CN112019540B - Data security sharing method oriented to cloud computing environment - Google Patents
Data security sharing method oriented to cloud computing environment Download PDFInfo
- Publication number
- CN112019540B CN112019540B CN202010880926.XA CN202010880926A CN112019540B CN 112019540 B CN112019540 B CN 112019540B CN 202010880926 A CN202010880926 A CN 202010880926A CN 112019540 B CN112019540 B CN 112019540B
- Authority
- CN
- China
- Prior art keywords
- group
- user
- decryption
- symmetric encryption
- user account
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/04—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
- H04L63/0428—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
- H04L63/045—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply hybrid encryption, i.e. combination of symmetric and asymmetric encryption
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L12/00—Data switching networks
- H04L12/02—Details
- H04L12/16—Arrangements for providing special services to substations
- H04L12/18—Arrangements for providing special services to substations for broadcast or conference, e.g. multicast
- H04L12/185—Arrangements for providing special services to substations for broadcast or conference, e.g. multicast with management of multicast group membership
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/083—Network architectures or network communication protocols for network security for authentication of entities using passwords
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L67/00—Network arrangements or protocols for supporting network services or applications
- H04L67/01—Protocols
- H04L67/06—Protocols specially adapted for file transfer, e.g. file transfer protocol [FTP]
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L67/00—Network arrangements or protocols for supporting network services or applications
- H04L67/01—Protocols
- H04L67/10—Protocols in which an application is distributed across nodes in the network
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/14—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols using a plurality of keys or algorithms
Landscapes
- Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Storage Device Security (AREA)
Abstract
The invention provides a data security sharing method facing a cloud computing environment, which comprises the following steps: the user side adopts a registration process to register to the sharing server; a user side creates a group; adding other group members to the group; uploading shared files and downloading shared files. According to the data security sharing method for the cloud computing environment, the group is established, the mode of adding members to the group and the mode of uploading and downloading shared files are limited, the use security of the shared files is comprehensively improved from multiple angles, and the leakage and the counterfeiting of the shared files are prevented.
Description
Technical Field
The invention belongs to the technical field of data sharing, and particularly relates to a data security sharing method oriented to a cloud computing environment.
Background
Currently, cloud computing development faces many key problems, and particularly, the data security problem is serious. Specifically, in the cloud computing mode, the cloud computing service provider develops a part of storage space for the user to use on the basis of the highly integrated large-capacity storage space. But the user does not know on which server his own data is stored, or even in which country the server is placed; whether the cloud computing service provider has information security and other problems in the country where the storage resources are located or not and whether data can be guaranteed not to be leaked are all problems which are worried by users.
Many data information relate to privacy and safety of individuals or organizations, particularly for shared files, the data safety problem is particularly prominent, although a sharing server service provider promises to guarantee the safety of user information, for users, the initiative of information storage and reference is in the sharing server, data is browsed and downloaded, so that the disclosure is not controlled by users at all, therefore, users have great worry about the safety problem of using the sharing server, how to improve the safety of the use of the sharing server, particularly the safety of the use of the shared files is guaranteed, and users can pay own data to the sharing server service provider for storage management with great care, which is a problem to be solved at present.
Disclosure of Invention
Aiming at the defects in the prior art, the invention provides a data security sharing method facing to a cloud computing environment, which can effectively solve the problems.
The technical scheme adopted by the invention is as follows:
the invention provides a data security sharing method facing a cloud computing environment, which comprises the following steps:
step 1, a user side registers to a shared server by adopting a registration process, and the registration method comprises the following steps:
step 1.1, for any user side, which is represented as a user side A, receiving a login password plaintext PIN (A) from a user account A; then, the user A encrypts the login password plaintext PIN (A) by adopting a first message digest algorithm to obtain a login password ciphertext MDPIN (A);
step 1.2, the user A transmits the name of the user account A and a login password ciphertext MDPIN (A) to a sharing server through a network;
the sharing server receives and stores authentication information of a user account A; the authentication information of the user account A comprises the name of the user account A and a login password ciphertext MDPIN (A);
step 1.3, a user A generates a public key plaintext GK (A) and a private key plaintext SK (A) which are uniquely corresponding to a user account A by adopting a first asymmetric encryption and decryption algorithm;
step 1.4, the user side a encrypts the private key plaintext sk (a) by using a private key encryption algorithm to obtain a private key ciphertext dessk (a), and specifically includes:
1) the user A adopts a second message digest algorithm to combine the login password plaintext PIN (A) and the login password ciphertext MDPIN (A) and then carry out encryption processing to obtain a symmetric encryption and decryption key DK (A);
2) the user side A encrypts a private key plaintext SK (A) by using a first symmetric encryption and decryption algorithm by taking a symmetric encryption and decryption key DK (A) as a key to obtain a private key ciphertext DESSK (A);
3) the user A stores a private key ciphertext DESSK (A);
step 1.5, a user terminal A transmits the name of a user account A and a plain text GK (A) of a public key to a sharing server through a network;
the sharing server adds a public key plaintext GK (A) to the authentication information of the user account A; wherein, the public key plaintext GK (A) allows other server users to read;
step 1.6, finally, the sharing server obtains the following server authentication information of the user account A: the name of a user account A, a login password ciphertext MDPIN (A) and a public key plaintext GK (A); then, the sharing server adds the server authentication information of the user account A into an authentication management list;
the user side A stores user side authentication information of the user account A, wherein the user side authentication information comprises the name of the user account A and a private key ciphertext DESSK (A), and then registration operation of the user account A is completed;
step 2, the user end A creates a group (A), and the method is as follows:
step 2.1, a user A 'receives a login request from a user account A', wherein the login request carries a login password plaintext PIN (A ') and a user account A' name;
step 2.2, the user terminal A 'performs identity verification on the user account A' through the shared server to verify whether the user account A 'is a registered user, and if the user account A' is the registered user, the step 2.3 is executed; otherwise, refusing to execute the operation of creating the group (A), and ending the process;
the specific method for identity authentication comprises the following steps:
step 2.2.1, the user side A ' encrypts a login password plaintext PIN (A ') by adopting a first message digest algorithm to obtain a login password ciphertext MDPIN (A ');
step 2.2.2, the user terminal A ' sends an identity verification request to the sharing server, wherein the identity verification request carries the name of the user account A ' and a login password ciphertext MDPIN (A ');
step 2.2.3, the shared server searches the authentication management list to obtain a user account name which is the same as the name of the user account A', namely the name of the user account A, and then obtains a corresponding login password ciphertext MDPIN (A) according to the name of the user account A; then, the sharing server judges whether the login password ciphertext MDPIN (A) is the same as the verified login password ciphertext MDPIN (A '), if so, the identity verification of the user account A' is successful, the operation of creating the group (A) in the step 2.3 is allowed to be executed, and if not, the operation of creating the group (A) in the step 2.3 is refused to be executed;
step 2.3, the user terminal A' is verified as the user terminal A; the user account A' is verified as the user account A; the user terminal A creates a group (A) corresponding to the user account A in the following way:
step 2.3.1, the user A creates a group (A) corresponding to the user account A and sends the name of the group (A) and the name of the user account A to a sharing server;
the sharing server pre-creates a group management list and stores the group (A) name and the group creator name into the group management list; the group creator name is the name of the user account A; to this end, the sharing server completes the operation of creating the group (A);
for the user terminal a, continuing to execute the step 2.3.2;
step 2.3.2, the user A obtains and stores a group symmetric encryption and decryption cipher text DESGAKEY (A) through the following group cipher encryption algorithm to complete the creation operation of the group (A):
1) the user A generates a group symmetric encryption and decryption cipher plaintext GAKEY;
2) the user A adopts a third message digest algorithm to combine the login password plaintext PIN (A) and the login password ciphertext MDPIN (A) and then carry out encryption processing to obtain a group symmetric encryption and decryption key GDK (A);
3) the user end A uses the group symmetric encryption and decryption key GDK (A) as a key, and adopts a second symmetric encryption and decryption algorithm to encrypt the group symmetric encryption and decryption cipher plaintext GAKEY to obtain a group symmetric encryption and decryption cipher ciphertext DESGAKEY (A);
the user A stores group authentication information, which comprises: group (A) name and group symmetric encryption and decryption cipher text DESGAKEY (A); the creation process of the group (A) is completed;
step 3, add other group members to the group (A), the method is:
step 3.1, when the sharing server receives a request message from the user account A ″ for adding the user account B to the group (A), the sharing server searches the authentication management list and judges whether the user account B is in the authentication management list, if so, the step 3.2 is allowed to be executed; otherwise, refusing to execute the step 3.2, and ending the process;
step 3.2, the sharing server searches the group management list, and judges whether the user account A' is a creating account of the group (A), namely: verifying whether the user account A' is the same as the user account A, and if so, allowing the step 3.3 to be executed; otherwise, refusing to execute the step 3.3, and ending the process;
step 3.3, the sharing server obtains the authentication information of the user account B by searching the authentication management list, wherein the authentication information comprises the name of the user account B, a login password ciphertext MDPIN (B) and a public key plaintext GK (B);
the sharing server sends the name of the user account B and the plaintext GK (B) of the public key to the user A;
step 3.4, the user A obtains a group symmetric encryption and decryption cipher plaintext GAKEY by the following method:
1) the user A encrypts a login password plaintext PIN (A) by adopting a first message digest algorithm to obtain a login password ciphertext MDPIN (A);
2) the user A adopts a third message digest algorithm to combine the login password plaintext PIN (A) and the login password ciphertext MDPIN (A) and then carry out encryption processing to obtain a group symmetric encryption and decryption key GDK (A);
3) the user end A decrypts the group symmetric encryption and decryption cipher text DESGAKEY (A) by using a second symmetric encryption and decryption algorithm by taking the group symmetric encryption and decryption key GDK (A) as a key to obtain a group symmetric encryption and decryption cipher plaintext GAKEY;
step 3.5, the user a encrypts the group symmetric encryption and decryption cipher plaintext GAKEY to obtain a group asymmetric encryption and decryption cipher ciphertext rsagakey (B) that can be decrypted only by using the private key plaintext sk (B) uniquely corresponding to the user account B, and the method comprises the following steps:
the user end A uses the public key plaintext GK (B) obtained in the step 3.3 as a secret key, and adopts a second asymmetric encryption and decryption algorithm to encrypt the group symmetric encryption and decryption cipher plaintext GAKEY to obtain a group asymmetric encryption and decryption cipher ciphertext RSAGAKEY (B);
step 3.6, the user end A returns a response message for adding the user account B into the group (A) to the shared server, wherein the response message carries a group asymmetric encryption and decryption cipher text RSAGAKEY (B);
step 3.7, the sharing server sends an invitation message added to the group (A) to the user terminal B, wherein the invitation message carries a group asymmetric encryption and decryption cipher text RSAGAKEY (B);
step 3.8, after the user side B successfully logs in the sharing server, receiving an invitation message which is sent by the sharing server and added to the group (a), if the user side B refuses to join the group (a), returning a notification message of refusing to join to the sharing server, wherein the sharing server does not add the user side B to the group management list, and the group invitation fails;
if the user side B agrees to join the group (A), the user side B locally stores a group asymmetric encryption and decryption password ciphertext RSAGAKEY (B), meanwhile, a notification message of agreement of the joining is returned to the sharing server, and the sharing server joins the user side B into a group management list, wherein the member role of the user side B is a group common user, the group invitation is successful, and then the step 3.9 is executed;
step 3.9, the user B locally saves the group asymmetric encryption and decryption cipher texts rsagakakey (B), and decrypts by the following method to obtain the group symmetric encryption and decryption cipher plaintext GAKEY:
1) the user side B adopts a second message digest algorithm to combine the login password plaintext PIN (B) and the login password ciphertext MDPIN (B) and then carry out encryption processing to obtain a symmetric encryption and decryption key DK (B);
2) the user side B uses the symmetric encryption and decryption key DK (B) as a key, and decrypts the locally stored private key ciphertext DESSK (B) by adopting a first symmetric encryption and decryption algorithm to obtain a private key plaintext SK (B);
3) the user end B decrypts the group asymmetric encryption and decryption cipher text RSAGAKEY (B) by taking the private key plaintext SK (B) as a secret key to obtain a group symmetric encryption and decryption cipher text GAKEY;
step 3.10, the user B encrypts the group symmetric encryption and decryption cipher plaintext GAKEY to obtain a group symmetric encryption and decryption cipher ciphertext desgakey (B), so far, the user B locally stores group authentication information, which includes: the group (A) name and the group symmetric encryption and decryption cipher text DESGAKEY (B) complete the process of joining the group (A);
the user side B encrypts the group symmetric encryption and decryption cipher plaintext GAKEY to obtain a group symmetric encryption and decryption cipher ciphertext DESGAKEY (B), and the method comprises the following steps:
the user side B adopts a third message digest algorithm to combine the login password plaintext PIN (B) and the login password ciphertext MDPIN (B) and then carry out encryption processing to obtain a group symmetric encryption and decryption key GDK (B);
the user end B uses the group symmetric encryption and decryption key GDK (B) as a key, and adopts a second symmetric encryption and decryption algorithm to encrypt the group symmetric encryption and decryption cipher plaintext GAKEY to obtain a group symmetric encryption and decryption cipher ciphertext DESGAKEY (B);
step 4, uploading the shared file by adopting the same method for any group member successfully added into the group (A); specifically, for any user account C in the group (a), the following method is adopted to upload the shared file:
step 4.1, after the user account C is successfully authenticated, successfully logging in the sharing server;
step 4.2, the user C locally stores the private key ciphertext DESSK (C), and decrypts the private key ciphertext DESSK (C) to obtain the private key plaintext SK (C):
step 4.3, the user C locally stores the group symmetric encryption and decryption cipher texts DESGAKEY (C), and decrypts the group symmetric encryption and decryption cipher texts DESGAKEY (C) to obtain a group symmetric encryption and decryption cipher plaintext GAKEY;
step 4.4, the user C securely uploads the local FILE to the shared server by adopting the following method:
step 4.4.1, the user C encrypts the local FILE by adopting a fourth message digest algorithm to obtain a first encrypted FILE MDFile;
step 4.4.2, the user C encrypts the first encrypted file MDFILE by using a third asymmetric encryption and decryption algorithm with the private key sk (C) as a secret key to obtain a second encrypted file RSAMDFILE(C);
step 4.4.3, the user side C merges the local FILE and the second encrypted FILE RSAMDFILE(C), and performs encryption processing by using the group symmetric encryption and decryption cipher plaintext GAKEY to obtain a third encrypted FILE desfile (C);
step 4.4.4, the user terminal C sends a third encrypted file desfile (C) to the sharing server through the network, and the sharing server receives and adds the third encrypted file desfile (C) to a shared storage space corresponding to the group (a) for the group members of the group (a) to access and download;
step 5, for any group member successfully added to the group (A), downloading the shared file by adopting the same method; specifically, for any user account D in the group (a), the following method is adopted to download the shared file from the shared storage space:
step 5.1, after the user account D is successfully authenticated, successfully logging in the sharing server;
step 5.2, because the user account D is a group member of the group (A), the user end D locally stores the group symmetric encryption and decryption cipher texts DESGAKEY (D);
the user end D carries out decryption operation on the group symmetric encryption and decryption cipher texts DESGAKEY (D) to obtain a group symmetric encryption and decryption cipher plaintext GAKEY; the decryption method comprises the following steps:
the user end D adopts a third message digest algorithm to combine the login password plaintext PIN (D) and the login password ciphertext MDPIN (D) and then carry out encryption processing to obtain a group symmetric encryption and decryption key GDK (D);
the user end D uses the group symmetric encryption and decryption key GDK (D) as a key, and performs decryption operation on the group symmetric encryption and decryption cipher text DESGAKEY (D) by adopting a second symmetric encryption and decryption algorithm to obtain a group symmetric encryption and decryption cipher plaintext GAKEY;
step 5.3, the user end D queries, through the network, the identification of the shared file uploaded by the user account C, i.e. a third encrypted file desfile (C), from the shared storage space corresponding to the group (a) of the shared server, and downloads the third encrypted file desfile (C) from the shared storage space corresponding to the group (a) of the shared server to the user end D;
step 5.4, the user end D uses the group symmetric encryption and decryption cipher plaintext GAKEY as a key to decrypt the third encrypted FILE DESFILE (C) to obtain a second encrypted FILE RSAMDFILE(C) and a FILE FILE;
step 5.5, the user end D encrypts the FILE FILE obtained in the step 5.4 by adopting a fourth message digest algorithm to obtain a first encrypted FILE MDFILE';
step 5.6, the user end D obtains a file publisher, namely a public key plaintext GK (C) of the user account C through the sharing server; then, a third asymmetric encryption and decryption algorithm is adopted to decrypt the second encrypted file RSAMDFILE(C) to obtain a first encrypted file MDFILE ";
step 5.7, the user end D compares the first encrypted FILE MDFILE ' obtained in the step 5.5 to determine whether the first encrypted FILE MDFILE ' is the same as the first encrypted FILE MDFILE ' obtained in the step 5.6, if so, the user end D confirms that the FILE FILE read this time is issued by the user account C, the identity of the user account C is confirmed, and the user end D successfully downloads the shared FILE, namely the FILE FILE; if the FILE is not the same as the FILE read by the user account C, the FILE read by the user is the FILE issued by forging the user account C identity by other users, and the FILE read by the user is the forged FILE.
Preferably, the first message digest algorithm, the second message digest algorithm, the third message digest algorithm and the fourth message digest algorithm are the same or different;
the first symmetric encryption and decryption algorithm and the second symmetric encryption and decryption algorithm are the same or different;
the first asymmetric encryption and decryption algorithm, the second asymmetric encryption and decryption algorithm and the third asymmetric encryption and decryption algorithm are the same or different.
Preferably, the first message digest algorithm, the second message digest algorithm, the third message digest algorithm and the fourth message digest algorithm are MD5 algorithms;
the first symmetric encryption and decryption algorithm and the second symmetric encryption and decryption algorithm are DES algorithms;
the first asymmetric encryption and decryption algorithm, the second asymmetric encryption and decryption algorithm and the third asymmetric encryption and decryption algorithm are RSA algorithms.
The data security sharing method for the cloud computing environment has the following advantages:
according to the data security sharing method for the cloud computing environment, the group is established, the mode of adding members to the group and the mode of uploading and downloading shared files are limited, the use security of the shared files is comprehensively improved from multiple angles, and the leakage and the counterfeiting of the shared files are prevented.
Drawings
Fig. 1 is a schematic flow chart of a data security sharing method for a cloud computing environment according to the present invention.
Detailed Description
In order to make the technical problems, technical solutions and advantageous effects solved by the present invention more clearly apparent, the present invention is further described in detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit the invention.
The invention provides a data security sharing method facing a cloud computing environment, which is used for an application scene of group user file sharing, effectively and safely protecting the shared files of the group users, and preventing the leakage and the forgery of the shared files.
Referring to fig. 1, the data security sharing method facing the cloud computing environment comprises the following steps:
step 1, a user side registers to a shared server by adopting a registration process, and the registration method comprises the following steps:
step 1.1, for any user side, which is represented as a user side A, receiving a login password plaintext PIN (A) from a user account A; then, the user A encrypts the login password plaintext PIN (A) by adopting a first message digest algorithm to obtain a login password ciphertext MDPIN (A);
in this step, the first message digest algorithm includes, but is not limited to, the MD5 algorithm, and when the MD5 algorithm is adopted, the encrypting process of the login password plaintext pin (a) means: calculating a hash value corresponding to the login password plaintext PIN (A) by using a hash function to obtain a login password ciphertext MDPIN (A), namely: mdpin (a) ═ MD5[ pin (a) ].
In the present invention, taking the login password ciphertext as an example, the login password ciphertext mdpin (a) represents: a login password ciphertext corresponding to the user account A; similarly, the login password ciphertext MDPIN (A ') appearing in the following step represents the login password ciphertext corresponding to the user account A'; the login password ciphertext mdpin (b) represents: a login password ciphertext corresponding to the user account B; the login password ciphertext MDPIN (C) represents: and the login password ciphertext corresponding to the user account C. When the user account a, the user account a 'and the user account C are different user accounts, the specific contents of the MDPIN (a), the MDPIN (a') and the MDPIN (C) are different.
For other information, such as login password plaintext pin (a), public key plaintext gk (a), private key plaintext sk (a), and the like, the same expression is used, that is: and representing the relation between the related information and the corresponding account through the user account identification in the brackets.
Step 1.2, the user A transmits the name of the user account A and a login password ciphertext MDPIN (A) to a sharing server through a network;
the sharing server receives and stores authentication information of a user account A; the authentication information of the user account A comprises the name of the user account A and a login password ciphertext MDPIN (A);
step 1.3, a user A generates a public key plaintext GK (A) and a private key plaintext SK (A) which are uniquely corresponding to a user account A by adopting a first asymmetric encryption and decryption algorithm, such as an RSA algorithm;
step 1.4, the user side a encrypts the private key plaintext sk (a) by using a private key encryption algorithm to obtain a private key ciphertext dessk (a), and specifically includes:
1) the user A adopts a second message digest algorithm, such as MD5 algorithm, to combine the login password plaintext PIN (A) and the login password ciphertext MDPIN (A) and then carry out encryption processing to obtain a symmetric encryption and decryption key DK (A);
the formula is expressed as: dk (a) ═ MD5[ pin (a) + mdpin (a) ].
2) The user side A encrypts the private key plaintext SK (A) by using a first symmetric encryption and decryption algorithm, such as a DES algorithm, with a symmetric encryption and decryption key DK (A) as a key to obtain a private key ciphertext DESSK (A); the private key ciphertext DESSK (A) can be decrypted only by using the symmetric encryption/decryption key DK (A) as the key.
The formula is expressed as: dessk (a) ═ DESENCRYPT [ dk (a), sk (a) ].
3) The user A stores a private key ciphertext DESSK (A);
step 1.5, a user terminal A transmits the name of a user account A and a plain text GK (A) of a public key to a sharing server through a network;
the sharing server adds a public key plaintext GK (A) to the authentication information of the user account A; wherein, the public key plaintext GK (A) allows other server users to read;
step 1.6, finally, the sharing server obtains the following server authentication information of the user account A: the name of a user account A, a login password ciphertext MDPIN (A) and a public key plaintext GK (A); then, the sharing server adds the server authentication information of the user account A into an authentication management list;
the user side A stores user side authentication information of the user account A, wherein the user side authentication information comprises the name of the user account A and a private key ciphertext DESSK (A), and then registration operation of the user account A is completed.
That is, for any user side successfully registered to the shared server, the private key ciphertext is stored locally at the user side; and at the shared server, the name of the user account, the cipher text of the login password and the plaintext of the public key are all stored.
In the invention, the user side registers to the sharing server, and the method has the following advantages:
1) in the step, the user side transmits the login password to the shared server in a login password ciphertext mode, so that the transmission safety of the login password in the network is effectively improved.
2) The user side stores the private key ciphertext and the sharing server stores the login password ciphertext, so that the user side and the sharing server both store related information in a ciphertext mode, and the safety of the related information is further improved.
Step 2, the user end A creates a group (A), and the method is as follows:
step 2.1, a user A 'receives a login request from a user account A', wherein the login request carries a login password plaintext PIN (A ') and a user account A' name;
step 2.2, the user terminal A 'performs identity verification on the user account A' through the shared server to verify whether the user account A 'is a registered user, and if the user account A' is the registered user, the step 2.3 is executed; otherwise, refusing to execute the operation of creating the group (A), and ending the process;
the specific method for identity authentication comprises the following steps:
step 2.2.1, the user side A ' encrypts the login password plaintext PIN (A ') by adopting a first message digest algorithm, such as an MD5 algorithm, so as to obtain a login password ciphertext MDPIN (A ');
step 2.2.2, the user terminal A ' sends an identity verification request to the sharing server, wherein the identity verification request carries the name of the user account A ' and a login password ciphertext MDPIN (A ');
step 2.2.3, the shared server searches the authentication management list to obtain a user account name which is the same as the name of the user account A', namely the name of the user account A, and then obtains a corresponding login password ciphertext MDPIN (A) according to the name of the user account A; then, the sharing server judges whether the login password ciphertext MDPIN (A) is the same as the verified login password ciphertext MDPIN (A '), if so, the identity verification of the user account A' is successful, the operation of creating the group (A) in the step 2.3 is allowed to be executed, and if not, the operation of creating the group (A) in the step 2.3 is refused to be executed;
step 2.3, the user terminal A' is verified as the user terminal A; the user account A' is verified as the user account A; the user terminal A creates a group (A) corresponding to the user account A in the following way:
step 2.3.1, the user A creates a group (A) corresponding to the user account A and sends the name of the group (A) and the name of the user account A to a sharing server;
the sharing server pre-creates a group management list and stores the group (A) name and the group creator name into the group management list; the group creator name is the name of the user account A; to this end, the sharing server completes the operation of creating the group (A);
for the user terminal a, continuing to execute the step 2.3.2;
step 2.3.2, the user A obtains and stores a group symmetric encryption and decryption cipher text DESGAKEY (A) through the following group cipher encryption algorithm to complete the creation operation of the group (A):
1) the user A generates a group symmetric encryption and decryption cipher plaintext GAKEY;
it should be emphasized that, for any user side, when adding group members, uploading shared files, or downloading shared files in the following, only the group symmetric encryption/decryption password plaintext GAKEY appears, which refers to the unique group password. That is to say, when adding group members, uploading shared files, or downloading shared files in the following, the basic premise is that the user end needs to acquire the group symmetric encryption/decryption cipher plaintext gatey to successfully complete the function of uploading or downloading shared files.
2) The user A adopts a third message digest algorithm, such as MD5 algorithm, to combine the login password plaintext PIN (A) and the login password ciphertext MDPIN (A) and then carry out encryption processing to obtain a group symmetric encryption and decryption key GDK (A);
3) the user end A uses the group symmetric encryption and decryption key GDK (A) as a key, and adopts a second symmetric encryption and decryption algorithm, such as a DES algorithm, to encrypt the group symmetric encryption and decryption cipher plaintext GAKEY to obtain a group symmetric encryption and decryption cipher ciphertext DESGAKEY (A);
the group symmetric encryption/decryption cipher text DESGAKEY (A) can be decrypted only by using the group symmetric encryption/decryption key GDK (A) as a key.
The user A stores group authentication information, which comprises: group (A) name and group symmetric encryption and decryption cipher text DESGAKEY (A); the creation process of the group (A) is completed;
the method mainly has the following advantages:
since the group password has an important meaning for completing the group-related function, once leakage occurs, a serious security accident may be caused, and thus, the security of the group password needs to be strictly guaranteed. Therefore, in this step, the user a does not locally store the group symmetric encryption/decryption password plaintext token in the plaintext form, but stores the group password in the ciphertext form after encrypting the group symmetric encryption/decryption password plaintext token, that is: and the symmetric encryption and decryption cipher texts DESGAKEY (A) in the group are obtained, so that the security of the cipher texts is ensured. In addition, the group password is not directly stored in the shared server, and the use safety of the group password is further improved.
Step 3, add other group members to the group (A), the method is:
step 3.1, when the sharing server receives a request message from the user account A ″ for adding the user account B to the group (A), the sharing server searches the authentication management list and judges whether the user account B is in the authentication management list, if so, the step 3.2 is allowed to be executed; otherwise, refusing to execute the step 3.2, and ending the process;
step 3.2, the sharing server searches the group management list, and judges whether the user account A' is a creating account of the group (A), namely: verifying whether the user account A' is the same as the user account A, and if so, allowing the step 3.3 to be executed; otherwise, refusing to execute the step 3.3, and ending the process;
that is, in the present invention, in order to enhance the management strength of the group (a) and improve the use security, only the creating account of the group (a) is allowed to invite other user accounts to join the group, and the general members of the group (a) do not have the function.
Step 3.3, the sharing server obtains the authentication information of the user account B by searching the authentication management list, wherein the authentication information comprises the name of the user account B, a login password ciphertext MDPIN (B) and a public key plaintext GK (B);
the sharing server sends the name of the user account B and the plaintext GK (B) of the public key to the user A;
since the public key itself is open, the public key plaintext gk (b) is sent in plaintext over the network without security problems.
Step 3.4, the user A obtains a group symmetric encryption and decryption cipher plaintext GAKEY by the following method:
1) the user A encrypts a login password plaintext PIN (A) by adopting a first message digest algorithm to obtain a login password ciphertext MDPIN (A);
2) the user A adopts a third message digest algorithm to combine the login password plaintext PIN (A) and the login password ciphertext MDPIN (A) and then carry out encryption processing to obtain a group symmetric encryption and decryption key GDK (A);
3) the user end A decrypts the group symmetric encryption and decryption cipher text DESGAKEY (A) by using a second symmetric encryption and decryption algorithm by taking the group symmetric encryption and decryption key GDK (A) as a key to obtain a group symmetric encryption and decryption cipher plaintext GAKEY;
step 3.5, the user a encrypts the group symmetric encryption and decryption cipher plaintext GAKEY to obtain a group asymmetric encryption and decryption cipher ciphertext rsagakey (B) that can be decrypted only by using the private key plaintext sk (B) uniquely corresponding to the user account B, and the method comprises the following steps:
the user end A uses the public key plaintext GK (B) obtained in the step 3.3 as a secret key, and adopts a second asymmetric encryption and decryption algorithm to encrypt the group symmetric encryption and decryption cipher plaintext GAKEY to obtain a group asymmetric encryption and decryption cipher ciphertext RSAGAKEY (B);
step 3.6, the user end A returns a response message for adding the user account B into the group (A) to the shared server, wherein the response message carries a group asymmetric encryption and decryption cipher text RSAGAKEY (B);
the main functions of step 3.4 to step 3.6 are: because the group password is the key information affecting the group security, the group password is not allowed to be transmitted on the network in a plaintext manner, in the present invention, the group password stored locally at the user end a is a group password in a ciphertext form, that is: the group symmetric encryption and decryption cipher texts DESGAKEY (A), therefore, the user A firstly decrypts the group symmetric encryption and decryption cipher texts DESGAKEY (A) to obtain a group symmetric encryption and decryption cipher plaintext GAKEY; and encrypting the group symmetric encryption and decryption cipher plaintext GAKEY in a manner that only the user side B can decrypt the group symmetric encryption and decryption cipher plaintext GAKEY, and transmitting the group symmetric encryption and decryption cipher plaintext GAKEY to the user side B through the shared server in a cipher text manner. Thus, the user B can successfully decrypt the group symmetric encryption/decryption cipher plaintext GAKEY.
Step 3.7, the sharing server sends an invitation message added to the group (A) to the user terminal B, wherein the invitation message carries a group asymmetric encryption and decryption cipher text RSAGAKEY (B);
step 3.8, after the user side B successfully logs in the sharing server, receiving an invitation message which is sent by the sharing server and added to the group (a), if the user side B refuses to join the group (a), returning a notification message of refusing to join to the sharing server, wherein the sharing server does not add the user side B to the group management list, and the group invitation fails;
if the user side B agrees to join the group (A), the user side B locally stores a group asymmetric encryption and decryption password ciphertext RSAGAKEY (B), meanwhile, a notification message of agreement of the joining is returned to the sharing server, and the sharing server joins the user side B into a group management list, wherein the member role of the user side B is a group common user, the group invitation is successful, and then the step 3.9 is executed;
step 3.9, the user B locally saves the group asymmetric encryption and decryption cipher texts rsagakakey (B), and decrypts by the following method to obtain the group symmetric encryption and decryption cipher plaintext GAKEY:
1) the user side B adopts a second message digest algorithm to combine the login password plaintext PIN (B) and the login password ciphertext MDPIN (B) and then carry out encryption processing to obtain a symmetric encryption and decryption key DK (B);
2) the user side B uses the symmetric encryption and decryption key DK (B) as a key, and decrypts the locally stored private key ciphertext DESSK (B) by adopting a first symmetric encryption and decryption algorithm to obtain a private key plaintext SK (B);
3) the user end B decrypts the group asymmetric encryption and decryption cipher text RSAGAKEY (B) by taking the private key plaintext SK (B) as a secret key to obtain a group symmetric encryption and decryption cipher text GAKEY;
step 3.10, the user B encrypts the group symmetric encryption and decryption cipher plaintext GAKEY to obtain a group symmetric encryption and decryption cipher ciphertext desgakey (B), so far, the user B locally stores group authentication information, which includes: the group (A) name and the group symmetric encryption and decryption cipher text DESGAKEY (B) complete the process of joining the group (A);
the user side B encrypts the group symmetric encryption and decryption cipher plaintext GAKEY to obtain a group symmetric encryption and decryption cipher ciphertext DESGAKEY (B), and the method comprises the following steps:
the user side B adopts a third message digest algorithm to combine the login password plaintext PIN (B) and the login password ciphertext MDPIN (B) and then carry out encryption processing to obtain a group symmetric encryption and decryption key GDK (B);
and the user end B encrypts the group symmetric encryption and decryption cipher plaintext GAKEY by using a second symmetric encryption and decryption algorithm by taking the group symmetric encryption and decryption key GDK (B) as a key to obtain a group symmetric encryption and decryption cipher ciphertext DESGAKEY (B).
Therefore, all group members successfully joining the group (A) need to store the group symmetric encryption and decryption cipher texts locally, and the group cipher is stored locally in a cipher text mode, so that the group security is improved.
Step 4, uploading the shared file by adopting the same method for any group member successfully added into the group (A); specifically, for any user account C in the group (a), the following method is adopted to upload the shared file:
step 4.1, after the user account C is successfully authenticated, successfully logging in the sharing server;
step 4.2, the user C locally stores the private key ciphertext DESSK (C), and decrypts the private key ciphertext DESSK (C) to obtain the private key plaintext SK (C):
specifically, the user C combines the login password plaintext pin (C) and the login password ciphertext mdpin (C) by using a second message digest algorithm, such as the MD5 algorithm, and then performs encryption processing to obtain a symmetric encryption and decryption key dk (C);
the user side C uses the symmetric encryption and decryption key DK (C) as a key, and performs decryption processing on the private key ciphertext DESSK (C) by adopting a first symmetric encryption and decryption algorithm to obtain a private key plaintext SK (C);
step 4.3, the user C locally stores the group symmetric encryption and decryption cipher texts DESGAKEY (C), and decrypts the group symmetric encryption and decryption cipher texts DESGAKEY (C) to obtain a group symmetric encryption and decryption cipher plaintext GAKEY;
specifically, the user C combines the login password plaintext pin (C) and the login password ciphertext mdpin (C) by using a third message digest algorithm, such as the MD5 algorithm, and then performs encryption processing to obtain a group symmetric encryption and decryption key gdk (C);
the user end C uses the group symmetric encryption and decryption key GDK (C) as a key, and adopts a second symmetric encryption and decryption algorithm to decrypt the group symmetric encryption and decryption cipher text DESGAKEY (C) to obtain a group symmetric encryption and decryption cipher plaintext GAKEY;
step 4.4, the user C securely uploads the local FILE to the shared server by adopting the following method:
step 4.4.1, the user C encrypts the local FILE by adopting a fourth message digest algorithm to obtain a first encrypted FILE MDFile;
step 4.4.2, the user C encrypts the first encrypted file MDFILE by using a third asymmetric encryption and decryption algorithm with the private key sk (C) as a secret key to obtain a second encrypted file RSAMDFILE(C);
step 4.4.3, the user side C merges the local FILE and the second encrypted FILE RSAMDFILE(C), and performs encryption processing by using the group symmetric encryption and decryption cipher plaintext GAKEY to obtain a third encrypted FILE desfile (C);
step 4.4.4, the user terminal C sends a third encrypted file desfile (C) to the sharing server through the network, and the sharing server receives and adds the third encrypted file desfile (C) to a shared storage space corresponding to the group (a) for the group members of the group (a) to access and download;
in this step 4, when the user transmits the file to the sharing server through the network, the file being transmitted is a three-layer encrypted file, that is: firstly, a fourth message digest algorithm is adopted for encryption, then, a private key plaintext SK (C) is further adopted for encryption, and finally, a group symmetric encryption and decryption cipher plaintext GAKEY is adopted for encryption, so that the security of the file transmission process is ensured.
In addition, as the key information for decrypting the file, namely the group symmetric encryption and decryption cipher plaintext GAKEY is not stored in the shared server, the security of file storage is further ensured.
Step 5, for any group member successfully added to the group (A), downloading the shared file by adopting the same method; specifically, for any user account D in the group (a), the following method is adopted to download the shared file from the shared storage space:
step 5.1, after the user account D is successfully authenticated, successfully logging in the sharing server;
step 5.2, because the user account D is a group member of the group (A), the user end D locally stores the group symmetric encryption and decryption cipher texts DESGAKEY (D);
the user end D carries out decryption operation on the group symmetric encryption and decryption cipher texts DESGAKEY (D) to obtain a group symmetric encryption and decryption cipher plaintext GAKEY; the decryption method comprises the following steps:
the user end D adopts a third message digest algorithm to combine the login password plaintext PIN (D) and the login password ciphertext MDPIN (D) and then carry out encryption processing to obtain a group symmetric encryption and decryption key GDK (D);
the user end D uses the group symmetric encryption and decryption key GDK (D) as a key, and performs decryption operation on the group symmetric encryption and decryption cipher text DESGAKEY (D) by adopting a second symmetric encryption and decryption algorithm to obtain a group symmetric encryption and decryption cipher plaintext GAKEY;
step 5.3, the user end D queries, through the network, the identification of the shared file uploaded by the user account C, i.e. a third encrypted file desfile (C), from the shared storage space corresponding to the group (a) of the shared server, and downloads the third encrypted file desfile (C) from the shared storage space corresponding to the group (a) of the shared server to the user end D;
step 5.4, the user end D uses the group symmetric encryption and decryption cipher plaintext GAKEY as a key to decrypt the third encrypted FILE DESFILE (C) to obtain a second encrypted FILE RSAMDFILE(C) and a FILE FILE;
step 5.5, the user end D encrypts the FILE FILE obtained in the step 5.4 by adopting a fourth message digest algorithm to obtain a first encrypted FILE MDFILE';
step 5.6, the user end D obtains a file publisher, namely a public key plaintext GK (C) of the user account C through the sharing server; then, a third asymmetric encryption and decryption algorithm is adopted to decrypt the second encrypted file RSAMDFILE(C) to obtain a first encrypted file MDFILE ";
step 5.7, the user end D compares the first encrypted FILE MDFILE ' obtained in the step 5.5 to determine whether the first encrypted FILE MDFILE ' is the same as the first encrypted FILE MDFILE ' obtained in the step 5.6, if so, the user end D confirms that the FILE FILE read this time is issued by the user account C, the identity of the user account C is confirmed, and the user end D successfully downloads the shared FILE, namely the FILE FILE; if the FILE is not the same as the FILE read by the user account C, the FILE read by the user is the FILE issued by forging the user account C identity by other users, and the FILE read by the user is the forged FILE.
It is emphasized that, in the present invention, the first message digest algorithm, the second message digest algorithm, the third message digest algorithm, and the fourth message digest algorithm may be the same or different;
the first symmetric encryption and decryption algorithm and the second symmetric encryption and decryption algorithm can be the same or different;
the first asymmetric encryption and decryption algorithm, the second asymmetric encryption and decryption algorithm and the third asymmetric encryption and decryption algorithm can be the same or different.
However, the first symmetric encryption and decryption algorithms appearing in different steps are the same algorithm; likewise, the second symmetric encryption and decryption algorithms appearing in different steps are all the same algorithm. And expressing the first message digest algorithm, the second message digest algorithm, the third message digest algorithm, the fourth message digest algorithm, the first asymmetric encryption and decryption algorithm, the second asymmetric encryption and decryption algorithm and the third asymmetric encryption and decryption algorithm by the same rule.
The invention provides a data security sharing method facing a cloud computing environment, which has the following advantages:
1) for group members, only three information of a private key ciphertext, a joined group name and a group symmetric encryption and decryption password ciphertext need to be stored at a local user side, on one hand, the amount of locally stored information is small, and on the other hand, locally stored key information is that: the private key ciphertext and the group symmetric encryption and decryption password ciphertext are stored in a ciphertext mode, so that the safety of locally stored information is comprehensively improved;
2) for the shared server, only an authentication management list and a group management list need to be saved; the authentication management list stores user account names, login password ciphertexts and public key plaintexts of registered users; the group management list stores group names, group member roles (group creators or group general members), and group member names, so on one hand, the amount of information stored by the shared server is small, and on the other hand, the key information stored by the shared server is: the login password ciphertext is stored in a ciphertext mode, so that the safety of information stored by the shared server is comprehensively improved.
3) In the process of adding group members, the transmission of key information is as follows: the group password is transmitted in a ciphertext mode in the whole process, so that the safety of information transmission is improved;
4) in the process of uploading the shared file, the shared file is transmitted in a three-layer encryption mode, so that the transmission safety of the shared file is improved;
5) in the process of downloading the shared file, the shared file is transmitted to the local part of the user side in a three-layer encryption mode, and then the user side carries out decryption operation on the shared file, so that the transmission safety of the shared file is improved.
In summary, according to the data security sharing method for the cloud computing environment, provided by the invention, by establishing the group and limiting the group member adding manner and the sharing file uploading and downloading manner, the use security of the sharing file is comprehensively improved from multiple angles, and the leakage and the forgery of the sharing file are prevented.
The foregoing is only a preferred embodiment of the present invention, and it should be noted that, for those skilled in the art, various modifications and improvements can be made without departing from the principle of the present invention, and such modifications and improvements should also be considered within the scope of the present invention.
Claims (3)
1. A data security sharing method facing to a cloud computing environment is characterized by comprising the following steps:
step 1, a user side registers to a shared server by adopting a registration process, and the registration method comprises the following steps:
step 1.1, for any user side, which is represented as a user side A, receiving a login password plaintext PIN (A) from a user account A; then, the user A encrypts the login password plaintext PIN (A) by adopting a first message digest algorithm to obtain a login password ciphertext MDPIN (A);
step 1.2, the user A transmits the name of the user account A and a login password ciphertext MDPIN (A) to a sharing server through a network;
the sharing server receives and stores authentication information of a user account A; the authentication information of the user account A comprises the name of the user account A and a login password ciphertext MDPIN (A);
step 1.3, a user A generates a public key plaintext GK (A) and a private key plaintext SK (A) which are uniquely corresponding to a user account A by adopting a first asymmetric encryption and decryption algorithm;
step 1.4, the user side a encrypts the private key plaintext sk (a) by using a private key encryption algorithm to obtain a private key ciphertext dessk (a), and specifically includes:
1) the user A adopts a second message digest algorithm to combine the login password plaintext PIN (A) and the login password ciphertext MDPIN (A) and then carry out encryption processing to obtain a symmetric encryption and decryption key DK (A);
2) the user side A encrypts a private key plaintext SK (A) by using a first symmetric encryption and decryption algorithm by taking a symmetric encryption and decryption key DK (A) as a key to obtain a private key ciphertext DESSK (A);
3) the user A stores a private key ciphertext DESSK (A);
step 1.5, a user terminal A transmits the name of a user account A and a plain text GK (A) of a public key to a sharing server through a network;
the sharing server adds a public key plaintext GK (A) to the authentication information of the user account A; wherein, the public key plaintext GK (A) allows other server users to read;
step 1.6, finally, the sharing server obtains the following server authentication information of the user account A: the name of a user account A, a login password ciphertext MDPIN (A) and a public key plaintext GK (A); then, the sharing server adds the server authentication information of the user account A into an authentication management list;
the user side A stores user side authentication information of the user account A, wherein the user side authentication information comprises the name of the user account A and a private key ciphertext DESSK (A), and then registration operation of the user account A is completed;
step 2, the user end A creates a group (A), and the method is as follows:
step 2.1, a user A 'receives a login request from a user account A', wherein the login request carries a login password plaintext PIN (A ') and a user account A' name;
step 2.2, the user terminal A 'performs identity verification on the user account A' through the shared server to verify whether the user account A 'is a registered user, and if the user account A' is the registered user, the step 2.3 is executed; otherwise, refusing to execute the operation of creating the group (A), and ending the process;
the specific method for identity authentication comprises the following steps:
step 2.2.1, the user side A ' encrypts a login password plaintext PIN (A ') by adopting a first message digest algorithm to obtain a login password ciphertext MDPIN (A ');
step 2.2.2, the user terminal A ' sends an identity verification request to the sharing server, wherein the identity verification request carries the name of the user account A ' and a login password ciphertext MDPIN (A ');
step 2.2.3, the shared server searches the authentication management list to obtain a user account name which is the same as the name of the user account A', namely the name of the user account A, and then obtains a corresponding login password ciphertext MDPIN (A) according to the name of the user account A; then, the sharing server judges whether the login password ciphertext MDPIN (A) is the same as the verified login password ciphertext MDPIN (A '), if so, the identity verification of the user account A' is successful, the operation of creating the group (A) in the step 2.3 is allowed to be executed, and if not, the operation of creating the group (A) in the step 2.3 is refused to be executed;
step 2.3, the user terminal A' is verified as the user terminal A; the user account A' is verified as the user account A; the user terminal A creates a group (A) corresponding to the user account A in the following way:
step 2.3.1, the user A creates a group (A) corresponding to the user account A and sends the name of the group (A) and the name of the user account A to a sharing server;
the sharing server pre-creates a group management list and stores the group (A) name and the group creator name into the group management list; the group creator name is the name of the user account A; to this end, the sharing server completes the operation of creating the group (A);
for the user terminal a, continuing to execute the step 2.3.2;
step 2.3.2, the user A obtains and stores a group symmetric encryption and decryption cipher text DESGAKEY (A) through the following group cipher encryption algorithm to complete the creation operation of the group (A):
1) the user A generates a group symmetric encryption and decryption cipher plaintext GAKEY;
2) the user A adopts a third message digest algorithm to combine the login password plaintext PIN (A) and the login password ciphertext MDPIN (A) and then carry out encryption processing to obtain a group symmetric encryption and decryption key GDK (A);
3) the user end A uses the group symmetric encryption and decryption key GDK (A) as a key, and adopts a second symmetric encryption and decryption algorithm to encrypt the group symmetric encryption and decryption cipher plaintext GAKEY to obtain a group symmetric encryption and decryption cipher ciphertext DESGAKEY (A);
the user A stores group authentication information, which comprises: group (A) name and group symmetric encryption and decryption cipher text DESGAKEY (A); the creation process of the group (A) is completed;
step 3, add other group members to the group (A), the method is:
step 3.1, when the sharing server receives a request message from the user account A ″ for adding the user account B to the group (A), the sharing server searches the authentication management list and judges whether the user account B is in the authentication management list, if so, the step 3.2 is allowed to be executed; otherwise, refusing to execute the step 3.2, and ending the process;
step 3.2, the sharing server searches the group management list, and judges whether the user account A' is a creating account of the group (A), namely: verifying whether the user account A' is the same as the user account A, and if so, allowing the step 3.3 to be executed; otherwise, refusing to execute the step 3.3, and ending the process;
step 3.3, the sharing server obtains the authentication information of the user account B by searching the authentication management list, wherein the authentication information comprises the name of the user account B, a login password ciphertext MDPIN (B) and a public key plaintext GK (B);
the sharing server sends the name of the user account B and the plaintext GK (B) of the public key to the user A;
step 3.4, the user A obtains a group symmetric encryption and decryption cipher plaintext GAKEY by the following method:
1) the user A encrypts a login password plaintext PIN (A) by adopting a first message digest algorithm to obtain a login password ciphertext MDPIN (A);
2) the user A adopts a third message digest algorithm to combine the login password plaintext PIN (A) and the login password ciphertext MDPIN (A) and then carry out encryption processing to obtain a group symmetric encryption and decryption key GDK (A);
3) the user end A decrypts the group symmetric encryption and decryption cipher text DESGAKEY (A) by using a second symmetric encryption and decryption algorithm by taking the group symmetric encryption and decryption key GDK (A) as a key to obtain a group symmetric encryption and decryption cipher plaintext GAKEY;
step 3.5, the user a encrypts the group symmetric encryption and decryption cipher plaintext GAKEY to obtain a group asymmetric encryption and decryption cipher ciphertext rsagakey (B) that can be decrypted only by using the private key plaintext sk (B) uniquely corresponding to the user account B, and the method comprises the following steps:
the user end A uses the public key plaintext GK (B) obtained in the step 3.3 as a secret key, and adopts a second asymmetric encryption and decryption algorithm to encrypt the group symmetric encryption and decryption cipher plaintext GAKEY to obtain a group asymmetric encryption and decryption cipher ciphertext RSAGAKEY (B);
step 3.6, the user end A returns a response message for adding the user account B into the group (A) to the shared server, wherein the response message carries a group asymmetric encryption and decryption cipher text RSAGAKEY (B);
step 3.7, the sharing server sends an invitation message added to the group (A) to the user terminal B, wherein the invitation message carries a group asymmetric encryption and decryption cipher text RSAGAKEY (B);
step 3.8, after the user side B successfully logs in the sharing server, receiving an invitation message which is sent by the sharing server and added to the group (a), if the user side B refuses to join the group (a), returning a notification message of refusing to join to the sharing server, wherein the sharing server does not add the user side B to the group management list, and the group invitation fails;
if the user side B agrees to join the group (A), the user side B locally stores a group asymmetric encryption and decryption password ciphertext RSAGAKEY (B), meanwhile, a notification message of agreement of the joining is returned to the sharing server, and the sharing server joins the user side B into a group management list, wherein the member role of the user side B is a group common user, the group invitation is successful, and then the step 3.9 is executed;
step 3.9, the user B locally saves the group asymmetric encryption and decryption cipher texts rsagakakey (B), and decrypts by the following method to obtain the group symmetric encryption and decryption cipher plaintext GAKEY:
1) the user side B adopts a second message digest algorithm to combine the login password plaintext PIN (B) and the login password ciphertext MDPIN (B) and then carry out encryption processing to obtain a symmetric encryption and decryption key DK (B);
2) the user side B uses the symmetric encryption and decryption key DK (B) as a key, and decrypts the locally stored private key ciphertext DESSK (B) by adopting a first symmetric encryption and decryption algorithm to obtain a private key plaintext SK (B);
3) the user end B decrypts the group asymmetric encryption and decryption cipher text RSAGAKEY (B) by taking the private key plaintext SK (B) as a secret key to obtain a group symmetric encryption and decryption cipher text GAKEY;
step 3.10, the user B encrypts the group symmetric encryption and decryption cipher plaintext GAKEY to obtain a group symmetric encryption and decryption cipher ciphertext desgakey (B), so far, the user B locally stores group authentication information, which includes: the group (A) name and the group symmetric encryption and decryption cipher text DESGAKEY (B) complete the process of joining the group (A);
the user side B encrypts the group symmetric encryption and decryption cipher plaintext GAKEY to obtain a group symmetric encryption and decryption cipher ciphertext DESGAKEY (B), and the method comprises the following steps:
the user side B adopts a third message digest algorithm to combine the login password plaintext PIN (B) and the login password ciphertext MDPIN (B) and then carry out encryption processing to obtain a group symmetric encryption and decryption key GDK (B);
the user end B uses the group symmetric encryption and decryption key GDK (B) as a key, and adopts a second symmetric encryption and decryption algorithm to encrypt the group symmetric encryption and decryption cipher plaintext GAKEY to obtain a group symmetric encryption and decryption cipher ciphertext DESGAKEY (B);
step 4, uploading the shared file by adopting the same method for any group member successfully added into the group (A); specifically, for any user account C in the group (a), the following method is adopted to upload the shared file:
step 4.1, after the user account C is successfully authenticated, successfully logging in the sharing server;
step 4.2, the user C locally stores the private key ciphertext DESSK (C), and decrypts the private key ciphertext DESSK (C) to obtain the private key plaintext SK (C):
step 4.3, the user C locally stores the group symmetric encryption and decryption cipher texts DESGAKEY (C), and decrypts the group symmetric encryption and decryption cipher texts DESGAKEY (C) to obtain a group symmetric encryption and decryption cipher plaintext GAKEY;
step 4.4, the user C securely uploads the local FILE to the shared server by adopting the following method:
step 4.4.1, the user C encrypts the local FILE by adopting a fourth message digest algorithm to obtain a first encrypted FILE MDFile;
step 4.4.2, the user C encrypts the first encrypted file MDFILE by using a third asymmetric encryption and decryption algorithm with the private key sk (C) as a secret key to obtain a second encrypted file RSAMDFILE(C);
step 4.4.3, the user side C merges the local FILE and the second encrypted FILE RSAMDFILE(C), and performs encryption processing by using the group symmetric encryption and decryption cipher plaintext GAKEY to obtain a third encrypted FILE desfile (C);
step 4.4.4, the user terminal C sends a third encrypted file desfile (C) to the sharing server through the network, and the sharing server receives and adds the third encrypted file desfile (C) to a shared storage space corresponding to the group (a) for the group members of the group (a) to access and download;
step 5, for any group member successfully added to the group (A), downloading the shared file by adopting the same method; specifically, for any user account D in the group (a), the following method is adopted to download the shared file from the shared storage space:
step 5.1, after the user account D is successfully authenticated, successfully logging in the sharing server;
step 5.2, because the user account D is a group member of the group (A), the user end D locally stores the group symmetric encryption and decryption cipher texts DESGAKEY (D);
the user end D carries out decryption operation on the group symmetric encryption and decryption cipher texts DESGAKEY (D) to obtain a group symmetric encryption and decryption cipher plaintext GAKEY; the decryption method comprises the following steps:
the user end D adopts a third message digest algorithm to combine the login password plaintext PIN (D) and the login password ciphertext MDPIN (D) and then carry out encryption processing to obtain a group symmetric encryption and decryption key GDK (D);
the user end D uses the group symmetric encryption and decryption key GDK (D) as a key, and performs decryption operation on the group symmetric encryption and decryption cipher text DESGAKEY (D) by adopting a second symmetric encryption and decryption algorithm to obtain a group symmetric encryption and decryption cipher plaintext GAKEY;
step 5.3, the user end D queries, through the network, the identification of the shared file uploaded by the user account C, i.e. a third encrypted file desfile (C), from the shared storage space corresponding to the group (a) of the shared server, and downloads the third encrypted file desfile (C) from the shared storage space corresponding to the group (a) of the shared server to the user end D;
step 5.4, the user end D uses the group symmetric encryption and decryption cipher plaintext GAKEY as a key to decrypt the third encrypted FILE DESFILE (C) to obtain a second encrypted FILE RSAMDFILE(C) and a FILE FILE;
step 5.5, the user end D encrypts the FILE FILE obtained in the step 5.4 by adopting a fourth message digest algorithm to obtain a first encrypted FILE MDFILE';
step 5.6, the user end D obtains a file publisher, namely a public key plaintext GK (C) of the user account C through the sharing server; then, a third asymmetric encryption and decryption algorithm is adopted to decrypt the second encrypted file RSAMDFILE(C) to obtain a first encrypted file MDFILE ";
step 5.7, the user end D compares the first encrypted FILE MDFILE ' obtained in the step 5.5 to determine whether the first encrypted FILE MDFILE ' is the same as the first encrypted FILE MDFILE ' obtained in the step 5.6, if so, the user end D confirms that the FILE FILE read this time is issued by the user account C, the identity of the user account C is confirmed, and the user end D successfully downloads the shared FILE, namely the FILE FILE; if the FILE is not the same as the FILE read by the user account C, the FILE read by the user is the FILE issued by forging the user account C identity by other users, and the FILE read by the user is the forged FILE.
2. The data security sharing method oriented to the cloud computing environment according to claim 1, wherein the first message digest algorithm, the second message digest algorithm, the third message digest algorithm and the fourth message digest algorithm are the same or different;
the first symmetric encryption and decryption algorithm and the second symmetric encryption and decryption algorithm are the same or different;
the first asymmetric encryption and decryption algorithm, the second asymmetric encryption and decryption algorithm and the third asymmetric encryption and decryption algorithm are the same or different.
3. The data security sharing method oriented to the cloud computing environment according to claim 2, wherein the first message digest algorithm, the second message digest algorithm, the third message digest algorithm and the fourth message digest algorithm are MD5 algorithms;
the first symmetric encryption and decryption algorithm and the second symmetric encryption and decryption algorithm are DES algorithms;
the first asymmetric encryption and decryption algorithm, the second asymmetric encryption and decryption algorithm and the third asymmetric encryption and decryption algorithm are RSA algorithms.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202010880926.XA CN112019540B (en) | 2020-08-27 | 2020-08-27 | Data security sharing method oriented to cloud computing environment |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202010880926.XA CN112019540B (en) | 2020-08-27 | 2020-08-27 | Data security sharing method oriented to cloud computing environment |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN112019540A CN112019540A (en) | 2020-12-01 |
| CN112019540B true CN112019540B (en) | 2022-03-11 |
Family
ID=73502670
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202010880926.XA Active CN112019540B (en) | 2020-08-27 | 2020-08-27 | Data security sharing method oriented to cloud computing environment |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN112019540B (en) |
Families Citing this family (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN114205090B (en) * | 2021-11-30 | 2024-01-30 | 傲然技术有限公司 | Safe file sharing method and system based on cryptographic algorithm |
| CN114640666B (en) * | 2022-03-04 | 2023-07-25 | 微位(深圳)网络科技有限公司 | File sharing downloading method, electronic equipment and readable storage medium |
| CN116226890A (en) * | 2023-05-05 | 2023-06-06 | 北京华阅嘉诚科技发展有限公司 | Audio file processing method and device, electronic equipment and storage medium |
Citations (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN104618419A (en) * | 2014-08-02 | 2015-05-13 | 江苏物泰信息科技有限公司 | Scheme based on content sharing policy in cloud |
| CN105072180A (en) * | 2015-08-06 | 2015-11-18 | 武汉科技大学 | Cloud storage data security sharing method with permission time control |
| CN106506155A (en) * | 2016-12-09 | 2017-03-15 | 四川师范大学 | Cryptograph Sharing method under publicly-owned cloud environment |
| CN111526197A (en) * | 2020-04-24 | 2020-08-11 | 远光软件股份有限公司 | Cloud data secure sharing method |
Family Cites Families (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US8544068B2 (en) * | 2010-11-10 | 2013-09-24 | International Business Machines Corporation | Business pre-permissioning in delegated third party authorization |
-
2020
- 2020-08-27 CN CN202010880926.XA patent/CN112019540B/en active Active
Patent Citations (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN104618419A (en) * | 2014-08-02 | 2015-05-13 | 江苏物泰信息科技有限公司 | Scheme based on content sharing policy in cloud |
| CN105072180A (en) * | 2015-08-06 | 2015-11-18 | 武汉科技大学 | Cloud storage data security sharing method with permission time control |
| CN106506155A (en) * | 2016-12-09 | 2017-03-15 | 四川师范大学 | Cryptograph Sharing method under publicly-owned cloud environment |
| CN111526197A (en) * | 2020-04-24 | 2020-08-11 | 远光软件股份有限公司 | Cloud data secure sharing method |
Non-Patent Citations (5)
| Title |
|---|
| Conditional Proxy Re-Encryption for Secure Big Data Group Sharing in Cloud Environment;Son, Junggab,Kim, Donghyun;《33rd IEEE Annual Conference on Computer Communications (IEEE INFOCOM)》;20140502;全文 * |
| 一种云存储下多授权访问控制及用户属性撤销方案;江泽涛等;《微电子学与计算机》;20180505(第05期);全文 * |
| 丁智国; 莫毓昌; 杨凡.一种新的在线流数据异常检测方法.《计算机科学》.2016, * |
| 云存储环境下数据共享的安全性分析与改进;胡彦婷等;《科学咨询(科技管理)》;20161203(第12期);全文 * |
| 付玉书;莫毓昌;潘竹生.网络可靠性BDD分析中选择最优启发式边排序策略.《信息通信》.2015, * |
Also Published As
| Publication number | Publication date |
|---|---|
| CN112019540A (en) | 2020-12-01 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US11799656B2 (en) | Security authentication method and device | |
| CN112019540B (en) | Data security sharing method oriented to cloud computing environment | |
| US8196186B2 (en) | Security architecture for peer-to-peer storage system | |
| CN106453612B (en) | A kind of storage of data and shared system | |
| CN109347835A (en) | Information transferring method, client, server and computer readable storage medium | |
| CN113553574A (en) | Internet of things trusted data management method based on block chain technology | |
| US20120284506A1 (en) | Methods and apparatus for preventing crimeware attacks | |
| US7822974B2 (en) | Implicit trust of authorship certification | |
| US20090158394A1 (en) | Super peer based peer-to-peer network system and peer authentication method thereof | |
| US20040255137A1 (en) | Defending the name space | |
| CN101605137A (en) | Safe distribution file system | |
| US11349646B1 (en) | Method of providing secure communications to multiple devices and multiple parties | |
| CN105429962B (en) | A kind of general go-between service construction method and system towards encryption data | |
| US20210306133A1 (en) | Decentralized Methods and Systems for Storage, Access, Distribution and Exchange of Electronic Information and Documents over the Internet using Blockchain to protect against Cyber attacks and Theft | |
| CN112861157A (en) | Data sharing method based on decentralized identity and proxy re-encryption | |
| CN115766066A (en) | Data transmission method, device, safety communication system and storage medium | |
| US10764260B2 (en) | Distributed processing of a product on the basis of centrally encrypted stored data | |
| CN100499453C (en) | Method of the authentication at client end | |
| CN114154181A (en) | Privacy calculation method based on distributed storage | |
| Hesse et al. | Password-authenticated tls via opaque and post-handshake authentication | |
| CN110912857B (en) | Method and storage medium for sharing login between mobile applications | |
| CN111698203A (en) | Cloud data encryption method | |
| Madhumala et al. | Secure file storage & sharing on cloud using cryptography | |
| TWI766171B (en) | Account data processing method and account data processing system | |
| Hoffmann et al. | Towards an architecture for end-to-end-encrypted file synchronization systems |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |