CN111010408B - Distributed encryption and decryption method and system - Google Patents

Distributed encryption and decryption method and system Download PDF

Info

Publication number
CN111010408B
CN111010408B CN202010010464.6A CN202010010464A CN111010408B CN 111010408 B CN111010408 B CN 111010408B CN 202010010464 A CN202010010464 A CN 202010010464A CN 111010408 B CN111010408 B CN 111010408B
Authority
CN
China
Prior art keywords
node
encryption
data
data key
fragment
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202010010464.6A
Other languages
Chinese (zh)
Other versions
CN111010408A (en
Inventor
钱唯
冀乃庚
弓祎斌
李勇攀
晁超
贾喜平
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
China Unionpay Co Ltd
Original Assignee
China Unionpay Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by China Unionpay Co Ltd filed Critical China Unionpay Co Ltd
Priority to CN202010010464.6A priority Critical patent/CN111010408B/en
Publication of CN111010408A publication Critical patent/CN111010408A/en
Application granted granted Critical
Publication of CN111010408B publication Critical patent/CN111010408B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/04Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0442Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply asymmetric encryption, i.e. different keys for encryption and decryption

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Storage Device Security (AREA)

Abstract

The invention provides a method for encrypting data by using a distributed cluster, which comprises the following steps: (1) the client sends an encryption requirement to a node in the distributed cluster; (2) the node determines a data key, at least one encryption algorithm and the fragment number of the data based on the encryption requirement, and sends the data key to the client; (3) the client sends the data to the node by using the data key; (4) the node distributing at least one fragment of the data, the data key, and the at least one encryption algorithm to at least one node in the distributed cluster based on the fragment number; and (5) the at least one node encrypts the at least one fragment based on the data key and any one encryption algorithm selected among the at least one encryption algorithm to obtain an encrypted at least one fragment.

Description

Distributed encryption and decryption method and system
Technical Field
The invention relates to the field of data encryption, in particular to a distributed encryption and decryption method and system.
Background
In the field of data encryption, those skilled in the art are always seeking better encryption schemes.
One existing encryption scheme is a hardware device encryption and decryption scheme. The sensitive data is encrypted and decrypted by the encryption machine, and the encrypted sensitive data is stored in the encryption machine. When the sensitive data is needed, the encryption machine can be accessed through a fixed instruction and the sensitive data can be obtained. The disadvantage of this solution is the high procurement and maintenance costs of the encryptors, and the poor availability and scalability.
Another existing encryption scheme is a stand-alone program encryption and decryption scheme. Sensitive data can be encrypted through a specified encryption algorithm and a pre-generated key, and both the ciphertext and the key are stored locally (such as a local file system, a database, or an NFS file system). The disadvantage of this scheme is that the key and the ciphertext are stored locally and are easily stolen once the system is hacked. This stand-alone encryption and locally stored scheme also carries a risk of data availability (e.g., sensitive data is lost or corrupted).
A third existing encryption scheme is the distributed encryption and decryption scheme. The scheme can distribute the plain text fragments in a plurality of nodes through a distributed cluster, so that the encryption, decryption and storage operations can be carried out on the fragments in the plurality of nodes, and the problems of safety and usability existing in the encryption and decryption scheme by using a single machine program are solved. The disadvantages of this solution are: (1) because the plurality of fragments adopt the same secret key and encryption algorithm for encryption and decryption, if a certain fragment is cracked, the risk of cracking other fragments is greatly increased; (2) the encryption function is single, different sensitive levels and encryption overhead are not considered, and an encryption algorithm, a key length, a fragment number and the like cannot be selected in a personalized mode according to encryption requirements.
Disclosure of Invention
In one aspect, the present invention provides a method for encrypting data using a distributed cluster, comprising: (1) the client sends an encryption requirement to a node in the distributed cluster; (2) the node determines a data key, at least one encryption algorithm and the fragment number of the data based on the encryption requirement, and sends the data key to the client; (3) the client sends the data to the node by using the data key; (4) the node distributing at least one fragment of the data, the data key, and the at least one encryption algorithm to at least one node in the distributed cluster based on the fragment number; and (5) the at least one node encrypts the at least one fragment based on the data key and any one encryption algorithm selected among the at least one encryption algorithm to obtain an encrypted at least one fragment.
The invention provides a system for encrypting data by using a distributed cluster, which comprises: a client; and a distributed cluster, wherein the client is capable of sending an encryption requirement to a node in the distributed cluster, the node is capable of determining a data key, at least one encryption algorithm and a number of fragments of the data based on the encryption requirement and sending the data key to the client, the client is capable of sending the data to the node using the data key, the node is capable of distributing the at least one fragment of the data, the data key and the at least one encryption algorithm to at least one node in the distributed cluster based on the number of fragments, and the at least one node is capable of encrypting the at least one fragment based on the data key and any one encryption algorithm selected from the at least one encryption algorithm to obtain the encrypted at least one fragment.
In another aspect, the present invention provides a method for decrypting data using a distributed cluster, comprising: (1) the client sends a data key and a mapping file to a node in the distributed cluster; (2) the node searches at least one node storing the encrypted at least one fragment of the data based on the mapping file, and distributes the data key and the mapping file to the at least one node; (3) the at least one node searches for at least one encryption algorithm that encrypts the encrypted at least one fragment based on the mapping file, decrypts the encrypted at least one fragment based on the at least one encryption algorithm and the data key to obtain decrypted at least one fragment, and sends the decrypted at least one fragment to the node; (4) the node merges the decrypted at least one fragment to obtain the data and sends the data to the client.
The invention provides a system for decrypting data by using a distributed cluster, which comprises the following steps: a client; the client side can send a data key and a mapping file to one node in the distributed cluster; the node is capable of finding at least one node storing the encrypted at least one fragment of the data based on the mapping file and distributing the data key and the mapping file to the at least one node; the at least one node is capable of finding at least one encryption algorithm that encrypts the encrypted at least one fragment based on the mapping file, decrypting the encrypted at least one fragment based on the at least one encryption algorithm and the data key to obtain decrypted at least one fragment, and sending the decrypted at least one fragment to the node; the node is capable of merging the decrypted at least one fragment to obtain the data and sending the data to the client.
The embodiment of the invention can improve the reliability of sensitive data storage by storing the encrypted fragments (namely, each fragment stores the copies on a plurality of nodes) in a distributed multi-copy mode. In addition, each copy of each fragment adopts an independent key and different encryption algorithms, and the copies have no obvious relevance with each other, so that the safety of other fragments cannot be influenced when a single fragment is cracked. In addition, the embodiment of the invention can individually make the encryption strategy by using the Service Level Agreement (SLA), thereby meeting the encryption and decryption requirements of the sensitive data of different levels.
The foregoing description is only an overview of the technical solutions of the present invention, and the embodiments of the present invention are described below in order to make the technical means of the present invention more clearly understood and to make the above and other objects, features, and advantages of the present invention more clearly understandable.
Drawings
The above and other objects, features and advantages of exemplary embodiments of the present invention will become readily apparent from the following detailed description read in conjunction with the accompanying drawings. Several embodiments of the invention are illustrated by way of example, and not by way of limitation, in the figures of the accompanying drawings and in which:
in the drawings, the same or corresponding reference numerals indicate the same or corresponding parts.
Fig. 1 shows a schematic diagram of a first step in an encryption flow according to an embodiment of the invention.
Fig. 2 shows a schematic diagram of a second step in an encryption flow according to an embodiment of the invention.
Fig. 3 shows a schematic diagram of a third step in an encryption flow according to an embodiment of the invention.
Fig. 4 shows a schematic diagram of a fourth step in an encryption flow according to an embodiment of the present invention.
Fig. 5 shows a schematic diagram of a fifth step in an encryption flow according to an embodiment of the present invention.
Fig. 6 shows a schematic diagram of a first step in a decryption flow according to an embodiment of the invention.
Fig. 7 shows a schematic diagram of a second step in the decryption flow according to an embodiment of the invention.
Fig. 8 shows a schematic diagram of a third step in the decryption flow according to an embodiment of the invention.
Fig. 9 shows a schematic diagram of a fourth step in the decryption flow according to an embodiment of the invention.
Detailed Description
The principles and spirit of the present invention will be described with reference to a number of exemplary embodiments. It is understood that these embodiments are given solely for the purpose of enabling those skilled in the art to better understand and to practice the invention, and are not intended to limit the scope of the invention in any way. Rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the scope of the disclosure to those skilled in the art.
The following detailed description of embodiments of the invention refers to the accompanying drawings.
Fig. 1 shows a schematic diagram of a first step in an encryption flow according to an embodiment of the invention.
Referring to fig. 1, the first step of the encryption flow is: the client side puts forward an encryption requirement to the server side, the server side sends the generated data secret key to the client side, and the client side sends the encrypted plaintext to the server side. Plaintext refers to unencrypted data. The client is the party requesting encryption and decryption, and the server is the party performing encryption and decryption operations. In some embodiments of the invention, the server is a distributed cluster.
Specifically, the first step includes the following substeps:
(a) the client may send the client public key and encryption requirements to any node in the server. In some embodiments, the encryption requirements are SLA requirements, where the SLA requirements include encryption level, encryption elapsed time, and plaintext size. Based on SLA requirements, the service end can autonomously select the length of the data key, the encryption algorithm and the fragment number. The number of slices is: the number of segments into which the plaintext is divided.
(b) The server can generate a data key K with a proper length according to SLA requirements, and encrypt the K through the client public key to obtain K'. The correspondent node of the server may then send K' back to the client. And the communication node of the server side stores the generated data key K locally. The correspondent node refers to one of the nodes in the server that communicates with the client.
(c) And after receiving the encrypted data key K ', the client decrypts the K' by using the client private key to obtain the data key K and stores the data key K.
(d) And the client encrypts the plaintext of the sensitive data by using the data key K and sends the obtained ciphertext to the communication node.
(e) And after receiving the ciphertext of the sensitive data, the node decrypts the ciphertext by using the data secret key K to obtain the plaintext of the sensitive data so as to encrypt the plaintext in the subsequent process.
The process of encrypting data using the client (or node) public key and decrypting the encrypted data using the client (or node) private key employs asymmetric encryption and decryption methods in the art. In the invention, the distributed cluster can adopt a P2P type centerless peer-to-peer architecture, namely, a client is connected with any node to realize the functions of encryption, decryption and storage. Nodes connected with the client side can be marked as communication nodes, and other nodes with encryption and decryption functions can be marked as encryption nodes.
Fig. 2 shows a schematic diagram of a second step in an encryption flow according to an embodiment of the invention.
Referring to fig. 2, the second step of the encryption flow is: an encryption policy is generated based on the encryption requirements.
After receiving SLA requirements submitted by a client, the communication node generates an encryption configuration according to a certain strategy. This configuration includes, but is not limited to: a fragmentation number, an encryption algorithm, a data key length (which is generated in the first step).
Specifically, for different encryption levels, the higher the encryption level, the more complex the encryption algorithm and the longer the data key length, but the greater the overhead of simultaneous encryption and decryption. The overhead refers to computing resources occupied in encrypting and decrypting the sensitive data, and the overhead may be embodied as time consumption occupied in encrypting and decrypting the sensitive data.
In addition, the number of fragments also affects the encryption overhead, which is expressed as: (1) increasing the number of fragments can reduce the number of bytes of data allocated to each fragment, thereby reducing the encryption overhead of a single fragment; since multiple slices can be encrypted in parallel using multiple nodes, the overall overhead is also reduced. (2) The number of fragments can be increased continuously, and at this time, because the number of bytes of the data of a single fragment has been reduced to a certain extent, the encryption overhead can not be reduced obviously any more, so that the overall encryption and decryption overhead is in a state of being basically unchanged at this time. (3) If the number of the fragments is too large, each fragment is over-fragmented, which increases the complexity of network transmission and the workload of subsequent statistics and processing, thereby increasing the encryption overhead to some extent. Therefore, the number of slices should not be too large.
In light of the above, the present invention provides a method for generating an encryption policy based on encryption requirements.
(1) The various encryption algorithms may be ordered according to security. In some embodiments, the time complexity of cracking the encryption algorithm can be roughly divided into: weak (Weak), Legacy (Legacy), Baseline (Baseline), Standard (Standard), High (High), and Ultra (Ultra), for example, the time complexity of the DES algorithm (Weak) is O (2)40) While the time complexity of the AES-192 algorithm (very high) is O (2)192)。
(2) Encryption algorithms and data keys that meet the level of encryption may be listed as alternatives according to the requirements of the submitted SLA. In some embodiments, there may be multiple encryption algorithms satisfying the encryption level for one data key at the same time.
(3) Alternative encryption algorithms and data source key lengths may be checked in turn. For each set of encryption algorithms and data source key length, the average elapsed time T ^ for the number of encryption operations that existed before can be calculated. For example, the plaintext is divided and normalized (i.e., as a minimum unit) by a length of 1K, and the unit encryption time of the minimum unit of encryption is recorded at each encryption. Multiple unit encryptions may be time consuming since there may be multiple sets including data keys and encryption algorithms.
(4) The estimated time consumption of the encryption can be respectively calculated according to the fact that n is from small to large: t ═ T ^ B/n, where T is the estimated encryption elapsed time, B is the total size of the plaintext (e.g., in KB), and n is the number of pseudo-shards (n >2), and until the specified encryption elapsed time in T ^ SLA, n satisfying the constraint of T ^ SLA requirement (i.e., encryption elapsed time) is taken as the number of shards. Since different numbers of slices may be calculated from each set of data keys and encryption algorithms, the calculated number of slices also needs to be selected. For example, as long as the number of slices calculated based on a certain set of data keys and an encryption algorithm is found to be greater than 1, the number of slices is rounded up as the number of slices actually used. For example, if the calculated number of slices is 1.5, it is determined that the number of actually used slices is 2.
(5) And (4) selecting a proper encryption algorithm, a data key length and a fragment number according to the methods in the steps (3) and (4), normalizing the time consumption of the current encryption by taking the length of 1K as a unit after encryption, and adding the normalized time consumption into the calculation of average time consumption for selecting the next encryption strategy.
In some embodiments, the number of fragment copies may be predefined or determined based on a combination of the selected encryption algorithm and the data key length. The number of sharded copies refers to the number of times a shard can be copied. A slice may have multiple copies that may be encrypted, decrypted, and stored by different nodes.
In some embodiments, the above method for generating the encryption policy calculates the encryption time required for meeting the SLA requirements in a predictive manner, so that it cannot be guaranteed that each calculation meets the encryption time. Therefore, the method for generating the encryption strategy can enable the result obtained in the next calculation to be closer to the real calculation result by continuously feeding back the actual encryption time consumption. Further, since the above method relies on statistics of the encryption elapsed time, there may be a problem of a cold start in the early stage of performing the encryption elapsed time calculation (i.e., starting the operation of calculating the encryption elapsed time without the number of encryption operations that existed before). Therefore, the method for generating the encryption strategy can also adopt a system preheating mode, namely, a certain number of encryption and decryption operations are performed in advance to complete the statistics of encryption time consumption.
Fig. 3 shows a schematic diagram of a third step in an encryption flow according to an embodiment of the invention.
Referring to fig. 3, the third step of the encryption flow is: different pieces of plaintext are distributed over the nodes.
Based on the number of fragments determined in the second step, the communication node cuts the plaintext into a plurality of fragments. Each fragment is then distributed to a plurality of encryption nodes according to the determined number of fragment copies. For example, if the number of copies of a fragment is specified as 2, each fragment needs to be sent to 2 encryption nodes for simultaneous encryption and storage, so as to ensure the availability and durability of the fragment, and the fragment is not lost due to downtime or damage of one node.
The communication node distributes the generated encryption strategy, the data key K and the fragment serial number while distributing the fragments, wherein the encryption node can independently and randomly select a proper encryption algorithm from the encryption strategy so as to ensure that each fragment can be encrypted by adopting different algorithms.
Fig. 4 shows a schematic diagram of a fourth step in an encryption flow according to an embodiment of the present invention.
Referring to fig. 4, the fourth step of the encryption flow is: the fragments distributed to are encrypted in each node.
The encryption node may perform an encryption operation upon receiving the fragment. In some embodiments, the encryption operation is as follows:
first, the encryption node may randomly select one of the encryption algorithms selectable within the encryption policy. Then, the data key K may be perturbed according to the node local variable (i.e., the data key K is perturbed according to the node local variable), so as to obtain the data key K related to the nodenode. Then, using the data key KnodeAnd randomly selecting an encryption algorithm to encrypt the plain text fragments, and storing the cipher text to the local. And finally, returning the file name, the fragment serial number and the randomly selected encryption algorithm to the communication node. The node local variable may be a fixed value that is different for each node, which may be a preset value, a network MAC address, etc. The perturbation operation refers to processing the data key K by using the local variable of the node. The perturbation operation may be implemented in a number of ways, for example, an exclusive or (XOR) operation may be performed on the node local variable with the data key K to obtain a new data key. The file name refers to the file name of the entire plaintext.
In some embodiments, a digest of a fragment may be derived from a fragment of the plaintext prior to performing the encryption operation. The digest of the shard may be obtained in a variety of ways, for example, using algorithms such as SHA1, SHA256, MD5, and the like. It should be noted that only the same summarization algorithm can be used across multiple nodes of the distributed cluster.
In the process of encrypting the fragments, the encryption operation can realize the following effects:
(1) because the selection of the encryption algorithm is randomly selected by the encryption node in the algorithm library meeting the SLA requirement, rather than being fixed, the method means that the copy of each fragment of the sensitive data on each node can adopt different encryption and decryption algorithms, so that the independence among different fragments is increased, and the risk of being cracked together is reduced.
(2) The node encrypts the fragments by using a uniform data key instead of directly, but a variable related to a local node is added, and the addition of the variable plays a disturbing role in the key, so that each fragment on different nodes is actually encrypted by using different data keys. Similarly, the method also increases the independence among different fragments and reduces the risk of being cracked together.
Fig. 5 shows a schematic diagram of a fifth step in an encryption flow according to an embodiment of the present invention.
Referring to fig. 5, the fifth step of the encryption flow is: and constructing a mapping file.
After receiving the information returned by all the encryption nodes, the communication node can construct a mapping file related to each fragment. In some embodiments, the mapping file may be a mapping table. The first column in the mapping table is a fragment serial number, and the second column is a node on which the fragment has a copy and which encryption algorithm is used; the third column is a digest of the slice in plaintext. In the art, a unique digest is obtained from each piece of plaintext. In the invention, the decrypted plaintext can be verified according to the digest when the decryption operation is executed. The content of the whole mapping table represents all encrypted information of the fragment. The mapping table may also store file names in plain text.
After the mapping table is constructed, the communication node can encrypt the mapping table through the public key of the client and return the mapping table to the client, and meanwhile, the communication node informs the client that the encryption and storage of the sensitive information are successful. In some embodiments, if the client does not wish to save the mapping table, the mapping table may be stored in a distributed manner in the cluster, or in a dedicated encryption engine to ensure the security of the mapping table itself.
As shown in fig. 5, the mapping table stores file names. In the first row of the table, one copy of slice 1 (slice sequence number 1) is encrypted using the DES algorithm in node a and the AES algorithm in node B. The digest that can be obtained based on slice 1 of the plaintext is 43d23 adf.
Fig. 6 shows a schematic diagram of a first step in a decryption flow according to an embodiment of the invention.
Referring to fig. 6, the first step in the decryption flow is: a decryption request is initiated. The first step specifically comprises the following substeps:
(1) the client and the server exchange respective public keys. The client may send the client public key to any node of the server, and the server may send a public key of any node (also referred to as a node public key) serving as a communication node to the client. In some embodiments, the client that initiates the decryption request may be the same or different than the client that initiated the encryption request.
(2) The client can encrypt the data key K and the mapping table through the node public key and send the encrypted data key K and the mapping table to the communication node.
Fig. 7 shows a schematic diagram of a second step in the decryption flow according to an embodiment of the invention.
Referring to fig. 7, the second step in the decryption flow is: and searching the encryption node according to the mapping table and distributing the data key and the mapping table to the encryption node.
After the communication node obtains the data key K and the mapping table, the communication node may select the encryption node according to the information in the mapping table to distribute the data key K and the mapping table. In some embodiments, if one fragment has multiple copies, the data key K and the mapping table are distributed to the node where the first copy is located first, and if the node is down or the copies are decrypted incorrectly, the data key K and the mapping table are continuously distributed to the node where the next copy is located.
Fig. 8 shows a schematic diagram of a third step in the decryption flow according to an embodiment of the invention.
Referring to fig. 8, the third step in the decryption flow is: a decryption operation is performed on the ciphertext at the encryption node.
The encryption node can search which fragment in the encryption node needs to be decrypted and the fragment serial number corresponding to the local storage of the fragment according to the file name in the received mapping table, and search and find the encryption algorithm used by the encryption node when the fragment is encrypted in the mapping table according to the fragment serial number of the local storage. Meanwhile, as in the case of encryption fragmentation, the encryption node may use the node local variable to disturb the data key K to obtain a data key K associated with the nodenode. Then, according to the data key KnodeAnd decrypting the ciphertext to obtain the plaintext of the fragment.
After the plaintext of the fragment is obtained, it needs to be checked whether the digest of the fragment is consistent with the digest of the fragment in the mapping table, so as to prevent the plaintext from being damaged or tampered. If the digest check is found to fail, then the decryption is performed on the encryption node that holds another copy of the fragment. If all copies fail to decrypt, it indicates that the fragment cannot be decrypted and the sensitive data cannot be restored. However, the distributed storage environment ensures that there is a very low probability that all copies will fail.
Fig. 9 shows a schematic diagram of a fourth step in the decryption flow according to an embodiment of the invention.
Referring to fig. 9, the fourth step in the decryption flow is: summarize and merge cleartext.
Each encryption node may send the decrypted fragmented plaintext back to the correspondent node. The communication node can combine all the fragments according to the fragment sequence number to obtain the original plaintext. The correspondent node can then encrypt the plaintext using the client public key and send it back to the client. The client side decrypts the ciphertext by using a local client side private key to obtain a plaintext of the sensitive data. At this point, the entire decryption process is completed.
In some embodiments of the present invention, the order of each step and sub-step in the encryption flow and the decryption flow is not limited to the order described above, and those skilled in the art may arbitrarily combine each step and sub-step in various orders.
Another aspect of the invention is a computer-readable medium having computer-readable instructions stored thereon that, when executed, perform a method of embodiments of the invention.
Program code for carrying out operations for aspects of the present invention may be written in any combination of one or more programming languages, including an object oriented programming language such as Java, C + + or the like and conventional procedural programming languages, such as the "C" programming language or similar programming languages. The program code may execute entirely on the user computing device, partly on the user computing device, or entirely on a remote computing device or server. In the case of a remote computing device, the remote computing device may be connected to the user computing device over any kind of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or may be connected to an external computing device (e.g., over the internet using an internet service provider).
Moreover, while the operations of the method of the invention are depicted in the drawings in a particular order, this does not require or imply that the operations must be performed in this particular order, or that all of the illustrated operations must be performed, to achieve desirable results. Additionally or alternatively, certain steps may be omitted, multiple steps combined into one step execution, and/or one step broken down into multiple step executions.
It should be noted that although in the above detailed description several software means/modules and sub-means/modules are mentioned which implement the above described method, such a division is not mandatory. Indeed, the features and functionality of two or more of the devices described above may be embodied in one device/module according to embodiments of the invention. Conversely, the features and functions of one apparatus/module described above may be further divided into embodiments by a plurality of apparatuses/modules.
While the spirit and principles of the invention have been described with reference to several particular embodiments, it is to be understood that the invention is not limited to the disclosed embodiments, nor is the division of aspects, which is for convenience only as the features in such aspects may not be combined to benefit. The invention is intended to cover various modifications and equivalent arrangements included within the spirit and scope of the appended claims.

Claims (14)

1. A method of encrypting data using a distributed cluster, comprising:
(1) the client sends an encryption requirement to a node in the distributed cluster;
(2) the node determines a data key, at least one encryption algorithm and the fragment number of the data based on the encryption requirement, and sends the data key to the client;
(3) the client sends the data to the node by using the data key;
(4) the node distributing at least one fragment of the data, the data key, and the at least one encryption algorithm to at least one node in the distributed cluster based on the fragment number; and
(5) the at least one node encrypting the at least one slice based on the data key and any one encryption algorithm selected among the at least one encryption algorithm to obtain at least one slice that is encrypted,
wherein the encryption requirement comprises an encryption level, an encryption elapsed time, and a size of the data, wherein the node determines the data key and at least one encryption algorithm according to the encryption level, and determines the fragmentation number according to the data key, the at least one encryption algorithm, the encryption elapsed time, and the size of the data.
2. The method of claim 1, wherein the method further comprises:
(6) the at least one node sending the selected one of the encryption algorithms to the node; and
(7) the node creates a mapping file based on the node sequence number of the at least one node, the fragment sequence number of the at least one fragment, and the selected one of the encryption algorithms.
3. The method of claim 2, wherein the node is further capable of creating a mapped file based on the node serial number of the at least one node, the shard serial number of the at least one shard, the selected one of the encryption algorithms, and the digest of the at least one shard.
4. The method of claim 1, wherein the step (3) comprises:
the client encrypts the data by using the data key and sends the encrypted data to the node; and
the node decrypts the encrypted data using the data key to obtain the data.
5. The method of claim 1, wherein the node is further capable of distributing any one of the at least one shard, the data key, and the at least one encryption algorithm to at least two nodes in the distributed cluster such that the at least two nodes encrypt the any one of the at least one shard based on the data key and any one selected among the at least one encryption algorithm.
6. The method of claim 1, wherein the determining the number of fragments according to the data key, at least one encryption algorithm, the encryption elapsed time, and the size of the data comprises:
estimating an encryption time for encrypting at least one unit of a data segment having a predetermined size based on the data key and at least one encryption algorithm;
determining at least one fragment value based on the at least one unit encryption elapsed time, the encryption elapsed time, and the size of the data; and
determining the number of slices based on a first occurring slice value of the at least one slice value that is greater than 1.
7. The method of claim 1, wherein the step (5) comprises:
the at least one node perturbs the data key using a node local variable specific to each of the at least one node to generate a node-dependent data key; and
the at least one node encrypts the at least one slice using the node-dependent data key and any one encryption algorithm selected from the any one encryption algorithm encryption.
8. A system for encrypting data using a distributed cluster, comprising:
a client; and
a distributed cluster of the plurality of clusters is provided,
wherein the client is capable of sending an encryption requirement to a node in the distributed cluster,
the node is capable of determining a data key, at least one encryption algorithm, and a number of fragments of the data based on the encryption requirement, and sending the data key to the client,
the client is capable of sending the data to the node using the data key,
the node is capable of distributing at least one shard of the data, the data key, and the at least one encryption algorithm to at least one node in the distributed cluster based on the sharding number,
the at least one node is capable of encrypting the at least one fragment based on the data key and any one encryption algorithm selected among the at least one encryption algorithm to obtain at least one fragment that is encrypted,
wherein the encryption requirements include an encryption level, an encryption elapsed time, and a size of the data, and wherein the node further comprises a module for determining the data key and at least one encryption algorithm according to the encryption level, and a module for determining the fragmentation number according to the data key, at least one encryption algorithm, the encryption elapsed time, and the size of the data.
9. The system of claim 8, wherein the at least one node is capable of sending the selected one of the encryption algorithms to the node, wherein the node is capable of creating a mapping file based on a node sequence number of the at least one node, a fragment sequence number of the at least one fragment, and the selected one of the encryption algorithms.
10. The system of claim 8, wherein the node is further capable of creating a mapped file based on a node serial number of the at least one node, a shard serial number of the at least one shard, the selected one of the encryption algorithms, and a digest of the at least one shard.
11. The system of claim 8, wherein the node is further capable of distributing any one of the at least one shard, the data key, and the at least one encryption algorithm to at least two nodes in the distributed cluster such that the at least two nodes encrypt the any one of the at least one shard based on the data key and any one selected among the at least one encryption algorithm.
12. The system of claim 8, wherein the means for determining the fraction number based on the data key, at least one encryption algorithm, the encryption elapsed time, and the size of the data comprises:
means for estimating an encryption time taken to encrypt at least one unit of a data segment having a predetermined size based on the data key and at least one encryption algorithm;
means for determining at least one shard value based on the at least one unit encryption elapsed time, the encryption elapsed time, and the size of the data; and
means for determining the number of shards based on a first occurring shard value of the at least one shard value being greater than 1.
13. The system of claim 9, wherein the operation of encrypting the at least one fragment based on the data key and any one encryption algorithm selected among the at least one encryption algorithm to obtain the encrypted at least one fragment comprises:
the at least one node perturbs the data key using a node local variable specific to each of the at least one node to generate a node-dependent data key; and
the at least one node encrypts the at least one slice using the node-dependent data key and any one encryption algorithm selected from the any one encryption algorithm encryption.
14. The system of claim 9, wherein the operation of sending the data to the node using the data key comprises:
the client encrypts the data by using the data key and sends the encrypted data to the node; and
the node decrypts the encrypted data using the data key to obtain the data.
CN202010010464.6A 2020-01-06 2020-01-06 Distributed encryption and decryption method and system Active CN111010408B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010010464.6A CN111010408B (en) 2020-01-06 2020-01-06 Distributed encryption and decryption method and system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202010010464.6A CN111010408B (en) 2020-01-06 2020-01-06 Distributed encryption and decryption method and system

Publications (2)

Publication Number Publication Date
CN111010408A CN111010408A (en) 2020-04-14
CN111010408B true CN111010408B (en) 2022-02-11

Family

ID=70120552

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010010464.6A Active CN111010408B (en) 2020-01-06 2020-01-06 Distributed encryption and decryption method and system

Country Status (1)

Country Link
CN (1) CN111010408B (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111654511A (en) * 2020-07-13 2020-09-11 中国银行股份有限公司 Chained data encryption method, chained data decryption method and corresponding systems
CN116405327B (en) * 2023-06-08 2023-08-22 天津市津能工程管理有限公司 Data processing method and device, electronic equipment and storage medium

Citations (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102664928A (en) * 2012-04-01 2012-09-12 南京邮电大学 Data secure access method used for cloud storage and user terminal system
CN106254896A (en) * 2016-08-05 2016-12-21 中国传媒大学 A kind of distributed cryptographic method for real-time video
CN107025409A (en) * 2017-06-27 2017-08-08 中经汇通电子商务有限公司 A kind of data safety storaging platform
CN109597811A (en) * 2018-11-26 2019-04-09 湖南节点新火信息安全有限公司 A kind of distributed security data basd link block storage method
CN109858255A (en) * 2018-12-19 2019-06-07 杭州安恒信息技术股份有限公司 Data encryption storage method, device and realization device
CN110113340A (en) * 2019-05-09 2019-08-09 程丁 Based on distribution RSA in Hadoop platform and DES mixed encryption method
CN110401849A (en) * 2019-03-01 2019-11-01 腾讯科技(深圳)有限公司 The cipher processing method and device of video data
CN110602147A (en) * 2019-10-09 2019-12-20 吴新胜 Data encryption safe storage method, system and storage medium based on cloud platform
CN110650191A (en) * 2019-09-20 2020-01-03 浪潮电子信息产业股份有限公司 Data read-write method of distributed storage system

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2017193108A2 (en) * 2016-05-06 2017-11-09 ZeroDB, Inc. Encryption for distributed storage and processing

Patent Citations (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102664928A (en) * 2012-04-01 2012-09-12 南京邮电大学 Data secure access method used for cloud storage and user terminal system
CN106254896A (en) * 2016-08-05 2016-12-21 中国传媒大学 A kind of distributed cryptographic method for real-time video
CN107025409A (en) * 2017-06-27 2017-08-08 中经汇通电子商务有限公司 A kind of data safety storaging platform
CN109597811A (en) * 2018-11-26 2019-04-09 湖南节点新火信息安全有限公司 A kind of distributed security data basd link block storage method
CN109858255A (en) * 2018-12-19 2019-06-07 杭州安恒信息技术股份有限公司 Data encryption storage method, device and realization device
CN110401849A (en) * 2019-03-01 2019-11-01 腾讯科技(深圳)有限公司 The cipher processing method and device of video data
CN110113340A (en) * 2019-05-09 2019-08-09 程丁 Based on distribution RSA in Hadoop platform and DES mixed encryption method
CN110650191A (en) * 2019-09-20 2020-01-03 浪潮电子信息产业股份有限公司 Data read-write method of distributed storage system
CN110602147A (en) * 2019-10-09 2019-12-20 吴新胜 Data encryption safe storage method, system and storage medium based on cloud platform

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
一种具有数据隐私加密功能的Hadoop系统;张迪明;《江苏船舶》;20131230;第30卷(第6期);25-27页 *
基于加密机制的云计算数据可靠存储方案研究;赵莉; 王魁祎;《信阳师范学院学报(自然科学版)》;20141010;第27卷(第4期);593-596页 *

Also Published As

Publication number Publication date
CN111010408A (en) 2020-04-14

Similar Documents

Publication Publication Date Title
CN109768987B (en) Block chain-based data file safe and private storage and sharing method
JP6787952B2 (en) Data security with keys provided by request
EP3062261B1 (en) Community-based de-duplication for encrypted data
US10439804B2 (en) Data encrypting system with encryption service module and supporting infrastructure for transparently providing encryption services to encryption service consumer processes across encryption service state changes
Hur et al. Secure data deduplication with dynamic ownership management in cloud storage
US9122888B2 (en) System and method to create resilient site master-key for automated access
US8892866B2 (en) Secure cloud storage and synchronization systems and methods
CN108418796B (en) Cloud data multi-copy integrity verification and association deletion method and cloud storage system
US9407432B2 (en) System and method for efficient and secure distribution of digital content
Yan et al. Heterogeneous data storage management with deduplication in cloud computing
US20100169321A1 (en) Method and apparatus for ciphertext indexing and searching
US20020083325A1 (en) Updating security schemes for remote client access
JP2013511771A (en) Method and apparatus for document sharing
CN110635906B (en) Key management method and device for distributed block storage system
US20080091947A1 (en) Software registration system
JP2004126639A (en) Data management system, method and program
US11601258B2 (en) Selector derived encryption systems and methods
JP5140026B2 (en) Database processing method, database processing program, and encryption apparatus
CN111010408B (en) Distributed encryption and decryption method and system
CN110688666A (en) Data encryption and storage method in distributed storage
US20210391976A1 (en) Low latency calculation transcryption method
Kamboj et al. DEDUP: Deduplication system for encrypted data in cloud
KR20170049700A (en) Cloud system for storing secure data and method thereof
Passricha et al. A secure deduplication scheme for encrypted data
KR20190076531A (en) Cloud storage encryption system

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant