CN110650152B - A cloud data integrity verification method supporting dynamic key update - Google Patents

A cloud data integrity verification method supporting dynamic key update Download PDF

Info

Publication number
CN110650152B
CN110650152B CN201910970921.3A CN201910970921A CN110650152B CN 110650152 B CN110650152 B CN 110650152B CN 201910970921 A CN201910970921 A CN 201910970921A CN 110650152 B CN110650152 B CN 110650152B
Authority
CN
China
Prior art keywords
cloud
data
key
trusted
client
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201910970921.3A
Other languages
Chinese (zh)
Other versions
CN110650152A (en
Inventor
李莉
韦鹏程
王博
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Chongqing University of Education
Original Assignee
Chongqing University of Education
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Chongqing University of Education filed Critical Chongqing University of Education
Priority to CN201910970921.3A priority Critical patent/CN110650152B/en
Publication of CN110650152A publication Critical patent/CN110650152A/en
Application granted granted Critical
Publication of CN110650152B publication Critical patent/CN110650152B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/04Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/045Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply hybrid encryption, i.e. combination of symmetric and asymmetric encryption
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/06Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/12Applying verification of the received information
    • H04L63/123Applying verification of the received information received data contents, e.g. message integrity
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/0869Generation of secret information including derivation or calculation of cryptographic keys or passwords involving random numbers or seeds
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0891Revocation or update of secret information, e.g. encryption key update or rekeying

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Storage Device Security (AREA)

Abstract

The invention belongs to the technical field of cloud storage data processing, and discloses a cloud data integrity verification method supporting dynamic key updating; a quintuple is used for representing a cloud storage algorithm to realize cloud storage and verification; encrypting by using an RSA encryption algorithm and a user public key PK; the data owner requests a new key from the trusted third party, which returns the new key and is encrypted with the data owner's public key PK. The invention uses a secret key wrapping technology to process, the data uploaded to the cloud end is encrypted by a symmetric encryption algorithm, and an encrypted secret key is encrypted by a public key cryptosystem. In order to improve the safety of the scheme; a trusted third party is introduced to support dynamic updating of keys. According to the invention, a safe cloud storage scheme is adopted, so that a user can store data to the cloud server in a blocking manner and carry out integrity check on the data at regular time. And when the data is uploaded to the cloud, double encryption is carried out to protect the data security, and the secret key is dynamically updated when an event is triggered.

Description

Cloud data integrity verification method supporting dynamic key updating
Technical Field
The invention belongs to the technical field of cloud storage data processing, and particularly relates to a cloud data integrity verification method supporting dynamic key updating.
Background
Currently, the closest prior art: cloud storage is a new and developing storage technology based on cloud computing. With the advent of the big data era, how to safely store mass data is a headache problem for enterprises or individuals. If the user can safely store mass data in the cloud server of the enterprise or the leased cloud server, and can extract the data at any time when needed, the huge software and hardware cost and expenditure of the storage can be greatly reduced. Therefore, once cloud storage is proposed, the cloud storage is concerned by all communities, and all manufacturers also successively produce their own cloud storage products, such as amazon's simple cloud storage service, Rackspace's cloud files, and the like, and then the hardware of which the products mainly concern is the hot spot of research of today's scholars how to design safe storage data and provide integrity check by using the hardware.
In order to solve the above problems, a large number of papers for integrity detection of cloud data are emerging. In data integrity verification schemes, data ownership (PDP) is a critical technology among others. In 2007, Atenise et al put forward the concept of PDP for the first time, and then Swminathana et al improved the scheme, and introduced the homomorphic-based Hash function to improve efficiency, but the scheme does not address the dynamic update problem. Chen proposes a scheme for designing secure cloud storage according to network coding, any network coding is given, a corresponding cloud storage scheme can be systematically constructed, but the problems of data privacy and the like are not considered, Yang and Wang respectively propose a data auditing scheme for checking data integrity, but a complex cryptography tool is adopted in the scheme, and the overall efficiency needs to be improved.
In summary, the problems of the prior art are as follows:
(1) the existing scheme mainly focuses on the data integrity inspection problem and does not relate to data confidentiality and privacy protection.
(2) The existing scheme does not relate to the problems of key management and dynamic updating.
(3) The efficiency of outsourcing in the existing scheme needs to be improved, and the processing time is long.
The difficulty of solving the technical problems is as follows:
(1) the scheme needs to be added with a privacy protection function, data confidentiality is increased, and it is ensured that only authorized users can correctly access data.
(2) The key generation, distribution and storage under the trusted environment need to be solved.
(3) The data outsourcing algorithm needs to be redesigned, and a lighter-weight cryptographic algorithm is adopted, so that the scheme is more efficient.
The significance of solving the technical problems is as follows:
(1) the confidentiality of the data and the privacy of the data are effectively protected, and the credit on the cloud service is further improved.
(2) The cipher text can be updated regularly by dynamically updating the cipher key, so that the security is improved, and the risk of breaking the plaintext by intrusion is reduced.
(3) The efficiency of the scheme is improved, so that the scheme has more practical significance.
Disclosure of Invention
Aiming at the problems in the prior art, the invention provides a cloud data integrity verification method supporting dynamic key updating.
The invention is realized in such a way that a cloud data integrity verification method supporting dynamic key updating comprises the following steps:
the method comprises the following steps that firstly, a quintuple is used for representing a cloud storage algorithm to realize cloud storage and verification;
secondly, encrypting by using an RSA encryption algorithm and a user public key PK;
and thirdly, the data owner requests a new secret key from the trusted third party, and the trusted third party returns the new secret key and encrypts the secret key by using the public key PK of the data owner.
Further, the quintuple of the first step specifically includes:
(1) KeyGen: inputting a security parameter lambda, and generating a private key SK and a public key PK used in a cloud storage and verification algorithm by a user side, wherein the specific process is as follows: generating prime number c, generating large random prime numbers a and b, and generating other random prime numbers e, p by taking note that a-1 and b-1 need to be relatively prime with c1,p2…pnLet d be a · b, and public key PK be (e, p)1,p2…pnC, d), the private key SK ═ (a, b);
(2) outsource: the data is divided into blocks, each block has a size of n, and m blocks are provided, wherein each block is expressed as: w is ai=1,2,...m=[yi1,yi2…yin]Each element belonging to a finite field
Figure BDA0002232044290000031
Generating random numbers
Figure BDA0002232044290000032
Find a random number for each block
Figure BDA0002232044290000033
So that the following equation holds:
Figure BDA0002232044290000034
let ti(s, v, y) is referred to as wiThe data block is sent to the cloud end C together with the authentication informationt={wi,ti}i=1,2...m
(3) And (2) Audit: the user terminal generates l random numbers, and ij=1,2...l,0≤ijLess than or equal to m, mixingj=1,2...lSending the cloud as a query Q;
(4) and (iv) pro: the cloud generates gamma as a corresponding proof of the query Q, and extracts information in the query block
Figure BDA0002232044290000035
Computing federation information w*And joint authentication information t*
Figure BDA0002232044290000036
Figure BDA0002232044290000037
Figure BDA0002232044290000038
Figure BDA0002232044290000039
And (3) calculating:
Figure BDA00022320442900000310
then the information w is combined*The joint authentication information of t*=(s*,v*,y*) Cloud will prove Γ ═ (w)*,t*) Returning to the user side;
(6) verify: the user end verifies whether the following formula holds:
Figure BDA0002232044290000041
the output δ is true if equal, otherwise it is false.
Further, the encrypting using RSA encryption algorithm and user public key PK in the second step specifically includes:
(1) ASK _ newkey (do): the user side sends a request for returning the encryption key to the trusted third party;
(2)DOPK(K) the method comprises the following steps The trusted third party returns an encryption key K, encrypts the K by using an RSA encryption algorithm and encrypts the K by using a user side public key PK;
(3)K=DOSK(DOPK(K)),C=EK(P): the user side decrypts K by using the private key SK and encrypts original data P by using K;
(4) outsource (C): the user side uploads data to the cloud side by adopting the algorithm introduced in the previous section;
(5) ASK _ c (do): the user side requests the encrypted data C from the cloud side;
(6) return (C): the cloud returns encrypted data C;
(7)P=DK(C) the method comprises the following steps The user side uses the decryption key K to decrypt and obtain P.
Further, the data owner in the third step requests a new key from the trusted third party, the trusted third party returns the new key, and the encrypting with the public key PK of the data owner specifically includes:
(1) ASK _ KEY & c (du): a user side sends a request for acquiring data to a data owner;
(2) ASK _ key (du): the data owner transmits a request for obtaining the secret key K to a trusted third party;
(3)DUPK(K) the method comprises the following steps The trusted third party returns K and encrypts the K by using a public key PK of the user side;
(4) ASK _ c (du): the data owner transmits a request for obtaining the ciphertext C to the cloud end;
(5) return (C): the cloud returns a ciphertext cloud;
(6)K=DUSK(DUPK(K)),P=DK(C): the user side decrypts K by using the private key and decrypts C by using K to obtain a plaintext P;
(7) response (DU): after the user side obtains the plaintext, sending feedback information to the data owner to replace the key;
(8) ASK _ newkey (do): the data owner requests a new key from a trusted third party;
(9)DOPK(K'): the trusted third party returns a new secret key K 'and encrypts the secret key K' by using a public key PK of the data owner;
(10)K'=DOSK(DOPK(K')),C'=EK'(P): the data owner decrypts K ' by using SK and encrypts original data P by using K ' to obtain a ciphertext C ';
(11) outsource (C'): and the data owner uploads the ciphertext C' to the cloud.
The invention also aims to provide a cloud storage data processing system applying the cloud data integrity verification method supporting dynamic key updating.
Another objective of the present invention is to provide a cloud server applying the cloud data integrity verification method supporting dynamic key update.
In summary, the advantages and positive effects of the invention are: the present document proposes a cloud data integrity detection scheme based on PDP. While paying attention to data integrity verification, the privacy of data is also not negligible, and for the privacy of data, the cloud security alliance points out: if the data in the cloud is not encrypted, the data can be considered as lost. It can be seen that it is essential to encrypt the cloud data. The invention uses a double encryption technology to protect the privacy of the data, and the data is encrypted before being uploaded to the cloud.
In view of the efficiency requirements, the present invention uses key wrapping techniques for processing, namely: and encrypting the data uploaded to the cloud by using a symmetric encryption algorithm, wherein an encrypted key is encrypted by using a public key cryptosystem. In order to further improve the safety of the scheme; a trusted third party is introduced to support dynamic updating of keys.
