CN112291356B - Self-verification variable name distributed storage method based on CNFS protocol - Google Patents

Publication number
CN112291356B
Authority
CN
China
Legal status
Active
Application number
CN202011200979.9A
Other languages
Chinese (zh)
Other versions
CN112291356A (en)
Inventor
原旭
于硕
罗乃文
陈志奎
孙野
陈怡�
Current Assignee
Dalian University of Technology
Original Assignee
Dalian University of Technology

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/10 Protocols in which an application is distributed across nodes in the network
    • H04L67/1097 Protocols in which an application is distributed across nodes in the network for distributed storage of data in networks, e.g. transport arrangements for network file system [NFS], storage area networks [SAN] or network attached storage [NAS]
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/10 File systems; File servers
    • G06F16/13 File access structures, e.g. distributed indices
    • G06F16/137 Hash-based
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/10 File systems; File servers
    • G06F16/18 File system types
    • G06F16/182 Distributed file systems
    • G06F16/1824 Distributed file systems implemented using Network-attached Storage [NAS] architecture
    • G06F16/183 Provision of network file services by network file servers, e.g. by using NFS, CIFS
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/10 File systems; File servers
    • G06F16/18 File system types
    • G06F16/182 Distributed file systems
    • G06F16/1834 Distributed file systems implemented based on peer-to-peer networks, e.g. gnutella
    • G06F16/1837 Management specially adapted to peer-to-peer storage networks
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/604 Tools and structures for managing or administering access control systems
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/606 Protecting data by securing the transmission between two devices or processes
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/64 Protecting data integrity, e.g. using checksums, certificates or signatures
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0442 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply asymmetric encryption, i.e. different keys for encryption and decryption
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/50 Network services
    • H04L67/56 Provisioning of proxy services
    • H04L67/562 Brokering proxy services
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/06 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
    • H04L9/0643 Hash functions, e.g. MD5, SHA, HMAC or f9 MAC
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0819 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • H04L9/0825 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) using asymmetric-key encryption or public key infrastructure [PKI], e.g. key signature or public key certificates
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861 Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/0869 Generation of secret information including derivation or calculation of cryptographic keys or passwords involving random numbers or seeds

Abstract

The invention relates to the technical field of distributed storage, and provides a self-verification variable name distributed storage method based on the CNFS protocol, comprising the following steps: step 100, an uploading user node generates CNFS node information based on a file system of the CNFS protocol; step 200, the uploading user node A allocates a variable namespace, takes the previously generated node information as an address name, adds a domain name to a domain name server system, uploads a file and indexes the file into its own namespace; step 300, an access user node obtains a file object and verifies the authenticity of the object published by the uploading user node by checking whether the signature matches the public key and the uploading user node information; step 400, the access user node resolves the data hash value published under the uploading user node's namespace and sends a download request for that data hash to the storage node. The invention effectively reduces the network burden and improves system scalability.

Description

Self-verification variable name distributed storage method based on CNFS protocol
Technical Field
The invention relates to the technical field of distributed storage, in particular to a self-verification variable-name distributed storage method based on a CNFS protocol.
Background
Blockchain technology is regarded as the next disruptive core technology after the steam engine, electric power and the Internet. In its early period it served only as the underlying technology of Bitcoin, as a chained data structure that cannot be tampered with. After years of development, blockchain has changed from a simple data structure into a general term for the family of distributed ledger technologies. A blockchain is a distributed database that is intended to maintain database consistency among mutually untrusting nodes and that cannot be tampered with.
The blockchain was created to achieve decentralization: to reach consensus without any central authority and to maintain one ledger jointly. Its design was not motivated by efficiency or scalability. In view of the increasing importance the Chinese government attaches to blockchain, the CNFS protocol has been proposed. The CNFS (Cluster Net File System) protocol is a network transmission protocol stack for content-addressed distributed storage and file sharing. It introduces a management mechanism with a main control node, which allows quick consensus to be reached through the main control node in a distributed environment. Combined with the blockchain, it compensates for the blockchain's shortcomings of low storage efficiency, high cost and difficult cross-chain coordination, and addresses China's concern about the potential security risks of complete decentralization. The use of the Merkle DAG in the CNFS protocol makes it possible to look up data by addressing it with its content hash value, so that content can be found accurately and redundant data removed effectively. As long as the contents of a file are not modified, the link of each chunk can point to the hash value of the next content; the link is always valid and its data validity does not need to be checked. This convenience has a cost, however: if a user updates the content of a file, the hash values along the whole path related to that file in the Merkle tree are forced to change, up to and including the root of the tree. A change made locally by the user is therefore expensive to synchronize to the whole blockchain network, and if the hash information of the whole branch is synchronized every time a file is modified, the practicability of the CNFS protocol is greatly reduced and data storage efficiency is low.
Disclosure of Invention
The invention mainly solves the following problems: once a content-addressable DAG object has been formed in the CNFS protocol, updating the content of a user data object changes its content address and with it the hash tree of the entire branch directory, so the network cost of synchronizing the hash information on every modification is excessive; and using a file hash as the address in a self-verification file system is unfriendly to users.
The invention provides a self-verification variable name distributed storage method based on a CNFS protocol, which comprises the following processes:
step 100, an uploading user node generates CNFS node information based on a file system of the CNFS protocol, which comprises the following steps 101 to 103:
step 101, when the uploading user node accesses the file system based on the CNFS protocol for the first time, the uploading user node loads an access agent module, and the agent module sends a user authentication request to a super node;
step 102, the super node judges from the user authentication request whether the uploading user node is a legitimate node; after judging that it is legitimate, the super node checks whether the uploading user node has completed registration in the server module of the super node; if registration has not been completed, step 103 is carried out; if the uploading user node is already registered, the user node is allowed to log in;
step 103, the uploading user node generates CNFS node information from its unique identifier;
step 200, the uploading user node allocates a variable namespace, takes the previously generated node information as an address name, adds a domain name to a domain name server system, uploads a file and indexes the file into its own namespace, which comprises the following steps 201 to 203:
step 201, the uploading user node reads its own unique identifier and searches the local storage for mapping data about the unique identifier; if the search succeeds, it updates the serial number of the mapping data, calls the update interface of the routing layer in the file system of the CNFS protocol, and publishes the unique identifier and the route mapping relation to the whole network; if the local search fails, it calls the get method of the routing layer in the file system of the CNFS protocol and searches the whole network for the route mapping data corresponding to the unique identifier; if that search succeeds, it updates the data serial number and broadcasts it to the whole network again; if the whole-network search fails, it creates new mapping data reflecting the relation between the unique identifier and the file hash, and broadcasts the mapping data to the whole network;
step 202, the uploading user node adds a domain name to the domain name server system, so that the uploading user node can access a file object in the file system of the CNFS protocol through the domain name;
step 203, the uploading user node publishes a file in its namespace; the file is signed with the private key of the uploading user node, and the hash of the signed file is mounted under the CNFS path of the file and used as an index;
step 300, the access user node obtains the file object and verifies the authenticity of the object published by the uploading user node by checking whether the signature matches the public key and the uploading user node information, which comprises the following steps 301 to 304:
step 301, the access user node initiates a content access request to the uploading user node, and the uploading user node sends its original public key to the access user node;
step 302, after receiving the original public key of the uploading user node, the access user node sends its own public key to the uploading user node, randomly generates two access public keys, encrypts the two access public keys with the public key of the uploading user node, and transmits the encrypted data to the uploading user node;
step 303, after receiving the encrypted access public keys, the uploading user node decrypts the two access public keys with its own private key, randomly generates another two service public keys, encrypts the two service public keys with the initial public key of the access user node, and sends them to the access user node;
step 304, after receiving the encrypted service public keys, the access user node decrypts them with its own private key; after successful decryption, the data transmitted by either party is signed each time, and each party sends the signature to the other together with the data to be sent; the access user node verifies the authenticity of the object published by the uploading user node by checking whether the signature matches the public key and the uploading user node information;
step 400, the access user node resolves the data hash value published under the uploading user node's namespace and sends a download request for that data hash to the storage node, which comprises the following steps 401 to 404:
step 401, the access user node queries the mapping data of the uploading user node from its local cache and caches the mapping data in the local cache;
step 402, if the cache lookup fails, the access user node sends a network get request to the routing layer of the file system of the CNFS protocol;
step 403, after the access user node has successfully obtained the mapping data of the uploading user node through the local and network queries, the application layer receives the file hash value of the uploading user node; the access user node accesses the specific data content of the uploading user node through the hash value;
step 404, after receiving the hash value of the specific file of the uploading user node, the access user node looks up the storage location of the file hash from the super node through the distributed storage network; the super node checks the file hash and then sends the storage location to the access user node, and the access user node sends a download request to the storage node.
Further, when the private key of the uploading user node is leaked, the uploading user node sends a key revocation instruction to all other user nodes; after receiving the key revocation instruction, the other user nodes revoke the address and path corresponding to the instruction and forbid access.
In the self-verification variable name distributed storage method based on the CNFS protocol provided by the invention, the user node calls a proxy module to send an authentication request to the super node for checking and verification. After passing verification for the first time, the user node generates a unique identifier as its node information, and the super node can decide whether new users are admitted by continuously modifying the authentication protocol. The CNFS protocol allocates a namespace to the user node and uses the unique identifier as the named address. To publish a new file object in the CNFS network, the uploading user node first looks up the mapping relation of the unique identifier in local storage or in the distributed hash table of the network, then calls the routing layer methods of the CNFS protocol to update the mapping relation and broadcast it to the whole network. The user can choose to add its hash address to the DNS system using the DNSLink method, so that other user nodes can access the uploading user node's namespace through the domain name. The new file object is signed with the uploading user's private key, and the protocol mounts the file object in the user's namespace. When the access user node obtains a file object published by the uploading user node, it checks whether the signature matches the public key and node information of the uploading user node, thereby verifying the authenticity of the published object. When exchanging data, the uploading user node and the access user node exchange keys and then generate the signatures of both parties using the secure hash function, so that the two parties form an encrypted secure channel.
After the signatures of both parties are formed, the access user node resolves the hash data under the unique identifier of the uploading user node's namespace: it obtains the mapping relation of the unique identifier from its local cache or by sending a network request to the routing layer; once the file hash data has been obtained successfully, it obtains the specific data content under the unique identifier of the uploading user node and downloads the specific data by sending a download request to the storage node.
The invention makes it possible to construct self-authenticating names in a global namespace in an encrypted environment. By mounting the file hash under the unique identifier in the user's namespace in a self-verifying manner, it removes the network redundancy caused by synchronizing hash information in the Merkle directed acyclic graph on every modification, which arises because updating a file changes its hash. At the same time, the DNSLink technique improves the file path and thus user-friendliness. Providing user authentication and self-authenticating user key revocation instructions prevents malicious users from being directed to the wrong file server. The invention can be used in the naming layer of the CNFS protocol and provides technical support for it, effectively reducing network burden and improving system scalability and security. It reduces network communication cost and keeps names fixed in an environment where data object contents change, so that the protocol can construct variable self-authenticating names in an encrypted environment and a global namespace.
Drawings
FIG. 1 is a flowchart of an implementation of a self-verification variable name distributed storage method based on a CNFS protocol according to the present invention;
FIG. 2 is a block diagram of a file system of the CNFS protocol;
FIG. 3 is a flowchart of an implementation of step 100;
FIG. 4 is a flowchart of an implementation of step 200;
FIG. 5 is a flowchart of an implementation of step 300;
FIG. 6 is a flowchart of an implementation of step 400;
FIG. 7 is a flowchart of the process when the private key of the uploading user node is compromised.
Detailed Description
In order to make the technical problems solved, technical solutions adopted and technical effects achieved by the present invention clearer, the present invention is further described in detail below with reference to the accompanying drawings and embodiments. It is to be understood that the specific embodiments described herein are merely illustrative of the invention and are not limiting of the invention. It should be further noted that, for the convenience of description, only some but not all of the relevant aspects of the present invention are shown in the drawings.
FIG. 1 is a flowchart of an implementation of a self-verification variable name distributed storage method based on the CNFS protocol according to the present invention. As shown in FIG. 1, the self-verification variable name distributed storage method based on the CNFS protocol provided in an embodiment of the present invention includes:
Step 100, an uploading user node generates CNFS node information based on a file system of the CNFS protocol.
In this embodiment, the uploading user node is represented by user node A. FIG. 2 is a block diagram of a file system of the CNFS protocol. As shown in FIG. 2, the file system based on the CNFS protocol includes a super node, a storage node and a plurality of user nodes. The user nodes are the users' CNFS clients; they perform user functions such as caching route mappings, uploading files, allocating namespaces, downloading files and user verification, and are the entry point through which users use the system. In this embodiment, a user node that uploads files is referred to as an uploading user node, and a user node that accesses and downloads files is referred to as an access user node. The super node is the key link through which the CNFS protocol provides semi-centralized distributed storage; it is responsible for functions such as using a blockchain to store metadata in order to audit data. In the invention, the super node is responsible for user verification, and the agent module of the user node interacts with the super node to complete user verification; the super node also completes addressing according to the user's download request for a content hash and provides the address to the user node. The storage nodes are responsible for storing the file blocks and the file hash table in a distributed manner and for providing downloads. The hash table stores the hash values of all file blocks of the node to implement the file block position index.
As shown in FIG. 3, step 100 includes the following steps 101 to 103:
Step 101, when the uploading user node accesses the file system based on the CNFS protocol for the first time, the uploading user node loads an access agent module (Agent module), and the agent module sends a user authentication request to the super node.
Step 102, the super node judges from the user authentication request whether the uploading user node A is a legitimate node; after judging that it is legitimate, the super node checks whether the uploading user node A has completed registration in the server module of the super node; if registration has not been completed, step 103 is carried out; if the uploading user node A has completed registration, the user node is allowed to log in.
In this step, whether the uploading user node A is a legitimate node is judged by the anonymous examination method of the super node; if the uploading user node A is judged to be an illegitimate node, its request is rejected.
Step 103, the uploading user node A generates the CNFS node information from its unique identifier.
In this embodiment, the hash value of the public key of the uploading user node A is used as the unique identifier, and is represented as node id hash (node.
Step 200, the uploading user node A allocates a variable namespace, takes the previously generated node information as an address name, adds a domain name to a Domain Name Server (DNS) system, uploads a file and indexes the file into its own namespace. Step 200 comprises the following steps 201 to 203:
Step 201, the uploading user node A reads its own unique identifier (NodeID) and searches the local storage for mapping data about the unique identifier; if the search succeeds, it updates the serial number of the mapping data, calls the update (PutValue) interface of the routing layer in the file system of the CNFS protocol, and publishes the unique identifier and the route mapping relation to the whole network; if the local search fails, it calls the get (GetValue) method of the routing layer in the file system of the CNFS protocol and searches the whole network for the route mapping data corresponding to the unique identifier, and if that search succeeds it updates the data serial number and broadcasts it to the whole network again; if the whole-network search fails, it calls the reset (SetValue) method, creates new mapping data reflecting the relation between the unique identifier and the file hash, and broadcasts the mapping data to the whole network.
In a file system of the CNFS protocol, the mapping data is a hash-table mapping that reflects the relation between the unique identifier and the file hash.
Step 202, the uploading user node A adds a domain name to the Domain Name Server (DNS) system, so that it can access a file object in the file system of the CNFS protocol through the domain name.
In this step, domain-name addressing replaces hash addressing: the cumbersome hash-value address is converted into a more user-friendly domain-name address, and the domain-name address resolves to the same IP address.
As shown in FIG. 4, in steps 201 to 202 the unique identifier is used to allocate an address to the user. To reduce network load, the route mapping data is first searched locally; if that search fails, the mapping relation is searched for across the whole network; if that search fails as well, the route mapping is reset. After the mapping relation is updated, the DNSLink function can optionally be used to add a domain name, selecting a domain name or IP address that is not easy for the user to memorize.
Step 203, the uploading user node A publishes a file in its namespace; the file is signed with the private key of the uploading user node, the hash of the signed file is mounted under the CNFS path of the uploading user node, and the hash is used as an index.
The CNFS path is, for example: Cnfs/vXCBsf 7afas9adsf79asd 7/.
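Steps 201 and 203 keep the name (the hash of the public key) fixed while the file hash it maps to changes under a rising serial number. The following Go program is an added example, not code from the patent: Ed25519, SHA-256, the record layout, signing the (serial number, file hash) mapping instead of the file bytes, the names `NameRecord`, `Publish`, `Resolver` and `DemoKey`, and the rule that an older serial number is refused are all assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
)

// NameRecord is the mutable mapping published under a fixed NodeID.
// The field layout is an assumption of this example.
type NameRecord struct {
	PubKey   ed25519.PublicKey // lets any reader check the record by itself
	FileHash []byte            // content hash the name currently points to
	Seq      uint64            // serial number, raised on every update
	Sig      []byte            // signature over Seq and FileHash
}

var (
	ErrWrongKey = errors.New("public key does not hash to the requested NodeID")
	ErrBadSig   = errors.New("signature does not match the public key")
	ErrStale    = errors.New("serial number is not newer than the cached record")
)

// NodeID is the fixed name: the hash of the uploader's public key.
func NodeID(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:])
}

// DemoKey derives a constructed, repeatable key pair from a label (demo only).
func DemoKey(label string) ed25519.PrivateKey {
	seed := sha256.Sum256([]byte(label))
	return ed25519.NewKeyFromSeed(seed[:])
}

// signedBytes is the exact byte string the signature covers.
func signedBytes(fileHash []byte, seq uint64) []byte {
	buf := make([]byte, 8, 8+len(fileHash))
	binary.BigEndian.PutUint64(buf, seq)
	return append(buf, fileHash...)
}

// Publish hashes the content and signs (seq, hash) with the uploader's key.
func Publish(priv ed25519.PrivateKey, content []byte, seq uint64) NameRecord {
	h := sha256.Sum256(content)
	return NameRecord{
		PubKey:   priv.Public().(ed25519.PublicKey),
		FileHash: h[:],
		Seq:      seq,
		Sig:      ed25519.Sign(priv, signedBytes(h[:], seq)),
	}
}

// Resolver is an access node's local cache of verified records per NodeID.
type Resolver struct{ cache map[string]NameRecord }

func NewResolver() *Resolver { return &Resolver{cache: map[string]NameRecord{}} }

// Accept checks a record fetched for nodeID and caches it only if it passes.
func (r *Resolver) Accept(nodeID string, rec NameRecord) error {
	// 1. The key must be the one the name was derived from.
	if len(rec.PubKey) != ed25519.PublicKeySize || NodeID(rec.PubKey) != nodeID {
		return ErrWrongKey
	}
	// 2. The mapping must be signed by that key.
	if !ed25519.Verify(rec.PubKey, signedBytes(rec.FileHash, rec.Seq), rec.Sig) {
		return ErrBadSig
	}
	// 3. Assumption of this example: older serial numbers are refused.
	if old, ok := r.cache[nodeID]; ok && rec.Seq <= old.Seq {
		return ErrStale
	}
	r.cache[nodeID] = rec
	return nil
}

// Resolve returns the hex file hash currently bound to nodeID.
func (r *Resolver) Resolve(nodeID string) (string, bool) {
	rec, ok := r.cache[nodeID]
	return hex.EncodeToString(rec.FileHash), ok
}

func main() {
	uploader := DemoKey("uploader-A") // constructed sample key
	v1 := Publish(uploader, []byte("report, first version"), 1)
	v2 := Publish(uploader, []byte("report, second version"), 2)
	id := NodeID(v1.PubKey)
	r := NewResolver()
	for _, rec := range []NameRecord{v1, v2, v1} {
		err := r.Accept(id, rec)
		h, _ := r.Resolve(id)
		fmt.Printf("seq=%d err=%v name=%s... -> file=%s...\n", rec.Seq, err, id[:12], h[:12])
	}
}
```

Only the small signed record has to be rebroadcast when the file changes; the name that other nodes hold stays the same.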
Step 300, the access user node obtains the file object and verifies the authenticity of the object published by uploading user node A by checking whether the signature matches the public key and the information of uploading user node A.
In this embodiment, the access user node is denoted user node B.
Step 301, access user node B initiates a content access request to uploading user node A, and uploading user node A sends its original public key to access user node B.
Step 302, after receiving the original public key of uploading user node A, access user node B sends its own public key to uploading user node A, randomly generates two access public keys, encrypts the two access public keys with the public key of uploading user node A, and transmits the encrypted data to uploading user node A.
The two access public keys are denoted C1 and C2.
Step 303, after receiving the encrypted access public keys, uploading user node A decrypts the two access public keys C1 and C2 with its own private key, randomly generates two further service public keys S1 and S2, encrypts S1 and S2 with the initial public key of access user node B, and sends the encrypted service public keys to access user node B.
Step 304, after receiving the encrypted service public keys, access user node B decrypts them with its own private key. Once decryption succeeds, the data transmitted by both parties is signed each time, and each party sends the signature to the other together with the data to be sent. Access user node B verifies the authenticity of the object published by uploading user node A by checking whether the signature matches the public key and the information of uploading user node A.
Specifically, before each data transmission, SHA-1 (Secure Hash Algorithm 1) is used to sign the file object data to be transmitted. When access user node B sends to uploading user node A, the signature is computed with the following formula:
Session-C = SHA-1("C-S", Pub-S, Pub-S1, Pub-C, Pub-C1)
When uploading user node A sends to access user node B, the signature is computed with the following formula:
Session-S = SHA-1("S-C", Pub-S, Pub-S2, Pub-C, Pub-C2)
In this embodiment, the client checks whether the signature matches the public key and the node information, which prevents malicious nodes from modifying or corrupting the data. In the signature, Pub-S is the public key of uploading user node A, and Pub-C is the public key of access user node B.
The purpose of this step is for access user node B to verify the identity of uploading user node A. As shown in fig. 5, a secure channel is established: after a user initiates a content access request to the data owner, uploading user node A, uploading user node A first sends its public key to access user node B. Uploading user node A and access user node B then exchange two pairs of random public keys; the exchange is encrypted with both parties' public keys, and after receipt each party decrypts with its own private key to obtain the plaintext. The exchanged random public keys are used for signing, and both parties must send the signatures during data transmission to ensure communication security.
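The two session values from the formulas above, computed for both directions, as an added example that is not part of the patent text. The byte encoding of the hash input (length-prefixed fields), the `SessionKeys` class and the sample key bytes are assumptions; the page gives only the field order.

```python
import hashlib
import hmac
from dataclasses import dataclass, replace


def encode_fields(*fields: bytes) -> bytes:
    # Assumption: a 4-byte big-endian length precedes every field, so that
    # ("ab", "c") and ("a", "bc") never produce the same hash input.
    return b"".join(len(f).to_bytes(4, "big") + f for f in fields)


@dataclass(frozen=True)
class SessionKeys:
    pub_s: bytes   # Pub-S: public key of uploading user node A
    pub_c: bytes   # Pub-C: public key of access user node B
    pub_s1: bytes  # S1, S2: random service keys generated by A (step 303)
    pub_s2: bytes
    pub_c1: bytes  # C1, C2: random access keys generated by B (step 302)
    pub_c2: bytes

    def session_c(self) -> bytes:
        # Session-C = SHA-1("C-S", Pub-S, Pub-S1, Pub-C, Pub-C1), sent B -> A
        return hashlib.sha1(encode_fields(
            b"C-S", self.pub_s, self.pub_s1, self.pub_c, self.pub_c1)).digest()

    def session_s(self) -> bytes:
        # Session-S = SHA-1("S-C", Pub-S, Pub-S2, Pub-C, Pub-C2), sent A -> B
        return hashlib.sha1(encode_fields(
            b"S-C", self.pub_s, self.pub_s2, self.pub_c, self.pub_c2)).digest()

    def verify(self, direction: str, received: bytes) -> bool:
        expected = {"C-S": self.session_c, "S-C": self.session_s}[direction]()
        return hmac.compare_digest(expected, received)  # constant-time compare


# Constructed sample values standing in for real encoded public keys.
SAMPLE = SessionKeys(pub_s=b"A-longterm", pub_c=b"B-longterm",
                     pub_s1=b"A-rand-1", pub_s2=b"A-rand-2",
                     pub_c1=b"B-rand-1", pub_c2=b"B-rand-2")


def demo() -> dict:
    sent_by_b = SAMPLE.session_c()
    # A peer whose view of Pub-S differs (for example a substituted key).
    other_view = replace(SAMPLE, pub_s=b"other-node")
    return {
        "b_to_a_accepted": SAMPLE.verify("C-S", sent_by_b),
        "replayed_as_a_to_b": SAMPLE.verify("S-C", sent_by_b),
        "substituted_pub_s": other_view.verify("C-S", sent_by_b),
    }


if __name__ == "__main__":
    print(demo())
```

SHA-1 is used because the page names it; its collision resistance is broken, and substituting `hashlib.sha256` changes only the two hash calls.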
Step 400, access user node B parses the data hash value published under the namespace of uploading user node A, and initiates a download request corresponding to the data hash to the storage node.
Step 401, access user node B queries the mapping data of uploading user node A from the local cache, and caches the mapping data in the local cache.
In this step, once uploading user node A has successfully allocated the variable namespace, uploaded the file and indexed it into its own namespace, access user node B enters the CNFS network, looks up the mapping data of uploading user node A in the local cache and caches the mapping data there. Reading the mapping data from the local cache first each time effectively reduces network access cost.
Step 402, if the cache lookup fails, the access user node B initiates a network acquisition request to the file system routing layer of the CNFS protocol.
Step 403, after access user node B successfully obtains the mapping data of uploading user node A through local and network queries, the application layer receives the file hash value of uploading user node A. Access user node B can access the specific data content of uploading user node A through the hash value.
Step 404, after receiving the hash value of the specific file of uploading user node A, access user node B looks up the storage location of the file hash from the super node through the distributed storage network. The super node checks the hash of the file and then sends the storage location to access user node B, and user node B sends a download request to the storage node.
As shown in fig. 6, access user node B first searches for the file mapping data in the local cache. If the local search fails, it initiates a network request to the routing layer and obtains the file hash value of uploading user node A by using the GetValue method; access user node B can then initiate a download request to the storage node using that hash value.
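The lookup order of step 201 and steps 401 to 403 (local first, then the routing layer), as an added example rather than the patent's own code. `RoutingLayer`, `Node`, `Mapping` and the rule that a record with a lower or equal serial number is rejected are assumptions; only the name GetValue comes from the page.

```python
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class Mapping:
    node_id: str    # unique identifier of the uploading user node
    file_hash: str  # hash published under that node's namespace
    seq: int        # serial number, incremented on every update


class RoutingLayer:
    """In-memory stand-in for the whole-network routing layer."""

    def __init__(self) -> None:
        self._records: Dict[str, Mapping] = {}

    def get_value(self, node_id: str) -> Optional[Mapping]:
        return self._records.get(node_id)

    def put_value(self, m: Mapping) -> bool:
        # Assumption: only a strictly newer serial number replaces a record,
        # so a replayed old mapping cannot roll the namespace back.
        current = self._records.get(m.node_id)
        if current is not None and m.seq <= current.seq:
            return False
        self._records[m.node_id] = m
        return True


class Node:
    def __init__(self, routing: RoutingLayer) -> None:
        self.routing = routing
        self.local: Dict[str, Mapping] = {}
        self.network_lookups = 0

    def _lookup(self, node_id: str) -> Optional[Mapping]:
        found = self.local.get(node_id)          # local search first
        if found is None:
            self.network_lookups += 1            # fall back to the network
            found = self.routing.get_value(node_id)
        return found

    def publish(self, node_id: str, file_hash: str) -> Mapping:
        # Step 201: bump the serial number of a known mapping, or create a
        # new mapping when both searches fail, then publish it network-wide.
        known = self._lookup(node_id)
        m = Mapping(node_id, file_hash, known.seq + 1 if known else 0)
        self.local[node_id] = m
        self.routing.put_value(m)
        return m

    def resolve(self, node_id: str) -> Optional[str]:
        # Steps 401-403: return the file hash and cache the mapping.
        m = self._lookup(node_id)
        if m is None:
            return None
        self.local[node_id] = m
        return m.file_hash
```

Because the cache is consulted first, a node that has already resolved a namespace keeps returning the cached hash after the uploader publishes a new one; the page does not describe cache expiry.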
In addition, when the private key of the uploading user node A is leaked, the uploading user node A sends a key revocation instruction to all other user nodes; and after receiving the key revocation instruction, the other user nodes revoke the address and the path corresponding to the key revocation instruction and forbid access.
The form of the key revocation instruction is as follows:
RevokeMessage={“Pathrevoke”,NodeId,Pub_key,NULL}||Secret_key
Here, RevokeMessage represents the key revocation instruction, Pathrevoke is a constant field, NodeId is the self-verification path whose key is to be revoked, and Pub_key and Secret_key are the public key and the private key to be revoked.
As shown in fig. 7, when the private key of the uploading user node is compromised, the private key, the public key and the unique identifier may be broadcast together to the whole network; after receiving the revocation instruction, other user nodes are prohibited from accessing the revoked address. Meanwhile, the uploading user node continuously has its agent module check whether its previous self-verification path has been revoked. This prevents the original self-verification file path from being wrongly located in an attacker's namespace.
Finally, it should be noted that: the above embodiments are only used to illustrate the technical solution of the present invention, and not to limit the same; while the invention has been described in detail and with reference to the foregoing embodiments, it will be understood by those skilled in the art that: modifications of the technical solutions described in the embodiments or equivalent replacements of some or all technical features may be made without departing from the scope of the technical solutions of the embodiments of the present invention.

Claims (2)

1. A self-verification variable name distributed storage method based on a CNFS protocol is characterized by comprising the following processes:
step 100, the uploading user node generates CNFS node information based on a file system of the CNFS protocol, comprising the following steps 101 to 103:
step 101, when an uploading user node accesses a file system based on a CNFS protocol for the first time, the uploading user node loads an access agent module, and the agent module sends an authentication user request to a super node;
step 102, the super node judges whether the uploading user node is a legal node according to the authentication user request, after judging that the uploading user node is legal, whether the uploading user node completes registration in a server module of the super node is checked, if the uploading user node does not complete registration, step 103 is carried out; if the uploading user node is registered, allowing the user node to log in;
step 103, the uploading user node generates CNFS node information from its unique identifier;
step 200, the uploading user node allocates a variable namespace, takes the previously generated node information as an address name, adds a domain name to a domain name server system, uploads a file and indexes the file to the own namespace, and the method comprises the following steps 201 to 203:
step 201, an uploading user node reads a unique identifier of the uploading user node, and searches mapping data about the unique identifier in a local storage; if the searching is successful, updating the serial number of the mapping data, calling an updating interface of a routing layer in a file system of a CNFS protocol, and issuing the unique identifier and the routing mapping relation to the whole network; if the local search fails, calling an acquisition method of a routing layer in a file system of a CNFS protocol, searching route mapping data corresponding to the unique identifier from the whole network, and if the search succeeds, updating a data serial number and broadcasting the data serial number to the whole network again; if the whole network searching fails, newly establishing mapping data reflecting the unique identification and the file hash relation, and broadcasting the mapping data to the whole network;
step 202, adding a domain name to a domain name server system by an uploading user node, so that the uploading user node can access a file object in a file system of a CNFS protocol through the domain name;
step 203, the uploading user node distributes files in the name space, the files are signed by the private key of the uploading user node, the hash of the signed files is mounted under the CNFS path of the file, and the hash is used as an index;
step 300, the access user node obtains the file object, and verifies the authenticity of the published object of the uploading user node by detecting whether the signature is matched with the public key and the uploading user node information, including the following steps 301 to 304:
step 301, the access user node initiates a content access request to the uploading user node, and the uploading user node sends its original public key to the access user node;
step 302, after receiving the original public key of the uploading user node, the access user node sends the own public key to the uploading user node, randomly generates two access public keys, encrypts the two access public keys by using the public key of the uploading user node, and transmits the encrypted data to the uploading user node;
step 303, after receiving the encrypted access public key, the uploading user node decrypts the two access public keys by using the private key of the uploading user node, simultaneously randomly generates another two service public keys, encrypts the two service public keys by using the initial public key of the accessing user node, and sends the two service public keys to the accessing user node;
step 304, after receiving the encrypted service public key, the access user node decrypts by using its own private key, signs the data transmitted by both parties each time after the decryption is successful, and both parties send the signature to the other party together with the data to be sent; the access user node verifies the authenticity of the published object of the uploading user node by detecting whether the signature is matched with the public key and the uploading user node information;
step 400, the access user node parses the data hash value published under the namespace of the uploading user node, and initiates a download request corresponding to the data hash to the storage node, including the following steps 401 to 404:
step 401, the access user node queries the mapping data of the uploading user node from a local cache and caches the mapping data in the local cache;
step 402, if the cache search fails, the access user node initiates a network acquisition request to a file system routing layer of the CNFS protocol;
step 403, after the access user node successfully obtains the mapping data of the uploading user node through local and network queries, the application layer receives the file hash value of the uploading user node; the access user node accesses the specific data content of the uploading user node through the hash value;
step 404, after receiving the hash value of the specific file of the uploading user node, the access user node looks up the storage location of the file hash from the super node through the distributed storage network; the super node checks the hash of the file and then sends the storage location to the access user node, and the access user node sends a download request to the storage node.
2. The CNFS protocol-based self-authentication variable name distributed storage method according to claim 1, wherein when a private key of the uploading user node is leaked, the uploading user node sends a key revocation instruction to all other user nodes; and after receiving the key revocation instruction, the other user nodes revoke the address and the path corresponding to the key revocation instruction and forbid access.
CN202011200979.9A 2020-11-02 2020-11-02 Self-verification variable name distributed storage method based on CNFS protocol Active CN112291356B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011200979.9A CN112291356B (en) 2020-11-02 2020-11-02 Self-verification variable name distributed storage method based on CNFS protocol

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202011200979.9A CN112291356B (en) 2020-11-02 2020-11-02 Self-verification variable name distributed storage method based on CNFS protocol

Publications (2)

Publication Number Publication Date
CN112291356A CN112291356A (en) 2021-01-29
CN112291356B true CN112291356B (en) 2022-01-04

Family

ID=74353296

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202011200979.9A Active CN112291356B (en) 2020-11-02 2020-11-02 Self-verification variable name distributed storage method based on CNFS protocol

Country Status (1)

Country Link
CN (1) CN112291356B (en)


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant