CN109347923A - Anti- quantum calculation cloud storage method and system based on unsymmetrical key pond - Google Patents

Anti- quantum calculation cloud storage method and system based on unsymmetrical key pond Download PDF

Info

Publication number
CN109347923A
CN109347923A CN201811101455.7A CN201811101455A CN109347923A CN 109347923 A CN109347923 A CN 109347923A CN 201811101455 A CN201811101455 A CN 201811101455A CN 109347923 A CN109347923 A CN 109347923A
Authority
CN
China
Prior art keywords
key
file
user terminal
random number
public
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201811101455.7A
Other languages
Chinese (zh)
Other versions
CN109347923B (en
Inventor
富尧
钟民
钟一民
杨羽成
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Ruban Quantum Technology Co Ltd
Original Assignee
Ruban Quantum Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Ruban Quantum Technology Co Ltd filed Critical Ruban Quantum Technology Co Ltd
Priority to CN201811101455.7A priority Critical patent/CN109347923B/en
Publication of CN109347923A publication Critical patent/CN109347923A/en
Application granted granted Critical
Publication of CN109347923B publication Critical patent/CN109347923B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00Network arrangements or protocols for supporting network services or applications
    • H04L67/01Protocols
    • H04L67/10Protocols in which an application is distributed across nodes in the network
    • H04L67/1097Protocols in which an application is distributed across nodes in the network for distributed storage of data in networks, e.g. transport arrangements for network file system [NFS], storage area networks [SAN] or network attached storage [NAS]
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/04Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/045Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply hybrid encryption, i.e. combination of symmetric and asymmetric encryption
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0819Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • H04L9/0825Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) using asymmetric-key encryption or public key infrastructure [PKI], e.g. key signature or public key certificates
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0852Quantum cryptography
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/0869Generation of secret information including derivation or calculation of cryptographic keys or passwords involving random numbers or seeds
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/0877Generation of secret information including derivation or calculation of cryptographic keys or passwords using additional device, e.g. trusted platform module [TPM], smartcard, USB or hardware security module [HSM]

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • Electromagnetism (AREA)
  • Theoretical Computer Science (AREA)
  • Storage Device Security (AREA)

Abstract

The present invention relates to a kind of anti-quantum calculation cloud storage method and system based on unsymmetrical key pond, user terminal utilizes the data file upload server of file key encryption, user terminal is configured with the quantum key card for generating file key true random number, and it combines and generates file key, and file key true random number with public key and is uploaded to server using file characteristic value encrypted form by user terminal, wherein public key is generated using public-key cryptographic keys true random number, and user terminal uploads personal key, data key and public-key cryptographic keys true random number to server;Server receives and stores the relevant parameter from user terminal;User terminal downloads each parameter, obtains data file using private key.Utilize quantum key card storage of public keys, quantum key card is independent hardware isolated equipment, a possibility that key is stolen by malicious operation reduction, while server end can not all touch all kinds of keys of user terminal and plaintext data file, guarantee the safety that data storage is carried out on Cloud Server.

Description

Anti- quantum calculation cloud storage method and system based on unsymmetrical key pond
Technical field
The present invention relates to cloud storage field more particularly to a kind of sides of the cloud storage security control based on unsymmetrical key pond Method and system.
Background technique
With the development of science and technology, cloud storage has increasingly becomed a kind of trend, various cloud storage technologies emerge one after another, and are Guarantee the safety of cloud storage data, it will usually guarantee the safety of data using various encryption methods, for example, can pass through Asymmetric-key encryption guarantees the safeties of data, asymmetric-key encryption need to be respectively completed using different keys plus Close and decryption oprerations, one publishes, i.e. public key, another is saved by user oneself is secret, i.e. private key.Information transmitter is used Public key goes to encrypt, and information receiver goes to decrypt with private key;Or information transmitter goes to encrypt with private key, and information receiver uses Public key goes to decrypt.
Due to mostly using shared storage in cloud storage, this makes service provider need to control private key, leads to private key Safety is lower.Publication No. CN103236934A, the invention of entitled " a kind of method of cloud storage security control " are special Sharp document discloses a kind of for solving the problems, such as the lower method of private key safety.The invention uses two different encryptions Mode encrypts the private key of user and stores respectively.
As most people is understood, quantum computer has great potential in password cracking.Mainstream is non-now Symmetrically (public key) Encryption Algorithm, such as RSA cryptographic algorithms, it is most of to be all based in factorization or the finite field of big integer The two difficult math questions of the calculating of discrete logarithm.Their difficulty that cracks also is dependent on the efficiency solved these problems.Tradition On computer, it is desirable that solve the two difficult math questions, the cost time is the exponential time (to crack the time with the growth of public key length Increased with exponential), this is unacceptable in practical applications.It and is that your elegant algorithm for making to measure of quantum computer can be with In polynomial time (time is cracked as the growth of public key length is increased with the speed of k power, wherein k is long with public key Spend unrelated constant) carry out integer factorization or discrete logarithm and calculate, thus for RSA, discrete logarithm Encryption Algorithm it is broken Solution provides may.
There are the demand of cloud in data in current enterprise or public institution sometimes, and public cloud is generally not susceptible to these units letter Appoint, is considered the possible problematic or key of information security and is easy to be obtained and cracked by hacker, therefore cause public cloud visitor There is trouble and worry at family to cloud in data.
Problem of the existing technology:
(1) key storage is carried out on Cloud Server has certain risk.Public cloud client looks back cloud in data Sorrow.
(2) invention of Publication No. CN103236934A, entitled " a kind of method of cloud storage security control " are special Sharp document encrypts file key using client public key, due to quantum calculation function obtain quickly through public key it is corresponding Private key, therefore the program is easy to be cracked by quantum computer.
Summary of the invention
Based on this, it is necessary in view of the above-mentioned problems, providing a kind of anti-quantum calculation cloud storage based on unsymmetrical key pond Method and system.
A kind of anti-quantum calculation cloud storage method based on unsymmetrical key pond, including user terminal will be added using file key Close data file is uploaded to server, and the user terminal is configured with quantum key card, and the file key is close using quantum File key true random number caused by key card generate, and the user terminal by the file key true random number in an encrypted form It is uploaded to the server;The cipher mode of the file key true random number is to use public key encryption file key true random number It obtains personal key and obtains data key using file characteristic value encryption file key true random number;Wherein, the public key It is generated using public-key cryptographic keys true random number caused by quantum key card;The user terminal is by the personal key, the data Key and public-key cryptographic keys true random number upload the server.
Currently there are many storage cloud services, including many public clouds.In the present embodiment, the server letter of cloud is stored Referred to as server, the used storage cloud client of member is user terminal.User terminal is the equipment of access storage cloud in the present invention, Can be mobile terminal, or be fixed terminal, terminal is equipped with quantum key card, the description of quantum key card it is visible application No. is The patent of " 201610843210.6 ".When for mobile terminal, quantum key card is preferably quantum key SD card;When be it is fixed eventually When end, quantum key card is preferably quantum key USBkey or host quantum key board.
The generation of file key and being encrypted in quantum key card for data file are completed, and guarantee that user terminal encipheror is held Row Environmental security, the file key true random number in quantum key card generate file code key, guarantee the truly random property of file code key, The safety of file code key is greatly improved, while quantum key card is independent hardware isolated equipment, by Malware or malice Operation a possibility that stealing key, substantially reduces, and file key true random number is uploaded to server in an encrypted form, rather than file Key storage solves the risk that key storage is stolen on the server.
Electedly, the user terminal has one or more, is stored in the quantum key card of each user terminal configuration identical Pool of keys, the user terminal for uploading data file generate file key by the pool of keys of one's own side with data file encryption, download number Generate file key accordingly using the pool of keys of the true random number combination one's own side from server according to the user terminal of file to decrypt Data file out.
The quantum key card side of issuing of this patent is the supervisor side of quantum key card, generally certain enterprise or public institution Administrative department;The member that the quantum key card side of being awarded is managed by the supervisor side of quantum key card, generally certain enterprise or thing The employees at different levels of industry unit carry out cloud data access using user terminal.User terminal arrives the supervisor side of quantum key card first Application is opened an account.After user terminal carries out registering granted, quantum key card will be obtained (there is unique quantum key card ID). Quantum key card stores client enrollment register information, is also built-in with identity authentication protocol, include at least key schedule with And verification function or other algorithms relevant to authentication.User side key in quantum key card is all downloaded from down same Quantum network service station, and for the supervisor side of the same quantum key card stores in each quantum key card issued Pool of keys be completely the same.Preferably, the pool of keys size stored in quantum key card can be 1G, 2G, 4G, 8G, 16G, 32G, 64G, 128G, 256G, 512G, 1024G, 2048G, 4096G etc..Its capacity depends on supervisor side and wants to safety It asks, capacity is bigger, and safety is higher.
Electedly, the pool of keys of each user terminal includes:
Group's type pool of symmetric keys, for generating the file key;
Unsymmetrical key pond, in the unsymmetrical key pond in storage cluster all user terminals public key, it is described asymmetric Pool of keys extracts public key in conjunction with the public-key cryptographic keys true random number;And
Unsymmetrical key, the unsymmetrical key are user terminal private key.
In the present invention, the key zone of quantum key card is as shown in Fig. 2, be divided into group's type pool of symmetric keys, unsymmetrical key Pond (public key) and unsymmetrical key (private key).Wherein, public key area possesses this public key for organizing all users, and the storage of private key area is originally The private key of user.
Preferably, the file key generation method includes: by the file key true random number combination file key kind Sub- pointer function obtains file key seed pointer, utilizes this document key seed pointer group described in the quantum key card Corresponding file key seed is extracted in group type pool of symmetric keys, this document key seed combination file key function obtains described File key;The ID of the file key seed pointer function ID and file key function are also sent to described by the user terminal Server.
Preferably, the public key generation method includes: that the public-key cryptographic keys true random number combination public key pointer function obtains Public key pointer extracts corresponding public key in the unsymmetrical key pond described in the quantum key card using the public key pointer.
Preferably, the file key seed pointer function ID and file key function ID as the server whether into The mark of row duplicate removal.
Preferably, when a plurality of clients shared data file, user terminal is shared and is shared user terminal disclosing the public affairs Key key true random number, the shared user terminal are shared user terminal described in the public-key cryptographic keys true random number generation by disclosing Personal key, upload the personal key to the server so that realize to the file-sharing for being shared user terminal.
A kind of anti-quantum calculation cloud storage method based on unsymmetrical key pond, including server receive and store to use by oneself Family end utilizes the data file of file key encryption, and institute's server also receives and stores personal key from user terminal, data Key and public-key cryptographic keys true random number, the personal key and the data key are encrypted by the file key true random number It obtains;
The cipher mode of the file key true random number is to obtain individual using public key encryption file key true random number Key, and data key is obtained using file characteristic value encryption file key true random number, wherein the public key utilizes quantum Public-key cryptographic keys true random number caused by key card generates.
Preferably, the server also receives and stores relevant to the file key is generated from the user terminal Whether function ID, two of them function ID carry out the sign of duplicate removal as server;
When server judges duplicate removal according to the sign, the server is close to user terminal transmission data Key;
When server according to the sign judgement be not required to duplicate removal when, receive storage from the user terminal with generation The relevant function ID of the file key.
A kind of anti-quantum calculation cloud storage system based on unsymmetrical key pond, including server and user terminal, the use The data file encrypted using file key is uploaded to the server by family end, and the user terminal is configured with quantum key card, The file key is to be generated using file key true random number caused by the quantum key card, and the user terminal will also The file key true random number is uploaded to the server in an encrypted form;The cipher mode of the file key true random number For use public key encryption file key true random number to obtain personal key and use file characteristic value encrypt file key very with Machine number obtains data key, wherein the public key is generated using public-key cryptographic keys true random number caused by quantum key card, it is described User terminal uploads the personal key, the data key and public-key cryptographic keys true random number to the server;The service Device receives and stores personal key, public-key cryptographic keys true random number and data file from the user terminal;User terminal downloading Personal key, public-key cryptographic keys true random number and the data file using file key encryption, user terminal decrypt institute using private key Personal key is stated to obtain file key true random number and then generate file key, it is close using file using file key decryption The data file of key encryption obtains data file.
The above-mentioned anti-quantum calculation cloud storage method and system based on unsymmetrical key pond, user terminal will utilize file key The data file of encryption is uploaded to server, and user terminal is configured with quantum key card, and the file key is to utilize quantum key Block caused by file key true random number generate, and the user terminal also by the file key true random number in an encrypted form It is uploaded to the server, cipher mode is to obtain personal key and use using public key encryption file key true random number File characteristic value encryption file key true random number obtains data key, wherein the public key is using caused by quantum key card Public-key cryptographic keys true random number generates, the user terminal upload the personal key, the data key and public-key cryptographic keys very with Machine number is to the server;It is truly random that the server receives and stores personal key from the user terminal, public-key cryptographic keys Several and data file;User terminal downloads personal key, public-key cryptographic keys true random number and the data using file key encryption File, user terminal decrypt the personal key using private key and then obtain data file.Utilize quantum key card storage of public keys, amount A possibility that sub-key card is independent hardware isolated equipment, steals key by Malware or malicious operation substantially reduces, together When server end can not all touch all kinds of keys of user terminal (public key, private key, file key etc.) and plaintext data file, protect Demonstrate,prove the safety that data storage is carried out on Cloud Server.
Detailed description of the invention
Fig. 1 is the structural schematic diagram of storage system provided in an embodiment of the present invention;
Fig. 2 is the key zone structural schematic diagram of user terminal provided in an embodiment of the present invention;
Fig. 3 is public key storage mode flow chart provided in an embodiment of the present invention;
Fig. 4 is file key product process figure provided in an embodiment of the present invention;
Fig. 5 is public key reading manner flow chart provided in an embodiment of the present invention;
Fig. 6 is the flow chart for the storage method that the embodiment of the present invention 1 provides;
Fig. 7 is the flow chart for the read method that the embodiment of the present invention 2 provides.
Specific embodiment
In following steps, operates in many places that each user terminal is related to, all carried out in matched quantum key card.
Fig. 1 is the structural schematic diagram of the cloud storage system provided in an embodiment of the present invention based on unsymmetrical key pond, including The data file encrypted using file key is uploaded to the server, the use by server and user terminal, the user terminal Family end is configured with quantum key card, and the file key is to utilize file key true random number caused by the quantum key card It generates, and the file key true random number is also uploaded to the server by the user terminal in an encrypted form;
The cipher mode of the file key true random number is to obtain individual using public key encryption file key true random number Key and using file characteristic value encryption file key true random number obtain data key, wherein the public key using quantum it is close Public-key cryptographic keys true random number caused by key card generates, the user terminal upload the personal key, the data key and Public-key cryptographic keys true random number is to the server.
The user terminal includes: hash value computing module, key production module and encryption/decryption module.
This hash value is uploaded to service by hash value computing module, the hash value of the data file for calculating new user Device, for whether there is the data file with identical hash value in the judgement of server judgment module storing data file.
Key production module when the result judged for the judgment module in server is no, generates file key.
In the present embodiment, user terminal has one or more, is stored in the quantum key card of each user terminal configuration identical Pool of keys, upload the user terminal of data file by the pool of keys of one's own side and generate file key with data file encryption, downloading The user terminal of data file generates file key accordingly using the pool of keys of the true random number combination one's own side from server to solve Close data file out.
The key production module of each user terminal in addition to group's type pool of symmetric keys for generating file key, There are also the unsymmetrical key ponds for being used for storage of public keys.Pool of symmetric keys is expressed as KP, and unsymmetrical key pond is expressed as KPP.Wherein Public key area possesses this public key for organizing all users.The storage mode of public key as shown in figure 3, take public key close some user at random Key random number rk obtains public key pointer rkp in conjunction with specific public key pointer function frkp and from corresponding unsymmetrical key pond Corresponding position be stored in the public key krk of the user.
File key generation method, as shown in figure 4, first using the real random number generator in matched quantum key card Generate file key random number rf;File key seed is obtained then in conjunction with specific file key seed pointer function frfp to refer to Needle rfp simultaneously extracts corresponding file key seed krf from pool of symmetric keys;It is generated then in conjunction with file key function fkf File key kf.
The file key seed pointer function frfp and file key function fkf is that quantum key card supervisor can determine System.
File key seed pointer function frfp is that modulus after certain numerical transformation, such as frfp are carried out to true random number (r)=(r+d) %s,
Wherein r is input variable (being herein true random number), and d is offset, and % is modulo operation, and s is that pool of keys is always big It is small.Certainly according to the design needs, file key seed pointer function frfp is without being limited thereto, as long as file key seed can be obtained Pointer rfp.
File key function fkf is that modulus after certain numerical transformation, such as fkf (x)=(ax+ are carried out to input data B) %2len,
Wherein x is input variable, and a, b are transformation parameter, and % is modulo operation, and len is that the key length that user specifies is (single Position: bit).Certainly according to the design needs, file key function fkf is without being limited thereto, as long as file key kf can be generated.
Since this patent projecting point is resisting quantum computation attack, so the frfp and fkf of all users are.
Encryption/decryption module, for being encrypted using file key to data file;And utilize two kinds of different encryption sides Formula carries out encryption to file key random number rf and forms personal key and data key;Wherein, using private key for user as decruption key File key random number rf can be obtained after personal key is decrypted;It is decryption with the characteristic value of data file before encrypting Data key key can obtain file key random number rf after being decrypted;File can be obtained by file key random number rf Key.
Server receives and stores the data file that file key encryption is utilized from user terminal, which is characterized in that is taken Business device also receives and stores personal key, data key and public-key cryptographic keys true random number from user terminal, and the individual is close Key and the data key are encrypted by the file key true random number to be obtained;
The server includes: memory module, judgment module and key authorization module.
Memory module, for the hash value of storage file, encrypted data file, personal key and data key;
Judgment module judges for duplicate removal, before the data file of storage user, judgement in storing data file whether There are identical data file and notify key authorization module;If the determination result is YES, then notify key authorization module to user End send data key, if judging result be it is no, by the hash value received be sent to memory module preservation.
Specifically, the server also receives and stores relevant to the file key is generated from the user terminal Whether function ID, two of them function ID carry out the sign of duplicate removal as server;
When server judges duplicate removal according to the sign, the server is close to user terminal transmission data Key;
When server according to the sign judgement be not required to duplicate removal when, receive storage from the user terminal with generation The relevant function ID of the file key.
Key authorization module when result for judging in judgment module is is, sends data key to user terminal, is sentencing When the result that disconnected module judges is no, the information without same data file is sent to user terminal.
In the present embodiment, key authorization module is divided into sending submodule again and receives submodule.Sending submodule is used for Data key or information are sent, it is close for receiving the personal key of the user from user terminal, data to receive submodule Key and encrypted data file send it to memory module preservation.
User terminal downloads personal key, public-key cryptographic keys true random number and the data file using file key encryption, uses Family end decrypts the personal key using private key and obtains file key true random number and then generating file key, utilizes the file Key decryption obtains data file using the data file of file key encryption.
The present invention is further described in detail below with reference to the accompanying drawings and embodiments.It should be appreciated that described herein Specific embodiment is used only for explaining the present invention, is not intended to limit the present invention.
Embodiment 1
Fig. 6 is a kind of stream of the anti-quantum calculation cloud storage method based on unsymmetrical key pond provided in an embodiment of the present invention Cheng Tu, the specific steps are as follows:
Step 1.1: the hash value of data file and each algorithm ID are uploaded to server by user terminal: user terminal uploads number Before file, the hash value of data file is first calculated, and the hash value is uploaded to server.What is uploaded simultaneously is also each The ID (including file key seed pointer function frfp and file key function fkf, hereafter similarly) of a function.Server is Mitigate storage pressure, will carry out ciphertext duplicate removal to file, that is, identifies duplicate file.
Step 1.2: server identifies duplicate file: server integrates the hash value of file and each algorithm ID Consider to recognize if the ID of two parts of files hash value having the same and frfp and fkf are identical respectively to identify duplicate file To there is identical data file to need duplicate removal.If server judgement does not need duplicate removal, server saves this hash value received And each algorithm ID, and execute step 1.3.1.If desired duplicate removal, server execute step 1.4.1.
It will be understood by those skilled in the art that in some cases, same user may successively upload same data text Part, then server end was if it is determined that should when the user expects to have uploaded data file again with identical frfp, fkf Data file derives from same user, will not execute any operation.
Step 1.3: if server does not need duplicate removal:
Step 1.3.1: server notice user terminal generates random number: server saves the hash value and algorithm ID received Afterwards, the information with same data file is not present in server and is sent to user terminal.
Step 1.3.2: user terminal processing information simultaneously will need the content stored on the server to be sent to server: user End receives server there is no after the information of data file having the same, and user terminal is according to the matched real random number generator of institute It generates file key random number rf and further obtains file key kf, specific steps are as shown in figure 4, verbal description is as follows:
File key random number rf is generated according to matched quantum key card, rf combines specific file key seed pointer Function frfp obtains file key seed pointer rfp and extracts corresponding file key seed krf from pool of symmetric keys;So File key function fkf is combined to generate file key kf afterwards.
After obtaining file key kf, user terminal obtains ciphertext kff using file key data file encryption, and Encryption Algorithm can For symmetric encipherment algorithm;
User terminal obtains personal key using public key encryption file key random number rf.This patent plaintext public key is underground, Total public-key cryptographic keys random number is only disclosed.The process of public key krk is obtained as shown in figure 5, verbal description by public-key cryptographic keys random number rk It is as follows:
Specific public key pointer function frkp is combined to obtain public key pointer rkp using the public-key cryptographic keys random number rk of oneself, Then public key krk is taken out from the corresponding position in corresponding unsymmetrical key pond.
User terminal generates file characteristic value, and to obtain data close using file characteristic value encryption file key random number rf Key;The calculation method of file characteristic value is predefined algorithm, can be but not limited to Hash calculating, compressing file or other texts Part feature calculation algorithm;
Ciphertext, algorithm ID, personal key, public-key cryptographic keys random number and data key are sent to server by user terminal.
Step 1.3.3: server saves corresponding information: server is by the ciphertext received, algorithm ID, personal key, public key Key random number and data key are saved.
Step 1.4: if server needs duplicate removal:
Step 1.4.1: server sends data key to user terminal: the data key of this document is sent to use by server Family end.
Step 1.4.2: user terminal processing information simultaneously will need the content stored on the server to be sent to server: user After end receives data key, obtained according to Generating Data File file characteristic value, and using file characteristic value ciphertext data key File key random number rf.
User terminal obtains public key kf according to public-key cryptographic keys random number rk, and detailed process is as shown in Figure 5.Added using public key public key Close file key random number rf obtains personal key, and personal key is sent to server, and the also public key sent together is close Key random number rk.
Step 1.4.3: server saves corresponding information: server receives the personal key and public-key cryptographic keys random number is laggard Row saves.
Public key in unsymmetrical key pond can also in user terminal shared file issuing for digital signature.Such as with Family end A while generating the personal key of A, generates one using a file as when the file that can share to user terminal B together The personal key of a B extracts the public key KBP of B by the public-key cryptographic keys random number KRB of B, extraction process is as shown in figure 5, text Word description and consistent above.The personal key of B can be obtained using the public key encryption file key random number rf of B.In order to ensure with Family end B trusts the shared ciphertext of user terminal A, and user terminal A adds a digital signature after the ciphertext that oneself is uploaded.Digital signature Issue it is as follows with verification process: user terminal A to original text carry out hash functional operation obtain an eap-message digest, reuse Private key is digitally signed algorithm for encryption to it and obtains a digital signature.A random number R cryptographic digital signature is generated, and will Ciphering signature and using A private key encryption random number and ciphertext store together on the server.User terminal B verifies this signature When, the public key KAP of A is extracted by the public-key cryptographic keys random number KRA of A, user terminal B carries out encryption key using the public key of A Decryption obtains random number R, obtains digital signature using random number R decryption ciphering signature.Reuse the public key of A to digital signature into Row decryption, and compared with the result for carrying out hash functional operation to original text, as a result unanimously then trusting this document is to use What family end A was uploaded.
Embodiment 2
Fig. 7 is that file is read in a kind of anti-quantum calculation cloud storage based on unsymmetrical key pond provided in an embodiment of the present invention The flow chart of method is taken, detailed process is as follows:
Step 2.1: user terminal uploads data file hash value and each algorithm ID: user terminal is by the file of desired reading Hash value and each algorithm ID are uploaded to server.
Step 2.2: corresponding information is sent to user terminal by server: after server receives file hash value and algorithm ID, Information corresponding with the hash value and algorithm ID is found, ciphertext and personal key and public-key cryptographic keys random number rk are sent to use Family end.
Step 2.3: user terminal obtains file key: to obtain file key random using private key decryption personal key for user terminal Number rf simultaneously further obtains file key kf, and specific steps are as shown in Figure 4.
Step 2.4: user terminal obtains data file: user terminal decrypts the ciphertext obtained from server using file key, Data file is obtained, the reading to server file is completed.
Quantum key card is developed from smart card techniques, is combined with quantum physics technology and (it is random to be carried quantum In the case where number generator), cryptological technique, the authentication of hardware security isolation technology and encryption and decryption product.Quantum key The embedded chip and operating system of card can provide the functions such as secure storage and the cryptographic algorithm of key.Since it is with independent Data-handling capacity and good safety, quantum key card become the safety barrier of private key and pool of keys.Each quantum is close Key card has the protection of hardware PIN code, and PIN code and hardware constitute two necessary factors that user uses quantum key card.That is institute It calls " double factor authentication ", user only has while obtaining the quantum key card and user's PIN code that save relevant authentication information, just may be used With login system.Even if the PIN code of user is leaked, as long as the quantum key card that user holds is not stolen, legitimate user's Identity would not be counterfeit;If the quantum key card of user is lost, the person of picking up can not also imitate due to not knowing user's PIN code Emit the identity of legitimate user.
In cloud storage overall process of the present invention, server end can not all touch user terminal all kinds of keys (public key, private key, text Part key etc.) and plaintext data file.Moreover, the personal key stored on server is using different from data key The random number of method encryption, the random number combine specific key selection algorithm that a pointer can be obtained.The pointer is directed toward key The specific region of some in pond, in the case where not obtaining pool of keys, nothing having cracked personal key or data key Method obtains the file key of encryption file.This patent, which uses, only adds public key disclosed in quantum key card to file key It is close, and quantum key card storage of public keys is used, quantum key card is independent hardware isolated equipment, is grasped by Malware or malice A possibility that stealing key substantially reduces.Since quantum computer is unable to get client public key, it is then also unable to get correspondence Private key, therefore the program is not easy to be cracked by quantum computer.

Claims (10)

1. a kind of anti-quantum calculation cloud storage method based on unsymmetrical key pond, including user terminal will be encrypted using file key Data file be uploaded to server, which is characterized in that the user terminal be configured with quantum key card, the file key be benefit The file key true random number caused by quantum key card generate, and the user terminal by the file key true random number with Encrypted form is uploaded to the server;
The cipher mode of the file key true random number is to obtain personal key using public key encryption file key true random number And data key is obtained using file characteristic value encryption file key true random number;
Wherein, the public key is generated using public-key cryptographic keys true random number caused by quantum key card;The user terminal will be described Personal key, the data key and public-key cryptographic keys true random number upload the server.
2. the anti-quantum calculation cloud storage method according to claim 1 based on unsymmetrical key pond, which is characterized in that institute Stating user terminal has one or more, is stored with identical pool of keys in the quantum key card of each user terminal configuration, uploads data text The user terminal of part generates file key by the pool of keys of one's own side with data file encryption, and the user terminal of downloading data file utilizes The pool of keys of true random number combination one's own side from server generates file key accordingly to decrypt data file.
3. the anti-quantum calculation cloud storage method according to claim 2 based on unsymmetrical key pond, which is characterized in that institute The pool of keys for stating each user terminal includes:
Group's type pool of symmetric keys, for generating the file key;
Unsymmetrical key pond, in the unsymmetrical key pond in storage cluster all user terminals public key, the unsymmetrical key Pond extracts public key in conjunction with the public-key cryptographic keys true random number;And
Unsymmetrical key, the unsymmetrical key are user terminal private key.
4. the anti-quantum calculation cloud storage method according to claim 3 based on unsymmetrical key pond, which is characterized in that institute Stating file key generation method includes: that the file key true random number combination file key seed pointer function is obtained file Key seed pointer is mentioned in group's type pool of symmetric keys described in the quantum key card using this document key seed pointer Corresponding file key seed is taken, this document key seed combination file key function obtains the file key;The user The ID of the file key seed pointer function ID and file key function are also sent to the server by end.
5. the anti-quantum calculation cloud storage method according to claim 3 based on unsymmetrical key pond, which is characterized in that institute Stating public key generation method includes: that the public-key cryptographic keys true random number combination public key pointer function obtains public key pointer, utilizes the public affairs Key pointer extracts corresponding public key in the unsymmetrical key pond described in the quantum key card.
6. the anti-quantum calculation cloud storage method according to claim 4 based on unsymmetrical key pond, which is characterized in that institute State the mark whether file key seed pointer function ID and file key function ID carries out duplicate removal as the server.
7. the anti-quantum calculation cloud storage method according to claim 5 based on unsymmetrical key pond, which is characterized in that more When a user terminal shared data file, user terminal is shared and is shared user terminal disclosing the public-key cryptographic keys true random number, institute It states shared user terminal and passes through the personal key for disclosing and being shared user terminal described in the public-key cryptographic keys true random number generation, upload institute Personal key is stated to the server and then is realized to the file-sharing for being shared user terminal.
8. a kind of anti-quantum calculation cloud storage method based on unsymmetrical key pond, including server are received and stored from user The data file that end is encrypted using file key, which is characterized in that institute's server also receives and stores the individual from user terminal Key, data key and public-key cryptographic keys true random number, the personal key and the data key are true by the file key Random number encryption obtains;
The cipher mode of the file key true random number is to obtain personal key using public key encryption file key true random number, And data key is obtained using file characteristic value encryption file key true random number, wherein the public key utilizes quantum key card Generated public-key cryptographic keys true random number generates.
9. the anti-quantum calculation cloud storage method according to claim 8 based on unsymmetrical key pond, which is characterized in that institute It states server and also receives and stores the function ID relevant to the file key is generated from the user terminal, two of them letter Whether number ID carries out the sign of duplicate removal as server;
When server judges duplicate removal according to the sign, the server sends data key to the user terminal;
When server according to the sign judgement be not required to duplicate removal when, receive storage from the user terminal with described in generation The relevant function ID of file key.
10. a kind of anti-quantum calculation cloud storage system based on unsymmetrical key pond, including server and user terminal, feature exist In,
The data file encrypted using file key is uploaded to the server by the user terminal, and the user terminal is configured with amount Sub-key card, the file key is generated using file key true random number caused by the quantum key card, and described The file key true random number is also uploaded to the server by user terminal in an encrypted form;
The cipher mode of the file key true random number is to obtain personal key using public key encryption file key true random number And data key is obtained using file characteristic value encryption file key true random number, wherein the public key utilizes quantum key card Generated public-key cryptographic keys true random number generates, the user terminal uploads the personal key, the data key and public key Key true random number is to the server;
The server receives and stores personal key, public-key cryptographic keys true random number and data text from the user terminal Part;
User terminal downloads personal key, public-key cryptographic keys true random number and the data file using file key encryption, user terminal The personal key is decrypted using private key to obtain file key true random number and then generating file key, utilizes the file key Decryption obtains data file using the data file of file key encryption.
CN201811101455.7A 2018-09-20 2018-09-20 Anti-quantum computing cloud storage method and system based on asymmetric key pool Active CN109347923B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201811101455.7A CN109347923B (en) 2018-09-20 2018-09-20 Anti-quantum computing cloud storage method and system based on asymmetric key pool

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201811101455.7A CN109347923B (en) 2018-09-20 2018-09-20 Anti-quantum computing cloud storage method and system based on asymmetric key pool

Publications (2)

Publication Number Publication Date
CN109347923A true CN109347923A (en) 2019-02-15
CN109347923B CN109347923B (en) 2022-01-25

Family

ID=65305811

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201811101455.7A Active CN109347923B (en) 2018-09-20 2018-09-20 Anti-quantum computing cloud storage method and system based on asymmetric key pool

Country Status (1)

Country Link
CN (1) CN109347923B (en)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109889330A (en) * 2019-01-11 2019-06-14 如般量子科技有限公司 Anti- quantum calculation Proxy Signature method and system based on unsymmetrical key pond
CN109981255A (en) * 2019-04-02 2019-07-05 如般量子科技有限公司 The update method and system of pool of keys
CN110061895A (en) * 2019-04-02 2019-07-26 如般量子科技有限公司 Anti- quantum calculation application system short distance energy-saving communication method and system based on key card
CN110138565A (en) * 2019-04-22 2019-08-16 如般量子科技有限公司 Anti- quantum calculation wired home quantum communications method and system based on unsymmetrical key pond pair

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103152732A (en) * 2013-03-15 2013-06-12 汪德嘉 Cloud password system and operation method thereof
US20160028540A1 (en) * 2014-07-25 2016-01-28 Cheng-Han KO Multiple encrypting method and system for encrypting a file and/or a protocol
CN109151053A (en) * 2018-09-20 2019-01-04 如般量子科技有限公司 Anti- quantum calculation cloud storage method and system based on public asymmetric key pond

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103152732A (en) * 2013-03-15 2013-06-12 汪德嘉 Cloud password system and operation method thereof
US20160028540A1 (en) * 2014-07-25 2016-01-28 Cheng-Han KO Multiple encrypting method and system for encrypting a file and/or a protocol
CN109151053A (en) * 2018-09-20 2019-01-04 如般量子科技有限公司 Anti- quantum calculation cloud storage method and system based on public asymmetric key pond

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109889330A (en) * 2019-01-11 2019-06-14 如般量子科技有限公司 Anti- quantum calculation Proxy Signature method and system based on unsymmetrical key pond
CN109981255A (en) * 2019-04-02 2019-07-05 如般量子科技有限公司 The update method and system of pool of keys
CN110061895A (en) * 2019-04-02 2019-07-26 如般量子科技有限公司 Anti- quantum calculation application system short distance energy-saving communication method and system based on key card
CN110061895B (en) * 2019-04-02 2021-04-06 如般量子科技有限公司 Close-range energy-saving communication method and system for quantum computing resisting application system based on key fob
CN109981255B (en) * 2019-04-02 2022-06-14 如般量子科技有限公司 Method and system for updating key pool
CN110138565A (en) * 2019-04-22 2019-08-16 如般量子科技有限公司 Anti- quantum calculation wired home quantum communications method and system based on unsymmetrical key pond pair

Also Published As

Publication number Publication date
CN109347923B (en) 2022-01-25

Similar Documents

Publication Publication Date Title
CN109150519B (en) Anti-quantum computing cloud storage security control method and system based on public key pool
CN109151053B (en) Anti-quantum computing cloud storage method and system based on public asymmetric key pool
KR101999188B1 (en) Secure personal devices using elliptic curve cryptography for secret sharing
CN109104276A (en) A kind of cloud storage method of controlling security and system based on pool of keys
US20110145576A1 (en) Secure method of data transmission and encryption and decryption system allowing such transmission
Janbandhu et al. Novel biometric digital signatures for Internet‐based applications
US20060256961A1 (en) System and method for authentication seed distribution
JP2020522205A (en) Progressive key encryption algorithm
RU2584500C2 (en) Cryptographic authentication and identification method with real-time encryption
CN108985099A (en) It is a kind of that cloud storage method of controlling security and system are acted on behalf of based on public keys pond
US20150113283A1 (en) Protecting credentials against physical capture of a computing device
CN110868291B (en) Data encryption transmission method, device, system and storage medium
KR20000075650A (en) Administration and utilization of secret fresh random numbers in a networked environment
CN101815091A (en) Cipher providing equipment, cipher authentication system and cipher authentication method
CN109543434B (en) Block chain information encryption method, decryption method, storage method and device
CN106130716A (en) Cipher key exchange system based on authentication information and method
CN109347923A (en) Anti- quantum calculation cloud storage method and system based on unsymmetrical key pond
CN109921905B (en) Anti-quantum computation key negotiation method and system based on private key pool
CN109495251A (en) Anti- quantum calculation wired home cloud storage method and system based on key card
CN110460581A (en) Sharing files method, equipment, SE device, is shared end and medium at system
CN109299618B (en) Quantum-resistant computing cloud storage method and system based on quantum key card
CN109787747B (en) Anti-quantum-computation multi-encryption cloud storage method and system based on multiple asymmetric key pools
US10764260B2 (en) Distributed processing of a product on the basis of centrally encrypted stored data
CN109412788B (en) Anti-quantum computing agent cloud storage security control method and system based on public key pool
CN109302283B (en) Anti-quantum computing agent cloud storage method and system based on public asymmetric key pool

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant