CN112947855A - Efficient encryption repeated data deleting method based on hardware security zone - Google Patents


Info

Publication number
CN112947855A
Authority
CN
China
Prior art keywords
key
client
encryption
key generation
storage server
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN202110136154.3A
Other languages
Chinese (zh)
Other versions
CN112947855B (en
Inventor
李经纬
任彦璟
杨祚儒
李柏晴
张小松
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
University of Electronic Science and Technology of China
Original Assignee
University of Electronic Science and Technology of China

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F3/00 Input arrangements for transferring data to be processed into a form capable of being handled by the computer; Output arrangements for transferring data from processing unit to output unit, e.g. interface arrangements
    • G06F3/06 Digital input from, or digital output to, record carriers, e.g. RAID, emulated record carriers or networked record carriers
    • G06F3/0601 Interfaces specially adapted for storage systems
    • G06F3/0602 Interfaces specially adapted for storage systems specifically adapted to achieve a particular effect
    • G06F3/062 Securing storage systems
    • G06F3/0628 Interfaces specially adapted for storage systems making use of a particular technique
    • G06F3/0638 Organizing or formatting or addressing of data
    • G06F3/064 Management of blocks
    • G06F3/0641 De-duplication techniques
    • G06F3/0668 Interfaces specially adapted for storage systems adopting a particular infrastructure
    • G06F3/067 Distributed or networked storage systems, e.g. storage area networks [SAN], network attached storage [NAS]
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/602 Providing cryptographic facilities or services
    • G06F21/70 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
    • G06F21/78 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure storage of data

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Human Computer Interaction (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Software Systems (AREA)
  • Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Storage Device Security (AREA)

Abstract

The invention discloses an efficient encrypted deduplication method based on a hardware security zone, and belongs to the technical field of information security. To address the efficiency problems of server-assisted key generation and data block ownership verification in existing encrypted deduplication systems, the invention provides an efficient encrypted deduplication method based on a hardware security zone that replaces the expensive cryptographic computation of traditional schemes and significantly improves computing performance while ensuring the same security. The method can be used in a storage model consisting of a client, a key manager and a cloud storage server: a client is deployed at the user side to support data reading and writing; a key manager and a storage server are deployed at the cloud storage server for managing remote data and supporting key generation.

Description

Efficient encryption repeated data deleting method based on hardware security zone
Technical Field
The invention belongs to the technical field of information security, and particularly relates to a technology for realizing encrypted repeated data deletion and storage based on a hardware security area.
Background
In an encrypted deduplication storage system, deduplication works by dividing an input file into non-overlapping chunks. For each chunk, a hash of the chunk contents (referred to as a fingerprint) is first computed, and the fingerprints of all currently stored chunks are tracked in a key-value store referred to as the fingerprint index. Assuming that a fingerprint collision is very unlikely in practice, if the fingerprint is new and does not exist in the fingerprint index, a physical copy of the chunk is stored; if the fingerprint is already tracked, the chunk is treated as a logical copy that points to the physical copy already saved. Encrypted deduplication extends chunk-based deduplication with encryption, so that outsourced cloud storage is given both data confidentiality and storage efficiency. The client encrypts each plaintext block of the input file into a ciphertext block using a number of symmetric keys and uploads all ciphertext blocks to the cloud, and the cloud applies deduplication to the ciphertext blocks.
It is crucial that duplicate plaintext blocks are encrypted into duplicate ciphertext blocks, so that deduplication remains feasible over ciphertext blocks. Message-Locked Encryption (MLE) (see M. Bellare, S. Keelveedhi, and T. Ristenpart. Message-locked encryption and secure deduplication. In Proc. of EuroCrypt, 2013) formalizes an encryption primitive that specifies how to derive a symmetric encryption key (referred to as an MLE key) from the contents of a plaintext block in order to preserve the ability to deduplicate encrypted data. A mainstream example of MLE is Convergent Encryption (CE) (see J. R. Douceur, A. Adya, W. J. Bolosky, D. Simon, and M. Theimer. Reclaiming space from duplicate files in a serverless distributed file system. In Proc. of IEEE ICDCS, 2002), which derives the MLE key from a cryptographic hash of the plaintext block. However, CE is vulnerable to offline brute-force attacks (see M. Bellare, S. Keelveedhi, and T. Ristenpart. DupLESS: Server-aided encryption for deduplicated storage. In Proc. of USENIX Security, 2013), in which an attacker who does not know the MLE key enumerates the MLE keys of all possible plaintext blocks and checks them against a target ciphertext block, since any plaintext block encrypts to its corresponding ciphertext block, and thereby infers the input plaintext block. Thus, the original MLE requires that blocks be unpredictable (see M. Bellare, S. Keelveedhi, and T. Ristenpart. Message-locked encryption and secure deduplication. In Proc. of EuroCrypt, 2013); it is on this requirement that encrypted deduplication relies to resist offline brute-force attacks.
To support file reconstruction, each client creates file metadata for the uploaded file that lists, in order, the fingerprint, size, and MLE key of each ciphertext block. The client encrypts the file metadata using its own master key and then uploads it (along with the uploaded ciphertext blocks) to the cloud. To download a file, the client retrieves the file metadata and decrypts it using the master key. It then retrieves the ciphertext blocks, decrypts them with the MLE keys stored in the file metadata, and reconstructs the original file.
To defend against offline brute-force attacks on predictable data blocks, server-assisted MLE (see M. Bellare, S. Keelveedhi, and T. Ristenpart. DupLESS: Server-aided encryption for deduplicated storage. In Proc. of USENIX Security, 2013) deploys a dedicated key server to generate MLE keys. To encrypt a plaintext block, a client first sends the fingerprint of the plaintext block to the key server, which generates and returns an MLE key from the fingerprint and a global secret maintained by the key server. If the global secret is secure, an adversary cannot feasibly launch offline brute-force attacks even against predictable data blocks. If the global secret is revealed, security is reduced to that of the original MLE. Server-assisted MLE is further built on two security mechanisms. First, it uses an oblivious pseudo-random function (OPRF) (see M. Naor and O. Reingold. Number-theoretic constructions of efficient pseudo-random functions. Journal of the ACM, 51(2):231-262, 2004) to allow the client to send a "blinded" fingerprint of the plaintext block, so that the key server can still return the same MLE key for the same fingerprint while being unable to obtain the original fingerprint of the data block. Second, it rate-limits key generation requests from clients to prevent online brute-force attacks (in which malicious clients attempt to issue a large number of key generation requests to the key server).
To save network traffic, encrypted deduplication may employ client-based deduplication, where duplicate ciphertext blocks are removed at the client without being uploaded to the cloud storage server. Specifically, the client first sends the fingerprint of the ciphertext block to the cloud storage server, which checks whether the fingerprint is tracked by the fingerprint index (i.e., the corresponding ciphertext block has been stored). The client then uploads only non-duplicate ciphertext blocks to the cloud storage server. However, client-based deduplication is susceptible to side-channel attacks (see D. Harnik, B. Pinkas, and A. Shulman-Peleg. Side channels in cloud services: Deduplication in cloud storage. IEEE Security & Privacy, 8(6):40-47, 201). In such attacks, a malicious client may infer the presence of any target ciphertext block by sending the fingerprint of the target ciphertext block to the cloud storage server as a query, and may even obtain information and so achieve unauthorized access (see M. Mulazzani, S. Schrittwieser, M. Leithner, and M. Huber. Dark clouds on the horizon: Using cloud storage as attack vector and online slack space. In Proc. of USENIX Security, 2011). To protect against side-channel attacks, client-based deduplication should be used in conjunction with proof of ownership (PoW) (see D. Harnik, E. Tsfadia, D. Chen, and R. Kat. Securing the storage data path with SGX enclaves. https://arxiv.org/abs/1806.10883, 2018) to ensure that the client actually owns the ciphertext block. Specifically, each fingerprint that the client sends to the cloud storage server is accompanied by a proof by which the cloud storage server can verify whether the client is the true owner of the corresponding ciphertext block. The cloud storage server responds only after the proof has been verified successfully, thereby preventing any malicious client from identifying ciphertext blocks owned by other clients.
However, implementing secure server-assisted MLE requires expensive cryptographic operations. Take the server-assisted MLE implementation of DupLESS as an example (see M. Bellare, S. Keelveedhi, and T. Ristenpart. DupLESS: Server-aided encryption for deduplicated storage. In Proc. of USENIX Security, 2013). First, DupLESS implements the OPRF protocol to hide fingerprint information from the key server, but the OPRF protocol is built on expensive public-key cryptographic operations. Second, DupLESS rate-limits clients' key generation requests to protect against online brute-force attacks, which also limits storage system throughput. Finally, to support client-based deduplication, DupLESS needs PoW to prevent side-channel attacks, but current PoW implementations are based on Merkle-tree protocols (see S. Halevi, D. Harnik, B. Pinkas, and A. Shulman-Peleg. Proofs of ownership in remote storage systems. In Proc. of ACM CCS, 2011), which may incur excessive overhead because a Merkle tree has to be built and computed for every data block.
Disclosure of Invention
The invention aims to: aiming at the efficiency problems of server auxiliary key generation and data block ownership proof in the existing encryption repeated data deleting system, an efficient encryption repeated data deleting method based on a hardware security area is provided.
The invention discloses a high-efficiency encryption repeated data deleting method based on a hardware security area, which is implemented in an encryption repeated data deleting system comprising a cloud storage server, a key manager and a client, and comprises the following steps:
Step one: the cloud storage server distributes a signed key generation secure zone dynamic runtime library to the key manager, and distributes an ownership proof secure zone dynamic runtime library to each client; the key generation secure zone dynamic runtime library contains the global secret component $Sub\_s_C$ of the cloud storage server;
Step two: the key manager creates a key generation secure zone from the key generation secure zone dynamic runtime library, and remotely attests to the cloud storage server that the key generation secure zone it runs is correct (the cloud storage server verifies the validity of the key generation secure zone held by the key manager); if the attestation passes, the key manager and the cloud storage server each start the key regression computation at the same time and derive the latest blinded key $K_k$ based on the key regression technique, which is used to protect key generation operations;
Step three: the client creates an ownership proof secure zone from the ownership proof secure zone dynamic runtime library and contacts the cloud storage server to remotely attest the ownership proof secure zone (the cloud storage server verifies the validity of the ownership proof secure zone held by the client); if the attestation passes, the client obtains the latest blinded key state information from the cloud storage server, obtains from the key manager the version of the key state currently accepted by the key manager's key generation secure zone, and derives, based on the key regression technique, the blinded key $K_k$ currently accepted by the key generation secure zone;
Step four: using the currently obtained blinded key $K_k$, the client encrypts the fingerprint $FP_M$ of the data block to be uploaded to obtain the encrypted data block fingerprint $C(FP_M)$, and uses the blinded key $K_k$ to compute the hash-based message authentication code $\mathrm{HMAC}_{FP}$ of $C(FP_M)$; finally, it sends $C(FP_M)$ and $\mathrm{HMAC}_{FP}$ to the key manager to request the encryption key of the data block;
Step five: the key manager passes the currently received $C(FP_M)$ and $\mathrm{HMAC}_{FP}$ to the key generation secure zone through a specified secure zone call interface;
the key generation secure zone verifies the correctness of the received $C(FP_M)$ based on $K_k$ and $\mathrm{HMAC}_{FP}$; if verification passes, it decrypts $C(FP_M)$ with the blinded key $K_k$ to obtain the fingerprint $FP_M$, and computes $H(FP_M \| s)$ to obtain the encryption key $K_{FP}$ of the fingerprint $FP_M$; if not, it rejects the key generation and requires the client to resend the key generation request; here the global secret $s$ is $H(Sub\_s_C \| Sub\_s_K)$, where $Sub\_s_K$ denotes the global secret component of the key manager, which is passed to the key generation secure zone through the specified secure zone call interface, and $H()$ denotes a preset hash function;
the key generation secure zone encrypts $K_{FP}$ with the blinded key $K_k$ to obtain the ciphertext key $C(K_{FP})$, and computes the corresponding signature $\mathrm{HMAC}_K$, i.e., the hash-based message authentication code of the ciphertext key $C(K_{FP})$;
the key generation secure zone passes the ciphertext key $C(K_{FP})$ and $\mathrm{HMAC}_K$ to the key manager through the specified secure zone call interface, and the key manager returns them to the client;
Step six: the client verifies $\mathrm{HMAC}_K$; if verification passes, it decrypts $C(K_{FP})$ to obtain the encryption key $K_{FP}$; if not, it issues the key generation request again;
the client uses the encryption key $K_{FP}$ to encrypt the data block corresponding to the fingerprint $FP_M$, obtaining a ciphertext block $C$; it then accesses the ownership proof secure zone through the specified secure zone call interface and obtains the fingerprint $FP_C$ of the ciphertext block $C$ and its proof information $\mathrm{CMAC}_C$ (i.e., the cipher-based message authentication code for ciphertext block $C$); it then sends an ownership proof request to the cloud storage server, the request containing the fingerprint $FP_C$ and the proof information $\mathrm{CMAC}_C$;
Step seven: the cloud storage server verifies the proof information $\mathrm{CMAC}_C$; after determining that the current client owns the data block corresponding to the proof information $\mathrm{CMAC}_C$, it queries the deduplication index with the fingerprint $FP_C$ and returns the result to the client;
Step eight: the client uploads data based on the result returned by the cloud storage server: if the cloud storage server already holds the fingerprint $FP_C$, the ciphertext block $C$ is not uploaded; otherwise, the ciphertext block $C$ is uploaded to the cloud storage server.
In summary, due to the adoption of the technical scheme, the invention has the beneficial effects that: the efficient encryption repeated data deleting method based on the hardware security area replaces the expensive cryptography calculation of the traditional scheme, and obviously improves the calculation performance under the condition of ensuring the same security.
Drawings
Fig. 1 is a schematic structural diagram of a system according to an embodiment of the present invention.
Fig. 2 is a performance analysis of a blind key management method according to an embodiment of the present invention, where fig. 2(a) shows update delays corresponding to different key update parameters n, and fig. 2(b) shows a delay of an ith key update operation corresponding to a default key update parameter n;
FIG. 3 is a graph comparing key generation rates in the example;
FIG. 4 is a diagram illustrating the extensibility of the key generation zones in the embodiment with or without the use of Intel SGX for speculative encryption.
FIG. 5 is a comparison of computing speeds for different proof of ownership schemes in an embodiment;
FIG. 6 is a graph comparing upload speeds for an encrypted deduplication system and a plaintext deduplication system in accordance with an embodiment of the present invention;
FIG. 7 is a comparison graph of download speed for an encrypted deduplication system and a plaintext deduplication system in accordance with an embodiment of the invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the present invention will be described in further detail with reference to the following embodiments and accompanying drawings.
To address the efficiency problems of server-assisted key generation and data block ownership verification in existing encrypted deduplication systems, the invention provides an efficient encrypted deduplication method based on a hardware security zone, which replaces the expensive cryptographic computation of traditional schemes and significantly improves computing performance while ensuring the same security. The method can be used in a storage model consisting of a client, a key manager and a cloud storage server: a client is deployed at the user side to support data reading and writing; a key manager and a storage server are deployed at the cloud storage server for managing remote data and supporting key generation. The specific implementation process of the efficient encrypted deduplication method based on a hardware security zone is as follows:
First, blinded key management is adopted to resist online brute-force attacks.
According to the invention, the cloud storage server verifies the client's authority and distributes the blinded key of the key generation secure zone, which avoids the high overhead of verifying client authority and negotiating the blinded key inside the key generation secure zone. The blinded key is used to encrypt the plaintext block fingerprints and the corresponding encryption keys during key generation, replacing the expensive public-key cryptographic algorithm of the conventional OPRF protocol. The blinded key is also used to generate the corresponding message authentication codes with which the client and the key manager verify the correctness of the data. In addition, the blinded key update technique prevents a compromised client from keeping permanent access to the key generation secure zone, so online brute-force attacks can be resisted. The specific implementation comprises the following steps:
Step S101: During key manager initialization, the cloud storage server sends the key generation secure zone code to the key manager in the form of a signed dynamic runtime library.
The cloud storage server hard-codes into the key generation secure zone code the global secret component $Sub\_s_C$ and a blinded secret $K$, which is used to generate the blinded key $K_k$ required for key generation requests.
Step S102: the key manager creates a key generation safety zone through a key generation safety zone dynamic operation base, and the safety zone is proved to be correct to the cloud storage server through the remote authentication service.
Step S103: after the authentication is passed, the key manager and the cloud storage server start a timer, and key updating operation is carried out after the preset time is reached.
The key manager notifies a key generation safety zone updating blinding key K through a preset safety zone calling interface after the key updating time is up and no client is connectedk
Step S104: for blinding the key update, a key regression technique (refer to documents k.fu, s.kamara, and t.kohno.key regression: abstract information distribution for secure distributed storage. in proc.ofndss, 2006) is used.
The key regression technique first generates a series of key states S [1], S [2], S [3] S [ m ], each of which can be used to derive a blinded key.
The key regression technique allows the cloud storage server and key generation security zone to derive any new key states from the old key states using the blinded secret K (e.g., derive S [2] from S [1]), ensuring that the client cannot learn any information of the new states. It also allows the client to derive any old state from the new state (e.g., derive S [1] from S [2 ]).
Step S105: the key generation safety zone and the cloud storage server use the same key regression scheme based on the Hash function, a common parameter N (representing the maximum times of key regression that can be performed) is set, and the ith state is calculated to be S [ i ] based on the blinded secret K]=HN-i+1(K) Where H () represents a hash function.
Step S106: client downloads current latest blinded key state Si from cloud storage server]And then obtaining the current version number j of the blinded key accepted by the current key generation safety zone from the key manager. By new state Si]And j derives the blinded key state accepted by the key generation security zone as Sj]=Hi-j+1(S[i])。
Since the key generation security zone may not be able to immediately update the blinded key since key generation is being performed, j may be less than i, requiring the client to re-derive the correct blinded key state S [ j ] based on the latest blinded key state and the blinded key state version number accepted by the key generation security zone.
Step S107: client uses blinded key state Sj]By Kk[j]=H(S[j]||(0)8) Calculating a blinded key K for key generationk[j]. Wherein, (0)8Representing a string of binary zeros with a bit number of 8. Wherein "|" represents a connector.
To simplify the description, the currently generated blinded key is denoted as the blinded key $K_k$. The blinded key $K_k$ is used for secure communication between the key generation secure zone and the client (replacing the blinding operation based on the public-key cryptosystem in the conventional OPRF protocol), protecting the communication content from being obtained by a malicious key manager. In the present embodiment, the process of encrypting a data block based on the blinded key $K_k$ is as follows:
Step S201: The client encrypts the plaintext block fingerprint $FP_M$ with the currently obtained blinded key $K_k$, and uses $K_k$ to compute the hash-based message authentication code $\mathrm{HMAC}_{FP}$ of the encrypted data block fingerprint $C(FP_M)$. It sends $C(FP_M)$ and $\mathrm{HMAC}_{FP}$ to the key manager.
For example, the client computes $\mathrm{HMAC}_{FP}$ with HMAC-SHA256. Following the Encrypt-then-MAC paradigm (encrypt first, then compute the message authentication code; see M. Bellare and C. Namprempre. Authenticated encryption: Relations among notions and analysis of the generic composition paradigm. In Proc. of ASIACRYPT, 2000), any incorrect or outdated blinded key is detected by checking the MAC. The signature takes the blinded key $K_k$ and the encrypted data block fingerprint $C(FP_M)$ as input, enabling the key generation secure zone to verify the validity of the received encrypted data block fingerprint $C(FP_M)$.
Step S202: After receiving $C(FP_M)$ and $\mathrm{HMAC}_{FP}$, the key manager passes them to the key generation secure zone through a preset secure zone call interface.
Because the blinded key $K_k$ is held only by the client and the key generation secure zone, the key manager cannot obtain the plaintext block fingerprint $FP_M$ corresponding to $C(FP_M)$; this achieves the same function as the blinding operation in the OPRF protocol, namely keeping the data block fingerprint secret from the key manager.
Step S203: The key generation secure zone uses $K_k$ and the $\mathrm{HMAC}_{FP}$ attached to the encrypted data block fingerprint $C(FP_M)$ to verify whether $C(FP_M)$ is correct.
The key generation secure zone uses $K_k$ to recompute the hash-based message authentication code of the encrypted data block fingerprint $C(FP_M)$, denoted $\mathrm{HMAC}'_{FP}$, and compares it with the received $\mathrm{HMAC}_{FP}$. If the two are the same, it continues with the next operation; if they differ, the client has used a forged or outdated blinded key for the key generation request, so key generation is refused and the client is required to send the request again.
Step S204: key generation secure zone verification C (FP)M) After correctness, use KkDecryption C (FP)M) Obtain the plaintext block fingerprint FPMConnecting the global secret s of the key service to the plaintext block fingerprint FPMThen, the plaintext block fingerprint FP is obtained by Hash calculation H (FP | | s)MCorresponding encryption key KFP
In the step, the global secret s is generated by the key manager and the cloud storage server together, and specifically comprises the following steps: the cloud storage server makes up the global secret Sub _ s of the cloud storage serverCEncoding the code into a dynamic running library of a key generation safety zone, distributing the code of the key generation safety zone to a key manager in the form of additional signature of the dynamic running library, and enabling the key manager to transmit a global secret component Sub _ s held by the key manager through a preset safety zone calling interfaceKAdded to the key generation secure area. The key generation secure zone calculates H (Sub _ s) by a hash functionC||Sub_sK) A global secret s of the final key generation service is obtained.
Step S205: key generation secure zone will encrypt key KFPBy KkEncrypted to obtain C (K)FP) And calculates corresponding message authentication code HMACKFor client authentication. And mixing C (K)FP) And HMACKAnd returning the key to the key manager, and sending the key to the client by the key manager.
Step S206: client use KkValidating HMACKAnd decrypt C (K) after verification is passedFP) Obtaining an encryption key K corresponding to the data block fingerprint FPFP
Client use KkRecalculating the encrypted data block encryption key C (K)FP) The latter message authentication code is marked as HMAC'KAnd with the received message authentication code HMACKAnd (6) comparison. If the key is the same as the key, the key is accepted and the generation of the rest keys is continued; if the difference is not the same, the key generation error is indicated,refusing the key generation result, and carrying out key generation again for the current data block fingerprint.
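The message flow of steps S201 to S206 between client, key manager and key generation secure zone, as an added example that is not code from the patent. The cipher is a stand-in built from HMAC-SHA256 in counter mode so the block runs on the standard library alone; the separate encryption and MAC subkeys derived from $K_k$, the random nonce, SHA-256 as $H$ and all class and function names are assumptions of this example.

```python
import hashlib
import hmac
import secrets


class Rejected(Exception):
    """MAC check failed: forged, tampered or stale-key message."""


def H(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()


def _subkeys(k_blind: bytes):
    # Assumption: derive distinct encryption and MAC subkeys from K_k.
    enc = hmac.new(k_blind, b"enc", hashlib.sha256).digest()
    mac = hmac.new(k_blind, b"mac", hashlib.sha256).digest()
    return enc, mac


def _xor_stream(k_enc: bytes, nonce: bytes, data: bytes) -> bytes:
    # Stand-in stream cipher: keystream block n = HMAC(k_enc, nonce || n).
    out = bytearray()
    for off in range(0, len(data), 32):
        ctr = (off // 32).to_bytes(4, "big")
        block = hmac.new(k_enc, nonce + ctr, hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], block))
    return bytes(out)


def seal(k_blind: bytes, plaintext: bytes):
    """Encrypt-then-MAC under the blinded key: returns (ciphertext, tag)."""
    k_enc, k_mac = _subkeys(k_blind)
    nonce = secrets.token_bytes(16)
    ct = nonce + _xor_stream(k_enc, nonce, plaintext)
    return ct, hmac.new(k_mac, ct, hashlib.sha256).digest()


def open_sealed(k_blind: bytes, ct: bytes, tag: bytes) -> bytes:
    """Recompute the MAC first; decrypt only if it matches."""
    k_enc, k_mac = _subkeys(k_blind)
    expected = hmac.new(k_mac, ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise Rejected("MAC mismatch")
    return _xor_stream(k_enc, ct[:16], ct[16:])


class KeyGenEnclave:
    """Models the key generation secure zone (plain Python, no real enclave)."""

    def __init__(self, sub_s_c: bytes, k_blind: bytes):
        self._sub_s_c = sub_s_c   # shipped inside the signed runtime library
        self._k_blind = k_blind   # current blinded key K_k
        self._s = None

    def add_manager_component(self, sub_s_k: bytes) -> None:
        self._s = H(self._sub_s_c, sub_s_k)          # s = H(Sub_s_C || Sub_s_K)

    def generate(self, c_fp: bytes, hmac_fp: bytes):
        if self._s is None:
            raise RuntimeError("global secret not initialised")
        fp = open_sealed(self._k_blind, c_fp, hmac_fp)  # S203, then S204
        k_fp = H(fp, self._s)                           # K_FP = H(FP_M || s)
        return seal(self._k_blind, k_fp)                # S205


class KeyManager:
    """Untrusted relay: it sees only C(FP_M), C(K_FP) and the two MACs."""

    def __init__(self, enclave: KeyGenEnclave):
        self._enclave = enclave
        self.seen = []

    def relay(self, c_fp: bytes, hmac_fp: bytes):
        self.seen.append(c_fp)
        return self._enclave.generate(c_fp, hmac_fp)    # S202


def client_request_key(chunk: bytes, k_blind: bytes, manager: KeyManager) -> bytes:
    fp_m = H(chunk)                                     # plaintext fingerprint
    c_fp, hmac_fp = seal(k_blind, fp_m)                 # S201
    c_k, hmac_k = manager.relay(c_fp, hmac_fp)
    return open_sealed(k_blind, c_k, hmac_k)            # S206
```

A request sealed under a blinded key the secure zone no longer accepts raises `Rejected` inside `generate`, which is the refusal described in step S203.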
In the invention, the data block ownership proof based on the hardware security zone replaces the computationally expensive Merkle-tree-based ownership proof mechanism with hardware security zone technology, which significantly improves ownership proof performance while effectively guaranteeing the security of client-side deduplication. The technique comprises the following steps:
Step S301: The client initiates remote attestation to the cloud storage server to verify the correctness of the running ownership proof secure zone. At the same time, the ownership proof secure zone performs key agreement based on a designated elliptic curve (such as the NIST P-256 elliptic curve) and generates the ownership proof signing key K_P (held by both the cloud storage server and the ownership proof secure zone; the client program cannot obtain it).
Step S302: The client passes the encrypted ciphertext block C into the ownership proof secure zone through a preset secure zone call interface.
Step S303: The ownership proof secure zone computes the fingerprint FP_C of the input ciphertext block C and the corresponding CMAC message authentication code CMAC_C (based on the signing key K_P), and returns the result (FP_C and CMAC_C) to the client program.
Step S304: The client sends FP_C and CMAC_C to the cloud storage server. On receipt, the cloud storage server recomputes the message authentication code CMAC'_C from FP_C and the signing key K_P and compares it with CMAC_C. If the comparison succeeds, ownership of the data block is considered trustworthy; if it fails, the client is considered illegitimate and service to it is stopped.
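Steps S301 to S304 are modelled in the following added sketch, which is not code from the patent or from SGXDedup. Remote attestation and the P-256 key agreement are replaced by handing a fresh random K_P to both ends, HMAC-SHA256 stands in for CMAC, and all class and method names are assumptions.

```python
import hashlib
import hmac
import os


def tag(k_p: bytes, fp_c: bytes) -> bytes:
    """MAC over the ciphertext fingerprint. The page uses CMAC; HMAC-SHA256
    stands in here (assumption) so that only the standard library is needed."""
    return hmac.new(k_p, fp_c, hashlib.sha256).digest()


class PowEnclave:
    """Hypothetical model of the client's ownership proof secure zone."""

    def __init__(self, k_p: bytes):
        self._k_p = k_p        # stays inside the secure zone; the client program never sees it

    def prove(self, cipher_block: bytes):
        """Steps S302-S303: fingerprint the ciphertext block and MAC the fingerprint."""
        fp_c = hashlib.sha256(cipher_block).digest()
        return fp_c, tag(self._k_p, fp_c)


class StorageServer:
    """Hypothetical model of the cloud storage server's side of the proof."""

    def __init__(self):
        self._k_p = {}         # client id -> K_P agreed with that client's secure zone
        self._blocks = {}      # deduplication index: FP_C -> stored ciphertext block
        self._stopped = set()  # clients whose proof failed

    def attest(self, client_id: str) -> PowEnclave:
        """Step S301, simplified (assumption): attestation and key agreement are
        replaced by generating K_P here and placing it in the new secure zone."""
        k_p = os.urandom(32)
        self._k_p[client_id] = k_p
        return PowEnclave(k_p)

    def check(self, client_id: str, fp_c: bytes, cmac_c: bytes) -> str:
        """Step S304: recompute CMAC'_C and compare before consulting the index."""
        k_p = self._k_p.get(client_id)
        if k_p is None or client_id in self._stopped:
            return "rejected"
        if not hmac.compare_digest(tag(k_p, fp_c), cmac_c):
            self._stopped.add(client_id)   # failed proof: stop serving this client
            return "rejected"
        return "duplicate" if fp_c in self._blocks else "upload"

    def upload(self, client_id: str, fp_c: bytes, cmac_c: bytes, cipher_block: bytes) -> str:
        """Store a block only when it arrives with a valid proof for a new fingerprint."""
        status = self.check(client_id, fp_c, cmac_c)
        if status == "upload":
            self._blocks[fp_c] = cipher_block
        return status


if __name__ == "__main__":
    server = StorageServer()
    alice, bob = server.attest("alice"), server.attest("bob")
    block = b"constructed ciphertext block"
    print(server.upload("alice", *alice.prove(block), block))   # upload
    print(server.check("bob", *bob.prove(block)))               # duplicate
```

Because the deduplication index is consulted only after the tag verifies, a fingerprint that did not pass through an attested secure zone yields no information about whether the block is already stored.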
To further reduce the online encryption/decryption burden on the key generation secure zone, in the present embodiment the encryption/decryption masks for the AES CTR mode are generated offline, under no-load conditions, based on speculative encryption for Intel SGX (see V. Eduardo, L. C. E. de Bona, and W. M. N. Zola. Speculative encryption on GPU applied to cryptographic file systems. In Proc. of USENIX FAST, 2019). The specific implementation process is as follows:
Step (1): If the client is starting for the first time, it randomly selects the encryption Nonce θ (an arbitrary non-repeating random value that is used only once) and sets the counter I to 0. If the client is not starting for the first time (the old Nonce θ and the counter I are stored locally), it performs encryption/decryption with the existing Nonce θ and counter I.
Step (2): The client encrypts the Nonce θ and the counter I with K_k to obtain θ_c and I_c and computes the corresponding message authentication code. It sends θ_c, I_c and the corresponding message authentication code HMAC_θ||I to the key manager.
Step (3): The key manager passes the received θ_c, I_c and the corresponding message authentication code HMAC_θ||I to the key generation secure zone through a pre-configured interface (Ecall).
Step (4): The key generation secure zone verifies that the message authentication code HMAC_θ||I is correct and then decrypts θ_c and I_c to obtain the plaintext Nonce θ and counter I. It queries the Nonce list to check the state of θ and I, which falls into one of the following three cases:
Case 1: If θ is repeated and I is 0, the Nonce has already been used by another user; the key manager is notified to send a notice asking the client to select a new Nonce.
Case 2: If θ is repeated and I ≠ 0, the encryption Nonce has already been stored; if the encryption mask corresponding to this Nonce has been precomputed (is available), it is flagged, and the key manager is informed to ask the client to start key generation.
Case 3: If θ is not repeated (no stored Nonce is the same as this Nonce), the Nonce θ is added to the Nonce list and the key manager is informed to ask the client to start key generation.
Step (5): When the key manager is idle (no client connection) and, since the encryption/decryption masks were last computed offline, part of the masks have been used or K_k has been updated, the key manager notifies the key generation secure zone through an Ecall to compute encryption/decryption masks offline.
Step (6): The key generation secure zone checks the Nonce list, computes encryption/decryption masks available for future use for a most recently used Nonce, and stores the computed masks in a mask storage area inside the key generation secure zone.
The encryption/decryption mask is XORed with the data to be encrypted or decrypted to obtain the corresponding ciphertext or plaintext. Using the masks reduces the online (immediate) encryption/decryption operation to an XOR operation, which greatly improves efficiency.
Each encryption/decryption mask is 16 bytes (the block size of AES256 encryption), so generating each key requires 4 encryption/decryption masks: two are used to decrypt the data block fingerprint C(FP_M) (a SHA256 hash, 32 bytes, the size of two AES256 blocks), and two are used to encrypt the generated data block key K_FP (the SHA256 hash of the data block fingerprint and the global secret, 32 bytes, the size of two AES256 blocks). The masks computed offline are stored in the key generation secure zone, and information such as the offset at which each mask is stored is added to the record of the corresponding Nonce in the Nonce list, for convenient use by the key generation secure zone.
Step (7): The client sends C(FP_M) and HMAC_FP to the key manager to start key generation (see key technology 2, step S2).
Step (8): The key generation secure zone checks whether encryption/decryption masks were generated earlier for the Nonce used by the client. If so, it computes directly with those masks; if not, it computes the masks online and then performs the key generation operation (see steps S201 to S206).
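The Nonce list of step (4) and the mask handling of steps (5), (6) and (8) are modelled in the following added sketch, which is not code from the patent or from SGXDedup. The class name, the status strings, the counter layout (four consecutive counters per key) and the truncated-HMAC keystream standing in for AES-CTR are assumptions, and the transport encryption of θ and I in steps (2) and (3) is left out.

```python
import hashlib
import hmac

BLOCK = 16          # mask size given on the page (one AES block)
MASKS_PER_KEY = 4   # two to decrypt C(FP_M), two to encrypt K_FP


def make_mask(k_k: bytes, theta: bytes, counter: int) -> bytes:
    """One keystream block for (theta, counter). Stand-in for the AES-CTR block
    (assumption): truncated HMAC-SHA256, so only the standard library is needed."""
    msg = theta + counter.to_bytes(8, "big")
    return hmac.new(k_k, msg, hashlib.sha256).digest()[:BLOCK]


class MaskStore:
    """Hypothetical model of the Nonce list and mask storage area in the secure zone."""

    def __init__(self, k_k: bytes):
        self._k_k = k_k
        self._list = {}   # theta -> {"next": first unused counter, "masks": {counter: mask}}

    def register(self, theta: bytes, i: int) -> str:
        """Step (4): classify a decrypted (theta, I) pair against the Nonce list."""
        rec = self._list.get(theta)
        if rec is None:                                   # case 3: unseen Nonce
            self._list[theta] = {"next": i, "masks": {}}
            return "start"
        if i == 0:                                        # case 1: Nonce already taken
            return "reselect"
        return "start-precomputed" if i in rec["masks"] else "start"   # case 2

    def precompute(self, theta: bytes, keys_ahead: int) -> int:
        """Steps (5)-(6): while idle, fill masks for the next `keys_ahead` requests."""
        rec = self._list[theta]
        for c in range(rec["next"], rec["next"] + keys_ahead * MASKS_PER_KEY):
            rec["masks"].setdefault(c, make_mask(self._k_k, theta, c))
        return len(rec["masks"])

    def rekey(self, new_k_k: bytes) -> None:
        """K_k update: stored masks were derived from the old key, so drop them all."""
        self._k_k = new_k_k
        for rec in self._list.values():
            rec["masks"].clear()

    def take(self, theta: bytes, i: int):
        """Step (8): hand out the masks for counters I..I+3, each at most once."""
        rec = self._list[theta]
        if i < rec["next"]:
            # Added safeguard (assumption, not stated on the page): refusing an old
            # counter keeps one keystream block from being applied to two messages.
            raise ValueError("counter already consumed for this Nonce")
        masks, precomputed = [], True
        for c in range(i, i + MASKS_PER_KEY):
            m = rec["masks"].pop(c, None)
            if m is None:                  # miss: fall back to online computation
                m, precomputed = make_mask(self._k_k, theta, c), False
            masks.append(m)
        rec["next"] = i + MASKS_PER_KEY
        rec["masks"] = {c: m for c, m in rec["masks"].items() if c >= rec["next"]}
        return masks, precomputed


def apply_masks(data: bytes, masks) -> bytes:
    """Online step: encryption and decryption are both a plain XOR with the masks."""
    stream = b"".join(masks)
    return bytes(a ^ b for a, b in zip(data, stream))


if __name__ == "__main__":
    store = MaskStore(bytes(32))                      # constructed K_k
    theta = bytes.fromhex("01" * 16)                  # constructed Nonce
    print(store.register(theta, 0), store.register(theta, 0))   # start reselect
    store.precompute(theta, keys_ahead=2)
    masks, hit = store.take(theta, 0)
    fp_m = hashlib.sha256(b"constructed block").digest()
    print(hit, apply_masks(apply_masks(fp_m, masks[:2]), masks[:2]) == fp_m)
```

A mask is removed from the store when it is handed out, and every stored mask is discarded when K_k changes, so the online path only ever XORs with a block that matches the current key and has not been used before.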
Examples
In this embodiment, the hardware security zone is an Intel SGX secure zone, and the corresponding deduplication system is called SGXDedup. Its system structure is shown in Fig. 1 and comprises a key manager, a client and a cloud storage server. The specific workflow for efficient encrypted deduplication is as follows:
Step 1: The cloud storage server distributes the key generation secure zone dynamic runtime library to the key manager and distributes the ownership proof secure zone dynamic runtime library to the client.
Step 2: The key manager remotely attests the key generation secure zone to the cloud storage server. After verification passes, the key manager and the cloud storage server each start key regression timing and derive the latest blinded key K_k.
Step 3: The client performs remote attestation with the cloud storage server to verify the validity of the ownership proof secure zone it holds.
Step 4: If the verification in step 3 passes, the client downloads the latest blinded key state S[i] from the cloud storage server and downloads from the key manager the key state version information accepted by the current key generation secure zone, derives the applicable key state by S[j] = H^(i-j+1)(S[i]), and then computes the blinded key K_k used for key generation by K_k[j] = H(S[j] || (0)^8).
Step 5: The client computes the fingerprint FP_M of the data block, encrypts it with the blinded key K_k and generates a message authentication code, and sends the result (C(FP_M) and HMAC_FP) to the key manager.
Step 6: The key manager calls the key generation secure zone through an Ecall to generate the corresponding key and message authentication code, and sends the result (C(K_FP) and HMAC_K) to the corresponding client.
Step 7: The client encrypts the data block with the obtained data block encryption key K_FP, then passes the encrypted ciphertext block C to the ownership proof secure zone through an Ecall to obtain the fingerprint of the current ciphertext block and the corresponding proof information (FP_C and CMAC_C).
Step 8: The client sends the data block fingerprint (FP) and the corresponding proof information (Sig) to the cloud storage server. The cloud storage server verifies the proof information and, after determining that the client actually owns the data block, queries the deduplication index with the fingerprint and returns the result to the client.
Step 9: The client decides, according to the result returned by the cloud storage server, whether to send the data block to the cloud storage server (if the data block already exists on the cloud storage server it is not sent; otherwise it is sent).
The deduplication system of the present embodiment is compared with existing deduplication systems to further verify the effectiveness of the present invention.
For the blinded key management technique adopted in the present invention, Fig. 2(a) shows the relationship between the latency of the first key update operation and the key regression parameter (the maximum tolerable number of key updates). The latencies of the key generation secure zone and the cloud storage server both increase with the key regression parameter, because a larger key regression parameter means that more hash computations are required to perform a key update. Because the SGX secure zone is less capable of handling intensive computation, the key update latency of the secure zone is approximately 1.22-1.56 times higher than that of the cloud storage server. Fig. 2(b) shows the latency of each rekeying operation, with the key regression parameter fixed at 220. The rekeying latency decreases as more rekeying operations are performed, because each rekeying operation removes one hash computation from the next rekeying operation. On average, the key update latency of the secure zone is 0.040s, while that of the cloud storage server is about 0.027s, which means that the key update overhead is limited and the technique is practical.
For the key generation technique based on Intel SGX (a hardware security zone) and the speculative encryption compatible with Intel SGX, the encryption schemes considered in the comparison are:
1) Server-assisted key generation under the Blind-BLS-based OPRF protocol (OPRF-BLS), which uses BLS (a cryptocurrency signature algorithm) for data blinding; for the specific implementation of OPRF-BLS, see F. Armknecht, J.
2) Server-assisted MLE key generation under the Blind-RSA-based OPRF protocol (OPRF-RSA), which uses RSA for data blinding; for the specific implementation of OPRF-RSA, see M. Bellare, S. Keelveedhi, and T. Ristenpart. DupLESS: Server-aided encryption for deduplicated storage. In Proc. of USENIX Security, 2013.
3) MinHash Encryption, in which the minimum hash value of all data blocks in a data segment (the average segment size is configured to be 1MB) is used as the encryption key of all data blocks in the segment; the underlying layer uses server-assisted MLE key generation under the Blind-RSA-based OPRF protocol. For the implementation of MinHash Encryption, see C. Qin, J. Li, and P. P. C. Lee. The design and implementation of a rekeying-aware encrypted deduplication storage system. ACM Transactions on Storage, 13(1):9:1-9:30, 2017.
4) Tunable encryption technology (TED) [see J. Li, Z. Yang, Y. Ren, P. P. C. Lee, and X. Zhang. Balancing storage efficiency and data confidentiality with tunable encrypted deduplication. In Proc. of ACM EuroSys, 2020]: a CM-Sketch-based data block frequency counting technique performs real-time frequency estimation on the deduplication workload, and an automated parameter configuration technique balances storage efficiency against data confidentiality by generating the same or different keys for identical data blocks. (TED generates an MLE key for each data block based on a sketch-based frequency count of the short hash value of the data block.)
5) SGXDedup key generation without the blinded key management technique (speculative encryption) of the present invention; all encryption/decryption operations in the key generation process are computed online.
6) SGXDedup key generation with speculative encryption; all encryption/decryption operations in the key generation process use pre-generated encryption/decryption masks.
The comparison evaluates the Intel SGX-based server-assisted MLE key generation technique, with and without the offline encryption/decryption mask computation, against the existing schemes. A 2GB random file is used as the client input, and the client performs key generation after chunking the file into variable-size data blocks. Fig. 3 shows the test results (all compared schemes were reproduced according to their original descriptions). Because the proposed scheme avoids the expensive cryptographic primitives of OPRF-BLS, OPRF-RSA and MinHash Encryption, as well as the frequency counting and optimization solving in TED, the SGX-based key generation technique of the invention outperforms all compared methods. SGXDedup without speculative encryption (SGX-1st) achieves speedups of 1,583 times and 131.9 times over OPRF-BLS and OPRF-RSA, respectively. Compared with MinHash Encryption and TED (both schemes sacrifice storage efficiency and security), the speedups are 9.4 times and 3.7 times, respectively. SGXDedup key generation with speculative encryption (SGX-2nd, the scheme of the present invention) improves performance by 67.8% over SGX-1st, which does not use speculative encryption.
For the speculative encryption for Intel SGX adopted in the present invention, the effect of using or not using speculative encryption is compared. Fig. 4 shows the scalability of the key generation secure zone in both cases. In both cases, the overall key generation speed (the ratio of the total number of keys generated to the total key generation time for multiple simulated clients, each of which starts issuing key generation requests at the same time and generates the same total number of keys) first increases with the number of simulated clients. At peak performance, 8.5 × 10^5 keys/s and 29 × 10^5 keys/s are reached with five and ten simulated clients, without and with speculative encryption respectively. Beyond ten clients, the overall key generation speed decreases because of the increase in context switch overhead. On average, speculative encryption improves the overall key generation speed by a factor of 4.4.
For the hardware-security-zone-based data block ownership proof adopted in the invention, the following two data block ownership proof schemes are compared and analyzed:
1) Merkle-tree-based proof of ownership (PoW-MT): the scheme encodes data blocks with erasure codes and builds a Merkle tree over the encoding result for the proof of ownership; for the specific proof process, see J. Xu, E.
2) Proof of ownership based on a universal hash function (PoW-UH), which builds on universal hashing but sacrifices security for performance; see S. Halevi, D. Harnik, B. Pinkas, and A. Shulman-Peleg. Proofs of ownership in remote storage systems. In Proc. of ACM CCS, 2011.
To evaluate the computational performance of the proof of ownership, a proof-of-ownership test is run on a 2GB file. In the test, the client creates plaintext blocks from the file, encrypts each data block, computes the proof information for each data block, and then sends an ownership proof request to the cloud storage server. In this embodiment, the ownership proof speed (excluding network transmission time) is measured from the total computation time spent on all data blocks by the client and the cloud storage server. The test results are given in Fig. 5 (the compared schemes were reproduced according to their original descriptions). The scheme of the invention (SGXDedup in Fig. 5) avoids erasure coding and Merkle tree construction in the client and Merkle-tree-based verification in the cloud storage server, and is therefore significantly better than PoW-MT, achieving a 8.2 times speedup over it. It also achieves a 2.2 times speedup over PoW-UH while providing a higher security guarantee.
An overall performance comparison is carried out that combines the blinded key management technique, speculative encryption, offline encryption/decryption mask computation and the hardware-security-zone-based data block ownership proof, to verify the overall effect. During verification, the upper limit of the network bandwidth is controlled with Trickle (see M. A. Eriksen. Trickle: A userland bandwidth shaper for Unix-like systems. In Proc. of USENIX ATC, 2005), and the influence of different network bandwidths on upload and download performance is analyzed. In the reference system, the client performs chunking, data block fingerprint computation and client-side deduplication, and finally uploads all non-duplicate data blocks. To download a file, the client sends a download request to the cloud storage server, and the cloud accesses the file metadata to retrieve the corresponding data blocks and returns the assembled file. The reference system and the encrypted deduplication system download differently: in the latter, the client first downloads and decrypts the file metadata, then downloads the data blocks and reconstructs the file after decryption. Fig. 6 shows a comparison of upload speeds under different network bandwidths. For the first upload, when the network bandwidth is 1Gbps, the upload speeds of SGXDedup, the scheme of the invention (106.6MB/s), and of the reference system (106.2MB/s) are both limited by the network speed. However, when the network bandwidth increases to 10Gbps (default), the upload speed of SGXDedup becomes 193.6MB/s, while the upload speed of the reference system reaches 242.0MB/s.
For the second upload (uploading the same file, so that all data blocks are duplicates; in the key generation part, the key generation secure zone performs blinding with the offline-computed encryption/decryption masks), the upload speeds of SGXDedup and of the reference system are not affected by network bandwidth. On average, SGXDedup shows a drop of about 14.5% and 21.5% in the first and second uploads, respectively, compared with the reference system. Compared with a plaintext deduplication system, the method provides a strong security guarantee with a small performance loss. Fig. 7 shows the comparison of download speeds. As the network bandwidth increases to 10Gbps, SGXDedup reaches 323.1MB/s, a 44.1% drop compared with the reference system. The reason is that SGXDedup first retrieves and decrypts the file metadata, and then downloads the ciphertext blocks and decrypts them to complete the file restoration.
In summary, through efficient Intel SGX-based server-assisted MLE key generation and data-block-level ownership proof, the invention achieves efficient data block key generation and data block ownership proof supporting client-side deduplication, and in practice its additional overhead relative to a plaintext deduplication system is small and controllable.
While the invention has been described with reference to specific embodiments, any feature disclosed in this specification may be replaced by alternative features serving the same, equivalent or similar purpose, unless expressly stated otherwise; all of the disclosed features, or all of the method or process steps, may be combined in any combination, except mutually exclusive features and/or steps.

Claims (7)

1. An efficient encrypted deduplication method based on a hardware security zone, characterized in that, in an encrypted deduplication system comprising a cloud storage server, a key manager and a client, the following steps are executed:
Step one: the cloud storage server distributes the key generation secure zone dynamic runtime library, with an attached signature, to the key manager, and distributes the ownership proof secure zone dynamic runtime library to the client; the key generation secure zone dynamic runtime library contains the global secret component Sub_s_C of the cloud storage server;
Step two: the key manager creates the key generation secure zone from the key generation secure zone dynamic runtime library and remotely attests the correctness of the key generation secure zone to the cloud storage server; if verification passes, the key manager and the cloud storage server each simultaneously start periodic key regression computation, which derives the latest blinded key K_k based on the key regression technique;
Step three: the client creates the ownership proof secure zone from the ownership proof secure zone dynamic runtime library and accesses the cloud storage server to remotely attest the ownership proof secure zone; if it passes authentication, the client's ownership proof secure zone negotiates with the cloud storage server to obtain a shared key K_P, used for generating and verifying the integrity of data block fingerprints;
meanwhile, the client obtains the latest blinded key state information from the cloud storage server, obtains from the key manager the key state version information currently accepted by the key generation secure zone, and obtains the blinded key K_k currently accepted by the key generation secure zone based on the key regression technique;
Step four: based on the currently obtained blinded key K_k, the client encrypts the fingerprint FP_M of the plaintext data block M to be uploaded to obtain the encrypted data block fingerprint C(FP_M), and computes the hash-based message authentication code HMAC_FP of C(FP_M) with the blinded key K_k; it sends C(FP_M) and HMAC_FP to the key manager to request the encryption key of the data block;
Step five: the key manager passes the currently received C(FP_M) and HMAC_FP to the key generation secure zone through a designated secure zone call interface;
the key generation secure zone verifies the correctness of the received C(FP_M) based on K_k and HMAC_FP; if verification passes, it decrypts C(FP_M) with the blinded key K_k to obtain the fingerprint FP_M and obtains the encryption key K_FP of the fingerprint FP_M according to H(FP_M || s); if not, it rejects the key generation and requires the client to resend the key generation request; wherein the global secret s is H(Sub_s_C || Sub_s_K), Sub_s_K denotes the global secret component of the key manager, which is passed into the key generation secure zone through the designated secure zone call interface, and H() denotes a preset hash function;
the key generation secure zone encrypts K_FP with the blinded key K_k to obtain the ciphertext key C(K_FP) and computes the corresponding signature HMAC_K;
the key generation secure zone passes the encrypted key C(K_FP) and HMAC_K to the key manager through the designated secure zone call interface, and the key manager returns C(K_FP) and HMAC_K to the client;
Step six: the client verifies HMAC_K; if it passes, the client decrypts C(K_FP) to obtain the encryption key K_FP; if not, the client issues the key generation request again;
the client encrypts the data block M corresponding to the fingerprint FP_M with the encryption key K_FP to obtain a ciphertext block C, accesses the ownership proof secure zone through the designated secure zone call interface, and obtains the fingerprint FP_C of the ciphertext block C and its proof information CMAC_C; and initiates an ownership proof request to the cloud storage server, the request comprising the fingerprint FP_C and the proof information CMAC_C;
Step seven: the cloud storage server verifies the proof information CMAC_C and, after determining that the current client owns the data block corresponding to the proof information CMAC_C, queries the deduplication index by the fingerprint FP_C and returns the result to the client;
Step eight: the client uploads data based on the result returned by the cloud storage server: if the cloud storage server already has the fingerprint FP_C, the ciphertext block C is not uploaded; otherwise, the ciphertext block C is uploaded to the cloud storage server.
2. The method of claim 1, wherein in step two, deriving the latest blinded key K_k based on the key regression technique specifically comprises:
the key generation secure zone and the cloud storage server use the same hash-function-based key regression scheme with a common parameter N, and compute the i-th state from the blinded secret K as S[i] = H^(N-i+1)(K), where the parameter N denotes the maximum number of times key regression is performed.
3. The method according to claim 2, wherein in step three, the client obtaining the blinded key K_k currently accepted by the key generation secure zone based on the key regression technique specifically comprises:
the client downloads the current latest blinded key state S[i] from the cloud storage server, then obtains from the key manager the version number j of the blinded key currently accepted by the key generation secure zone, and derives the blinded key state S[j] accepted by the key generation secure zone according to S[j] = H^(i-j+1)(S[i]);
it then computes the blinded key K_k[j] for key generation according to K_k[j] = H(S[j] || (0)^8) and takes K_k[j] as the blinded key K_k currently accepted by the key generation secure zone, where (0)^8 denotes a string of 8 binary zero bits.
4. The method of claim 1, wherein in step five, verifying the correctness of the received C(K_FP) is specifically: the key generation secure zone uses K_k to recompute the hash-based message authentication code of C(FP_M), denoted HMAC'_FP, and compares it with the received HMAC_FP; if the two are the same, verification passes; otherwise, verification fails.
5. The method of claim 1, wherein in step six, the client calling the ownership proof secure zone to obtain the fingerprint FP_C of the ciphertext block C and its proof information CMAC_C specifically comprises:
when the client starts, it initiates remote attestation to the cloud storage server to verify the correctness of the ownership proof secure zone that the client holds and runs;
if verification passes, the ownership proof secure zone performs key agreement with the cloud storage server based on the designated elliptic curve to generate the ownership proof signing key K_P;
the client passes the ciphertext block C to the ownership proof secure zone through a designated secure zone call interface;
the ownership proof secure zone computes the fingerprint FP_C of the ciphertext block C and its CMAC message authentication code CMAC_C, and returns the fingerprint FP_C and CMAC_C to the client.
6. The method of claim 5, wherein in step seven, the cloud storage server verifying the proof information CMAC_C specifically comprises: the cloud storage server recomputes the message authentication code CMAC'_C from FP_C and the signing key K_P and compares it with the received CMAC_C; if they are the same, ownership verification passes; otherwise it does not pass.
7. The method of claim 1, wherein, when there is no load, the encryption/decryption operations are performed offline, and the specific processing procedure is as follows:
(1) if the client is starting for the first time, it randomly selects an encryption Nonce, denoted θ, and sets the count value I of a counter to 0; if the client is not starting for the first time, it performs encryption/decryption with the existing Nonce and count value I;
(2) the client encrypts θ and I separately with the blinded key K_k to obtain θ_c and I_c, and computes the hash-based message authentication code HMAC_θ||I of θ and I; it sends θ_c, I_c and the message authentication code HMAC_θ||I to the key manager;
(3) the key manager passes the received θ_c, I_c and the message authentication code HMAC_θ||I to the key generation secure zone through a designated secure zone call interface;
(4) the key generation secure zone verifies that the message authentication code is correct and then decrypts to obtain θ and I, queries the Nonce list to obtain the state of θ and I, and processes the cases as follows:
if θ is repeated and I is 0, the current Nonce has been used by another user, and the key manager is notified to send a notice asking the client to select a new Nonce;
if θ is repeated and I is not equal to 0, the current Nonce has been stored; if the encryption mask corresponding to the Nonce has been precomputed, it is flagged, and the key manager is informed to ask the client to start key generation, that is, to initiate an encryption key generation request;
if θ is not repeated, θ is added to the Nonce list, and the key manager is informed to ask the client to start key generation;
(5) when the key manager is idle and, since the encryption/decryption masks were last computed offline, part of the masks have been used or K_k has been updated, the key manager notifies the key generation secure zone through a designated secure zone call interface to compute encryption/decryption masks offline;
(6) the key generation secure zone checks the Nonce list, computes encryption/decryption masks available for future use for a most recently used Nonce, and stores the computed masks in a mask storage area inside the key generation secure zone;
(7) the client sends C(K_FP) and HMAC_FP to the key manager to request the encryption key of the data block;
(8) the key generation secure zone checks whether the Nonce used by the client has flagged pre-generated encryption/decryption masks; if so, it computes directly with those masks; if not, it computes the masks online and then performs the key generation operation.
CN202110136154.3A 2021-02-01 2021-02-01 Efficient encryption repeated data deleting method based on hardware security zone Active CN112947855B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110136154.3A CN112947855B (en) 2021-02-01 2021-02-01 Efficient encryption repeated data deleting method based on hardware security zone

Publications (2)

Publication Number Publication Date
CN112947855A (en) 2021-06-11
CN112947855B (en) 2022-10-14

Family

ID=76240647

Country Status (1)

Country Link
CN (1) CN112947855B (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant