CN111414628B - Data storage method and device and computing equipment - Google Patents

Publication number: CN111414628B
Authority: CN (China)
Prior art keywords: data, key, ciphertext, target, storage
Legal status (an assumption, not a legal conclusion): Active
Application number: CN201910017093.1A
Other languages: Chinese (zh)
Other versions: CN111414628A (en)
Inventors: 杨明阳, 邵楠
Current Assignee (the listed assignees may be inaccurate): Alibaba Group Holding Ltd
Original Assignee: Alibaba Group Holding Ltd
Application filed by Alibaba Group Holding Ltd
Priority to CN201910017093.1A
Publication of CN111414628A
Application granted
Publication of CN111414628B

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/602 Providing cryptographic facilities or services
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database


Abstract

The invention discloses a data storage method, which comprises the following steps: encrypting the data to be stored by adopting a data key to generate a data ciphertext; encrypting the data key by adopting the first key to generate a data key ciphertext; and storing the second key, the data ciphertext and the data key ciphertext in an associated mode, wherein the second key and the first key have a corresponding relation. The invention also discloses a corresponding data storage device and computing equipment.

Description

Data storage method and device and computing equipment
Technical Field
The present invention relates to the field of data storage technologies, and in particular, to a data storage method, apparatus, and computing device.
Background
In the cloud storage service, a user can upload data to a cloud server for storage. In order to ensure the security of user data and prevent data leakage caused by program faults of a cloud server or hacking and the like, the data needs to be stored in the cloud server in an encrypted mode.
One existing data encryption method is for the cloud server to store a master key (CMK) corresponding to each user. When a user uploads data, the data is encrypted with that user's master key and the encrypted data is stored. On the one hand, this method still carries a risk of data leakage: if the master key list stored by the server is leaked, others can use the master keys to decrypt the corresponding user data. On the other hand, under this method a user who has data access authority on the server can decrypt the data, and no authority management can be applied to the master key, so the method is inflexible and its application scenarios are limited.
Disclosure of Invention
To this end, the present invention provides a data storage method, apparatus and computing device in an effort to solve or at least alleviate the above-identified problems.
According to one aspect of the present invention, there is provided a data storage method comprising: encrypting the data to be stored by adopting a data key to generate a data ciphertext; encrypting the data key by adopting a first key to generate a data key ciphertext; and storing the data ciphertext and the data key ciphertext in association with a second key, wherein the second key has a corresponding relation with the first key.
According to another aspect of the present invention, there is provided a data storage device comprising: an encryption module adapted to encrypt the data to be stored with the data key to generate a data ciphertext, and to encrypt the data key with a first key to generate a data key ciphertext; and a storage module adapted to store the data ciphertext and the data key ciphertext in association with a second key, wherein the second key has a corresponding relation with the first key.
According to one aspect of the invention, there is provided a computing device comprising: at least one processor; and a memory storing program instructions, wherein the program instructions are configured to be executed by the at least one processor and comprise instructions for performing the data storage method as described above.
According to yet another aspect of the present invention, there is provided a readable storage medium storing program instructions that, when read and executed by a computing device, cause the computing device to perform the data storage method as described above.
The technical scheme of the invention adopts a double encryption mechanism. During encryption, the data to be stored is encrypted with a data key to generate a data ciphertext; the data key is encrypted with the first key to generate a data key ciphertext; and the data ciphertext, the data key ciphertext and the second key are stored in association, wherein the second key has a corresponding relation with the first key. Therefore, even if the second key, the data ciphertext and the data key ciphertext that are stored in association are leaked together, others cannot recover the first key from this information, and hence cannot recover the data key using the first key or decrypt the data ciphertext using the data key, so the security of user data is ensured.
When decrypting, the server obtains a corresponding target first key according to the corresponding relation between the first key and the second key; decrypting the target data key ciphertext by adopting the target first key to obtain a target data key; and finally, decrypting the data ciphertext to be accessed by adopting the target data key to obtain the data plaintext to be accessed.
Furthermore, in the technical scheme of the invention, one user can have a plurality of permission identifiers (namely master keys), and each permission identifier corresponds to the encrypted data storage and access permissions for different storage spaces. Permission management is thereby realized, and the user can select the appropriate permission identifier for each application scenario, so that data can be stored more flexibly. Specifically, when the user encrypts and stores data, a permission identifier must be specified, and it is stored in association with the data ciphertext, the data key ciphertext and the second key; accordingly, when the user decrypts and accesses data, a permission identifier must also be specified, and when the permission identifier specified by the user is consistent with the permission identifier corresponding to the data to be accessed, the user is allowed to decrypt and access the data. In addition, the server stores only the association between users and permission identifiers, and even if this association is leaked it provides no help in obtaining the first key, which further ensures the security of user data.
The foregoing is only an overview of the technical solution of the present invention, given so that it can be understood more clearly and implemented in accordance with the description, and so that the above and other objects, features and advantages of the present invention are more readily apparent.
Drawings
To the accomplishment of the foregoing and related ends, certain illustrative aspects are described herein in connection with the following description and the annexed drawings, which set forth the various ways in which the principles disclosed herein may be practiced, and all aspects and equivalents thereof are intended to fall within the scope of the claimed subject matter. The above, as well as additional objects, features, and advantages of the present disclosure will become more apparent from the following detailed description when read in conjunction with the accompanying drawings. Like reference numerals generally refer to like parts or elements throughout the present disclosure.
FIG. 1 illustrates a schematic diagram of a data storage system 100, according to one embodiment of the invention;
FIG. 2 illustrates a flow chart of a data storage method 200 according to one embodiment of the invention;
FIG. 3 shows a schematic diagram of a data encryption process according to one embodiment of the invention;
FIG. 4 illustrates a flow chart of a data storage method 400 according to one embodiment of the invention;
FIG. 5 shows a schematic diagram of a data decryption process according to one embodiment of the invention;
FIG. 6 illustrates a flow chart of a data storage method 600 according to one embodiment of the invention;
FIG. 7 shows a schematic diagram of a data encryption process according to one embodiment of the invention;
FIG. 8 illustrates a flow chart of a data storage method 800 according to one embodiment of the invention;
FIG. 9 shows a schematic diagram of a data decryption process according to one embodiment of the invention;
FIG. 10 shows a schematic diagram of an interaction process of a data storage method according to one embodiment of the invention;
FIG. 11 shows a schematic diagram of a computing device 700 according to one embodiment of the invention;
FIG. 12 shows a schematic diagram of a data storage device 1200 according to one embodiment of the invention.
Detailed Description
Exemplary embodiments of the present disclosure will be described in more detail below with reference to the accompanying drawings. While exemplary embodiments of the present disclosure are shown in the drawings, it should be understood that the present disclosure may be embodied in various forms and should not be limited to the embodiments set forth herein. Rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the scope of the disclosure to those skilled in the art.
FIG. 1 illustrates a schematic diagram of a data storage system 100, according to one embodiment of the invention. As shown in fig. 1, data storage system 100 includes a client 110, a storage server 120, and a data storage 130.
The client 110 is a device on the user side, and may be, for example, a personal computer such as a desktop computer or a notebook computer, or a mobile device such as a mobile phone, a tablet computer, a multimedia device, or an intelligent wearable device, but is not limited thereto.
The storage server 120 is a server for providing storage services to users. In some embodiments, it may also provide services such as elastic computing, load balancing scheduling, and the like, not just storage services. The server 120 may be implemented as a single server or as a distributed service cluster composed of a plurality of servers.
The data storage 130 may be a relational database such as MySQL, ACCESS, etc., or a non-relational database such as NoSQL, etc.; the data storage device 130 may be a local database residing in the computing device 200, or may be a distributed database, such as HBase, disposed at a plurality of geographic locations, and in any case, the data storage device 130 is used to store data, and the specific deployment and configuration of the data storage device 130 is not limited by the present invention. The storage server 120 may be connected to the data storage device 130, store data in the data storage device 130, or retrieve data stored in the data storage device 130. The storage server 120 may access the data storage device 130 directly (where the data storage device 130 is a local database of the storage server 120), or may access the internet via a wired or wireless means, and access the data storage device 130 via a data interface.
The user may upload data to the server 120 through the client 110 and store the data in the data storage 130. In one embodiment, storage server 120 is a server providing an object storage service (Object Storage Service, OSS for short) and, accordingly, data storage 130 is an object storage system (Object Storage System). The object storage system is divided into a plurality of storage spaces (buckets). The interior of a storage space is flat: each object in the storage space belongs to it directly, with no hierarchical directory relationship. The data uploaded by the client 110 is stored in the form of objects (Objects) in a storage space, which is created in advance for the user before the file is uploaded. An Object is composed of an object identification (Key), user data (Data) and meta information (Object Meta), wherein the object identification uniquely identifies an object within the storage space; the meta information is a set of key-value pairs representing properties of the object, such as last modification time and file size, and the user may also store custom information in the meta information.
In order to secure the user data, the storage server 120 encrypts the user data and stores the encrypted data in the data storage device 130. The existing data encryption mode offers low security, still carries a risk of data leakage, cannot support permission management and is inflexible; the data storage method provided by the invention therefore stores user data in a more secure and more flexible encrypted form. The data storage method of the present invention will be described in detail below.
FIG. 2 illustrates a flow chart of a data storage method 200 according to one embodiment of the invention. The method 200 is performed on a server (e.g., the storage server 120) for encrypted storage of data uploaded by a user. As shown in fig. 2, the method 200 begins at step S210.
In step S210, the data to be stored is encrypted using the data key, and a data ciphertext is generated.
The algorithm used to encrypt the data to be stored is a symmetric encryption algorithm; that is, the same key is used both to encrypt the data to be stored into a data ciphertext and to decrypt the data ciphertext back into the data plaintext, and that key is the data key. The invention is not limited to any particular symmetric encryption algorithm; in one embodiment, the symmetric encryption algorithm may be the Advanced Encryption Standard with a key length of 256 bits (i.e., AES-256).
Subsequently, in step S220, the data key is encrypted with the first key, generating a data key ciphertext.
The algorithm used to encrypt the data key is also a symmetric encryption algorithm; that is, the same key is used both to encrypt the data key into the data key ciphertext and to decrypt the data key ciphertext back into the data key, and that key is the first key. The invention is not limited to any particular symmetric encryption algorithm; in one embodiment, the symmetric encryption algorithm may be the Advanced Encryption Standard with a key length of 256 bits (i.e., AES-256).
Subsequently, in step S230, the data ciphertext and the data key ciphertext are stored in association with a second key, wherein the second key has a correspondence with the first key.
In an object storage system, the data to be stored is stored in a storage space in the form of an object (Object) comprising three parts: an object identification (Key), user data (Data) and meta information (Object Meta). The data ciphertext is stored as the user data (Data), and the second key and the data key ciphertext can be written into the meta information (Object Meta) of the object.
In an embodiment of the invention, the first key has a correspondence with the second key. It should be noted that, the first key and the second key have a corresponding relationship, which means that given the first key, the second key corresponding to the first key can be determined; given the second key, a first key corresponding thereto may be determined. However, the present invention does not limit what correspondence the first key and the second key specifically have.
According to one embodiment, the second key is a ciphertext obtained by encrypting the first key using a preset encryption algorithm. That is, in this embodiment the first key and the second key have a plaintext-ciphertext relationship: encrypting the first key with the preset encryption algorithm yields the second key, and decrypting the second key with the decryption algorithm corresponding to the preset encryption algorithm yields the first key. The preset encryption algorithm may be a general encryption algorithm such as an RSA encryption algorithm or an ElGamal encryption algorithm, or any non-general encryption algorithm (such as some custom character processing algorithms) capable of converting between the first key and the second key. The preset encryption algorithm may be any encryption algorithm, and the present invention does not limit the specific setting of the encryption algorithm.
According to another embodiment, the server stores the first key and the second key in association such that the first key and the second key have a correspondence. By searching the association list of the first key and the second key, the second key corresponding to the given first key can be determined, and the first key corresponding to the given second key can be determined.
It should be noted that, the above only provides two examples of the correspondence between the first key and the second key, and other methods may be adopted by those skilled in the art to correspond the first key and the second key besides the above examples, which does not limit the specific correspondence manner of the first key and the second key.
The method 200 adopts a double encryption mechanism. During encryption, the data to be stored is encrypted with a data key to generate a data ciphertext; the data key is encrypted with the first key to generate a data key ciphertext; and the data ciphertext, the data key ciphertext and the second key are stored in association, wherein the second key has a corresponding relation with the first key. Therefore, even if the second key, the data ciphertext and the data key ciphertext that are stored in association are leaked together, others cannot recover the first key from this information, and hence cannot recover the data key using the first key or decrypt the data ciphertext using the data key, so the security of user data is ensured.
Fig. 3 shows a schematic diagram of a data encryption process according to one embodiment based on the method 200. As shown in fig. 3, a data storage request initiated by a client includes the data to be stored DATA and a storage space identifier, and the keys corresponding to the data storage request are: a first key KDK, a second key KEK and a data key DEK.
In step S310, the data to be stored DATA is encrypted with the data key DEK, generating a data ciphertext DATA'. To distinguish plaintext from ciphertext, in the embodiments of the present invention a ciphertext symbol carries a single quotation mark (') at its upper right corner, and a plaintext symbol does not.
Subsequently, in step S320, the data key DEK is encrypted using the first key KDK, generating a data key ciphertext DEK'. Finally, the data ciphertext DATA', the data key ciphertext DEK' and the second key KEK are stored in association in the designated storage space. When the storage space is a bucket in the object storage system, the data ciphertext DATA', the data key ciphertext DEK' and the second key KEK correspond to one object Obj: the user data of the object is the data ciphertext DATA', and its meta information comprises the data key ciphertext DEK' and the second key KEK.
Fig. 4 shows a flow chart of a data storage method 400 according to another embodiment of the invention. The method 400 is performed on a server (e.g., the storage server 120) for encrypted storage of data uploaded by a user and decrypted access to the encrypted stored data. As shown in fig. 4, method 400 includes two parts, an encryption process and a decryption process. In a server, encryption and decryption processes for a plurality of groups of data are often performed concurrently at the same time. Those skilled in the art will appreciate that the encryption process and the decryption process for different DATA may be performed concurrently, for example, the storage server may encrypt the DATA1 and decrypt the DATA ciphertext DATA2' in parallel. Of course, it will be understood by those skilled in the art that the encryption and decryption processes are sequential for the same set of data, and decryption access is only performed after storage is encrypted.
In fig. 4, steps S410 to S430 in the encryption process correspond one to one to steps S210 to S230 in the method 200; for their detailed implementation, refer to the descriptions of steps S210 to S230, which are not repeated here. The data decryption process of the present invention will be described in detail below. Those skilled in the art will appreciate that the decryption process is in fact the reverse of the encryption process.
In step S440, a data access request is received, the data access request including an identification of a data ciphertext to be accessed.
For example, if data is stored in the storage space in the form of an Object (Object), the identification of the ciphertext of the data to be accessed is the Object identification (Key) of the Object.
Subsequently, in step S450, the target data key ciphertext and the target second key corresponding to the data ciphertext to be accessed are obtained according to the association relationship between the stored data ciphertext, the data key ciphertext and the second key.
Specifically, in step S230, the data ciphertext, the data key ciphertext, and the second key are stored in association with each other, and accordingly, in step S450, the target data key ciphertext and the target second key corresponding to the data ciphertext to be accessed may be determined according to the association relationship between the stored data ciphertext, the data key ciphertext, and the second key.
Subsequently, in step S460, the target first key corresponding to the target second key is determined according to the correspondence between the first key and the second key.
Specifically, since the first key and the second key in step S230 have a corresponding relationship, in step S460, accordingly, the target first key corresponding to the target second key may be determined according to the corresponding relationship between the first key and the second key.
If, in step S230, the second key is a ciphertext obtained by encrypting the first key using a preset encryption algorithm, then in step S460 the target second key is decrypted using a preset decryption algorithm to obtain the target first key. The preset decryption algorithm is the decryption algorithm corresponding to the encryption algorithm preset in step S230, for example, a decryption algorithm corresponding to an RSA encryption algorithm or an ElGamal encryption algorithm.
If, in step S230, the first key and the second key are stored in association, then in step S460 the target first key corresponding to the target second key may be determined by searching the association list of first keys and second keys.
Subsequently, in step S470, the target data key ciphertext is decrypted using the target first key, resulting in a target data key.
Subsequently, in step S480, the ciphertext of the data to be accessed is decrypted using the target data key, thereby obtaining the data to be accessed.
Fig. 5 shows a schematic diagram of a data decryption process according to one embodiment based on the method 400. As shown in fig. 5, a data access request initiated by the client includes the identifier of the data ciphertext to be accessed, from which the data ciphertext to be accessed DATA_t' can be determined. Based on the pre-stored association of the second key KEK, the data ciphertext DATA' and the data key ciphertext DEK', the target second key KEK_t and the target data key ciphertext DEK_t' corresponding to the data ciphertext to be accessed DATA_t' can be determined.
In step S510, a target first key corresponding to the target second key is determined according to the correspondence between the first key and the second key. For example, the target second key KEK_t is decrypted to obtain the corresponding target first key KDK_t. Alternatively, the target first key KDK_t corresponding to the target second key KEK_t is determined according to the pre-stored association between first keys and second keys.
Subsequently, in step S520, the target data key ciphertext DEK_t' is decrypted using the target first key KDK_t to obtain the target data key DEK_t. Finally, in step S530, the data ciphertext to be accessed DATA_t' is decrypted using the target data key DEK_t, recovering the data plaintext DATA_t.
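The encryption steps S210 to S230 and the decryption steps S460 to S480 described above, as an added Go example that is not part of the patent text. It assumes AES-256-GCM as the symmetric algorithm (the description names only AES-256), RSA-OAEP as the preset algorithm that turns the first key KDK into the second key KEK, and a fresh KDK per request; the names StoredObject, Store, Load, NewServerKey and DEKCT are hypothetical.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// StoredObject follows the object layout above: user data plus meta information.
type StoredObject struct {
	Data  []byte // user data: DATA' = AES-256-GCM(DEK, DATA)
	DEKCT []byte // meta information: DEK' = AES-256-GCM(KDK, DEK)
	KEK   []byte // meta information: second key = RSA-OAEP(pub, KDK)
}

// NewServerKey creates the RSA pair assumed here as the "preset encryption algorithm".
func NewServerKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// randomBytes reads n bytes from the OS CSPRNG and treats failure as fatal.
func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal returns nonce || ciphertext || tag; callers pass fresh 32-byte keys only.
func seal(key, pt []byte) []byte {
	gcm, err := newGCM(key)
	if err != nil {
		panic(err) // unreachable for the 32-byte keys generated in Store
	}
	nonce := randomBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, pt, nil)
}

// open reverses seal; a wrong key or an altered ciphertext yields an error.
func open(key, ct []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if n := gcm.NonceSize(); len(ct) >= n {
		return gcm.Open(nil, ct[:n], ct[n:], nil)
	}
	return nil, fmt.Errorf("ciphertext shorter than nonce")
}

// Store runs S210-S230 with a fresh DEK and KDK for the request.
func Store(pub *rsa.PublicKey, data []byte) (*StoredObject, error) {
	dek, kdk := randomBytes(32), randomBytes(32)
	kek, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, kdk, nil) // KDK -> KEK
	if err != nil {
		return nil, err
	}
	return &StoredObject{
		Data:  seal(dek, data), // S210: DATA -> DATA'
		DEKCT: seal(kdk, dek),  // S220: DEK -> DEK'
		KEK:   kek,             // S230: stored beside both ciphertexts
	}, nil
}

// Load runs S460-S480: KEK -> KDK, DEK' -> DEK, DATA' -> DATA.
func Load(priv *rsa.PrivateKey, obj *StoredObject) ([]byte, error) {
	kdk, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, obj.KEK, nil)
	if err != nil {
		return nil, err
	}
	dek, err := open(kdk, obj.DEKCT)
	if err != nil {
		return nil, err
	}
	return open(dek, obj.Data)
}

func main() {
	priv, err := NewServerKey()
	if err != nil {
		panic(err)
	}
	obj, err := Store(&priv.PublicKey, []byte("constructed sample object body"))
	if err != nil {
		panic(err)
	}
	pt, err := Load(priv, obj)
	fmt.Printf("DATA'=%dB DEK'=%dB KEK=%dB -> %q err=%v\n", len(obj.Data), len(obj.DEKCT), len(obj.KEK), pt, err)
}
```

In this embodiment the stored record (DATA', DEK', KEK) resists disclosure only while the RSA private key is held apart from the object store. Load with any other private key fails at the KEK step, and a modified DATA' fails GCM authentication.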
In some embodiments, a user may have multiple rights identifiers (i.e., master keys), where each rights identifier corresponds to encrypted data storage and access rights of a different storage space, so that rights management is implemented, and the user may select an appropriate rights identifier according to different actual application scenarios, so that data may be stored more flexibly. Fig. 6 shows a flow chart of a data storage method 600 according to an embodiment of the invention, the method 600 being performed on a server (e.g. the storage server 120) for cryptographically storing data uploaded by a user according to the access rights of the user. As shown in fig. 6, the method 600 begins at step S610.
In step S610, a data storage request is received, the data storage request including data to be stored, a storage space, and a rights identification.
The storage space is the target storage location for the data to be stored. For example, in a file storage system, the storage space is a specific folder in which the data to be stored is stored in the form of files; in an object storage system, the storage space is a specific storage space container (bucket) in which the data to be stored is stored in the form of objects (Objects).
The rights identification indicates the encryption and decryption rights of the user. The association of the user with the rights identification is stored at a server (e.g., storage server 120). One user may have multiple rights identifications, each with different data encryption and decryption rights. For example, a certain user has three rights identifications CMK1, CMK2 and CMK3: CMK1 may be used to encrypt and decrypt data in storage space 1, CMK2 may be used to encrypt and decrypt data in storage spaces 2 and 3, and CMK3 may only be used to read and write plaintext data and cannot be used for encryption or decryption.
In the technical scheme of the invention, one user can have a plurality of authority identifiers, and each authority identifier corresponds to the encrypted data storage and access authority of different storage spaces, so that the authority management is realized, and the user can select the proper authority identifier according to different actual application scenes, so that the data can be stored more flexibly.
The data storage request is sent by the client 110 and includes the data to be stored, the storage space specified by the user for that data, and the rights identification specified by the user. According to one embodiment, after the server receives the data storage request, it first determines, according to the rights identification specified by the user, whether the user has the right to store encrypted data in the specified storage space. If so, the method proceeds to steps S620 to S650 to encrypt the data to be stored and store it in the storage space specified by the user; if not, the data storage request is rejected.
Subsequently, in step S620, a first key, a second key, and a data key are generated, wherein the first key and the second key have a correspondence relationship.
It should be noted that, the first key and the second key have a corresponding relationship, which means that given the first key, the second key corresponding to the first key can be determined; given the second key, a first key corresponding thereto may be determined. However, the present invention does not limit what correspondence the first key and the second key specifically have.
In one embodiment, the first key is generated randomly or with some preset rule, and the second key is ciphertext obtained by encrypting the first key with a preset encryption algorithm. Namely, in the embodiment, the first key and the second key have a plaintext-ciphertext relationship, and a preset encryption algorithm is adopted to encrypt the first key, so that the second key can be obtained; and decrypting the second key by adopting a decryption algorithm corresponding to the preset encryption algorithm to obtain the first key. The preset encryption algorithm may be any encryption algorithm, and the specific setting of the encryption algorithm is not limited in the present invention, and in one embodiment, the preset encryption algorithm may be an RSA encryption algorithm, an ElGamal encryption algorithm, or the like.
In another implementation, the first key and the second key are both generated randomly or by adopting a preset rule, and the server stores the first key and the second key in an associated manner. By searching the association list of the first key and the second key, the second key corresponding to the given first key can be determined, and the first key corresponding to the given second key can be determined.
In addition, it should be noted that each data storage request corresponds to a set of a first key, a second key, and a data key. Preferably, the data key is generated randomly or according to a preset rule for each data storage request, so the data keys corresponding to different data storage requests are usually different (in rare cases, two data keys generated randomly or according to a preset rule may be the same). The first and second keys may be generated less frequently than the data keys; that is, multiple data storage requests may share a set of first and second keys, without regenerating the set for each data storage request. For example, a storage space may be set to correspond to one set of first and second keys: when the first data storage request for the storage space is received, a set of first and second keys is newly generated and stored in association with the storage space as the first and second keys corresponding to it. When a later data storage request for the storage space is received, the corresponding first key and second key are acquired directly without regeneration. In an extreme case, all storage spaces may share one set of first and second keys.
Subsequently, in step S630, the data to be stored is encrypted using the data key, and a data ciphertext is generated.
The algorithm adopted for encrypting the data to be stored is a symmetric encryption algorithm, namely, the process of encrypting the data to be stored to generate a data ciphertext and decrypting the data ciphertext to restore the data plaintext to be stored adopts the same secret key, and the same secret key is the data secret key. The invention is not limited to the particular symmetric encryption algorithm selected, and in one embodiment, the symmetric encryption algorithm may be set to an advanced encryption standard (i.e., AES-256) with a key length of 256 bits.
Subsequently, in step S640, the data key is encrypted with the first key, and the data key ciphertext is generated.
The algorithm used for encrypting the data key is also a symmetric encryption algorithm, that is, the same key is used in the process of encrypting the data key to generate the data key ciphertext and decrypting the data key ciphertext to recover the data key, and the same key is the first key. The invention is not limited to the particular symmetric encryption algorithm selected, and in one embodiment, the symmetric encryption algorithm may be set to an advanced encryption standard (i.e., AES-256) with a key length of 256 bits.
Subsequently, in step S650, the rights identification, the second key, the data ciphertext, and the data key ciphertext are stored in association with the storage space.
In an object storage system, the data to be stored is stored in a storage space in the form of an object (Object) comprising three parts: an object identification (Key), user data (Data) and meta information (Object Meta). The rights identification, the second key and the data key ciphertext can be written into the meta information (Object Meta) of the object, and the data ciphertext is the user data (Data).
The method 600 adopts a dual encryption mechanism. At encryption time the user needs to specify a permission identifier; the data to be stored is then encrypted with the data key to generate a data ciphertext, the data key is encrypted with the first key to generate a data key ciphertext, and the permission identifier, the second key, the data ciphertext and the data key ciphertext are stored in association. Therefore, even if the permission identifier, the second key, the data ciphertext and the data key ciphertext stored in association are all leaked together, others cannot recover the first key from this information, and so cannot recover the data key with the first key or decrypt the data ciphertext with the data key, which ensures the security of the user data. In addition, the server only stores the association between the user and the permission identifier; even if this association is leaked, it provides no help in obtaining the first key, which further ensures the security of the user data.
Fig. 7 shows a schematic diagram of an embodiment of a data encryption process based on one of the methods 600. As shown in fig. 7, the DATA storage request initiated by the client includes the DATA to be stored, the rights identifier CMK and the identifier of the storage space, and generates a first key KDK, a second key KEK and a DATA key DEK for the DATA storage request.
In step S710, the DATA to be stored is encrypted with the DATA key DEK, generating a DATA ciphertext DATA'. Subsequently, in step S720, the data key DEK is encrypted using the first key KDK, generating a data key ciphertext DEK'. Finally, the DATA ciphertext DATA', the DATA key ciphertext DEK', the second key KEK and the rights identification CMK are stored in association in a specified storage space. When the storage space is a socket in the object storage system, the DATA ciphertext DATA', the DATA key ciphertext DEK', the second key KEK and the permission identifier CMK correspond to an object Obj: the user DATA of the object is the DATA ciphertext DATA', and the meta information comprises the DATA key ciphertext DEK', the second key KEK and the permission identifier CMK.
Fig. 8 shows a flow chart of a data storage method 800 according to another embodiment of the invention. The method 800 is performed on a server (e.g., the storage server 120) for encrypted storage of data uploaded by a user and decrypted access to the encrypted stored data. As shown in fig. 8, method 800 includes two parts, an encryption process and a decryption process. In a server, encryption and decryption processes for a plurality of groups of data are often performed concurrently at the same time. Those skilled in the art will appreciate that the encryption process and the decryption process for different DATA may be performed concurrently, for example, the storage server may encrypt the DATA1 and decrypt the DATA ciphertext DATA2' in parallel. Of course, it will be understood by those skilled in the art that the encryption and decryption processes are sequential for the same set of data, and decryption access is only performed after storage is encrypted.
In fig. 8, steps S801 to 805 in the encryption process correspond to steps S610 to S650 in the method 200 one by one, and detailed implementation methods of the steps S801 to 805 can refer to the related descriptions of the steps S610 to S650, which are not repeated here. The data decryption process of the present invention will be described in detail below. Those skilled in the art will appreciate that the decryption process is in fact the reverse of the encryption process.
In step S806, a data access request is received, the data access request including an identification of a data ciphertext to be accessed and a rights identification. Based on the identification of the data ciphertext to be accessed, the data ciphertext to be accessed may be determined.
For example, if data is stored in the storage space in the form of an Object (Object), the identification of the ciphertext of the data to be accessed is the Object identification (Key) of the Object.
Subsequently, in step S807, the target permission identifier, the target second key, and the target data key ciphertext corresponding to the data ciphertext to be accessed are acquired according to the association relationship of the stored permission identifier, the second key, the data ciphertext, and the data key ciphertext.
Specifically, in step S650, the permission identifier, the data ciphertext, the data key ciphertext, and the second key are stored in association with each other, and accordingly, in step S807, the target permission identifier, the target data key ciphertext, and the target second key corresponding to the data ciphertext to be accessed may be determined according to the stored association relationship between the permission identifier, the data ciphertext, the data key ciphertext, and the second key.
Subsequently, in step S808, when the rights identification in the data access request coincides with the target rights identification, the target first key corresponding to the target second key is determined.
And rejecting the data access request when the permission identification in the data access request is inconsistent with the target permission identification.
Since the first key and the second key in step S620 have a correspondence relationship, the target first key corresponding to the target second key can be determined based on the correspondence relationship.
If in step S620, the second key is a ciphertext obtained by encrypting the first key using a preset encryption algorithm; in step S808, the target second key is decrypted by using a preset decryption algorithm, so as to obtain the target first key. The preset decryption algorithm is a decryption algorithm corresponding to the encryption algorithm preset in step S620, for example, a decryption algorithm corresponding to an RSA encryption algorithm or an ElGamal encryption algorithm.
If the first key and the second key have the association relationship in step S620, in step S808, the target first key corresponding to the target second key may be determined by searching the association relationship list of the first key and the second key.
Subsequently, in step S809, the target data key ciphertext is decrypted using the target first key, resulting in a target data key.
Subsequently, in step S810, the ciphertext of the data to be accessed is decrypted using the target data key, thereby obtaining the data to be accessed.
Fig. 9 shows a schematic diagram of an embodiment of a data decryption process based on the method 800. As shown in fig. 9, the data access request initiated by the client includes the identifier of the data ciphertext to be accessed and the rights identification CMK, and based on the identifier of the data ciphertext to be accessed, the data ciphertext to be accessed DATA_t' can be determined. According to the pre-stored association relation of the rights identification CMK, the second key KEK, the data ciphertext DATA' and the data key ciphertext DEK', the target rights identification CMK_t, the target second key KEK_t and the target data key ciphertext DEK_t' corresponding to the data ciphertext to be accessed DATA_t' can be determined.
In step S910, the rights identification CMK carried in the data access request is compared with the target rights identification CMK_t to judge whether the two are consistent. If they are consistent, step S920 is executed; if not, the data access request of the client is denied.
In step S920, a target first key corresponding to the target second key is determined according to the correspondence between the first key and the second key. For example, the target second key KEK_t is decrypted to obtain the corresponding target first key KDK_t. Alternatively, the target first key KDK_t corresponding to the target second key KEK_t is determined according to the pre-stored association relation between the first key and the second key.
Subsequently, in step S930, the target first key KDK_t is used to decrypt the target data key ciphertext DEK_t', obtaining the target data key DEK_t.
Finally, in step S940, the target data key DEK_t is used to decrypt the data ciphertext to be accessed DATA_t', recovering the data plaintext DATA_t.
It should be noted that, the steps of the methods 200, 400, 600 and 800 may be performed by one server or may be performed cooperatively by a plurality of servers. For example, the storage server 120 may be responsible for encryption and decryption of data, and the key management server 140 may perform key management. FIG. 10 shows a schematic diagram of interactions of storage server 120 with key management server 140 during data storage according to one embodiment of the invention.
As shown in fig. 10, in step S1010, the client 110 transmits a DATA storage request including DATA to be stored, a storage space designated by a user for the DATA to be stored, and a rights identification CMK designated by the user to the storage server 120.
The storage server 120 determines whether the user has the authority to store the encrypted data in the designated storage space according to the authority identifier CMK designated by the user, and if so, proceeds to step S1020; if not, rejecting the data storage request.
In step S1020, the storage server 120 sends the rights identification CMK to the key management server 140 to instruct the key management server 140 to allocate the first key KDK, the second key KEK and the data key DEK for the present data storage.
Subsequently, in step S1030, the key management server 140 generates a first key KDK, a second key KEK, and a data key DEK, and returns the first key KDK, the second key KEK, and the data key DEK to the storage server 120. In one embodiment, the rights identification CMK is used only to trigger the key management server 140 to distribute keys, and does not participate in a specific key distribution process. In another embodiment, the rights identification CMK may also be stored in association with the assigned first key KDK, second key KEK.
Subsequently, in step S1040, after receiving the first key KDK, the second key KEK, and the DATA key DEK, the storage server 120 encrypts the DATA to be stored with the DATA key DEK to generate a DATA ciphertext DATA'; and then encrypting the data key DEK by adopting the first key KDK to generate a data key ciphertext DEK'.
Subsequently, in step S1050, the storage server 120 stores the DATA ciphertext DATA', the DATA key ciphertext DEK', the second key KEK, and the rights identification CMK in association in the designated storage space of the DATA storage 130. When the storage space is a socket in the Object storage system, the DATA ciphertext DATA', the DATA Key ciphertext DEK', the second Key KEK and the rights identification CMK correspond to an Object Obj, which is composed of an Object identifier (Key), user DATA (DATA) and Meta information (Object Meta), wherein the DATA ciphertext DATA' is the user DATA (DATA) of the Object Obj, and the DATA Key ciphertext DEK', the second Key KEK and the rights identification CMK are written into the Meta information (Object Meta) of the Object Obj.
Steps S1010 to S1050 show a procedure in which the storage server 120 performs encrypted storage of data uploaded by the client 110 in cooperation with the key management server 140. In addition to encrypting the data, the client 110 may access the stored data, and accordingly, the storage server 120 and the key management server 140 may decrypt the stored data and return the decrypted data to the client 110. Steps S1060 to S1110 show a procedure in which the storage server 120 decrypts the data in cooperation with the key management server 140 and returns the decrypted data to the client 110.
In step S1060, the client 110 sends a data access request to the storage server 120, where the data access request includes an identifier of a data ciphertext to be accessed and a rights identifier CMK. Based on the identification of the data ciphertext to be accessed, the data ciphertext to be accessed DATA_t' may be determined. If the data is stored in the storage space in the form of an Object (Object), the identification of the ciphertext of the data to be accessed is the Object identification (Key) of the Object.
Subsequently, in step S1070, the storage server 120 determines, according to the pre-stored association of the rights identification CMK, the second key KEK, the data ciphertext DATA' and the data key ciphertext DEK', the target rights identification CMK_t, the target second key KEK_t and the target data key ciphertext DEK_t' corresponding to the data ciphertext to be accessed DATA_t'.
The rights identification CMK carried in the data access request is compared with the target rights identification CMK_t to judge whether the two are consistent. If they are consistent, step S1080 is executed; if not, the data access request of the client is refused.
In step S1080, the storage server 120 sends the target second key KEK_t to the key management server 140, so that the key management server 140 determines the target first key KDK_t corresponding to the target second key KEK_t according to the correspondence between the first key and the second key. For example, the key management server 140 may decrypt the target second key KEK_t to obtain the corresponding target first key KDK_t, or determine the target first key KDK_t corresponding to the target second key KEK_t according to the pre-stored association relation between the first key and the second key.
Subsequently, in step S1090, the key management server 140 returns the target first key KDK_t to the storage server 120.
Subsequently, in step S1100, the storage server 120 uses the target first key KDK_t to decrypt the target data key ciphertext DEK_t', obtaining the target data key DEK_t. Then, the target data key DEK_t is used to decrypt the data ciphertext to be accessed DATA_t', recovering the data plaintext DATA_t.
Finally, in step S1110, the storage server 120 returns the data plaintext DATA_t to the client 110.
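The storage and access exchange of Fig. 10 (steps S1020 to S1110, which also cover the encryption and decryption steps of methods 600 and 800), written out as an added Go example that is not code from the patent. It assumes the association-list form of the first/second key correspondence and AES-256 in GCM mode for both layers; the names StorageServer, KeyManager, Object, seal and open are hypothetical, the identifiers and record are constructed, and the S1010 permission check on the storage space is left out.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/subtle"
	"errors"
	"fmt"
)

func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts pt under key and prepends the random nonce.
func seal(key, pt []byte) []byte {
	gcm, err := newGCM(key)
	if err != nil {
		panic(err)
	}
	nonce := randBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, pt, nil)
}

// open reverses seal; a wrong key or altered ciphertext returns an error.
func open(key, ct []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil || len(ct) < gcm.NonceSize() {
		return nil, errors.New("bad key or ciphertext")
	}
	return gcm.Open(nil, ct[:gcm.NonceSize()], ct[gcm.NonceSize():], nil)
}

// KeyManager stands in for key management server 140: the KEK -> KDK list.
type KeyManager map[string][]byte

// Allocate is step S1030: fresh KDK, KEK and DEK for one storage request.
func (km KeyManager) Allocate() (kdk, kek, dek []byte) {
	kdk, kek, dek = randBytes(32), randBytes(32), randBytes(32)
	km[string(kek)] = kdk
	return kdk, kek, dek
}

// Resolve is steps S1080 to S1090; an unknown KEK gives nil, which open rejects.
func (km KeyManager) Resolve(kek []byte) []byte { return km[string(kek)] }

// Object is what step S1050 persists: DATA' as user data, the rest as meta.
type Object struct {
	Data, WrappedDEK, KEK []byte // DATA', DEK', KEK
	CMK                   string
}

// StorageServer stands in for storage server 120.
type StorageServer struct {
	km      KeyManager
	objects map[string]Object
}

// Put is steps S1020 to S1050; KDK and DEK are used once and not kept here.
func (s *StorageServer) Put(id, cmk string, data []byte) {
	kdk, kek, dek := s.km.Allocate()
	s.objects[id] = Object{Data: seal(dek, data), WrappedDEK: seal(kdk, dek), KEK: kek, CMK: cmk}
}

// Get is steps S1060 to S1110: check CMK, resolve KDK, unwrap DEK, decrypt.
func (s *StorageServer) Get(id, cmk string) ([]byte, error) {
	obj, ok := s.objects[id]
	if !ok || subtle.ConstantTimeCompare([]byte(cmk), []byte(obj.CMK)) != 1 {
		return nil, errors.New("request rejected")
	}
	dek, err := open(s.km.Resolve(obj.KEK), obj.WrappedDEK)
	if err != nil {
		return nil, err
	}
	return open(dek, obj.Data)
}

func main() {
	s := &StorageServer{KeyManager{}, map[string]Object{}}
	s.Put("obj-1", "cmk-A", []byte("constructed sample record"))
	pt, err := s.Get("obj-1", "cmk-A")
	fmt.Printf("matching CMK: %q %v\n", pt, err)
	_, denied := s.Get("obj-1", "cmk-B")
	o := s.objects["obj-1"] // the stored object alone, without the KMS list
	_, wrongKey := open(o.KEK, o.WrappedDEK)
	fmt.Println("other CMK:", denied, "| KEK used as a key on DEK':", wrongKey)
}
```

In this variant the stored second key is only a lookup handle, so everything depends on the KEK-to-KDK list staying with the key manager: once that list is lost or deleted, the object can no longer be decrypted.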
FIG. 11 shows a schematic diagram of a computing device 700 according to one embodiment of the invention. As shown in FIG. 7, in a basic configuration 702, a computing device 700 typically includes a system memory 706 and one or more processors 704. A memory bus 708 may be used for communication between the processor 704 and the system memory 706.
Depending on the desired configuration, the processor 704 may be any type of processing including, but not limited to: a microprocessor (µP), a microcontroller (µC), a digital information processor (DSP), or any combination thereof. Processor 604 may include one or more levels of cache, such as a first level cache 710 and a second level cache 712, a processor core 714, and registers 716. Example processor cores 714 may include Arithmetic Logic Units (ALUs), Floating Point Units (FPUs), digital signal processing cores (DSP cores), or any combination thereof. An example memory controller 718 may be used with the processor 704, or in some implementations, the memory controller 718 may be an internal part of the processor 704.
Depending on the desired configuration, system memory 706 may be any type of memory including, but not limited to: volatile memory (such as RAM), non-volatile memory (such as ROM, flash memory, etc.), or any combination thereof. The system memory 706 may include an operating system 720, one or more applications 722, and program data 724. The application 722 is in effect a number of program instructions for instructing the processor 704 to perform a corresponding operation. In some implementations, the application 722 may be arranged to cause the processor 704 to operate with program data 724 on an operating system.
Computing device 700 may also include an interface bus 740 that facilitates communication from various interface devices (e.g., output devices 742, peripheral interfaces 744, and communication devices 746) to the basic configuration 702 via a bus/interface controller 730. The example output devices 742 include a graphics processing unit 748 and an audio processing unit 750. They may be configured to facilitate communication with various external devices, such as a display or speakers, via one or more A/V ports 752. Example peripheral interfaces 744 can include a serial interface controller 754 and a parallel interface controller 756, which can be configured to facilitate communication via one or more I/O ports 758 and external devices such as input devices (e.g., keyboard, mouse, pen, voice input device, touch input device) or other peripherals (e.g., printer, scanner, etc.). Example communication devices 746 may include a network controller 760 that may be arranged to facilitate communications with one or more other computing devices 762 over network communication links via one or more communication ports 764.
The network communication link may be one example of a communication medium. Communication media may typically be embodied by computer readable instructions, data structures, program modules, and may include any information delivery media in a modulated data signal, such as a carrier wave or other transport mechanism. A "modulated data signal" may be a signal that has one or more of its data set or changed in such a manner as to encode information in the signal. By way of non-limiting example, communication media may include wired media such as a wired network or special purpose network, and wireless media such as acoustic, radio frequency (RF), microwave, infrared (IR) or other wireless media. The term computer readable media as used herein may include both storage media and communication media.
In computing device 700 according to the present invention, application 722 may comprise, for example, data storage apparatus 1200, apparatus 1200 comprising a plurality of program instructions. The data storage device 1200 may instruct the processor 704 to perform the data storage method 200, 400, 600, or 800 of the present invention, thereby enabling encrypted storage of data uploaded by a user and decrypted access to the encrypted stored data.
Fig. 12 shows a schematic diagram of a data storage device 1200 according to one embodiment of the invention. The data storage device 1200 resides in a server (e.g., storage server 120) for performing any of the data storage methods 200, 400, 600, 800 of the present invention. As shown in fig. 8, the data storage device 1200 includes an encryption module 1210 and a storage module 1220.
The encryption module 1210 is adapted to encrypt data to be stored by using a data key to generate a data ciphertext; and encrypting the data key by adopting the first key to generate a data key ciphertext. The encryption module 1210 is specifically configured to perform the method as described in the foregoing steps S210 and S220, and the processing logic and functions of the encryption module 1210 can be referred to in the foregoing description of the steps S210 and S220, which are not repeated herein.
The storage module 1220 is adapted to store the data ciphertext and the data key ciphertext in association with a second key, where the second key has a correspondence with the first key. The storage module 1220 is specifically configured to perform the method of step S230, and the processing logic and functions of the storage module 1220 can be referred to the related description of step S230, which is not repeated herein.
According to one embodiment, the data storage device 1200 further includes a request receiving module 1230 and an authentication module 1240.
The request receiving module 1230 is adapted to receive a data storage request comprising data to be stored, a storage space identification and a rights identification. The authentication module 1240 is adapted to determine whether the authority for storing the encrypted data in the storage space is available according to the authority identification, and if not, reject the data storage request. The request receiving module 1230 and the authentication module 1240 are specifically configured to perform the method as described in the foregoing step S610, and the processing logic and functions of the request receiving module 1230 and the authentication module 1240 may be referred to the relevant description of the foregoing step S610, which is not repeated herein.
The various techniques described herein may be implemented in connection with hardware or software or, alternatively, with a combination of both. Thus, the methods and apparatus of the present invention, or certain aspects or portions of the methods and apparatus of the present invention, may take the form of program code (i.e., instructions) embodied in tangible media, such as removable hard drives, U-drives, floppy diskettes, CD-ROMs, or any other machine-readable storage medium, wherein, when the program is loaded into and executed by a machine, such as a computer, the machine becomes an apparatus for practicing the invention.
In the case of program code execution on programmable computers, the computing device will generally include a processor, a storage medium readable by the processor (including volatile and non-volatile memory and/or storage elements), at least one input device, and at least one output device. Wherein the memory is configured to store program code; the processor is configured to perform the data storage method of the present invention in accordance with instructions in said program code stored in the memory.
By way of example, and not limitation, readable media comprise readable storage media and communication media. The readable storage medium stores information such as computer readable instructions, data structures, program modules, or other data. Communication media typically embodies computer readable instructions, data structures, program modules or other data in a modulated data signal such as a carrier wave or other transport mechanism and includes any information delivery media. Combinations of any of the above are also included within the scope of readable media.
In the description provided herein, algorithms and displays are not inherently related to any particular computer, virtual system, or other apparatus. Various general-purpose systems may also be used with examples of the invention. The required structure for a construction of such a system is apparent from the description above. In addition, the present invention is not directed to any particular programming language. It will be appreciated that the teachings of the present invention described herein may be implemented in a variety of programming languages, and the above description of specific languages is provided for disclosure of enablement and best mode of the present invention.
In the description provided herein, numerous specific details are set forth. However, it is understood that embodiments of the invention may be practiced without these specific details. In some instances, well-known methods, structures and techniques have not been shown in detail in order not to obscure an understanding of this description.
Similarly, it should be appreciated that in the foregoing description of exemplary embodiments of the invention, various features of the invention are sometimes grouped together in a single embodiment, figure, or description thereof for the purpose of streamlining the disclosure and aiding in the understanding of one or more of the various inventive aspects. However, the disclosed method should not be construed as reflecting the intention that: i.e., the claimed invention requires more features than are expressly recited in each claim. Rather, as the following claims reflect, inventive aspects lie in less than all features of a single foregoing disclosed embodiment. Thus, the claims following the detailed description are hereby expressly incorporated into this detailed description, with each claim standing on its own as a separate embodiment of this invention.
Those skilled in the art will appreciate that the modules or units or components of the devices in the examples disclosed herein may be arranged in a device as described in this embodiment, or alternatively may be located in one or more devices different from the devices in this example. The modules in the foregoing examples may be combined into one module or may be further divided into a plurality of sub-modules.
Those skilled in the art will appreciate that the modules in the apparatus of the embodiments may be adaptively changed and disposed in one or more apparatuses different from the embodiments. The modules or units or components of the embodiments may be combined into one module or unit or component and, furthermore, they may be divided into a plurality of sub-modules or sub-units or sub-components. Any combination of all features disclosed in this specification (including any accompanying claims, abstract and drawings), and all of the processes or units of any method or apparatus so disclosed, may be used in combination, except insofar as at least some of such features and/or processes or units are mutually exclusive. Each feature disclosed in this specification (including any accompanying claims, abstract and drawings), may be replaced by alternative features serving the same, equivalent or similar purpose, unless expressly stated otherwise.
Furthermore, those skilled in the art will appreciate that while some embodiments described herein include some features but not others included in other embodiments, combinations of features of different embodiments are meant to be within the scope of the invention and form different embodiments. For example, in the following claims, any of the claimed embodiments can be used in any combination.
Furthermore, some of the embodiments are described herein as methods or combinations of method elements that may be implemented by a processor of a computer system or by other means of performing the functions. Thus, a processor with the necessary instructions for implementing the described method or method element forms a means for implementing the method or method element. Furthermore, the elements of the apparatus embodiments described herein are examples of the following apparatus: the apparatus is for carrying out the functions performed by the elements for carrying out the objects of the invention.
As used herein, unless otherwise specified the use of the ordinal terms "first," "second," "third," etc., to describe a general object merely denote different instances of like objects, and are not intended to imply that the objects so described must have a given order, either temporally, spatially, in ranking, or in any other manner.
While the invention has been described with respect to a limited number of embodiments, those skilled in the art, having benefit of the above description, will appreciate that other embodiments are contemplated within the scope of the invention as described herein. Furthermore, it should be noted that the language used in the specification has been principally selected for readability and instructional purposes, and may not have been selected to delineate or circumscribe the inventive subject matter. Accordingly, many modifications and variations will be apparent to those of ordinary skill in the art without departing from the scope and spirit of the appended claims. The disclosure of the present invention is intended to be illustrative, but not limiting, of the scope of the invention, which is defined by the appended claims.

Claims (10)

1. A data storage method, comprising:
encrypting the data to be stored by adopting a data key to generate a data ciphertext;
encrypting the data key by adopting a first key to generate a data key ciphertext;
and storing the data ciphertext and the data key ciphertext in association with a second key, wherein the first key and the second key are stored in association so that the first key and the second key have a corresponding relationship.
2. The method of claim 1, wherein before the step of encrypting the data to be stored using the data key, further comprising the step of:
receiving a data storage request, wherein the data storage request comprises data to be stored, a storage space identifier and a permission identifier;
judging whether the authority for storing the encrypted data in the storage space is available or not according to the authority identification, and rejecting the data storage request if not.
3. The method of claim 2, wherein,
the data ciphertext, the data key ciphertext, the second key and the permission identifier are stored in association.
4. The method of claim 1, further comprising:
receiving a data access request, wherein the data access request comprises an identification of a data ciphertext to be accessed;
acquiring a target data key ciphertext and a target second key corresponding to the data ciphertext to be accessed according to the association relationship among the stored data ciphertext, the data key ciphertext and the second key;
determining a target first key corresponding to the target second key according to the corresponding relation between the first key and the second key;
decrypting the target data key ciphertext by using the target first key to obtain a target data key; and
decrypting the data ciphertext to be accessed by adopting the target data key to obtain the data to be accessed.
5. The method of claim 4, wherein the determining the target first key corresponding to the target second key according to the correspondence between the first key and the second key comprises:
and determining the target first key corresponding to the target second key according to the association relation between the stored first key and the second key.
6. The method of claim 4, wherein the data access request further comprises a permission identifier; before the step of determining the target first key corresponding to the target second key, the method further includes:
acquiring a target data key ciphertext, a target second key and a target permission identifier corresponding to the data ciphertext to be accessed according to the association relationship among the stored data ciphertext, the data key ciphertext, the second key and the permission identifier;
judging whether the permission identifier in the data access request is consistent with the target permission identifier, and if not, rejecting the data access request.
7. A data storage device, comprising:
the encryption module is suitable for encrypting the data to be stored by adopting the data key to generate a data ciphertext; encrypting the data key by adopting a first key to generate a data key ciphertext;
and the storage module is suitable for storing the data ciphertext and the data key ciphertext in association with a second key, wherein the first key and the second key are stored in association so that the first key and the second key have a corresponding relationship.
8. The apparatus of claim 7, further comprising:
the request receiving module is suitable for receiving a data storage request, wherein the data storage request comprises data to be stored, a storage space identifier and a permission identifier;
and the authentication module is suitable for judging, according to the permission identifier, whether permission exists to store encrypted data in the storage space, and if not, rejecting the data storage request.
9. A computing device, comprising:
at least one processor; and
a memory storing program instructions, wherein the program instructions are configured to be adapted to be executed by the at least one processor, the program instructions comprising instructions for performing the method of any of claims 1-6.
10. A readable storage medium storing program instructions which, when read and executed by a computing device, cause the computing device to perform the method of any of claims 1-6.
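The store and access flows of claims 1 to 6, as an added Python sketch that is not code from the patent. It assumes the second key is an opaque handle used to look up the first key and that permissions are a per-storage-space allow-list; the cipher is an HMAC-SHA256 encrypt-then-MAC stand-in for a vetted AEAD such as AES-GCM, chosen so the sketch runs on the standard library alone.

```python
import hashlib, hmac, secrets

def _keystream(key, nonce, n):
    blocks = (hmac.new(key, b"enc" + nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key, plaintext):
    # Stand-in authenticated cipher (assumption): keystream XOR, then a MAC over nonce + body.
    nonce = secrets.token_bytes(16)
    body = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + body + hmac.new(key, b"mac" + nonce + body, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, b"mac" + nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    return bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body))))

class EnvelopeStore:
    def __init__(self):
        self.first_keys = {}  # second key -> first key (assumed lookup; a KMS in practice)
        self.acl = {}         # storage space id -> allowed permission ids (assumed model)
        self.records = {}     # ciphertext id -> (data ct, data key ct, second key, permission)

    def new_first_key(self):
        second_key = secrets.token_hex(16)
        self.first_keys[second_key] = secrets.token_bytes(32)
        return second_key

    def put(self, space, permission, second_key, data):
        if permission not in self.acl.get(space, set()):        # claim 2: reject the request
            raise PermissionError("storage request rejected")
        data_key = secrets.token_bytes(32)                       # fresh data key per object
        record = (seal(data_key, data),                          # data ciphertext
                  seal(self.first_keys[second_key], data_key),   # data key ciphertext
                  second_key, permission)                        # claims 1 and 3
        ct_id = secrets.token_hex(8)
        self.records[ct_id] = record
        return ct_id

    def get(self, ct_id, permission):
        data_ct, key_ct, second_key, target_permission = self.records[ct_id]
        if permission != target_permission:                      # claim 6: reject the request
            raise PermissionError("access request rejected")
        data_key = unseal(self.first_keys[second_key], key_ct)   # claims 4 and 5
        return unseal(data_key, data_ct)
```

Because only the data key ciphertext depends on the first key, replacing a first key means re-wrapping the stored data keys, not re-encrypting the stored data.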
CN201910017093.1A 2019-01-08 2019-01-08 Data storage method and device and computing equipment Active CN111414628B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910017093.1A CN111414628B (en) 2019-01-08 2019-01-08 Data storage method and device and computing equipment

Publications (2)

Publication Number Publication Date
CN111414628A (en) 2020-07-14
CN111414628B (en) 2024-01-02

Family

ID=71492687

Country Status (1)

Country Link
CN (1) CN111414628B (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant