CN113972985A - Private cloud encryption storage method based on cloud cipher machine key management - Google Patents

Private cloud encryption storage method based on cloud cipher machine key management Download PDF

Info

Publication number
CN113972985A
CN113972985A CN202111025468.2A CN202111025468A CN113972985A CN 113972985 A CN113972985 A CN 113972985A CN 202111025468 A CN202111025468 A CN 202111025468A CN 113972985 A CN113972985 A CN 113972985A
Authority
CN
China
Prior art keywords
key
data
ceph
key management
user
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202111025468.2A
Other languages
Chinese (zh)
Inventor
池亚平
于淼
王雄
许盛伟
张柁苧
张健毅
王志强
尹涛
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
BEIJING ELECTRONIC SCIENCE AND TECHNOLOGY INSTITUTE
Original Assignee
BEIJING ELECTRONIC SCIENCE AND TECHNOLOGY INSTITUTE
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by BEIJING ELECTRONIC SCIENCE AND TECHNOLOGY INSTITUTE filed Critical BEIJING ELECTRONIC SCIENCE AND TECHNOLOGY INSTITUTE
Priority to CN202111025468.2A priority Critical patent/CN113972985A/en
Publication of CN113972985A publication Critical patent/CN113972985A/en
Pending legal-status Critical Current

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/602Providing cryptographic facilities or services
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00Network arrangements or protocols for supporting network services or applications
    • H04L67/01Protocols
    • H04L67/10Protocols in which an application is distributed across nodes in the network
    • H04L67/1097Protocols in which an application is distributed across nodes in the network for distributed storage of data in networks, e.g. transport arrangements for network file system [NFS], storage area networks [SAN] or network attached storage [NAS]
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/06Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
    • H04L9/0643Hash functions, e.g. MD5, SHA, HMAC or f9 MAC
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Signal Processing (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Theoretical Computer Science (AREA)
  • Software Systems (AREA)
  • Health & Medical Sciences (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Computer Hardware Design (AREA)
  • General Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • Power Engineering (AREA)
  • Storage Device Security (AREA)

Abstract

The invention discloses a private cloud encryption storage method based on cloud cipher machine key management, which solves the problem of data security in government affair cloud environment in the prior art. The invention comprises the following steps of firstly, initializing a key management module; step two, data encryption; step three, storing data; and step four, data decryption. When the data key is stored, the technology can realize a multi-level key protection strategy based on the research, so that the key security of the private cloud platform encryption storage scheme is ensured. In the aspect of data transmission, the Ceph and the key management module perform ciphertext interaction through a public and private key pair generated in an initialization stage, so that the confidentiality of a communication process is realized, and the security of a key transmission process is guaranteed. In the aspect of data storage, user data are encrypted at the Ceph gateway to form ciphertext data and stored in the back-end database, and even if the user data are attacked maliciously by the database, the plaintext data cannot be acquired, so that the safety of the user data is guaranteed.

Description

Private cloud encryption storage method based on cloud cipher machine key management
Technical Field
The invention relates to the field of data encryption of cloud storage, in particular to a private cloud encryption storage method based on cloud cipher machine key management.
Background
The development of cloud storage functions in foreign countries and the combination of the cloud storage functions and practical application scenes are very mature, storage services are mainly and independently provided for the outside, related security research is limited to data backup, data loss caused by hardware faults or other objective reasons is prevented, and the cloud storage system does not have enough security protection capability for data loss or damage caused by subjective factors such as hacker attacks and the like. Meanwhile, some emerging storage back-ends have some more excellent characteristics due to their rapid development, but lack support for related research and practice. In many private cloud storage backend, compared with the Swift which is currently used more, Ceph has the characteristics of high storage speed, multiple storage modes and high data reading efficiency. Ceph can provide uniform storage: the object storage service can be provided for Openstack service and external. However, the research results of applying Ceph as a storage backend of a private cloud platform and simultaneously providing a secure cloud storage service are currently few.
Domestic cloud storage was the earliest occurring in the Aliyun and developed rapidly. Each enterprise and public institution is actively invested in cloud computing development, and each large IT enterprise is also providing various cloud storage services. The comparison is known as: arri cloud storage, tengcong cloud storage, kyotong cloud storage, and the like. The safety is an index which must be regarded by attention in the development of the private cloud storage service, and is also the basis for the development of the cloud storage. In order to ensure the security of user data in object storage, researchers propose various data protection schemes aiming at various security threats and protection defects in a private cloud environment. The research idea of these schemes mainly focuses on user identity authentication and data encryption and data integrity. There are two main types of common identity authentication: password authentication and multiple identity authentication. Password authentication is realized through a user name and a password, and is simple and quick, but the defects of password leakage and the like exist. The data encryption is to encrypt the data and store the ciphertext at the storage end. Integrity of data refers to correctness, validity, and consistency in the data store.
In the existing data encryption scheme, the secure storage of the key is a key problem for ensuring the confidentiality of data, and for key management in a cloud storage environment, experts and scholars propose various secure storage modes, such as hardware storage, the key generated by a key generator is encrypted by using a root key, and then the root key is written into hardware equipment, such as Ukey and a password card, so that a large number of password equipment needs to be deployed in a machine room, the efficiency of a cloud storage function is seriously reduced, and the use cost of storage service is greatly improved. In addition, some experts and scholars propose various security storage schemes based on identity authentication, researchers aim to realize data isolation through effective identity verification, for example, Dropbox company proposes a key storage method based on hash encryption, which stores an identity information digest value of a verified party and prevents information leakage caused by off-library. However, for an attacker targeting the attack to the back-end database, the scheme still has a risk of data loss or leakage. Meanwhile, the encryption operation during storage inevitably reduces the efficiency of data storage, so that related optimization and improvement are required for the performance problem of data storage. Zhou lin in the literature indicates that the Ceph component has significant advantages in speed performance and storage mode diversity over the traditional private cloud storage component Swift. The architecture design of Swift leads to deficiencies in both transmission speed and latency, mainly because all incoming and outgoing traffic in the Swift cluster goes through the proxy server, and Ceph uses better algorithms to handle data backup, in this regard, Ceph system allows users to handle the problems of large scale more flexibly. The Zhang Xiao et al indicate some defects of the Ceph in the storage aspect, such as instability of a core algorithm CRUSH, multiple abstract levels with complex structures and the like, and provide improved strategies such as optimizing a data placement method, optimizing storage engines such as IO logic and the like. Aiming at the characteristics of cloud computing, various information security management strategies under the cloud environment are provided, and an information management scheme for improving the cloud computing data cracking complexity is provided aiming at the user data security. The goldenrain faithful analysis is carried out on the existing security protection technology under the cloud environment, and the encryption algorithm analysis is carried out on the protection scheme applying the cryptography technology. Aiming at the problem of user data encryption, Chenyuan et al propose a secure ciphertext interval retrieval scheme based on a cloud storage technology, which is used for improving encryption complexity, ensuring security and optimizing encryption performance. Li jiangpeng et al propose a node priority algorithm in the literature for improving the scheduling success rate of the cryptographic service system in a high concurrency scenario, and improving the key distribution efficiency in the context of cloud computing mass data. The invention provides and designs the data storage module by taking the optimization schemes as reference, and provides data storage support for the high-efficiency encryption storage scheme.
Disclosure of Invention
Aiming at the defects of the prior art, the invention provides a private cloud encryption storage scheme based on a cloud cipher machine for solving the data security in the government affair cloud environment.
The technical scheme of the invention is to provide a private cloud encryption storage method based on cloud cipher machine key management, which comprises the following steps: the method comprises the following steps of firstly, initializing a key management module; step two, data encryption; step three, storing data; and step four, data decryption.
Preferably, in the first step, the key management module is mainly composed of a cloud service crypto engine and a backend database, and provides a key management service, specifically including generation, distribution and storage of keys, the data encryption storage module is mainly composed of a Ceph storage module and a backend database, and provides an encryption and storage service for user data, wherein a data key used for encrypting and decrypting user data is managed by the key management module, after a user initiates a data storage request, the data encryption module initiates a key acquisition request to the key management module, and after a data key returned by the key management module is obtained, the user data is encrypted at the Ceph gateway, and then a ciphertext is stored.
Preferably, in the first step, when the cryptographic engine is initialized, a plurality of administrators introduce the components Ukey into the VSM to synthesize the DMK, the LMK is generated in a dispersed manner, and after Ceph is deployed successfully, an initialization request is firstly initiated to the key management module, and the address and the user information of the cryptographic engine are sent; and after the key management module obtains the request, establishing a corresponding user table, calling a corresponding interface function to generate an SM2 public and private key pair for the Ceph user, transmitting the private key to the Ceph, using the key pair as a user public and private key pair of the data encryption storage module for subsequent key distribution, storing the public key into the user table, and completing the initialization stage.
Preferably, the second step comprises the following steps,
step 2.1, after receiving the data key request, the key management module calls a corresponding interface function, generates an SM4 data key and an SM3 digest value of the key through cryptographic equipment, encrypts and outputs a public key by using the SM2 of a user, and stores a ciphertext and the digest value of the data key in a database of the key management module;
step 2.2, the data key is encrypted by the LMK in the cipher machine, and the encrypted form is stored in the database;
and 2.3, the Ceph end obtains the data key and the digest value encrypted by the user public key, decrypts by using the user private key to obtain plaintext information, encrypts the plaintext data of the user by using the data key, and destroys the data key.
Preferably, in the third step, the ciphertext and the abstract value are grouped and mapped into a plurality of groups of data segments with the same size, the PG is obtained through one Hsah operation, and then mapped to corresponding OSDs through a Crush operation for data storage, and the stored addressing process is totally three steps,
the first step is the mapping from File to Objects, the mapping divides the complete ciphertext data File into a plurality of groups of Objects with the same size, and each object generated after division obtains unique oid;
the second step is the mapping from the Objects to the PG, the PG is a logic set of the Objects, oid is mapped into a pseudo-random value which is approximately uniformly distributed by calculating a hash value of oid, and the pseudo-random value and the mask are subjected to bitwise AND to obtain a PG serial number;
thirdly, mapping PG to OSD, calculating the object to be mapped to corresponding OSDs by using CRUSH algorithm, wherein the group of OSDs are the storage positions of object data in PG; in the Ceph mechanism, one OSD usually needs to exchange information with other OSDs that carry the same PG together to determine whether each OSD works normally.
Preferably, the third step designs the data interaction step of the Ceph storage module and the key management module,
after Ceph is deployed successfully, an initialization request is firstly initiated to a key management module, and the address and the user information of the Ceph are sent;
step (ii), after the key management module obtains the request, establishing a corresponding user table, simultaneously generating an SM2 key pair, sending a private key to Ceph, storing a public key into the user table, and completing an initialization stage;
step (iii), the Ceph stores the private key, and after obtaining the data storage request of the user, the Ceph initiates an encryption request to the key management module, provides own user information and signs;
step (iiii) after the key management module checks the signature, generating an SM4 data key and a corresponding SM3 digest value, encrypting the SM4 data key and the SM3 digest value by using a user public key of the Ceph, and sending the encrypted SM4 data key to the Ceph;
and (iiii) encrypting and storing the user data after the data key is obtained, and simultaneously storing the abstract value into the corresponding user table.
Preferably, the four steps comprise the steps of,
step 4.1, the Ceph sends a request with a digest value to the key management module;
and 4.2, the key management module finds out a corresponding data key ciphertext in the database through digest value comparison, calls a corresponding interface function to decrypt to obtain a corresponding data key plaintext, and sends the data key to the Ceph end in a same sending mode as the encryption step.
Compared with the prior art, the private cloud encryption storage method based on the cloud cipher machine key management has the following advantages: a set of private cloud platform encryption storage scheme based on Ceph is designed by combining cloud password service. The private cloud storage takes Ceph as a core component, and shows strong power of the Ceph in a comparison test with Swift; the key management module is based on a cloud service cipher machine and is combined with a threshold sharing idea and a division idea to design a multi-level key protection mechanism; the data encryption storage module is supported by a Ceph component and based on a multi-level key protection mechanism, and realizes government affair private cloud file secure storage by utilizing a national secret SM4 algorithm.
In terms of security, key storage security is based on a three-level key protection mechanism. The cloud service cipher machine is provided with a unique VSM (Database master keys, DMK), is stored in a cipher card arranged in the cipher machine after being synthesized by leading-in components Ukey of a plurality of managers, ensures the absolute safety of the VSM master key from the generation to the storage of the key, and simultaneously protects a user private key by using Local Master Keys (LMK) generated by DMK in a dispersing way to ensure the absolute safety of a data key. In the aspect of data transmission, the Ceph and the key management module perform ciphertext interaction through a public and private key pair generated in an initialization stage, so that the confidentiality of a communication process is realized, and the security of a key transmission process is guaranteed. In the aspect of data storage, user data are encrypted at the Ceph gateway to form ciphertext data and stored in the back-end database, and even if the user data are attacked maliciously by the database, the plaintext data cannot be acquired, so that the safety of the user data is guaranteed.
Drawings
FIG. 1 is a screenshot of the Ceph test results of the present invention;
FIG. 2 is a screenshot of the Swift test result of the present invention;
FIG. 3 is a graph comparing Ceph and Swift throughput rates according to the present invention;
FIG. 4 is an application scenario of the present invention;
FIG. 5 is a general design of the solution of the present invention;
FIG. 6 illustrates an initialization phase of the cloud cryptographic engine of the present invention;
FIG. 7 illustrates a key management phase of the cloud cryptographic engine of the present invention;
FIG. 8 is a three-tier key architecture of the present invention;
FIG. 9 is a diagram of the Ceph storage logic of the present invention;
FIG. 10 is a block communication data flow of the present invention;
FIG. 11 is a screenshot of the cipher machine public and private key encryption test results of the present invention;
Detailed Description
The private cloud encrypted storage method based on cloud cipher machine key management according to the present invention is further described with reference to the accompanying drawings and the detailed description below: in the embodiment, aiming at the characteristic that the requirement on the read-write capacity of a large number of small files is high in the government affair cloud environment, pressure tests are carried out on the Ceph storage assembly and the Swift storage assembly, and the storage assemblies which are more suitable for the application scene are selected in a contrast mode; based on a cloud service cipher machine, in combination with a threshold sharing idea and a partition idea, a multi-level key protection mechanism is designed to provide key management service, specifically comprising key generation, key distribution and key storage; on the basis of a multi-level key protection mechanism with a Ceph component as a support, government private cloud file safe storage is realized by using a SM4 algorithm, a set of reliable encryption storage scheme is formed, and user data security is protected.
The concrete contents comprise the following steps:
(1) ceph and Swift performance test;
according to the invention, a Nautilus version Ceph is established on a Centos7 operating system, and three OSD (object Storage devices) are configured for data Storage. And (4) applying a COSBench pressure test module to carry out pressure test on the storage assembly.
The purpose of this test is to compare the efficiency of reading and writing small files under the same conditions by Ceph and Swift. The test sets a single client with a thread count of 8, sets 32 buckets, 50 objects (1600 objects total) per bucket, and has a single object size of 64 KB. During testing, a Ceph component is accessed through a LibRads interface, a Swift is accessed through an S3(Simple Storage Service) interface, and small file Storage requests are respectively initiated for the two Storage components. According to the experimental test result, in the read-write stage, the Swift component reads the file at 31.6M/S, and writes the file at 7.9M/S. The file reading speed of the Ceph component can reach 36M/S, and the file writing speed can reach 9M/S. Ceph is approximately 14% faster than Swift in reading and writing file speed. In terms of throughput, Ceph also has a distinct advantage over Swift. Ceph is obviously superior to Swift in the read-write capability of processing small files. The application scenario of the invention mainly aims at private cloud environments such as government affair cloud and the like, the requirement on data consistency is high, and the requirement on small file read-write capacity is strong, so that Ceph has great advantages for the application scenario.
(2) Designing a data encryption storage scheme;
in a conventional data encryption scheme, the encryption stages in the read-write path of data are divided into transmission encryption and storage encryption. For transmission encryption, in order to ensure the security of data, SSL (Secure Sockets Layer) protocol is generally used for transmission. For storage Encryption, that is, data stored in a disk-down state, in order to ensure the security of the data, a Server-Side Encryption (SSE) method is usually adopted, that is, after the data is received, the data is encrypted first and then stored in the disk-down state. In the current government affair cloud environment, the key generation efficiency of the known scheme is low, and the security of the distribution process and the key storage is poor. Therefore, the invention designs the key management module based on the cipher machine, and is used for solving the problem of key management in the data encryption process. Meanwhile, a data encryption storage module is designed, and effective information interaction is carried out with a key management module to realize efficient encryption storage of data.
(2a) The data encryption storage scheme designed by the invention can be applied to a typical government affair cloud environment. The application scene mainly comprises a user and a government affair cloud platform. After a user initiates a request for storing or reading data, the data encryption storage module interacts with the key management module to complete the distribution and storage of the key and encrypt and store the data. In an application scenario, there are several potential safety hazards as follows:
(i) when user data is sent to a server, the plaintext data can be stolen by attacks such as eavesdropping;
(ii) in a cloud platform, a data key transmission process may be attacked maliciously to steal a data key, so that user data is revealed;
(iii) back-end storage media may be subject to malicious attacks to steal data.
(2b) The encryption storage scheme based on the Ceph provided by the invention mainly comprises a data encryption storage module and a key management module. The key management module mainly comprises a cloud service cipher machine and a back-end database, provides key management service, and specifically comprises generation, distribution and storage of keys. The data encryption storage module mainly comprises a Ceph storage component and a back-end database, provides encryption and storage services for user data, and a data key used for encrypting and decrypting the user data is managed by the key management module. After a user initiates a data storage request, a data encryption module initiates a key acquisition request to a key management module, after a data key returned by the key management module is obtained, user data is encrypted at a Ceph gateway, and then a ciphertext is stored. All modules form a set of reliable encryption storage scheme together through effective key management and data encryption service, so that the safety of user data is protected, and the safety problem under a government affair cloud platform is effectively solved.
(2) Key management module design
(2a) The invention integrates the cipher machine and a private cloud platform in a self-defined plug-in mode based on an SDF interface designed by the cloud service cipher machine according to the application interface specification of the national cipher standard GM/T0018 and 2012 cipher equipment, and provides a secret key of a domestic cipher algorithm as a secret key generator of a system. In the scheme, the cloud service cipher machine is divided into two working phases, namely an initialization phase and a key management phase. Meanwhile, a VSM three-layer key system is designed in the key management module and used for protecting the safety of the user application key.
(2b) A three-layer Key system architecture is designed, which is respectively a VSM Master Key (DMK), a Local Master Key (LMK) and a user data Key. The VSM master key in the system is the uppermost layer and is used for dispersedly generating a local master key; the local master key is a middle layer and is used for protecting various keys and sensitive information stored in the VSM; the user data key is the bottom layer and is used for encrypting and protecting various application service data of a large number of users. The DMK is used as the only main key of the VSM, the components Ukey are led into the VSM by multiple administrators during initialization, and the main key DMK of the VSM is generated by utilizing a PBKDF function. And reading the VSM master key into a hardware password card, and generating a local master key LMK of the VSM in the password card. Through the distributed protection of the DMK on the LMK and the encryption protection of the LMK on the data key, a set of three-level key protection scheme is formed, and the key storage safety of the private cloud platform encryption storage scheme is ensured.
DMK=PBKDF(Ukey1,Ukey2,Ukey3…Salt)
LMK=KDF(DMK,Salt)
DATenc=DK(Date||SM3(Date))DATenc——>DB(Ceph)
LMK(DK||SM3(Date))——>DB(Key manager)
(3) Data encryption storage module design
(3a) The data encryption and storage module is designed based on the Ceph, the encryption and decryption functions of user data are provided, the optimization strategy for the storage of the Ceph component is provided, and the overall working efficiency of the system is improved. And the Ceph gateway encrypts the user data by using the data key provided by the key management module and stores the obtained ciphertext. The storage addressing process has three steps, the first step is the mapping from File to Objects, the mapping divides the complete ciphertext data File into a plurality of groups of Objects with the same size. Each object generated after slicing will obtain a unique oid (object id), the second step is the mapping of Objects to PG, PG (concept group) is the logical set of Objects, oid is mapped to a pseudo-random value which is approximately uniformly distributed by calculating the hash value of oid, and the pseudo-random value and mask (total number of PGs minus 1) are bitwise anded to obtain the PG number (PG id). The third step is the mapping of PG to OSD (object storage device), and the object mapping is calculated by using the CRUSH algorithm to the corresponding OSDs, which are the storage locations of the object data in PG. In the Ceph mechanism, one OSD usually needs to exchange information with other OSDs that carry the same PG together to determine whether each OSD works normally. Because hundreds of PGs are carried on one OSD, each PG usually has 3 OSD, and one OSD needs to exchange information for thousands of OSD information within a period of time, the io efficiency is improved, and the data storage efficiency can be effectively improved. The read-write speed can be optimized by designing a new io engine, such as using redundant data technology instead of the three copy technology currently used. Meanwhile, the result of the CRUSH algorithm used in the addressing process is variable, and the distribution characteristic of the calculation result is influenced by the change of the influence factor, so that the selection of the influence factor can be optimized and improved, the obtained address is more random, and the overall performance of the system is improved.
hash(oid)&mask->pgid
CRUSH(pgid)->(osd1,osd2)
(3b) In the scheme of the invention, the direct communication between the key management module and the Ceph storage module can be the target of attack or eavesdropping, so a safe communication mechanism is designed. RADOS in the Ceph storage structure provides a service to access Ceph clusters using standard object storage APIs. It supports S3 and Swift API, and can complete data exchange based on HTTP (Hypertext Transfer Protocol) or HTTPs (Hypertext Transfer Protocol over secure session Layer). Designing the data interaction steps of the Ceph storage module and the key management module.
(i) After Ceph is successfully deployed, an initialization request is first initiated to the key management module. Sending own address and user information;
(ii) after the key management module obtains the request, a corresponding user table is established, an SM2 key pair is generated at the same time, a private key is sent to the Ceph, a public key is stored in the user table, and the initialization stage is completed;
(iii) the Ceph stores the private key, and after the data storage request of the user is obtained, the Ceph initiates an encryption request to the key management module. Providing own user information and signing;
(iiii) after the key management module checks the signature, generating an SM4 data key and a corresponding SM3 digest value, encrypting the SM4 data key and the SM3 digest value by using a user public key of the Ceph, and sending the SM4 data key and the corresponding SM3 digest value to the Ceph;
(iiii) encrypting and storing the user data after obtaining the data key, and simultaneously storing the abstract value into the corresponding user table.
The Ceph may provide SSE functionality in a manner that the client passes data to the object gateway, which stores the data encrypted to the Ceph cluster. The invention adopts SSE-C (Server-Side Encryption-Client, Server-Side Encryption for providing key by user) mode, and the gateway is only responsible for encrypting and decrypting data, and can not manage the key transmitted by the Client. The client provides keys for reading and writing the encrypted data, the keys are managed by the client, and the difficulty of key management is high. Therefore, the key management module is used for managing the key, the SSE function is used for carrying out encryption protection on plaintext data, and the obtained ciphertext is sent to the cluster for storage, so that the safe and reliable data storage function is realized.
The specific implementation steps of the present invention are further described with reference to fig. 5, 6, 7, 8, 9, and 10.
Step 1, registering a user and finishing initialization. The cipher machine is initialized by a plurality of administrators to import the component Ukey into the VSM to synthesize DMK (VSM master key) and dispersedly generate LMK (local master key). After Ceph is successfully deployed, an initialization request is first initiated to the key management module. Sending own address and user information; and after the key management module obtains the request, establishing a corresponding user table, calling a corresponding interface function to generate an SM2 public and private key pair for the Ceph user, and transmitting the private key to the Ceph. The key pair is used as a user public and private key pair of the data encryption storage module for subsequent key distribution. And storing the public key into the user table, and finishing the initialization stage.
Step 2, the user applies for the encrypted data
Step one, after receiving a data key request, a key management module calls a corresponding interface function, an SM4 data key and an SM3 digest value of the key are generated through cryptographic equipment, an SM2 encryption public key of a user is used for encrypting and outputting, and meanwhile, a ciphertext and the digest value of the data key are stored in a database of the key management module;
secondly, encrypting the data key by the LMK in the cipher machine, and storing the encrypted form in a database;
and thirdly, the Ceph end obtains the data key and the digest value encrypted by the user public key, and the plaintext information is obtained after decryption is carried out by using the user private key. And then, encrypting the plaintext data of the user by using the data key, and destroying the data key.
Step 3, storing data
And (4) grouping the ciphertext and the abstract values obtained in the step two, mapping the ciphertext and the abstract values into a plurality of groups of data segments with the same size, obtaining the PG (fragment group) through one Hsah operation, and mapping the PG (fragment group) to corresponding OSDs through a Crush operation to store data.
Step 4, the user applies for the decrypted data
Step one, Ceph sends a request with a digest value to a key management module;
and secondly, the key management module finds out a corresponding data key ciphertext in the database through digest value comparison, calls a corresponding interface function to decrypt to obtain a corresponding data key plaintext, and sends the data key to the Ceph end in a same sending mode as the encryption step.
The effects of the present invention will be further described with reference to the experiments of the present invention. The invention selects Ceph as the storage component of the whole scheme, has 14% performance improvement in the aspect of re-reading and writing performance compared with the Swift of the mainstream storage component, greatly improves the throughput rate, and is enough to adapt to the reading and writing requirements of mass files in the government affair cloud environment. In the aspect of key management performance, the invention provides a data encryption environment for the whole system by designing the key management module based on the cloud service cipher machine. The cloud server cipher machine is a hardware cipher product designed and developed aiming at a special scene of a cloud computing environment, and each virtual cipher machine can realize the capabilities of encrypting and decrypting data of a host application layer, verifying the correctness of a message source, managing a secret key and the like, so that the hardware resource performance is exerted to the maximum extent, and a safe data encryption protection service is provided for an application system in the cloud environment. The system has a key bank with super-large capacity, and can safely manage and store various application keys up to eighty thousand levels. The cipher machine is used as the core of the key management module and provides key management service in the scheme, so that the processing speed of mass data of the cipher machine is subjected to related stress test. In the public and private key encryption test with the packet length of 4096, the cipher machine can realize public and private key encryption and decryption operations which are processed for more than 42 ten thousand times per second, and the average data volume processed per second is more than 3 Gb.

Claims (7)

1. A private cloud encryption storage method based on cloud cipher machine key management is characterized in that: comprises the following steps of (a) carrying out,
step one, initializing a key management module;
step two, data encryption;
step three, storing data;
and step four, data decryption.
2. The private cloud encryption storage method based on cloud crypto engine key management according to claim 1, wherein: the key management module in the first step mainly comprises a cloud service cipher machine and a back-end database, provides key management service, and specifically comprises key generation, distribution and storage, the data encryption storage module mainly comprises a Ceph storage module and the back-end database, provides encryption and storage service for user data, wherein a data key used for encrypting and decrypting the user data is managed by the key management module, after a user initiates a data storage request, the data encryption module initiates a key acquisition request to the key management module, and after a data key returned by the key management module is obtained, the user data is encrypted at the Ceph gateway, and a ciphertext is stored.
3. The private cloud encryption storage method based on cloud crypto engine key management according to claim 1, wherein: in the first step, when the cipher machine is initialized, a plurality of administrators introduce a component Ukey into the VSM to synthesize the DMK, the DMK is dispersedly generated, and after Ceph is successfully deployed, an initialization request is firstly initiated to a key management module, and the address and the user information of the cipher machine are sent; and after the key management module obtains the request, establishing a corresponding user table, calling a corresponding interface function to generate an SM2 public and private key pair for the Ceph user, transmitting the private key to the Ceph, using the key pair as a user public and private key pair of the data encryption storage module for subsequent key distribution, storing the public key into the user table, and completing the initialization stage.
4. The private cloud encryption storage method based on cloud crypto engine key management according to claim 1, wherein: the second step comprises the following steps of,
step 2.1, after receiving the data key request, the key management module calls a corresponding interface function, generates an SM4 data key and an SM3 digest value of the key through cryptographic equipment, encrypts and outputs a public key by using the SM2 of a user, and stores a ciphertext and the digest value of the data key in a database of the key management module;
step 2.2, the data key is encrypted by the LMK in the cipher machine, and the encrypted form is stored in the database;
and 2.3, the Ceph end obtains the data key and the digest value encrypted by the user public key, decrypts by using the user private key to obtain plaintext information, encrypts the plaintext data of the user by using the data key, and destroys the data key.
5. The private cloud encryption storage method based on cloud crypto engine key management according to claim 4, wherein: in the third step, the cryptograph and the abstract value are grouped and mapped into a plurality of groups of data segments with the same size, the PG is obtained through one Hsah operation, and then mapped to corresponding OSDs through the Crush operation for data storage, and the stored addressing process is totally three steps,
the first step is the mapping from File to Objects, the mapping divides the complete ciphertext data File into a plurality of groups of Objects with the same size, and each object generated after division obtains unique oid;
the second step is the mapping from the Objects to the PG, the PG is a logic set of the Objects, oid is mapped into a pseudo-random value which is approximately uniformly distributed by calculating a hash value of oid, and the pseudo-random value and the mask are subjected to bitwise AND to obtain a PG serial number;
thirdly, mapping PG to OSD, calculating the object to be mapped to corresponding OSDs by using CRUSH algorithm, wherein the group of OSDs are the storage positions of object data in PG; in the Ceph mechanism, one OSD usually needs to exchange information with other OSDs that carry the same PG together to determine whether each OSD works normally.
6. The private cloud encryption storage method based on cloud crypto engine key management according to claim 1, wherein: the third step designs the data interaction step of the Ceph storage module and the key management module,
after Ceph is deployed successfully, an initialization request is firstly initiated to a key management module, and the address and the user information of the Ceph are sent;
step (ii), after the key management module obtains the request, establishing a corresponding user table, simultaneously generating an SM2 key pair, sending a private key to Ceph, storing a public key into the user table, and completing an initialization stage;
step (iii), the Ceph stores the private key, and after obtaining the data storage request of the user, the Ceph initiates an encryption request to the key management module, provides own user information and signs;
step (iiii) after the key management module checks the signature, generating an SM4 data key and a corresponding SM3 digest value, encrypting the SM4 data key and the SM3 digest value by using a user public key of the Ceph, and sending the encrypted SM4 data key to the Ceph;
and (iiii) encrypting and storing the user data after the data key is obtained, and simultaneously storing the abstract value into the corresponding user table.
7. The private cloud encryption storage method based on cloud crypto engine key management according to claim 1, wherein: the fourth step comprises the following steps of,
step 4.1, the Ceph sends a request with a digest value to the key management module;
and 4.2, the key management module finds out a corresponding data key ciphertext in the database through digest value comparison, calls a corresponding interface function to decrypt to obtain a corresponding data key plaintext, and sends the data key to the Ceph end in a same sending mode as the encryption step.
CN202111025468.2A 2021-09-02 2021-09-02 Private cloud encryption storage method based on cloud cipher machine key management Pending CN113972985A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111025468.2A CN113972985A (en) 2021-09-02 2021-09-02 Private cloud encryption storage method based on cloud cipher machine key management

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202111025468.2A CN113972985A (en) 2021-09-02 2021-09-02 Private cloud encryption storage method based on cloud cipher machine key management

Publications (1)

Publication Number Publication Date
CN113972985A true CN113972985A (en) 2022-01-25

Family

ID=79586411

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111025468.2A Pending CN113972985A (en) 2021-09-02 2021-09-02 Private cloud encryption storage method based on cloud cipher machine key management

Country Status (1)

Country Link
CN (1) CN113972985A (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117155567A (en) * 2023-09-19 2023-12-01 江南信安(南京)科技有限公司 Multi-layer key generation management method and device based on cipher machine resource pool
WO2024088145A1 (en) * 2022-10-27 2024-05-02 腾讯科技(深圳)有限公司 Data processing method and apparatus, and program product, computer device and storage medium

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103595730A (en) * 2013-11-28 2014-02-19 中国科学院信息工程研究所 Ciphertext cloud storage method and system
CN109040045A (en) * 2018-07-25 2018-12-18 广东工业大学 A kind of cloud storage access control method based on the encryption of ciphertext policy ABE base
CN109726584A (en) * 2018-12-12 2019-05-07 西安得安信息技术有限公司 Cloud database key management system

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103595730A (en) * 2013-11-28 2014-02-19 中国科学院信息工程研究所 Ciphertext cloud storage method and system
CN109040045A (en) * 2018-07-25 2018-12-18 广东工业大学 A kind of cloud storage access control method based on the encryption of ciphertext policy ABE base
CN109726584A (en) * 2018-12-12 2019-05-07 西安得安信息技术有限公司 Cloud database key management system

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
张晓: "Ceph分布式存储系统性能优化技术研究综述", 计算机科学 *
莫崇维: "云计算密钥存储与更新方案研究与实现", 中国优秀硕士学位论文全文数据库信息科技辑 *

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2024088145A1 (en) * 2022-10-27 2024-05-02 腾讯科技(深圳)有限公司 Data processing method and apparatus, and program product, computer device and storage medium
CN117155567A (en) * 2023-09-19 2023-12-01 江南信安(南京)科技有限公司 Multi-layer key generation management method and device based on cipher machine resource pool
CN117155567B (en) * 2023-09-19 2024-05-31 江南信安(南京)科技有限公司 Multi-layer key generation management method and device based on cipher machine resource pool

Similar Documents

Publication Publication Date Title
US6125185A (en) System and method for encryption key generation
CN111448779B (en) System, device and method for hybrid secret sharing
US8401186B2 (en) Cloud storage data access method, apparatus and system based on OTP
US10148438B2 (en) Methods and apparatus for protecting sensitive data in distributed applications
US20170244687A1 (en) Techniques for confidential delivery of random data over a network
CN107948156A (en) The closed key management method and system of a kind of identity-based
CN113541935B (en) Encryption cloud storage method, system, equipment and terminal supporting key escrow
US11757625B2 (en) Multi-factor-protected private key distribution
CN103414682A (en) Method for cloud storage of data and system
KR102656403B1 (en) Generate keys for use in secure communications
CN113972985A (en) Private cloud encryption storage method based on cloud cipher machine key management
CN106936579A (en) Cloud storage data storage and read method based on trusted third party agency
CN114244508B (en) Data encryption method, device, equipment and storage medium
CN107911221B (en) Key management method for secure storage of solid-state disk data
CN116567624A (en) 5G feeder terminal communication safety protection method, device and storage medium
CN106919348A (en) Distributed memory system and storage method that anti-violence is cracked
GB2488753A (en) Encrypted communication
Bokhari et al. Evaluation of hybrid encryption technique to secure data during transmission in cloud computing
Gong [Retracted] Application Research of Data Encryption Algorithm in Computer Security Management
CN110048852A (en) Quantum communications service station Signcryption method and system based on unsymmetrical key pond
CN115204876A (en) Quantum security U shield equipment and method for mobile payment
CN114866244A (en) Controllable anonymous authentication method, system and device based on ciphertext block chaining encryption
CN112651034A (en) One-time pad replaceable encryption algorithm, assembly and equipment based on codebook
CN110213299A (en) A kind of more attribute authority encryption methods and device of suitable mobile cloud environment
AU2019381522A1 (en) Encryption system and method employing permutation group-based encryption technology

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination