CN114143098B - Data storage method and data storage device - Google Patents
Data storage method and data storage device Download PDFInfo
- Publication number
- CN114143098B CN114143098B CN202111470327.1A CN202111470327A CN114143098B CN 114143098 B CN114143098 B CN 114143098B CN 202111470327 A CN202111470327 A CN 202111470327A CN 114143098 B CN114143098 B CN 114143098B
- Authority
- CN
- China
- Prior art keywords
- data block
- uploaded
- client
- data
- server
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/04—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
- H04L63/0428—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
- H04L63/045—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply hybrid encryption, i.e. combination of symmetric and asymmetric encryption
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/12—Applying verification of the received information
- H04L63/123—Applying verification of the received information received data contents, e.g. message integrity
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L67/00—Network arrangements or protocols for supporting network services or applications
- H04L67/01—Protocols
- H04L67/06—Protocols specially adapted for file transfer, e.g. file transfer protocol [FTP]
Abstract
The application provides a data storage method and a data storage device, which can be used in the field of data storage and are beneficial to considering data security and data duplication removal during data storage. The method comprises the following steps: the client acquires a plurality of data blocks, an identifier of each data block in the plurality of data blocks and a convergence key, and sends the identifier of each data block to the server; after receiving the identification of each data block, the server determines a data block list to be uploaded based on the identification of each data block, and sends the data block list to be uploaded to the client; the client determines a data block to be uploaded based on the data block list to be uploaded, encrypts at least one data block to be uploaded through at least one convergence key of the data block to be uploaded to obtain at least one ciphertext of the data block to be uploaded, and sends the at least one ciphertext of the data block to be uploaded and the convergence key ciphertext of the data block to be uploaded to the server.
Description
Technical Field
The present application relates to the field of data storage, and in particular, to a data storage method and a data storage device.
Background
In the field of data storage, deduplication technology is widely used in network disks and content delivery networks (content delivery network, CDN). When the data is stored, if the duplicate removal technology is not used, the same data is required to be stored and transmitted for multiple times, and if the duplicate removal technology is used, the same data can be stored and transmitted once, so that the data storage cost and the data transmission efficiency are greatly reduced.
Current data storage means may include plaintext, unified key encryption, and user-defined encryption. The plain text and the unified key encryption mode allow operation and maintenance personnel of the data center to check all data, and duplicate data can be subjected to deduplication, but the security is low. The user self-defines the encryption mode, different users encrypt the data by using different keys to obtain different ciphertexts, so that the security can be improved, but the difficulty of data deduplication can be increased. Therefore, the current data storage method cannot achieve both data security and data deduplication.
Disclosure of Invention
The application provides a data storage method and a data storage device, which are beneficial to considering data security and data duplication removal during data storage.
In a first aspect, the present application provides a data storage method, including: the method comprises the steps that a client acquires a plurality of data blocks of a first file, an identifier of each data block in the plurality of data blocks and a convergence key of each data block; the client sends the identification of each data block to the server; the client receives a data block list to be uploaded sent by the server according to the identification of each data block, wherein the data block list to be uploaded comprises at least one identification of the data block to be uploaded, the at least one data block to be uploaded is different from the data blocks stored in the server, and the at least one data block to be uploaded is all or part of the data blocks; the client encrypts at least one data block to be uploaded through a convergence key of the at least one data block to be uploaded to obtain a ciphertext of the at least one data block to be uploaded; the method comprises the steps that a client sends at least one ciphertext of a data block to be uploaded and at least one convergence key ciphertext of the data block to be uploaded to a server, and the at least one convergence key ciphertext of the data block to be uploaded is obtained by encrypting the convergence key of the at least one data block to be uploaded through a first public key of a first key pair.
According to the data storage method provided by the application, the data blocks which are not stored in the server are determined according to the identification of the data blocks, so that the data block list to be uploaded is determined, the data deduplication is realized, the data transmission efficiency is improved, the data storage cost is reduced, in addition, the client encrypts the data blocks to be uploaded through the convergence key, encrypts the convergence key through the first public key, and the data transmission safety is improved in an encryption mode. Therefore, the method can simultaneously consider data security and data deduplication, and is beneficial to reducing data storage cost and data transmission efficiency.
With reference to the first aspect, in some implementations of the first aspect, the sending, by the client, an identifier of each data block to the server includes: the client builds a hash tree based on the identification of each data block, and sends information of the hash tree to the server, wherein a leaf node of the hash tree is a hash value of the identification of each data block, and a root node of the hash tree is a hash check value of the leaf node; the client receiving server sends a data block list to be uploaded according to the identification of each data block, and the data block list to be uploaded comprises the following components: and the client receives a data block list to be uploaded, which is sent by the server according to the information of the hash tree.
According to the data storage method provided by the application, the server can perform self-checking according to the hash tree information sent by the client, the integrity of the data block is verified, the received data block is not missed and tampered, meanwhile, the server can determine the data block which is not stored in the server according to the information of the leaf node of the hash tree sent by the client, further determine the data block list to be uploaded, realize data deduplication, and improve the data transmission efficiency and reduce the data storage cost.
With reference to the first aspect, in certain implementation manners of the first aspect, the method further includes: the client signs the first tuple through a first private key in the first key pair to obtain a signed first tuple, wherein the first tuple comprises information of a root node, a file name of a first file and a version number of the first file; the client sends the signed first tuple to the server.
According to the data storage method, the client signs the first tuple through the first private key, so that the follow-up server can verify the integrity of the data again according to the information of the first tuple and the information of the hash tree, and the data security is further improved.
With reference to the first aspect, in certain implementation manners of the first aspect, the method further includes: the client sends a request for downloading a first file to the server; the client receives ciphertext of a plurality of data blocks from the server and convergence key ciphertext of the plurality of data blocks; the client decrypts the convergent key ciphertext of the plurality of data blocks through the first private key respectively to obtain the convergent keys of the plurality of data blocks; and the client decrypts the ciphertext of the plurality of data blocks through the convergence keys of the plurality of data blocks to obtain the plurality of data blocks.
According to the data storage method provided by the application, the client downloads the first file stored by the server, and a plurality of data blocks of the first file are obtained in a twice decryption mode, so that the safety of data transmission is improved.
With reference to the first aspect, in certain implementation manners of the first aspect, the method further includes: the client receives the signed first tuple from the server; and the client performs integrity verification on the signed first tuple by using the first public key.
The data storage method provided by the application utilizes the first public key to carry out integrity verification on the signed first tuple, thereby being beneficial to ensuring the integrity of data and further improving the safety of data transmission.
With reference to the first aspect, in certain implementation manners of the first aspect, the method further includes: the client sends a request for sharing a first file with another client to the server; the client receives a second public key in a second key pair corresponding to the other client from the server and convergent key ciphertexts of a plurality of data blocks; the client decrypts the convergent key ciphertext of the plurality of data blocks through the first private key respectively to obtain the convergent keys of the plurality of data blocks; the client encrypts the convergence keys of the plurality of data blocks through the second public key respectively to obtain new convergence key ciphertext of the plurality of data blocks; the client sends the new convergent key ciphertext for the plurality of data blocks to the server.
According to the data storage method, when the client side shares files with the other client side, the client side can acquire the second public key of the other client side through the server, encrypt the convergence keys of the data blocks based on the second public key to obtain new convergence key ciphertext of the data blocks, acquire the new convergence key ciphertext of the data blocks and the key ciphertext of the data blocks through the server, decrypt the new convergence key ciphertext of the data blocks through the second public key generated by the client side, obtain the convergence key of the key ciphertext capable of decrypting the data blocks, and further obtain the data blocks. In the method, the shared file can be realized without exposing the public key between the client and the other client, and the security of data transmission can be provided.
In a second aspect, the present application provides a data storage method, comprising: the method comprises the steps that a server receives an identification of each data block in a plurality of data blocks from a client; the server compares the identifiers of the plurality of data blocks with the identifiers of the data blocks stored in the server respectively, and determines a data block list to be uploaded, wherein the data block list to be uploaded comprises at least one identifier of the data block to be uploaded, the at least one data block to be uploaded is different from the data blocks stored in the server, and the at least one data block to be uploaded is all or part of the plurality of data blocks; the server sends a data block list to be uploaded to the client; the server receives ciphertext of at least one data block to be uploaded from the client and convergence key ciphertext of at least one data block to be uploaded, wherein the ciphertext of the at least one data block to be uploaded is obtained by encrypting the at least one data block to be uploaded through the convergence key of the at least one data block to be uploaded, and the convergence key ciphertext of the at least one data block to be uploaded is obtained by encrypting the convergence key of the at least one data block to be uploaded through a first public key in a first key pair.
With reference to the second aspect, in certain implementations of the second aspect, the server receives an identification of each of a plurality of data blocks from the client, including: the server receives information of a hash tree from the client, wherein the hash tree is constructed based on the identifiers of a plurality of data blocks of a first file, leaf nodes of the hash tree are hash values of the identifiers of each data block in the plurality of data blocks, and root nodes of the hash tree are hash check values of the leaf nodes; after the server receives the identification of each of the plurality of data blocks from the client, the method further comprises: the server performs integrity check by utilizing the information of the root node and the information of the leaf node; the server compares the identifiers of the plurality of data blocks with the identifiers of the data blocks stored in the server respectively, and determines a data block list to be uploaded, including: and under the condition of passing the integrity check, the server compares the identifiers of the plurality of data blocks with the identifiers of the data blocks stored in the server respectively, and determines a data block list to be uploaded.
With reference to the second aspect, in certain implementations of the second aspect, the method further includes: the server receives a signed first tuple from the client, wherein the first tuple comprises root node information, a file name of a first file and a version number of the first file, and is obtained by signing the first tuple through a first private key in a first key pair; the server again performs integrity verification on the signed first tuple using the first public key.
With reference to the second aspect, in certain implementation manners of the second aspect, the method includes: the server receives a request for downloading a first file from a client; the server sends ciphertext of the plurality of data blocks and convergence key ciphertext of the plurality of data blocks to the client based on the request to download the first file.
With reference to the second aspect, in certain implementation manners of the second aspect, the method further includes: the server receives a request from a client to share a first file with another client; the server sends a second public key in a second key pair corresponding to the other client and convergent key ciphertext of a plurality of data blocks to the client based on a request for sharing the first file with the other client; the server receives new convergence key ciphertext of a plurality of data blocks from the client, wherein the new convergence key ciphertext of the plurality of data blocks is obtained by encrypting convergence keys of the plurality of data blocks through a second public key; the server sends the new convergence key ciphertext of the plurality of data blocks and the ciphertext of the plurality of data blocks to another client.
In a third aspect, the present application provides a data storage device comprising: the device comprises a processing module and a receiving and transmitting module. The processing module is used for acquiring a plurality of data blocks of the first file, an identifier of each data block in the plurality of data blocks and a convergence key of each data block; constructing a hash tree based on the identification of each data block; the receiving and transmitting module is used for transmitting information of the hash tree to the server, wherein a leaf node of the hash tree is a hash value of the identifier of each data block, and a root node of the hash tree is a hash check value of the leaf node; receiving a data block list to be uploaded sent by a server according to the information of the hash tree, wherein the data block list to be uploaded comprises at least one identifier of a data block to be uploaded, the at least one data block to be uploaded is different from the data blocks stored in the server, and the at least one data block to be uploaded is all or part of the data blocks; the processing module is also used for: encrypting at least one data block to be uploaded through a convergence key of the at least one data block to be uploaded to obtain a ciphertext of the at least one data block to be uploaded; signing the first tuple through a first private key in the first key pair to obtain a signed first tuple, wherein the first tuple comprises information of a root node, a file name of a first file and a version number of the first file; the transceiver module is also for: and sending the signed first tuple, the ciphertext of the at least one data block to be uploaded and the convergence key ciphertext of the at least one data block to be uploaded to the server, wherein the convergence key ciphertext of the at least one data block to be uploaded is obtained by encrypting the convergence key of the at least one data block to be uploaded through a first public key of a first key pair.
With reference to the third aspect, in some implementations of the third aspect, the transceiver module is further configured to: sending a request for downloading a first file to a server; receiving ciphertext of a plurality of data blocks from a server and convergence key ciphertext of the plurality of data blocks; the processing module is also used for: decrypting the convergent key ciphertext of the plurality of data blocks through the first private key respectively to obtain the convergent keys of the plurality of data blocks; and decrypting the ciphertext of the plurality of data blocks through the convergence keys of the plurality of data blocks to obtain the plurality of data blocks.
With reference to the third aspect, in some implementations of the third aspect, the transceiver module is configured to: receiving a signed first tuple from a server; and carrying out integrity verification on the signed first tuple by using the first public key.
With reference to the third aspect, in some implementations of the third aspect, the transceiver module is further configured to: sending a request for sharing the first file with another client to the server; receiving a second public key in a second key pair corresponding to another client from the server and converging key ciphertext of a plurality of data blocks; the processing module is used for: decrypting the convergent key ciphertext of the plurality of data blocks through the first private key respectively to obtain the convergent keys of the plurality of data blocks; encrypting the convergence keys of the plurality of data blocks through the second public key respectively to obtain new convergence key ciphertext of the plurality of data blocks; the transceiver module is also for: and sending the new convergent key ciphertext of the plurality of data blocks to the server.
In a fourth aspect, the present application provides a data storage device comprising: a transceiver module and a processing module. The receiving and transmitting module is used for receiving information of a hash tree from the client, the hash tree is constructed based on the identifications of a plurality of data blocks of the first file, a leaf node of the hash tree is a hash value of the identification of each data block in the plurality of data blocks, and a root node of the hash tree is a hash check value of the leaf node; the processing module is used for carrying out integrity check by utilizing the information of the root node and the information of the leaf node; under the condition that the integrity check is passed, the server compares the identifications of the plurality of data blocks with the identifications of the data blocks stored in the server respectively, a data block list to be uploaded is determined, the data block list to be uploaded comprises at least one identification of the data block to be uploaded, the at least one data block to be uploaded is different from the data blocks stored in the server, and the at least one data block to be uploaded is all or part of the plurality of data blocks; the transceiver module is also for: sending a data block list to be uploaded to a client; the method comprises the steps of receiving a signed first tuple from a client, at least one ciphertext of a data block to be uploaded and at least one convergence key ciphertext of the data block to be uploaded, wherein the first tuple comprises root node information, a file name of a first file and a version number of the first file, the signed first tuple is obtained by signing the first tuple through a first private key in a first key pair, the ciphertext of the at least one data block to be uploaded is obtained by encrypting the at least one data block to be uploaded through the convergence key of the at least one data block to be uploaded, and the convergence key ciphertext of the at least one data block to be uploaded is obtained by encrypting the convergence key of the at least one data block to be uploaded through a first public key in the first key pair.
With reference to the fourth aspect, in some implementations of the fourth aspect, the transceiver module is configured to: receiving a request from a client for downloading a first file; based on the request to download the first file, ciphertext of the plurality of data blocks and convergence key ciphertext of the plurality of data blocks are sent to the client.
With reference to the fourth aspect, in some implementations of the fourth aspect, the transceiver module is configured to: receiving a request from a client to share a first file with another client; based on a request for sharing the first file with the other client, sending a second public key in a second key pair corresponding to the other client and a convergent key ciphertext of a plurality of data blocks to the client; receiving new convergence key ciphertext of a plurality of data blocks from a client, wherein the new convergence key ciphertext of the plurality of data blocks is obtained by encrypting convergence keys of the plurality of data blocks through a second public key; and sending the new convergence key ciphertext of the plurality of data blocks and the ciphertext of the plurality of data blocks to another client.
In a fifth aspect, the present application provides a data storage device comprising a processor and a memory. The processor is configured to read instructions stored in the memory to perform a method according to any one of the possible implementations of the above aspect.
Optionally, the processor is one or more and the memory is one or more.
Alternatively, the memory may be integrated with the processor or the memory may be separate from the processor.
In a specific implementation process, the memory may be a non-transient (non-transitory) memory, for example, a Read Only Memory (ROM), which may be integrated on the same chip as the processor, or may be separately disposed on different chips.
The data storage device in the fifth aspect may be a chip, and the processor may be implemented by hardware or software, and when implemented by hardware, the processor may be a logic circuit, an integrated circuit, or the like; when implemented in software, the processor may be a general-purpose processor, implemented by reading software code stored in a memory, which may be integrated in the processor, or may reside outside the processor, and exist separately.
In a sixth aspect, the application provides a computer readable medium storing a computer program (which may also be referred to as code, or instructions) which, when run on a computer, causes the computer to perform the method of any one of the possible implementations of any one of the aspects.
In a seventh aspect, the present application provides a computer program product comprising: a computer program (which may also be referred to as code, or instructions) which, when executed, causes a computer to perform the method of any one of the possible implementations of any one of the aspects.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the application and together with the description, serve to explain the principles of the application.
Fig. 1 is a schematic diagram of a communication system to which an embodiment of the present application is applicable;
FIG. 2 is a schematic flow chart of a data storage method according to an embodiment of the present application;
FIG. 3 is a schematic flow chart of another data storage method according to an embodiment of the present application;
FIG. 4 is a schematic flow chart of yet another data storage method provided by an embodiment of the present application;
FIG. 5 is a schematic block diagram of a data storage device according to an embodiment of the present application;
fig. 6 is a schematic block diagram of another data storage device according to an embodiment of the present application.
Specific embodiments of the present application have been shown by way of the above drawings and will be described in more detail below. The drawings and the written description are not intended to limit the scope of the inventive concepts in any way, but rather to illustrate the inventive concepts to those skilled in the art by reference to the specific embodiments.
Detailed Description
The technical scheme of the application will be described below with reference to the accompanying drawings.
In order to facilitate understanding of the embodiments of the present application, related terms in the embodiments of the present application will be described first.
1. Plaintext and ciphertext
Plaintext is the word before encryption. Ciphertext is encrypted text.
The relationship between ciphertext and plaintext may be: ciphertext is a message that has been encrypted with plaintext.
2. Key(s)
A key is a parameter that is input in an algorithm that converts plaintext into ciphertext or converts ciphertext into plaintext.
Keys can be classified into symmetric keys and asymmetric keys. Wherein the symmetric key, i.e. the encrypted and decrypted key, is identical. Asymmetric keys, i.e. encryption and decryption keys, are different.
3. Symmetric key encryption
Symmetric key encryption, also known as private key encryption, is the operation of encrypting and decrypting plaintext by both parties sending and receiving data, using the same key.
4. Asymmetric key encryption
Asymmetric key encryption, also known as public key encryption, uses different keys to encrypt and decrypt plaintext by both the parties sending and receiving the data.
In asymmetric key encryption, the key used for encryption may be referred to as an asymmetric encryption public key, and the key used for decryption may be referred to as an asymmetric encryption private key.
5. Convergence encryption
The convergent encryption is an encryption scheme that generates a key from data content. Wherein the key generated from the data content may be referred to as a converging key.
In the convergent encryption scheme, the same data generated convergent key has uniqueness, i.e., the same data generated convergent key is the same.
6. Hash Tree (Hash Tree)
Hash trees, also commonly referred to as Merkle trees (Merkle tree), are a tree-shaped data structure in cryptography and computer science, each leaf node being labeled with a hash of a data block, and nodes other than the leaf node being labeled with a cryptographic hash of its child node label.
The hash tree is capable of efficiently and securely verifying the contents of large data structures.
7. Secure hash algorithm 256
The secure hash algorithm 256 (secure hash algorithm-256, sha-256) is a hash function, also known as a hashing algorithm, and is a method of creating a small digital "fingerprint" from any type of data.
The hash function may compress the message or data into a digest such that the amount of data is reduced, the format of the data is fixed, and then the data is shuffled to recreate a fingerprint called a hash value (or hash value). Wherein the hash value is typically represented by a string of short random letters and numbers.
For messages of any length, SHA256 generates a hash value of 256 bits (bits) long, called a message digest, which corresponds to an array of 32 bytes in length, typically represented by a hexadecimal string of length 64.
8. Secure hash algorithm 1 (secure hash algorithm-1, SHA-1)
SHA-1 is a cryptographic hash function that can generate a 160-bit (20 bytes) hash value called a message digest, typically in the form of 40 hexadecimal numbers.
In the SHA-1 method, the input information is different and the output message digest is different.
In the field of data storage, deduplication is a very critical technique. If the deduplication technology is not used in the data storage system, the same data needs to be stored and transmitted for multiple times. If the deduplication technology is used in the data storage system, the same data can be stored and transmitted once, and the data storage cost and the data transmission efficiency can be greatly reduced. Thus, deduplication technology is widely used in network disks and content delivery networks (content delivery network, CDN).
Current data storage means may include plaintext, unified key encryption, and user-defined encryption. The operation and maintenance personnel of the data center can check all data, duplicate data can be removed, but the security is low, and the requirements of users with higher sensitivity to data security such as enterprise users, financial users and the like are not met. The user self-defined encryption mode is adopted, different users encrypt data by using different keys to obtain different ciphertexts, so that the security can be improved, but the difficulty of data deduplication can be increased due to different ciphertexts. Therefore, the current data storage method cannot achieve both data security and data deduplication.
In addition, when users share data in a user-defined encryption mode, the users need to inform the other party of the own secret key, and the other party can obtain the shared data according to the secret key, namely when the users share the data, the users need to realize sharing under the condition of exposing the secret key of the users, so that the security is low.
Therefore, the data storage method and the data storage device provided by the embodiment of the application are beneficial to considering data security and data deduplication during data storage.
In order to facilitate understanding of the embodiments of the present application, a communication system to which the embodiments of the present application are applicable will be first described.
Fig. 1 is a schematic diagram of a communication system 100 according to an embodiment of the present application, and as shown in fig. 1, the communication system 100 includes a client 101, a client 102, and a server 103. The number of clients and servers in the communication system 100 is merely an example, and the number of clients and servers is not limited in the embodiment of the present application.
Both the client 101 and the client 102 may transmit data to the server 102, and the server 102 may transmit data to at least one of the client 101 and the client 102.
The client 101 and/or the client 102 may send data to the server 103 by using the method provided by the embodiment of the present application, and after the server 103 receives the data, the data may be stored and/or sent by using the method provided by the embodiment of the present application, which may give consideration to both data security and data deduplication during data storage.
Before describing the data storage method and the data storage device provided by the embodiment of the application, the following description is made:
first, the first, second and various numerical numbers in the embodiments shown below are merely for convenience of description and are not intended to limit the scope of the embodiments of the present application. For example, different key pairs, different public keys, etc.
Second, "at least one" means one or more, and "a plurality" means two or more. "and/or", describes an association relationship of an association object, and indicates that there may be three relationships, for example, a and/or B, and may indicate: a alone, a and B together, and B alone, wherein a, B may be singular or plural. The character "/" generally indicates that the context-dependent object is an "or" relationship. "at least one of" or the like means any combination of these items, including any combination of single item(s) or plural items(s). For example, at least one (one) of a, b, and c may represent: a, b, or c, or a and b, or a and c, or b and c, or a, b and c, wherein a, b and c can be single or multiple.
Fig. 2 is a schematic flow chart of a data storage method 200 according to an embodiment of the present application, which can be applied to the communication system 100. The method 200 may include the steps of:
s201, the client acquires a plurality of data blocks of the first file, an identification of each data block in the plurality of data blocks and a convergence key of each data block.
The client may be the client 101 or the client 102 in the communication system 100 described above.
The client may divide the data in the first file into a plurality of data blocks with a preset fixed size. For example, the preset fixed size may be 512 Kilobytes (KB) or 2 Megabits (MB). The embodiment of the application does not limit the specific value of the preset fixed size.
The plurality of data blocks may include one data block, two data blocks, or more than two data blocks, and the number of the data blocks is not limited in the embodiment of the present application.
The data block may be represented by a symbol block.
The number of the plurality of data blocks is n, which can be expressed as block 1 ,block 2 ,…,block i ,…,block n ]Wherein, block i May be used to represent the i-th data block, i being an integer greater than or equal to 1 and less than or equal to n.
The identification of the data blocks is used to distinguish between the different data blocks and may be represented by the symbol Tag.
The identity of the multiple data blocks may be denoted as [ Tag ] 1 ,Tag 2 ,…,Tag i ,…,Tag n ]Wherein Tag i May be used to represent the identity of the ith data block.
Alternatively, the identification of the data block may be generated from the data block by SHA-256.
The convergence key of each data block may be generated by the client according to the data content of each data block, and the convergence key of the data block may be represented by symbol CK.
The convergence keys of the plurality of data blocks may be identified as [ CK ] 1 ,CK 2 ,…,CK i ,…,CK n ]Wherein, CK i May be used to represent the convergence key of the ith data block.
Alternatively, the convergence key for each data block may be generated from the data block by SHA-1.
S202, the client sends the identification of each data block to the server, and correspondingly, the server receives the identification of each data block.
S203, the server compares the identifiers of the data blocks with the identifiers of the data blocks stored in the server respectively, and determines a data block list to be uploaded, wherein the data block list to be uploaded comprises at least one identifier of the data block to be uploaded, the at least one data block to be uploaded is different from the data blocks stored in the server, and the at least one data block to be uploaded is all or part of the data blocks.
The data blocks stored in the server can be uploaded by the client or other clients, and the source of the data blocks stored in the server is not limited in the embodiment of the application.
Alternatively, the sizes of the data blocks already stored in the server may all be the same as the above-mentioned preset fixed size. Or the size of the data block stored in the server is partially the same as the preset fixed size, and partially different from the preset fixed size.
When the sizes of the data blocks already stored in the server are all the same as the preset fixed size, the server can respectively compare the identifiers of the plurality of data blocks with the identifiers of the data blocks already stored in the server, and add the identifiers of the data blocks which are different from the identifiers of the data blocks already stored in the server to the data block list to be uploaded.
When the size of the data block already stored in the server is partially the same as the preset fixed size and the size of the data block is partially different from the preset fixed size, the server can respectively compare the identifiers of the plurality of data blocks with the identifiers of the data blocks already stored in the server and having the same size as the preset fixed size, and add the identifiers of the different data blocks into the data block list to be uploaded.
In other words, in the case where the data blocks already stored in the server employ the same division rule and identification rule as the plurality of data blocks of the first file (for example, when the data blocks are divided, it is ensured that the sizes of the data blocks are the same, and the identifications of the data blocks corresponding to the same data are the same, etc.), the server may compare using the above identifications, thereby determining the data blocks not stored in the server.
In the embodiment of the present application, the number of data blocks to be uploaded may be one, or may be two or more, which is not limited in the embodiment of the present application.
It should be understood that when a plurality of data blocks of the first file are already stored in the server, that is, all the data blocks in the first file are already stored in the server, the number of data blocks to be uploaded is 0, and the client does not need to upload the data blocks to the server.
It should also be appreciated that when the number of the plurality of data blocks is the same as the number of data blocks to be uploaded, the client needs to send all the data blocks in the first file to the server, i.e. any data block in the first file is not stored in the server.
The identifier of the at least one data block to be uploaded may be sent in the form of the above-mentioned list of data blocks to be uploaded, or may be sent in other forms, for example, in the form of a message or a message, which is not limited in the embodiment of the present application.
S204, the server sends the data block list to be uploaded to the client, and correspondingly, the client receives the data block list to be uploaded sent by the server according to the identification of each data block.
The client receives the data block list to be uploaded, and can determine the data block to be uploaded according to the identification of at least one data block to be uploaded in the data block list to be uploaded. S205, the client encrypts at least one data block to be uploaded through the convergence key of the at least one data block to be uploaded to obtain ciphertext of the at least one data block to be uploaded.
The ciphertext of the data block to be uploaded may be represented by the symbol C.
Ciphertext of multiple data blocks to be uploaded may be represented as [ C ] 1 ,C 2 ,…,C i ,…,C n ]Wherein C i May be used to represent the ciphertext of the ith data block to be uploaded.
The client may pass through the convergence key CK of the ith data block to be uploaded i For the ith data block to be uploaded i Encrypting to obtain ciphertext C of the ith data block to be uploaded i 。
It should be understood that the convergence keys of the data blocks to be uploaded are different, and the client encrypts the data block to be uploaded through the convergence key of the data block to be uploaded to obtain the ciphertext of the data block to be uploaded.
S206, the client sends at least one ciphertext of the data block to be uploaded and at least one convergent key ciphertext of the data block to be uploaded to the server, wherein the at least one convergent key ciphertext of the data block to be uploaded is obtained by encrypting the convergent key of the at least one data block to be uploaded through a first public key of the first key pair.
The first key pair is automatically generated by the client upon registration of the user. The first private key may be represented by the symbol AKprv.
Alternatively, the first key pair may be an asymmetric key. The first private key may be an asymmetric encryption private key.
When the first key pair is an asymmetric key, the first public key may be an asymmetric encryption public key.
The first public key may be represented by the symbol AKpub. The convergence key ciphertext of the data block to be uploaded may be represented by a symbol ACK.
The convergence key ciphertext of the plurality of data blocks to be uploaded can be represented as [ ACK ] 1 ,ACK 2 ,…,ACK i ,…,ACK n ]Wherein ACK is i May be used to represent the convergence key ciphertext of the ith data block to be uploaded.
The client can encrypt the convergence key of at least one data block to be uploaded through the first public key to obtain a convergence key ciphertext of the at least one data block to be uploaded.
Illustratively, the client may use the first public key AKpub to converge the CK key of the ith data block to be uploaded i Encryption is carried out to obtain a convergence key ciphertext ACK of the ith data block to be uploaded i 。
According to the data storage method provided by the application, the data blocks which are not stored in the server are determined according to the identification of the data blocks, so that the data block list to be uploaded is determined, the data deduplication is realized, the data transmission efficiency is improved, the data storage cost is reduced, in addition, the client encrypts the data blocks to be uploaded through the convergence key, encrypts the convergence key through the first public key, and the data transmission safety is improved in an encryption mode. Therefore, the method can simultaneously consider data security and data deduplication, and is beneficial to reducing data storage cost and data transmission efficiency.
As an optional embodiment, S202, the client sends the identifier of each data block to the server, including: the client builds a hash tree based on the identification of each data block, and sends information of the hash tree to the server, wherein a leaf node of the hash tree is a hash value of the identification of each data block, and a root node of the hash tree is a hash check value of the leaf node; correspondingly, the server receives an identification of each of a plurality of data blocks from the client, including: the server receives information of the hash tree from the client, the server performs integrity check by utilizing the information of the root node and the information of the leaf node, and under the condition that the information passes the integrity check, the server compares the identifiers of a plurality of data blocks with the identifiers of the data blocks stored in the server respectively to determine a data block list to be uploaded. The step S204, where the receiving server of the client receives the list of data blocks to be uploaded sent according to the identifier of each data block, includes: and the client receives a data block list to be uploaded, which is sent by the server according to the information of the hash tree.
The client may construct a hash tree with the hash value of the identification of each data block as a leaf node and the hash check value of the leaf node as a root node.
The server may be the server 103 in the communication system 100 described above.
The information of the hash tree includes information of a root node and information of a leaf node of the hash tree.
The server may determine whether the identification of the plurality of data blocks is complete using the information of the root node and the information of the leaf node using a self-check of the hash tree.
The signed first tuple may include the signed root node information, the signed first file's filename, and the signed first file's version number.
The version number of the first file may be 3.8.1.6102, for example.
The signed first tuple can be represented by the Sign.
After receiving the signed first tuple, the ciphertext of the at least one data block to be uploaded and the convergence key ciphertext of the at least one data block to be uploaded, the server can sign the signed first tuple through a first public key to obtain root node information of the hash tree, compares the root node information of the hash tree with the hash tree, and again checks the integrity of the data. In the case of passing the integrity check, the server may save the ciphertext of the at least one data block to be uploaded to the storage medium (i.e. the landing disc), i.e. the server saves the deduplicated first file. The server may also generate descriptive data describing the first file, i.e. the signed first tuple and the converging key ciphertext of the data block to be uploaded.
According to the data storage method, the client signs the first tuple through the first private key, so that the follow-up server can verify the integrity of the data again according to the information of the first tuple and the information of the hash tree, and the data security is further improved.
Optionally, the server may perform a signing on the signed first tuple through the first public key to obtain root node information of the hash tree. Wherein the first public key may be sent by the client to the server.
The client may automatically generate the first public key and the first private key of the first key pair at the time of user registration. The client can send the first public key and the first private key to the server, and the server can store the first public key and the first private key after receiving the first public key and the first private key.
Under the condition that the server receives the signed first tuple, the server can sign the signed first tuple through the first public key to obtain the first tuple.
Alternatively, the client may not store the first public key and the first private key, or may store the first public key and the first private key, which is not limited in the embodiment of the present application.
In the case that the first public key and the first private key are not saved or lost after the client is saved, the client may automatically download the first public key and the first private key from the server.
Optionally, the user may customize the key at the client when registering with the client to prevent other users from viewing or stealing data. The key customized by the user at the client may be referred to as a user key or a user-customized key, and the name of the key is not limited in the embodiment of the present application.
Illustratively, the user key may be a symmetric encryption key, which may be represented by the symbol PK.
When a user registers at a client, the user can directly fill in a key at the client, or can import the key stored at the client. The embodiment of the application does not limit the source of the user key.
Optionally, the client may encrypt the first private key AKprv through the user key PK, to obtain an encrypted first private key. Wherein the encrypted first private key may be represented by the symbol C (AKprv).
The client may send the user name, the encrypted first private key C (AKprv) and the first public key to the server, and correspondingly, after the server receives the user name, the encrypted first private key C (AKprv) and the first public key, the user name, the encrypted first private key C (AKprv) and the first public key are saved, i.e. the user creates successfully.
Under the condition that the first public key and the first private key are not saved or lost after the client is saved, the client can download the encrypted first private key and the first public key from the server and decrypt the encrypted first private key through the first public key to obtain the first private key.
According to the data storage method provided by the embodiment of the application, the client encrypts the first private key through the user key, so that the security of transmitting the first private key can be improved, and meanwhile, the first private key can be bound with the user, thereby being beneficial to the management of data by the server.
The method 200 described above describes a process in which a client sends a first file to a server, from which the client may download the first file after the server has stored the relevant data for the first file. Therefore, the embodiment of the present application further provides a data storage method 300, which is used to introduce a process that a client downloads a first file from a server.
Fig. 3 is a schematic flow chart of another data storage method 300 according to an embodiment of the present application, where the method 300 may be applied to the communication system 100 described above.
The method 300 may include the steps of:
s301, the client sends a request for downloading the first file to the server, and correspondingly, the server receives the request for downloading the first file.
The client may be the client 101 or the client 102 in the communication system 100 described above. The server may be the server 103 in the communication system 100 described above.
Alternatively, the request for downloading the first file may include a file name of the first file.
S302, the server sends ciphertext of a plurality of data blocks and convergence key ciphertext of the plurality of data blocks to the client based on a request for downloading the first file, and correspondingly, the client receives the ciphertext of the plurality of data blocks and the convergence key ciphertext of the plurality of data blocks.
The server may determine a plurality of data blocks of the first file based on the request to download the first file. Wherein the plurality of data blocks may include at least one data block to be uploaded in the method 200 and the same data block as the data block already existing in the server.
For example, the server may establish correspondence between the plurality of data blocks and file names of the first file, and when the server receives a request to download the first file, the server may determine the plurality of data blocks based on the file names of the first file in the request to download the first file.
The ciphertext of the plurality of data blocks includes ciphertext of at least one data block to be uploaded in the method 200 described above and ciphertext of the same data block as the data block already present in the server.
In the case where the same data block as the data block already existing in the server is uploaded to the server by the client, the server stores the ciphertext of the same data block as the data block already existing in the server, and the ciphertext of the plurality of data blocks may be directly transmitted to the client.
In the case where the same data block as the data block already existing in the server is uploaded to the server by a client other than the above-described client, the server needs to encrypt the same data block as the data block already existing in the server by the convergence key of the same data block as the data block already existing in the server to obtain the ciphertext of the same data block as the data block already existing in the server, and then send the ciphertext of the plurality of data blocks to the client.
The convergence key ciphertext of the plurality of data blocks includes the convergence key ciphertext of at least one data block to be uploaded in the method 200 described above and the convergence key ciphertext of the same data block as the data block already present in the server.
In the case where the same data block as the data block already existing in the server is uploaded to the server by the client, the server stores the convergence key ciphertext of the same data block as the data block already existing in the server, and the convergence key ciphertext of the plurality of data blocks may be directly transmitted to the client.
In the case where the same data block as the data block already existing in the server is uploaded to the server by a client other than the above-described client, the server needs to encrypt the convergence key of the same data block as the data block already existing in the server by the first private key to obtain the convergence key ciphertext of the same data block as the data block already existing in the server, and then send the convergence key ciphertext of the plurality of data blocks to the client.
It should be appreciated that the first private key is the same as the first private key in the method 200 described above.
S303, the client decrypts the convergent key ciphertext of the plurality of data blocks through the first private key respectively to obtain the convergent keys of the plurality of data blocks.
The first private key is the same as the first private key in the method 200 described above.
S304, the client decrypts the ciphertext of the plurality of data blocks through the convergence keys of the plurality of data blocks to obtain the plurality of data blocks.
The convergence keys of the plurality of data blocks are the same as those of the plurality of data blocks in the method 200, and will not be described herein.
According to the data storage method provided by the embodiment of the application, the client downloads the first file stored by the server, and a plurality of data blocks of the first file are obtained in a twice decryption mode, so that the safety of data transmission is improved.
As an alternative embodiment, the method 300 further includes: the server may also send the signed first tuple to the client, and correspondingly, the client receives the signed first tuple; and the client performs integrity verification on the signed first tuple by using the first public key.
The signed first tuple, the first public key, and the first tuple are the same as the signed first tuple, the first public key, and the first tuple, respectively, in the method 200 described above.
Illustratively, the client performs a signature-releasing operation on the signed first tuple by using the first public key, and if the signature-releasing operation is successful, the client can indicate that the data is complete; if the signature is not successful, the missing or tampered data can be indicated.
According to the data storage method provided by the embodiment of the application, the first signed tuple is subjected to integrity verification by using the first public key, so that the integrity of data is guaranteed, and the safety of data transmission is further improved.
The embodiment of the application also provides a data storage method 400 for introducing a process of file sharing between clients.
Fig. 4 is a schematic flow chart of yet another data storage method 400 according to an embodiment of the present application, where the method 400 may be applied to the communication system 100 described above.
The method 400 may include the steps of:
s401, the client sends a request for sharing the first file with the other client to the server, and correspondingly, the server receives the request for sharing the first file with the other client.
The client may be the client 101 in the communication system 100 described above. The other client may be a client 102 in the communication system 100.
It should be understood that, for convenience of description, the first file in the above method 200 and method 300 is taken as an example in this embodiment, and in other possible implementations, any other file may be shared between the clients, which is not limited by the embodiment of the present application.
In the embodiment of the present application, the client shares the first file with another client, that is, the other client may also obtain the data in the first file, that is, the multiple data blocks in the above-mentioned methods 200 and 300.
The user of a client may be referred to as user a and the user of another client may be referred to as user b, with the first file being shared between user a and user b.
For example, a request to share a first file with another client may be described in terms of a < user b, filename > tuple.
S402, the server sends a second public key in a second key pair corresponding to the other client and convergent key ciphertexts of a plurality of data blocks to the client based on a request for sharing the first file with the other client, and the client receives the second public key in the second key pair corresponding to the other client and the convergent key ciphertexts of the plurality of data blocks.
The other client may automatically generate a second public key and a second private key, i.e. a second key pair, upon user registration. It will be appreciated that the second key pair is different to the first key pair described above.
Alternatively, the second key pair may be an asymmetric key. The second private key may be an asymmetric encryption private key and the second public key may be an asymmetric encryption public key.
The convergence key ciphertext of the plurality of data blocks is the convergence key ciphertext of the plurality of data blocks in the first file.
For example, the second public key and the convergence key ciphertext of the plurality of data blocks may be described in terms of a < second public key, convergence key ciphertext of the plurality of data blocks > tuple.
S403, the client decrypts the convergent key ciphertext of the plurality of data blocks through the first private key respectively to obtain the convergent keys of the plurality of data blocks.
The first private key is the same as the first private key in the methods 200 and 300 described above.
The client decrypts the convergent key ciphertext of the plurality of data blocks through the first private key of the client to obtain the convergent keys of the plurality of data blocks
S404, the client encrypts the convergence keys of the data blocks through the second public keys to obtain new convergence key ciphertexts of the data blocks.
And the client encrypts the convergence keys of the data blocks through the second public key of the other client to obtain new convergence key ciphertext of the data blocks.
S405, the client sends new convergence key ciphertext of the plurality of data blocks to the server, and correspondingly, the server receives the new convergence key ciphertext of the plurality of data blocks.
After receiving the new convergence key ciphertext of the plurality of data blocks, the server may establish a descriptive file of the first file, that is, the new convergence key ciphertext of the plurality of data blocks.
S406, the server sends the new convergence key ciphertext of the plurality of data blocks and the ciphertext of the plurality of data blocks to another client, and correspondingly, the other client can receive the new convergence key ciphertext of the plurality of data blocks and the ciphertext of the plurality of data blocks.
When another client checks the data of the first file, the second private key is used for decrypting the new convergence key ciphertext of the plurality of data blocks respectively to obtain convergence keys of the plurality of data blocks, and the convergence keys of the plurality of data blocks are used for decrypting the ciphertext of the plurality of data blocks to obtain the plurality of data blocks, namely the data in the first file.
Optionally, before the step S406, the method 400 further includes: the method comprises the steps that another client sends a request for downloading a first file or a request for opening the first file to a server, and correspondingly, the server receives the request for downloading the first file or the request for opening the first file of the other client; the method S406 includes: the server sends the new convergence key ciphertext of the plurality of data blocks and the ciphertext of the plurality of data blocks to another client based on the request to download the first file or the request to open the first file.
Optionally, the server may further send the signed first tuple and the information of the hash tree to another client, and correspondingly, the other client may receive the signed first tuple and the information of the hash tree and perform integrity verification based on the signed first tuple and the information of the hash tree.
According to the data storage method provided by the embodiment of the application, when the client shares the file with the other client, the client can firstly acquire the second public key of the other client through the server, encrypt the convergent keys of the data blocks based on the second public key to obtain the new convergent key ciphertext of the data blocks, and the other client can acquire the new convergent key ciphertext of the data blocks and the key ciphertext of the data blocks through the server, decrypt the new convergent key ciphertext of the data blocks through the second public key generated by the client to obtain the convergent key capable of decrypting the key ciphertext of the data blocks, and further obtain the data blocks. In the method, the shared file can be realized without exposing the public key between the client and the other client, and the security of data transmission can be provided.
The method 300 and the method 400 are implemented based on the method 200, and the method 300 and the method 400 are two methods in parallel. The above method 200, method 300 and method 400 can be applied to many storage related fields such as Yu Yunpan, backup, CDN, object storage, etc., and all improve economy, availability, security and transmission efficiency.
The sequence numbers of the above-mentioned processes do not mean the sequence of execution sequence, and the execution sequence of each process should be determined by its functions and internal logic, and should not constitute any limitation on the implementation process of the embodiment of the present application.
The data storage method provided by the embodiment of the present application is described in detail above with reference to fig. 1 to 4, and the data storage device provided by the embodiment of the present application will be described in detail below with reference to fig. 5 and 6.
Fig. 5 illustrates a data storage device 500 provided in an embodiment of the present application. The apparatus 500 includes: a processing module 510 and a transceiver module 520.
In one possible implementation manner, the apparatus 500 is configured to execute each flow and step corresponding to the client in the foregoing method embodiment.
The processing module 510 is configured to: acquiring a plurality of data blocks of a first file, an identifier of each data block in the plurality of data blocks and a convergence key of each data block; the transceiver module 520 is configured to: sending the identification of each data block to a server; the method comprises the steps that a data block list to be uploaded sent by a server according to the identification of each data block is received, the data block list to be uploaded comprises at least one identification of the data block to be uploaded, the at least one data block to be uploaded is different from the data blocks stored in the server, and the at least one data block to be uploaded is all or part of the data blocks; the processing module 510 is further configured to: encrypting at least one data block to be uploaded through a convergence key of the at least one data block to be uploaded to obtain a ciphertext of the at least one data block to be uploaded; the transceiver module 520 is further configured to: and sending the ciphertext of the at least one data block to be uploaded and the convergence key ciphertext of the at least one data block to be uploaded to a server, wherein the convergence key ciphertext of the at least one data block to be uploaded is obtained by encrypting the convergence key of the at least one data block to be uploaded through a first public key of a first key pair.
Optionally, the processing module 510 is further configured to: constructing a hash tree based on the identification of each data block; the transceiver module 520 is further configured to: transmitting information of a hash tree to a server, wherein a leaf node of the hash tree is a hash value of an identifier of each data block, and a root node of the hash tree is a hash check value of the leaf node; and the receiving server sends the data block list to be uploaded according to the information of the hash tree.
Optionally, the processing module 510 is further configured to: signing the first tuple through a first private key in the first key pair to obtain a signed first tuple, wherein the first tuple comprises information of a root node, a file name of a first file and a version number of the first file; the transceiver module 520 is further configured to: and sending the signed first tuple to the server. Optionally, the transceiver module 520 is further configured to: sending a request for downloading a first file to a server; receiving ciphertext of a plurality of data blocks from a server and convergence key ciphertext of the plurality of data blocks; the processing module 510 is further configured to: decrypting the convergent key ciphertext of the plurality of data blocks through the first private key respectively to obtain the convergent keys of the plurality of data blocks; and decrypting the ciphertext of the plurality of data blocks through the convergence keys of the plurality of data blocks to obtain the plurality of data blocks.
Optionally, the transceiver module 520 is configured to: receiving a signed first tuple from a server; and carrying out integrity verification on the signed first tuple by using the first public key.
Optionally, the transceiver module 520 is further configured to: sending a request for sharing the first file with another client to the server; receiving a second public key in a second key pair corresponding to another client from the server and converging key ciphertext of a plurality of data blocks; the processing module 510 is configured to: decrypting the convergent key ciphertext of the plurality of data blocks through the first private key respectively to obtain the convergent keys of the plurality of data blocks; encrypting the convergence keys of the plurality of data blocks through the second public key respectively to obtain new convergence key ciphertext of the plurality of data blocks; the transceiver module 520 is further configured to: and sending the new convergent key ciphertext of the plurality of data blocks to the server.
In another possible implementation manner, the apparatus 500 is configured to perform the respective processes and steps corresponding to the server in the above method embodiment.
The transceiver module 520 is configured to: the identification processing module 510 that receives each of a plurality of data blocks from a client is configured to: comparing the identifiers of the plurality of data blocks with the identifiers of the data blocks stored in the server respectively, and determining a data block list to be uploaded, wherein the data block list to be uploaded comprises at least one identifier of the data block to be uploaded, the at least one data block to be uploaded is different from the data blocks stored in the server, and the at least one data block to be uploaded is all or part of the plurality of data blocks; the transceiver module 520 is further configured to: sending a data block list to be uploaded to a client; receiving ciphertext of at least one data block to be uploaded and convergence key ciphertext of at least one data block to be uploaded from a client, wherein the ciphertext of the at least one data block to be uploaded is obtained by encrypting the at least one data block to be uploaded through a convergence key of the at least one data block to be uploaded, and the convergence key ciphertext of the at least one data block to be uploaded is obtained by encrypting the convergence key of the at least one data block to be uploaded through a first public key of a first key pair.
Optionally, the transceiver module 520 is further configured to: receiving information of a hash tree from a client, wherein the hash tree is constructed based on the identifications of a plurality of data blocks of a first file, a leaf node of the hash tree is a hash value of the identification of each data block in the plurality of data blocks, and a root node of the hash tree is a hash check value of the leaf node; the processing module 510 is further configured to: carrying out integrity check by utilizing the information of the root node and the information of the leaf node; in the case of passing the integrity check, the identifiers of the plurality of data blocks are respectively compared with the identifiers of the data blocks already stored in the device 500, and a list of data blocks to be uploaded is determined.
Optionally, the transceiver module 520 is further configured to: receiving a signed first tuple from a client, wherein the first tuple comprises root node information, a file name of a first file and a version number of the first file, and is obtained by signing the first tuple through a first private key in a first key pair; the processing module 510 is further configured to: and carrying out integrity verification on the signed first tuple again by using the first public key.
Optionally, the transceiver module 520 is configured to: receiving a request from a client for downloading a first file; based on the request to download the first file, ciphertext of the plurality of data blocks and convergence key ciphertext of the plurality of data blocks are sent to the client.
Optionally, the transceiver module 520 is configured to: receiving a request from a client to share a first file with another client; based on a request for sharing the first file with the other client, sending a second public key in a second key pair corresponding to the other client and a convergent key ciphertext of a plurality of data blocks to the client; receiving new convergence key ciphertext of a plurality of data blocks from a client, wherein the new convergence key ciphertext of the plurality of data blocks is obtained by encrypting convergence keys of the plurality of data blocks through a second public key; and sending the new convergence key ciphertext of the plurality of data blocks and the ciphertext of the plurality of data blocks to another client.
It should be appreciated that the apparatus 500 herein is embodied in the form of functional modules. The term module herein may refer to an application specific integrated circuit (application specific integrated circuit, ASIC), an electronic circuit, a processor (e.g., a shared, dedicated, or group processor, etc.) and memory that execute one or more software or firmware programs, a combinational logic circuit, and/or other suitable components that support the described functionality. In an alternative example, it will be understood by those skilled in the art that the apparatus 500 may be specifically a client or a server in the foregoing embodiment, or the functions of the client or the server in the foregoing embodiment may be integrated in the apparatus 500, and the apparatus 500 may be used to execute each flow and/or step corresponding to the client or the server in the foregoing method embodiment, which is not repeated herein.
The apparatus 500 has functions to implement the corresponding steps performed by the client or server in the method 200, 300 or 400; the above functions may be implemented by hardware, or may be implemented by hardware executing corresponding software. The hardware or software includes one or more modules corresponding to the functions described above.
Fig. 6 illustrates a data storage device 600 provided by an embodiment of the present application. The apparatus 600 includes: a processor 610, a transceiver 620, and a memory 630. Wherein the processor 610, the transceiver 620 and the memory 630 communicate with each other through an internal connection path, the memory 630 is used for storing instructions, and the processor 610 is used for executing the instructions stored in the memory 630 to control the transceiver to transmit signals and/or receive signals.
It should be understood that the apparatus 600 may be configured to perform the steps and/or processes corresponding to the client or the server in the above-described method embodiments. The memory 630 may optionally include read-only memory and random access memory, and provide instructions and data to the processor 610. A portion of memory 630 may also include nonvolatile random access memory. For example, the memory 630 may also store information of the device type. The processor 610 may be configured to execute instructions stored in the memory 630 and when the processor 610 executes instructions stored in the memory 630, the processor 610 is configured to perform the steps and/or processes of the method embodiments described above corresponding to the client or server.
It should be appreciated that in embodiments of the present application, the processor 610 of the apparatus 600 may be a central processing unit (central processing unit, CPU), and the processor 610 may also be other general purpose processors, digital Signal Processors (DSPs), application Specific Integrated Circuits (ASICs), field Programmable Gate Arrays (FPGAs) or other programmable logic devices, discrete gate or transistor logic devices, discrete hardware components, etc. A general purpose processor may be a microprocessor or the processor may be any conventional processor or the like.
In implementation, the steps of the above method may be performed by integrated logic circuits of hardware in a processor or by instructions in the form of software. The steps of the method disclosed in connection with the embodiments of the present application may be embodied directly in a hardware processor for execution, or in a combination of hardware and software elements in the processor for execution. The software elements may be located in a random access memory, flash memory, read-only memory, programmable read-only memory or electrically erasable programmable memory, registers, etc. as well known in the art. The storage medium is located in a memory, and the processor executes instructions in the memory to perform the steps of the method described above in conjunction with its hardware. To avoid repetition, a detailed description is not provided herein.
The present application provides a readable computer storage medium for storing a computer program for implementing the method corresponding to the client or the server in the above embodiment.
The present application provides a computer program product comprising a computer program (which may also be referred to as code, or instructions) which, when run on a computer, performs the method corresponding to a client or server in the above embodiments.
Those of ordinary skill in the art will appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, or combinations of computer software and electronic hardware. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the solution. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present application.
It will be clear to those skilled in the art that, for convenience and brevity of description, specific working procedures of the above-described systems, apparatuses and units may refer to corresponding procedures in the foregoing method embodiments, and are not repeated herein.
In the several embodiments provided by the present application, it should be understood that the disclosed systems, devices, and methods may be implemented in other manners. For example, the apparatus embodiments described above are merely illustrative, e.g., the division of the units is merely a logical function division, and there may be additional divisions when actually implemented, e.g., multiple units or components may be combined or integrated into another system, or some features may be omitted or not performed. Alternatively, the coupling or direct coupling or communication connection shown or discussed with each other may be an indirect coupling or communication connection via some interfaces, devices or units, which may be in electrical, mechanical or other form.
The units described as separate units may or may not be physically separate, and units shown as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, each functional unit in the embodiments of the present application may be integrated in one processing unit, or each unit may exist alone physically, or two or more units may be integrated in one unit.
The functions, if implemented in the form of software functional units and sold or used as a stand-alone product, may be stored in a computer-readable storage medium. Based on this understanding, the technical solution of the present application may be embodied essentially or in a part contributing to the prior art or in a part of the technical solution, in the form of a software product stored in a storage medium, comprising several instructions for causing a computer device (which may be a personal computer, a server, a network device, etc.) to perform all or part of the steps of the method according to the embodiments of the present application. And the aforementioned storage medium includes: a U-disk, a removable hard disk, a read-only memory (ROM), a random access memory (random access memory, RAM), a magnetic disk, or an optical disk, or other various media capable of storing program codes.
The foregoing is merely illustrative of the present application, and the present application is not limited thereto, and any person skilled in the art will readily recognize that variations or substitutions are within the scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.
Claims (13)
1. A method of data storage, comprising:
the client acquires a plurality of data blocks of a first file, an identifier of each data block in the plurality of data blocks and a convergence key of each data block;
the client sends the identification of each data block to a server;
the client receives a data block list to be uploaded sent by the server according to the identification of each data block, wherein the data block list to be uploaded comprises at least one identification of a data block to be uploaded, the at least one data block to be uploaded is different from the data blocks stored in the server, and the at least one data block to be uploaded is all or part of the data blocks;
the client encrypts the at least one data block to be uploaded through a convergence key of the at least one data block to be uploaded to obtain a ciphertext of the at least one data block to be uploaded;
the client sends ciphertext of the at least one data block to be uploaded and convergence key ciphertext of the at least one data block to be uploaded to the server, wherein the convergence key ciphertext of the at least one data block to be uploaded is obtained by encrypting the convergence key of the at least one data block to be uploaded through a first public key of a first key pair;
The client sends a request for sharing the first file with another client to the server;
the client receives a second public key in a second key pair corresponding to the other client from the server and a convergent key ciphertext of the plurality of data blocks;
the client decrypts the convergent key ciphertext of the plurality of data blocks through a first private key in the first key pair respectively to obtain the convergent keys of the plurality of data blocks;
the client encrypts the convergence keys of the plurality of data blocks through the second public key respectively to obtain new convergence key ciphertext of the plurality of data blocks;
the client sends the new convergence key ciphertext of the plurality of data blocks to the server.
2. The method of claim 1, wherein the client sending the identification of each data block to a server comprises:
the client builds a hash tree based on the identification of each data block, and sends information of the hash tree to the server, wherein a leaf node of the hash tree is a hash value of the identification of each data block, and a root node of the hash tree is a hash check value of the leaf node;
The client receives a data block list to be uploaded sent by the server according to the identification of each data block, and the data block list to be uploaded comprises the following components:
and the client receives a data block list to be uploaded, which is sent by the server according to the information of the hash tree.
3. The method according to claim 2, wherein the method further comprises:
the client signs a first tuple through a first private key in the first key pair to obtain the signed first tuple, wherein the first tuple comprises the information of the root node, the file name of the first file and the version number of the first file;
the client sends the signed first tuple to the server.
4. The method according to claim 1, wherein the method further comprises:
the client sends a request for downloading the first file to the server;
the client receives ciphertext of the plurality of data blocks and convergence key ciphertext of the plurality of data blocks from the server;
the client decrypts the convergent key ciphertext of the plurality of data blocks through the first private key respectively to obtain the convergent keys of the plurality of data blocks;
And the client decrypts the ciphertext of the plurality of data blocks through the convergence keys of the plurality of data blocks to obtain the plurality of data blocks.
5. The method according to claim 4, wherein the method further comprises:
the client receives a signed first tuple from the server, wherein the first tuple comprises information of a root node, a file name of the first file and a version number of the first file, the root node is a root node of a hash tree, the hash tree is constructed based on the identification of each data block, a leaf node of the hash tree is a hash value of the identification of each data block, and the root node of the hash tree is a hash check value of the leaf node;
and the client performs integrity verification on the signed first tuple by using the first public key.
6. A method of data storage, comprising:
the method comprises the steps that a server receives an identification of each data block in a plurality of data blocks of a first file from a client;
the server compares the identifiers of the plurality of data blocks with the identifiers of the data blocks stored in the server respectively, and determines a data block list to be uploaded, wherein the data block list to be uploaded comprises identifiers of at least one data block to be uploaded, the at least one data block to be uploaded is different from the data blocks stored in the server, and the at least one data block to be uploaded is all or part of the plurality of data blocks;
The server sends the data block list to be uploaded to the client;
the server receives ciphertext of the at least one data block to be uploaded and convergence key ciphertext of the at least one data block to be uploaded from the client, wherein the ciphertext of the at least one data block to be uploaded is obtained by encrypting the at least one data block to be uploaded through a convergence key of the at least one data block to be uploaded, and the convergence key ciphertext of the at least one data block to be uploaded is obtained by encrypting a convergence key of the at least one data block to be uploaded through a first public key of a first key pair;
the server receives a request from the client to share the first file with another client;
the server sends a second public key in a second key pair corresponding to another client and convergent key ciphertext of the plurality of data blocks to the client based on the request for sharing the first file with the other client;
the server receives new convergence key ciphertext of the plurality of data blocks from the client, wherein the new convergence key ciphertext of the plurality of data blocks is obtained by encrypting convergence keys of the plurality of data blocks through the second public key;
And the server sends the new convergence key ciphertext of the plurality of data blocks and the ciphertext of the plurality of data blocks to the other client.
7. The method of claim 6, wherein the server receiving an identification of each of a plurality of data blocks of the first file from the client comprises:
the server receives information of a hash tree from a client, wherein the hash tree is constructed based on the identifications of a plurality of data blocks of the first file, leaf nodes of the hash tree are hash values of the identifications of each data block in the plurality of data blocks, and root nodes of the hash tree are hash check values of the leaf nodes;
after the server receives the identification of each of the plurality of data blocks of the first file from the client, the method further comprises:
the server performs integrity check by utilizing the information of the root node and the information of the leaf node;
the server compares the identifiers of the plurality of data blocks with the identifiers of the data blocks stored in the server respectively, and determines a data block list to be uploaded, including:
and under the condition of passing the integrity check, the server compares the identifiers of the data blocks with the identifiers of the data blocks stored in the server respectively, and determines a data block list to be uploaded.
8. The method of claim 7, wherein the method further comprises:
the server receives a signed first tuple from the client, wherein the first tuple comprises information of the root node, a file name of the first file and a version number of the first file, and is obtained by signing the first tuple through a first private key in the first key pair;
and the server performs integrity verification on the signed first tuple again by using the first public key.
9. The method according to claim 6, characterized in that the method comprises:
the server receives a request from the client for downloading the first file;
and the server sends ciphertext of the plurality of data blocks and convergence key ciphertext of the plurality of data blocks to the client based on the request for downloading the first file.
10. A data storage device, comprising:
the processing module is used for acquiring a plurality of data blocks of the first file, an identification of each data block in the plurality of data blocks and a convergence key of each data block;
The receiving and transmitting module is used for transmitting the identification of each data block to the server; receiving a data block list to be uploaded sent by the server according to the identification of each data block, wherein the data block list to be uploaded comprises at least one identification of data blocks to be uploaded, the at least one data block to be uploaded is different from the data blocks stored in the server, and the at least one data block to be uploaded is all or part of the data blocks;
the processing module is further configured to: encrypting the at least one data block to be uploaded through the convergence key of the at least one data block to be uploaded to obtain a ciphertext of the at least one data block to be uploaded;
the transceiver module is further configured to: sending ciphertext of the at least one data block to be uploaded and convergence key ciphertext of the at least one data block to be uploaded to the server, wherein the convergence key ciphertext of the at least one data block to be uploaded is obtained by encrypting the convergence key of the at least one data block to be uploaded through a first public key of a first key pair
The transceiver module is further configured to: sending a request for sharing the first file with another client to the server; receiving a second public key in a second key pair corresponding to the other client from the server and a convergent key ciphertext of the plurality of data blocks;
The processing module is further configured to: decrypting the convergent key ciphertext of the plurality of data blocks through a first private key in the first key pair respectively to obtain the convergent keys of the plurality of data blocks; encrypting the convergence keys of the plurality of data blocks through the second public key respectively to obtain new convergence key ciphertext of the plurality of data blocks;
the transceiver module is further configured to: and sending the new converged key ciphertext of the plurality of data blocks to the server.
11. A data storage device, comprising:
the receiving and transmitting module is used for receiving the identification of each data block in the plurality of data blocks of the first file from the client;
the processing module is used for comparing the identifications of the plurality of data blocks with the identifications of the data blocks stored in the device respectively, and determining a data block list to be uploaded, wherein the data block list to be uploaded comprises identifications of at least one data block to be uploaded, the at least one data block to be uploaded is different from the data blocks stored in the device, and the at least one data block to be uploaded is all or part of the data blocks in the plurality of data blocks;
the transceiver module is further configured to: sending the data block list to be uploaded to the client; receiving ciphertext of the at least one data block to be uploaded and convergence key ciphertext of the at least one data block to be uploaded from the client, wherein the ciphertext of the at least one data block to be uploaded is obtained by encrypting the at least one data block to be uploaded through a convergence key of the at least one data block to be uploaded, and the convergence key ciphertext of the at least one data block to be uploaded is obtained by encrypting a convergence key of the at least one data block to be uploaded through a first public key of a first key pair; receiving a request from the client to share the first file with another client; based on the request for sharing the first file with another client, sending a second public key in a second key pair corresponding to the other client and a convergent key ciphertext of the plurality of data blocks to the client; receiving new convergence key ciphertext of the plurality of data blocks from the client, wherein the new convergence key ciphertext of the plurality of data blocks is obtained by encrypting convergence keys of the plurality of data blocks through the second public key; and sending the new convergence key ciphertext of the plurality of data blocks and the ciphertext of the plurality of data blocks to the other client.
12. A data storage device, comprising: a processor coupled to a memory for storing a computer program which, when invoked by the processor, causes the apparatus to perform the method of any one of claims 1 to 5 or to perform the method of any one of claims 6 to 9.
13. A computer readable storage medium, characterized in that the computer readable storage medium has stored thereon a computer program executable by a processor, the computer program comprising instructions for implementing the method according to any of claims 1 to 5 or the method according to any of claims 6 to 9.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202111470327.1A CN114143098B (en) | 2021-12-03 | 2021-12-03 | Data storage method and data storage device |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202111470327.1A CN114143098B (en) | 2021-12-03 | 2021-12-03 | Data storage method and data storage device |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN114143098A CN114143098A (en) | 2022-03-04 |
| CN114143098B true CN114143098B (en) | 2023-08-15 |
Family
ID=80387594
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202111470327.1A Active CN114143098B (en) | 2021-12-03 | 2021-12-03 | Data storage method and data storage device |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN114143098B (en) |
Families Citing this family (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN117097528A (en) * | 2023-08-22 | 2023-11-21 | 广州市番禺融合小额贷款股份有限公司 | Financial data secure storage system, method and equipment based on big data |
Citations (6)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN103685162A (en) * | 2012-09-05 | 2014-03-26 | 中国移动通信集团公司 | File storing and sharing method |
| CN104158880A (en) * | 2014-08-19 | 2014-11-19 | 济南伟利迅半导体有限公司 | User-end cloud data sharing solution |
| CN105915332A (en) * | 2016-07-04 | 2016-08-31 | 广东工业大学 | Cloud storage encryption and dereplication method and cloud storage encryption and dereplication system |
| CN106506474A (en) * | 2016-11-01 | 2017-03-15 | 西安电子科技大学 | A kind of efficient traceable data sharing method based on mobile cloud environment |
| CN109491591A (en) * | 2018-09-17 | 2019-03-19 | 广东工业大学 | A kind of information diffusion method suitable for cloudy storage system |
| CN112565434A (en) * | 2020-12-09 | 2021-03-26 | 广东工业大学 | Cloud storage safety duplicate removal method and device based on Mercker hash tree |
-
2021
- 2021-12-03 CN CN202111470327.1A patent/CN114143098B/en active Active
Patent Citations (6)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN103685162A (en) * | 2012-09-05 | 2014-03-26 | 中国移动通信集团公司 | File storing and sharing method |
| CN104158880A (en) * | 2014-08-19 | 2014-11-19 | 济南伟利迅半导体有限公司 | User-end cloud data sharing solution |
| CN105915332A (en) * | 2016-07-04 | 2016-08-31 | 广东工业大学 | Cloud storage encryption and dereplication method and cloud storage encryption and dereplication system |
| CN106506474A (en) * | 2016-11-01 | 2017-03-15 | 西安电子科技大学 | A kind of efficient traceable data sharing method based on mobile cloud environment |
| CN109491591A (en) * | 2018-09-17 | 2019-03-19 | 广东工业大学 | A kind of information diffusion method suitable for cloudy storage system |
| CN112565434A (en) * | 2020-12-09 | 2021-03-26 | 广东工业大学 | Cloud storage safety duplicate removal method and device based on Mercker hash tree |
Non-Patent Citations (1)
| Title |
|---|
| 一种基于代理重加密的安全重复数据删除机制的研究;王珂;中国优秀硕士学位论文全文数据库 信息科技辑;第五章 * |
Also Published As
| Publication number | Publication date |
|---|---|
| CN114143098A (en) | 2022-03-04 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US11184157B1 (en) | Cryptographic key generation and deployment | |
| CA3073549C (en) | Methods and systems for secure data communication | |
| JP4875075B2 (en) | Secure patch system | |
| US9537657B1 (en) | Multipart authenticated encryption | |
| US9628276B2 (en) | Discovery of secure network enclaves | |
| US9116849B2 (en) | Community-based de-duplication for encrypted data | |
| US9742560B2 (en) | Key management in secure network enclaves | |
| CN109194466A (en) | A kind of cloud data integrity detection method and system based on block chain | |
| CN111131278B (en) | Data processing method and device, computer storage medium and electronic equipment | |
| US20220006835A1 (en) | Tls integration of post quantum cryptographic algorithms | |
| US11582045B2 (en) | Combined digital signature algorithms for security against quantum computers | |
| CN112738051B (en) | Data information encryption method, system and computer readable storage medium | |
| CN109981255A (en) | The update method and system of pool of keys | |
| CN115225409B (en) | Cloud data safety duplicate removal method based on multi-backup joint verification | |
| CN111970114A (en) | File encryption method, system, server and storage medium | |
| KR20220144810A (en) | Secret partitioning and metadata storage | |
| CN112804217A (en) | Block chain technology-based evidence storing method and device | |
| CN114244508B (en) | Data encryption method, device, equipment and storage medium | |
| CN114142995B (en) | Key security distribution method and device for block chain relay communication network | |
| CN114143098B (en) | Data storage method and data storage device | |
| CN114679299B (en) | Communication protocol encryption method, device, computer equipment and storage medium | |
| CN112350920A (en) | Instant communication system based on block chain | |
| CN116866029B (en) | Random number encryption data transmission method, device, computer equipment and storage medium | |
| CN116743461B (en) | Commodity data encryption method and device based on time stamp | |
| US20230027422A1 (en) | Systems, apparatus, and methods for generation, packaging, and secure distribution of symmetric quantum cypher keys |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |