CN113139213A - Multi-version data integrity cloud auditing method and system - Google Patents


Publication number
CN113139213A
Authority
CN
China
Prior art keywords
client
file
server
current version
version
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202110520638.8A
Other languages
Chinese (zh)
Inventor
陈文琪
暨光耀
韩靖
张洁芳
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Industrial and Commercial Bank of China Ltd ICBC
Original Assignee
Industrial and Commercial Bank of China Ltd ICBC

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/64 Protecting data integrity, e.g. using checksums, certificates or signatures
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/10 File systems; File servers
    • G06F16/11 File system administration, e.g. details of archiving or snapshots
    • G06F16/113 Details of archiving
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/10 File systems; File servers
    • G06F16/17 Details of further file system functions
    • G06F16/172 Caching, prefetching or hoarding of files

Abstract

The invention discloses a cloud auditing method and system for integrity of multi-version data, and relates to the technical field of cloud computing. The method comprises the steps of verifying a signature of a current version file sent by a client according to metadata for verifying the signature; after the signature of the current version file passes verification, establishing a trusted container and a trusted channel between the client and a server trusted container according to an operating environment authentication request sent by the client; and verifying the integrity of the current version file and the historical version file according to the file identifier and the integrity verification request sent by the client through the trusted channel. According to the invention, after the signature of the current version file passes the verification, the verification of the integrity of the current version file and the historical version file is realized in the trusted container by establishing the trusted channel between the trusted container and the server trusted container, so that the computing and communication overhead of multi-version data integrity cloud audit can be reduced.

Description

Multi-version data integrity cloud auditing method and system
Technical Field
The invention relates to the technical field of cloud computing, in particular to a multi-version data integrity cloud auditing method and system.
Background
This section is intended to provide a background or context to the embodiments of the invention that are recited in the claims. The description herein is not admitted to be prior art by inclusion in this section.
To save storage space, cloud storage services often save data incrementally during data updates and data backups. Incremental storage saves space effectively and makes data rollback easier. As data is modified over time, incremental saving produces multi-version data. In cloud data auditing, how to audit the integrity of multi-version data while avoiding heavy computation and communication overhead on the user side and the server side has become an urgent problem.
Disclosure of Invention
The embodiment of the invention provides a multi-version data integrity cloud auditing method, which is used for reducing the calculation and communication overhead of multi-version data integrity cloud auditing and comprises the following steps:
the server verifies the signature of the current version file sent by the client according to the metadata for verifying the signature;
after the signature of the current version file passes verification, the server establishes a trusted container and a trusted channel between the client and the server trusted container according to an operating environment authentication request sent by the client;
and the server verifies the integrity of the current version file and the historical version file according to the file identifier and the integrity verification request sent by the client through the trusted channel.
The embodiment of the invention also provides a multi-version data integrity cloud auditing system, which is used for reducing the calculation and communication overhead of the multi-version data integrity cloud auditing and comprises the following modules:
the signature verification module is used for verifying the signature of the current version file sent by the client according to the metadata for verifying the signature;
the running environment authentication module is used for establishing a trusted container and a trusted channel between the client and the server trusted container according to a running environment authentication request sent by the client after the signature of the current version file passes verification;
and the integrity verification module is used for verifying the integrity of the current version file and the historical version file according to the file identifier and the integrity verification request sent by the client through the trusted channel.
The embodiment of the invention also provides computer equipment which comprises a memory, a processor and a computer program which is stored on the memory and can run on the processor, wherein the processor realizes the multi-version data integrity cloud auditing method when executing the computer program.
The embodiment of the invention also provides a computer readable storage medium, and the computer readable storage medium stores a computer program for executing the multi-version data integrity cloud auditing method.
In the embodiment of the invention, a server verifies the signature of the current version file sent by a client according to the metadata for verifying the signature; after the signature of the current version file passes verification, the server establishes a trusted container and a trusted channel between the client and the server trusted container according to an operating environment authentication request sent by the client; and the server verifies the integrity of the current version file and the historical version file according to the file identifier and the integrity verification request sent by the client through the trusted channel. In the embodiment of the invention, after the signature of the current version file passes the verification, the integrity of the current version file and the historical version file is verified inside the trusted container by establishing the trusted channel between the client and the trusted container of the server, so that the computing and communication overhead of the multi-version data integrity cloud audit can be reduced.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, it is obvious that the drawings in the following description are only some embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to the drawings without creative efforts. In the drawings:
fig. 1 is a flowchart illustrating an implementation of a multi-version data integrity cloud auditing method according to an embodiment of the present invention;
fig. 2 is a flowchart illustrating an implementation of step 101 in a multi-version data integrity cloud auditing method according to an embodiment of the present invention;
FIG. 2-1 is a schematic diagram of an inverse delta version control chain according to an embodiment of the present invention;
fig. 3 is a flowchart illustrating implementation of step 201 in a multi-version data integrity cloud auditing method according to an embodiment of the present invention;
fig. 4 is a flowchart illustrating an implementation of step 202 in a multi-version data integrity cloud auditing method according to an embodiment of the present invention;
fig. 5 is a flowchart illustrating an implementation of step 102 in a multi-version data integrity cloud auditing method according to an embodiment of the present invention;
fig. 6 is a flowchart illustrating an implementation of step 103 in a multi-version data integrity cloud auditing method according to an embodiment of the present invention;
fig. 7 is a flowchart of another implementation of step 103 in the multi-version data integrity cloud auditing method according to the embodiment of the present invention;
FIG. 7-1 is a schematic diagram of an inverse delta version control chain according to an embodiment of the present invention;
fig. 8 is a functional block diagram of a multi-version data integrity cloud audit system according to an embodiment of the present invention;
fig. 9 is a block diagram illustrating a structure of a signature verification module 801 in a multi-version data integrity cloud audit system according to an embodiment of the present invention;
fig. 10 is a block diagram illustrating a structure of a client signature generation unit 901 in a multi-version data integrity cloud audit system according to an embodiment of the present invention;
fig. 11 is a block diagram illustrating a structure of a hash value generation unit 902 of a server-side control chain in a multi-version data integrity cloud audit system according to an embodiment of the present invention;
fig. 12 is a block diagram illustrating a structure of an operating environment authentication module 802 in a multi-version data integrity cloud audit system according to an embodiment of the present invention;
fig. 13 is a block diagram illustrating a structure of an integrity verification module 803 in a multi-version data integrity cloud audit system according to an embodiment of the present invention;
fig. 14 is another structural block diagram of an integrity verification module 803 in the multi-version data integrity cloud audit system according to the embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present invention more apparent, the embodiments of the present invention are further described in detail below with reference to the accompanying drawings. The exemplary embodiments and descriptions of the present invention are provided to explain the present invention, but not to limit the present invention.
Fig. 1 illustrates an implementation flow of a multi-version data integrity cloud auditing method provided by an embodiment of the present invention, and for convenience of description, only the parts related to the embodiment of the present invention are illustrated, and details are as follows:
as shown in fig. 1, the multi-version data integrity cloud auditing method is applied to a multi-version data integrity cloud auditing system including a server and a client that deploy Software Guard Extensions (SGX). The multi-version data integrity cloud auditing method comprises the following steps:
step 101, a server verifies a signature of a current version file sent by a client according to metadata for verifying the signature;
step 102, after the signature of the current version file passes verification, the server establishes a trusted container and a trusted channel between the client and the server trusted container according to an operating environment authentication request sent by the client;
step 103, the server verifies the integrity of the current version file and the historical version file according to the file identifier and the integrity verification request sent by the client through the trusted channel.
The multi-version data integrity cloud auditing method is applied to a multi-version data integrity cloud auditing system. The multi-version data integrity cloud auditing system comprises a server and a client, wherein the server is provided with Software Guard Extensions (SGX for short).
The client can organize and store files in incremental form; preferably, the client organizes and stores files in inverse delta form. When a file (data) is stored in inverse delta form, multiple versions exist: the latest version is stored in full, and the other versions are stored as inverse deltas. Specifically, when the integrity of the multi-version data is audited in the cloud, the client sends the signature of the current version file and the metadata for verifying the signature (of the client) to the server in inverse delta form. The server then verifies the signature of the current version file sent by the client according to the metadata for verifying the signature.
After the signature of the current version file passes the verification, which indicates that the file is authentic and valid, the server feeds back to the client a message that the signature of the current version file has passed verification, and the client, based on that message, sends an operating environment authentication request to the server. The server then establishes a trusted container according to the operating environment authentication request sent by the client and establishes a trusted channel between the client and the server trusted container.
After a trusted container and a trusted channel between a client and a server trusted container are established, the client sends a file identifier corresponding to a current version file and an integrity verification request of the current version file through the established trusted channel, and then the server verifies the integrity of the current version file according to the file identifier and the integrity verification request.
In the embodiment of the invention, the server verifies the signature of the current version file sent by the client according to the metadata for verifying the signature; after the signature of the current version file passes verification, the server establishes a trusted container and a trusted channel between the client and the server trusted container according to an operating environment authentication request sent by the client; and the server verifies the integrity of the current version file and the historical version file according to the file identifier and the integrity verification request sent by the client through the trusted channel. In the embodiment of the invention, after the signature of the current version file passes the verification, the integrity of the current version file and the historical version file is verified inside the trusted container by establishing the trusted channel between the client and the trusted container of the server, so that the computing and communication overhead of the multi-version data integrity cloud audit can be reduced.
The signature of the current version of the file may or may not verify. In a preferred embodiment, to ensure data security, on the basis of the steps of the method shown in fig. 1, the multi-version data integrity cloud audit method further includes:
and when the signature verification of the current version file fails, the server feeds back a message that the signature verification fails to the client. The signature verification of the current version file fails, which indicates that the current version file may be an unsafe or invalid file, and at this time, a message indicating that the signature verification fails is fed back to the client, so that the data security can be guaranteed.
The current version file may or may not be complete. In a preferred embodiment, to facilitate understanding of the integrity status of the current version file, on the basis of the method steps shown in fig. 1, the multi-version data integrity cloud audit method further includes:
when the server verifies that the current version file is complete, feeding back a message that the current version file is complete to the client;
and when the server verifies that the current version file is incomplete, feeding back a message of the damage of the current version file to the client.
Fig. 2 shows an implementation flow of step 101 in the multi-version data integrity cloud auditing method provided by the embodiment of the present invention, and for convenience of description, only the parts related to the embodiment of the present invention are shown, and the details are as follows:
in an embodiment of the invention, the metadata for verifying the signature includes a one-way hash function and a secure hash function of the multi-version data integrity cloud auditing system. In order to improve the accuracy of the client digital signature verification, as shown in fig. 2, in step 101, the server verifying the signature of the current version file sent by the client according to the metadata for verifying the signature includes:
step 201, a client generates a client digital signature corresponding to a current version file by using a private key in a public key and private key pair according to a file identifier corresponding to the current version file, a one-way hash function and a secure hash function of a multi-version data integrity cloud auditing system;
step 202, the server generates a server-side version control chain hash value corresponding to the current version file by using a public key in a public key private key pair according to a file identifier corresponding to the current version file, a one-way hash function and a secure hash function of the multi-version data integrity cloud auditing system;
step 203, the server verifies the client digital signature corresponding to the current version file according to the public key and the server version control chain hash value corresponding to the current version file.
The multi-version data integrity cloud auditing system comprises a server and a client. The size $|p|$ of the large prime $p$ of the multi-version data integrity cloud auditing system equals the security parameter $l$ of the system, that is, $l = |p|$. $G$ is a multiplicative cyclic group of large prime order $p$, and $g$ is a generator of $G$. $h(\cdot)$ and $H(\cdot)$ are, respectively, the one-way hash function and the secure hash function of the multi-version data integrity cloud auditing system, with $H(\cdot): \{0,1\}^* \to G$. The client generates a public/private key pair $(x, pk)$, where $x$ is the private key and $pk$ is the public key; the private key $x$, the public key $pk$ and the generator $g$ satisfy $pk = g^x$. In addition, the client publishes its own public key $pk$ to the server.
When the signature of the current version file (the client digital signature) is verified, the client organizes and stores files in inverse delta form. Under inverse delta version control, the latest version is saved in full, while the other versions are saved as inverse deltas. Fig. 2-1 shows a schematic of the inverse delta version control chain provided by an embodiment of the present invention, where $\Delta_i$ ($i = 1, 2, \ldots, v-2, v-1$) denotes the inverse delta updated and newly added for the $i$-th version file $F_i$. The client generates a file identifier $F_{id}$ for the version 1 file $F_1$, and all subsequent versions of the file use the same file identifier $F_{id}$. $v$ denotes the latest version number, and $F_v$ is the latest version of the file. The inverse delta $\Delta_i$ and the files satisfy $F_{i+1} = F_i + \Delta_i$, where $F_{i+1}$ denotes the $(i+1)$-th version file.
Then, according to the file identifier $F_{id}$ corresponding to the current version file $F_i$ and the one-way hash function $h(\cdot)$ and secure hash function $H(\cdot)$ of the multi-version data integrity cloud auditing system, the client uses the private key $x$ of the public/private key pair $(x, pk)$ to generate the client digital signature $\sigma_{i1}$ corresponding to the current version file. The client sends the current version file $F_i$, the file identifier $F_{id}$ and the client digital signature $\sigma_{i1}$ to the server, and deletes the local current version file $F_i$.
Then, according to the file identifier $F_{id}$ corresponding to the current version file and the one-way hash function $h(\cdot)$ and secure hash function $H(\cdot)$ of the multi-version data integrity cloud auditing system, the server uses the public key $pk$ of the public/private key pair $(x, pk)$ to generate the server-side version control chain hash value $\theta_{i2}$ corresponding to the current version file $F_i$.
Then, using the public key $pk$ and the server-side version control chain hash value $\theta_{i2}$ corresponding to the current version file $F_i$, the server verifies the client digital signature $\sigma_{i1}$ corresponding to the current version file $F_i$, in order to check the validity of the client digital signature $\sigma_{i1}$ of the current version file $F_i$. The verification of the client digital signature $\sigma_{i1}$ may be expressed as:
$\delta = \mathrm{Verify}(pk, \sigma_{i1}, \theta_{i2})$;
where $\delta$ denotes the verification result of the client digital signature $\sigma_{i1}$, and $\mathrm{Verify}(pk, \sigma_{i1}, \theta_{i2})$ denotes verifying the client digital signature $\sigma_{i1}$ corresponding to the current version file $F_i$ using the public key $pk$ and the server-side version control chain hash value $\theta_{i2}$ corresponding to the current version file $F_i$. If the verification result $\delta$ is true, the server stores the current version file $F_i$ sent by the client; if the verification result $\delta$ is false, the server feeds back to the client a message that the signature verification has failed.
In the embodiment of the invention, a client generates a client digital signature corresponding to a current version file by using a private key in a public key and private key pair according to a file identifier corresponding to the current version file, a one-way hash function and a safe hash function of a multi-version data integrity cloud auditing system; the server generates a server-side version control chain hash value corresponding to the current version file by using a public key in a public key private key pair according to a file identifier corresponding to the current version file, a one-way hash function and a secure hash function of the multi-version data integrity cloud auditing system; and the server verifies the client digital signature corresponding to the current version file according to the public key and the server side version control chain hash value corresponding to the current version file. According to the embodiment of the invention, the client generates the digital signature of the client by using the private key according to the one-way hash function and the secure hash function, and the server generates the hash value of the version control chain of the server by using the public key according to the one-way hash function and the secure hash function. And then the client digital signature is verified by adopting the public key and the server version control chain hash value, so that the accuracy of the client digital signature verification can be improved.
Fig. 3 illustrates an implementation flow of step 201 in the multi-version data integrity cloud auditing method provided by the embodiment of the present invention, and for convenience of description, only the parts related to the embodiment of the present invention are illustrated, and the details are as follows:
in an embodiment of the present invention, in order to improve the security of the client digital signature, as shown in fig. 3, step 201, in which the client generates a client digital signature corresponding to the current version file by using the private key of the public/private key pair according to the file identifier corresponding to the current version file and the one-way hash function and secure hash function of the multi-version data integrity cloud auditing system, includes:
step 301, a client determines a client aggregation value of an inverse increment hash corresponding to a current version file according to a file identifier corresponding to the current version file and a one-way hash function of a multi-version data integrity cloud auditing system;
step 302, a client determines a client version control chain hash value corresponding to a current version file according to a file identifier corresponding to the current version file, a client aggregation value of inverse increment hash, a one-way hash function and a secure hash function of a multi-version data integrity cloud auditing system;
step 303, the client generates a client digital signature corresponding to the current version file according to the client version control chain hash value corresponding to the current version file.
When generating the client digital signature $\sigma_{i1}$ corresponding to the current version file $F_i$, the client first determines the inverse delta hash client aggregate value $E_{i1}$ corresponding to the current version file $F_i$ according to the file identifier $F_{id}$ corresponding to the current version file $F_i$ and the one-way hash function $h(\cdot)$ of the multi-version data integrity cloud auditing system. The inverse delta hash client aggregate value $E_{i1}$ corresponding to the current version file $F_i$ may be determined by the following formula:
Figure BDA0003063815780000071
Then, the client determines the client version control chain hash value $\theta_{i1}$ corresponding to the current version file $F_i$ according to the file identifier $F_{id}$ corresponding to the current version file $F_i$, the inverse delta hash client aggregate value $E_{i1}$, and the one-way hash function $h(\cdot)$ and secure hash function $H(\cdot)$ of the multi-version data integrity cloud auditing system. Specifically, the client version control chain hash value $\theta_{i1}$ corresponding to the current version file $F_i$ may be determined as follows:
$\theta_{i1} = H(F_{id} \,\|\, (E_{i1} + h(F_i)))$;
After determining the client version control chain hash value $\theta_{i1}$ corresponding to the current version file $F_i$, the client uses the private key $x$ to sign that hash value, generating the client digital signature $\sigma_{i1}$ corresponding to the current version file $F_i$. Specifically, the client digital signature corresponding to the current version file $F_i$ may be determined as follows:
$\sigma_{i1} = \mathrm{SIG}(x, \theta_{i1})$;
where $\mathrm{SIG}(x, \theta_{i1})$ denotes generating, with the private key $x$, the client digital signature $\sigma_{i1}$ (a Boneh-Lynn-Shacham signature, BLS signature for short) over the client version control chain hash value $\theta_{i1}$.
In the embodiment of the invention, the client determines the client aggregate value of the inverse delta hash corresponding to the current version file according to the file identifier corresponding to the current version file and the one-way hash function of the multi-version data integrity cloud auditing system; the client determines the client version control chain hash value corresponding to the current version file according to the file identifier corresponding to the current version file, the client aggregate value of the inverse delta hash, and the one-way hash function and secure hash function of the multi-version data integrity cloud auditing system; and the client uses the private key to generate the client digital signature corresponding to the current version file from the client version control chain hash value corresponding to the current version file. In the embodiment of the invention, the client determines the client aggregate value through the file identifier and the one-way hash function, further determines the client version control chain hash value through the file identifier, the client aggregate value, the one-way hash function and the secure hash function, and finally generates the client digital signature by using the private key and the client version control chain hash value, so that the security of the client digital signature can be improved.
Fig. 4 illustrates an implementation flow of step 202 in the multi-version data integrity cloud auditing method provided by the embodiment of the present invention, and for convenience of description, only the parts related to the embodiment of the present invention are illustrated, and the details are as follows:
in an embodiment of the present invention, in order to improve the accuracy of the server-side version control chain hash value, as shown in fig. 4, in step 202, according to a file identifier corresponding to a current version file, a one-way hash function and a secure hash function of a multi-version data integrity cloud audit system, a public key in a public-private key pair is used to generate the server-side version control chain hash value corresponding to the current version file, which includes:
step 401, a server determines a server-side aggregation value of inverse increment hash corresponding to a current version file according to a file identifier corresponding to the current version file and a one-way hash function of a multi-version data integrity cloud auditing system;
step 402, the server determines a server-side version control chain hash value corresponding to the current version file according to the file identifier corresponding to the current version file, the server-side aggregation value of the inverse increment hash, and the one-way hash function and the secure hash function of the multi-version data integrity cloud auditing system.
After the client sends the file identifier $F_{id}$ of the current version file $F_i$ and the client digital signature $\sigma_{i1}$ to the server, the server first determines the server-side aggregate value $E_{i2}$ of the inverse increment hash corresponding to the current version file $F_i$ according to the file identifier $F_{id}$ corresponding to $F_i$ and the one-way hash function $h(\cdot)$ of the multi-version data integrity cloud auditing system. Specifically, the server-side aggregate value $E_{i2}$ can be determined by the following formula:
Figure BDA0003063815780000081
Then, the server determines the server-side version control chain hash value $\theta_{i2}$ corresponding to the current version file $F_i$ according to the file identifier $F_{id}$ corresponding to $F_i$, the server-side aggregate value $E_{i2}$ of the inverse increment hash, and the one-way hash function $h(\cdot)$ and the secure hash function $H(\cdot)$ of the multi-version data integrity cloud auditing system. Specifically, $\theta_{i2}$ may be determined as follows:
$$\theta_{i2} = H(F_{id} \,\|\, (E_{i2} + h(F_i)))$$
In the embodiment of the invention, a server determines a server-side aggregation value of inverse increment hash corresponding to a current version file according to a file identifier corresponding to the current version file and a one-way hash function of a multi-version data integrity cloud auditing system; and the server determines the server-side version control chain hash value corresponding to the current version file according to the file identifier corresponding to the current version file, the server-side aggregation value of the inverse increment hash, the one-way hash function and the safe hash function of the multi-version data integrity cloud auditing system. According to the embodiment of the invention, the server determines the server side aggregate value through the file identifier and the one-way hash function, and then the server determines the server side version control chain hash value according to the file identifier, the server side aggregate value, the one-way hash function and the safe hash function, so that the accuracy of the server side version control chain hash value can be improved.
Fig. 5 illustrates an implementation flow of step 102 in the multi-version data integrity cloud auditing method provided by the embodiment of the present invention, and for convenience of description, only the parts related to the embodiment of the present invention are illustrated, and the details are as follows:
In an embodiment of the present invention, in order to improve file data security, as shown in fig. 5, step 102, in which, after the signature of the current version file is verified, the server establishes a trusted container and a trusted channel between the client and the trusted container according to a running environment authentication request sent by the client, includes:
Step 501: after the signature of the current version file passes verification, the server creates a trusted container according to the running environment authentication request sent by the client, and sends a hash value of the trusted container to the client;
Step 502: the client verifies, through the software attestation program in the software protection extension instruction, whether the hash value of the trusted container sent by the server is consistent with the expected hash value;
Step 503: when it is verified that the hash value of the trusted container sent by the server is consistent with the expected hash value, a trusted channel between the client and the trusted container of the server is established.
After the signature of the current version file passes verification, the client sends a running environment authentication request to the server in response to the server's message that the signature has passed verification. The server creates a trusted container (enclave) according to the running environment authentication request sent by the client, and sends the hash value of the trusted container (enclave) to the client.
After receiving the hash value of the trusted container sent by the server, the client verifies, through the software attestation program in the software protection extension (SGX) instruction, whether the hash value of the trusted container sent by the server is consistent with the expected hash value. When the hash value of the trusted container sent by the server is verified to be consistent with the expected hash value, the trusted container is reliable and data transmission through the trusted container is safe, so a trusted channel between the client and the trusted container of the server is established, file data is transmitted through the trusted channel, and the security of the file data is guaranteed.
In the embodiment of the invention, after the signature of the current version file passes verification, the server creates a trusted container according to the running environment authentication request sent by the client, and sends a hash value of the trusted container to the client; the client verifies, through the software attestation program in the software protection extension instruction, whether the hash value of the trusted container sent by the server is consistent with the expected hash value; and when the hash value of the trusted container sent by the server is verified to be consistent with the expected hash value, a trusted channel between the client and the trusted container of the server is established. According to the embodiment of the invention, the server creates the trusted container based on the running environment authentication request, and the trusted channel between the client and the trusted container of the server is established only when the client verifies that the hash value of the trusted container sent by the server is consistent with the expected hash value, so that the security of file data is improved.
In addition, the hash value of the trusted container sent by the server may or may not match the expected hash value. In a preferred embodiment, to further ensure data security, on the basis of the above method steps, the multi-version data integrity cloud audit method further includes:
when it is verified that the hash value of the trusted container sent by the server is inconsistent with the expected hash value, the server feeds back to the client a message that the running environment authentication has failed.
Fig. 6 illustrates an implementation flow of step 103 in the multi-version data integrity cloud auditing method provided by the embodiment of the present invention, and for convenience of description, only the parts related to the embodiment of the present invention are illustrated, and details are as follows:
In an embodiment of the present invention, in order to improve the accuracy of data integrity verification, as shown in fig. 6, step 103, in which the server verifies the integrity of the current version file and the historical version file according to the file identifier and the integrity verification request sent by the client through the trusted channel, includes:
Step 601: the server loads the current version file corresponding to the file identifier and the inverse increment corresponding to the current version file from outside the trusted container into the trusted container, according to the file identifier, the integrity verification request and the client version control chain hash value corresponding to the current version file sent by the client through the trusted channel;
Step 602: in the trusted container, the server determines a trusted container aggregate value of the inverse increment hash corresponding to the current version file according to the file identifier corresponding to the current version file and the one-way hash function of the multi-version data integrity cloud auditing system;
Step 603: the server determines a trusted container version control chain hash value corresponding to the current version file according to the file identifier corresponding to the current version file, the trusted container aggregate value of the inverse increment hash, and the one-way hash function and the secure hash function of the multi-version data integrity cloud auditing system;
Step 604: the server verifies whether the trusted container version control chain hash value corresponding to the current version file is consistent with the client version control chain hash value corresponding to the current version file.
When the server verifies the integrity of the current version file $F_i$ and the historical version file, the client initiates a challenge to the server; that is, the client sends, through the trusted channel, the file identifier $F_{id}$ of the current version file $F_i$, the integrity verification request for the current version file $F_i$ and the historical version file, and the client version control chain hash value $\theta_{i1}$ corresponding to the current version file $F_i$. After receiving the information sent by the client, the server loads, from outside the trusted container into the trusted container, the current version file $F_i$ corresponding to the file identifier $F_{id}$ and the inverse increment $\Delta_i$ corresponding to the current version file.
The server then determines, in the trusted container, the trusted container aggregate value $E_{i3}$ of the inverse increment hash corresponding to the current version file $F_i$ according to the file identifier $F_{id}$ corresponding to $F_i$ and the one-way hash function $h(\cdot)$ of the multi-version data integrity cloud auditing system. Specifically, the trusted container aggregate value $E_{i3}$ can be determined by the following formula:
Figure BDA0003063815780000111
Then, the server determines the trusted container version control chain hash value $\theta_{i3}$ corresponding to the current version file $F_i$ according to the file identifier $F_{id}$ corresponding to $F_i$, the trusted container aggregate value $E_{i3}$ of the inverse increment hash, and the one-way hash function $h(\cdot)$ and the secure hash function $H(\cdot)$ of the multi-version data integrity cloud auditing system. Specifically, $\theta_{i3}$ may be determined as follows:
$$\theta_{i3} = H(F_{id} \,\|\, (E_{i3} + h(F_i)))$$
After determining the trusted container version control chain hash value $\theta_{i3}$ corresponding to the current version file $F_i$, the server verifies whether $\theta_{i3}$ is consistent with the client version control chain hash value $\theta_{i1}$ corresponding to the current version file $F_i$. When the trusted container version control chain hash value $\theta_{i3}$ is consistent with the client version control chain hash value $\theta_{i1}$, the file data of the current version file $F_i$ and the historical version file is complete. When $\theta_{i3}$ is not consistent with $\theta_{i1}$, the file data of the current version file $F_i$ and the historical version file is damaged, and the server feeds back a file damage message to the client so that the client can learn the integrity state of the file in time.
In the embodiment of the invention, a server loads a current version file corresponding to a file identifier and an inverse increment corresponding to the current version file from the outside of a trusted container to the trusted container according to the file identifier, an integrity verification request and a client version control chain hash value corresponding to the current version file which are sent by a client through a trusted channel; the server determines a credible container aggregation value of inverse increment hash corresponding to the current version file according to a file identifier corresponding to the current version file and a one-way hash function of a multi-version data integrity cloud auditing system in a credible container; the server determines a trusted container version control chain hash value corresponding to the current version file according to a file identifier corresponding to the current version file, an inverse increment hash trusted container aggregation value, a multi-version data integrity cloud auditing system one-way hash function and a safe hash function; and the server verifies whether the trusted container version control chain hash value corresponding to the current version file is consistent with the client version control chain hash value corresponding to the current version file. The server determines the trusted container aggregate value based on the file identifier and the one-way hash function in the trusted container, further determines the trusted container version control chain hash value according to the file identifier, the trusted container aggregate value, the one-way hash function and the secure hash function, verifies the integrity of file data by verifying whether the trusted container version control chain hash value is consistent with the client version control chain hash value, and can improve the accuracy of data integrity verification.
Fig. 7 illustrates another implementation flow of step 103 in the multi-version data integrity cloud auditing method provided by the embodiment of the present invention, and for convenience of description, only the parts related to the embodiment of the present invention are illustrated, and the details are as follows:
In an embodiment of the present invention, in order to let the client learn the integrity status of the file in time, as shown in fig. 7, on the basis of the above method steps, step 103, in which the server verifies the integrity of the current version file and the historical version file according to the file identifier and the integrity verification request sent by the client through the trusted channel, further includes:
Step 701: when it is verified that the trusted container version control chain hash value corresponding to the current version file is consistent with the client version control chain hash value corresponding to the current version file, the server feeds back a file-complete notification to the client.
When the trusted container version control chain hash value is verified to be consistent with the client version control chain hash value, the data of the current version file and the data of the historical version file are complete, so that the client can know the integrity state of the files in time conveniently, and the server feeds back a complete file notification to the client.
In the embodiment of the invention, when the hash value of the version control chain of the trusted container corresponding to the current version file is verified to be consistent with the hash value of the version control chain of the client corresponding to the current version file, the server feeds back a complete notification of the file to the client, so that the client can know the complete state of the file in time.
In a preferred embodiment, in order to facilitate the client to know the file integrity status in time, the cloud audit method for integrity of multi-version data further includes:
when it is verified that the trusted container version control chain hash value corresponding to the current version file is inconsistent with the client version control chain hash value corresponding to the current version file, the server feeds back a file-incomplete notification to the client.
When the trusted container version control chain hash value is verified to be inconsistent with the client version control chain hash value, the fact that the data of the current version file and the data of the historical version file are incomplete or damaged is shown, so that the client can know the integrity state of the files in time conveniently, and the server feeds back a notice that the files are incomplete to the client.
FIG. 7-1 shows a schematic diagram of an inverse increment version control chain provided by the embodiment of the present invention. As can be seen from FIG. 7-1, the current file version is $u$ and the latest (to-be-updated) file version is $u+1$; that is, the file is updated from $F_u$ to $F_{u+1}$, and the file inverse increment is $\Delta_u$.
The client first calculates the client aggregate value $E_{(u+1)1}$ of the inverse increment hash
Figure BDA0003063815780000121
and the client version control chain hash value $\theta_{(u+1)1} = H(F_{id} \,\|\, (E_{(u+1)1} + h(F_{u+1})))$, and then uses the private key $x$ to generate, for the client version control chain hash value $\theta_{(u+1)1}$, the client digital signature $\sigma_{(u+1)1} = \mathrm{SIG}(x, \theta_{(u+1)1})$.
Then, the client uploads the inverse increment $\Delta_u$ of the file and the client digital signature $\sigma_{(u+1)1}$ to the server. After receiving the information uploaded by the client, the server verifies the integrity of the file data. The server first calculates the server-side aggregate value $E_{(u+1)2}$ of the inverse increment hash
Figure BDA0003063815780000122
and further calculates the server-side version control chain hash value $\theta_{(u+1)2} = H(F_{id} \,\|\, (E_{(u+1)2} + h(F_{u+1})))$, and then uses the public key $pk$ and the server-side version control chain hash value $\theta_{(u+1)2}$ to verify the client digital signature $\sigma_{(u+1)1}$. Specifically: $\delta_{u+1} = \mathrm{Verify}(pk, \theta_{(u+1)2}, \sigma_{(u+1)1})$. If $\delta_{u+1}$ is true, the latest file $F_{u+1} = F_u + \Delta_u$ is determined and the latest file $F_{u+1}$ is saved; if $\delta_{u+1}$ is false, the client is required to upload the file again.
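The version control chain hash used in the upload flow above and in the audit of steps 601 to 604, as an added example that is not code from the patent. The aggregate formula is not reproduced in the text, so the position-bound sum of inverse increment hashes modulo 2^256 is an assumption, as are SHA-256 for h, SHA3-256 for H, the function names and all sample data; the signature step SIG/Verify is left out.

```python
import hashlib
import hmac

MOD = 1 << 256  # assumed: integer sums are reduced to the output width of h


def h(data: bytes) -> int:
    """One-way hash h(.), read as an integer (SHA-256 is an assumption)."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def H(data: bytes) -> bytes:
    """Secure hash H(.) (SHA3-256 is an assumption)."""
    return hashlib.sha3_256(data).digest()


def aggregate(file_id: bytes, inverse_increments: list[bytes]) -> int:
    """Aggregate value E of the inverse increment hashes.

    ASSUMED construction: sum of h(len(F_id) || F_id || j || delta_j) mod 2^256.
    A plain sum is commutative, so the position j is hashed in with each
    increment; otherwise a reordered history would produce the same E.
    """
    prefix = len(file_id).to_bytes(2, "big") + file_id
    total = 0
    for j, delta in enumerate(inverse_increments):
        total = (total + h(prefix + j.to_bytes(8, "big") + delta)) % MOD
    return total


def chain_hash(file_id: bytes, current_file: bytes,
               inverse_increments: list[bytes]) -> bytes:
    """theta = H(F_id || (E + h(F_i))).

    The sum is encoded as exactly 32 bytes, so the boundary between F_id and
    the sum is unambiguous even though F_id has variable length.
    """
    e = aggregate(file_id, inverse_increments)
    bound = (e + h(current_file)) % MOD
    return H(file_id + bound.to_bytes(32, "big"))


def audit(file_id: bytes, stored_file: bytes,
          stored_increments: list[bytes], client_theta: bytes) -> bool:
    """Steps 602 to 604: recompute theta_i3 from what the server stores and
    compare it with the client's theta_i1 in constant time."""
    theta_i3 = chain_hash(file_id, stored_file, stored_increments)
    return hmac.compare_digest(theta_i3, client_theta)


def run_cases() -> dict:
    """Audit one intact and four damaged server states (constructed data)."""
    file_id = b"constructed-file-0001"
    increments = [
        b"-line 3\n",
        b"-line 2\n+line two\n",
        b"-header v3\n+header v2\n",
    ]
    current = b"header v3\nline 1\nline two\n"
    theta_i1 = chain_hash(file_id, current, increments)  # client-side value

    cases = {
        "intact": (current, increments),
        "current_file_modified": (current + b"x", increments),
        "old_increment_modified": (
            current, [increments[0], b"-line 2\n", increments[2]]),
        "increments_reordered": (
            current, [increments[1], increments[0], increments[2]]),
        "oldest_increment_dropped": (current, increments[1:]),
    }
    return {name: audit(file_id, f, incs, theta_i1)
            for name, (f, incs) in cases.items()}


if __name__ == "__main__":
    for name, ok in run_cases().items():
        verdict = "file complete" if ok else "file incomplete"
        print(f"{name:26s} -> {verdict}")
```

Because the current file and every inverse increment feed one hash, a single comparison covers the whole version history, but a mismatch does not say which version was damaged.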
The embodiment of the invention also provides a multi-version data integrity cloud auditing system, which is described in the following embodiment. Because the problem solving principle of the systems is similar to that of the multi-version data integrity cloud auditing method, the implementation of the systems can be referred to the implementation of the method, and repeated details are not repeated.
Fig. 8 shows functional modules of a multi-version data integrity cloud audit system provided by an embodiment of the present invention, and for convenience of description, only parts related to the embodiment of the present invention are shown, and detailed as follows:
referring to fig. 8, modules included in the multi-version data integrity cloud audit system are used to execute steps in the embodiment corresponding to fig. 1, and specific reference is made to fig. 1 and related descriptions in the embodiment corresponding to fig. 1, which are not described herein again. In the embodiment of the invention, the multi-version data integrity cloud auditing system comprises a client and a server, wherein the client is provided with a software protection extension instruction. The multi-version data integrity cloud auditing system comprises a signature verification module 801, an operating environment authentication module 802 and an integrity verification module 803.
And the signature verification module 801 is configured to verify the signature of the current version file sent by the client according to the metadata for verifying the signature.
And the operating environment authentication module 802 is configured to establish a trusted container and a trusted channel between the client and the server trusted container according to an operating environment authentication request sent by the client after the signature of the current version file passes verification.
The integrity verification module 803 is configured to verify the integrity of the current version file and the historical version file according to the file identifier and the integrity verification request sent by the client through the trusted channel.
In the embodiment of the present invention, the signature verification module 801 verifies the signature of the current version file sent by the client according to the metadata for verifying the signature; after the signature of the current version file passes verification, the operating environment authentication module 802 establishes a trusted container and a trusted channel between the client and the server trusted container according to an operating environment authentication request sent by the client; the integrity verification module 803 verifies the integrity of the current version file and the historical version file according to the file identifier and the integrity verification request sent by the client through the trusted channel. In the embodiment of the invention, after the signature of the current version file passes the verification, the running environment authentication module 802 establishes the trusted channel between the trusted container and the server trusted container, and the integrity verification module 803 realizes the verification of the integrity of the current version file and the historical version file in the trusted container, so that the computing and communication overhead of the multi-version data integrity cloud audit can be reduced.
Fig. 9 shows a structural schematic diagram of a signature verification module 801 in a multi-version data integrity cloud auditing system provided by an embodiment of the present invention, and for convenience of description, only the parts related to the embodiment of the present invention are shown, and the detailed description is as follows:
in an embodiment of the invention, the signed metadata includes a one-way hash function and a secure hash function of the multi-version data integrity cloud auditing system. In order to improve the accuracy of the client digital signature verification, referring to fig. 9, each unit included in the signature verification module 801 is configured to execute each step in the embodiment corresponding to fig. 2, and please refer to fig. 2 and the related description in the embodiment corresponding to fig. 2 specifically, which is not described herein again. In the embodiment of the present invention, the signature verification module 801 includes a client signature generation unit 901, a server control chain hash value generation unit 902, and a client signature verification unit 903.
The client signature generation unit 901 is configured to generate a client digital signature corresponding to the current version file by using a private key in a public key and private key pair according to the file identifier corresponding to the current version file, the one-way hash function and the secure hash function of the multi-version data integrity cloud auditing system.
And a server-side control chain hash value generation unit 902, configured to generate a server-side version control chain hash value corresponding to the current version file by using a public key in a public key and private key pair according to the file identifier corresponding to the current version file, the one-way hash function and the secure hash function of the multi-version data integrity cloud audit system.
And the client signature verification unit 903 is configured to verify the client digital signature corresponding to the current version file according to the public key and the server version control chain hash value corresponding to the current version file.
In the embodiment of the present invention, the client signature generation unit 901 generates a client digital signature corresponding to a current version file by using a private key in a public key and private key pair according to a file identifier corresponding to the current version file, a one-way hash function and a secure hash function of a multi-version data integrity cloud auditing system; the server-side control chain hash value generation unit 902 generates a server-side version control chain hash value corresponding to the current version file by using a public key in a public key private key pair according to a file identifier corresponding to the current version file, a one-way hash function and a secure hash function of the multi-version data integrity cloud auditing system; the client signature verification unit 903 verifies the client digital signature corresponding to the current version file according to the public key and the server version control chain hash value corresponding to the current version file. In the embodiment of the present invention, the client signature generation unit 901 generates a client digital signature by using a private key according to a one-way hash function and a secure hash function, and the server control chain hash value generation unit 902 generates a server version control chain hash value by using a public key according to the one-way hash function and the secure hash function. And then the client signature verification unit 903 verifies the client digital signature by using the public key and the server version control chain hash value, so that the accuracy of the client digital signature verification can be improved.
Fig. 10 shows a structural schematic diagram of a client signature generation unit 901 in the multi-version data integrity cloud auditing system provided by the embodiment of the present invention, and for convenience of description, only the parts related to the embodiment of the present invention are shown, and the details are as follows:
in an embodiment of the present invention, in order to improve the security of the client digital signature, referring to fig. 10, each sub-unit included in the client signature generating unit 901 is configured to execute each step in the embodiment corresponding to fig. 3, and specifically refer to fig. 3 and the related description in the embodiment corresponding to fig. 3, which is not described herein again. In this embodiment of the present invention, the client signature generating unit 901 includes a client aggregate value determining subunit 1001, a client control chain hash value determining subunit 1002, and a client signature generating subunit 1003.
The client aggregate value determining subunit 1001 is configured to determine, according to a file identifier corresponding to the current version file and a one-way hash function of the multi-version data integrity cloud audit system, a client aggregate value of the inverse increment hash corresponding to the current version file.
The client control chain hash value determining subunit 1002 is configured to determine a client version control chain hash value corresponding to the current version file according to the file identifier and the inverse increment hash client aggregation value corresponding to the current version file, and the one-way hash function and the secure hash function of the multi-version data integrity cloud audit system.
The client signature generation subunit 1003 is configured to use the private key to generate a client digital signature corresponding to the current version file from the client version control chain hash value corresponding to the current version file.
In the embodiment of the present invention, the client aggregate value determining subunit 1001 determines, according to a file identifier corresponding to a current version file and a one-way hash function of a multi-version data integrity cloud audit system, a client aggregate value of an inverse increment hash corresponding to the current version file; the client control chain hash value determination subunit 1002 determines a client version control chain hash value corresponding to the current version file according to the file identifier corresponding to the current version file, the client aggregation value of the inverse increment hash, and the one-way hash function and the secure hash function of the multi-version data integrity cloud audit system; the client signature generation subunit 1003 generates a client digital signature corresponding to the current version file according to the client version control chain hash value corresponding to the current version file by the private key. In the embodiment of the present invention, the client aggregate value determining subunit 1001 determines the client aggregate value through the file identifier and the one-way hash function, the client control chain hash value determining subunit 1002 determines the client version control chain hash value through the file identifier, the client aggregate value, the one-way hash function, and the secure hash function, and finally, the client signature generating subunit 1003 generates the client digital signature by using the private key and the client version control chain hash value, so that the security of the client digital signature can be improved.
Fig. 11 shows a structural schematic diagram of a server-side control chain hash value generation unit 902 in the multi-version data integrity cloud auditing system provided by the embodiment of the present invention, and for convenience of description, only the parts related to the embodiment of the present invention are shown, and the details are as follows:
in an embodiment of the present invention, in order to improve the accuracy of the server-side version control chain hash value, referring to fig. 11, each sub-unit included in the server-side version control chain hash value generating unit 902 is configured to execute each step in the embodiment corresponding to fig. 4, specifically please refer to fig. 4 and the related description in the embodiment corresponding to fig. 4, which is not described herein again. In this embodiment of the present invention, the server-side control chain hash value generating unit 902 includes a server-side aggregate value determining sub-unit 1101 and a server-side control chain hash value determining sub-unit 1102.
The server-side aggregate value determining subunit 1101 is configured to determine, according to a file identifier corresponding to the current version file and a one-way hash function of the multi-version data integrity cloud auditing system, a server-side aggregate value of inverse increment hash corresponding to the current version file.
The server-side control chain hash value determining subunit 1102 is configured to determine a server-side version control chain hash value corresponding to the current version file according to the file identifier corresponding to the current version file, the inverse increment hashed server-side aggregation value, the one-way hash function of the multi-version data integrity cloud audit system, and the secure hash function.
In this embodiment of the present invention, the server-side aggregate value determining subunit 1101 determines, according to a file identifier corresponding to a current version file and a one-way hash function of a multi-version data integrity cloud audit system, a server-side aggregate value of inverse increment hash corresponding to the current version file; the server-side control chain hash value determination subunit 1102 determines a server-side version control chain hash value corresponding to the current version file according to the file identifier corresponding to the current version file, the server-side aggregation value of the inverse increment hash, and the one-way hash function and the secure hash function of the multi-version data integrity cloud audit system. In the embodiment of the present invention, the server side aggregate value determining subunit 1101 determines the server side aggregate value through the file identifier and the one-way hash function, and then the server side control chain hash value determining subunit 1102 determines the server side version control chain hash value according to the file identifier, the server side aggregate value, the one-way hash function, and the secure hash function, so that the accuracy of the server side version control chain hash value can be improved.
Fig. 12 shows a structural schematic diagram of the operating environment authentication module 802 in the multi-version data integrity cloud auditing system provided by an embodiment of the present invention. For convenience of description, only the parts related to the embodiment of the present invention are shown, as detailed below:
In an embodiment of the present invention, in order to improve the security of the file data, referring to fig. 12, each unit included in the operating environment authentication module 802 is configured to execute the corresponding step in the embodiment of fig. 5; for details, refer to fig. 5 and the related description of that embodiment, which are not repeated here. In the embodiment of the present invention, the operating environment authentication module 802 includes a trusted container establishing unit 1201, a container hash value verification unit 1202, and a trusted channel establishing unit 1203.
The trusted container establishing unit 1201 is configured to, after the signature of the current version file passes verification, establish a trusted container according to the operating environment authentication request sent by the client, and send the hash value of the trusted container to the client.
The container hash value verification unit 1202 is configured to verify, by a software attestation program in the software protection extension instruction, whether the hash value of the trusted container sent by the server is consistent with the expected hash value.
The trusted channel establishing unit 1203 is configured to establish a trusted channel between the client and the trusted container of the server when the hash value of the trusted container sent by the server is verified to be consistent with the expected hash value.
In the embodiment of the present invention, after the signature of the current version file passes verification, the trusted container establishing unit 1201 establishes a trusted container according to the operating environment authentication request sent by the client, and sends the hash value of the trusted container to the client; the container hash value verification unit 1202 verifies, by a software attestation program in the software protection extension instruction, whether the hash value of the trusted container sent by the server is consistent with the expected hash value; the trusted channel establishing unit 1203 establishes a trusted channel between the client and the trusted container of the server when the hash value of the trusted container sent by the server is verified to be consistent with the expected hash value. Because the trusted container is established on the basis of the operating environment authentication request, and the trusted channel between the client and the trusted container of the server is established only when the hash value of the trusted container sent by the server is verified to be consistent with the expected hash value, the security of the file data is improved.
Fig. 13 shows a structural schematic diagram of the integrity verification module 803 in the multi-version data integrity cloud auditing system provided by an embodiment of the present invention. For convenience of description, only the parts related to the embodiment of the present invention are shown, as detailed below:
In an embodiment of the present invention, in order to improve the accuracy of data integrity verification, referring to fig. 13, each unit included in the integrity verification module 803 is configured to execute the corresponding step in the embodiment of fig. 6; for details, refer to fig. 6 and the related description of that embodiment, which are not repeated here. In this embodiment of the present invention, the integrity verification module 803 includes a loading unit 1301, a trusted container aggregate value determining unit 1302, a trusted container control chain hash value determining unit 1303, and a hash value verification unit 1304.
The loading unit 1301 is configured to load, from outside the trusted container into the trusted container, the current version file corresponding to the file identifier and the inverse increments corresponding to the current version file, according to the file identifier, the integrity verification request, and the client version control chain hash value corresponding to the current version file, which are sent by the client through the trusted channel.
The trusted container aggregate value determining unit 1302 is configured to determine, in the trusted container, a trusted container aggregate value of the inverse increment hash corresponding to the current version file according to the file identifier corresponding to the current version file and the one-way hash function of the multi-version data integrity cloud auditing system.
The trusted container control chain hash value determining unit 1303 is configured to determine the trusted container version control chain hash value corresponding to the current version file according to the file identifier corresponding to the current version file, the trusted container aggregate value of the inverse increment hash, and the one-way hash function and the secure hash function of the multi-version data integrity cloud auditing system.
The hash value verification unit 1304 is configured to verify whether the trusted container version control chain hash value corresponding to the current version file is consistent with the client version control chain hash value corresponding to the current version file.
In the embodiment of the present invention, the loading unit 1301 loads the current version file corresponding to the file identifier and the inverse increments corresponding to the current version file from outside the trusted container into the trusted container, according to the file identifier, the integrity verification request, and the client version control chain hash value corresponding to the current version file sent by the client through the trusted channel; the trusted container aggregate value determining unit 1302 determines, in the trusted container, the trusted container aggregate value of the inverse increment hash corresponding to the current version file according to the file identifier corresponding to the current version file and the one-way hash function of the multi-version data integrity cloud auditing system; the trusted container control chain hash value determining unit 1303 determines the trusted container version control chain hash value corresponding to the current version file according to the file identifier corresponding to the current version file, the trusted container aggregate value of the inverse increment hash, and the one-way hash function and the secure hash function of the multi-version data integrity cloud auditing system; the hash value verification unit 1304 verifies whether the trusted container version control chain hash value corresponding to the current version file is consistent with the client version control chain hash value corresponding to the current version file.
Because the trusted container aggregate value is determined inside the trusted container from the file identifier and the one-way hash function, the trusted container version control chain hash value is then determined from the file identifier, the trusted container aggregate value, the one-way hash function, and the secure hash function, and the integrity of the file data is verified by checking whether the trusted container version control chain hash value is consistent with the client version control chain hash value, the accuracy of data integrity verification can be improved.
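The check carried out by units 1301 to 1304, gated by the container hash comparison of unit 1202, is sketched below as an added example that is not part of the patent text. The concrete construction is assumed: SHA-256 and SHA-512 stand in for the one-way and secure hash functions, the aggregate is a simple hash chain over the inverse increments, a plain digest comparison stands in for SGX software attestation, and all names and sample data are constructed.

```python
import hashlib
import hmac
from typing import Dict, List, Tuple

# Assumed stand-ins: the patent names a "one-way hash function" and a
# "secure hash function" without this section fixing concrete algorithms.
def h1(data: bytes) -> bytes:
    """One-way hash function (assumption: domain-separated SHA-256)."""
    return hashlib.sha256(b"H1|" + data).digest()


def h2(data: bytes) -> bytes:
    """Secure hash function (assumption: domain-separated SHA-512)."""
    return hashlib.sha512(b"H2|" + data).digest()


def aggregate_inverse_increments(file_id: bytes, deltas: List[bytes]) -> bytes:
    """Fold the hash of every inverse increment into one aggregate value.

    The fold is chained and indexed, so dropping, editing or reordering
    any historical increment changes the result (assumed construction).
    """
    acc = h1(file_id)
    for index, delta in enumerate(deltas):
        acc = h1(acc + index.to_bytes(4, "big") + h1(delta))
    return acc


def version_chain_hash(file_id: bytes, current: bytes, deltas: List[bytes]) -> bytes:
    """Version control chain hash over the file identifier, the current
    version file and the aggregate of its inverse increments."""
    aggregate = aggregate_inverse_increments(file_id, deltas)
    framed_id = len(file_id).to_bytes(4, "big") + file_id  # unambiguous framing
    return h2(framed_id + h1(current) + aggregate)


# Untrusted storage outside the container: file_id -> (current file, deltas).
Store = Dict[bytes, Tuple[bytes, List[bytes]]]


def audit(store: Store, file_id: bytes, client_chain_hash: bytes,
          reported_measurement: bytes, expected_measurement: bytes) -> str:
    """Run one audit and return its outcome.

    'untrusted-container': container hash differs from the expected hash,
                           so no trusted channel is set up and nothing is sent.
    'missing':             the server holds no data for the identifier.
    'intact'/'corrupted':  result of comparing the recomputed chain hash
                           with the client's value.
    """
    # Client side: refuse to proceed unless the container hash matches.
    if not hmac.compare_digest(reported_measurement, expected_measurement):
        return "untrusted-container"
    if file_id not in store:
        return "missing"
    # Inside the container: load from outside, recompute, compare.
    current, deltas = store[file_id]
    recomputed = version_chain_hash(file_id, current, deltas)
    # Constant-time comparison avoids leaking how many bytes matched.
    return "intact" if hmac.compare_digest(recomputed, client_chain_hash) else "corrupted"


# Constructed sample data: version 3 of a file plus the inverse increments
# that roll it back to version 2 and then to version 1.
FILE_ID = b"ledger-2021.csv"
CURRENT = b"id,amount\n1,100\n2,250\n3,75\n"
DELTAS = [b"-3,75", b"-2,250"]
EXPECTED_MEASUREMENT = hashlib.sha256(b"constructed audit container image").digest()
CLIENT_CHAIN_HASH = version_chain_hash(FILE_ID, CURRENT, DELTAS)

if __name__ == "__main__":
    honest = {FILE_ID: (CURRENT, DELTAS)}
    tampered = {FILE_ID: (CURRENT, [b"-3,75", b"-2,999"])}
    for label, store in (("honest", honest), ("tampered history", tampered)):
        print(label, "->", audit(store, FILE_ID, CLIENT_CHAIN_HASH,
                                 EXPECTED_MEASUREMENT, EXPECTED_MEASUREMENT))
```

A single comparison covers the current version and every historical version, because each inverse increment feeds the aggregate that the chain hash commits to.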
Fig. 14 shows another structural schematic diagram of the integrity verification module 803 in the multi-version data integrity cloud auditing system provided by the embodiment of the present invention. For convenience of description, only the parts related to the embodiment of the present invention are shown, as detailed below:
In an embodiment of the present invention, so that the client can learn the file integrity status in time, referring to fig. 14, each unit included in the integrity verification module 803 is configured to execute the corresponding step in the embodiment of fig. 7; for details, refer to fig. 7 and the related description of that embodiment, which are not repeated here. In the embodiment of the present invention, on the basis of the module structure shown in fig. 13, the integrity verification module 803 further includes a feedback unit 1401.
The feedback unit 1401 is configured to feed back to the client a notification that the file is complete when it is verified that the trusted container version control chain hash value corresponding to the current version file is consistent with the client version control chain hash value corresponding to the current version file.
In the embodiment of the present invention, when it is verified that the trusted container version control chain hash value corresponding to the current version file is consistent with the client version control chain hash value corresponding to the current version file, the feedback unit 1401 feeds back to the client a notification that the file is complete, so that the client can learn the integrity status of the file in time.
In cloud storage services, data is often saved in incremental form to support data updates and data backup. Saving data incrementally effectively saves storage space and facilitates data rollback. For the cloud audit of multi-version data, the invention provides an SGX-based multi-version data integrity cloud auditing method. Data storage is organized in an inverse increment manner, in line with the characteristics of multi-version data storage and in order to achieve efficient data access. To reduce the computation, communication and storage overhead of the multi-version data client and server, the method introduces Intel Software Guard Extensions (SGX, the software protection extension referred to above). This avoids the heavy computation and communication overhead that traditional cloud auditing methods incur at the client and the server when auditing the integrity of multi-version data, and it also reduces the communication overhead between the client and the server caused by the data integrity audit. A hash chain ensures the freshness of the data, and multiple versions of the data can be verified at one time.
The multi-version data integrity cloud auditing method and system provided by the invention can be applied in the financial field, and it should be understood that they are also applicable to application fields other than the financial field; the invention is not particularly limited in this respect.
An embodiment of the invention also provides a computer device comprising a memory, a processor, and a computer program stored on the memory and executable on the processor, wherein the processor implements the multi-version data integrity cloud auditing method when executing the computer program.
An embodiment of the invention also provides a computer-readable storage medium storing a computer program for executing the multi-version data integrity cloud auditing method.
In summary, in the embodiment of the present invention, the server verifies the signature of the current version file sent by the client according to the metadata for verifying the signature; after the signature of the current version file passes verification, the server establishes a trusted container and a trusted channel between the client and the trusted container of the server according to an operating environment authentication request sent by the client; and the server verifies the integrity of the current version file and the historical version files according to the file identifier and the integrity verification request sent by the client through the trusted channel. According to the embodiment of the invention, after the signature of the current version file passes verification, the integrity of the current version file and the historical version files is verified inside the trusted container by establishing the trusted container and the trusted channel between the client and the trusted container of the server, so that the computation and communication overhead of the cloud audit of multi-version data integrity can be reduced.
As will be appreciated by one skilled in the art, embodiments of the present invention may be provided as a method, system, or computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present invention may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present invention is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the invention. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
The above-mentioned embodiments are intended to illustrate the objects, technical solutions and advantages of the present invention in further detail, and it should be understood that the above-mentioned embodiments are only exemplary embodiments of the present invention, and are not intended to limit the scope of the present invention, and any modifications, equivalent substitutions, improvements and the like made within the spirit and principle of the present invention should be included in the scope of the present invention.

Claims (10)

1. A multi-version data integrity cloud auditing method is characterized by being applied to a multi-version data integrity cloud auditing system comprising a server and a client which are deployed with software protection extension instructions, and comprising the following steps:
the server verifies the signature of the current version file sent by the client according to the metadata for verifying the signature;
after the signature of the current version file passes verification, the server establishes a trusted container and a trusted channel between the client and the server trusted container according to an operating environment authentication request sent by the client;
and the server verifies the integrity of the current version file and the historical version files according to the file identifier and the integrity verification request sent by the client through the trusted channel.
2. The cloud auditing method for multi-version data integrity of claim 1 in which the server verifies the signature of the current version of the file sent by the client according to the metadata for verifying the signature, including:
and the server verifies the signature of the current version file sent by the client in an inverse increment mode according to the metadata for verifying the signature.
3. The multi-version data integrity cloud auditing method of claim 2, wherein the metadata for verifying the signature includes a one-way hash function and a secure hash function of the multi-version data integrity cloud auditing system, and the server verifying the signature of the current version file sent by the client in an inverse increment manner according to the metadata for verifying the signature includes:
the client generates a client digital signature corresponding to the current version file by using the private key of a public/private key pair according to a file identifier corresponding to the current version file and the one-way hash function and the secure hash function of the multi-version data integrity cloud auditing system;
the server generates a server-side version control chain hash value corresponding to the current version file by using the public key of the public/private key pair according to the file identifier corresponding to the current version file and the one-way hash function and the secure hash function of the multi-version data integrity cloud auditing system;
and the server verifies the client digital signature corresponding to the current version file according to the public key and the server-side version control chain hash value corresponding to the current version file.
4. The multi-version data integrity cloud auditing method of claim 3, wherein the client generating a client digital signature corresponding to the current version file by using the private key of a public/private key pair according to a file identifier corresponding to the current version file and the one-way hash function and the secure hash function of the multi-version data integrity cloud auditing system comprises:
the client determines a client aggregate value of the inverse increment hash corresponding to the current version file according to the file identifier corresponding to the current version file and the one-way hash function of the multi-version data integrity cloud auditing system;
the client determines a client version control chain hash value corresponding to the current version file according to the file identifier corresponding to the current version file, the client aggregate value of the inverse increment hash, and the one-way hash function and the secure hash function of the multi-version data integrity cloud auditing system;
and the client generates, using the private key, the client digital signature corresponding to the current version file according to the client version control chain hash value corresponding to the current version file.
5. The multi-version data integrity cloud auditing method of claim 3, wherein generating the server-side version control chain hash value corresponding to the current version file by using the public key of the public/private key pair according to the file identifier corresponding to the current version file and the one-way hash function and the secure hash function of the multi-version data integrity cloud auditing system comprises:
the server determines a server-side aggregate value of the inverse increment hash corresponding to the current version file according to the file identifier corresponding to the current version file and the one-way hash function of the multi-version data integrity cloud auditing system;
and the server determines the server-side version control chain hash value corresponding to the current version file according to the file identifier corresponding to the current version file, the server-side aggregate value of the inverse increment hash, and the one-way hash function and the secure hash function of the multi-version data integrity cloud auditing system.
6. The cloud audit method of multi-version data integrity of claim 2 wherein the server establishes the trusted container and the trusted channel between the client and the server trusted container according to the operating environment authentication request sent by the client after the signature verification of the current version file passes, comprising:
after the signature of the current version file passes verification, the server creates a trusted container according to an operating environment authentication request sent by the client, and sends a hash value of the trusted container to the client;
the client verifies, by a software attestation program in the software protection extension instruction, whether the hash value of the trusted container sent by the server is consistent with the expected hash value;
and when the hash value of the trusted container sent by the server is verified to be consistent with the expected hash value, a trusted channel is established between the client and the trusted container of the server.
7. The cloud auditing method for multi-version data integrity of claim 2 in which a server verifies the integrity of current and historical version files according to a file identifier and an integrity verification request sent by a client over a trusted channel, comprising:
the server loads a current version file corresponding to the file identifier and an inverse increment corresponding to the current version file from the outside of the trusted container to the trusted container according to the file identifier, the integrity verification request and a client version control chain hash value corresponding to the current version file which are sent by the client through the trusted channel;
the server determines, in the trusted container, a trusted container aggregate value of the inverse increment hash corresponding to the current version file according to the file identifier corresponding to the current version file and the one-way hash function of the multi-version data integrity cloud auditing system;
the server determines a trusted container version control chain hash value corresponding to the current version file according to the file identifier corresponding to the current version file, the trusted container aggregate value of the inverse increment hash, and the one-way hash function and the secure hash function of the multi-version data integrity cloud auditing system;
and the server verifies whether the trusted container version control chain hash value corresponding to the current version file is consistent with the client version control chain hash value corresponding to the current version file.
8. A multi-version data integrity cloud auditing system, characterized by comprising a client and a server on which software protection extension instructions are deployed, and comprising:
the signature verification module is used for verifying the signature of the current version file sent by the client according to the metadata for verifying the signature;
the operating environment authentication module is used for establishing a trusted container and a trusted channel between the client and the trusted container of the server according to an operating environment authentication request sent by the client after the signature of the current version file passes verification;
and the integrity verification module is used for verifying the integrity of the current version file and the historical version files according to the file identifier and the integrity verification request sent by the client through the trusted channel.
9. A computer device comprising a memory, a processor, and a computer program stored on the memory and executable on the processor, wherein the processor implements the multi-version data integrity cloud audit method of any of claims 1 to 7 when executing the computer program.
10. A computer-readable storage medium storing a computer program for executing the multi-version data integrity cloud audit method according to any one of claims 1 to 7.
CN202110520638.8A 2021-05-13 2021-05-13 Multi-version data integrity cloud auditing method and system Pending CN113139213A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110520638.8A CN113139213A (en) 2021-05-13 2021-05-13 Multi-version data integrity cloud auditing method and system

Publications (1)

Publication Number Publication Date
CN113139213A true CN113139213A (en) 2021-07-20

Family

ID=76817707

Country Status (1)

Country Link
CN (1) CN113139213A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination