CN113886847A - Method and system for encrypted storage and access of IPFS file system - Google Patents
Method and system for encrypted storage and access of IPFS file system Download PDFInfo
- Publication number
- CN113886847A CN113886847A CN202111081546.0A CN202111081546A CN113886847A CN 113886847 A CN113886847 A CN 113886847A CN 202111081546 A CN202111081546 A CN 202111081546A CN 113886847 A CN113886847 A CN 113886847A
- Authority
- CN
- China
- Prior art keywords
- file
- encryption
- key
- character string
- random character
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
Images
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/602—Providing cryptographic facilities or services
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/62—Protecting access to data via a platform, e.g. using keys or access control rules
- G06F21/6218—Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
Landscapes
- Engineering & Computer Science (AREA)
- Theoretical Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Bioethics (AREA)
- General Health & Medical Sciences (AREA)
- Computer Hardware Design (AREA)
- Health & Medical Sciences (AREA)
- Software Systems (AREA)
- Physics & Mathematics (AREA)
- General Engineering & Computer Science (AREA)
- General Physics & Mathematics (AREA)
- Databases & Information Systems (AREA)
- Storage Device Security (AREA)
Abstract
The invention discloses a method for encrypted storage and access of an IPFS file system.A file to be uploaded and an encryption grade are obtained by an uploading client according to user operation, and a first public key is obtained from a key management server; the uploading client generates a random character string, encrypts a file to be uploaded by using the random character string to obtain an encrypted file, and encrypts the random character string according to the encryption grade and the first public key to obtain a corresponding encryption grade encryption step to obtain a key ciphertext; the uploading client sends the encrypted file to the IPFS server to obtain a content identifier generated by the IPFS server according to the encrypted file, and sends metadata to the application server for storage, wherein the metadata comprises the content identifier, a key ciphertext and an encryption grade; the invention stores the encrypted file in the IPFS file system, and encrypts the random character string at the corresponding level according to the encryption level, thereby solving the security problem of the IPFS file system and simultaneously better meeting the security requirement of users.
Description
Technical Field
The invention relates to the technical field of data storage, in particular to a method and a system for encrypted storage and access of an IPFS file system.
Background
IPFS (Inter planet File System) is a point-to-point distributed File System for storing and accessing files, websites, applications and data. IPFS is not concerned with the concealment of data content. That is, it does not achieve efficient security guarantees for file storage for IPFS.
Disclosure of Invention
The technical problem to be solved by the invention is as follows: the method and the system for the encrypted storage and access of the IPFS file system are provided, and the safety of the IPFS file system can be effectively improved.
In order to solve the technical problems, the invention adopts the technical scheme that:
a method for encrypted storage and access of an IPFS file system comprises the following steps:
s1, the uploading client obtains the file to be uploaded and the encryption grade according to the user operation, and obtains a first public key from the key management server;
s2, the uploading client generates a random character string, encrypts the file to be uploaded by using the random character string to obtain an encrypted file, and encrypts the random character string according to the encryption grade and the first public key to obtain a key ciphertext;
and S3, the uploading client sends the encrypted file to an IPFS server to obtain a content identifier generated by the IPFS server according to the encrypted file, and sends metadata to an application server for storage, wherein the metadata comprises the content identifier, the key ciphertext and the encryption level.
In order to solve the technical problem, the invention adopts another technical scheme as follows:
a system for encrypted storage and access of an IPFS file system, comprising an upload client, the upload client comprising a first processor, a first memory, and a first computer program stored in the first memory and executable on the first processor, the first processor implementing the following steps when executing the first computer program:
s1, obtaining a file to be uploaded and an encryption grade according to user operation, and obtaining a first public key from a key management server;
s2, generating a random character string, encrypting the file to be uploaded by using the random character string to obtain an encrypted file, and performing an encryption step of a corresponding encryption grade on the random character string according to the encryption grade and the first public key to obtain a key ciphertext;
s3, sending the encrypted file to an IPFS server to obtain a content identifier generated by the IPFS server according to the encrypted file, and sending metadata to an application server for storage, wherein the metadata comprises the content identifier, the key ciphertext and the encryption level.
The invention has the beneficial effects that: the invention stores the encrypted file in the IPFS file system, the encryption key of the encrypted file adopts a random character string form, and after the random character string is encrypted according to the encryption grade and the corresponding grade is encrypted, the encrypted file, the content identifier and the encryption grade are stored in a third party server together, the file and the key are stored in a distinguishing way, the original file can not be obtained from the IPFS file system, the security problem of the IPFS file system is solved, and meanwhile, different encryption processes are adopted according to different encryption grades, so that the security requirement of a user is better met.
Drawings
FIG. 1 is a flowchart of a method for encrypted storage and access of an IPFS file system according to an embodiment of the present invention;
FIG. 2 is a block diagram of a system for encrypted storage and access of an IPFS file system according to an embodiment of the present invention;
FIG. 3 is a schematic diagram illustrating an encryption flow of a method for storing and accessing an IPFS file system in an encrypted manner according to an embodiment of the present invention;
FIG. 4 is a schematic diagram illustrating a decryption process of a method for encrypted storage and access of an IPFS file system according to an embodiment of the present invention;
FIG. 5 is a schematic diagram of a first-level encryption flow of a method for storing and accessing an IPFS file system in an encrypted manner according to an embodiment of the present invention;
fig. 6 is a schematic primary decryption flow diagram of a method for encrypted storage and access of an IPFS file system according to an embodiment of the present invention.
Detailed Description
In order to explain technical contents, achieved objects, and effects of the present invention in detail, the following description is made with reference to the accompanying drawings in combination with the embodiments.
Abbreviations and key term definitions:
IPFS (inter planar File System) is an interplanetary File system, which is a point-to-point distributed File system.
Kms (key Management server): key management service, identity authentication center.
Mdms (metadata Management server): the metadata management service, i.e. the application server in the present application, records file CID, name, fingerprint, file key, etc.
Aes (advanced Encryption standard): advanced encryption standards.
CID: the content identifier, each file in the IPFS, will have a unique CID to identify.
File key (AES key): the file is encrypted by AES, and the file key is the random string provided to the AES encryption.
RSA: RSA public key encryption algorithm.
Referring to fig. 1 and fig. 3 to 6, a method for encrypted storage and access of an IPFS file system includes the steps of:
s1, the uploading client obtains the file to be uploaded and the encryption grade according to the user operation, and obtains a first public key from the key management server;
s2, the uploading client generates a random character string, encrypts the file to be uploaded by using the random character string to obtain an encrypted file, and encrypts the random character string according to the encryption grade and the first public key to obtain a key ciphertext;
and S3, the uploading client sends the encrypted file to an IPFS server to obtain a content identifier generated by the IPFS server according to the encrypted file, and sends metadata to an application server for storage, wherein the metadata comprises the content identifier, the key ciphertext and the encryption level.
From the above description, the beneficial effects of the present invention are: the invention stores the encrypted file in the IPFS file system, the encryption key of the encrypted file adopts a random character string form, and after the random character string is encrypted according to the encryption grade and the corresponding grade is encrypted, the encrypted file, the content identifier and the encryption grade are stored in a third party server together, the file and the key are stored in a distinguishing way, the original file can not be obtained from the IPFS file system, the security problem of the IPFS file system is solved, and meanwhile, different encryption processes are adopted according to different encryption grades, so that the security requirement of a user is better met.
Further, the method also comprises the following steps:
s4, the access client acquires the encrypted file from the IPFS server and sends a decryption request to the key management server through the application server, wherein the decryption request comprises the encryption grade corresponding to the encrypted file and the key ciphertext;
s5, the key management server carries out a corresponding decryption process according to the encryption level, obtains the random character string after decryption is successful, and sends the random character string to the access client;
and S6, the access client decrypts the encrypted file according to the random character string to obtain a target file.
As can be seen from the above description, after the access client obtains the file from the IPFS server, the access client also needs to obtain the random string for encrypting the file through the application server and the key management server to decrypt the encrypted file, so as to obtain the target file, and thus the security of the file is ensured.
Further, the metadata further includes a file fingerprint;
the step S1 specifically includes:
the uploading client obtains the file to be uploaded and the encryption grade according to user operation, calculates the file fingerprint of the file to be uploaded, sends the file fingerprint to the application server for comparison, if the same file fingerprint exists, the file exists, the next operation is not carried out, otherwise, the application server obtains a first public key from the key management server, and returns the first public key to the uploading client.
According to the description, the file fingerprint is calculated before the file is encrypted and stored, the file fingerprint is stored in the application server as one of the contents of the metadata, and the file fingerprint is compared with the file fingerprint of the file stored in the IPFS, so that the file deduplication storage based on the file fingerprint is realized.
Further, the encryption level comprises non-encryption, primary encryption and secondary encryption, and the metadata further comprises uploading client information;
the step S1 is preceded by the steps of:
s01, the uploading client side initializes and generates a second public key and a second private key;
the step S2 includes the steps of:
s21, the uploading client generates the random character string, and encrypts the file to be uploaded by using the random character string to obtain the encrypted file;
s22, judging the encryption level, and if the encryption level is not encrypted, directly taking the random character string as the key ciphertext;
if the encryption level is first-level encryption, encrypting the random character string by using the first public key to obtain the key ciphertext;
if the encryption level is secondary encryption, encrypting the random character string by using the first public key to obtain an intermediate ciphertext, and encrypting the intermediate ciphertext by using the second public key to obtain the key ciphertext;
the step S4 includes the steps of:
s41, the access client acquires the encrypted file from the IPFS server according to the content identifier provided by the user, and sends a first decryption request to the application server, wherein the first decryption request comprises the content identifier;
s42, the application server searches the metadata of the file according to the content identifier to obtain the encryption grade and the key ciphertext corresponding to the content identifier;
s43, the application server judges whether the encryption level is secondary encryption, if not, a second decryption request is sent to the key management server, and the second decryption request comprises the key ciphertext, otherwise, the step S44 is executed;
s44, the application server sends a third decryption request including the encryption key to the uploading client according to the uploading client information, the uploading client receives the third decryption request, whether decryption is agreed is judged according to user operation or a white list preset by a user, if decryption is agreed, the key ciphertext is decrypted through the second private key to obtain the intermediate ciphertext, the intermediate ciphertext is returned to the application server, the application server sends the second decryption request to the key management server, the second decryption request includes the intermediate ciphertext, and if decryption is not agreed, decryption refusal information is returned;
the step S5 specifically includes:
and the key management server performs a corresponding decryption process on the key ciphertext or the intermediate ciphertext according to the encryption level, obtains the random character string after decryption is successful, and sends the random character string to the access client.
According to the description, the encryption grades are classified into non-encryption, first-grade encryption and second-grade encryption, the grading encryption can effectively meet the encryption requirements of users on different files, and for the second-grade encrypted files, decryption can be completed only by uploading confirmation of a client, so that the security is higher.
Further, the step S5 specifically includes the following steps:
s51, the key management server judges the encryption level, if the encryption level is not encrypted, the key ciphertext is the random character string required by decryption, the random character string is returned to the application server, otherwise, the key ciphertext or the intermediate ciphertext is decrypted by a first private key, the random character string is obtained and returned to the application server;
and S52, the application server returns the random character string to the access client.
From the above description, even if the encryption level is not encrypted, the application server and the key management server are required, and for the encryption levels of the primary encryption and the secondary encryption, the random character string for decrypting the encrypted file can be obtained only through the key management server, so that the security of the file is ensured.
Further, the first decryption request further includes a third public key generated by the access client;
the step S52 specifically includes:
the application server encrypts the random character string by using the third public key and returns the encrypted random character string to the access client;
the step S6 specifically includes:
and the access client decrypts the random character string encrypted by the third public key according to a third private key to obtain the original random character string, and decrypts the encrypted file by using the random character string to obtain a target file.
As can be seen from the above description, after the random character string for decryption is obtained, the random character string for decryption can be transmitted to the access client only after being encrypted by the third public key, and the random character string for decryption can be obtained only after being decrypted by the access client by the third private key, so that the security problem that the random character string for decryption is stolen in the process of transmitting data to the access client is solved.
Further, the step S01 is specifically:
and initializing the uploading client, and generating the second public key and the second private key by an RSA algorithm.
As can be seen from the above description, the RSA algorithm is adopted to generate the second public and private keys, and is recognized as one of the top-grade public key schemes, which has extremely high security.
Further, the encrypting the file to be uploaded by using the random character string to obtain an encrypted file specifically includes:
and encrypting the file to be uploaded by using the random character string through an AES encryption algorithm to obtain the encrypted file.
According to the description, the random character strings are used for encrypting the file to be uploaded by adopting an AES symmetric encryption algorithm, and the random character strings are used for encryption each time, so that the encryption is not regular and is more difficult to crack.
Referring to fig. 2, a system for encrypted storage and access of an IPFS file system includes an upload client, where the upload client includes a first processor, a first memory, and a first computer program stored in the first memory and executable on the first processor, and the first processor implements the following steps when executing the first computer program:
s1, obtaining a file to be uploaded and an encryption grade according to user operation, and obtaining a first public key from a key management server;
s2, generating a random character string, encrypting the file to be uploaded by using the random character string to obtain an encrypted file, and performing an encryption step of a corresponding encryption grade on the random character string according to the encryption grade and the first public key to obtain a key ciphertext;
s3, sending the encrypted file to an IPFS server to obtain a content identifier generated by the IPFS server according to the encrypted file, and sending metadata to an application server for storage, wherein the metadata comprises the content identifier, the key ciphertext and the encryption level.
From the above description, the beneficial effects of the present invention are: the invention stores the encrypted file in the IPFS file system, the encryption key of the encrypted file adopts a random character string form, and after the random character string is encrypted according to the encryption grade and the corresponding grade is encrypted, the encrypted file, the content identifier and the encryption grade are stored in a third party server together, the file and the key are stored in a distinguishing way, the original file can not be obtained from the IPFS file system, the security problem of the IPFS file system is solved, and meanwhile, different encryption processes are adopted according to different encryption grades, so that the security requirement of a user is better met.
Referring to fig. 1, fig. 3 and fig. 4, a first embodiment of the present invention is:
a method for encrypted storage and access of an IPFS file system comprises the following steps:
s01, the uploading client side initializes and generates a second public key and a second private key;
the step S01 specifically includes:
and initializing the uploading client, and generating the second public key and the second private key by an RSA algorithm.
In this embodiment, the client is first uploaded to initialize and generate its own public key and private key, i.e., the second public key and the second private key, which are implemented by using the RSA algorithm.
S1, the uploading client obtains the file to be uploaded and the encryption grade according to the user operation, and obtains a first public key from the key management server;
the step S1 specifically includes:
the uploading client obtains the file to be uploaded and the encryption grade according to user operation, calculates the file fingerprint of the file to be uploaded, sends the file fingerprint to the application server for comparison, if the same file fingerprint exists, the file exists, the next operation is not carried out, otherwise, the application server obtains a first public key from the key management server, and returns the first public key to the uploading client.
As shown in fig. 3, in this embodiment, when uploading a file, a user needs to select an encryption level, calculate a file fingerprint, and send the file fingerprint to an MDMS, that is, an application server. The MDMS inquires whether the file fingerprint exists or not so as to judge whether the file exists or not, if the same file fingerprint exists, the file exists, the next operation is not carried out, and if the same file fingerprint does not exist, the MDMS requests a KMS public key, namely a first public key, from a KMS (key management server), and sends the KMS public key to an uploading client.
S2, the uploading client generates a random character string, encrypts the file to be uploaded by using the random character string to obtain an encrypted file, and encrypts the random character string according to the encryption grade and the first public key to obtain a key ciphertext;
the step S2 includes the steps of:
s21, the uploading client generates the random character string, and encrypts the file to be uploaded by using the random character string to obtain the encrypted file;
the encrypting the file to be uploaded by using the random character string to obtain an encrypted file specifically comprises:
and encrypting the file to be uploaded by using the random character string through an AES encryption algorithm to obtain the encrypted file.
In this embodiment, the client generates a random string AESKey, and encrypts the file using the string, and in this embodiment, an AES encryption algorithm is used to generate an encrypted file.
S22, judging the encryption level, and if the encryption level is not encrypted, directly taking the random character string as the key ciphertext;
if the encryption level is first-level encryption, encrypting the random character string by using the first public key to obtain the key ciphertext;
and if the encryption grade is secondary encryption, encrypting the random character string by using the first public key to obtain an intermediate ciphertext, and encrypting the intermediate ciphertext by using the second public key to obtain the key ciphertext.
As shown in fig. 3, in this embodiment, after the AES Key is used to encrypt a file, the AES Key is encrypted according to the encryption level, and the encryption is divided into non-encryption and one-level encryption and two-level encryption. And (2) carrying out primary encryption on the random character string AES Key by using the KMS public Key (namely, the first public Key), and if the encryption level is the second-level encryption, carrying out secondary encryption on the AESKey by using the second public Key to obtain the encrypted AESKey, namely, a Key ciphertext.
And S3, the uploading client sends the encrypted file to an IPFS server to obtain a content identifier generated by the IPFS server according to the encrypted file, and sends metadata to an application server for storage, wherein the metadata comprises the content identifier, the file fingerprint, the key ciphertext, the uploading client information and the encryption grade.
As shown in fig. 3, in this embodiment, the upload client sends the file to the IPFS data server, and after obtaining the content identifier CID generated by the IPFS according to the encrypted file, sends the metadata to the MDMS for storage, where the metadata includes CID, file fingerprint, key ciphertext (i.e., encrypted AESKey), upload client information, and encryption level.
Further comprising the steps of:
s4, the access client acquires the encrypted file from the IPFS server and sends a decryption request to the key management server through the application server, wherein the decryption request comprises the encryption grade corresponding to the encrypted file and the key ciphertext;
the step S4 includes the steps of:
s41, the access client obtains the encrypted file from the IPFS server according to the content identifier provided by the user, and sends a first decryption request to the application server, where the first decryption request includes the content identifier.
In this embodiment, the access client sends a file download request to the IPFS server through the CID, and obtains an encrypted file returned by the IPFS. And then the visiting client searches the metadata of the file from the MDMS through the CID, and applies for decryption. The request includes a third public key generated by the access client.
S42, the application server searches the metadata of the file according to the content identifier to obtain the encryption grade and the key ciphertext corresponding to the content identifier.
In this embodiment, the MDMS obtains corresponding metadata including an encryption level first-level key ciphertext according to the CID.
S43, the application server judges whether the encryption level is secondary encryption, if not, a second decryption request is sent to the key management server, and the second decryption request comprises the key ciphertext, otherwise, the step S44 is executed;
s44, the application server sends a third decryption request including the encryption key to the uploading client according to the uploading client information, the uploading client receives the third decryption request, whether decryption is agreed is judged according to user operation or a white list preset by a user, if decryption is agreed, the key ciphertext is decrypted through the second private key to obtain the intermediate ciphertext, the intermediate ciphertext is returned to the application server, the application server sends the second decryption request to the key management server, the second decryption request includes the intermediate ciphertext, and if decryption is not agreed, decryption refusal information is returned.
In this embodiment, according to the encryption level, if the encryption level is the secondary encryption, the MDMS may want the file owner, that is, the upload client to initiate an inquiry, wait for the upload client to agree, decrypt the key ciphertext by using the second private key, and apply for decryption to the KMS by the upload client, and if the encryption level is the non-encryption or the primary encryption, directly apply for decryption to the KMS.
S5, the key management server carries out a corresponding decryption process according to the encryption level, obtains the random character string after decryption is successful, and sends the random character string to the access client;
the step S5 specifically includes the following steps:
s51, the key management server judges the encryption level, if the encryption level is not encrypted, the key ciphertext is the random character string required by decryption, the random character string is returned to the application server, otherwise, the key ciphertext or the intermediate ciphertext is decrypted by a first private key, the random character string is obtained and returned to the application server;
s52, the application server returns the random character string to the access client;
the step S52 specifically includes:
and the application server encrypts the random character string by using the third public key and returns the encrypted random character string to the access client.
In this embodiment, the KMS determines the encryption level, and if the encryption level is not encrypted, the KMS directly returns the AESKey, otherwise, the KMS decrypts the data using the KMS private key (i.e., the first private key) to obtain the AESKey and returns the AESKey. And after receiving the AESKey returned by the KMS, the MDMS encrypts the AESKey by using a third public key of the access client and then sends the encrypted AESKey to the access client.
And S6, the access client decrypts the encrypted file according to the random character string to obtain a target file.
The step S6 specifically includes:
and the access client decrypts the random character string encrypted by the third public key according to a third private key to obtain the original random character string, and decrypts the encrypted file by using the random character string to obtain a target file.
In the embodiment in the market, after receiving the MDMS return data, the access client decrypts the data through the private key to obtain the AESKey, and decrypts the encrypted file to obtain the target file.
Referring to fig. 1, fig. 3 and fig. 4, a second embodiment of the present invention is:
a method for encrypted storage and access of an IPFS file system comprises the following steps:
the client A selects a file f.txt to be uploaded, sets an encryption level, calculates a file fingerprint and compares the file fingerprint with the MDMS, and the file does not exist in the IPFS at the moment.
And the client A randomly generates a character string abc as a symmetric encryption key AES key. And the client A encrypts the original file f.txt by using the abc as a key through an AES algorithm, and the original file becomes f.txt.crypto after encryption.
The client a judges that the encryption level is first-level encryption, encrypts the symmetric key abc using the public key obtained from the KMS, and after encryption, the symmetric key is changed to 123.
The client a uploads the encrypted files f.txt.crypto to the IPFS system, and simultaneously sends the CID generated by the IPFS, the file fingerprint information, the client a information and the encrypted symmetric key 123 to the MDMS.
And B, the client sends a request for downloading f.txt through the CID, and the IPFS server returns the f.txt.crypt file to the client after receiving the request.
The B client initiates a decryption request to the MDMS.
After receiving the request, the MDMS judges that the encryption level is first-level encryption, sends a decryption request to the KMS, the KMS decrypts 123 into abc by using a private key, and encrypts the abc into 456 by using a public key of the client B and sends the abc to the client B.
After receiving the key 456, the client B uses its own private key to solve abc, and uses AES symmetric decryption to decrypt f.txt.
Referring to fig. 5 and 6, a third embodiment of the present invention is:
a method for encrypted storage and access of an IPFS file system comprises the following steps:
the file firstly calculates fingerprint information in a client, wherein the fingerprint information is a unique identifier for identifying the content of the file, then the MDMS requests to distinguish whether the same file exists, and if the same file does not exist, the MDMS requests a KMS to take a KMS public key back to the client. The client randomly generates a file key with 32 bit bytes, encrypts the file by adopting a symmetric encryption algorithm AES256, and encrypts the file key by using a public key returned by the KMS. And then, the file is sent to an IPFS data storage server, and the file information and the encrypted file key are sent to an MDMS for storage.
In particular, by encrypting the file key, we can divide the file security level into two levels, and the user controls the security property level of the uploaded file:
first-stage: and the client A randomly generates an AES key (32-byte) file key, encrypts and uploads the file to the IPFS data storage server for storage by adopting a symmetric encryption algorithm AES 256. Meanwhile, the AES key file key is encrypted by using a KMS public key and then is stored in the MDMS. When other users B access the file, the MDMS is required to apply for obtaining the file key, the AES key is decrypted through the KMS private key, the encrypted AES key is sent to the B client side after the public key of the user B is used for encryption, the client side is decrypted through the private key of the client side B to obtain the AES key, and the file can be accessed.
And (2) second stage: and the client A randomly generates an AES key (32-byte) file key, encrypts and uploads the file to the IPFS data storage server for storage by adopting a symmetric encryption algorithm AES 256. Meanwhile, the client A generates a pair of a public key and a private key, then the public key A is used for carrying out primary encryption on the AES key file key to obtain a character string (AES key + user public key primary encryption), then the KMS public key is used for carrying out secondary encryption to obtain a character string (AES key + user public key primary encryption + KMS public key secondary encryption), and the character string is uploaded to the MDMS for storage. When other users B access files, an application is sent to the MDMS, the MDMS firstly inquires whether the A client allows B access, if yes, the MDMS informs the KMS to decrypt by using a private key to obtain a (AES key + user public key primary encryption) character string to be sent to the A client, the A client decrypts by using the private key to obtain an AES key file key and simultaneously sends the AES key file key to the MDMS server by using the public key of the KMS, the MDMS decrypts for the second time by using the KMS private key to obtain the AES key file key, the AES key file key is encrypted by using the public key of the B user and then returned to the B client, and the B client decrypts by using the private key of the B client to obtain the AES key and can access the files. The method mainly comprises the steps of secondary encryption of a file key, other users access the file and need to be agreed by a file owner, the user can control the uploading of the file and can access the authorization of a white list and a black list of a client, and the security property level is higher.
Referring to fig. 2, embodiment 4 of the present invention is:
a system for encrypted storage and access of an IPFS file system comprises an uploading client, an access client, an application server and a key management server, wherein the uploading client and the access client belong to the IPFS client, the uploading client comprises a first processor, a first memory and a first computer program which is stored in the first memory and can run on the first processor, and the first processor implements the steps S01 to S3 in the first embodiment when executing the first computer program;
the access client comprises a second processor, a second memory and a second computer program stored in the second memory and executable on the second processor, the second processor implementing step S6 of the first embodiment and step S41 of step S4 when executing the second computer program;
the application server comprises a third processor, a third memory, and a third computer program stored in the third memory and executable on the third processor, the third processor implementing, when executing the third computer program, steps S42, S43, S44 in step S4 and step S52 in step S5 of the above embodiment one;
the key management server comprises a fourth processor, a fourth memory and a fourth computer program stored in the fourth memory and executable on the fourth processor, the fourth processor implementing step S51 in step S5 of embodiment one above when executing the fourth computer program.
In summary, the present invention provides a method and system for encrypted storage and access of an IPFS file system, stored in the IPFS file system is an encrypted file, and the encryption key of the encrypted file is in the form of a random string, and the random character string is encrypted according to the encryption level at a corresponding level and then stored in a third party server together with the content identifier and the encryption level, the files and the secret keys are stored in a distinguishing way, the original files can not be obtained from the IPFS file system, the safety problem of the IPFS file system is solved, meanwhile, the encryption grade is divided into non-encryption, first-level encryption and second-level encryption, different encryption processes are used for the random string according to different encryption levels, and when secondary encryption is used, if the file needs to be decrypted and needs to be confirmed to the uploading client of the uploaded file, the security is higher, and the security requirement of the user is better met.
The above description is only an embodiment of the present invention, and not intended to limit the scope of the present invention, and all equivalent changes made by using the contents of the present specification and the drawings, or applied directly or indirectly to the related technical fields, are included in the scope of the present invention.
Claims (9)
1. A method for encrypted storage and access of an IPFS file system is characterized by comprising the following steps:
s1, the uploading client obtains the file to be uploaded and the encryption grade according to the user operation, and obtains a first public key from the key management server;
s2, the uploading client generates a random character string, encrypts the file to be uploaded by using the random character string to obtain an encrypted file, and encrypts the random character string according to the encryption grade and the first public key to obtain a key ciphertext;
and S3, the uploading client sends the encrypted file to an IPFS server to obtain a content identifier generated by the IPFS server according to the encrypted file, and sends metadata to an application server for storage, wherein the metadata comprises the content identifier, the key ciphertext and the encryption level.
2. The method of claim 1, further comprising the steps of:
s4, the access client acquires the encrypted file from the IPFS server and sends a decryption request to the key management server through the application server, wherein the decryption request comprises the encryption grade corresponding to the encrypted file and the key ciphertext;
s5, the key management server carries out a corresponding decryption process according to the encryption level, obtains the random character string after decryption is successful, and sends the random character string to the access client;
and S6, the access client decrypts the encrypted file according to the random character string to obtain a target file.
3. The method of claim 1, wherein the metadata further comprises a file fingerprint;
the step S1 specifically includes:
the uploading client obtains the file to be uploaded and the encryption grade according to user operation, calculates the file fingerprint of the file to be uploaded, sends the file fingerprint to the application server for comparison, if the same file fingerprint exists, the file exists, the next operation is not carried out, otherwise, the application server obtains a first public key from the key management server, and returns the first public key to the uploading client.
4. The method of claim 2, wherein the encryption levels comprise no encryption, one-level encryption, and two-level encryption, and the metadata further comprises upload client information;
the step S1 is preceded by the steps of:
s01, the uploading client side initializes and generates a second public key and a second private key;
the step S2 includes the steps of:
s21, the uploading client generates the random character string, and encrypts the file to be uploaded by using the random character string to obtain the encrypted file;
s22, judging the encryption level, and if the encryption level is not encrypted, directly taking the random character string as the key ciphertext;
if the encryption level is first-level encryption, encrypting the random character string by using the first public key to obtain the key ciphertext;
if the encryption level is secondary encryption, encrypting the random character string by using the first public key to obtain an intermediate ciphertext, and encrypting the intermediate ciphertext by using the second public key to obtain the key ciphertext;
the step S4 includes the steps of:
s41, the access client acquires the encrypted file from the IPFS server according to the content identifier provided by the user, and sends a first decryption request to the application server, wherein the first decryption request comprises the content identifier;
s42, the application server searches the metadata of the file according to the content identifier to obtain the encryption grade and the key ciphertext corresponding to the content identifier;
s43, the application server judges whether the encryption level is secondary encryption, if not, a second decryption request is sent to the key management server, and the second decryption request comprises the key ciphertext, otherwise, the step S44 is executed;
s44, the application server sends a third decryption request including the encryption key to the uploading client according to the uploading client information, the uploading client receives the third decryption request, whether decryption is agreed is judged according to user operation or a white list preset by a user, if decryption is agreed, the key ciphertext is decrypted through the second private key to obtain the intermediate ciphertext, the intermediate ciphertext is returned to the application server, the application server sends the second decryption request to the key management server, the second decryption request includes the intermediate ciphertext, and if decryption is not agreed, decryption refusal information is returned;
the step S5 specifically includes:
and the key management server performs a corresponding decryption process on the key ciphertext or the intermediate ciphertext according to the encryption level, obtains the random character string after decryption is successful, and sends the random character string to the access client.
5. The method for encrypted storage and access of the IPFS file system according to claim 4, wherein the step S5 specifically comprises the steps of:
s51, the key management server judges the encryption level, if the encryption level is not encrypted, the key ciphertext is the random character string required by decryption, the random character string is returned to the application server, otherwise, the key ciphertext or the intermediate ciphertext is decrypted by a first private key, the random character string is obtained and returned to the application server;
and S52, the application server returns the random character string to the access client.
6. The method of claim 5, wherein the first decryption request further comprises a third public key generated by the accessing client;
the step S52 specifically includes:
the application server encrypts the random character string by using the third public key and returns the encrypted random character string to the access client;
the step S6 specifically includes:
and the access client decrypts the random character string encrypted by the third public key according to a third private key to obtain the original random character string, and decrypts the encrypted file by using the random character string to obtain a target file.
7. The method for encrypted storage and access of the IPFS file system according to claim 4, wherein the step S01 is specifically as follows:
and initializing the uploading client, and generating the second public key and the second private key by an RSA algorithm.
8. The IPFS file system encrypted storage and access method according to claim 1 or 4, wherein the encrypting the file to be uploaded by using the random character string to obtain the encrypted file specifically comprises:
and encrypting the file to be uploaded by using the random character string through an AES encryption algorithm to obtain the encrypted file.
9. A system for encrypted storage and access of an IPFS file system, comprising an upload client, said upload client comprising a first processor, a first memory, and a first computer program stored in said first memory and executable on said first processor, wherein said first processor when executing said first computer program implements the steps of:
s1, obtaining a file to be uploaded and an encryption grade according to user operation, and obtaining a first public key from a key management server;
s2, generating a random character string, encrypting the file to be uploaded by using the random character string to obtain an encrypted file, and performing an encryption step of a corresponding encryption grade on the random character string according to the encryption grade and the first public key to obtain a key ciphertext;
s3, sending the encrypted file to an IPFS server to obtain a content identifier generated by the IPFS server according to the encrypted file, and sending metadata to an application server for storage, wherein the metadata comprises the content identifier, the key ciphertext and the encryption level.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202111081546.0A CN113886847A (en) | 2021-09-15 | 2021-09-15 | Method and system for encrypted storage and access of IPFS file system |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202111081546.0A CN113886847A (en) | 2021-09-15 | 2021-09-15 | Method and system for encrypted storage and access of IPFS file system |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN113886847A true CN113886847A (en) | 2022-01-04 |
Family
ID=79009439
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202111081546.0A Pending CN113886847A (en) | 2021-09-15 | 2021-09-15 | Method and system for encrypted storage and access of IPFS file system |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN113886847A (en) |
Cited By (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN114844848A (en) * | 2022-03-16 | 2022-08-02 | 厦门市美亚柏科信息股份有限公司 | Local data storage method and terminal for instant messaging application |
| CN116383861A (en) * | 2023-06-07 | 2023-07-04 | 上海飞斯信息科技有限公司 | Computer security processing system based on user data protection |
| CN118587801A (en) * | 2024-08-02 | 2024-09-03 | 浙江德施曼科技智能股份有限公司 | Intelligent lock instruction operation method and system, intelligent lock and computer equipment |
-
2021
- 2021-09-15 CN CN202111081546.0A patent/CN113886847A/en active Pending
Cited By (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN114844848A (en) * | 2022-03-16 | 2022-08-02 | 厦门市美亚柏科信息股份有限公司 | Local data storage method and terminal for instant messaging application |
| CN116383861A (en) * | 2023-06-07 | 2023-07-04 | 上海飞斯信息科技有限公司 | Computer security processing system based on user data protection |
| CN116383861B (en) * | 2023-06-07 | 2023-08-18 | 上海飞斯信息科技有限公司 | Computer security processing system based on user data protection |
| CN118587801A (en) * | 2024-08-02 | 2024-09-03 | 浙江德施曼科技智能股份有限公司 | Intelligent lock instruction operation method and system, intelligent lock and computer equipment |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN108768664B (en) | Key management method, device, system, storage medium and computer equipment | |
| CN113067699B (en) | Data sharing method and device based on quantum key and computer equipment | |
| CN113886847A (en) | Method and system for encrypted storage and access of IPFS file system | |
| US8239679B2 (en) | Authentication method, client, server and system | |
| JP4673890B2 (en) | How to transfer a certification private key directly to a device using an online service | |
| EP1383265A1 (en) | Method for generating proxy signatures | |
| US20020038420A1 (en) | Method for efficient public key based certification for mobile and desktop environments | |
| US20080301436A1 (en) | Method and apparatus for performing authentication between clients using session key shared with server | |
| CN110868291B (en) | Data encryption transmission method, device, system and storage medium | |
| US20020083325A1 (en) | Updating security schemes for remote client access | |
| US20080098214A1 (en) | Encryption/decryption method, method for safe data transfer across a network, computer program products and computer readable media | |
| CN106411962B (en) | A kind of date storage method of combination user side access control and cloud access control | |
| US8670567B2 (en) | Recovery of expired decryption keys | |
| WO2023226308A1 (en) | File sharing methods, file sharing system, electronic device and readable storage medium | |
| WO2012154503A2 (en) | Certificate blobs for single sign on | |
| US20050033963A1 (en) | Method and system for authentication, data communication, storage and retrieval in a distributed key cryptography system | |
| WO2019083379A1 (en) | Data transmission | |
| CN113225302A (en) | Data sharing system and method based on proxy re-encryption | |
| US20180287796A1 (en) | Security key hopping | |
| US8307209B2 (en) | Universal authentication method | |
| EP3710972A1 (en) | System and method for storing encrypted data | |
| TW200803392A (en) | Method, device, server arrangement, system and computer program products for securely storing data in a portable device | |
| CN106790100B (en) | Data storage and access control method based on asymmetric cryptographic algorithm | |
| CN114710271A (en) | Method and device for sharing encrypted data, storage medium and electronic equipment | |
| CN113656818A (en) | No-trusted third party cloud storage ciphertext duplication removing method and system meeting semantic security |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination |