CN109347923B - Anti-quantum computing cloud storage method and system based on asymmetric key pool - Google Patents

Anti-quantum computing cloud storage method and system based on asymmetric key pool Download PDF

Info

Publication number
CN109347923B
CN109347923B CN201811101455.7A CN201811101455A CN109347923B CN 109347923 B CN109347923 B CN 109347923B CN 201811101455 A CN201811101455 A CN 201811101455A CN 109347923 B CN109347923 B CN 109347923B
Authority
CN
China
Prior art keywords
key
file
user side
random number
server
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201811101455.7A
Other languages
Chinese (zh)
Other versions
CN109347923A (en
Inventor
富尧
钟一民
杨羽成
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Ruban Quantum Technology Co Ltd
Original Assignee
Ruban Quantum Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Ruban Quantum Technology Co Ltd filed Critical Ruban Quantum Technology Co Ltd
Priority to CN201811101455.7A priority Critical patent/CN109347923B/en
Publication of CN109347923A publication Critical patent/CN109347923A/en
Application granted granted Critical
Publication of CN109347923B publication Critical patent/CN109347923B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00Network arrangements or protocols for supporting network services or applications
    • H04L67/01Protocols
    • H04L67/10Protocols in which an application is distributed across nodes in the network
    • H04L67/1097Protocols in which an application is distributed across nodes in the network for distributed storage of data in networks, e.g. transport arrangements for network file system [NFS], storage area networks [SAN] or network attached storage [NAS]
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/04Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/045Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply hybrid encryption, i.e. combination of symmetric and asymmetric encryption
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0819Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • H04L9/0825Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) using asymmetric-key encryption or public key infrastructure [PKI], e.g. key signature or public key certificates
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0852Quantum cryptography
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/0869Generation of secret information including derivation or calculation of cryptographic keys or passwords involving random numbers or seeds
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/0877Generation of secret information including derivation or calculation of cryptographic keys or passwords using additional device, e.g. trusted platform module [TPM], smartcard, USB or hardware security module [HSM]

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • Electromagnetism (AREA)
  • Theoretical Computer Science (AREA)
  • Storage Device Security (AREA)

Abstract

The invention relates to an anti-quantum computing cloud storage method and system based on an asymmetric key pool.A user side uploads a server by using a data file encrypted by a file key, the user side is provided with a quantum key card for generating a file key true random number and generates the file key in a combined manner, and uploads the file key true random number to the server in a public key and file characteristic value encryption manner, wherein the public key is generated by using a public key true random number, and the user side uploads a personal key, a data key and a public key true random number to the server; the server receives and stores relevant parameters from the user side; and downloading each parameter by the user side, and acquiring the data file by using the private key. The quantum key card is used for storing the public key, the quantum key card is independent hardware isolation equipment, the possibility that the secret key is stolen by malicious operation is reduced, meanwhile, the server end cannot contact various secret keys and plaintext data files of the user end, and the safety of data storage on the cloud server is guaranteed.

Description

Anti-quantum computing cloud storage method and system based on asymmetric key pool
Technical Field
The invention relates to the field of cloud storage, in particular to a cloud storage security control method and system based on an asymmetric key pool.
Background
With the development of science and technology, cloud storage has become a trend more and more, various cloud storage technologies are endless, and in order to ensure the security of cloud storage data, various encryption methods are generally used to ensure the security of the data, for example, the security of the data can be ensured by asymmetric key encryption, where the asymmetric key encryption needs to use different keys to respectively complete encryption and decryption operations, one is publicly issued, i.e., a public key, and the other is secretly stored by a user, i.e., a private key. The information sender uses the public key to decrypt, and the information receiver uses the private key to decrypt; or the sender of the information is decrypted with the private key and the receiver of the information is decrypted with the public key.
Shared storage is adopted in the cloud storage, so that a service provider needs to control the private key, and the security of the private key is low. The invention patent document with the publication number of CN103236934A entitled "a method for cloud storage security control" discloses a method for solving the problem of low security of a private key. The invention uses two different encryption modes to encrypt and respectively store the private keys of the users.
As most people know, quantum computers have great potential in password cracking. The asymmetric (public key) encryption algorithms, such as the RSA encryption algorithm, which are mainstream today, are mostly based on two mathematical challenges, namely factorization of large integers or computation of discrete logarithms over a finite field. Their difficulty in breaking is also dependent on the efficiency with which these problems are solved. On a traditional computer, the two mathematical problems are required to be solved, and the time is taken to be exponential (namely, the cracking time increases in exponential order along with the increase of the length of the public key), which is not acceptable in practical application. The xiuer algorithm tailored for quantum computers can perform integer factorization or discrete logarithm calculation within polynomial time (i.e. the cracking time increases at the speed of k power along with the increase of the length of a public key, wherein k is a constant irrelevant to the length of the public key), thereby providing possibility for the cracking of RSA and discrete logarithm encryption algorithms.
At present, enterprises or business units have the requirement of data cloud, but public clouds are generally not easy to be trusted by the units, and the information security is considered to be possibly problematic, or keys are easy to be obtained and cracked by hackers, so that public cloud customers worry about the data cloud.
The problems existing in the prior art are as follows:
(1) there is a certain risk of storing keys on the cloud server. Public cloud customers have worries about cloud-up on data.
(2) The invention patent document with the publication number of CN103236934A and the name of 'a method for cloud storage security control' uses a user public key to encrypt a file key, and because a quantum computer can quickly obtain a corresponding private key through the public key, the scheme is easy to crack by the quantum computer.
Disclosure of Invention
In view of the foregoing, it is necessary to provide a quantum computing resistant cloud storage method and system based on an asymmetric key pool.
A quantum computing resistant cloud storage method based on an asymmetric key pool comprises the steps that a user side uploads a data file encrypted by a file key to a server, the user side is provided with a quantum key fob, the file key is generated by using a file key true random number generated by the quantum key fob, and the user side uploads the file key true random number to the server in an encrypted form; the file key true random number is encrypted in a manner that a public key is used for encrypting the file key true random number to obtain an individual key and a file characteristic value is used for encrypting the file key true random number to obtain a data key; the public key is generated by utilizing a public key and a secret key true random number generated by a quantum key card; and the user side uploads the personal key, the data key and the public key true random number to the server.
There are currently many storage cloud services, including many public clouds. In this embodiment, the server of the storage cloud is simply referred to as a server, and the storage cloud client used by the member is a user side. The user side is equipment for accessing the storage cloud, and can be a mobile terminal or a fixed terminal, the terminals are all provided with quantum key fobs, and the description of the quantum key fobs can be seen in a patent with an application number of '201610843210.6'. When the mobile terminal is used, the quantum key card is preferably a quantum key SD card; when the terminal is a fixed terminal, the quantum key card is preferably a quantum key USBKey or a host quantum key card.
The generation of the file key and the encryption of the data file are completed in the quantum key fob, the security of the execution environment of an encryption program of a user end is ensured, the file key is generated by the true random number of the file key in the quantum key fob, the true randomness of the file key is ensured, the security of the file key is greatly improved, meanwhile, the quantum key fob is an independent hardware isolation device, the possibility of stealing the key by malicious software or malicious operation is greatly reduced, the true random number of the file key is uploaded to a server in an encryption mode instead of file key storage, and the danger that the key is stolen when the key is stored on the server is solved.
Optionally, the number of the user sides is one or more, the same key pool is stored in the quantum key card configured for each user side, the user side uploading the data file generates a file key through the key pool of the own party to encrypt the data file, and the user side downloading the data file correspondingly generates the file key by combining the true random number from the server with the key pool of the own party to decrypt the data file.
The issuing party of the quantum key card is a main managing party of the quantum key card, and is generally a management department of a certain enterprise or a public institution; the issuing party of the quantum key fob is a member managed by the master administrator of the quantum key fob, generally, all levels of employees of a certain enterprise or business, who use the user side to access the cloud data. The user first applies for an account opening to the supervisor of the quantum key fob. When the user side performs registration and approval, the quantum key card (with the unique quantum key card ID) is obtained. The quantum key card stores the customer registration information and is also internally provided with an identity authentication protocol, at least comprising a key generation algorithm and an authentication function, or other algorithms related to identity authentication. The user side keys in the quantum key fobs are all downloaded from the same quantum network service station, and the key pools stored in each quantum key fobs issued by the owner of the same quantum key fobs are completely consistent. Preferably, the key pool size stored in the quantum key fob may be 1G, 2G, 4G, 8G, 16G, 32G, 64G, 128G, 256G, 512G, 1024G, 2048G, 4096G, and so forth. The capacity depends on the requirement of the supervisor on safety, and the larger the capacity is, the higher the safety is.
Optionally, the key pool of each user side includes:
the group type symmetric key pool is used for generating the file key;
the asymmetric key pool stores public keys of all the user sides in the group, and the public keys are extracted by combining the asymmetric key pool with the true random numbers of the public key; and
and the asymmetric key is a private key of the user side.
In the present invention, the key area of the quantum key fob is divided into a group-type symmetric key pool, an asymmetric key pool (public key), and an asymmetric key (private key) as shown in fig. 2. The public key area possesses the public keys of all users of the organization, and the private key area stores the private keys of the users.
Preferably, the file key generation method includes: combining the file key true random number with a file key seed pointer function to obtain a file key seed pointer, extracting a corresponding file key seed from the group type symmetric key pool in the quantum key card by using the file key seed pointer, and combining the file key seed with a file key function to obtain the file key; and the user side also sends the ID of the file key seed pointer function and the ID of the file key function to the server.
Preferably, the public key generation method includes that the public key true random number is combined with a public key pointer function to obtain a public key pointer, and the public key pointer is used for extracting a corresponding public key from the asymmetric key pool in the quantum key card.
Preferably, the file key seed pointer function ID and the file key function ID are used as an identifier of whether the server performs deduplication.
Preferably, when a plurality of user sides share a data file, both the sharing user side and the shared user side disclose the public key and secret key true random number, the sharing user side generates a personal key of the shared user side by disclosing the public key and secret key true random number, and uploads the personal key to the server so as to realize file sharing of the shared user side.
A quantum computation resistant cloud storage method based on an asymmetric key pool comprises the steps that a server receives and stores a data file encrypted by a file key from a user side, the server also receives and stores a personal key, a data key and a public key true random number from the user side, and the personal key and the data key are obtained by encrypting the file key true random number;
the file key true random number is encrypted by using a public key to encrypt the file key true random number to obtain an individual key, and the file key true random number is encrypted by using a file characteristic value to obtain a data key, wherein the public key is generated by using a public key true random number generated by a quantum key card.
Preferably, the server further receives and stores function IDs related to generating the file key from the user side, where two function IDs are used as an indication identifier for indicating whether the server performs deduplication;
when the server judges the duplicate removal according to the indication mark, the server sends a data key to the user side;
and when the server judges that the duplicate removal is not needed according to the indication identifier, receiving and storing the function ID which is from the user side and is related to the generation of the file key.
An anti-quantum-computing cloud storage system based on an asymmetric key pool comprises a server and a user side, wherein the user side uploads a data file encrypted by a file key to the server, the user side is configured with a quantum key fob, the file key is generated by using a file key true random number generated by the quantum key fob, and the user side uploads the file key true random number to the server in an encrypted form; the file key true random number is encrypted by using a public key to encrypt the file key true random number to obtain an individual key and a file feature value to encrypt the file key true random number to obtain a data key, wherein the public key is generated by using a public key true random number generated by a quantum key card, and the user side uploads the individual key, the data key and the public key true random number to the server; the server receives and stores the personal key, the public key and the true random number of the key and the data file from the user side; the user side downloads the personal key, the public key and the true random number and the data file encrypted by the file key, the user side decrypts the personal key by using the private key to obtain the true random number of the file key so as to generate the file key, and the data file encrypted by using the file key is decrypted by using the file key to obtain the data file.
According to the anti-quantum-computing cloud storage method and system based on the asymmetric key pool, a user side uploads a data file encrypted by a file key to a server, the user side is configured with a quantum key fob, the file key is generated by using a file key true random number generated by the quantum key fob, the user side also uploads the file key true random number to the server in an encrypted form, the encryption mode is that a public key is used for encrypting the file key true random number to obtain a personal key and a file characteristic value is used for encrypting the file key true random number to obtain a data key, the public key is generated by using a public key true random number generated by the quantum key fob, and the user side uploads the personal key, the data key and the public key true random number to the server; the server receives and stores the personal key, the public key and the true random number of the key and the data file from the user side; the user side downloads the personal key, the public key and the true random number and the data file encrypted by the file key, and the user side decrypts the personal key by using the private key to obtain the data file. The quantum key card is used for storing the public key, the quantum key card is an independent hardware isolation device, the possibility that the secret key is stolen by malicious software or malicious operation is greatly reduced, meanwhile, the server end cannot contact various secret keys (public keys, private keys, file secret keys and the like) and plaintext data files of the user end, and the safety of data storage on the cloud server is guaranteed.
Drawings
FIG. 1 is a schematic structural diagram of a storage system according to an embodiment of the present invention;
fig. 2 is a schematic diagram of a key region structure of a user side according to an embodiment of the present invention;
fig. 3 is a flowchart of a public key storage method according to an embodiment of the present invention;
FIG. 4 is a flowchart of file key generation according to an embodiment of the present invention;
fig. 5 is a flowchart of a public key reading method according to an embodiment of the present invention;
fig. 6 is a flowchart of a storage method according to embodiment 1 of the present invention;
fig. 7 is a flowchart of a reading method according to embodiment 2 of the present invention.
Detailed Description
In the following steps, a plurality of operations involved at each user end are all performed in the matched quantum key card.
Fig. 1 is a schematic structural diagram of a cloud storage system based on an asymmetric key pool according to an embodiment of the present invention, including a server and a user, where the user uploads a data file encrypted by using a file key to the server, the user is configured with a quantum key fob, the file key is generated by using a file key true random number generated by the quantum key fob, and the user further uploads the file key true random number to the server in an encrypted form;
the file key true random number is encrypted by using a public key to encrypt the file key true random number to obtain an individual key and by using a file characteristic value to encrypt the file key true random number to obtain a data key, wherein the public key is generated by using a public key true random number generated by a quantum key card, and the user side uploads the individual key, the data key and the public key true random number to the server.
The user side includes: the device comprises a Hash value calculation module, a key generation module and an encryption and decryption module.
And the Hash value calculating module is used for calculating the Hash value of the data file of the new user and uploading the Hash value to the server so that the server judging module can judge whether the data file with the same Hash value exists in the stored data file or not.
And the key generation module is used for generating a file key when the judgment result of the judgment module of the server is negative.
In this embodiment, there are one or more clients, the same key pool is stored in the quantum key card configured for each client, the client that uploads the data file generates a file key through the own key pool to encrypt the data file, and the client that downloads the data file correspondingly generates a file key by combining the true random number from the server with the own key pool to decrypt the data file.
The key generation module of each user side is provided with a group type symmetric key pool for generating a file key and an asymmetric key pool for storing a public key. The symmetric key pool is denoted KP and the asymmetric key pool is denoted KPP. Wherein the public key area possesses the public keys of all users of the organization. As shown in fig. 3, the public key is stored in a manner that a random number rk of the public key is randomly taken for a certain user, a public key pointer rkp is obtained by combining a specific public key pointer function frkp, and the public key krk of the user is stored from a corresponding position in a corresponding asymmetric key pool.
A file key generation method, as shown in fig. 4, first generating a file key random number rf using a true random number generator in a matched quantum key fob; then combining a specific file key seed pointer function frfp to obtain a file key seed pointer rfp and extracting corresponding file key seeds krf from the symmetric key pool; the file key kf is then generated in conjunction with the file key function fkf.
The file key seed pointer function frfp and the file key function fkf are customizable by the quantum key card host.
The file key seed pointer function frfp is a function obtained by performing some numerical transformation on a true random number, and then performing modulo operation, for example, frfp (r)% s,
where r is the input variable (here a true random number), d is the offset,% is the modulo operation, and s is the total size of the key pool. Of course, the file key seed pointer function frfp is not limited thereto as long as the file key seed pointer rfp can be obtained according to design requirements.
The file key function fkf is a function obtained by performing some numerical transformation on input data and then taking a modulus, for example, fkf (x) ((ax)% 2)len
Where x is the input variable,% is the modulus operation, and len is the user-specified key length (unit: bit). Of course, the file key function fkf is not limited to this as long as the file key kf can be generated, according to design requirements.
Since this patent highlights dots as being resistant to quantum computing attacks, all users' frfp and fkf are the same.
The encryption and decryption module is used for encrypting the data file by using the file key; encrypting the file key random number rf by using two different encryption modes to form a personal key and a data key; the method comprises the steps that a user private key is used as a decryption key to decrypt a personal key to obtain a file key random number rf; the characteristic value of the data file before encryption is used as a decryption key to decrypt the data key so as to obtain a file key random number rf; the file key is derived from the file key random number rf.
The server receives and stores a data file encrypted by a file key from a user side, and is characterized in that the server also receives and stores a personal key, a data key and a public key true random number from the user side, wherein the personal key and the data key are obtained by encrypting the file key true random number;
the server includes: the device comprises a storage module, a judgment module and a key authorization module.
The storage module is used for storing a Hash value of a file, an encrypted data file, a personal key and a data key;
the judging module is used for carrying out duplicate removal judgment, judging whether the same data files exist in the stored data files or not before the data files of the user are stored, and informing the key authorization module; if the judgment result is yes, the key authorization module is informed to send the data key to the user side, and if the judgment result is no, the received Hash value is sent to the storage module to be stored.
Specifically, the server further receives and stores function IDs from the user side, which are related to generating the file key, where the two function IDs are used as an indication identifier for indicating whether the server performs deduplication;
when the server judges the duplicate removal according to the indication mark, the server sends a data key to the user side;
and when the server judges that the duplicate removal is not needed according to the indication identifier, receiving and storing the function ID which is from the user side and is related to the generation of the file key.
And the key authorization module is used for sending the data key to the user side when the judgment result of the judgment module is yes, and sending the information without the same data file to the user side when the judgment result of the judgment module is no.
In this embodiment, the key authorization module is further divided into a sending submodule and an accepting submodule. The sending submodule is used for sending data keys or information, and the receiving submodule is used for receiving personal keys of the user from the user side, the data keys and the encrypted data files and sending the data files to the storage module for storage.
The user side downloads the personal key, the public key and the true random number and the data file encrypted by the file key, the user side decrypts the personal key by using the private key to obtain the true random number of the file key so as to generate the file key, and the data file encrypted by using the file key is decrypted by using the file key to obtain the data file.
The present invention will be described in further detail below with reference to the accompanying drawings and examples. It should be understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit the invention.
Example 1
Fig. 6 is a flowchart of a quantum computing resistant cloud storage method based on an asymmetric key pool according to an embodiment of the present invention, which includes the following specific steps:
step 1.1: the client uploads the Hash value and each algorithm ID of the data file to a server: before uploading the data file, the client calculates the Hash value of the data file and uploads the Hash value to the server. Also uploaded is the ID of each function (including the file key seed pointer function frfp and the file key function fkf, the same applies hereinafter). In order to relieve the storage pressure, the server performs ciphertext duplication removal on the file, namely, identifies the duplicate file.
Step 1.2: the server identifies the duplicate file: the server takes the Hash value of the file and each algorithm ID into comprehensive consideration to identify duplicate files, i.e. if two files have the same Hash value and the IDs of frfp and fkf are respectively the same, it is considered that the same data file needs to be deduplicated. If the server judges that duplicate removal is not needed, the server stores the received Hash value and each algorithm ID, and executes the step 1.3.1. If deduplication is required, the server performs step 1.4.1.
As will be understood by those skilled in the art, in some cases, the same user may upload the same data file one after another, and then when the user expects to upload the uploaded data file again at the same frfp and fkf, the server side does not perform any operation if it is determined that the data file originates from the same user.
Step 1.3: if the server does not need deduplication:
step 1.3.1: the server informs the user side to generate random numbers: and after storing the received Hash value and the algorithm ID, the server sends the information that the server does not have the same data file to the user side.
Step 1.3.2: the user end processes the information and sends the content to be stored on the server to the server: after the user side receives the information that the server does not have the same data file, the user side generates a file key random number rf according to the matched true random number generator and further obtains a file key kf, the specific steps are shown in fig. 4, and the text description is as follows:
generating a file key random number rf according to the matched quantum key card, combining the rf with a specific file key seed pointer function frfp to obtain a file key seed pointer rfp, and extracting corresponding file key seeds krf from the symmetric key pool; the file key kf is then generated in conjunction with the file key function fkf.
After the file key kf is obtained, the user side encrypts the data file by using the file key to obtain a ciphertext kff, wherein the encryption algorithm can be a symmetric encryption algorithm;
the user side uses the public key to encrypt the file key random number rf to obtain the personal key. The plaintext public key of the patent is not disclosed, and only the random number of the common public key secret key is disclosed. The process of obtaining the public key krk from the public key random number rk is shown in fig. 5 and described in text as follows:
the public key pointer rkp is obtained by using its own public key random number rk in combination with a specific public key pointer function frkp, and then the public key krk is fetched from the corresponding location in the corresponding asymmetric key pool.
A user side generates a file characteristic value, and encrypts a file key random number rf by using the file characteristic value to obtain a data key; the calculation method of the file characteristic value is a predefined algorithm, and can be but is not limited to Hash calculation, file compression or other file characteristic calculation algorithms;
and the user side sends the ciphertext, the algorithm ID, the personal key, the public key and the key random number and the data key to the server.
Step 1.3.3: the server stores corresponding information: and the server stores the received ciphertext, the algorithm ID, the personal key, the public key and the key random number and the data key.
Step 1.4: if the server needs to deduplicate:
step 1.4.1: the server sends a data key to the user side: and the server sends the data key of the file to the user side.
Step 1.4.2: the user end processes the information and sends the content to be stored on the server to the server: and after receiving the data key, the user side generates a file characteristic value according to the data file, and decrypts the data key by using the file characteristic value to obtain a file key random number rf.
The user side obtains the public key kf according to the public key random number rk, and the specific process is shown in fig. 5. And encrypting the file key random number rf by using the public key to obtain a personal key, and sending the personal key to the server, wherein the public key random number rk is also sent.
Step 1.4.3: the server stores corresponding information: the server receives the personal key and the random number of the public key and stores the personal key and the random number of the public key.
The public key in the asymmetric key pool can also be used for the issuance of digital signatures when the user ends share files. For example, when the user a uses a file as a file that can be shared to the user B, the user a generates a personal key of a and also generates a personal key of B, that is, the public key KBP of B is extracted by the random number KRB of the public key of B, and the extraction process is as shown in fig. 5, and the text description is the same as the above. The personal key of B is obtained by encrypting the file key random number rf with the public key of B. In order to ensure that the user side B trusts the ciphertext shared by the user side A, the user side A adds a digital signature after the ciphertext uploaded by the user side A. The process of issuance and verification of digital signatures is as follows: the user A performs single hash function operation on the original text to obtain a message digest, and then performs digital signature algorithm encryption on the message digest by using a private key to obtain a digital signature. A random number R is generated to encrypt the digital signature, and the encrypted signature and the random number encrypted by the private key of A are stored on the server together with the ciphertext. When the user side B verifies the signature, the public key KAP of the A is extracted through the public key secret key random number KRA of the A, the user side B decrypts the encryption secret key by using the public key of the A to obtain a random number R, and the encrypted signature is decrypted by using the random number R to obtain a digital signature. And decrypting the digital signature by using the public key of the A, comparing the decrypted digital signature with a result of performing single hash function operation on the original text, and trusting that the file is uploaded by the user side A if the result is consistent.
Example 2
Fig. 7 is a flowchart of a method for reading a file in quantum-computing-resistant cloud storage based on an asymmetric key pool according to an embodiment of the present invention, and the specific process is as follows:
step 2.1: uploading a data file Hash value and each algorithm ID by a user side: and the user side uploads the Hash value of the file to be read and each algorithm ID to the server.
Step 2.2: the server sends corresponding information to the user side: and after receiving the Hash value and the algorithm ID of the file, the server finds out the information corresponding to the Hash value and the algorithm ID and sends the ciphertext, the personal key and the public key random number rk to the user side.
Step 2.3: the user side obtains a file key: the user side decrypts the personal key by using the private key to obtain a file key random number rf and further obtain a file key kf, and the specific steps are shown in fig. 4.
Step 2.4: the user side obtains a data file: and the user side decrypts the ciphertext obtained from the server by using the file key to obtain a data file, and finishes reading the server file.
The quantum key card is an identity authentication, encryption and decryption product which combines quantum physics technology (in the case of carrying a quantum random number generator), cryptography technology and hardware security isolation technology. The embedded chip and operating system of the quantum key fob may provide secure storage of keys and cryptographic algorithms, among other functions. Due to its independent data processing capabilities and good security, quantum key fobs become a secure carrier for private keys and key pools. Each quantum key fob has hardware PIN code protection, the PIN code and hardware constituting two essential factors for a user to use the quantum key fob. So-called "two-factor authentication" is a method in which a user can log in a system only by simultaneously acquiring a quantum key card and a user PIN code that store relevant authentication information. Even if the PIN code of the user is leaked, the identity of the legal user cannot be counterfeited as long as the quantum key card held by the user is not stolen; if the user's quantum key card is lost, the finder cannot imitate the identity of the legitimate user because the finder does not know the user PIN code.
In the whole cloud storage process, the server side cannot contact various keys (public keys, private keys, file keys and the like) and plaintext data files of the user side. Furthermore, the individual key and the data key stored on the server are random numbers encrypted using different methods, which in combination with a specific key selection algorithm may result in a pointer. The pointer points to a specific area in the key pool, and under the condition that the key pool is not obtained, the file key of the encrypted file cannot be obtained even if the personal key or the data key is cracked. The patent uses a public key only disclosed to the quantum key fob to encrypt the file key and uses the quantum key fob to store the public key, the quantum key fob being an independent hardware isolation device, the possibility of stealing the key by malware or malicious operations is greatly reduced. Because the quantum computer can not obtain the public key of the user, and can not obtain the corresponding private key, the scheme is not easy to be cracked by the quantum computer.

Claims (9)

1. A quantum computing resistant cloud storage method based on an asymmetric key pool comprises the steps that a user side uploads a data file encrypted by a file key to a server, and the quantum key card is configured at the user side;
the system comprises a server, one or more user sides, a quantum key card and a quantum key pool, wherein the quantum key card configured for each user side stores the same key pool, the user side uploading data files generates a file key through the key pool of the own party to encrypt the data files, and the user side downloading the data files correspondingly generates a file key by combining true random numbers from the server with the key pool of the own party to decrypt the data files;
the file key true random number is encrypted in a manner that a public key is used for encrypting the file key true random number to obtain an individual key and a file characteristic value is used for encrypting the file key true random number to obtain a data key;
the public key is generated by utilizing a public key and a secret key true random number generated by a quantum key card; and the user side uploads the personal key, the data key and the public key true random number to the server.
2. The asymmetric-key-pool-based quantum-computation-resistant cloud storage method according to claim 1, wherein the key pool of each user side comprises:
the group type symmetric key pool is used for generating the file key;
the asymmetric key pool stores public keys of all the user sides in the group, and the public keys are extracted by combining the asymmetric key pool with the true random numbers of the public key; and
and the asymmetric key is a private key of the user side.
3. The asymmetric key pool based quantum computing resistant cloud storage method according to claim 2, wherein the file key generation method comprises: combining the file key true random number with a file key seed pointer function to obtain a file key seed pointer, extracting a corresponding file key seed from the group type symmetric key pool in the quantum key card by using the file key seed pointer, and combining the file key seed with a file key function to obtain the file key; and the user side also sends the ID of the file key seed pointer function and the ID of the file key function to the server.
4. The asymmetric key pool-based quantum computation resistant cloud storage method according to claim 2, wherein the public key generation method comprises the steps of obtaining a public key pointer by combining the true random number of the public key with a public key pointer function, and extracting a corresponding public key from the asymmetric key pool in the quantum key card by using the public key pointer.
5. The asymmetric key pool based quantum computation resistant cloud storage method of claim 3, wherein the file key seed pointer function ID and the file key function ID are used as an identification of whether the server performs deduplication.
6. The asymmetric-key-pool-based quantum-computation-resistant cloud storage method according to claim 4, wherein when a plurality of user sides share a data file, both the sharing user side and the shared user side disclose the public-key true random number, the sharing user side generates a personal key of the shared user side by disclosing the public-key true random number, and uploads the personal key to the server to further implement file sharing of the shared user side.
7. A quantum computation resistant cloud storage method based on an asymmetric key pool comprises the steps that a server receives and stores a data file encrypted by a file key from a user side, and is characterized in that the server also receives and stores a personal key, a data key and a public key true random number from the user side, wherein the personal key and the data key are obtained by encrypting the file key true random number;
the system comprises a server, one or more user sides, a quantum key card and a quantum key pool, wherein the quantum key card configured for each user side stores the same key pool, the user side uploading data files generates a file key through the key pool of the own party to encrypt the data files, and the user side downloading the data files correspondingly generates a file key by combining true random numbers from the server with the key pool of the own party to decrypt the data files;
the file key true random number is encrypted by using a public key to encrypt the file key true random number to obtain an individual key, and the file key true random number is encrypted by using a file characteristic value to obtain a data key, wherein the public key is generated by using a public key true random number generated by a quantum key card.
8. The asymmetric key pool based quantum computation resistant cloud storage method according to claim 7, wherein the server further receives and stores function IDs from the user side in association with generation of the file key, wherein two function IDs are used as an indication of whether the server performs deduplication;
when the server judges the duplicate removal according to the indication mark, the server sends a data key to the user side;
and when the server judges that the duplicate removal is not needed according to the indication identifier, receiving and storing the function ID which is from the user side and is related to the generation of the file key.
9. An anti-quantum computing cloud storage system based on an asymmetric key pool comprises a server and a user side, and is characterized in that,
the user side uploads a data file encrypted by a file key to the server, the user side is configured with a quantum key fob, the file key is generated by using a file key true random number generated by the quantum key fob, and the user side uploads the file key true random number to the server in an encrypted form;
the system comprises a server, one or more user sides, a quantum key card and a quantum key pool, wherein the quantum key card configured for each user side stores the same key pool, the user side uploading data files generates a file key through the key pool of the own party to encrypt the data files, and the user side downloading the data files correspondingly generates a file key by combining true random numbers from the server with the key pool of the own party to decrypt the data files;
the file key true random number is encrypted by using a public key to encrypt the file key true random number to obtain an individual key and a file feature value to encrypt the file key true random number to obtain a data key, wherein the public key is generated by using a public key true random number generated by a quantum key card, and the user side uploads the individual key, the data key and the public key true random number to the server;
the server receives and stores the personal key, the public key and the true random number of the key and the data file from the user side;
the user side downloads the personal key, the public key and the true random number and the data file encrypted by the file key, the user side decrypts the personal key by using the private key to obtain the true random number of the file key so as to generate the file key, and the data file encrypted by using the file key is decrypted by using the file key to obtain the data file.
CN201811101455.7A 2018-09-20 2018-09-20 Anti-quantum computing cloud storage method and system based on asymmetric key pool Active CN109347923B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201811101455.7A CN109347923B (en) 2018-09-20 2018-09-20 Anti-quantum computing cloud storage method and system based on asymmetric key pool

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201811101455.7A CN109347923B (en) 2018-09-20 2018-09-20 Anti-quantum computing cloud storage method and system based on asymmetric key pool

Publications (2)

Publication Number Publication Date
CN109347923A CN109347923A (en) 2019-02-15
CN109347923B true CN109347923B (en) 2022-01-25

Family

ID=65305811

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201811101455.7A Active CN109347923B (en) 2018-09-20 2018-09-20 Anti-quantum computing cloud storage method and system based on asymmetric key pool

Country Status (1)

Country Link
CN (1) CN109347923B (en)

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109889330B (en) * 2019-01-11 2023-08-04 如般量子科技有限公司 Anti-quantum computing blind signature method and system based on asymmetric key pool
CN110061895B (en) * 2019-04-02 2021-04-06 如般量子科技有限公司 Close-range energy-saving communication method and system for quantum computing resisting application system based on key fob
CN109981255B (en) * 2019-04-02 2022-06-14 如般量子科技有限公司 Method and system for updating key pool
CN110138565A (en) * 2019-04-22 2019-08-16 如般量子科技有限公司 Anti- quantum calculation wired home quantum communications method and system based on unsymmetrical key pond pair

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103152732A (en) * 2013-03-15 2013-06-12 汪德嘉 Cloud password system and operation method thereof
CN109151053A (en) * 2018-09-20 2019-01-04 如般量子科技有限公司 Anti- quantum calculation cloud storage method and system based on public asymmetric key pond

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9948459B2 (en) * 2014-07-25 2018-04-17 Cheng-Han KO Multiple encrypting method and system for encrypting a file and/or a protocol

Patent Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103152732A (en) * 2013-03-15 2013-06-12 汪德嘉 Cloud password system and operation method thereof
CN109151053A (en) * 2018-09-20 2019-01-04 如般量子科技有限公司 Anti- quantum calculation cloud storage method and system based on public asymmetric key pond

Also Published As

Publication number Publication date
CN109347923A (en) 2019-02-15

Similar Documents

Publication Publication Date Title
CN109151053B (en) Anti-quantum computing cloud storage method and system based on public asymmetric key pool
CN109150519B (en) Anti-quantum computing cloud storage security control method and system based on public key pool
CN109104276B (en) Cloud storage security control method and system based on key pool
US10785019B2 (en) Data transmission method and apparatus
CN108985099B (en) Proxy cloud storage security control method and system based on public key pool
CN108989033B (en) Cloud storage security control method and system based on public key pool
US8462955B2 (en) Key protectors based on online keys
CN109347923B (en) Anti-quantum computing cloud storage method and system based on asymmetric key pool
CN110519046B (en) Quantum communication service station key negotiation method and system based on one-time asymmetric key pair and QKD
US20110145576A1 (en) Secure method of data transmission and encryption and decryption system allowing such transmission
CN109981255B (en) Method and system for updating key pool
CN101515319B (en) Cipher key processing method, cipher key cryptography service system and cipher key consultation method
CN109495251B (en) Anti-quantum-computation intelligent home cloud storage method and system based on key fob
CN109951513B (en) Quantum-resistant computing smart home quantum cloud storage method and system based on quantum key card
CN110868291B (en) Data encryption transmission method, device, system and storage medium
CN107920052B (en) Encryption method and intelligent device
US11757625B2 (en) Multi-factor-protected private key distribution
CN110138548B (en) Quantum communication service station key negotiation method and system based on asymmetric key pool pair and DH protocol
CN110380859B (en) Quantum communication service station identity authentication method and system based on asymmetric key pool pair and DH protocol
CN109299618B (en) Quantum-resistant computing cloud storage method and system based on quantum key card
CN109787747B (en) Anti-quantum-computation multi-encryption cloud storage method and system based on multiple asymmetric key pools
CN110365472B (en) Quantum communication service station digital signature method and system based on asymmetric key pool pair
CN113259317B (en) Cloud storage data deduplication method based on identity agent unencrypted
CN109302283B (en) Anti-quantum computing agent cloud storage method and system based on public asymmetric key pool
CN109412788B (en) Anti-quantum computing agent cloud storage security control method and system based on public key pool

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant