CN112784314B - Data integrity detection method and device, electronic equipment and storage medium - Google Patents


Publication number
CN112784314B
Authority
CN
China
Prior art keywords
data
owner
anonymous
authenticator
file
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202110113654.5A
Other languages
Chinese (zh)
Other versions
CN112784314A (en)
Inventor
沈文婷
盖超
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Qingdao University
Original Assignee
Qingdao University
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Qingdao University
Priority to CN202110113654.5A
Publication of CN112784314A
Application granted
Publication of CN112784314B
Legal status: Active

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/64 Protecting data integrity, e.g. using checksums, certificates or signatures
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/602 Providing cryptographic facilities or services
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • G06F21/6245 Protecting personal data, e.g. for financial or medical purposes
    • G06F21/6254 Protecting personal data, e.g. for financial or medical purposes by anonymising data, e.g. decorrelating personal data from the owner's identification
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2107 File encryption

Abstract

The invention discloses a data integrity detection method, which comprises the following steps: the key generation center generates first anonymous data for an original owner of the data and generates second anonymous data for a new owner of the data; the original data owner generates an aggregated file authenticator by using the first anonymous data and sends the aggregated file authenticator to the cloud server; the original data owner transfers the file data stored in the cloud server to the new data owner; the original data owner and the new data owner generate a data conversion value for the third-party data verifier by using the first anonymous data and the second anonymous data; and the third-party data verifier and the cloud server perform data integrity detection on the file data by using the aggregated file authenticator and the data conversion value. The invention uses the aggregated file authenticator to detect data integrity, which ensures that the detection is not affected by the volume of file data and improves the detection efficiency. The invention also provides a data integrity detection device, electronic equipment and a storage medium, which have the same beneficial effects.

Description

Data integrity detection method and device, electronic equipment and storage medium
Technical Field
The present invention relates to the field of data integrity detection, and in particular, to a data integrity detection method and apparatus, an electronic device, and a storage medium.
Background
User data is an important driver of the operation and development of many enterprises, and is an important and sensitive enterprise asset. In scenarios such as a company acquisition, user data may be transferred; to ensure the integrity of the user data in this case, it is important to perform data integrity detection on the data before and after the transfer.
In the related art, data integrity detection supporting data transfer relies on an authenticator for each data block. Because the number of users in a real scenario is large, the volume of user data is large and a large number of data blocks are generated. If data integrity detection is performed with the authenticator of every data block, the amount and difficulty of computation increase significantly, which makes data integrity detection inconvenient.
Disclosure of Invention
The invention aims to provide a data integrity detection method, a data integrity detection device, electronic equipment and a storage medium.
In order to solve the above technical problem, the present invention provides a data integrity detection method, including:
the key generation center generates first anonymous data for an original owner of the data and generates second anonymous data for a new owner of the data;
the original data owner generates an aggregated file authenticator by using the first anonymous data and sends the aggregated file authenticator to a cloud server;
the original data owner transfers the file data stored in the cloud server to the new data owner;
the original data owner and the new data owner generate a data conversion value for a third-party data verifier by using the first anonymous data and the second anonymous data;
and the third-party data verifier and the cloud server perform data integrity detection on the file data by using the aggregated file authenticator and the data conversion value.
Optionally, the third-party data verifier and the cloud server perform data integrity detection on the file data by using the aggregated file authenticator and the data conversion value, including:
the third-party data verifier generates challenge data and sends the challenge data to the cloud server;
The cloud server receives the challenge data and generates verification data by using the challenge data and the aggregated file authenticator;
the cloud server sends the verification data to the third party data verifier;
and the third-party data verifier receives the verification data and performs data integrity detection on the file data by using the verification data and the data conversion value.
Optionally, the generating verification data by using the challenge data and the aggregated file authenticator includes:
the cloud server generates initial verification data by using the challenge data and the aggregated file authenticator;
and the cloud server carries out random masking operation on the initial verification data and generates the verification data by using the randomly masked initial verification data.
Optionally, the third-party data verifier receives the verification data and performs data integrity detection on the file data by using the verification data and the data conversion value, including:
the third-party data verifier judges whether the file data is transferred or not;
if so, performing first data integrity detection on the file data by using the verification data and the data conversion value;
And if not, performing second data integrity detection on the file data by using the verification data.
Optionally, the generating, by the original data owner and the new data owner, a data conversion value for a third-party data verifier by using the first anonymous data and the second anonymous data includes:
the original data owner generates first auxiliary information and intermediate data by using a first secret key in the first anonymous data, sends the first auxiliary information to the third-party data verifier, and sends the intermediate data to the new data owner;
the new data owner receives the intermediate data, generates second auxiliary information by using the intermediate data and the second anonymous data, and sends the second auxiliary information to the third-party data verifier;
the third-party data verifier receives the first auxiliary information and the second auxiliary information, and generates the data conversion value using the first auxiliary information and the second auxiliary information.
Optionally, the generating, by the key generation center, first anonymous data for an original owner of the data, and second anonymous data for a new owner of the data, includes:
the key generation center generates a master key and a preset number of cryptographic hash functions, and system parameters are determined by using the cryptographic hash functions;
the key generation center generates the first anonymous data by using first identity data of the original data owner, the master key and the system parameters;
the key generation center generates the second anonymous data by using second identity data of the new owner of the data, the master key and the system parameter.
Optionally, the original data owner generates an aggregated file authenticator by using the first anonymous data, including:
the original data owner divides data stored in the cloud server into a preset number of data blocks;
and the original data owner generates an initial authenticator for each data block by using the first key in the first anonymous data, and generates the aggregated file authenticator by using the initial authenticator and the corresponding data block information.
The invention also provides a data integrity detection device comprising a unit for executing the data integrity detection method.
The present invention also provides an electronic device comprising:
A memory for storing a computer program;
a processor for implementing the data integrity detection method as described above when executing the computer program.
The invention also provides a storage medium, wherein the storage medium stores computer-executable instructions, and when the computer-executable instructions are loaded and executed by a processor, the data integrity detection method is realized.
The invention provides a data integrity detection method, which comprises the following steps: the key generation center generates first anonymous data for an original owner of the data and generates second anonymous data for a new owner of the data; the original data owner generates an aggregated file authenticator by using the first anonymous data, and sends the aggregated file authenticator to a cloud server; the original data owner transfers the file data stored in the cloud server to the new data owner; the original data owner and the new data owner generate data conversion values for a third-party data verifier by using the first anonymous data and the second anonymous data; and the third-party data verifier and the cloud server perform data integrity detection on the file data by using the aggregated file authenticator and the data conversion value.
Therefore, before data transfer, the original data owner of the invention generates a unified aggregated file authenticator for the file data. Existing schemes use one authenticator per data block, so the third-party data verifier needs to check and convert every authenticator when verifying data integrity, and the cost of existing data integrity detection grows with the size of the file data. In the invention, the aggregated file authenticator generated by the original data owner is a unified authenticator for the file data, and the third-party data verifier and the cloud server only need to use the aggregated file authenticator to perform a single data integrity detection. The data integrity detection is therefore not affected by the volume of file data, which reduces the computation required and improves the detection efficiency. The invention also provides a data integrity detection device, electronic equipment and a storage medium, which have the same beneficial effects.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, it is obvious that the drawings in the following description are only embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to the provided drawings without creative efforts.
FIG. 1 is a flow chart of data integrity detection according to an embodiment of the present invention;
FIG. 2 is a schematic diagram of a hardware framework for data integrity detection according to an embodiment of the present invention;
FIG. 3 is a block diagram of a data integrity detection apparatus according to an embodiment of the present invention;
FIG. 4 is a block diagram of a key generation center according to an embodiment of the present invention;
FIG. 5 is a block diagram of an original data owner according to an embodiment of the present invention;
FIG. 6 is a block diagram of a new owner of data according to an embodiment of the present invention;
FIG. 7 is a block diagram of a third-party data verifier according to an embodiment of the present invention;
FIG. 8 is a block diagram of a cloud server according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are some, but not all, embodiments of the present invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
In the related technology, data integrity detection supporting data transfer is performed by using an authenticator of each data block, and a third-party data verifier determines integrity of the data blocks by verifying the authenticator, thereby determining integrity of all file data. Because the file data volume of the user is huge in an actual application scene, and a large number of data blocks are generated in data migration, when data integrity detection is carried out, a third-party data verifier faces a large number of authenticator calculation and conversion processes, and the detection efficiency of the data integrity is further reduced. In view of this, embodiments of the present invention provide a data integrity detection method, which can use a unified aggregated file authenticator to represent all file data, thereby reducing complexity of data integrity detection and improving detection efficiency. To solve the above problem, please refer to fig. 1, in which fig. 1 is a flowchart of a data integrity detection method according to an embodiment of the present invention, the method may include:
S101, the key generation center generates first anonymous data for an original data owner and generates second anonymous data for a new data owner.
It can be understood that user data is important and sensitive data, and in order to avoid the problem of data leakage, both the original owner of the data and the new owner of the data should use anonymous data for data transfer; meanwhile, in order to ensure the identity of anonymous data and facilitate the encryption and decryption work, in the embodiment of the invention, the same key generation center is adopted to generate the anonymous data for the original owner of the data and the new owner of the data, so that the original owner of the data and the new owner of the data can transfer the data in an anonymous state.
It should be noted that, in the embodiment of the present invention, specific contents included in the first anonymous data and the second anonymous data are not limited, and for example, the first anonymous data and the second anonymous data may include authentication information, identity information, or key information corresponding to a data owner, or a combination of multiple kinds of anonymous information of the data owner may be included in the first anonymous data and the second anonymous data, and a user may set the contents according to actual application requirements. In the embodiment of the invention, in order to facilitate data encryption or data decryption by a data owner, anonymous data can contain a key; secondly, in order to facilitate the data owner to identify the identity of the data owner, the anonymous data may further include identity information corresponding to the data owner. It should be noted that, the embodiment of the present invention does not limit the specific form of the key and the identity information, as long as the application requirements can be met, and the user may refer to the related technology.
Further, the embodiments of the present invention do not limit the hardware content and hardware structure of the key generation center, as long as the key generation center can generate the first anonymous data and the second anonymous data according to some encryption protection protocol or encryption rule. The embodiment of the present invention also does not limit which technology the key generation center uses to generate the first anonymous data and the second anonymous data; for example, digital certificate technology may be used, or identity-based cryptography may be used, where identity-based cryptography is a technology that uses a user's identification information to generate a key. Because certificate management is more complicated and identity-based cryptography simplifies the generation of anonymous information, identity-based cryptography can be adopted to generate the anonymous data in the embodiment of the invention. It should be noted that the embodiment of the present invention does not limit the process of generating anonymous information with identity-based cryptography; for example, the key generation center may first generate a master key and system parameters for encryption, and then generate anonymous data by using the master key, the system parameters and the identity data corresponding to the data owner. Other manners may of course be adopted; refer to the related technology of identity-based cryptography for details.
In one possible scenario, the process of the key generation center generating first anonymous data for the original owner of the data and generating second anonymous data for the new owner of the data may include:
step 11: the key generation center generates a master key and a preset number of cryptographic hash functions, and system parameters are determined by the cryptographic hash functions;
step 12: the key generation center generates first anonymous data by using first identity data of an original data owner, a master key and system parameters;
step 13: the key generation center generates second anonymous data by using second identity data of the new owner of the data, the master key and the system parameters.
It should be noted that the embodiment of the present invention is not limited to a specific preset number, as long as the application requirement can be met. The embodiment of the present invention also does not limit the specific master key and the specific cryptographic hash function, as long as the application requirements of the other steps described in the present invention can be met. The embodiment of the invention also does not limit the specific forms of the first identity data and the second identity data, and the user can set the identity data according to the actual application requirements.
Finally, the embodiment of the present invention does not limit the specific hardware content and hardware structure of the original data owner and the new data owner; any device or hardware structure capable of managing user data authority can serve as the original data owner or the new data owner.
The generation process of the anonymous data is explained below with reference to a specific example.
The key generation center first performs an initialization process:
1. Randomly select a bilinear map $e: G_1 \times G_1 \to G_2$, where $G_1$ and $G_2$ are two multiplicative cyclic groups of order $p$, and $g$, $u$ are generators of $G_1$. The key generation center selects five different cryptographic hash functions:
Figure BDA0002919830180000071
Figure BDA0002919830180000072
Figure BDA0002919830180000073
Figure BDA0002919830180000074
$H_3: \{0,1\}^* \to G_1$
where $l$ represents the length of the 0/1 string, and
Figure BDA0002919830180000075
denotes a multiplicative cyclic group.
2. The key generation center selects
Figure BDA0002919830180000076
as the master key and calculates $Y = g^x$. The key generation center finally obtains the following system parameters and ends the initialization process:
$params = (G_1, G_2, e, g, u, Y, h, h_1, H_1, H_2, H_3)$
The key generation center then generates the first anonymous data using the first identity data of the original data owner:
1. The original data owner sends the first identity data $ID_1 \in \{0,1\}^l$ to the key generation center. After receiving it, the key generation center uses the master key $x$ to calculate $\beta_1 = xh(ID_1)$;
2. The key generation center calculates a first anonymous identity for the original data owner:
Figure BDA0002919830180000077
3. The key generation center randomly selects
Figure BDA0002919830180000078
and then calculates the key information of the original data owner:
Figure BDA0002919830180000079
$\sigma_1 = r_1 + xH_2(PID_1, R_1)$;
The key generation center sets $(R_1, \sigma_1)$ as the first key of the original data owner and sends $\{PID_1, (R_1, \sigma_1)\}$ to the original data owner.
4. After receiving $\{PID_1, (R_1, \sigma_1)\}$ from the key generation center, the original data owner can use the equation
Figure BDA00029198301800000710
to verify whether the received first key $(R_1, \sigma_1)$ is correct.
Similarly, the key generation center generates the second anonymous data using the second identity data of the new data owner:
1. The new data owner sends the second identity data $ID_2 \in \{0,1\}^l$ to the key generation center. After receiving it, the key generation center uses the master key $x$ to calculate $\beta_2 = xh(ID_2)$;
2. The key generation center calculates a second anonymous identity for the new data owner:
Figure BDA0002919830180000081
3. The key generation center randomly selects
Figure BDA0002919830180000082
and then calculates the key information of the new data owner:
Figure BDA0002919830180000083
$\sigma_2 = r_2 + xH_2(PID_2, R_2)$;
The key generation center sets $(R_2, \sigma_2)$ as the second key of the new data owner and sends $\{PID_2, (R_2, \sigma_2)\}$ to the new data owner.
4. After receiving $\{PID_2, (R_2, \sigma_2)\}$ from the key generation center, the new data owner can use the equation
Figure BDA0002919830180000084
to verify whether the received second key $(R_2, \sigma_2)$ is correct.
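The key check in step 4 for both owners, as an added Python sketch that is not part of the patent text. The equations for R and for the verification equality are not legible on this page, so the sketch assumes the usual Schnorr-style form R = g^r and g^σ = R · Y^{H_2(PID, R)}, which is consistent with σ = r + xH_2(PID, R) and Y = g^x as given above; a toy group modulo 2^127 - 1 stands in for G_1, and the PID strings and function names are constructed for illustration.

```python
"""Toy check of a KGC-issued key (R, sigma); illustration only, not secure parameters."""
import hashlib
import secrets

# Assumption: the group modulo the Mersenne prime 2^127 - 1 stands in for the
# patent's group G_1; exponents are reduced modulo the group order N = P - 1.
P = 2**127 - 1
N = P - 1
G = 3  # fixed base playing the role of the generator g


def H2(pid: bytes, R: int) -> int:
    """Hash (PID, R) to an exponent, in the role of the hash function H_2."""
    data = len(pid).to_bytes(4, "big") + pid + R.to_bytes(16, "big")
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N


def kgc_setup():
    """Key generation center: pick master key x and publish Y = g^x."""
    x = secrets.randbelow(N - 1) + 1
    return x, pow(G, x, P)


def kgc_issue(x: int, pid: bytes):
    """Issue (R, sigma) for a pseudonym: sigma = r + x * H2(PID, R)."""
    r = secrets.randbelow(N - 1) + 1
    R = pow(G, r, P)  # assumed form of R; the page shows it only as an image
    sigma = (r + x * H2(pid, R)) % N
    return R, sigma


def owner_verify(Y: int, pid: bytes, R: int, sigma: int) -> bool:
    """Owner-side check before the key is used to build authenticators.

    Assumed equality: g^sigma == R * Y^H2(PID, R). Out-of-range values are
    rejected first so malformed input never reaches the hash or the exponent.
    """
    if not (0 < R < P and 0 <= sigma < N):
        return False
    return pow(G, sigma, P) == (R * pow(Y, H2(pid, R), P)) % P


def check_issued_keys() -> dict:
    """Run the check on a valid key and on four corrupted deliveries."""
    x, Y = kgc_setup()
    _, other_Y = kgc_setup()          # parameters of an unrelated KGC
    pid1 = b"PID-original-owner"      # constructed pseudonyms
    pid2 = b"PID-new-owner"
    R, sigma = kgc_issue(x, pid1)
    return {
        "valid": owner_verify(Y, pid1, R, sigma),
        "tampered_sigma": owner_verify(Y, pid1, R, (sigma + 1) % N),
        "wrong_pid": owner_verify(Y, pid2, R, sigma),
        "wrong_kgc": owner_verify(other_Y, pid1, R, sigma),
        "out_of_range_R": owner_verify(Y, pid1, P, sigma),
    }


if __name__ == "__main__":
    for case, accepted in check_issued_keys().items():
        print(f"{case}: {'accepted' if accepted else 'rejected'}")
```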
S102, the original data owner generates an aggregated file authenticator by using the first anonymous data, and sends the aggregated file authenticator to the cloud server.
In the prior art, the authenticator used in the data integrity check is the authenticator of each data block. In an actual application scenario, the user data volume is large, so the volume of data blocks is large. If data integrity detection is performed with the existing per-block authenticators, a large amount of computation is generated, which increases the complexity of data integrity detection and reduces its efficiency. In the embodiment of the invention, a unified aggregated file authenticator is used for data integrity detection. The aggregated authenticator directly represents all data blocks, so no computation needs to be performed on each data block during data integrity detection; the aggregated authenticator is used directly, and the computation overhead is not linearly related to the number of files.
It should be noted that the embodiment of the present invention does not limit the generation manner of the aggregated file authenticator, for example, the aggregated file authenticator may be directly generated by using all data, or the data may be first divided into a plurality of data blocks, an initial authenticator is generated by using the data blocks, and finally the initial authenticator is aggregated to obtain the aggregated file authenticator. In the embodiment of the invention, in order to improve the generation efficiency and the success rate, the data can be firstly divided into the data blocks, the data blocks are used for generating the initial authenticator, and finally the initial authenticator is aggregated to obtain the aggregated file authenticator.
The generation process of the aggregated file authenticator is described below. In one possible scenario, the process of generating an aggregated file authenticator by the original data owner using the first anonymous data may include:
step 21: the original data owner divides data stored in the cloud server into a preset number of data blocks.
It should be noted that the embodiment of the present invention does not limit the specific preset number, and the user may set the preset number according to the actual application requirement. The size of each data block is not limited in the embodiment of the invention, the size is related to the actual data volume and the preset number, and the user can set the size according to the actual application condition.
Step 22: the original data owner generates an initial authenticator for each data block by using the first key in the first anonymous data, and generates an aggregated file authenticator by using the initial authenticators and the corresponding data block information.
The above process is explained below with reference to a specific example. The original data owner first divides the file F with the identifier name into $n$ data blocks, each denoted $m_i$ ($i = 1, \dots, n$). The original data owner uses the first key to generate the corresponding initial authenticator for each data block $m_i$:
Figure BDA0002919830180000091
and aggregates the initial authenticators to obtain the aggregated file authenticator $\{m_i, \sigma_i\}_{i \in [1,n]}$. The original data owner then sends the aggregated file authenticator to the cloud server and sends $R_1$ to the third-party data verifier.
S103, the original data owner transfers the file data stored in the cloud server to the new data owner.
It should be noted that, the embodiments of the present invention do not limit the specific method and process of data transfer, and a user may refer to the related technology of data transfer.
S104, the original data owner and the new data owner generate a data conversion value for the third-party data verifier by using the first anonymous data and the second anonymous data.
In the embodiment of the present invention, since the ownership of the data belongs to the new owner of the data after the transfer, the third-party data verifier is required to perform the conversion calculation on the authenticator by using the first anonymous data and the second anonymous data respectively representing the identities of the original owner of the data and the new owner of the data, so as to obtain the data integrity detection result, and the data conversion value generated by the first anonymous data and the second anonymous data is the data for performing the conversion calculation work.
In one possible case, the process of generating the data conversion value for the third-party data verifier by the original owner of the data and the new owner of the data by using the first anonymous data and the second anonymous data may include:
step 31: the original owner of the data generates first auxiliary information and intermediate data by using a first secret key in the first anonymous data, and sends the first auxiliary information to a third-party data verifier and the intermediate data to a new owner of the data;
step 32: the new data owner receives the intermediate data, generates second auxiliary information by using the intermediate data and the second anonymous data, and sends the second auxiliary information to the third-party data verifier;
step 33: the third-party data verifier receives the first auxiliary information and the second auxiliary information and generates a data conversion value by using the first auxiliary information and the second auxiliary information.
The above calculation process of the data conversion value is explained below with reference to specific examples.
The original data owner randomly selects a parameter from the multiplicative group
Figure BDA0002919830180000101
and uses $\sigma_1$ in the first anonymous data to calculate the first auxiliary information $1/t$ and the intermediate data $t/\sigma_1$. The intermediate data is sent to the new data owner, and the first auxiliary information is sent to the third-party data verifier;
The new data owner receives the intermediate data $t/\sigma_1$ and calculates:
Figure BDA0002919830180000102
Subsequently, the new data owner assembles the second auxiliary information $(\omega, R_2)$ and sends it to the third-party data verifier;
The third-party data verifier receives the first auxiliary information $1/t$ and the second auxiliary information $(\omega, R_2)$ and calculates the data conversion value:
Figure BDA0002919830180000103
S105, the third-party data verifier and the cloud server perform data integrity detection on the file data by using the aggregated file authenticator and the data conversion value.
Specifically, the process of performing data integrity detection on the file data by the third-party data verifier and the cloud server by using the aggregated file authenticator and the data conversion value may include:
Step 41: the third-party data verifier generates challenge data and sends the challenge data to the cloud server;
Step 42: the cloud server receives the challenge data and generates verification data by using the challenge data and the aggregated file authenticator;
Step 43: the cloud server sends the verification data to the third-party data verifier;
Step 44: the third-party data verifier receives the verification data and performs data integrity detection on the file data by using the verification data and the data conversion value.
It should be noted that the embodiment of the present invention does not limit the specific form and content of the challenge data; reference may be made to the related art on data integrity challenges.
Further, the embodiment of the present invention does not limit whether the cloud server encrypts the verification data while generating it: when data security during the data integrity detection can be ensured without encryption, the encryption may be omitted, and when data security needs to be improved, the verification data may be encrypted. In the embodiment of the present invention, the verification data may be encrypted in order to prevent the third-party data verifier from using the verification data to obtain the user's private data. The embodiment of the present invention also does not limit the specific encryption manner; for example, symmetric encryption, asymmetric encryption, or a random masking technique may be used, where random masking is a technique that blinds the data blocks during generation of the verification data. Because random masking not only encrypts the user data but also simplifies the integrity detection of the encrypted data, the random masking technique may be adopted to encrypt the verification data.
In one possible scenario, the process of generating verification data by using the challenge data and the aggregated file authenticator may include:
Step 51: the cloud server generates initial verification data by using the challenge data and the aggregated file authenticator;
Step 52: the cloud server performs a random masking operation on the initial verification data and generates the verification data by using the randomly masked initial verification data.
Further, the embodiment of the present invention does not limit whether the third-party data verifier selects the data integrity detection according to whether the file data has been transferred; when integrity detection is performed only on transferred file data, the transfer status of the file data need not be determined. In the embodiment of the present invention, in order to ensure the integrity of the data throughout the data transfer process, the corresponding data integrity detection can be carried out according to the transfer status. The embodiment of the present invention does not limit the manner of determining whether the file data has been transferred; for example, when the file data carries an ownership identifier, the third-party data verifier may determine from the identifier whether the file data has been transferred, or may determine it from whether the first auxiliary information and the second auxiliary information have been received.
In one possible case, the third-party data verifier receives verification data and performs data integrity detection on the file data by using the verification data and the data conversion value, including:
Step 61: the third-party data verifier judges whether the file data has been transferred; if yes, go to step 62; if not, go to step 63;
Step 62: a first data integrity detection is performed on the file data by using the verification data and the data conversion value;
Step 63: a second data integrity detection is performed on the file data by using the verification data.
The data integrity detection process between the third-party data verifier and the cloud server is explained below with reference to specific examples.
The third-party data verifier first generates the data integrity challenge data:
1. Randomly selecting a set $I$ of $c$ elements,
Figure BDA0002919830180000121
2. Generating a random value for each $i \in I$
Figure BDA0002919830180000122
3. Generating the challenge data $chal = \{i, v_i\}_{i \in I}$ and sending the challenge data to the cloud server.
After receiving the challenge data, the cloud server generates verification data by using the challenge data and the aggregated file authenticator:
1. Computing
Figure BDA0002919830180000123
and $\mu' = \sum_{i \in I} m_i v_i$;
2. Randomly masking $\mu'$: randomly selecting
Figure BDA0002919830180000124
calculating $R = u^r$, and calculating $\mu = \mu' - r h_1(name, R)$;
3. Generating the verification data $proof = (u, T, R)$ and transmitting the verification data to the third-party data verifier.
The third-party data verifier determines whether the file data has been transferred and performs the corresponding data integrity detection:
1. When the file data has not been transferred, that is, the file data still belongs to the original data owner, the third-party data verifier performs the first data integrity detection operation using the following equation:
Figure BDA0002919830180000125
2. When the file data has been transferred, the third-party data verifier first uses the data conversion value to calculate $T' = T^{\omega'}$, and then performs the second data integrity detection operation using the following equation:
Figure BDA0002919830180000126
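An added example, not taken from the patent: the random-masking step above ($R = u^r$, $\mu = \mu' - r h_1(name, R)$) run in a small constructed group, showing that a verifier can recover $u^{\mu'}$ from $(\mu, R)$ without ever seeing $\mu'$. The toy group `P`, `Q`, `U`, the SHA-256 form of `h1`, the range of $v_i$ and all function names are assumptions; $T$ and the verification equations are not reproduced on this page and are left out.

```python
"""Random masking of the challenge response, in a toy group (added example)."""
import hashlib
import secrets

# Constructed toy parameters (assumption): the subgroup of prime order Q in
# Z_P^*, with P = 2Q + 1. The scheme itself is not tied to this group; it is
# used here only to carry the masking algebra.
P, Q = 2039, 1019
U = 4  # generator of the order-Q subgroup, playing the role of u


def h1(name, R):
    """Hypothetical instantiation of h_1(name, R): SHA-256 reduced mod Q."""
    digest = hashlib.sha256(f"{name}|{R}".encode()).digest()
    return int.from_bytes(digest, "big") % Q


def make_challenge(n_blocks, c):
    """chal = {i, v_i}, i in I: c distinct block indices with random v_i.

    Drawing v_i from [1, Q-1] is an assumption; the page's range is lost.
    """
    if not 0 < c <= n_blocks:
        raise ValueError("c must be between 1 and the number of blocks")
    indices = secrets.SystemRandom().sample(range(n_blocks), c)
    return {i: 1 + secrets.randbelow(Q - 1) for i in indices}


def combine(blocks, chal):
    """mu' = sum over i in I of m_i * v_i (mod Q): the unmasked combination."""
    return sum(blocks[i] * v for i, v in chal.items()) % Q


def masked_response(blocks, chal, name, r=None):
    """Cloud-server side: pick r, set R = u^r and mu = mu' - r*h_1(name, R)."""
    if r is None:
        r = 1 + secrets.randbelow(Q - 1)
    R = pow(U, r, P)
    mu = (combine(blocks, chal) - r * h1(name, R)) % Q
    return mu, R


def unmask_in_exponent(mu, R, name):
    """Verifier side: u^mu * R^h_1(name, R) equals u^mu'.

    The verifier obtains mu' only "in the exponent", which is all a
    group-based integrity equation needs, and never sees mu' itself.
    """
    return (pow(U, mu, P) * pow(R, h1(name, R), P)) % P


def demo():
    blocks = [17, 230, 5, 998, 41, 612]          # constructed block values m_i
    chal = make_challenge(len(blocks), 3)
    target = pow(U, combine(blocks, chal), P)    # u^mu', for comparison only
    results = []
    for _ in range(3):                           # same challenge, fresh r
        mu, R = masked_response(blocks, chal, "file.bin")
        results.append((mu, R, unmask_in_exponent(mu, R, "file.bin") == target))
    return results


if __name__ == "__main__":
    for mu, R, ok in demo():
        print(f"mu={mu:4d}  R={R:4d}  unmasks to u^mu': {ok}")
```

Each run of `demo()` answers the same challenge with a fresh `r`, so the transmitted `mu` and `R` change from response to response while the value recovered in the exponent stays fixed.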
Based on the above embodiment, in this method the original data owner first generates a unified aggregated file authenticator for the file data before the data transfer. In existing schemes an authenticator is kept for each data block, so the third-party data verifier has to check and convert every authenticator when verifying data integrity, and the cost of the existing data integrity detection is positively correlated with the size of the file data. In the present invention, the aggregated file authenticator generated by the original data owner is a unified authenticator for the file data, and the third-party data verifier and the cloud server need only the aggregated file authenticator to carry out a single data integrity detection, so that the data integrity detection is not affected by the amount of file data, the computation required for data integrity detection is reduced, and the detection efficiency is improved.
Based on the above embodiments, the above process is explained below with reference to a specific example. Referring to fig. 2, fig. 2 is a schematic diagram of a hardware framework for data integrity detection according to an embodiment of the present invention. The scheme comprises the following five entities: an original data owner, a new data owner, a cloud server, a key generation center and a third-party data verifier. The data integrity detection method can be divided into the following stages: an initialization stage, an anonymous identity and key generation stage, an authenticator generation stage, a data transfer stage, a proof generation stage and a proof verification stage. Specifically, the executing entities and the specific steps of each stage may include:
1. The initialization stage is executed by the key generation center to generate a master key and system parameters;
2. The anonymous identity and key generation stage is executed by the original data owner, the new data owner and the key generation center. The key generation center generates the corresponding anonymous identities and keys according to the real identities of the original data owner and the new data owner, and then sends them to the original data owner and the new data owner respectively;
3. The authenticator generation stage is executed by the original data owner. The original data owner generates the corresponding authenticator for the data, sends the data and the corresponding authenticator to the cloud server, and sends a verification value to the third-party data verifier;
4. The data transfer stage is executed by the original data owner, the new data owner and the third-party data verifier. The original data owner and the new data owner cooperate to calculate auxiliary information and send it to the third-party data verifier, and the third-party data verifier calculates the corresponding data conversion value from the auxiliary information. The third-party data verifier can then use the conversion value to process the data integrity proof generated by the cloud server;
5. The proof generation stage is executed by the third-party data verifier and the cloud server. The third-party data verifier sends a data integrity challenge to the cloud server, and the cloud server returns the corresponding data integrity proof;
6. The proof verification stage is executed by the third-party data verifier. The third-party data verifier judges, from the data integrity proof sent by the cloud server, whether the file is completely stored on the cloud server.
The following describes the data integrity detection apparatus, the electronic device and the storage medium provided by embodiments of the present invention; their description and the description of the data integrity detection method above may be read with reference to each other.
Referring to fig. 3, fig. 3 is a block diagram of a data integrity detection apparatus according to an embodiment of the present invention, where the data integrity detection apparatus 300 includes a key generation center 310, an original data owner 320, a new data owner 330, a third-party data verifier 340, and a cloud server 350.
Referring to fig. 4, the key generation center 310 may include:
an anonymous data generating module 311, configured to generate first anonymous data for the original data owner 320 and second anonymous data for the new data owner 330.
Referring to fig. 5, the original data owner 320 may include:
an authenticator generating module 321, configured to generate an aggregated file authenticator by using the first anonymous data and send the aggregated file authenticator to the cloud server 350;
a data transfer module 322, configured to transfer the file data stored in the cloud server 350 to the new data owner 330;
a first data conversion value generating module 323, configured to generate, together with the new data owner 330, a data conversion value for the third-party data verifier 340 by using the first anonymous data and the second anonymous data.
Referring to fig. 6, the new data owner 330 may include:
a second data conversion value generating module 331, configured to generate, together with the original data owner 320, a data conversion value for the third-party data verifier 340 by using the first anonymous data and the second anonymous data.
Referring to fig. 7, the third-party data verifier 340 may include:
a first data integrity detection module 341, configured to perform, together with the cloud server 350, data integrity detection on the file data by using the aggregated file authenticator and the data conversion value;
a third data conversion value generation module 342, configured to generate the data conversion value together with the original data owner 320 and the new data owner 330.
Referring to fig. 8, the cloud server 350 may include:
a second data integrity detection module 351, configured to perform, together with the third-party data verifier 340, data integrity detection on the file data by using the aggregated file authenticator and the data conversion value.
Based on the above embodiment, in this device the original data owner generates a unified aggregated file authenticator for the file data before the data transfer. In existing schemes an authenticator is kept for each data block, so the third-party data verifier has to check and convert every authenticator when verifying data integrity, and the cost of the existing data integrity detection is positively correlated with the size of the file data. In the present invention, the aggregated file authenticator generated by the original data owner is a unified authenticator for the file data, and the third-party data verifier and the cloud server need only the aggregated file authenticator to carry out a single data integrity detection, so that the data integrity detection is not affected by the amount of file data, the computation required for data integrity detection is reduced, and the detection efficiency is improved.
Optionally, the first data integrity detecting module 341 may include:
a challenge data generation submodule, configured to generate challenge data and send the challenge data to the cloud server 350;
a data integrity detection submodule, configured to receive the verification data and perform data integrity detection on the file data by using the verification data and the data conversion value.
The second data integrity detection module 351 may include:
a verification data generation submodule, configured to receive the challenge data and generate verification data by using the challenge data and the aggregated file authenticator;
a verification data sending submodule, configured to send the verification data to the third-party data verifier 340.
Optionally, the verification data generation sub-module may include:
an initial verification data generation unit, configured to generate initial verification data by using the challenge data and the aggregated file authenticator;
a random masking unit, configured to perform a random masking operation on the initial verification data and generate the verification data by using the randomly masked initial verification data.
Optionally, the data integrity detection sub-module may include:
a transfer state judging unit, configured to judge whether the file data has been transferred;
a first data integrity detection unit, configured to perform the first data integrity detection on the file data by using the verification data and the data conversion value;
a second data integrity detection unit, configured to perform the second data integrity detection on the file data by using the verification data.
Optionally, the first data conversion value generating module 323 may include:
a first data generating unit, configured to generate first auxiliary information and intermediate data by using a first key in the first anonymous data, send the first auxiliary information to the third-party data verifier 340, and send the intermediate data to the new data owner 330.
The second data conversion value generating module 331 may include:
a second data generating unit, configured to receive the intermediate data, generate second auxiliary information by using the intermediate data and the second anonymous data, and send the second auxiliary information to the third-party data verifier 340.
The third data conversion value generation module 342 may include:
a third data generation unit, configured to receive the first auxiliary information and the second auxiliary information and generate the data conversion value by using the first auxiliary information and the second auxiliary information.
Optionally, the anonymous data generating module 311 may include:
a parameter generation submodule, configured to generate a master key and a preset number of cryptographic hash functions and determine system parameters by using the cryptographic hash functions;
a first anonymous data generation submodule, configured to generate the first anonymous data by using the first identity data of the original data owner 320, the master key and the system parameters;
a second anonymous data generation submodule, configured to generate the second anonymous data by using the second identity data of the new data owner 330, the master key and the system parameters.
Optionally, the authenticator generating module 321 may include:
a data block generation submodule, configured to divide the data stored in the cloud server 350 into a preset number of data blocks;
an authenticator generating submodule, configured to generate an initial authenticator for each data block by using the first key in the first anonymous data and generate the aggregated file authenticator by using the initial authenticators and the corresponding data block information.
An embodiment of the present invention further provides an electronic device, including:
a memory for storing a computer program;
a processor for implementing the steps of the data integrity detection method when executing the computer program.
Since the embodiment of the electronic device portion corresponds to the embodiment of the data integrity detection method portion, please refer to the description of the embodiment of the data integrity detection method portion for the embodiment of the electronic device portion, which is not repeated here.
The embodiment of the present invention further provides a storage medium, where a computer program is stored on the storage medium, and when the computer program is executed by a processor, the steps of the data integrity detection method in any of the above embodiments are implemented.
Since the embodiment of the storage medium portion and the embodiment of the data integrity detection method portion correspond to each other, please refer to the description of the embodiment of the data integrity detection method portion for the embodiment of the storage medium portion, which is not repeated here.
The embodiments in this specification are described in a progressive manner; each embodiment focuses on its differences from the other embodiments, and the same or similar parts of the embodiments may be referred to each other. Since the device disclosed in the embodiments corresponds to the method disclosed in the embodiments, its description is brief, and the relevant points can be found in the description of the method.
Those of skill would further appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, computer software, or combinations of both, and that the various illustrative components and steps have been described above generally in terms of their functionality in order to clearly illustrate this interchangeability of hardware and software. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the implementation. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present invention.
The steps of a method or algorithm described in connection with the embodiments disclosed herein may be embodied directly in hardware, in a software module executed by a processor, or in a combination of the two. A software module may reside in Random Access Memory (RAM), memory, Read Only Memory (ROM), electrically programmable ROM, electrically erasable programmable ROM, registers, hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the art.
The data integrity detection method, the data integrity detection device, the electronic device and the storage medium provided by the invention are described in detail above. The principles and embodiments of the present invention are explained herein using specific examples, which are presented only to assist in understanding the method and its core concepts. It should be noted that, for those skilled in the art, it is possible to make various improvements and modifications to the present invention without departing from the principle of the present invention, and those improvements and modifications also fall within the scope of the claims of the present invention.

Claims (8)

1. A method for data integrity detection, comprising:
the key generation center generates first anonymous data for an original owner of the data and generates second anonymous data for a new owner of the data;
the original data owner divides data stored in the cloud server into a preset number of data blocks, generates an initial authenticator for each data block by using a first secret key in the first anonymous data, aggregates the initial authenticators to generate an aggregated file authenticator, and sends the aggregated file authenticator to the cloud server, wherein the aggregated file authenticator is an authenticator capable of representing the divided data blocks and is obtained by aggregating the initial authenticators of the divided data blocks;
the original data owner transfers the file data stored in the cloud server to the new data owner;
the original data owner and the new data owner generate a data conversion value for a third-party data verifier by using the first anonymous data and the second anonymous data;
the third-party data verifier generates challenge data and sends the challenge data to the cloud server;
the cloud server receives the challenge data and generates verification data by using the challenge data and the aggregated file authenticator;
the cloud server sends the verification data to the third party data verifier;
and the third-party data verifier receives the verification data and performs data integrity detection on the file data by using the verification data and the data conversion value.
2. The method according to claim 1, wherein the generating verification data by using the challenge data and the aggregated file authenticator comprises:
the cloud server generates initial verification data by using the challenge data and the aggregated file authenticator;
the cloud server performs a random masking operation on the initial verification data and generates the verification data by using the randomly masked initial verification data.
3. The data integrity detection method of claim 1, wherein the third-party data verifier receiving the verification data and performing data integrity detection on the file data by using the verification data and the data conversion value comprises:
the third-party data verifier judges whether the file data is transferred or not;
if so, performing first data integrity detection on the file data by using the verification data and the data conversion value;
and if not, performing second data integrity detection on the file data by using the verification data.
4. The data integrity detection method of claim 1, wherein the generating of the data conversion value for the third party data verifier by the original owner of the data and the new owner of the data using the first anonymous data and the second anonymous data comprises:
the original data owner generates first auxiliary information and intermediate data by using a first secret key in the first anonymous data, sends the first auxiliary information to the third-party data verifier, and sends the intermediate data to the new data owner;
the new data owner receives the intermediate data, generates second auxiliary information by using the intermediate data and the second anonymous data, and sends the second auxiliary information to the third-party data verifier;
the third-party data verifier receives the first auxiliary information and the second auxiliary information, and generates the data conversion value using the first auxiliary information and the second auxiliary information.
5. The data integrity detection method of claim 1, wherein the key generation center generates first anonymous data for an original owner of the data and second anonymous data for a new owner of the data, and comprises:
the key generation center generates a master key and a preset number of cryptographic hash functions, and determines system parameters by using the cryptographic hash functions;
the key generation center generates the first anonymous data by using first identity data of the original data owner, the master key and the system parameters;
the key generation center generates the second anonymous data by using second identity data of the new data owner, the master key and the system parameters.
6. A data integrity detection apparatus, characterized by comprising means for performing the data integrity detection method according to any one of claims 1 to 5.
7. An electronic device, comprising:
a memory for storing a computer program;
a processor for implementing the data integrity detection method of any one of claims 1 to 5 when executing the computer program.
8. A storage medium having stored thereon computer-executable instructions which, when loaded and executed by a processor, carry out a method of data integrity detection as claimed in any one of claims 1 to 5.
CN202110113654.5A 2021-01-27 2021-01-27 Data integrity detection method and device, electronic equipment and storage medium Active CN112784314B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110113654.5A CN112784314B (en) 2021-01-27 2021-01-27 Data integrity detection method and device, electronic equipment and storage medium

Publications (2)

Publication Number Publication Date
CN112784314A (en) 2021-05-11
CN112784314B (en) 2022-07-29

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant