CN111539031B - Data integrity detection method and system for privacy protection of cloud storage tag - Google Patents
Data integrity detection method and system for privacy protection of cloud storage tag Download PDFInfo
- Publication number
- CN111539031B CN111539031B CN202010386096.5A CN202010386096A CN111539031B CN 111539031 B CN111539031 B CN 111539031B CN 202010386096 A CN202010386096 A CN 202010386096A CN 111539031 B CN111539031 B CN 111539031B
- Authority
- CN
- China
- Prior art keywords
- data
- user
- stored
- parameter
- cloud
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
Images
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/64—Protecting data integrity, e.g. using checksums, certificates or signatures
- G06F21/645—Protecting data integrity, e.g. using checksums, certificates or signatures using a third party
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/62—Protecting access to data via a platform, e.g. using keys or access control rules
- G06F21/6218—Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
- G06F21/6245—Protecting personal data, e.g. for financial or medical purposes
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L67/00—Network arrangements or protocols for supporting network services or applications
- H04L67/01—Protocols
- H04L67/10—Protocols in which an application is distributed across nodes in the network
- H04L67/1097—Protocols in which an application is distributed across nodes in the network for distributed storage of data in networks, e.g. transport arrangements for network file system [NFS], storage area networks [SAN] or network attached storage [NAS]
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0816—Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
- H04L9/0819—Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
- H04L9/0825—Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) using asymmetric-key encryption or public key infrastructure [PKI], e.g. key signature or public key certificates
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0816—Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
- H04L9/0819—Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
- H04L9/083—Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) involving central third party, e.g. key distribution center [KDC] or trusted third party [TTP]
Abstract
The invention relates to a data integrity detection method and system for privacy protection of a cloud storage tag. The method comprises the following steps: acquiring system parameters disclosed by a key distribution center; acquiring a first parameter disclosed by a trusted authority; generating a label with privacy protection corresponding to the data to be stored of the user according to the system parameter, the private key of the user and the first parameter; sending the data to be stored and the label with privacy protection to a cloud service provider for cloud storage; acquiring a second parameter disclosed by the user; the cloud service provider performs integrity verification on the cloud-stored data according to the system parameters, the first parameters and the second parameters; and the third party audit carries out integrity verification on the data stored in the cloud according to the entrustment of the user. The invention can improve the safety performance of cloud storage.
Description
Technical Field
The invention relates to the technical field of privacy protection, in particular to a data integrity detection method and system for privacy protection of a cloud storage tag.
Background
With the development and popularization of cloud computing technology, more and more individuals and enterprise users save data by means of remote cloud storage platforms. The user can use the cloud storage service in a pay-as-needed manner without building hardware resources locally. Once the data is sent to the cloud, the user loses control over the data, and meanwhile, no data copy is stored locally, so that the integrity of the data in the cloud cannot be guaranteed. In the data integrity detection mechanism, a user processes data (such as photos, videos, electronic checks and the like), generates a verifiable data signature tag for each data block, and sends the data signature tag and the data signature tag to a cloud service provider for storage. Once a user's signature tag (e.g., an electronic check) is obtained by others (e.g., a malicious cloud service provider, hacker, etc.), they can take the corresponding cash away, thereby causing immeasurable losses to the user. Therefore, the data integrity detection method and system scheme for privacy protection of the cloud storage tag is very meaningful and has extremely strong practical application background.
The signature mechanism is an important means of ensuring data integrity. In the data integrity detection system, the data signature tag is directly sent to a cloud service provider for storage, and once the cloud service provider is malicious, the data signature tag may be saved in an attempt to obtain the maximum benefit. Meanwhile, the integrity verification process requires the verifier to perform heavy modular exponentiation, and the integrity verification process needs to be performed periodically. A common approach is to delegate periodic integrity verification tasks to third-party audits or proxies, thereby reducing the computational burden on the user. Data signature tags are visible to third party audits and if they are malicious, the privacy of the data signature tags may be compromised. Therefore, a secure data integrity detection scheme is required to be considered, which can hide the data signature tag and efficiently perform data integrity detection. The data integrity detection method and system scheme for cloud storage tag privacy protection need to meet the requirements, and privacy of a data signature tag is guaranteed.
The current data integrity detection scheme is mainly divided into two processes. The data storage process is that a user processes data, a verifiable data signature tag is generated for each data block, the data signature tags are sent to a cloud service provider together for storage, and meanwhile, a local copy is deleted. And in the data auditing process, a user (verifier) submits a random inquiry challenge to the cloud end, the cloud server generates a response by using the stored data and the signature tag and returns the response to the user (verifier), and finally the user (verifier) judges the integrity of the data according to the response of the cloud server. Such a scheme may present a problem: data signature tags are visible to cloud service providers or third party audits, and if they are malicious, they may cause immeasurable loss to users, resulting in poor cloud storage security.
Disclosure of Invention
The invention aims to provide a data integrity detection method and a data integrity detection system for privacy protection of a cloud storage tag, so as to improve the safety performance of cloud storage.
In order to achieve the purpose, the invention provides the following scheme:
a data integrity detection method for privacy protection of a cloud storage tag comprises the following steps:
obtaining system parameters disclosed by a key distribution center;
acquiring a first parameter disclosed by a trusted authority;
generating a label with privacy protection corresponding to the data to be stored of the user according to the system parameter, the private key of the user and the first parameter; the private key of the user is generated by the key distribution center according to the identity of the user;
sending the data to be stored and the tag with privacy protection to a cloud service provider for cloud storage;
acquiring a second parameter disclosed by the user;
the cloud service provider performs integrity verification on the cloud stored data according to the system parameters, the first parameters and the second parameters;
and the third party audit carries out integrity verification on the data stored in the cloud according to the entrustment of the user.
Optionally, the obtaining of the system parameter disclosed by the key distribution center further includes:
the user submits a user Identity (ID) to the key distribution center to obtain a private key of the user returned by the key distribution center;
and the trusted authority submits the ID of the trusted authority to the key distribution center to obtain the private key of the trusted authority returned by the key distribution center.
Optionally, the generating a tag for privacy protection of data to be stored by the user according to the system parameter, the private key of the user, and the first parameter specifically includes:
dividing the data to be stored into a plurality of data blocks;
randomly generating a second parameter and a third parameter according to the first parameter;
for each data block, generating a verifiable label according to the system parameters and the private key of the user;
generating a label with privacy protection corresponding to each data block according to the third parameter and the verifiable label of each data block;
and determining a set formed by the privacy protection tags corresponding to each data block as the tags for privacy protection of the data to be stored by the user.
Optionally, the third-party audit performs integrity verification on the cloud-stored data according to a commission of a user, and specifically includes:
according to the data to be stored by the user, the third party audits and generates a challenge request;
the cloud service provider generates an integrity evidence according to the challenge request, the cloud-stored data and the label corresponding to the cloud-stored data;
the third party audit carries out validity verification on the integrity evidence according to the first parameter and the second parameter;
when the integrity evidence is valid, determining that the cloud stored data is complete;
when the integrity evidence is invalid, determining that the cloud stored data is incomplete.
Optionally, the method further includes:
when the cloud service provider requests the trusted authority for the real label of the data to be stored of the user, the trusted authority calculates the label with privacy protection corresponding to the data to be stored of the user according to the private key of the trusted authority and the second parameter, and the real label corresponding to the data to be stored of the user is obtained.
The invention also provides a data integrity detection system for privacy protection of the cloud storage tag, which comprises the following steps:
the system parameter acquisition module is used for acquiring system parameters disclosed by the key distribution center;
the first parameter acquisition module is used for acquiring a first parameter disclosed by a trusted authority;
the label generation module with privacy protection is used for generating a label with privacy protection corresponding to the data to be stored of the user according to the system parameters, the private key of the user and the first parameters; the private key of the user is generated by the key distribution center according to the identity of the user;
the cloud storage module is used for sending the data to be stored and the label with privacy protection to a cloud service provider for cloud storage;
the second parameter acquisition module is used for acquiring a second parameter disclosed by the user;
the cloud service provider integrity verification module is used for verifying the integrity of the cloud stored data by using a cloud service provider according to the system parameters, the first parameters and the second parameters;
and the third party audit integrity verification module is used for verifying the integrity of the cloud storage data by using third party audit according to the entrustment of the user.
Optionally, the method further includes:
the user private key generation module is used for generating a private key of the user by using the key distribution center according to the user identity ID submitted to the key distribution center by the user;
and the trusted authority private key generation module is used for submitting the trusted authority identity ID to the key distribution center according to the trusted authority and generating the private key of the trusted authority by using the key distribution center.
Optionally, the tag generation module with privacy protection specifically includes:
the data block dividing unit is used for dividing the data to be stored into a plurality of data blocks;
a second parameter and third parameter generating unit, configured to randomly generate a second parameter and a third parameter according to the first parameter;
the verifiable label generating unit is used for generating a verifiable label of each data block according to the system parameters and the private key of the user;
a label generating unit with privacy protection, configured to generate a label with privacy protection corresponding to each data block according to the third parameter and a verifiable label of each data block;
and the tag determining unit with privacy protection corresponding to the data to be stored is used for determining a set formed by the tags with privacy protection corresponding to each data block as the tags with privacy protection corresponding to the data to be stored of the user.
Optionally, the third party audit integrity verification module specifically includes:
the challenge request generating unit is used for generating a challenge request by utilizing the third-party audit according to the data to be stored by the user;
the integrity evidence generating unit is used for generating integrity evidence by using the cloud service provider according to the challenge request, the cloud-stored data and the label corresponding to the cloud-stored data;
the validity verification unit is used for verifying the validity of the integrity evidence by using the third-party audit according to the first parameter and the second parameter;
the data integrity determination unit is used for determining that the data stored in the cloud is complete when the integrity evidence is valid;
a data incomplete determination unit configured to determine that the cloud-stored data is incomplete when the integrity evidence is invalid.
Optionally, the method further includes:
and the real label calculation module is used for calculating a label with privacy protection corresponding to the data to be stored of the user by using the trusted authority according to the private key of the trusted authority and the second parameter when the cloud service provider requests the trusted authority for the real label of the data to be stored of the user, so as to obtain the real label corresponding to the data to be stored of the user.
According to the specific embodiment provided by the invention, the invention discloses the following technical effects:
the invention uses the verifiable encryption signature technology to encrypt the real data signature tag, and the cloud server or third party audit can still efficiently detect the data integrity without decryption, thereby ensuring the privacy of the data signature tag. The invention achieves the verifiable security in cryptography, has high safety, realizes a safe data integrity detection scheme, has the advantages of high efficiency, low cost, high safety, strong operability and the like, and can be used for storing important files such as photos, electronic checks, contract books and the like.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings required in the embodiments will be briefly described below, and it is obvious that the drawings in the following description are only some embodiments of the present invention, and it is obvious for those skilled in the art that other drawings can be obtained according to these drawings without creative efforts.
Fig. 1 is a schematic flow chart of a data integrity detection method for privacy protection of a cloud storage tag according to the present invention;
FIG. 2 is a schematic structural diagram of a data integrity detection system for privacy protection of a cloud storage tag according to the present invention;
FIG. 3 is a system model diagram of an embodiment of the present invention;
fig. 4 is a data flow diagram according to an embodiment of the invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
In order to make the aforementioned objects, features and advantages of the present invention comprehensible, embodiments accompanied with figures are described in further detail below.
Fig. 1 is a schematic flow chart of a data integrity detection method for privacy protection of a cloud storage tag according to the present invention. As shown in fig. 1, the data integrity detection method for privacy protection of cloud storage tags of the present invention includes the following steps:
step 100: system parameters disclosed by a key distribution center are obtained. According to the safety parametersThe number, key distribution center KGC selects two multiplication cyclic groups G with prime number p as order 1 And G 2 G is G 1 Generating element of group, randomly selecting u E G 1 . Defining bilinear operation e G 1 ×G 1 →G 2 . Defining two hash functions H 1 :{0,1} * →Z p * ,H 2 :{0,1} * →G 1 * ,Represents->Set of integers other than 0, G 1 * Represents G 1 Except for 0. Random selection>Let Y = g r . Then the system parameter MPK = (G) 1 ,G 2 ,e,q,g,Y,u,H 1 ,H 2 ) The master private key MSK = r. The key distribution center KGC discloses the system parameters MPK.
Step 200: a first parameter disclosed by a trusted authority is obtained. Before the first parameter is disclosed by the trusted authority, the private key of the user and the private key of the trusted authority need to be generated. Specifically, the user submits a user identity ID to the key distribution center to obtain a private key of the user returned by the key distribution center, and the trusted authority submits a trusted authority identity ID to the key distribution center to obtain a private key of the trusted authority returned by the key distribution center. The key distribution center randomly selects s E Z P * Generating a private key sk of the user and the trusted authority i =(sk i,1 ,sk i,2 ) Wherein, sk i,1 =g s ,sk i,2 =s+rH 1 (ID i ,sk i,1 ) mod q, i ∈ { CU, TA }, and sends the private key sk through a secure channel CU And sk TA Respectively sent to the cloud user and the trusted authority, sk CU Is the private key, sk, of the user CU =(sk CU,1 ,sk CU,2 ),sk TA As a trusted authorityPrivate key of (Sk) TA =(sk TA,1 ,sk TA,2 )。
Step 300: and generating a label with privacy protection corresponding to the data to be stored of the user according to the system parameters, the private key of the user and the first parameters. The private key of the user is generated by the key distribution center according to the identity of the user. The specific process is as follows:
and dividing the data to be stored into a plurality of data blocks.
Randomly selecting alpha epsilon Z according to the first parameter (R, Z) p * Using the formula η = g α And λ = Z α A second parameter η and a third parameter λ are generated.
For each data block, using a formula based on the system parameters and the user's private keyAnd generating a tag which can be verified by the ith data block, wherein the name is the file name of the data to be stored, and i represents the ith data block.
And generating a label with privacy protection corresponding to each data block according to the third parameter and the verifiable label of each data block. The ith data block has a privacy protection label of sigma i =σ i ′·λ。
Phi = { sigma (σ) = a set of privacy-protected tags corresponding to each data block i } 1≤i≤n And determining a label for privacy protection of the data to be stored of the user.
Step 400: and sending the data to be stored and the label with privacy protection to a cloud service provider for cloud storage.
Step 500: and acquiring a second parameter disclosed by the user.
Step 600: the cloud service provider completes the cloud storage data according to the system parameters, the first parameters and the second parametersAnd (5) sex verification. After receiving the data, the cloud service provider firstly calculatesAnd &>It is then determined whether the following equation holds:
if the equation is true, the data block is complete and then stored.
Step 700: and the third party audit carries out integrity verification on the data stored in the cloud according to the entrustment of the user. The specific process is as follows:
and generating a challenge request by the third party audit according to the data to be stored by the user. When a cloud user entrusts third party audit to execute a data integrity detection task, the third party audit divides the data F into block indexes [1,n ]]In the random selection of c block indexes s 1 ,...,s c H, let I = { s = } 1 ,...,s c }. For each I ∈ I, randomly choose ν i ∈Z p Simultaneously generating a challenge request chal = { i, v = [, v [ ] i } i∈I 。
And the cloud service provider generates an integrity evidence according to the challenge request, the cloud-stored data and the label corresponding to the cloud-stored data. When a challenge request is received by the cloud service providerThen, from the data { F, Φ } stored on its server, μ = ∑ ν is calculated i m i And &>Combining the two together generates one integrity proof P = (μ, σ).
And the third party audit carries out validity verification on the integrity evidence according to the first parameter and the second parameter. Verifying whether the integrity proof is valid by verifying whether the proof P satisfies the following equation:
determining that the cloud stored data is complete when the equation is such that the integrity evidence is immediately valid.
When the equation is false, i.e., the integrity evidence is invalid, it is determined that the cloud-stored data is incomplete.
In addition, when the cloud service provider requests the trusted authority for the real label of the data to be stored of the user, the trusted authority utilizes a formula for the label with privacy protection corresponding to the data to be stored of the user according to the private key of the trusted authority and the second parameterCalculating to obtain a real label sigma corresponding to the data to be stored of the user i '。
Fig. 2 is a schematic structural diagram of a data integrity detection system for privacy protection of a cloud storage tag according to the present invention. As shown in fig. 2, the data integrity detection system for privacy protection of cloud storage tags of the present invention includes the following structures:
a system parameter obtaining module 201, configured to obtain a system parameter disclosed by the key distribution center.
The first parameter obtaining module 202 is configured to obtain a first parameter disclosed by the trusted authority.
The tag generation module with privacy protection 203 is used for generating a tag with privacy protection corresponding to the data to be stored of the user according to the system parameter, the private key of the user and the first parameter; and the private key of the user is generated by the key distribution center according to the identity of the user.
The cloud storage module 204 is configured to send the data to be stored and the tag with privacy protection to a cloud service provider for cloud storage.
A second parameter obtaining module 205, configured to obtain a second parameter disclosed by the user.
And the cloud service provider integrity verification module 206 is configured to perform integrity verification on the cloud-stored data by using a cloud service provider according to the system parameter, the first parameter, and the second parameter.
And the third party audit integrity verification module 207 is used for verifying the integrity of the cloud-stored data by using third party audit according to the entrustment of the user.
As another embodiment, the data integrity detection system for privacy protection of cloud storage tags of the present invention further includes:
and the user private key generation module is used for generating a private key of the user by using the key distribution center according to the user identity ID submitted to the key distribution center by the user.
And the trusted authority private key generation module is used for submitting the trusted authority identity ID to the key distribution center according to the trusted authority and generating the private key of the trusted authority by using the key distribution center.
As another embodiment, in the data integrity detection system with privacy protection for cloud storage tags according to the present invention, the tag generation module 203 with privacy protection specifically includes:
and the data block dividing unit is used for dividing the data to be stored into a plurality of data blocks.
And the second parameter and third parameter generating unit is used for randomly generating a second parameter and a third parameter according to the first parameter.
And the verifiable label generating unit is used for generating a verifiable label of each data block according to the system parameters and the private key of the user.
And the label generating unit with privacy protection is used for generating a label with privacy protection corresponding to each data block according to the third parameter and the verifiable label of each data block.
And the tag determination unit with privacy protection corresponding to the data to be stored is used for determining a set formed by the tags with privacy protection corresponding to each data block as the tags with privacy protection corresponding to the data to be stored of the user.
As another embodiment, in the data integrity detection system with privacy protection of cloud storage tags of the present invention, the third party audit integrity verification module 207 specifically includes:
and the challenge request generating unit is used for generating a challenge request by utilizing the third-party audit according to the data to be stored by the user.
And the integrity evidence generating unit is used for generating integrity evidence by using the cloud service provider according to the challenge request, the cloud-stored data and the label corresponding to the cloud-stored data.
And the validity verification unit is used for verifying the validity of the integrity evidence by using the third-party audit according to the first parameter and the second parameter.
And the data integrity determination unit is used for determining that the data stored in the cloud is complete when the integrity evidence is valid.
A data incomplete determination unit configured to determine that the cloud-stored data is incomplete when the integrity evidence is invalid.
As another embodiment, the system for detecting data integrity of privacy protection of cloud storage tags further includes:
and the real label calculation module is used for calculating a label with privacy protection corresponding to the data to be stored of the user by using the trusted authority according to the private key of the trusted authority and the second parameter when the cloud service provider requests the trusted authority for the real label of the data to be stored of the user, so as to obtain the real label corresponding to the data to be stored of the user.
The following example is provided to further illustrate the invention.
Fig. 3 is a model diagram of a system according to an embodiment of the present invention, and as shown in fig. 3, the system according to the embodiment includes a key distribution center KGC, a cloud user CU, a cloud service provider CSP, a third party audit TPA, and a trusted authority TA. The key distribution center KGC is responsible for generating private keys of users and trusted authorities, and is honest; the cloud user CU is responsible for outsourcing own data to a cloud service provider CSP, which is honest; the cloud service provider CSP is responsible for providing a large amount of storage space and computing services, and is semi-honest; the third party auditing TPA is entrusted by the cloud user CU, is responsible for detecting the integrity of data, and is semi-honest; the trusted authority TA is an authority trusted by both the cloud user CU and the cloud service provider CSP, and is responsible for recovering the authentic tag, which is trusted. By semi-honest is meant that the protocol can be executed correctly but it may be possible to save the authentic data tag in an attempt to gain its own interest.
Fig. 4 is a data flow diagram according to an embodiment of the invention. As shown in fig. 4, the process of this embodiment is as follows:
step 1: and initializing the system, and generating common parameters required by the scheme. System common parameter MPK = (G) 1 ,G 2 ,e,q,g,Y,u,H 1 ,H 2 ) The master private key MSK = r. The key distribution center KGC discloses the system parameters MPK.
And 2, step: and (5) extracting the secret key, and generating respective private keys according to the identities.
Step 2.1: the cloud user CU or the trusted authority TA submits the identity ID thereof i ∈{0,1} * To the key distribution center KGC. KGC randomly selects s ∈ Z P * Calculating the private key sk i =(sk i,1 ,sk i,2 ),sk i,1 =g s ,sk i,2 =s+rH 1 (ID i ,sk i,1 ) modq. Where i ∈ { CU, TA }.
Step 2.2: the secret key sk is sent to the secret key distribution center KGC through a secure channel CU And sk TA And respectively sending the data to the cloud user CU and the trusted authority TA.
Step 2.3: after the private key is received by the cloud user CU and the trusted authority TA, whether the following equation is established or not is verified:if yes, receiving the private key of the user. Is arranged and/or is>R=g s The trusted authority publishes the parameters (R, Z).
And step 3: generating a label, namely performing block processing on the data and generating a corresponding signature label at the same time;
step 3.1: the cloud user CU divides the data F with the file name of name into n blocks, namely F = (m) 1 ,...,m n ). Randomly selecting alpha epsilon Z p Calculating λ = Z α And η = g α . For each block m of data F i Generating a verifiable labelAccording to λ and σ i ', generating a privacy-preserving label sigma i =σ i '. λ and labelset Φ = { σ = { i } 1≤i≤n 。
Step 3.2: the cloud user CU sends the data F, Φ to the cloud service provider CPS.
Step 3.3: the cloud user CU discloses the parameter η.
And 4, step 4: the label is verified, and the received data is verified, updated and stored;
step 4.1: after receiving the data, the cloud service provider firstly calculatesAnd &>It is then determined whether the following equation holds:
step 4.2: if the equation is true, the data block is complete and then stored.
And 5: generating a challenge, and initiating a challenge request of integrity verification;
step 5.1: and the CU of the cloud user entrusts a third party to audit the TPA and execute a data integrity detection task. Third party audits TPA fromData F Block index [1,n]In the random selection of c block indexes s 1 ,...,s c Let I = { s } 1 ,...,s c }. For each I ∈ I, randomly choose ν i ∈Z p Simultaneously generating a challenge request chal = { i, v = [, v [ ] i } i∈I 。
Step 5.2: the third party audits the TPA sending the challenge request to the cloud service provider CPS.
And 6: generating an evidence, namely generating an integrity evidence according to the request;
step 6.1: when a challenge request is received by a cloud service provider CPSThen, from the data { F, Φ } stored on its server, μ = ∑ ν is calculated i m i And &>Combining the two together generates one integrity proof P = (μ, σ).
Step 6.2: the cloud service provider CPS returns the evidence P to the third party audit TPA.
And 7: verifying the evidence, namely verifying the received evidence and returning a detection result;
step 7.1: after the third party audits the TPA to receive the evidence, verifying whether the evidence P correctly passes the following equation:
and 7.2: if the result is true, the TPA is audited by a third party to ensure that P is a valid evidence, which indicates that the data is complete; otherwise, the data is described as being corrupted. And the TPA is audited by the third party and the detection result is returned to the CU of the cloud user.
And 8: extracting a label, namely extracting a real label from the hidden signature label:
step 8.1: when the cloud service provider CPS needs a real label, the trusted authority TA calculates by using its private keyThus obtaining the compound.
Step 8.2: trusted authority TA will σ i ' is sent to the cloud service provider CPS.
The invention aims to protect the privacy of a data signature tag, in a traditional data integrity detection scheme, a cloud user basically directly sends the data signature tag to a cloud server for storage, and once the cloud server or third-party audit is malicious, property or other important file loss can be brought to the cloud user. According to the scheme, the verifiable encryption signature technology is used for the data signature tag, so that the data integrity detection can still be efficiently carried out under the condition that a verifier does not obtain a real data signature tag.
The invention has the following beneficial effects:
(1) In a traditional data integrity detection scheme, a cloud user directly sends a data signature tag to a cloud server, and once the cloud server or third-party audit is malicious, the data signature tag may be saved for profit making. The invention uses the verifiable encryption signature technology to encrypt the real data signature tag, and the cloud server or third party audit can still efficiently detect the data integrity without decryption, thereby ensuring the privacy of the data signature tag.
(2) Current partial data integrity schemes are performed in a public key environment, and each cloud user needs to hold a public key certificate issued by a trusted intermediary, which increases the burden of system management, maintenance and verification. The invention uses the identity of the cloud user as the public key thereof, thereby eliminating the burden of managing the public key certificate.
(3) The invention achieves the verifiable security in cryptography, has high safety, realizes a safe data integrity detection scheme, has the advantages of high efficiency, low cost, high safety, strong operability and the like, and can be used for storing important files such as photos, electronic checks, contract books and the like.
The embodiments in the present description are described in a progressive manner, each embodiment focuses on differences from other embodiments, and the same and similar parts among the embodiments are referred to each other. For the system disclosed by the embodiment, the description is relatively simple because the system corresponds to the method disclosed by the embodiment, and the relevant points can be referred to the method part for description.
The principles and embodiments of the present invention have been described herein using specific examples, which are provided only to help understand the method and the core concept of the present invention; meanwhile, for a person skilled in the art, according to the idea of the present invention, the specific embodiments and the application range may be changed. In view of the foregoing, the description is not to be taken in a limiting sense.
Claims (8)
1. A data integrity detection method for privacy protection of a cloud storage tag is characterized by comprising the following steps:
obtaining system parameters disclosed by a key distribution center;
obtaining a first parameter disclosed by a trusted authority, and sending a private key sk through a secure channel CU And sk TA Respectively sending the information to the cloud user and the trusted authority;
generating a label with privacy protection corresponding to the data to be stored of the user according to the system parameter, the private key of the user and the first parameter; the private key of the user is generated by the key distribution center according to the identity of the user;
sending the data to be stored and the tag with privacy protection to a cloud service provider for cloud storage;
acquiring a second parameter disclosed by the user;
the cloud service provider performs integrity verification on the cloud-stored data according to the system parameters, the first parameters and the second parameters;
the third party audit carries out integrity verification on the cloud storage data according to the entrustment of the user;
when the cloud service provider requests the trusted authority for the real label of the data to be stored of the user, the cloud service provider can be used for storing the real label of the data to be stored of the userThe trusted authority utilizes a formula for the label with privacy protection corresponding to the data to be stored of the user according to the private key of the trusted authority and the second parameterCalculating to obtain a real label sigma corresponding to the data to be stored of the user i '。
2. The method for detecting data integrity of cloud storage tag privacy protection according to claim 1, wherein the obtaining system parameters disclosed by the key distribution center further includes:
the user submits a user Identity (ID) to the key distribution center to obtain a private key of the user returned by the key distribution center;
and the trusted authority submits the trusted authority identity ID to the key distribution center to obtain a private key of the trusted authority returned by the key distribution center.
3. The data integrity detection method for privacy protection of the cloud storage tag according to claim 1, wherein the generating of the tag for privacy protection of the data to be stored of the user according to the system parameter, the private key of the user, and the first parameter specifically includes:
dividing the data to be stored into a plurality of data blocks;
randomly generating a second parameter and a third parameter according to the first parameter;
for each data block, generating a verifiable label according to the system parameters and the private key of the user;
generating a label with privacy protection corresponding to each data block according to the third parameter and the verifiable label of each data block;
and determining a set formed by the privacy protection tags corresponding to each data block as the tags for privacy protection of the data to be stored by the user.
4. The data integrity detection method for privacy protection of the cloud storage tag according to claim 1, wherein the third party audit performs integrity verification on the cloud storage data according to a user's delegation, and specifically includes:
according to the data to be stored by the user, the third party audits and generates a challenge request;
the cloud service provider generates an integrity evidence according to the challenge request, the cloud-stored data and the label corresponding to the cloud-stored data;
the third party audit carries out validity verification on the integrity evidence according to the first parameter and the second parameter;
when the integrity evidence is valid, determining that the data stored by the cloud is complete;
when the integrity evidence is invalid, determining that the cloud stored data is incomplete.
5. A data integrity detection system for privacy protection of cloud storage tags, comprising:
the system parameter acquisition module is used for acquiring system parameters disclosed by the key distribution center;
a first parameter obtaining module, configured to obtain a first parameter disclosed by a trusted authority, and obtain the private key sk through a secure channel CU And sk TA Respectively sending the data to the cloud user and the trusted authority;
the label generation module with privacy protection is used for generating a label with privacy protection corresponding to the data to be stored of the user according to the system parameters, the private key of the user and the first parameters; the private key of the user is generated by the key distribution center according to the identity of the user;
the cloud storage module is used for sending the data to be stored and the tag with privacy protection to a cloud service provider for cloud storage;
the second parameter acquisition module is used for acquiring a second parameter disclosed by the user;
the cloud service provider integrity verification module is used for verifying the integrity of the cloud stored data by using a cloud service provider according to the system parameters, the first parameters and the second parameters;
the third-party audit integrity verification module is used for verifying the integrity of the cloud-stored data by using third-party audit according to the entrustment of the user;
the data integrity detection system for privacy protection of the cloud storage tag further comprises:
a real tag calculation module, configured to, when the cloud service provider requests the trusted authority for a real tag of the data to be stored of the user, the trusted authority, according to the private key of the trusted authority and the second parameter, apply a formula to a tag with privacy protection corresponding to the data to be stored of the userCalculating to obtain a real label sigma corresponding to the data to be stored of the user i '。
6. The cloud storage tag privacy protected data integrity detection system of claim 5, further comprising:
the user private key generation module is used for generating a private key of the user by using the key distribution center according to the user identity ID submitted to the key distribution center by the user;
and the trusted authority private key generation module is used for submitting the trusted authority identity ID to the key distribution center according to the trusted authority and generating the private key of the trusted authority by using the key distribution center.
7. The data integrity detection system for privacy protection of cloud storage tags according to claim 5, wherein the tag generation module with privacy protection specifically comprises:
the data block dividing unit is used for dividing the data to be stored into a plurality of data blocks;
a second parameter and third parameter generating unit, configured to randomly generate a second parameter and a third parameter according to the first parameter;
a verifiable label generating unit, configured to generate a verifiable label for each data block according to the system parameter and the private key of the user;
the tag generation unit with privacy protection is used for generating a tag with privacy protection corresponding to each data block according to the third parameter and the verifiable tag of each data block;
and the tag determination unit with privacy protection corresponding to the data to be stored is used for determining a set formed by the tags with privacy protection corresponding to each data block as the tags with privacy protection corresponding to the data to be stored of the user.
8. The cloud storage tag privacy protection data integrity detection system according to claim 5, wherein the third party audit integrity verification module specifically comprises:
the challenge request generating unit is used for generating a challenge request by utilizing the third-party audit according to the data to be stored by the user;
the integrity evidence generating unit is used for generating integrity evidence by using the cloud service provider according to the challenge request, the cloud-stored data and the label corresponding to the cloud-stored data;
the validity verification unit is used for verifying the validity of the integrity evidence by using the third-party audit according to the first parameter and the second parameter;
the data integrity determination unit is used for determining that the data stored in the cloud is complete when the integrity evidence is valid;
a data incomplete determining unit, configured to determine that the cloud-stored data is incomplete when the integrity evidence is invalid.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202010386096.5A CN111539031B (en) | 2020-05-09 | 2020-05-09 | Data integrity detection method and system for privacy protection of cloud storage tag |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202010386096.5A CN111539031B (en) | 2020-05-09 | 2020-05-09 | Data integrity detection method and system for privacy protection of cloud storage tag |
Publications (2)
Publication Number | Publication Date |
---|---|
CN111539031A CN111539031A (en) | 2020-08-14 |
CN111539031B true CN111539031B (en) | 2023-04-18 |
Family
ID=71979178
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202010386096.5A Active CN111539031B (en) | 2020-05-09 | 2020-05-09 | Data integrity detection method and system for privacy protection of cloud storage tag |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN111539031B (en) |
Families Citing this family (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN113722767B (en) * | 2021-09-03 | 2022-09-02 | 南京南瑞信息通信科技有限公司 | Data integrity verification method, system, storage medium and computing equipment |
Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN109951296A (en) * | 2019-03-05 | 2019-06-28 | 北京邮电大学 | A kind of remote data integrity verification method based on short signature |
CN110677487A (en) * | 2019-09-30 | 2020-01-10 | 陕西师范大学 | Outsourcing data duplicate removal cloud storage method supporting privacy and integrity protection |
Family Cites Families (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN106357701B (en) * | 2016-11-25 | 2019-03-26 | 西安电子科技大学 | The integrity verification method of data in cloud storage |
US10896267B2 (en) * | 2017-01-31 | 2021-01-19 | Hewlett Packard Enterprise Development Lp | Input/output data encryption |
CN107948143B (en) * | 2017-11-15 | 2021-03-30 | 安徽大学 | Identity-based privacy protection integrity detection method and system in cloud storage |
CN110505052B (en) * | 2019-08-28 | 2022-11-25 | 安徽大学 | Cloud data public verification method for protecting data privacy |
-
2020
- 2020-05-09 CN CN202010386096.5A patent/CN111539031B/en active Active
Patent Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN109951296A (en) * | 2019-03-05 | 2019-06-28 | 北京邮电大学 | A kind of remote data integrity verification method based on short signature |
CN110677487A (en) * | 2019-09-30 | 2020-01-10 | 陕西师范大学 | Outsourcing data duplicate removal cloud storage method supporting privacy and integrity protection |
Also Published As
Publication number | Publication date |
---|---|
CN111539031A (en) | 2020-08-14 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US20210271764A1 (en) | Method for storing data on a storage entity | |
CN111859348B (en) | Identity authentication method and device based on user identification module and block chain technology | |
EP3563553B1 (en) | Method for signing a new block in a decentralized blockchain consensus network | |
Waziri et al. | Network security in cloud computing with elliptic curve cryptography | |
Yang et al. | Provable data possession of resource-constrained mobile devices in cloud computing | |
EP3091690A1 (en) | Rsa decryption using multiplicative secret sharing | |
CN109889497A (en) | A kind of data integrity verification method for going to trust | |
CN105978695A (en) | Batch self-auditing method for cloud storage data | |
Nirmala et al. | Data confidentiality and integrity verification using user authenticator scheme in cloud | |
CN108712259B (en) | Identity-based cloud storage efficient auditing method capable of uploading data by proxy | |
Luo et al. | An effective integrity verification scheme of cloud data based on BLS signature | |
CN112906056A (en) | Cloud storage key security management method based on block chain | |
Malina et al. | Efficient security solution for privacy-preserving cloud services | |
Jalil et al. | A secure and efficient public auditing system of cloud storage based on BLS signature and automatic blocker protocol | |
Skudnov | Bitcoin clients | |
Yu et al. | Veridedup: A verifiable cloud data deduplication scheme with integrity and duplication proof | |
Wu et al. | Secure public data auditing scheme for cloud storage in smart city | |
Sathya et al. | A comprehensive study of blockchain services: future of cryptography | |
Xu et al. | Secure fuzzy identity-based public verification for cloud storage | |
CN111539031B (en) | Data integrity detection method and system for privacy protection of cloud storage tag | |
Deng et al. | A lightweight identity-based remote data auditing scheme for cloud storage | |
CN113285934B (en) | Method and device for detecting IP (Internet protocol) of server cryptographic machine client based on digital signature | |
CN111585756B (en) | Certificate-free cloud auditing method suitable for multi-copy-multi-cloud situation | |
Ganesh et al. | An efficient integrity verification and authentication scheme over the remote data in the public clouds for mobile users | |
Rajeb et al. | Formal analyze of a private access control protocol to a cloud storage |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||
GR01 | Patent grant |