Disclosure of Invention
The technical problem to be solved by the invention is as follows: in view of the existing problems, a block chain-based file fragmentation encryption storage method, acquisition method and system are provided, so that the risk of data being acquired by the storage host is avoided and the data privacy of all data parties is protected.
The technical scheme adopted by the invention is as follows: a file fragmentation encryption storage method based on a block chain is characterized in that:
dividing the encrypted file into file fragments;
calculating the digest signature of the file fragment according to the content of the file fragment;
recording the digest signature of the file fragment into the payload of a block chain transaction to generate the transaction, and sending the transaction to the block chain module;
and sending the file fragments to a distributed storage module, and storing the file fragments by the distributed storage module.
The file encryption comprises the following steps:
acquiring user authentication information and a file which is uploaded by a user and needs to be encrypted and stored;
after the authentication is passed, encrypting the file according to the encryption key;
the encryption key is a default key which is designated by the user or distributed by the system for each user and is determined based on the user authentication information.
The file segmentation comprises:
selecting a suitable number of fragments and a suitable splitting method according to the encryption level, and dividing the encrypted file into file fragments.
The file fragments are stored in the distributed storage module in a multi-copy mode.
The distributed storage module is composed of a distributed file storage system or a distributed database.
A method for acquiring a file stored by the above storage method, characterized by comprising the following steps:
acquiring a file acquisition request of a user, wherein the file acquisition request comprises user authentication information and a file name;
after the authentication is passed, acquiring file storage position information according to the file name;
acquiring file fragments from the distributed storage module according to the file name and the file storage position information, and acquiring transactions corresponding to the file fragments from the block chain module;
acquiring the digest signature of the file fragment, comparing the digest signature with the digest signature of the file fragment in the block chain transaction, and confirming the integrity of the file fragment;
after the file fragments are confirmed to be complete, combining the file fragments into a complete encrypted file;
and decrypting the encrypted file and then sending the decrypted file to the user.
The encrypted file is decrypted based on a decryption key provided by the user or a default key assigned by the system to each user determined based on user authentication information.
A file fragmentation encrypted storage system based on a blockchain, comprising:
the file directory service module is used for providing a writing and reading interface of an encrypted file, user identity verification and authentication, recording related information of the file and providing file index service for a user;
the file encryption module is used for encrypting the file;
the file segmentation module is used for segmenting the encrypted file into file fragments;
the transaction generation module is used for converting each file fragment into one transaction on the block chain and storing the file fragment into the distributed storage module;
the block chain module is used for storing the transaction corresponding to each file fragment;
the distributed storage module is used for storing each file fragment;
the transaction verification module is used for acquiring the file fragments from the distributed storage module and verifying the file fragments through transaction data related to the file fragments on the block chain;
the file merging module is used for merging the file fragments into a complete encrypted file;
and the file decryption module is used for decrypting the encrypted file.
Acquiring an uploaded file needing to be encrypted and stored through a file directory service module, and specifying an encryption key, an encryption method and an encryption level by a user;
the file directory service module performs authentication operation on the user and records the file name, the encryption method, the encryption level and the file storage position information corresponding to the file uploaded by the user;
the file directory service module sends the file, the encryption method, the encryption level and the encryption key to the file encryption module;
the file encryption module selects a proper encryption method to encrypt the received file according to the received encryption method and encryption key to obtain an encrypted file;
the file encryption module sends the encrypted file and the encryption level to the file segmentation module;
the file segmentation module selects a proper fragment segmentation quantity and a proper fragment segmentation method according to the encryption level, and segments the encrypted file into file fragments;
the file segmentation module sends the file fragments to the transaction generation module;
the transaction generation module calculates the digest signature of the file fragment according to the content of the file fragment, records the digest signature of the file fragment into the payload of a block chain transaction, and sends the transaction to the block chain module after generating it; the block chain module writes the received transaction into the corresponding block chain system according to a preset rule;
the transaction generation module sends the file fragments to the distributed storage module, and the distributed storage module stores the received file fragments according to a preset rule.
The file directory service module acquires a file acquisition request sent by a user, wherein the file acquisition request comprises a file name, user authentication information and a decryption key;
the file directory service module performs user authentication according to the user authentication information;
after the authentication is passed, the file directory service module acquires file storage position information according to the file name and transmits a file acquisition request containing the file name, the file storage position information and a decryption key to the transaction verification module;
after receiving the request, the transaction verification module acquires file fragments from the distributed storage module according to the file name and the file storage position information, and acquires transactions corresponding to the fragments from the block chain module;
the transaction verification module acquires the digest signature of the file fragment, compares the digest signature with the digest signature of the file fragment in the block chain transaction and confirms the integrity of the file fragment;
after the integrity of the file fragments is confirmed, the transaction verification module returns all file fragments related to the file to the file merging module;
the file merging module merges the file fragments into a complete encrypted file according to the cutting rule recorded by the file directory service module and returns the encrypted file to the file decryption module;
the file decryption module completes decryption according to the decryption method and the decryption key to obtain the decrypted original file;
and the file directory service module sends the decrypted original file to the user.
The invention has the following beneficial effects: the encrypted file is divided into file fragments, the actual data of the file fragments is stored in the distributed storage module, and the transactions that correspond to the file fragments and are used to verify the integrity of the file are stored in the block chain system, so that no storage management party can acquire the data or a complete copy of the file. The risk of data being acquired by a storage management party is thereby fundamentally avoided, and the data privacy of all data parties is protected.
Detailed Description
The embodiment is a block chain-based file fragmentation encryption storage method, which specifically comprises the following steps:
acquiring user authentication information, files which are uploaded by a user and need to be encrypted and stored, and an encryption key, an encryption method and an encryption level which are specified by the user;
after the authentication is passed, recording the file name, the encryption method, the encryption level and the file storage position information corresponding to the file;
encrypting the file according to the encryption method and the encryption key to obtain an encrypted file;
according to the encryption level, selecting a proper fragment division number and a proper fragment division method, and dividing the encrypted file into file fragments;
calculating the digest signature of the file fragment according to the content of the file fragment;
recording the digest signature of the file fragment into the payload of a block chain transaction and, after the transaction is generated, sending the transaction to the block chain module;
the block chain module writes the received transaction into a corresponding block chain system according to a preset rule;
sending the file fragments to a distributed storage module;
the distributed storage module stores the received file fragments according to a preset rule.
The embodiment also provides a file acquisition method for acquiring the file stored by the storage method of the embodiment, which includes the following specific steps:
acquiring a file acquisition request of a user, wherein the file acquisition request comprises user authentication information, a file name and a decryption key;
after the authentication is passed, acquiring a decryption method and file storage position information according to the file name;
acquiring file fragments from the distributed storage module according to the file name and the file storage position information, and acquiring transactions corresponding to the file fragments from the block chain module;
calculating the digest signature of each file fragment acquired from the distributed storage module, comparing it with the digest signature of the file fragment in the block chain transaction, and confirming the integrity of the file fragment;
after the file fragments are confirmed to be complete, combining the file fragments into a complete encrypted file according to a segmentation rule during file segmentation;
according to the decryption method and the decryption key, the decryption of the encrypted file is completed;
and sending the decrypted file to a user.
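The storage and acquisition steps above, reduced to fragmenting, digest recording and verification, as an added example that is not part of the original disclosure. It assumes SHA-256 as the digest (the text names no algorithm), contiguous splitting, an in-memory list and dict standing in for the block chain module and the distributed storage module, and input that has already been encrypted; all function names are hypothetical.

```python
import hashlib

DIGEST = hashlib.sha256  # assumption: the text does not name a digest algorithm


class IntegrityError(Exception):
    """A fragment or its transaction is missing, or the digests differ."""


def split_fragments(ciphertext: bytes, count: int) -> list:
    """Cut the encrypted file into at most `count` contiguous fragments."""
    if count < 1:
        raise ValueError("fragment count must be at least 1")
    size = max(1, -(-len(ciphertext) // count))  # ceiling division
    return [ciphertext[i:i + size] for i in range(0, len(ciphertext), size)] or [b""]


def store(name: str, ciphertext: bytes, count: int, ledger: list, storage: dict) -> dict:
    """Storage path: one digest-only transaction per fragment, data kept off-chain."""
    fragments = split_fragments(ciphertext, count)
    for index, fragment in enumerate(fragments):
        # The payload binds file name and position to the digest, so a fragment
        # moved to another index fails verification as well as an altered one.
        ledger.append({"file": name, "index": index,
                       "digest": DIGEST(fragment).hexdigest()})
        storage[(name, index)] = fragment
    # Splitting rule, as recorded by the file directory service module.
    return {"file": name, "fragments": len(fragments)}


def retrieve(rule: dict, ledger: list, storage: dict) -> bytes:
    """Acquisition path: recompute each digest, compare with the ledger, then merge."""
    recorded = {tx["index"]: tx["digest"] for tx in ledger if tx["file"] == rule["file"]}
    parts = []
    for index in range(rule["fragments"]):
        fragment = storage.get((rule["file"], index))
        if fragment is None or index not in recorded:
            raise IntegrityError(f"fragment {index}: data or transaction missing")
        if DIGEST(fragment).hexdigest() != recorded[index]:
            raise IntegrityError(f"fragment {index}: digest mismatch")
        parts.append(fragment)
    return b"".join(parts)  # still encrypted; decryption is a separate step


def demo() -> tuple:
    """Round trip, then a single flipped bit in one stored fragment."""
    # Constructed stand-in for an encrypted file (1024 deterministic bytes).
    ciphertext = b"".join(DIGEST(bytes([i])).digest() for i in range(32))
    ledger, storage = [], {}
    rule = store("report.enc", ciphertext, 4, ledger, storage)
    intact = retrieve(rule, ledger, storage) == ciphertext
    key = ("report.enc", 2)
    storage[key] = bytes([storage[key][0] ^ 1]) + storage[key][1:]
    try:
        retrieve(rule, ledger, storage)
        detected = False
    except IntegrityError:
        detected = True
    return intact, detected


if __name__ == "__main__":
    print(demo())
```

The digest comparison detects alteration, loss or reordering of fragments by the storage side; it does not by itself identify who produced a fragment, which is why the transaction is written before the data is trusted.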
When a user stores or acquires a file without specifying encryption and decryption keys, the system performs the encryption and decryption with the default key that it has assigned to that user. Each user's default key is itself stored encrypted with a symmetric encryption algorithm, using that user's authentication information as the key. If the user's authentication information is absent or wrong, the user's default key cannot be obtained and the file cannot be encrypted or decrypted.
As shown in fig. 1, this embodiment further provides a block chain-based file fragmentation encryption storage system, which includes a file directory service module, a file encryption module, a file splitting module, a transaction generation module, a block chain module, a distributed storage module, a transaction verification module, a file merging module, and a file decryption module.
In this embodiment, the file directory service module is configured to: provide the user with an interface for writing and reading files, where the interface may take a variety of forms, including but not limited to interface services based on pipes, sockets and the like; perform user authentication and authorization; manage the users' default encryption and decryption keys; manage user directory space; and record information about user files (including file name, file size, encryption mode and number of fragments) and provide a file index service.
In this example, the file encryption module is used for encrypting the file content. The file encryption module can simultaneously select a plurality of different encryption methods, including but not limited to encryption algorithms such as DES, 3DES, AES, RC2, RC4, RC5, Blowfish, SM1, SM2, SM4, SM7, SM9, ZUC, RSA, and the like, and can also encrypt a plurality of times by using a plurality of different encryption algorithms.
The file segmentation module in this embodiment is configured to segment the encrypted file. The file segmentation module can segment the encrypted file into different numbers of file fragments according to the encryption level designated by the user, each file fragment only contains part of the encrypted file content, and all the fragments are combined together to completely restore the original encrypted file.
The transaction generation module is used for converting each file fragment into a transaction on the blockchain and storing the file fragments into the distributed storage module. After the file segmentation module sends the fragments of the encrypted file to the transaction generation module, the transaction generation module signs each file fragment according to the conversion rule, converts the file fragment into a transaction on a block chain, and sends the transaction to the block chain module; meanwhile, the transaction generation module sends the signed file fragments to the distributed storage module for storage.
In this embodiment, the block chain module is used to permanently store the transaction corresponding to each file fragment. The block chain module can be composed of a public chain system or a consortium chain system; when a transaction is received, the block chain module applies the rules of the corresponding block chain system and writes the transaction information into that system for permanent storage, preventing the data from being tampered with privately.
The distributed storage module is used for permanently and persistently storing the actual data of each file fragment. The distributed storage module can be composed of a distributed file storage system or a distributed database; when a file fragment is received, the distributed storage module stores it in the storage mode specified by the file directory service module. The file fragments are stored in the distributed storage module as multiple copies, which reduces the risk of data loss.
In this embodiment, the transaction verification module is configured to obtain fragments of the encrypted file from the distributed storage, and verify the file fragments by using transaction data related to the fragments in the blockchain.
The file merging module in the embodiment is used for merging the fragments of the encrypted file. After receiving the file fragments sent by the transaction verification module, the file merging module can merge the files according to the file splitting rules recorded in the file directory service module, so as to obtain a complete encrypted file.
In this embodiment, the file decryption module is used to decrypt the encrypted file content. After receiving the encrypted file sent by the file merging module, the file decryption module decrypts it according to the file encryption/decryption rule recorded in the file directory service module and the decryption key provided by the user. After decryption is finished, the original file is returned to the user through the file directory service module.
The file storage method of the file fragmentation encryption storage system based on the block chain in the embodiment includes:
The file directory service module acquires the file that the user has uploaded for encrypted storage, together with the encryption key, encryption method and encryption level specified by the user.
The file directory service module performs authentication operation on the user and records the file name, the encryption method, the encryption level and the file storage position information corresponding to the file uploaded by the user.
The file directory service module sends the file, the encryption method, the encryption level and the encryption key to the file encryption module. If the user does not specify an encryption key, a default encryption key is used.
The file encryption module selects a suitable encryption method according to the received encryption method and encryption key, and encrypts the received file to obtain the encrypted file.
The file encryption module sends the encrypted file and the encryption level to the file segmentation module.
The file segmentation module selects a suitable number of fragments and a suitable splitting method according to the encryption level, and splits the encrypted file into file fragments. It sends the file splitting rule to the file directory service module, which records it.
The file splitting module sends the file fragments to the transaction generation module.
The transaction generation module calculates the digest signature of the file fragment according to the content of the file fragment, records the digest signature of the file fragment into the payload of a block chain transaction, and sends the transaction to the block chain module after the transaction is generated.
The transaction generation module sends the file fragments to the distributed storage module.
The blockchain module writes the received transaction into the corresponding blockchain system according to a predetermined rule.
The distributed storage module stores the received file fragments according to a preset rule.
The file acquisition method of the file fragmentation encryption storage system based on the block chain in the embodiment includes:
The file directory service module acquires a file acquisition request sent by a user, wherein the file acquisition request comprises a file name, user authentication information and a decryption key.
The file directory service module performs user authentication according to the user authentication information in the request.
After the authentication is passed, the file directory service module acquires related information such as the file storage position and the splitting rule according to the file name; if the request does not include a decryption key, the stored user default key is decrypted with the authentication information to obtain the default key.
The file directory service module transmits a file acquisition request containing information such as a file name, a file storage position, a decryption key and the like to the transaction verification module.
After receiving the request, the transaction verification module acquires file fragments from the distributed storage module according to information such as file names, file storage positions and the like, and acquires transactions corresponding to the fragments from the block chain module.
The transaction verification module calculates the digest signature of each file fragment acquired from the distributed storage module, compares it with the digest signature of the file fragment in the block chain transaction, and confirms the integrity of the file fragments.
After the file fragments are confirmed to be complete, the transaction verification module returns all the fragments related to the file to the file merging module.
The file merging module merges the file fragments into a complete encrypted file according to the cutting rule recorded by the file directory service module, and returns the encrypted file to the file decryption module.
The file decryption module completes decryption according to the decryption method and the decryption key to obtain the decrypted original file.
The file directory service module sends the decrypted original file to the user.
Although embodiments of the present invention have been shown and described, it will be appreciated by those skilled in the art that changes, modifications, substitutions and alterations can be made in these embodiments without departing from the principles and spirit of the invention, the scope of which is defined in the appended claims and their equivalents.