According to the invention, a safe cloud storage scheme is adopted, so that a user can store data to the cloud server in a blocking manner and carry out integrity check on the data at regular time. And when the data is uploaded to the cloud, double encryption is carried out to protect the data security, and the secret key is dynamically updated when an event is triggered.
Drawings
Fig. 1 is a flowchart of a cloud data integrity verification method supporting dynamic key update according to an embodiment of the present invention.
Fig. 2 is a schematic diagram of a double encryption/decryption framework according to an embodiment of the present invention.
Fig. 3 is a diagram of a double encryption and decryption process provided by an embodiment of the present invention.
Fig. 4 is a diagram of a dynamic key update framework according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the present invention is further described in detail with reference to the following embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit the invention.
The following detailed description of the principles of the invention is provided in connection with the accompanying drawings.
As shown in fig. 1, the cloud data integrity verification method supporting dynamic key update according to the embodiment of the present invention includes the following steps:
s101: a quintuple is used for representing a cloud storage algorithm to realize cloud storage and verification;
s102: encrypting by using an RSA encryption algorithm and a user public key PK;
s103: the data owner requests a new key from the trusted third party, which returns the new key and is encrypted with the data owner's public key PK.
The application of the principles of the present invention will now be described in further detail with reference to the accompanying drawings.
1 preliminary knowledge
1.1 secure cloud storage framework
There are generally three entities in a secure cloud storage framework: namely: the user, the cloud service provider and the trusted third party. Wherein the user is responsible for encrypting data, uploading data, auditing data integrity, and retrieving data; the cloud service provider is responsible for storing data, receiving audit and returning integrity certification; the trusted third party is responsible for the management of the dynamic keys. In designing a cloud storage framework, the following design goals need to be considered:
(1) and (4) correctness. If the user uploads data to the dishonest cloud, which tampering or deleting the data without permission, then the probability that it passes integrity detection is negligible. Conversely, if the user and honest cloud strictly execute the scheme, the scheme can correctly verify the integrity of the data.
(2) High efficiency. The scheme is to reduce the calculation overhead, the storage overhead and the communication overhead as much as possible while primarily satisfying the correctness.
(3) And (4) dynamic property. The scheme has strong adaptability and can support dynamic update of data.
1.2 Dual encryption/decryption framework
As is well known, the encryption algorithms in the field of information security are divided into two categories: the symmetric encryption system has high safety, short key length and high encryption speed, but other information except secret keys in the encryption algorithm is even public, and the encryption and decryption keys are required to be consistent in the symmetric encryption algorithm, so that how to distribute and store the keys is a big problem. The asymmetric cryptosystem can effectively make up for the deficiency, in the cryptosystem, an encryption key and a decryption key have no direct relation, but the asymmetric cryptosystem is slow in encryption speed and needs a longer key length, and the asymmetric cryptosystem is not a particularly efficient choice for encrypting data. In order to achieve both efficiency and security, the use of double encryption based on key wrapping is a good choice. The user side encrypts data P to be uploaded to the cloud side by adopting a classical symmetric cryptographic algorithm AES encryption algorithm, the used secret key is K, then a trusted third party wraps the K by using a public key pk in an asymmetric cryptographic algorithm RSA encryption algorithm and transmits the K to the user side, the user side decrypts the K by using a private key sk in the RSA encryption algorithm, and finally, the original data P is decrypted by using the secret key K. The double encryption and decryption framework is shown in fig. 2:
2 scheme of the invention
2.1 cloud storage and authentication
The invention uses a quintuple to represent Cloud Storage Algorithm (CSA), namely: CSA (KeyGen, output, audio, pro, Verify) introduces the meaning of each element in the tuple one by one.
(1) KeyGen: inputting a security parameter lambda, and generating a private key SK and a public key PK used in a cloud storage and verification algorithm by a user side, wherein the specific process is as follows: generating prime number c, generating large random prime numbers a and b, and generating other random prime numbers e, p by taking note that a-1 and b-1 need to be relatively prime with c1,p2…pnLet d be a · b, and public key PK be (e, p)1,p2…pnC, d), the private key SK ═ (a, b).
(2) Outsource: the data is divided into blocks, each block has a size of n, and m blocks are provided, wherein each block is expressed as: w is ai=1,2,...m=[yi1,yi2…yin]Each element belonging to a finite field
Figure BDA0002232044290000071
Generating random numbers
Figure BDA0002232044290000072
Find a random number for each block
Figure BDA0002232044290000081
So that the following equation holds:
Figure BDA0002232044290000082
let ti(s, v, y) is referred to as wiThe data block is sent to the cloud end C together with the authentication informationt={wi,ti}i=1,2...m
(3) And (2) Audit: the user terminal generates l random numbers, and ij=1,2...l,0≤ijLess than or equal to m, mixingj=1,2...lAnd sending the cloud as a query Q.
(4) And (iv) pro: and the cloud end generates gamma as a corresponding proof of the query Q. Cloud extraction of information in query blocks
Figure BDA0002232044290000083
Computing federation information w*And joint authentication information t*As follows:
Figure BDA0002232044290000084
Figure BDA0002232044290000085
Figure BDA0002232044290000086
Figure BDA0002232044290000087
from (1) to (5), the following equation can be calculated:
Figure BDA0002232044290000088
then the information w is combined*The joint authentication information of t*=(s*,v*,y*) Cloud will prove Γ ═ (w)*,t*) And returning the data to the user terminal.
(6) Verify: the user end verifies whether the following formula holds:
Figure BDA0002232044290000089
the output δ is true if equal, otherwise it is false.
2.2 double encryption and decryption
The specific steps of double encryption and decryption are shown in fig. 3:
(1) ASK _ newkey (do): the user side sends a request for returning the encryption key to the trusted third party.
(2)DOPK(K) The method comprises the following steps And the trusted third party returns the encryption key K, encrypts the encryption key K by using an RSA encryption algorithm and encrypts the encryption key K by using the user public key PK.
(3)K=DOSK(DOPK(K)),C=EK(P): the user side decrypts K using the private key SK and encrypts the original data P using K.
(4) Outsource (C): and the user side uploads the data to the cloud side by adopting the algorithm introduced in the previous section.
(5) ASK _ c (do): and the user side requests the cloud side for the encrypted data C.
(6) Return (C): the cloud returns encrypted data C.
(7)P=DK(C) The method comprises the following steps The user side uses the decryption key K to decrypt and obtain P.
2.3 dynamic updating of the key, as shown in FIG. 4;
(1) ASK _ KEY & c (du): the client sends a request for obtaining data to the data owner.
(2) ASK _ key (du): the data owner forwards a request to obtain the key K to a trusted third party.
(3)DUPK(K) The method comprises the following steps The trusted third party returns K and encrypts it using the public key PK of the user side.
(4) ASK _ c (du): and the data owner transmits a request for obtaining the ciphertext C to the cloud.
(5) Return (C): the cloud returns the ciphertext cloud.
(6)K=DUSK(DUPK(K)),P=DK(C) The method comprises the following steps The user side decrypts K by using the private key and decrypts C by using K to obtain a plaintext P.
(7) Response (DU): and after the user side obtains the plaintext, sending feedback information to the data owner to replace the key.
(8) ASK _ newkey (do): the data owner requests a new key from a trusted third party.
(9)DOPK(K'): the trusted third party returns a new key K',and encrypted with the public key PK of the data owner.
(10)K'=DOSK(DOPK(K')),C'=EK'(P): the data owner decrypts K ' using SK and encrypts the original data P using K ' to obtain the ciphertext C '.
(11) Outsource (C'): and the data owner uploads the ciphertext C' to the cloud.
Table 1 comparison of the performance of the present invention with the advanced scheme (crypt stands for cryptographic operation)
Figure BDA0002232044290000101
The above description is only for the purpose of illustrating the preferred embodiments of the present invention and is not to be construed as limiting the invention, and any modifications, equivalents and improvements made within the spirit and principle of the present invention are intended to be included within the scope of the present invention.

Claims (3)

1.一种支持动态密钥更新的云端数据完整性验证方法,其特征在于,所述支持动态密钥更新的云端数据完整性验证方法包括:1. A cloud data integrity verification method supporting dynamic key update, wherein the cloud data integrity verification method supporting dynamic key update comprises: 第一步,用一个五元组表示云存储算法,实现云存储及验证;The first step is to use a five-tuple to represent the cloud storage algorithm to realize cloud storage and verification; 第二步,使用RSA加密算法和用户端公钥PK加密;The second step is to use RSA encryption algorithm and client public key PK encryption; 第三步,数据拥有者向可信第三方请求新的密钥,可信第三方返回新的密钥,并用数据拥有者的公钥PK加密;In the third step, the data owner requests a new key from the trusted third party, and the trusted third party returns the new key and encrypts it with the public key PK of the data owner; 所述第一步的五元组具体包括:The quintuple of the first step specifically includes: (1)KeyGen:输入安全参数λ,用户端生成云存储及验证算法中所使用的私钥SK和公钥PK,具体过程如下:生成素数c,生成大随机素数a和b,注意a-1和b-1需要和c互质,生成其他随机素数e,p1,p2…pn,设d=a·b,公钥PK=(e,p1,p2...pn,c,d),私钥SK=(a,b);(1)KeyGen: Enter the security parameter λ, and the client generates the private key SK and public key PK used in the cloud storage and verification algorithm. The specific process is as follows: generate a prime number c, generate large random prime numbers a and b, pay attention to a-1 And b-1 needs to be relatively prime to c, to generate other random prime numbers e,p 1 ,p 2 ... p n , set d=a·b, public key PK=(e,p 1 ,p 2 ...p n , c, d), private key SK=(a, b); (2)Outsource:将数据分块,每一个块的大小为n,共有m个块,每个块表示为:wi=1,2,...m=[yi1,yi2...yin],每个元素属于有限域
Figure FDA0002787073430000011
生成随机数
Figure FDA0002787073430000012
为每一块找到一个随机数
Figure FDA0002787073430000013
使得下面的式子成立:(2) Outsource: divide the data into blocks, the size of each block is n, there are m blocks in total, and each block is represented as: w i=1,2,...m =[y i1 ,y i2 ... y in ], each element belongs to a finite field
Figure FDA0002787073430000011
generate random numbers
Figure FDA0002787073430000012
Find a random number for each block
Figure FDA0002787073430000013
Make the following formula hold:
Figure FDA0002787073430000014
Figure FDA0002787073430000014
 令ti=(s,v,y),称为wi的认证信息,将数据块连同认证信息一起发送到云端Ct={wi,ti}i=1,2...mLet t i =(s,v,y), called the authentication information of wi , send the data block together with the authentication information to the cloud C t ={ wi ,t i } i=1,2...m ; (3)Audit:用户端生成l个随机数,并且ij=1,2...l,0≤ij≤m,将ij=1,2...l作为查询Q发送云端;(3) Audit: The client generates l random numbers, and i j=1, 2...l , 0≤i j ≤m, and sends i j=1, 2...l as the query Q to the cloud; (4)Prove:云端生成Γ作为查询Q相应的证明,云端提取查询块中的信息
Figure FDA0002787073430000015
计算联合信息w*和联合认证信息t*(4) Prove: The cloud generates Γ as the corresponding proof of the query Q, and the cloud extracts the information in the query block
Figure FDA0002787073430000015
Calculate joint information w * and joint authentication information t * :
Figure FDA0002787073430000016
Figure FDA0002787073430000016
Figure FDA0002787073430000017
Figure FDA0002787073430000017
Figure FDA0002787073430000021
Figure FDA0002787073430000021
Figure FDA0002787073430000022
Figure FDA0002787073430000022
 计算出:Calculate:
Figure FDA0002787073430000023
Figure FDA0002787073430000023
 则联合信息w*的联合认证信息为t*=(s*,v*,y*),云端将证明Γ=(w*,t*)返回给用户端;Then the joint authentication information of the joint information w * is t * =(s * ,v * ,y * ), and the cloud returns the proof Γ=(w * ,t * ) to the client; (5)Verify:用户端验证下式是否成立:(5) Verify: The client verifies whether the following formula holds:
Figure FDA0002787073430000024
Figure FDA0002787073430000024
 相等则输出δ为真,否则为假;If it is equal, the output δ is true, otherwise it is false; 所述第二步的使用RSA加密算法和用户端公钥PK加密具体包括:The use of the RSA encryption algorithm and the client public key PK encryption of the second step specifically includes: (1)ASK_NEWKEY(DO):用户端向可信第三方发送返回加密密钥的请求;(1) ASK_NEWKEY(DO): The client sends a request to the trusted third party to return the encryption key; (2)DOPK(K):可信第三方返回加密密钥K,并使用RSA加密算法加密,采用用户端公钥PK加密K;(2) DO PK (K): The trusted third party returns the encryption key K, encrypts it with the RSA encryption algorithm, and encrypts K with the client public key PK; (3)K=DOSK(DOPK(K)),C=EK(P):用户端使用私钥SK解密K,并使用K加密原始数据P;(3) K=DO SK (DO PK (K)), C=E K (P): the client uses the private key SK to decrypt K, and uses K to encrypt the original data P; (4)Outsource(C):用户端采用五元组中的Outsource算法上传数据到云端;(4) Outsource (C): The client uses the Outsource algorithm in the quintuple to upload data to the cloud; (5)ASK_C(DO):用户端向云端请求加密数据C;(5) ASK_C(DO): The client requests encrypted data C from the cloud; (6)Return(C):云端返回密文给用户端;(6) Return (C): The cloud returns the ciphertext to the client; (7)P=DK(C):用户端使用解密密钥K解密得到P;(7) P=D K (C): the client uses the decryption key K to decrypt to obtain P; 所述第三步的数据拥有者向可信第三方请求新的密钥,可信第三方返回新的密钥,并用数据拥有者的公钥PK加密具体包括:The data owner of the third step requests a new key from the trusted third party, the trusted third party returns the new key, and encrypts with the public key PK of the data owner specifically including: (1)ASK_KEY&C(DU):用户端向数据拥有者发送获取数据的请求;(1) ASK_KEY&C(DU): The client sends a request for data acquisition to the data owner; (2)ASK_KEY(DU):数据拥有者向可信第三方转发获取密钥K的请求;(2) ASK_KEY(DU): The data owner forwards the request to obtain the key K to a trusted third party; (3)DUPK(K):可信第三方返回K,并使用用户端的公钥PK加密;(3) DU PK (K): The trusted third party returns K and encrypts it with the public key PK of the client; (4)ASK_C(DU):数据拥有者向云端转发获取密文C的请求;(4) ASK_C(DU): The data owner forwards the request to obtain the ciphertext C to the cloud; (5)Return(C):云端返回密文云端;(5) Return (C): The cloud returns the ciphertext cloud; (6)K=DUSK(DUPK(K)),P=DK(C):用户端使用私钥解密K,并使用K解密C得到明文P;(6) K=DU SK (DU PK (K)), P=D K (C): the client uses the private key to decrypt K, and uses K to decrypt C to obtain plaintext P; (7)Response(DU):用户端得到明文后,向数据拥有者发送反馈信息更换密钥;(7) Response (DU): After the user terminal obtains the plaintext, it sends feedback information to the data owner to replace the key; (8)ASK_NEWKEY(DO):数据拥有者向可信第三方请求新的密钥;(8) ASK_NEWKEY(DO): The data owner requests a new key from a trusted third party; (9)DOPK(K'):可信第三方返回新的密钥K',并用数据拥有者的公钥PK加密;(9) DO PK (K'): The trusted third party returns a new key K' and encrypts it with the public key PK of the data owner; (10)K'=DOSK(DOPK(K')),C'=EK'(P):数据拥有者使用SK解密K',并使用K'加密原始数据P得到密文C';(10) K'=DO SK (DO PK (K')), C'=E K' (P): The data owner uses SK to decrypt K', and uses K' to encrypt the original data P to obtain the ciphertext C'; (11)Outsource(C'):数据拥有者上传密文C'到云端。(11) Outsource(C'): The data owner uploads the ciphertext C' to the cloud. 2.一种应用权利要求1所述支持动态密钥更新的云端数据完整性验证方法的云存储数据处理系统。2. A cloud storage data processing system applying the cloud data integrity verification method supporting dynamic key update according to claim 1. 3.一种应用权利要求1所述支持动态密钥更新的云端数据完整性验证方法的云服务器。3. A cloud server applying the cloud data integrity verification method supporting dynamic key update according to claim 1.
CN201910970921.3A 2019-10-14 2019-10-14 A cloud data integrity verification method supporting dynamic key update Active CN110650152B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910970921.3A CN110650152B (en) 2019-10-14 2019-10-14 A cloud data integrity verification method supporting dynamic key update

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201910970921.3A CN110650152B (en) 2019-10-14 2019-10-14 A cloud data integrity verification method supporting dynamic key update

Publications (2)

Publication Number Publication Date
CN110650152A CN110650152A (en) 2020-01-03
CN110650152B true CN110650152B (en) 2021-01-12

Family

ID=68993949

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910970921.3A Active CN110650152B (en) 2019-10-14 2019-10-14 A cloud data integrity verification method supporting dynamic key update

Country Status (1)

Country Link
CN (1) CN110650152B (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106302449A (en) * 2016-08-15 2017-01-04 中国科学院信息工程研究所 A kind of ciphertext storage cloud service method open with searching ciphertext and system
CN106612169A (en) * 2016-05-25 2017-05-03 四川用联信息技术有限公司 Safe data sharing method in cloud environment
CN107426165A (en) * 2017-05-16 2017-12-01 安徽大学 Bidirectional secure cloud storage data integrity detection method supporting key updating
CN108768975A (en) * 2018-05-16 2018-11-06 东南大学 Support the data integrity verification method of key updating and third party's secret protection

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103986732B (en) * 2014-06-04 2017-02-15 青岛大学 Cloud storage data auditing method for preventing secret key from being revealed
CN104811300B (en) * 2015-04-22 2017-11-17 电子科技大学 The key updating method of cloud storage and the implementation method of cloud data accountability system
US20190036703A1 (en) * 2017-07-28 2019-01-31 Nexenta Systems, Inc. Shard groups for efficient updates of, and access to, distributed metadata in an object storage system

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106612169A (en) * 2016-05-25 2017-05-03 四川用联信息技术有限公司 Safe data sharing method in cloud environment
CN106302449A (en) * 2016-08-15 2017-01-04 中国科学院信息工程研究所 A kind of ciphertext storage cloud service method open with searching ciphertext and system
CN107426165A (en) * 2017-05-16 2017-12-01 安徽大学 Bidirectional secure cloud storage data integrity detection method supporting key updating
CN108768975A (en) * 2018-05-16 2018-11-06 东南大学 Support the data integrity verification method of key updating and third party's secret protection

Also Published As

Publication number Publication date
CN110650152A (en) 2020-01-03

Similar Documents

Publication Publication Date Title
CN110855671B (en) Trusted computing method and system
Khanezaei et al. A framework based on RSA and AES encryption algorithms for cloud computing services
Zuo et al. Fine-grained two-factor protection mechanism for data sharing in cloud storage
Yang et al. Provable data possession of resource-constrained mobile devices in cloud computing
Youn et al. Efficient client-side deduplication of encrypted data with public auditing in cloud storage
CN105743888A (en) Agent re-encryption scheme based on keyword research
US11316671B2 (en) Accelerated encryption and decryption of files with shared secret and method therefor
CN106878322B (en) A kind of encryption and decryption method of fixed length ciphertext and key based on attribute
CN103812927A (en) Storage method
Huang Secure and privacy-preserving DRM scheme using homomorphic encryption in cloud computing
KR20210058313A (en) Data access control method and system using attribute-based password for secure and efficient data sharing in cloud environment
Cui et al. Towards Multi-User, Secure, and Verifiable $ k $ NN Query in Cloud Database
Hussien et al. Scheme for ensuring data security on cloud data storage in a semi-trusted third party auditor
Malarvizhi et al. Secure file sharing using cryptographic techniques in cloud
CN110650152B (en) A cloud data integrity verification method supporting dynamic key update
Sunitha et al. Enhancing privacy in cloud service provider using cryptographic algorithm
CN115809459A (en) Data protection and decryption method, system, device and medium for software cryptographic module
CN115935426A (en) Remote image feature extraction and retrieval method based on SGX
Kamboj et al. DEDUP: Deduplication system for encrypted data in cloud
CN114969801A (en) Data authorization access method, device and medium based on block chain
Reddy et al. Data Storage on Cloud using Split-Merge and Hybrid Cryptographic Techniques
CN114598535B (en) CP-ABE agent re-encryption method based on cloud computing multi-authorization center
JP7622969B1 (en) Information processing method, information processing program, and information processing system
CN118694618B (en) A method to enhance the quantum security of the Central Authentication Service Protocol
Gonthireddy et al. Secure Big Data Deduplication with Dynamic Ownership Management in Cloud Computing

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant