CN115857815A - Data security management system in scientific data open sharing - Google Patents

Info

Publication number: CN115857815A
Authority: CN (China)
Prior art keywords: data, user, module, file, scientific
Legal status: Pending
Application number: CN202211600414.9A
Other languages: Chinese (zh)
Inventor: 马勇
Current assignee: Huaneng Shandong Power Generation Co Ltd
Original assignee: Huaneng Shandong Power Generation Co Ltd
Priority date: 2022-12-12
Filing date: 2022-12-12
Publication date: 2023-03-28

Abstract

The invention discloses a data security management system for open sharing of scientific data. The system comprises a data input module, a data inspection module, a cloud server computing module and a data storage module. The data input module lets an external user upload data; the data inspection module performs duplicate data detection and user ownership verification on the uploaded data; the cloud server computing module performs the permission authentication and the computation required when an external user views data in the database; and the data storage module comprises the database and a storage medium. On top of the original protocol, the invention adds outsourced decryption for the user, which shortens the decryption time on the user side, and it can effectively resist both internal and external attackers. Simulation experiments show that the outsourced decryption design effectively shortens the user-side decryption time.

Description

Data security management system in scientific data open sharing
Technical Field
The invention relates to the technical field of data security management, and in particular to a data security management system for open sharing of scientific data.
Background
Cloud storage is a derivative of cloud computing: it arose from the question of how to store securely and manage efficiently the massive data that cloud computing generates and consumes. As an emerging storage mode, cloud storage has obvious advantages over traditional local storage. (1) Capacity can be allocated on demand: the cloud storage service allocates storage space of different sizes to different users according to their needs, and users can upgrade their accounts to obtain more space. (2) User cost is reduced: the free storage space offered by a cloud service provider meets the needs of most users.

Problems remain in the application of cloud storage services, however, and the one that worries enterprises and users most is data security; negative news about it spreads easily and causes panic. Threats to data security come from outside and from inside. On 21 December 2011 the user database of CSDN, a well-known programmer website, was attacked by hackers and more than six million account records and passwords were exposed, which drew a strong reaction across the whole internet. Another service (the source text gives only the fragment "Com" of its name) suffered an 18-hour service interruption on 31 January 2017 that could never be completely repaired; the cause was that during maintenance an employee deleted the database directory on the wrong database server, which permanently lost the production data of some customers, including project modifications, comments and accounts. Security incidents of this kind make users worry about the safety of their own data before they adopt cloud storage. To prevent similar incidents, more and more scholars have begun to study the security of big data in cloud storage services.
Disclosure of Invention
This section summarizes some aspects of embodiments of the invention and briefly introduces some preferred embodiments. In this section, as in the abstract and the title of this application, simplifications or omissions may be made to avoid obscuring their purpose; such simplifications or omissions are not intended to limit the scope of the invention.
The present invention has been made in view of the above and/or other problems of conventional data security management systems for open sharing of scientific data.
Therefore, the problem to be solved by the present invention is how to provide a data security management system for open sharing of scientific data.
To solve these technical problems, the invention provides the following technical scheme. The data security management system for open sharing of scientific data comprises a data input module, a data inspection module, a cloud server computing module and a data storage module;
the data input module is used by an external user to upload data;
the data inspection module performs duplicate data detection and user ownership verification on data uploaded by an external user;
the cloud server computing module performs the permission authentication and the computation required when an external user views data in the database;
the data storage module comprises a database and a storage medium.
As a preferred scheme of the data security management system for open sharing of scientific data, the invention comprises: the data input module lets an external user upload data by himself; when the external user wants to put a copy of data into the database of the data storage module, a duplicate data detection protocol must first be run with the data inspection module, and the protocol has two possible outcomes;
when the duplicate detection finds that the data already exists in the database, the upload is cancelled;
when the duplicate detection finds that the data does not exist in the database, the file data is uploaded.
As a preferred scheme of the data security management system for open sharing of scientific data, the invention comprises: after the data inspection module has run duplicate detection and found that the data is not in the database, it checks the authorization period of the uploaded file;
when the uploaded file is within its authorization period, the cloud server computing module operates normally;
when the uploaded file is not within its authorization period, the cloud server computing module runs the deterministic deletion protocol and rejects the file to be uploaded.
As a preferred scheme of the data security management system for open sharing of scientific data, the invention comprises: the cloud server computing module comprises a client, a cloud server, a trusted third party and an authorization center;
the client handles user management, deduplication processing and visualization processing;
the cloud server handles partial decryption processing and file management;
the trusted third party handles ownership certification, partial decryption processing and data deletion processing;
the authorization center handles user management and key management.
As a preferred scheme of the data security management system for open sharing of scientific data, the invention comprises: the user management of the client manages user registration information, modifies information and performs user login;
the deduplication processing is responsible for deleting duplicate files and checking the duplication rate of files in the database;
the visualization processing refers to viewing files, uploading files and downloading decrypted files.
As a preferred scheme of the data security management system for open sharing of scientific data, the invention comprises: the trusted third party is used for ownership certification. Suppose the file to be verified has m data blocks, the file held by the user differs from the source file in c of those blocks, and the trusted third party requires t blocks to be verified. Let D be the number of inconsistent blocks among the randomly drawn blocks, and define Q_D as the probability that at least one of the t verified blocks differs, i.e. the verification success probability, computed as
Figure BDA0003994942290000031
And wherein
Figure BDA0003994942290000032
Where i is the ith data block of the m data blocks.
As a preferred scheme of the data security management system for open sharing of scientific data, the invention comprises: the verification success probability is finally calculated as
Figure BDA0003994942290000033
As the equation shows, when c is 1% of m, t = 460 reaches the target of a detection probability above 99%. That is, when the file being checked differs from the database file in more than 1% of its data blocks, drawing 460 data blocks for checking gives a detection success probability above 99%.
As a preferred scheme of the data security management system for open sharing of scientific data, the invention comprises: the authorization center of the cloud server computing module also needs a security analysis, which must consider both internal attacks and external attacks on the system.
As a preferred scheme of the data security management system for open sharing of scientific data, the invention comprises: in the analysis of internal attacks, the data security management system for open sharing of scientific data uses the CP-ABE (ciphertext-policy attribute-based encryption) algorithm, so that the identity under which a user logs in corresponds to the user's attributes; the user cannot change his attributes during decryption, and can obtain the key only by following the reconstruction property of the secret-sharing scheme while decrypting the ciphertext. This ensures that only a user whose attributes are unchanged and fully satisfy the system's requirements can perform the ciphertext transformation, which reduces the possibility of attack.
As a preferred scheme of the data security management system for open sharing of scientific data, the invention comprises: the analysis of external attacks concerns the verification of user ownership by the data security management system for open sharing of scientific data. In each verification run the trusted third party generates a fresh random trust number r, so the returned values differ every time; even if an attacker obtains a returned key value, he cannot pass ownership verification without the trusted third party's random trust number r;
the data storage module updates the database content in real time and stores user login logs, user browsing records, user upload records, user session (stay) records and user key records; the data storage module performs an overwriting update once a month.
The method has the following advantages. The file uploaded by the user is sampled and fragmented in advance; the sampled ciphertext of the data and its position information are uploaded to and stored on the trusted third-party server, while the remaining data is uploaded only to the cloud server. Deletion is implemented by deleting the sampled ciphertext and the position information on the trusted third-party server. On top of the original protocol, outsourced decryption for the user is realized, which shortens the decryption time on the user side. The scheme can effectively resist intrusion by internal and external attackers, and simulation experiments show that the outsourced decryption design effectively shortens the user-side decryption time.
Drawings
To illustrate the technical solutions of the embodiments more clearly, the drawings needed for describing the embodiments are briefly introduced below. The drawings described below are only some embodiments of the invention; those skilled in the art can obtain other drawings from them without inventive effort. In the drawings:
fig. 1 is a block diagram of the data security management system for open sharing of scientific data in embodiment 1;
fig. 2 is an interaction flowchart of the data security management system for open sharing of scientific data in embodiment 1;
fig. 3 is a diagram of an embodiment of the data security management system for open sharing of scientific data in embodiment 2.
Detailed Description
In order to make the aforementioned objects, features and advantages of the present invention more comprehensible, embodiments accompanying figures of the present invention are described in detail below.
In the following description, numerous specific details are set forth to provide a thorough understanding of the invention. The invention may, however, be practiced in ways other than those specifically described here, as will be readily apparent to those of ordinary skill in the art, without departing from its spirit; the invention is therefore not limited to the specific embodiments disclosed below.
Furthermore, reference herein to "one embodiment" or "an embodiment" means that a particular feature, structure, or characteristic described in connection with the embodiment is included in at least one implementation of the invention. The appearances of the phrase "in one embodiment" in various places in the specification are not necessarily all referring to the same embodiment, nor are separate or alternative embodiments mutually exclusive of other embodiments.
Example 1
Referring to fig. 1 and 2, a first embodiment of the invention provides a data security management system for open sharing of scientific data, which comprises
a data input module 100, a data inspection module 200, a cloud server computing module 300 and a data storage module 400;
the data input module 100 is used by an external user to upload data;
the data inspection module 200 performs duplicate data detection and user ownership verification on data uploaded by an external user;
the cloud server computing module 300 performs the permission authentication and the computation required when an external user views data in the database;
the data storage module 400 comprises a database and a storage medium; the structure is shown in fig. 1.
The data input module 100 lets an external user upload data by himself. When the external user wants to put a copy of data into the database of the data storage module 400, a duplicate data detection protocol must first be run with the data inspection module 200, and the protocol has two possible outcomes;
when the duplicate detection finds that the data already exists in the database, the upload is cancelled;
when the duplicate detection finds that the data does not exist in the database, the file data is uploaded.
After running duplicate detection and finding that the data does not exist in the database, the data inspection module 200 checks the authorization period of the uploaded file;
when the uploaded file is within its authorization period, the cloud server computing module 300 operates normally;
when the uploaded file is not within its authorization period, the cloud server computing module 300 runs the deterministic deletion protocol and rejects the file to be uploaded; the structure is shown in fig. 2. When user U1 wants to upload a file to the cloud, the duplicate data detection protocol is first run between U1 and the cloud server, with two possible results: the file already exists in the cloud server, or it does not.
If the file already exists in the cloud server, the user ownership verification protocol is run between U1 and the trusted third party. If U1 passes the ownership verification protocol, U1 is a legitimate user and may access the cloud data. If U1 does not pass it, U1 is an illegitimate user and may not access the cloud data.
If the file does not exist in the cloud server, U1 is the initial uploader and encrypts and uploads the sampled file fragments. While the file is within its authorization period, the user uses the cloud storage service normally. When the authorization period ends, the trusted third party executes the deterministic data deletion protocol to delete the sampled data.
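The flow just described (duplicate detection by file hash, sampled-fragment encryption by the first uploader, challenge/response ownership verification by the trusted third party with a fresh random trust number r, refusal after the authorization period, and deterministic deletion of the sampled ciphertext) is shown below as an added example; it is not code from the patent or its applicant. The patent does not specify its ciphers or message formats, so the convergent key derivation, the SHA-256 block mask, the HMAC-based proof, the 32-byte block size and all names are this example's own assumptions. It exercises the cases the security analysis raises: a second holder of the same file passes, a holder of a different file fails, a captured (r, proof) pair cannot be replayed because r changes every run and each challenge is single-use, and challenges are refused after the authorization period or after deterministic deletion. detection_probability reproduces the page's sampling parameter (c = 1% of m, t = 460 blocks gives more than 99%).

```python
import hashlib
import hmac
import secrets

BLOCK = 32                     # bytes per data block; equals the SHA-256 digest length
_rng = secrets.SystemRandom()  # CSPRNG for sampled positions and challenge selection

def split_blocks(data):
    """Split a file into m fixed-size blocks, zero-padding the last one."""
    blocks = [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]
    if blocks and len(blocks[-1]) < BLOCK:
        blocks[-1] = blocks[-1].ljust(BLOCK, b"\0")
    return blocks

def detection_probability(m, c, t):
    """Q_D for t <= m: chance that t blocks drawn without replacement from m hit
    at least one of the c blocks in which the claimant's copy differs."""
    p_miss = 1.0
    for i in range(t):
        p_miss *= (m - c - i) / (m - i)
    return 1.0 - p_miss

def derive(label, data):
    # Convergent derivation from the plaintext (this example's assumption): b"key" gives the
    # block-encryption key every holder of the file can re-create, b"id" the dedup tag.
    return hashlib.sha256(label + b"|" + data).digest()

def encrypt_block(key, pos, block):
    """Mask one block with SHA-256(key || position): a toy stream cipher for the demo."""
    mask = hashlib.sha256(key + pos.to_bytes(8, "big")).digest()
    return bytes(a ^ b for a, b in zip(block, mask))

def proof_of_ownership(r, fid, pos_ct):
    """Proof = HMAC keyed by the fresh trust number r over the challenged ciphertexts."""
    msg = fid + b"".join(p.to_bytes(8, "big") + ct for p, ct in pos_ct)
    return hmac.new(r, msg, hashlib.sha256).digest()

class TrustedThirdParty:
    """Stores sampled ciphertexts with their positions; issues and checks challenges."""
    def __init__(self):
        self.samples = {}  # fid -> {position: sampled ciphertext}
        self.expiry = {}   # fid -> end of the authorization period (logical clock)
        self.pending = {}  # fid -> (challenged positions, trust number r)

    def register(self, fid, sampled, expires_at):
        self.samples[fid], self.expiry[fid] = dict(sampled), expires_at

    def challenge(self, fid, now, t=4):
        """Refused outside the authorization period or after deterministic deletion."""
        if fid not in self.samples or now > self.expiry[fid]:
            return None
        positions = sorted(_rng.sample(list(self.samples[fid]), min(t, len(self.samples[fid]))))
        r = secrets.token_bytes(16)  # fresh per run: a captured proof is useless later
        self.pending[fid] = (positions, r)
        return positions, r

    def verify(self, fid, r, proof):
        """Single-use: the open challenge is consumed whether or not the proof is valid."""
        open_ch = self.pending.pop(fid, None)
        if open_ch is None or not hmac.compare_digest(open_ch[1], r):
            return False
        expected = proof_of_ownership(r, fid, [(p, self.samples[fid][p]) for p in open_ch[0]])
        return hmac.compare_digest(expected, proof)

    def deterministic_delete(self, fid):
        for table in (self.samples, self.expiry, self.pending):
            table.pop(fid, None)

def first_upload(data, ttp, expires_at, sample_count=8):
    """Initial uploader: encrypt a random sample of blocks and hand it to the TTP."""
    key, blocks, fid = derive(b"key", data), split_blocks(data), derive(b"id", data)
    positions = _rng.sample(range(len(blocks)), min(sample_count, len(blocks)))
    ttp.register(fid, {p: encrypt_block(key, p, blocks[p]) for p in positions}, expires_at)
    return fid

def claimant_response(data, fid, challenge):
    """A later uploader answers by re-deriving the challenged ciphertexts from its copy."""
    positions, r = challenge
    key, blocks = derive(b"key", data), split_blocks(data)
    return proof_of_ownership(r, fid, [(p, encrypt_block(key, p, blocks[p])) for p in positions])

def run_protocol():
    """Drive the protocol through the cases the page's security analysis discusses."""
    ttp = TrustedThirdParty()
    original = bytes(range(256)) * 8             # constructed 2 KiB sample file: 64 blocks
    impostor = bytes(255 - b for b in original)  # every block differs from the original
    fid = first_upload(original, ttp, expires_at=100)
    out = {}
    ch = ttp.challenge(fid, now=10)
    proof = claimant_response(original, fid, ch)
    out["owner"] = ttp.verify(fid, ch[1], proof)
    ch2 = ttp.challenge(fid, now=10)
    out["impostor"] = ttp.verify(fid, ch2[1], claimant_response(impostor, fid, ch2))
    ttp.challenge(fid, now=10)
    out["replay"] = ttp.verify(fid, ch[1], proof)  # captured (r, proof) replayed
    out["expired"] = ttp.challenge(fid, now=101)
    ttp.deterministic_delete(fid)
    out["deleted"] = ttp.challenge(fid, now=10)
    return out
```

Two caveats a practitioner should keep in mind with this construction. A convergent key is derivable by anyone who can guess the plaintext, so low-entropy files are exposed to offline guessing by the cloud server; and the trusted third party only ever holds the sampled positions and ciphertexts, so the challenge can only draw from those, which is why the sample size and the 1%/460-block argument matter: a copy that differs in fewer than 1% of blocks can pass with the same t.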
The cloud server computing module 300 comprises a client, a cloud server, a trusted third party and an authorization center;
the client handles user management, deduplication processing and visualization processing; the cloud server handles partial decryption processing and file management; the trusted third party handles ownership certification, partial decryption processing and data deletion processing; the authorization center handles user management and key management.
The client module serves data owners and users. A data owner uses the file's hash value to run duplicate data detection with the cloud server, interacts with the trusted third party to run the user ownership proof protocol, and performs the sampled-fragment encryption and upload of the file as well as file decryption.
The client module consists of four sub-modules: a visualization module, a deduplication module, a user management module and a data deletion module. The user management module manages user information and implements three functions: user registration, information modification and user login. A user registers his own account, and on successful registration a record is added to the database table. The deduplication module generates the data needed for file deduplication, namely the information used in the duplicate data detection and user usage-right proof protocols: it first performs the duplicate data detection work, which includes uploading the file hash value, sampled-fragment encryption and upload of the file, and generation of the ownership challenge proof information. The visualization module consists of three modules: viewing files, uploading files and downloading decrypted files. The data deletion module consists of a clock module and an upload-deletion-instruction module.
The cloud server module actually comprises multiple storage devices and exposes a uniform cloud interface to the outside. In the design of the cloud server module, server deployment and similar issues are not considered; the focus is the implementation of functions. The cloud server module must implement three functions: duplicate data detection, storage of the remaining ciphertext, and partial decryption of the remaining ciphertext.
The cloud server module includes four modules: a user management module, a file deduplication module, a partial decryption module and a file management module. The user management module comprises an administrator login module and a user administration module; its main function is to let the administrator log into the system and manage user information according to the rules, including deleting the information of illegitimate users. The file deduplication module comprises a decision tree generation module, a retrieval tag module and a verification module; it builds a decision tree from the file hash values and performs the deduplication operations of the duplicate data detection protocol. The partial decryption module computes, from the transformation key, the transformed ciphertext of the remaining ciphertext held in the cloud server and returns it to the user. The file management module manages the ciphertext files and stores each ciphertext under its designated path.
The trusted third-party module is a trusted authority that implements four functions: storage of the sampled ciphertext, challenge and verification in the ownership verification protocol, partial decryption of the sampled ciphertext, and deletion of the sampled ciphertext. It mainly comprises four modules: a user management module, an ownership proof module, a partial decryption module and a data deletion module. The user management module lets an administrator log into the system. The ownership proof module generates the challenge data of the ownership proof protocol and verifies the returned proof information. The partial decryption module computes, from the transformation key, the transformed ciphertext of the sampled ciphertext held by the trusted third party and returns it to the user. The data deletion module deletes the stored sampled ciphertext information on receipt of a deletion instruction.
The main task of the authorization center module is key generation for the system. It comprises two modules: a user management module and a key management module. The user management module lets an administrator log into the system. The key management module has two parts: it generates an encryption key for a user who uploads a file and a decryption key for an ordinary user.
The trusted third party is used for ownership certification. Suppose the file to be verified has m data blocks, the file held by the user differs from the source file in c of those blocks, and the trusted third party requires t blocks to be verified. Let D be the number of inconsistent blocks among the randomly drawn blocks, and define Q_D as the probability that at least one of the t verified blocks differs, i.e. the verification success probability, computed as
Figure BDA0003994942290000071
And wherein
Figure BDA0003994942290000072
Where i is the ith data block of the m data blocks.
The verification success probability is finally calculated as
Figure BDA0003994942290000073
As the equation shows, when c is 1% of m, t = 460 reaches the target of a detection probability above 99%. That is, when the file being checked differs from the database file in more than 1% of its data blocks, drawing 460 data blocks for checking gives a detection success probability above 99%.
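The derivation below is added here and is not the patent's own equation (the formula images referenced above do not survive on this page, and the same passage is restated in claims 6 and 7). It uses the page's symbols m, c, t, D and Q_D and assumes the standard sampling argument of proof-of-ownership and provable-data-possession schemes: the t blocks are drawn uniformly without replacement, and D counts those that land on the c blocks in which the user's copy differs from the source file.

$$Q_D = \Pr[D \ge 1] = 1 - \Pr[D = 0] = 1 - \prod_{i=0}^{t-1} \frac{m - c - i}{m - i}$$

Every factor in the product is at most $1 - c/m$, so

$$Q_D \;\ge\; 1 - \left(1 - \frac{c}{m}\right)^{t},$$

a bound that depends only on the fraction $c/m$ and not on the file size $m$. With $c/m = 0.01$ and $t = 460$:

$$(0.99)^{460} = e^{460 \ln 0.99} \approx e^{-4.62} \approx 0.0098, \qquad Q_D \;\ge\; 1 - 0.0098 \approx 0.990,$$

which is the page's "more than 99%" figure. The bound is a guarantee only against a copy that differs in at least 1% of the blocks; a claimant whose copy differs in fewer blocks is caught with correspondingly lower probability at the same $t$, so the threshold fraction has to be chosen against the smallest difference the system must detect.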
Example 2
Referring to fig. 3, a second embodiment of the invention provides a data security management system that uses the method for open sharing of scientific data described in embodiment 1, which includes
Figure BDA0003994942290000081
Figure BDA0003994942290000091
A company built a concrete practical model based on the data security management system for open sharing of scientific data, as shown in fig. 3, and compared it experimentally with a traditional security management system.
TABLE 1 Comparison of data upload time (5 experiments with different upload sizes: 10 KB, 30 KB, 100 KB, 500 KB and 1 GB)
Figure BDA0003994942290000092
TABLE 2 Comparison of data security accuracy (5 experiments with different upload sizes: 10 KB, 30 KB, 100 KB, 500 KB and 1 GB)
Figure BDA0003994942290000093
Compared with the traditional method, the method of the invention markedly improves encoding speed, reduces monitoring time and saves labor cost; it also ensures that the authentication result is completely correct, which reduces the error rate and facilitates authentication management.
It should be noted that the above embodiments only illustrate the technical solutions of the invention and do not limit them. Although the invention has been described in detail with reference to preferred embodiments, those skilled in the art should understand that modifications or equivalent substitutions may be made to the technical solutions of the invention without departing from their spirit and scope, and that such modifications are covered by the claims of the invention.

Claims (10)

1. A data security management system in scientific data open sharing, characterized in that: the system comprises a data input module (100), a data inspection module (200), a cloud server computing module (300) and a data storage module (400);
the data input module (100) is used by an external user to upload data;
the data inspection module (200) performs duplicate data detection and user ownership verification on data uploaded by an external user;
the cloud server computing module (300) performs the permission authentication and the computation required when an external user views data in the database;
the data storage module (400) comprises a database and a storage medium.
2. The system for data security management in scientific data open sharing according to claim 1, characterized in that: the data input module (100) lets an external user upload data by himself; when the external user wants to put a piece of data into the database of the data storage module (400), a duplicate data detection protocol must first be run with the data inspection module (200), and the protocol has two possible outcomes;
when the duplicate detection finds that the data already exists in the database, the upload is cancelled;
when the duplicate detection finds that the data does not exist in the database, the file data is uploaded.
3. The system for data security management in scientific data open sharing according to claim 2, characterized in that: after the data inspection module (200) has run duplicate detection and found that the data is not in the database, it checks the authorization period of the uploaded file;
when the uploaded file is within its authorization period, the cloud server computing module (300) operates normally;
when the uploaded file is not within its authorization period, the cloud server computing module (300) runs the deterministic deletion protocol and rejects the file to be uploaded.
4. The system for data security management in scientific data open sharing according to claim 3, characterized in that: the cloud server computing module (300) comprises a client, a cloud server, a trusted third party and an authorization center;
the client handles user management, deduplication processing and visualization processing;
the cloud server handles partial decryption processing and file management;
the trusted third party handles ownership certification, partial decryption processing and data deletion processing;
the authorization center handles user management and key management.
5. The system for data security management in scientific data open sharing according to any one of claims 1, 2 and 4, characterized in that: the user management of the client manages user registration information, modifies information and performs user login;
the deduplication processing is responsible for deleting duplicate files and checking the duplication rate of files in the database;
the visualization processing refers to viewing files, uploading files and downloading decrypted files.
6. The system for data security management in scientific data open sharing according to claim 5, characterized in that: the trusted third party is used for ownership certification; suppose the file to be verified has m data blocks, the file held by the user differs from the source file in c of those blocks, and the trusted third party requires t blocks to be verified; D is the number of inconsistent blocks among the randomly drawn blocks, and Q_D is defined as the probability that at least one of the t verified blocks differs, i.e. the verification success probability, computed as
Figure FDA0003994942280000021
And wherein
Figure FDA0003994942280000022
Where i is the ith data block of the m data blocks.
7. The system for data security management in scientific data open sharing according to claim 6, characterized in that: the verification success probability is finally calculated as
Figure FDA0003994942280000023
As the equation shows, when c is 1% of m, t = 460 reaches the target of a detection probability above 99%. That is, when the file being checked differs from the database file in more than 1% of its data blocks, drawing 460 data blocks for checking gives a detection success probability above 99%.
8. The system for data security management in scientific data open sharing according to claim 6 or 7, characterized in that: the authorization center of the cloud server computing module (300) also performs a security analysis covering both internal attacks and external attacks on the system.
9. The system for data security management in scientific data open sharing according to claim 8, characterized in that: in the analysis of internal attacks, the data security management system in scientific data open sharing uses the CP-ABE (ciphertext-policy attribute-based encryption) algorithm, so that the identity under which a user logs in corresponds to the user's attributes; the user cannot change his attributes during decryption, and can obtain the key only by following the reconstruction property of the secret-sharing scheme while decrypting the ciphertext, which ensures that only a user whose attributes are unchanged and fully satisfy the system's requirements can perform the ciphertext transformation and reduces the possibility of attack.
10. The system for data security management in scientific data open sharing according to any one of claims 1, 2, 4, 6, 7 and 9, characterized in that: the analysis of external attacks concerns the verification of user ownership by the data security management system in scientific data open sharing; in each verification run the trusted third party generates a fresh random trust number r, so the returned values differ every time, and even if an attacker obtains a returned key value he cannot pass ownership verification without the trusted third party's random trust number r;
the data storage module (400) updates the database content in real time and stores user login logs, user browsing records, user upload records, user session (stay) records and user key records, and performs an overwriting update once a month.
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211600414.9A 2022-12-12 2022-12-12 Data security management system in scientific data open sharing

Publications (1)

Publication Number Publication Date
CN115857815A 2023-03-28

Family ID: 85672583

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination