CN112953930A - Cloud storage data processing method and device and computer system - Google Patents

Info

Publication number: CN112953930A
Authority: CN (China)
Application number: CN202110178479.8A
Other languages: Chinese (zh)
Inventor: 程威
Current assignee: Suning Group Co ltd
Original assignee: Suning Group Co ltd
Legal status: Pending
Priority application: CN202110178479.8A
Related PCT application: PCT/CN2021/131747 (WO2022170810A1)
Prior art keywords: data, user, signature, identity, access

Classifications

    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources (H04L63/00, under H04L, H04, H: Electricity)
    • H04L63/0442 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks, wherein the data content is protected, e.g. by encrypting or encapsulating the payload, and the sending and receiving network entities apply asymmetric encryption, i.e. different keys for encryption and decryption (H04L63/04, H04L63/0428)
    • H04L9/3247 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials, involving digital signatures (H04L9/00, H04L9/32)

Abstract

The application discloses a cloud storage data processing method, a cloud storage data processing device and a computer system, wherein the method comprises the steps of receiving a data acquisition request sent by a first user, wherein the data acquisition request comprises an identity identifier of the first user, a signature and a data identifier corresponding to data to be acquired, and the signature is generated according to a private key of the first user; verifying the signature according to the public key of the first user; when the verification is passed, obtaining an access strategy corresponding to the data identifier, wherein the access strategy comprises a preset identity identifier which can access the data to be obtained; when the corresponding access policy comprises the identity of the first user, the data to be acquired is returned to the first user, and the cloud platform can determine the user which can access the data corresponding to the data identifier according to the access policy corresponding to each data identifier, so that the problems that a large amount of storage space is occupied and computing resources are consumed when a new access structure is generated and encrypted for storage in the prior art are solved.

Description

Cloud storage data processing method and device and computer system
Technical Field
The invention relates to the field of data processing, in particular to a cloud storage data processing method and device and a computer system.
Background
In the prior art, the technology mainly adopted by cloud storage platforms for fine-grained access control of stored data is attribute-based encryption, in which an access control attribute set drives autonomous access control under a CP-ABE or KP-ABE encryption algorithm. For example, data encryption and sharing based on the CP-ABE algorithm includes:
initialization: the key center (KGC) generates the public parameters PK and a master key MK from the secret parameters and the complete attribute set, and publishes PK to all users;
key generation: the key center generates a user private key SK_i from the attribute set AB_i of each user together with MK and PK, and securely transmits SK_i to each user;
data encryption: the key center determines the attribute set of the users allowed to obtain the data according to the access control policy of the plaintext data to be stored, generates an access structure AC from that attribute set, and encrypts the plaintext data under AC and PK;
user decryption: the user obtains the encrypted data from the data platform, and when the user's attribute set AB_n satisfies AC, the user can decrypt the encrypted data with their own key SK_n and PK to obtain the plaintext data.
However, based on the above prior art, when data needs to be dynamically shared, the access control policy corresponding to the data needs to be updated frequently, which results in a new access structure AC needing to be generated and stored in an encrypted manner, resulting in a waste of storage space.
Disclosure of Invention
In order to solve the defects of the prior art, the present invention mainly aims to provide a method, an apparatus and a computer system for processing cloud storage data, so as to solve the above technical problems of the prior art.
In order to achieve the above object, the present invention provides a method for processing cloud storage data in a first aspect, where the method includes:
receiving a data acquisition request sent by a first user, wherein the data acquisition request comprises an identity identifier of the first user, a signature and a data identifier corresponding to data to be acquired, and the signature is generated according to a private key of the first user;
verifying the signature according to the public key of the first user;
when the verification is passed, obtaining an access strategy corresponding to the data identifier, wherein the access strategy comprises a preset identity identifier which can access the data to be obtained;
and when the corresponding access policy comprises the identity of the first user, returning the data to be acquired to the first user.
In some embodiments, the method comprises:
receiving a data uploading request sent by a second user, wherein the data uploading request comprises data to be stored, a signature and an identity of the second user and an encryption level of the data to be stored;
and verifying the signature of the second user according to the public key of the second user, and storing the data to be stored, the signature and the identity of the second user and the encryption level of the data to be stored when the verification is passed.
In some embodiments, the returning the data to be acquired to the first user when the corresponding access policy includes the identity of the first user includes:
determining whether the data to be acquired is encrypted data or not according to the encryption level corresponding to the data to be acquired;
when the data is encrypted, re-encrypting the data to be acquired according to a first re-encryption key corresponding to the data to be acquired;
and returning the re-encrypted data to be acquired to the first user, so that the first user can decrypt the re-encrypted data to be acquired according to the private key of the first user and acquire the plaintext data to be acquired.
In some embodiments, the method comprises:
receiving a data sharing request sent by a third user, wherein the data sharing request comprises a signature of the third user, a data identifier of data to be shared and a target access strategy;
and verifying the signature of the third user according to the public key of the third user, and storing the target access policy when the signature passes the verification so as to determine the identity which can access the data to be shared according to the target access policy.
In some embodiments, the method comprises:
receiving a private key updating request sent by a fourth user, wherein the updating request comprises an original identity of the fourth user, an updated identity and a first original signature, and the first original signature is generated according to the original private key of the fourth user;
verifying the signature of the fourth user according to the public key of the fourth user, and when the signature passes the verification, generating an updated private key and a public key according to the updated identity and returning the updated private key to the fourth user;
receiving a second original signature, an updated signature and a second re-encryption key returned by the fourth user, wherein the second original signature is generated according to an original private key of the fourth user, and the updated signature is generated according to the updated private key;
verifying the second original signature according to the public key before updating and verifying the updated signature according to the updated public key;
and when the authentication passes, updating the stored identity of the fourth user into the updated identity, and re-encrypting the encrypted data stored by the fourth user according to the second re-encryption key.
In some embodiments, the storing the data to be stored, the signature and the identity of the second user, and the encryption level of the data to be stored when the authentication is passed comprises:
inquiring whether the same data as the data to be stored exists in a storage database;
when the data exists, recording the identity of the second user to the owner record corresponding to the same data;
and when the data to be stored does not exist, generating a backup of the data to be stored and storing the data to be stored and the backup into a storage database.
In some embodiments, the storing the target access policy for subsequent determination of the identity that can access the data to be shared according to the target access policy when the authentication passes includes:
when the data to be shared passes the verification, acquiring owner records and historical access strategies of the data to be shared;
and when the identity of the third user belongs to the owner record or the historical access strategy, storing the access strategy of the data to be shared so as to determine the identity which can access the data to be shared according to the target access strategy and the historical access strategy.
In a second aspect, the present application provides an apparatus for processing cloud storage data, the apparatus including:
a receiving module for receiving a data acquisition request sent by a first user, wherein the data acquisition request comprises an identity identifier of the first user, a signature and a data identifier corresponding to data to be acquired, and the signature is generated according to a private key of the first user, and for obtaining, when the verification is passed, an access policy corresponding to the data identifier, wherein the access policy comprises a preset identity identifier which can access the data to be obtained;
the verification module is used for verifying the signature according to the public key of the first user;
and the return module is used for returning the data to be acquired to the first user when the corresponding access policy comprises the identity of the first user.
In some embodiments, the receiving module may be further configured to receive a data upload request sent by a second user, where the data upload request includes data to be stored, a signature and an identity of the second user, and an encryption level of the data to be stored;
the verification module can also be used for verifying the signature of the second user according to the public key of the second user, and storing the data to be stored, the signature and the identity of the second user and the encryption level of the data to be stored when the verification is passed.
In a third aspect, the present application provides a computer system comprising:
one or more processors;
and memory associated with the one or more processors for storing program instructions that, when read and executed by the one or more processors, perform operations comprising:
receiving a data acquisition request sent by a first user, wherein the data acquisition request comprises an identity identifier of the first user, a signature and a data identifier corresponding to data to be acquired, and the signature is generated according to a private key of the first user;
verifying the signature according to the public key of the first user;
when the verification is passed, obtaining an access strategy corresponding to the data identifier, wherein the access strategy comprises a preset identity identifier which can access the data to be obtained;
and when the corresponding access policy comprises the identity of the first user, returning the data to be acquired to the first user.
The invention has the following beneficial effects:
the application provides a cloud storage data processing method which comprises the steps of receiving a data acquisition request sent by a first user, wherein the data acquisition request comprises an identity identification and a signature of the first user and a data identification corresponding to data to be acquired, and the signature is generated according to a private key of the first user; verifying the signature according to the public key of the first user; when the verification is passed, obtaining an access strategy corresponding to the data identifier, wherein the access strategy comprises a preset identity identifier which can access the data to be obtained; when the corresponding access policy comprises the identity of the first user, the data to be acquired is returned to the first user, the cloud platform can determine the user who can access the data corresponding to the data identifier according to the access policy corresponding to each data identifier, and when the data needs to be shared by other users, the identity of the accessible data stored in the corresponding access policy can be directly modified, so that the generation of a new access structure AC and the encryption and storage of the new access structure AC in the prior art, which occupy a large amount of storage space and consume computing resources, can be avoided, and compared with the access control based on attributes in the prior art, the access authority of each data can be managed in a finer granularity, and the processing efficiency is improved.
Drawings
In order to more clearly illustrate the technical solutions in the embodiments of the present invention, the drawings needed to be used in the description of the embodiments will be briefly introduced below, and it is obvious that the drawings in the following description are only some embodiments of the present invention, and it is obvious for those skilled in the art to obtain other drawings based on these drawings without creative efforts.
Fig. 1 is a diagram of a cloud storage architecture provided in an embodiment of the present application;
FIG. 2 is a flow chart of a method provided by an embodiment of the present application;
FIG. 3 is a block diagram of an apparatus according to an embodiment of the present disclosure;
fig. 4 is a computer system structure diagram provided in the embodiment of the present application.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention clearer, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
As described in the background art, in the prior art, an attribute-based access control method is mainly used for data stored in a cloud platform, and a corresponding access structure needs to be regenerated and encrypted each time the access right of the data is changed, which causes waste of storage space and computing resources.
In order to solve these technical problems, the application provides a method for processing cloud storage data in which the cloud platform determines the users who can access the data corresponding to a data identifier according to the access policy corresponding to each data identifier. When the data needs to be shared with other users, the identity identifiers of the users allowed to access the data, as stored in the corresponding access policy, can be modified directly, which avoids generating a new access structure AC and storing it in encrypted form as in the prior art, where doing so occupies a large amount of storage space and consumes computing resources. Compared with the attribute-based access control of the prior art, the access authority of each datum can be managed at a finer granularity and processing efficiency is improved.
Example one
Specifically, a cloud storage platform as shown in fig. 1 may be established, where the KGC may be independently deployed in a trusted third party server for managing the key. The cloud storage platform has a large number of tenants, namely users, and the users can store data to be stored, which are generated by their own servers, to the storage servers of the cloud storage platform through the gateways of the cloud storage platform.
At initialization, each user uploads their ID_i to the KGC. After the KGC has authenticated that ID_i belongs to a legitimate user of the cloud storage platform, it uses the CIBPRE fine-grained, identity-controlled proxy re-encryption algorithm to generate a private key sk_i and a public key pk_i for each user from that user's ID_i, stores each user's public key, and transmits the private key sk_i to the corresponding user either online through a secure encrypted channel or offline by mail or similar means. Each user's ID is unique.
After the user obtains the key, the data can be uploaded to the cloud storage platform by calling the cloud storage gateway. The uploading process comprises the following steps:
A1, user A sends a data upload request to the cloud storage platform;
The upload request contains the data to be uploaded. When the data to be uploaded is plaintext, the upload request contains the plaintext data m1, user A's signature sign_m1(sk_a, m1 | ID_a | D), user A's identity ID_a and a data sensitivity level D, where sign_m1(sk_a, m1 | ID_a | D) is the signature result value generated by signing at least one of m1, ID_a and D with user A's private key sk_a under an asymmetric signature algorithm such as ECC. When the data to be uploaded is plaintext, the value of the data sensitivity level D may be 1.
When the data to be uploaded is ciphertext, the upload request contains the ciphertext data c1, user A's signature sign_c1(sk_a, c1 | ID_a | D), user A's identity ID_a and the data sensitivity level D, where sign_c1(sk_a, c1 | ID_a | D) is the signature result value generated by signing at least one of c1, ID_a and D with user A's private key sk_a under an asymmetric signature algorithm such as ECC. When the data to be uploaded is ciphertext, the value of the data sensitivity level D may be 0. The ciphertext data c1 is obtained by first signing the original data m1 to be uploaded with user A's private key, producing sign_m1, and then encrypting under the CIBPRE encryption algorithm.
A2, the cloud storage gateway checks the signature of the upload request, and after the check passes it stores the data to be uploaded, the signature, ID_a and the data sensitivity level D, and returns a data identifier oid corresponding to the data to be uploaded;
specifically, the cloud storage gateway may verify the signature according to the public key of the user a.
In order to avoid repeated storage of the same data, the cloud storage gateway can match the data to be uploaded with the data stored in the storage server after the verification is passed, and when the data identical to the data to be uploaded exists in the stored data, the user A can be directly added to the owner record of the identical data, so that the storage space is saved.
When no data identical to the data to be uploaded exists among the stored data, three backup copies of the data to be uploaded may be generated for redundant storage, where the storage server stores each backup in fragments according to the logical disk blocks of the storage and distributes them across multiple physical devices, which reduces the risk of losing the data as a whole and improves the utilization of storage space.
The user A can acquire the uploaded data from the cloud storage platform, and the acquiring process comprises the following steps:
A3, user A sends a data acquisition request to the cloud storage platform;
The data acquisition request includes the signature sign(sk_a, rands || oid || timestamp) and the data identifier oid of the data to be acquired, where sign(sk_a, rands || oid || timestamp) is the signature result value generated by signing at least one of rands, oid and timestamp with user A's private key sk_a under an asymmetric signature algorithm such as ECC; rands is a random string and timestamp is a timestamp.
A4, verifying the signature according to the public key of the user A, and when the verification is passed, acquiring a complete data copy corresponding to the data identifier from the storage server and returning the data copy to the user A.
When the returned data is ciphertext data, user A can decrypt it with their private key to obtain the plaintext data and the signature sign_m1. User A can then verify sign_m1 with their own public key; once the check passes, the acquired data is confirmed to be the originally stored data, which prevents tampering from going unnoticed.
When the user a needs to share data with the user B, the data sharing process includes:
B1, user A sends a data sharing request to the cloud storage gateway;
When the data to be shared is ciphertext data, the sharing request includes an access control policy set group1(S1, oid-g1, rk1, D) and a signature sign2(sk_a, rands || group1 || timestamp), where the access control policy set group1(S1, oid-g1, rk1, D) comprises the data identifier set oid-g1 of the data to be shared, the set S1 of identity IDs of the users allowed to access the set oid-g1, a re-encryption key rk1 and the data sensitivity level D. The re-encryption key rk1 is generated with the RK algorithm of the CIBPRE broadcast proxy re-encryption scheme.
When the data to be shared is plaintext data, the sharing request includes an access control policy set group1(S1, oid-g1, D) and a signature sign2(sk_a, rands || group1 || timestamp), where the access control policy set group1(S1, oid-g1, D) comprises the data identifier set oid-g1 of the data to be shared, the set S1 of identity IDs of the users allowed to access the set oid-g1, and the data sensitivity level D.
The signature sign2(sk_a, rands || group1 || timestamp) is the signature result value generated by signing at least one of rands, group1 and timestamp with user A's private key sk_a under an asymmetric signature algorithm such as ECC; rands is a random string and timestamp is a timestamp.
B2, the cloud storage gateway verifies the signature according to the public key of the user A, and when the signature passes the verification, the access control policy group1 is stored in the policy database for subsequent calling.
Preferably, the cloud storage gateway may first query the owner records of all data corresponding to the data identifier set oid-g1 and the existing access control policy sets in the policy database, and determine whether user A's ID is recorded in the owner records or in an existing access control policy set. Only when such a record exists is the signature verification then performed.
When the user B needs to acquire the data shared by the user a, the acquisition process includes:
C1, user B sends a data acquisition request to the cloud storage gateway;
The acquisition request includes user B's signature sign3(sk_b, rands || oid-g || ID_b || timestamp), the data identifier set oid-g of the data to be acquired and user B's identity ID_b, where sign3(sk_b, rands || oid-g || ID_b || timestamp) is the signature result value generated by signing at least one of rands, the data identifier set oid-g, ID_b and the data sensitivity level D with user B's private key sk_b under an asymmetric signature algorithm such as ECC.
C2, verifying the signature of the user B according to the public key of the user B, acquiring owner records of all data corresponding to the data identification set oid-g of the data to be acquired after the signature passes verification, and returning all corresponding data to the user B when the owner records comprise the user B;
C3, when the owner records do not include user B, acquiring the access control policy sets of all data corresponding to the data identifier set oid-g and determining whether the access control policies contain user B;
specifically, a corresponding access policy set may be first obtained from the access policy cache library, and when the corresponding access policy set does not exist in the access policy cache library, the access policy set may be obtained from the access policy database.
The access strategy cache library is used for storing the access strategies which are hit within a preset time period. Specifically, after the corresponding access control policy set is acquired from the access policy database, the acquired access control policy set is stored in the access policy cache library. The preset time period may be any length of time, preferably 5 minutes.
C4, when the access control strategy set comprises a user B, determining whether the data to be acquired is ciphertext data according to the data sensitivity level of the data to be acquired;
specifically, when there are a plurality of data to be acquired, there may be a plurality of access control policies included in the corresponding access control policy set. When all the access control strategies comprise the user B, the user B can acquire all the data to be acquired; when some access control policies include the user B but the rest do not include the user B, the user B may acquire the data to be acquired that the corresponding access control policy includes the user B.
Specifically, a data sensitivity level of 1 indicates plaintext data and a level of 0 indicates ciphertext data.
C5, when the data to be acquired is ciphertext data, re-encrypting the ciphertext data by using the corresponding re-encryption key and returning the re-encrypted data to the user B;
C6, user B decrypts the re-encrypted data with private key sk_b to obtain the plaintext data to be acquired and the signature sign_m1.
User B can verify sign_m1 with user A's public key to ensure the integrity of the resource.
When the data to be acquired is plaintext data, the cloud storage platform can directly send the plaintext data to the user.
The sharing and obtaining process realizes secret sharing of the ciphertext data, the content of the ciphertext information cannot be obtained through cloud storage, and an interactive process of key agreement is not needed when the users share the encrypted data.
When the private key of the user A needs to be replaced, the regeneration of the public and private keys and the data re-encryption process comprise the following steps:
D1, user A sends a private key generation request to the cloud storage platform;
The private key generation request includes user A's signature signID(sk_a, rands || ID_a || ID_a' || timestamp), the random number rands, the timestamp, the original identity ID_a and the updated identity ID_a'.
D2, the signature is verified with user A's public key; after it passes, an updated public key and private key sk_a' are generated for user A from the updated identity ID_a', and the private key is sent to user A online through a secure encrypted channel or offline by mail or similar means;
D3, user A generates the original signature sign'(sk_a, rands || ID_a || ID_a' || timestamp) with the original private key and the updated signature sign2'(sk_a', rands || ID_a || ID_a' || timestamp) with the updated private key, and uploads both to the cloud storage platform;
D4, the cloud storage platform verifies the original signature sign' with the original public key and the updated signature sign2' with the updated public key;
and when both verifications pass, the identity of user A in the record is updated to the updated identity ID_a', and the data stored by user A is re-encrypted with the re-encryption algorithm so that user A can decrypt it with the updated private key.
Example two
Corresponding to the foregoing embodiment, the present application provides a method for processing cloud storage data, where as shown in fig. 2, the method includes:
210. receiving a data acquisition request sent by a first user, wherein the data acquisition request comprises an identity identifier of the first user, a signature and a data identifier corresponding to data to be acquired, and the signature is generated according to a private key of the first user;
Specifically, in the present application, the first user, the second user, the third user, and the fourth user may be any user of the cloud storage platform, and the first user, the second user, the third user, and the fourth user may be different users or the same user, which is not limited in this application.
220. Verifying the signature according to the public key of the first user;
230. when the verification is passed, obtaining an access strategy corresponding to the data identifier, wherein the access strategy comprises a preset identity identifier which can access the data to be obtained;
240. and when the corresponding access policy comprises the identity of the first user, returning the data to be acquired to the first user.
Preferably, the method comprises:
250. receiving a data uploading request sent by a second user, wherein the data uploading request comprises data to be stored, a signature and an identity of the second user and an encryption level of the data to be stored;
251. and verifying the signature of the second user according to the public key of the second user, and storing the data to be stored, the signature and the identity of the second user and the encryption level of the data to be stored when the verification is passed.
Preferably, when the corresponding access policy includes the identity of the first user, the data to be acquired is returned to the first user:
252. determining whether the data to be acquired is encrypted data or not according to the encryption level corresponding to the data to be acquired;
253. when the data is encrypted, re-encrypting the data to be acquired according to a first re-encryption key corresponding to the data to be acquired;
254. and returning the re-encrypted data to be acquired to the first user, so that the first user can decrypt the re-encrypted data to be acquired according to the private key of the first user and acquire the plaintext data to be acquired.
Preferably, when the verification is passed, the storing the data to be stored, the signature and the identity of the second user, and the encryption level of the data to be stored includes:
255. inquiring whether the same data as the data to be stored exists in a storage database;
256. when the data exists, recording the identity of the second user to the owner record corresponding to the same data;
257. and when the data to be stored does not exist, generating a backup of the data to be stored and storing the data to be stored and the backup into a storage database.
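The acquire flow of steps 210-240 together with the deduplicating upload of steps 250-257, as an added example in Go from the platform's side; it is not code from the patent. Its assumptions, none of which the text fixes, are: ed25519 key pairs stand in for the identity-based keys, the data identifier is the SHA-256 of the content, the signed message is "operation | identity | data identifier", and an uploader is placed in the access policy of its own upload.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// storedObject: one deduplicated piece of content with backup, encryption level, owner record and access policy.
type storedObject struct {
	data, backup []byte
	encrypted    bool
	owners       []string        // owner record: every identity that uploaded this content
	policy       map[string]bool // access policy: identities allowed to acquire it
}

// platform models the cloud storage side: registered public keys and the object store.
type platform struct {
	pubKeys map[string]ed25519.PublicKey
	objects map[string]*storedObject // keyed by data identifier
}

func newPlatform() *platform {
	return &platform{pubKeys: map[string]ed25519.PublicKey{}, objects: map[string]*storedObject{}}
}

// contentID derives the data identifier from the content so identical uploads
// collide (assumption: the text does not fix how identifiers are formed).
func contentID(data []byte) string {
	sum := sha256.Sum256(data)
	return hex.EncodeToString(sum[:])
}

// msg joins request fields into the signed byte string ("field | field | ...").
func msg(parts ...string) []byte { return []byte(strings.Join(parts, "|")) }

// verify checks a signature against the public key registered for an identity.
func (p *platform) verify(id string, m, sig []byte) error {
	pk, ok := p.pubKeys[id]
	if !ok {
		return errors.New("unknown identity")
	}
	if !ed25519.Verify(pk, m, sig) {
		return errors.New("signature verification failed")
	}
	return nil
}

// Upload implements steps 250-257: verify the uploader's signature, then either add
// the uploader to the owner record of identical content or store content plus backup.
func (p *platform) Upload(id string, sig, data []byte, encrypted bool) (string, error) {
	dataID := contentID(data)
	if err := p.verify(id, msg("upload", id, dataID), sig); err != nil {
		return "", err
	}
	if obj, exists := p.objects[dataID]; exists {
		obj.owners = append(obj.owners, id)
		obj.policy[id] = true
		return dataID, nil
	}
	p.objects[dataID] = &storedObject{
		data: append([]byte(nil), data...), backup: append([]byte(nil), data...),
		encrypted: encrypted, owners: []string{id},
		policy: map[string]bool{id: true}, // assumption: an owner may read its own upload
	}
	return dataID, nil
}

// Acquire implements steps 210-240 in that order: signature first, access policy second.
// Re-encryption of encrypted objects (steps 252-254) is not modeled; the stored
// bytes are returned together with their encryption flag.
func (p *platform) Acquire(id string, sig []byte, dataID string) ([]byte, bool, error) {
	if err := p.verify(id, msg("acquire", id, dataID), sig); err != nil {
		return nil, false, err
	}
	obj, ok := p.objects[dataID]
	if !ok {
		return nil, false, errors.New("no such data identifier")
	}
	if !obj.policy[id] {
		return nil, false, errors.New("identity not in access policy")
	}
	return obj.data, obj.encrypted, nil
}

func main() {
	p := newPlatform()
	pub, sk, _ := ed25519.GenerateKey(rand.Reader)
	p.pubKeys["IDa"] = pub // assumption: ed25519 stands in for the identity-based keys of the text
	content := []byte("constructed sample document") // constructed input
	fmt.Println(p.Upload("IDa", ed25519.Sign(sk, msg("upload", "IDa", contentID(content))), content, false))
}
```

The text specifies only that the acquire signature is generated with the first user's private key, not which fields it covers; this example binds it to the identity and the data identifier so that a signature for one object cannot be presented for another. The random number and timestamp that the text includes in the key-update signatures would be needed in the acquire signature as well before the platform could distinguish a fresh request from a replayed one.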
Preferably, the method comprises:
260. receiving a data sharing request sent by a third user, wherein the data sharing request comprises a signature of the third user, a data identifier of data to be shared and a target access strategy;
261. and verifying the signature of the third user according to the public key of the third user, and storing the target access policy when the signature passes the verification so as to determine the identity which can access the data to be shared according to the target access policy.
Preferably, when the verification is passed, the storing the target access policy so as to determine the identity identifier capable of accessing the data to be shared according to the target access policy subsequently includes:
262. when the data to be shared passes the verification, acquiring owner records and historical access strategies of the data to be shared;
263. and when the identity of the third user belongs to the owner record or the historical access strategy, storing the access strategy of the data to be shared so as to determine the identity which can access the data to be shared according to the target access strategy and the historical access strategy.
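The authorization check of steps 262-263, as an added example that is not the patent's own code. The signature verification of step 261 is identical to that of the acquire request and is taken here as already passed; reading step 263 so that the identities able to access the data are the owner record plus the union of the target and all historical access policies is this example's interpretation, not a statement of the text.

```go
package main

import (
	"errors"
	"fmt"
)

// sharedObject is the platform's record of one stored object as far as sharing
// is concerned: who uploaded it and every access policy stored for it so far.
type sharedObject struct {
	owners  map[string]bool   // owner record
	history []map[string]bool // historical access policies, oldest first
}

// mayShare is the check of step 263: the requester must belong to the owner
// record or appear in some historical access policy of the object.
func (o *sharedObject) mayShare(requester string) bool {
	if o.owners[requester] {
		return true
	}
	for _, pol := range o.history {
		if pol[requester] {
			return true
		}
	}
	return false
}

// Share stores the target access policy of a data sharing request only when the
// requester is entitled to share (steps 262-263).
func (o *sharedObject) Share(requester string, target []string) error {
	if !o.mayShare(requester) {
		return errors.New("requester is neither an owner nor a previous grantee")
	}
	pol := make(map[string]bool, len(target))
	for _, id := range target {
		pol[id] = true
	}
	o.history = append(o.history, pol)
	return nil
}

// Accessible returns the identities allowed to acquire the object: the owners
// plus every identity in a stored policy (assumption: union of all policies).
func (o *sharedObject) Accessible() map[string]bool {
	acc := map[string]bool{}
	for id := range o.owners {
		acc[id] = true
	}
	for _, pol := range o.history {
		for id := range pol {
			acc[id] = true
		}
	}
	return acc
}

func main() {
	o := &sharedObject{owners: map[string]bool{"IDa": true}} // constructed: IDa uploaded the object
	fmt.Println(o.Share("IDa", []string{"IDb"}))            // owner shares: nil
	fmt.Println(o.Share("IDb", []string{"IDc"}))            // earlier grantee shares onward: nil
	fmt.Println(o.Share("IDd", []string{"IDe"}))            // outsider: error
	fmt.Println(len(o.Accessible()))                        // IDa, IDb, IDc
}
```

Because any identity found in an earlier policy may store a further one, sharing is transitive: a grantee can pass the data on without the owner's involvement, and the text describes no step that removes an identity from a stored policy, so the accessible set only grows. A deployment would want to record which identity stored each policy so that such chains can be audited.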
Preferably, the method comprises:
270. receiving a private key updating request sent by a fourth user, wherein the updating request comprises an original identity of the fourth user, an updated identity and a first original signature, and the first original signature is generated according to the original private key of the fourth user;
271. verifying the signature of the fourth user according to the public key of the fourth user, and when the signature passes the verification, generating an updated private key and a public key according to the updated identity and returning the updated private key to the fourth user;
272. receiving a second original signature, an updated signature and a second re-encryption key returned by the fourth user, wherein the second original signature is generated according to an original private key of the fourth user, and the updated signature is generated according to the updated private key;
273. verifying the second original signature according to the public key before updating and verifying the updated signature according to the updated public key;
274. and when the authentication passes, updating the stored identity of the fourth user into the updated identity, and re-encrypting the encrypted data stored by the fourth user according to the second re-encryption key.
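The private key replacement procedure of steps D1-D4 in Example one and of steps 270-274 here, as an added example from the platform's side; it is not the patent's code. Assumptions of this example: ed25519 key pairs stand in for the identity-based key generation, the two confirmation signatures are bound to the random number and timestamp of the pending request (the text signs the same fields in D1 and D3), and the check that the updated identity is not already in use is added here. The second re-encryption key and the re-encryption of the user's stored data are not modeled.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"strings"
)

// pendingUpdate is an identity change that has been requested and keyed
// (steps D1-D2) but not yet confirmed with both signatures (steps D3-D4).
type pendingUpdate struct {
	newID   string
	newPub  ed25519.PublicKey
	rnd, ts string
}

// keyServer is the platform's identity record: the current public key per
// identity plus updates in progress, keyed by the original identity.
type keyServer struct {
	users   map[string]ed25519.PublicKey
	pending map[string]pendingUpdate
}

func newKeyServer() *keyServer {
	return &keyServer{users: map[string]ed25519.PublicKey{}, pending: map[string]pendingUpdate{}}
}

// fields joins the signed fields "rand | ID_a | ID_a' | timestamp" of the text.
func fields(parts ...string) []byte { return []byte(strings.Join(parts, "|")) }

// Register enrols an identity with a fresh key pair (assumption: ed25519 stands in
// for the identity-based key generation) and returns the private key to the user.
func (s *keyServer) Register(id string) ed25519.PrivateKey {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	s.users[id] = pub
	return priv
}

// RequestUpdate is steps D1-D2: the request is accepted only if the signature over
// rand | oldID | newID | ts verifies under the original public key; the platform then
// issues the key pair for the new identity. The private key is returned directly here,
// where the text delivers it over a secure channel or offline.
func (s *keyServer) RequestUpdate(oldID, newID, rnd, ts string, sig []byte) (ed25519.PrivateKey, error) {
	pub, ok := s.users[oldID]
	if !ok {
		return nil, errors.New("unknown identity")
	}
	if !ed25519.Verify(pub, fields(rnd, oldID, newID, ts), sig) {
		return nil, errors.New("request signature invalid")
	}
	if _, taken := s.users[newID]; taken { // assumption: not stated in the text
		return nil, errors.New("updated identity already in use")
	}
	newPub, newPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	s.pending[oldID] = pendingUpdate{newID: newID, newPub: newPub, rnd: rnd, ts: ts}
	return newPriv, nil
}

// ConfirmUpdate is steps D3-D4 from the platform's side: both signatures cover the
// same fields as the request; the original one proves control of the old key, the
// updated one proves the new private key reached the same user. Only when both
// verify is the record switched to the new identity.
func (s *keyServer) ConfirmUpdate(oldID string, sigOld, sigNew []byte) error {
	pu, ok := s.pending[oldID]
	if !ok {
		return errors.New("no key update in progress for this identity")
	}
	m := fields(pu.rnd, oldID, pu.newID, pu.ts)
	if !ed25519.Verify(s.users[oldID], m, sigOld) {
		return errors.New("original signature invalid")
	}
	if !ed25519.Verify(pu.newPub, m, sigNew) {
		return errors.New("updated signature invalid")
	}
	delete(s.users, oldID)
	delete(s.pending, oldID)
	s.users[pu.newID] = pu.newPub
	// Re-encrypting the user's stored ciphertexts for the new key is not modeled here.
	return nil
}

func main() {
	s := newKeyServer()
	skOld := s.Register("IDa")
	rnd, ts := "r1", "20210209T000000Z" // constructed values
	m := fields(rnd, "IDa", "IDa2", ts)
	skNew, err := s.RequestUpdate("IDa", "IDa2", rnd, ts, ed25519.Sign(skOld, m))
	if err != nil {
		panic(err)
	}
	fmt.Println(s.ConfirmUpdate("IDa", ed25519.Sign(skOld, m), ed25519.Sign(skNew, m)))
}
```

Requiring the second signature under the new key before the old identity is retired is what keeps a request signed only with the old key from switching the record to a key the user never received; until ConfirmUpdate succeeds, the old public key stays authoritative.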
Example three
Corresponding to the foregoing embodiments, the present application provides a processing apparatus for cloud storage data, as shown in fig. 3, the apparatus includes:
a receiving module 310, configured to receive a data acquisition request sent by a first user, where the data acquisition request includes an identity of the first user, a signature, and a data identifier corresponding to data to be acquired, and the signature is generated according to a private key of the first user; when the verification is passed, obtaining an access strategy corresponding to the data identifier, wherein the access strategy comprises a preset identity identifier which can access the data to be obtained;
a verification module 320, configured to verify the signature according to the public key of the first user;
a returning module 330, configured to return the data to be acquired to the first user when the corresponding access policy includes the identity of the first user.
Preferably, the receiving module 310 is further configured to receive a data uploading request sent by a second user, where the data uploading request includes data to be stored, a signature and an identity of the second user, and an encryption level of the data to be stored; the verification module 320 may further be configured to verify a signature of the second user according to the public key of the second user, and store the data to be stored, the signature and the identity of the second user, and the encryption level of the data to be stored when the verification is passed.
Preferably, the returning module 330 is further configured to determine whether the data to be acquired is encrypted data according to an encryption level corresponding to the data to be acquired; when the data is encrypted, re-encrypting the data to be acquired according to a first re-encryption key corresponding to the data to be acquired; and returning the re-encrypted data to be acquired to the first user, so that the first user can decrypt the re-encrypted data to be acquired according to the private key of the first user and acquire the plaintext data to be acquired.
Preferably, the receiving module 310 is further configured to receive a data sharing request sent by a third user, where the data sharing request includes a signature of the third user, a data identifier of data to be shared, and a target access policy; the verification module 320 may be further configured to verify the signature of the third user according to the public key of the third user; the device further comprises a storage module, which is used for storing the target access policy when the verification is passed so as to determine the identity of the accessible data to be shared according to the target access policy.
Preferably, the receiving module 310 is further configured to receive a private key update request sent by a fourth user, where the update request includes an original identity, an updated identity, and a first original signature of the fourth user, the first original signature generates according to the original private key of the fourth user, and receives a second original signature, an updated signature, and a second re-encryption key returned by the fourth user, the second original signature generates according to the original private key of the fourth user, and the updated signature generates according to the updated private key; the verification module 320 may be further configured to verify the signature of the fourth user according to the public key of the fourth user, verify the second original signature according to the public key before updating, and verify the updated signature according to the updated public key; the returning module 330 is further configured to generate an updated private key and an updated public key according to the updated identity and return the updated private key to the fourth user when the authentication is passed, and the storing module is further configured to update the stored identity of the fourth user to the updated identity and re-encrypt the encrypted data stored by the fourth user according to the second re-encryption key when the authentication is passed.
Preferably, the storage module may be further configured to query whether data identical to the data to be stored exists in a storage database; when the data exists, recording the identity of the second user to the owner record corresponding to the same data; and when the data to be stored does not exist, generating a backup of the data to be stored and storing the data to be stored and the backup into a storage database.
Preferably, the storage module is further configured to obtain an owner record and a historical access policy of the data to be shared when the verification is passed; and when the identity of the third user belongs to the owner record or the historical access strategy, storing the access strategy of the data to be shared so as to determine the identity which can access the data to be shared according to the target access strategy and the historical access strategy.
Example four
Corresponding to the above method, apparatus, and system, a fourth embodiment of the present application provides a computer system, including: one or more processors; and memory associated with the one or more processors for storing program instructions that, when read and executed by the one or more processors, perform operations comprising:
receiving a data acquisition request sent by a first user, wherein the data acquisition request comprises an identity identifier of the first user, a signature and a data identifier corresponding to data to be acquired, and the signature is generated according to a private key of the first user;
verifying the signature according to the public key of the first user;
when the verification is passed, obtaining an access strategy corresponding to the data identifier, wherein the access strategy comprises a preset identity identifier which can access the data to be obtained;
and when the corresponding access policy comprises the identity of the first user, returning the data to be acquired to the first user.
Fig. 4 illustrates an architecture of a computer system, which may include, in particular, a processor 1510, a video display adapter 1511, a disk drive 1512, an input/output interface 1513, a network interface 1514, and a memory 1520. The processor 1510, video display adapter 1511, disk drive 1512, input/output interface 1513, network interface 1514, and memory 1520 may be communicatively coupled via a communication bus 1530.
The processor 1510 may be implemented by a general-purpose CPU (Central Processing Unit), a microprocessor, an Application Specific Integrated Circuit (ASIC), or one or more integrated circuits, and is configured to execute related programs to implement the technical solution provided by the present application.
The memory 1520 may be implemented in the form of a ROM (Read Only Memory), a RAM (Random Access Memory), a static storage device, a dynamic storage device, or the like. The memory 1520 may store an operating system 1521 for controlling the operation of the computer system 1500 and a Basic Input Output System (BIOS) 1522 for controlling low-level operations of the computer system 1500. In addition, a web browser 1523, a data storage management 1524, an icon font processing system 1525, and the like may also be stored. The icon font processing system 1525 may be an application program that implements the operations of the foregoing steps in this embodiment of the application. In summary, when the technical solution provided by the present application is implemented by software or firmware, the relevant program code is stored in the memory 1520 and called for execution by the processor 1510. The input/output interface 1513 is used for connecting an input/output module to realize information input and output. The I/O module may be configured as a component in a device (not shown) or may be external to the device to provide a corresponding function. The input devices may include a keyboard, a mouse, a touch screen, a microphone, various sensors, etc., and the output devices may include a display, a speaker, a vibrator, an indicator light, etc.
The network interface 1514 is used to connect a communication module (not shown) to enable the device to communicatively interact with other devices. The communication module can realize communication in a wired mode (such as USB, network cable and the like) and also can realize communication in a wireless mode (such as mobile network, WIFI, Bluetooth and the like).
The bus 1530 includes a path to transfer information between the various components of the device, such as the processor 1510, the video display adapter 1511, the disk drive 1512, the input/output interface 1513, the network interface 1514, and the memory 1520.
In addition, the computer system 1500 may also obtain information of specific extraction conditions from the virtual resource object extraction condition information database 1541 for performing condition judgment, and the like.
It should be noted that although the above devices only show the processor 1510, the video display adapter 1511, the disk drive 1512, the input/output interface 1513, the network interface 1514, the memory 1520, the bus 1530, etc., in a specific implementation, the devices may also include other components necessary for proper operation. Furthermore, it will be understood by those skilled in the art that the apparatus described above may also include only the components necessary to implement the solution of the present application, and not necessarily all of the components shown in the figures.
From the above description of the embodiments, it is clear to those skilled in the art that the present application can be implemented by software plus necessary general hardware platform. Based on such understanding, the technical solutions of the present application may be embodied in the form of a software product, which may be stored in a storage medium, such as a ROM/RAM, a magnetic disk, an optical disk, or the like, and includes several instructions for enabling a computer device (which may be a personal computer, a cloud server, or a network device) to execute the method according to the embodiments or some parts of the embodiments of the present application.
The embodiments in the present specification are described in a progressive manner, and the same and similar parts among the embodiments are referred to each other, and each embodiment focuses on the differences from the other embodiments. In particular, the system or system embodiments are substantially similar to the method embodiments and therefore are described in a relatively simple manner, and reference may be made to some of the descriptions of the method embodiments for related points. The above-described system and system embodiments are only illustrative, wherein the units described as separate parts may or may not be physically separate, and the parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of the present embodiment. One of ordinary skill in the art can understand and implement it without inventive effort.
The above description is only for the purpose of illustrating the preferred embodiments of the present invention and is not to be construed as limiting the invention, and any modifications, equivalents, improvements and the like that fall within the spirit and principle of the present invention are intended to be included therein.

Claims (10)

1. A processing method of cloud storage data is characterized by comprising the following steps:
receiving a data acquisition request sent by a first user, wherein the data acquisition request comprises an identity identifier of the first user, a signature and a data identifier corresponding to data to be acquired, and the signature is generated according to a private key of the first user;
verifying the signature according to the public key of the first user;
when the verification is passed, obtaining an access strategy corresponding to the data identifier, wherein the access strategy comprises a preset identity identifier which can access the data to be obtained;
and when the corresponding access policy comprises the identity of the first user, returning the data to be acquired to the first user.
2. The method according to claim 1, characterized in that it comprises:
receiving a data uploading request sent by a second user, wherein the data uploading request comprises data to be stored, a signature and an identity of the second user and an encryption level of the data to be stored;
and verifying the signature of the second user according to the public key of the second user, and storing the data to be stored, the signature and the identity of the second user and the encryption level of the data to be stored when the verification is passed.
3. The method of claim 2, wherein returning the data to be obtained to the first user when the corresponding access policy includes the identity of the first user comprises:
determining whether the data to be acquired is encrypted data or not according to the encryption level corresponding to the data to be acquired;
when the data is encrypted, re-encrypting the data to be acquired according to a first re-encryption key corresponding to the data to be acquired;
and returning the re-encrypted data to be acquired to the first user, so that the first user can decrypt the re-encrypted data to be acquired according to the private key of the first user and acquire the plaintext data to be acquired.
4. A method according to any of claims 1-3, characterized in that the method comprises:
receiving a data sharing request sent by a third user, wherein the data sharing request comprises a signature of the third user, a data identifier of data to be shared and a target access strategy;
and verifying the signature of the third user according to the public key of the third user, and storing the target access policy when the signature passes the verification so as to determine the identity which can access the data to be shared according to the target access policy.
5. A method according to any of claims 1-3, characterized in that the method comprises:
receiving a private key updating request sent by a fourth user, wherein the updating request comprises an original identity of the fourth user, an updated identity and a first original signature, and the first original signature is generated according to the original private key of the fourth user;
verifying the signature of the fourth user according to the public key of the fourth user, and when the signature passes the verification, generating an updated private key and a public key according to the updated identity and returning the updated private key to the fourth user;
receiving a second original signature, an updated signature and a second re-encryption key returned by the fourth user, wherein the second original signature is generated according to an original private key of the fourth user, and the updated signature is generated according to the updated private key;
verifying the second original signature according to the public key before updating and verifying the updated signature according to the updated public key;
and when the authentication passes, updating the stored identity of the fourth user into the updated identity, and re-encrypting the encrypted data stored by the fourth user according to the second re-encryption key.
6. The method according to claim 2 or 3, wherein storing the data to be stored, the signature and the identity of the second user, and the encryption level of the data to be stored when the authentication is passed comprises:
inquiring whether the same data as the data to be stored exists in a storage database;
when the data exists, recording the identity of the second user to the owner record corresponding to the same data;
and when the data to be stored does not exist, generating a backup of the data to be stored and storing the data to be stored and the backup into a storage database.
7. The method of claim 4, wherein when the verification is passed, the storing the target access policy for subsequent determination of the identity of the data to be shared according to the target access policy comprises:
when the data to be shared passes the verification, acquiring owner records and historical access strategies of the data to be shared;
and when the identity of the third user belongs to the owner record or the historical access strategy, storing the access strategy of the data to be shared so as to determine the identity which can access the data to be shared according to the target access strategy and the historical access strategy.
8. An apparatus for processing cloud storage data, the apparatus comprising:
the system comprises a receiving module, a sending module and a receiving module, wherein the receiving module is used for receiving a data acquisition request sent by a first user, the data acquisition request comprises an identity identifier of the first user, a signature and a data identifier corresponding to data to be acquired, and the signature is generated according to a private key of the first user; when the verification is passed, obtaining an access strategy corresponding to the data identifier, wherein the access strategy comprises a preset identity identifier which can access the data to be obtained;
the verification module is used for verifying the signature according to the public key of the first user;
and the return module is used for returning the data to be acquired to the first user when the corresponding access policy comprises the identity of the first user.
9. The apparatus according to claim 8, wherein the receiving module is further configured to receive a data upload request sent by a second user, where the data upload request includes data to be stored, a signature and an identity of the second user, and an encryption level of the data to be stored;
the verification module can also be used for verifying the signature of the second user according to the public key of the second user, and storing the data to be stored, the signature and the identity of the second user and the encryption level of the data to be stored when the verification is passed.
10. A computer system, the system comprising:
one or more processors;
and memory associated with the one or more processors for storing program instructions that, when read and executed by the one or more processors, perform operations comprising:
receiving a data acquisition request sent by a first user, wherein the data acquisition request comprises an identity identifier of the first user, a signature and a data identifier corresponding to data to be acquired, and the signature is generated according to a private key of the first user;
verifying the signature according to the public key of the first user;
when the verification is passed, obtaining an access strategy corresponding to the data identifier, wherein the access strategy comprises a preset identity identifier which can access the data to be obtained;
and when the corresponding access policy comprises the identity of the first user, returning the data to be acquired to the first user.
CN202110178479.8A 2021-02-09 2021-02-09 Cloud storage data processing method and device and computer system Pending CN112953930A (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN202110178479.8A CN112953930A (en) 2021-02-09 2021-02-09 Cloud storage data processing method and device and computer system
PCT/CN2021/131747 WO2022170810A1 (en) 2021-02-09 2021-11-19 Method and apparatus for processing cloud storage data, and computer system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202110178479.8A CN112953930A (en) 2021-02-09 2021-02-09 Cloud storage data processing method and device and computer system

Publications (1)

Publication Number Publication Date
CN112953930A true CN112953930A (en) 2021-06-11

Family

ID=76244786

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110178479.8A Pending CN112953930A (en) 2021-02-09 2021-02-09 Cloud storage data processing method and device and computer system

Country Status (2)

Country Link
CN (1) CN112953930A (en)
WO (1) WO2022170810A1 (en)

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113254986A (en) * 2021-07-16 2021-08-13 深圳市永兴元科技股份有限公司 Data processing method, device and computer readable storage medium
CN113821818A (en) * 2021-11-19 2021-12-21 国网浙江省电力有限公司 Method, device and storage medium for blocking access of middleboxes based on identification management
CN114567477A (en) * 2022-02-24 2022-05-31 特赞(上海)信息科技有限公司 Multi-party collaborative authority management method, device, terminal and storage medium
WO2022170810A1 (en) * 2021-02-09 2022-08-18 苏宁易购集团股份有限公司 Method and apparatus for processing cloud storage data, and computer system
CN115378659A (en) * 2022-07-28 2022-11-22 中国电子科技集团公司第三十研究所 High-reliability file encryption and fine-grained access control method based on user identity
CN116599647A (en) * 2023-06-29 2023-08-15 中国电信股份有限公司 Information processing method, service node, blockchain network, and storage medium

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115603865B (en) * 2022-12-13 2023-03-14 广东广宇科技发展有限公司 Cloud storage-based big data rapid transmission method
CN116938594B (en) * 2023-09-08 2024-03-22 数盾信息科技股份有限公司 Multi-level identity verification system based on high-speed encryption technology

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104980477A (en) * 2014-04-14 2015-10-14 航天信息股份有限公司 Data access control method and system in cloud storage environment
CN108563788A (en) * 2018-04-27 2018-09-21 腾讯科技(深圳)有限公司 Data query method, apparatus, server and storage medium based on block chain

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102055730B (en) * 2009-11-02 2013-09-11 华为终端有限公司 Cloud processing system, cloud processing method and cloud computing agent device
US9166791B2 (en) * 2013-11-20 2015-10-20 At&T Intellectual Property I, L.P. Method and apparatus for user identity verification
CN108462568B (en) * 2018-02-11 2021-08-06 西安电子科技大学 Block chain-based secure file storage and sharing method and cloud storage system
CN111031037A (en) * 2019-12-12 2020-04-17 北京金山云网络技术有限公司 Authentication method and device for object storage service and electronic equipment
CN112953930A (en) * 2021-02-09 2021-06-11 苏宁易购集团股份有限公司 Cloud storage data processing method and device and computer system

Cited By (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2022170810A1 (en) * 2021-02-09 2022-08-18 苏宁易购集团股份有限公司 Method and apparatus for processing cloud storage data, and computer system
CN113254986A (en) * 2021-07-16 2021-08-13 深圳市永兴元科技股份有限公司 Data processing method, device and computer readable storage medium
CN113254986B (en) * 2021-07-16 2021-10-15 深圳市永兴元科技股份有限公司 Data processing method, device and computer readable storage medium
CN113821818A (en) * 2021-11-19 2021-12-21 国网浙江省电力有限公司 Method, device and storage medium for blocking access of middleboxes based on identification management
CN113821818B (en) * 2021-11-19 2022-02-08 国网浙江省电力有限公司 Method, device and storage medium for blocking access of middleboxes based on identification management
CN114567477A (en) * 2022-02-24 2022-05-31 特赞(上海)信息科技有限公司 Multi-party collaborative authority management method, device, terminal and storage medium
CN114567477B (en) * 2022-02-24 2024-03-22 特赞(上海)信息科技有限公司 Multi-party collaborative authority management method, device, terminal and storage medium
CN115378659A (en) * 2022-07-28 2022-11-22 中国电子科技集团公司第三十研究所 High-reliability file encryption and fine-grained access control method based on user identity
CN115378659B (en) * 2022-07-28 2024-04-16 中国电子科技集团公司第三十研究所 High-reliability file encryption and fine-granularity access control method based on user identity
CN116599647A (en) * 2023-06-29 2023-08-15 中国电信股份有限公司 Information processing method, service node, blockchain network, and storage medium
CN116599647B (en) * 2023-06-29 2023-09-29 中国电信股份有限公司 Information processing method, service node, blockchain network, and storage medium

Also Published As

Publication number Publication date
WO2022170810A1 (en) 2022-08-18

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20210611