (en) * | 2019-02-26 | 2022-02-25 | 上海南潮信息科技有限公司 | File data secure sharing method and device based on block chain |
| CN109977089A (en) * | 2019-03-13 | 2019-07-05 | 深圳壹账通智能科技有限公司 | Blog management method, device, computer equipment and computer readable storage medium |
| CN110138733B (en) * | 2019-04-03 | 2021-09-21 | 华南理工大学 | Block chain-based object storage system trusted evidence storage and access authority control method |
| CN110048828A (en) * | 2019-04-17 | 2019-07-23 | 江苏全链通信息科技有限公司 | Log storing method and system based on data center |
| CN109902074B (en) * | 2019-04-17 | 2021-02-09 | 江苏全链通信息科技有限公司 | Data center-based log storage method and system |
| US11360946B2 (en) * | 2019-05-17 | 2022-06-14 | International Business Machines Corporation | Tracking data transfers |
| CN110263584B (en) * | 2019-06-19 | 2020-10-27 | 华中科技大学 | Block chain-based data integrity auditing method and system |
| CN110365766A (en) * | 2019-07-12 | 2019-10-22 | 全链通有限公司 | Cloud storage method, equipment and computer readable storage medium based on block chain |
| CN110430248B (en) * | 2019-07-23 | 2022-03-25 | 平安科技(深圳)有限公司 | Block chain construction method, device, medium and electronic equipment based on cloud service |
| US10783054B2 (en) | 2019-07-29 | 2020-09-22 | Alibaba Group Holding Limited | Method, apparatus, and device for storing operation record based on trusted execution environment |
| CN110457898B (en) * | 2019-07-29 | 2020-10-30 | 创新先进技术有限公司 | Operation record storage method, device and equipment based on trusted execution environment |
| CN110473094B (en) * | 2019-07-31 | 2021-05-18 | 创新先进技术有限公司 | Data authorization method and device based on block chain |
| US11057189B2 (en) | 2019-07-31 | 2021-07-06 | Advanced New Technologies Co., Ltd. | Providing data authorization based on blockchain |
| US11251963B2 (en) | 2019-07-31 | 2022-02-15 | Advanced New Technologies Co., Ltd. | Blockchain-based data authorization method and apparatus |
| CN110457875B (en) * | 2019-07-31 | 2021-04-27 | 创新先进技术有限公司 | Data authorization method and device based on block chain |
| CN110473096A (en) * | 2019-07-31 | 2019-11-19 | 阿里巴巴集团控股有限公司 | Data grant method and device based on intelligent contract |
| US11252166B2 (en) | 2019-07-31 | 2022-02-15 | Advanced New Technologies Co., Ltd. | Providing data authorization based on blockchain |
| CN110414270B (en) * | 2019-08-01 | 2022-12-06 | 谈建中 | Personal data protection system and method based on block chain |
| CN110417909B (en) * | 2019-08-07 | 2022-04-08 | 中国联合网络通信集团有限公司 | Wireless network remote login method and system |
| US10936581B2 (en) | 2019-08-30 | 2021-03-02 | Advanced New Technologies Co., Ltd. | Blockchain transaction processing method and apparatus |
| CN110633309A (en) * | 2019-08-30 | 2019-12-31 | 阿里巴巴集团控股有限公司 | Block chain transaction processing method and device |
| CN112527825B (en) * | 2019-09-19 | 2022-12-06 | 上海哔哩哔哩科技有限公司 | Data storage method and device and computer equipment |
| CN112561695B (en) * | 2019-09-25 | 2021-07-23 | 支付宝(杭州)信息技术有限公司 | Method and apparatus for concurrently executing transactions in a blockchain |
| CN110677407B (en) * | 2019-09-26 | 2022-04-22 | 北京笔新互联网科技有限公司 | Safety control method of lightweight block chain platform |
| CN111092745A (en) * | 2019-10-12 | 2020-05-01 | 深圳壹账通智能科技有限公司 | Log processing method and device based on block chain, computer equipment and storage medium |
| CN110798478B (en) * | 2019-11-06 | 2022-04-15 | 中国联合网络通信集团有限公司 | Data processing method and device |
| CN111131191A (en) * | 2019-12-10 | 2020-05-08 | 山东超越数控电子股份有限公司 | Method and system for auditing cloud storage service operation and cloud storage system |
| CN111177096A (en) * | 2019-12-11 | 2020-05-19 | 招银云创(深圳)信息技术有限公司 | Log management method and device, computer equipment and storage medium |
| CN111241104A (en) * | 2020-01-14 | 2020-06-05 | 腾讯科技(深圳)有限公司 | Operation auditing method and device, electronic equipment and computer-readable storage medium |
| US11310051B2 (en) | 2020-01-15 | 2022-04-19 | Advanced New Technologies Co., Ltd. | Blockchain-based data authorization method and apparatus |
| WO2021154157A1 (en) * | 2020-01-31 | 2021-08-05 | Agency For Science, Technology And Research | Blockchain-based data exchange |
| CN111339550B (en) * | 2020-02-01 | 2023-08-29 | 温州理工学院 | Comment information credibility method based on blockchain technology |
| SG11202012921XA (en) * | 2020-02-14 | 2021-01-28 | Alipay Hangzhou Inf Tech Co Ltd | Data authorization based on decentralized identifiers |
| CN111698278B (en) * | 2020-04-10 | 2021-06-25 | 湖南大学 | Multi-cloud data storage method based on block chain |
| CN111428207B (en) * | 2020-04-23 | 2023-11-14 | 重庆邮电大学 | Digital copyright registration and transaction method based on blockchain technology |
| CN111611614B (en) * | 2020-04-29 | 2023-09-08 | 南京财经大学 | Cloud storage public auditing method and system for resisting malicious auditors based on blockchain |
| CN111797142A (en) * | 2020-07-06 | 2020-10-20 | 北京荷月科技有限公司 | Method and system for auditing data on link |
| CN111950020B (en) * | 2020-07-20 | 2024-04-19 | 北京思特奇信息技术股份有限公司 | Block chain-based data sharing system, method, computing device and storage medium |
| CN112134698B (en) * | 2020-09-10 | 2022-10-11 | 江苏大学 | Block chain-based quick communication authentication method and system for vehicles and vehicles in Internet of vehicles |
| CN112134869B (en) * | 2020-09-16 | 2023-04-18 | 北方工业大学 | Cloud service examination system and examination method based on block chain |
| CN112417496A (en) * | 2020-10-28 | 2021-02-26 | 北京八分量信息科技有限公司 | Method for realizing white list based on intelligent contract based on deep learning |
| CN112307233B (en) * | 2020-10-30 | 2024-08-06 | 圆通速递有限公司 | Method and system for deleting repeated images in cloud storage based on block chain |
| CN112448946B (en) * | 2020-11-09 | 2024-03-19 | 北京工业大学 | Log auditing method and device based on block chain |
| CN112306983B (en) * | 2020-11-18 | 2024-04-09 | 武汉德尔达科技有限公司 | Ship electronic turbine log system and data protection method |
| CN112434040B (en) * | 2020-11-30 | 2023-09-22 | 泰康保险集团股份有限公司 | Data storage method, data acquisition method, device, system and equipment |
| CN112564985A (en) * | 2020-12-24 | 2021-03-26 | 南京联成科技发展股份有限公司 | Safe operation and maintenance management method based on block chain |
| CN113094754B (en) * | 2021-05-08 | 2022-11-01 | 重庆银行股份有限公司 | Big data platform data modification system and modification, response, cache and verification method |
| CN113382073B (en) * | 2021-06-08 | 2022-06-21 | 重庆邮电大学 | Monitoring system and method for edge nodes in cloud edge-side industrial control system |
| CN113486082B (en) * | 2021-06-28 | 2023-03-28 | 电子科技大学 | Outsourcing data access control system based on block chain |
| CN113285812A (en) * | 2021-07-26 | 2021-08-20 | 西南石油大学 | Cloud storage self-auditing method based on SGX and Ether house block chain |
| CN113836237A (en) * | 2021-09-30 | 2021-12-24 | 北京中经惠众科技有限公司 | Method and device for auditing data operation of database |
| CN114020726B (en) * | 2021-11-26 | 2024-09-10 | 中国电力科学研究院有限公司 | Log auditing method, system, equipment and medium based on multivariate log data analysis |
| US11768821B1 (en) | 2022-03-23 | 2023-09-26 | International Business Machines Corporation | Blockchain based multi vendor change monitoring system |
Family Cites Families (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US10805393B2 (en) * | 2015-12-02 | 2020-10-13 | Olea Networks, Inc. | System and method for data management structure using auditable delta records in a distributed environment |
| CN106650478B (en) * | 2016-12-28 | 2019-12-06 | 优刻得科技股份有限公司 | data operation management device and method |
| CN107707410B (en) * | 2017-10-26 | 2021-04-27 | 上海点融信息科技有限责任公司 | Method for configuring system audit service, information processing device and readable storage medium |
| CN108446407B (en) * | 2018-04-12 | 2021-04-30 | 北京百度网讯科技有限公司 | Database auditing method and device based on block chain |
-
2018
- 2018-09-26 CN CN201811126706.7A patent/CN109190410B/en active Active
Cited By (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN110084069A (en) * | 2019-04-17 | 2019-08-02 | 江苏全链通信息科技有限公司 | Server log monitoring method and system based on block chain |
Also Published As
| Publication number | Publication date |
|---|---|
| CN109190410A (en) | 2019-01-11 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN109190410B (en) | Log behavior auditing method based on block chain in cloud storage environment | |
| US11170092B1 (en) | Document authentication certification with blockchain and distributed ledger techniques | |
| CN109691015B (en) | Dynamic access control method and system on block chain | |
| CN108076057B (en) | Data security system and method based on block chain | |
| CN107480555B (en) | Database access authority control method and device based on block chain | |
| US20180337771A1 (en) | Policy enforcement via peer devices using a blockchain | |
| Lee et al. | Modifiable public blockchains using truncated hashing and sidechains | |
| CN110855777B (en) | Node management method and device based on block chain | |
| KR20190105027A (en) | Data sharing method and data sharing system | |
| CN109242404B (en) | Resume information management method, resume information management device, computer equipment and readable storage medium | |
| CN113656780B (en) | Cross-chain access control method and device | |
| CN109388957B (en) | Block chain-based information transfer method, device, medium and electronic equipment | |
| CN110908786A (en) | Intelligent contract calling method, device and medium | |
| CN111292174A (en) | Tax payment information processing method and device and computer readable storage medium | |
| US20220141014A1 (en) | Storing secret data on a blockchain | |
| CN112712372B (en) | Alliance chain cross-chain system and information calling method | |
| CN114357490A (en) | Data sharing method, device and system based on block chain | |
| CN117216740A (en) | Digital identity authentication method based on blockchain technology | |
| CN112101945B (en) | Method and system for supervising block chain content | |
| CN109033882A (en) | A kind of safe dissemination method of retrospective big data and system | |
| CN110851851A (en) | Authority management method, device and equipment in block chain type account book | |
| CN112417403B (en) | Automatic system authentication and authorization processing method based on GitLab API | |
| CN115048672A (en) | Data auditing method and device based on block chain, processor and electronic equipment | |
| CN117118640A (en) | Data processing method, device, computer equipment and readable storage medium | |
| CN114707141A (en) | Multi-party computing method and system based on block chain system |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |