CN116055105A - Cloud storage data processing method, device and server - Google Patents

Cloud storage data processing method, device and server Download PDF

Info

Publication number
CN116055105A
CN116055105A CN202211580994.XA CN202211580994A CN116055105A CN 116055105 A CN116055105 A CN 116055105A CN 202211580994 A CN202211580994 A CN 202211580994A CN 116055105 A CN116055105 A CN 116055105A
Authority
CN
China
Prior art keywords
target file
ciphertext data
target
data
ciphertext
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202211580994.XA
Other languages
Chinese (zh)
Inventor
刁培金
仇欣欣
赵翠
甘宇
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
China Citic Bank Corp Ltd
Original Assignee
China Citic Bank Corp Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by China Citic Bank Corp Ltd filed Critical China Citic Bank Corp Ltd
Priority to CN202211580994.XA priority Critical patent/CN116055105A/en
Publication of CN116055105A publication Critical patent/CN116055105A/en
Pending legal-status Critical Current

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/04Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0442Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply asymmetric encryption, i.e. different keys for encryption and decryption
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0807Network architectures or network communication protocols for network security for authentication of entities using tickets, e.g. Kerberos
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/12Applying verification of the received information
    • H04L63/126Applying verification of the received information the source of the received data
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/06Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
    • H04L9/0643Hash functions, e.g. MD5, SHA, HMAC or f9 MAC
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0894Escrow, recovery or storing of secret information, e.g. secret key escrow or cryptographic key storage
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3236Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
    • H04L9/3249Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures using RSA or related signature schemes, e.g. Rabin scheme

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Power Engineering (AREA)
  • Storage Device Security (AREA)

Abstract

The specification provides a cloud storage data processing method, device and server. Based on the method, firstly, sampling and confusion processing can be carried out on ciphertext data of an encrypted target file according to a preset sampling and confusion rule to obtain mixed ciphertext data and sampling ciphertext data of the target file; and uploading the mixed ciphertext data to a first cloud server for cloud storage, and storing the rest of the sampled ciphertext data into a private database based on block chains, which is only authorized to be accessed by the first user terminal or the user terminal with the authentication credentials, so that the data security of the target file held by the first user can be effectively protected, and the target file held by the first user is prevented from being leaked to the first cloud server or other third parties.

Description

Cloud storage data processing method, device and server
Technical Field
The specification belongs to the technical field of cloud storage, and particularly relates to a cloud storage data processing method, device and server.
Background
With the rising and developing of cloud storage technology, more and more users start to get used to upload and store data files held by themselves in the cloud.
However, based on the existing method, the cloud end usually stores ciphertext data of the complete data file of the user, which may pose a risk to the data security of the user. For example, when the user does not want to continue to store a certain data file in the cloud, the user cannot ensure whether the cloud actually deletes the ciphertext data of the data file, and the cloud or other third parties may decrypt the ciphertext data of the data file in a cracking manner, so that the data file of the user is leaked.
In view of the above problems, no effective solution has been proposed at present.
Disclosure of Invention
The specification provides a processing method, a processing device and a processing server for cloud storage data, which can effectively protect the data security of a target file held by a first user and avoid leakage of the target file held by the first user to the first cloud server or other third parties.
The specification provides a processing method of cloud storage data, which is applied to a first user terminal and comprises the following steps:
encrypting the target file according to a preset encryption rule to obtain ciphertext data of the target file, and generating a related target head ciphertext;
processing ciphertext data of the target file according to a preset sampling confusion rule to obtain mixed ciphertext data and sampling ciphertext data of the target file;
Uploading the confused ciphertext data of the target file to a first cloud server; the first cloud server stores the mixed ciphertext data of the target file and feeds back a first target storage address of the mixed ciphertext data of the target file;
storing the sampled ciphertext data of the target file into a private database based on a blockchain; wherein the private database is arranged to support access by the first user terminal or a user terminal holding an authentication token;
issuing the associated information of the target file on a block chain; wherein, the association information of the target file at least comprises: identification information of the target file, target header ciphertext, and a first target storage address.
In one embodiment, encrypting the target file according to a preset encryption rule to obtain ciphertext data of the target file and generating a related target header ciphertext includes:
carrying out hash calculation on the target file to obtain a target hash value; encrypting the target file by using the target hash value to obtain ciphertext data of the target file;
signing the target hash value by using the first encryption private key to obtain target signature data; and encrypting the target signature data and the target hash value by using the first attribute public key to obtain the target head ciphertext.
In one embodiment, the method further comprises:
generating a first attribute public key and a first attribute master private key of a first user according to a preset attribute encryption algorithm and a preset access strategy;
generating a first encryption private key by using the first attribute main private key and the attribute set of the first user;
a first attribute public key of a first user is published on a blockchain.
In one embodiment, before generating the first attribute public key and the first attribute master private key of the first user according to the preset attribute encryption algorithm and the preset access policy, the method further comprises:
sending a registration request to a system attribute authorization module; the system attribute authorization module configures an attribute set of the first user according to the user information of the first user and generates an identity verification code corresponding to the first user;
and receiving the attribute set and the authentication code of the first user fed back by the attribute authorization module of the system.
In one embodiment, processing ciphertext data of a target file according to a preset sampling confusion rule to obtain mixed ciphertext data and sampling ciphertext data of the target file includes:
Dividing ciphertext data of the target file into a plurality of ciphertext data sets according to a preset sampling confusion rule;
determining the random position of each ciphertext data set in the plurality of ciphertext data sets; recording the random position of each ciphertext data group to obtain a position tuple;
extracting data values at random positions of all ciphertext data sets to obtain data tuples; replacing the data value at the random position of each ciphertext data set with a corresponding random parameter value to obtain a plurality of processed ciphertext data sets;
combining the plurality of processed ciphertext data sets to obtain mixed ciphertext data of the target file; and combining the position tuple and the data tuple to obtain the sampling ciphertext data of the target file.
In one embodiment, determining a random position for each of a plurality of ciphertext data sets comprises:
the random position of the current ciphertext data set of the plurality of ciphertext data sets is determined as follows:
determining a random number range for the current ciphertext data set according to the character length of the current ciphertext data set;
generating a random number according to the random number range; and determining the character bit indicated by the random number in the current ciphertext data set as the random position of the current ciphertext data set.
In one embodiment, replacing the data values at random locations of each ciphertext data set with corresponding random parameter values comprises:
the data values at the random locations of the current ciphertext data set are replaced with corresponding random parameter values in the following manner:
randomly screening a preset data value from a plurality of preset data values to be used as a random parameter value corresponding to the random position of the current ciphertext data set; and replaces the data value at the random position of the current ciphertext data set with the random parameter value.
In one embodiment, after storing the sampled ciphertext data of the target file into the blockchain-based private database, the method further comprises:
responding to the triggering operation of the first user, and generating a target migration request about a target file;
sending the target migration request to an intelligent contract; the target migration request carries mixed ciphertext data of the target file based on a first target storage address of a first cloud server and a server identification of a second cloud server to be migrated; the intelligent contract responds to the target migration request, cooperates with the first cloud server and the second cloud server according to a preset migration rule, and migrates the confused ciphertext data of the target file from the first cloud server to the second cloud server for storage;
And receiving a second target storage address of the confused ciphertext data for the target file fed back by the second cloud server.
The specification also provides a processing method of cloud storage data, which is applied to a second user terminal and comprises the following steps:
querying a block chain to obtain a first target storage address and a target head ciphertext of a target file;
according to the first target storage address, obtaining mixed ciphertext data of the target file through downloading by a first cloud server;
sending a target download request about a target file to the intelligent contract; the intelligent combination feeds back an authentication token to the second user terminal under the condition that the attribute set of the second user is determined to be matched with a preset access strategy;
accessing a private database based on a block chain by using an authentication token to obtain sampling ciphertext data of a target file;
combining the mixed ciphertext data of the target file with the sampling ciphertext data to obtain ciphertext data of the target file;
and decrypting the ciphertext data of the target file to obtain the target file.
In one embodiment, combining the obfuscated ciphertext data and the sampled ciphertext data of the target file to obtain ciphertext data of the target file includes:
Acquiring a preset sampling confusion rule about a target file;
and combining the mixed ciphertext data of the target file with the sampling ciphertext data according to a preset sampling confusion rule to obtain the ciphertext data of the target file.
In one embodiment, the decrypting the ciphertext data of the target file to obtain the target file includes:
generating a second decryption private key according to a preset attribute encryption algorithm and an attribute set of a second user;
decrypting the target head ciphertext by using the second decryption private key to obtain a target hash value and target signature data;
and decrypting ciphertext data of the target file by using the target hash value to obtain the target file.
In one embodiment, after obtaining the target hash value and the target signature data, the method further comprises:
querying a blockchain to acquire a first attribute public key of a first user;
and checking whether the data source of the target file is the first user according to the first attribute public key, the target signature data and the target hash value.
In one embodiment, after obtaining the target file, the method further comprises:
carrying out hash calculation on the target file to obtain a check hash value;
and checking whether the target file is complete or not according to the check hash value and the target hash value.
The specification also provides a processing device of cloud storage data, which is applied to a first user terminal and comprises:
the encryption module is used for encrypting the target file according to a preset encryption rule to obtain ciphertext data of the target file and generating a related target header ciphertext;
the sampling confusion module is used for processing ciphertext data of the target file according to a preset sampling confusion rule to obtain mixed ciphertext data and sampling ciphertext data of the target file;
the uploading module is used for uploading the confused ciphertext data of the target file to the first cloud server; the first cloud server stores the mixed ciphertext data of the target file and feeds back a first target storage address of the mixed ciphertext data of the target file;
the storage module is used for storing the sampling ciphertext data of the target file into a private database based on a block chain; wherein the private database is arranged to support access by the first user terminal or a user terminal holding an authentication token;
the issuing module is used for issuing the associated information of the target file on the blockchain; wherein, the association information of the target file at least comprises: identification information of the target file, target header ciphertext, and a first target storage address.
The specification also provides a processing device of cloud storage data, which is applied to a second user terminal and comprises:
the query module is used for querying the block chain and acquiring a first target storage address and a target head ciphertext of the target file;
the downloading module is used for downloading the mixed ciphertext data of the target file through the first cloud server according to the first target storage address;
a transmitting module for transmitting a target download request about a target file to the smart contract; the intelligent combination feeds back an authentication token to the second user terminal under the condition that the attribute set of the second user is determined to be matched with a preset access strategy;
the acquisition module is used for accessing the private database based on the blockchain by using the authentication token so as to acquire the sampling ciphertext data of the target file;
the combination module is used for combining the mixed ciphertext data of the target file with the sampling ciphertext data to obtain ciphertext data of the target file;
and the decryption module is used for decrypting the ciphertext data of the target file to obtain the target file.
The specification also provides a server comprising a processor and a memory for storing processor executable instructions, the processor implementing the steps of the cloud storage data processing method when executing the instructions.
The present specification also provides a computer storage medium having stored thereon computer instructions which, when executed by a processor, implement the steps of the method of processing cloud storage data.
The present specification also provides a computer program product comprising a computer program which, when executed by a processor, implements the steps of the cloud storage data processing method.
Based on the cloud storage data processing method, device and server provided by the specification, when a first user uses a first user terminal to upload a target file to a first server for cloud storage, the first user can encrypt the target file according to a preset encryption rule to obtain ciphertext data of the target file and generate a related target header ciphertext; sampling and mixing the ciphertext data of the target file according to a preset sampling and mixing rule to obtain mixed ciphertext data and sampling ciphertext data of the target file; then, the confused ciphertext data of the target file is independently uploaded to a first cloud server for cloud storage; the first cloud server stores the mixed ciphertext data of the target file and feeds back a first target storage address of the mixed ciphertext data of the target file; the first user terminal additionally stores the sampling ciphertext data of the target file into a private database based on a blockchain; wherein the private database is arranged to support access by the first user terminal or a user terminal holding an authentication token; finally, the first user terminal issues the associated information of the target file on a block chain; wherein, the association information of the target file at least comprises: identification information of the target file, target header ciphertext, and a first target storage address. Firstly, sampling and confusion processing is carried out on ciphertext data of a target file according to a preset sampling and confusion rule, so that mixed ciphertext data and sampling ciphertext data of the target file are obtained; and uploading the mixed ciphertext data to a first cloud server for cloud storage, and storing the rest of the sampled ciphertext data into a private database which is only authorized to be accessed by the first user terminal or a user terminal with authentication credentials and is based on blockchain, so that the data security of the target file held by the first user can be effectively protected, the target file held by the first user is prevented from being leaked to the first cloud server or other third parties, the first user can effectively exercise the forgetting right of the first user for the target file, and the first cloud server cannot obtain the real and complete target file even if the mixed ciphertext data of the target file which is responsible for being stored is broken.
Drawings
In order to more clearly illustrate the embodiments of the present disclosure, the drawings that are required for the embodiments will be briefly described below, and the drawings described below are only some embodiments described in the present disclosure, and other drawings may be obtained according to these drawings without inventive effort for a person of ordinary skill in the art.
Fig. 1 is a flow chart of a method for processing cloud storage data according to an embodiment of the present disclosure;
FIG. 2 is a schematic diagram of one embodiment of a method for processing cloud storage data provided by embodiments of the present disclosure, in one example scenario;
FIG. 3 is a schematic diagram of one embodiment of a method for processing cloud storage data provided by embodiments of the present disclosure, in one example scenario;
FIG. 4 is a schematic diagram of one embodiment of a method for processing cloud storage data provided by embodiments of the present disclosure, in one example scenario;
FIG. 5 is a schematic diagram of one embodiment of a method for processing cloud storage data provided by embodiments of the present disclosure, in one example scenario;
fig. 6 is a flow chart of a method for processing cloud storage data according to another embodiment of the present disclosure;
FIG. 7 is a schematic diagram of the structural composition of a server according to one embodiment of the present disclosure;
fig. 8 is a schematic structural diagram of a processing device for cloud storage data according to an embodiment of the present disclosure;
fig. 9 is a schematic structural diagram of a processing device for cloud storage data according to another embodiment of the present disclosure.
Detailed Description
In order to make the technical solutions in the present specification better understood by those skilled in the art, the technical solutions in the embodiments of the present specification will be clearly and completely described below with reference to the drawings in the embodiments of the present specification, and it is obvious that the described embodiments are only some embodiments of the present specification, not all embodiments. All other embodiments, which can be made by one of ordinary skill in the art without undue burden from the present disclosure, are intended to be within the scope of the present disclosure.
Referring to fig. 1, an embodiment of the present disclosure provides a method for processing cloud storage data, where the method is specifically applied to a first user terminal side. In particular implementations, the method may include the following:
s101: encrypting the target file according to a preset encryption rule to obtain ciphertext data of the target file, and generating a related target head ciphertext;
S102: processing ciphertext data of the target file according to a preset sampling confusion rule to obtain mixed ciphertext data and sampling ciphertext data of the target file;
s103: uploading the confused ciphertext data of the target file to a first cloud server; the first cloud server stores the mixed ciphertext data of the target file and feeds back a first target storage address of the mixed ciphertext data of the target file;
s104: storing the sampled ciphertext data of the target file into a private database based on a blockchain; wherein the private database is arranged to support access by the first user terminal or a user terminal holding an authentication token;
s105: issuing the associated information of the target file on a block chain; wherein, the association information of the target file at least comprises: identification information of the target file, target header ciphertext, and a first target storage address.
In some embodiments, the above-mentioned method for processing cloud storage data may be specifically applied to a first user terminal side, where a first user (e.g., DO) holds the first user terminal. The first user may be specifically understood as a user who has a need for cloud storage of data files. The target file may be specifically understood as a data file to be stored in a cloud, which is held by the first user.
The first user terminal may specifically include a front end applied to a user side and capable of implementing functions such as data acquisition and data transmission. Specifically, the first user terminal may be, for example, an electronic device such as a desktop computer, a tablet computer, a notebook computer, a smart phone, etc. Alternatively, the first user terminal may be a software application capable of running in the electronic device. For example, it may be some cloud service APP running on a smart phone, etc.
In specific implementation, the target file may specifically include at least one of the following: resource data of the first user (e.g., asset data), image data of the first user (e.g., self-timer video), text data of the first user (e.g., paper report), identity information data of the first user, and so forth.
Specifically, referring to fig. 2, the first user currently wants to upload, through the first user terminal and in combination with the blockchain technology, the held target file to the first cloud service for cloud storage. Based on the method provided by the specification, a first user can use a first user terminal to sample and mix ciphertext data of a target file according to a preset sampling and mixing rule to obtain mixed ciphertext data of the target file and sampled ciphertext data of the target file; and storing the mixed ciphertext data of the target file in a cloud database through the first cloud server, and storing the sampled ciphertext number of the target file in a private database based on a blockchain through the first user terminal so as to finish cloud storage of the target file.
The first cloud server may specifically include a background server applied to a cloud storage service platform (for example, XY cloud, etc.) or a cloud storage service provider (CSP) side, and capable of implementing functions such as data transmission and data processing. Specifically, the first cloud server may be, for example, an electronic device having a data operation, a storage function, and a network interaction function. Alternatively, the first cloud server may be a software program running in the electronic device, which provides support for data processing, storage, and network interaction. In the present embodiment, the number of servers included in the first cloud server is not particularly limited. The first cloud server may be one server, or may be several servers, or a server cluster formed by several servers.
In some embodiments, during implementation, a first user terminal firstly receives and responds to an uploading operation initiated by a first user to obtain a target file; encrypting the target file (e.g. may be marked as M) according to a preset encryption rule to obtain ciphertext data (e.g. may be marked as E) of the target file h (M)) and generates a target header ciphertext (e.g., may be referred to as a Head) associated with ciphertext data of the target file.
In some embodiments, the encrypting the target file according to the preset encryption rule to obtain ciphertext data of the target file and generate a related target header ciphertext may include the following when implemented:
s1: carrying out hash calculation on the target file to obtain a target hash value; encrypting the target file by using the target hash value to obtain ciphertext data of the target file;
s2: signing the target hash value by using the first encryption private key to obtain target signature data; and encrypting the target signature data and the target hash value by using the first attribute public key to obtain the target head ciphertext.
Specifically, a hash function may be used to perform hash calculation on the target file, and a hash value (for example, may be denoted as h) of a specified length may be obtained as the target hash value. Further, the target hash value may be used as an encryption key to encrypt the target file, thereby obtaining ciphertext data of the target file.
In particular, a first encryption private key held by a first user and not disclosed to the outside may be utilized (e.g., may be noted as SK A ) Signing the target hash value to obtain corresponding target signature data (e.g., may be noted as sign h ) The method comprises the steps of carrying out a first treatment on the surface of the Combining the target signature data and the target hash value to obtain combined data; and uses the public key of the first attribute of the external disclosure (for example, can be recorded as PK A ) And encrypting the combined data to obtain the corresponding target head ciphertext.
In some embodiments, prior to implementation, the first user terminal may first initiate a process to generate the required first attribute public key, first attribute master private key (e.g., may be denoted MK A ) Key data such as a first encryption private key.
Specifically, when the method is implemented, the method may further include the following:
s1: generating a first attribute public key and a first attribute master private key of a first user according to a preset attribute encryption algorithm and a preset access strategy;
s2: generating a first encryption private key by using the first attribute main private key and the attribute set of the first user;
s3: a first attribute public key of a first user is published on a blockchain.
Wherein, the above-mentioned Attribute Encryption Algorithm (ABE), which may also be referred to as Attribute-Based Encryption, or Attribute-Based Encryption, based on which data may be encrypted according to the Attribute of the encrypted user; and the identity of the user attempting to decrypt is not required to be concerned during decryption, and only the user with the attribute meeting the requirements of the related attribute can successfully decrypt, so that the confidentiality of encrypted data is ensured.
In addition, the user key in the ABE is related to a random polynomial or a random number, and keys of different users cannot be combined, so that collusion attack of the users can be effectively prevented. Therefore, the security of the encrypted data can be further improved by adopting the attribute encryption algorithm, and the security of the data file of the user is better protected.
The Block Chain (Block Chain) may refer to a completely new decentralized distributed computing paradigm that uses an encrypted Chain Block structure to verify and store data, and based on a distributed node consensus algorithm to generate and update data, and uses smart contracts (an automation script) to program and manipulate data. Firstly, establishing trust relationship among nodes by adopting a cryptography method instead of a central mechanism by a blockchain so as to form a decentralised distributed architecture; secondly, the blockchain resists external attack by means of strong computing power formed by consensus algorithms such as workload proof of nodes of a distributed system, and the information can be tampered only by breaking through more than 51% of nodes, so that the cost of tampered information becomes extremely high in a large-enough blockchain system, and the non-tamperable and non-falsifiable blockchain data are ensured. The characteristics of a decentralization mechanism, ultrahigh reliability, non-falsification of block data and the like of the block chain technology are very suitable for high security protection of data by applying a cloud storage environment.
The blockchain used in this specification may specifically be a Fabric-based alliance blockchain.
In some embodiments, the preset attribute encryption algorithm may specifically include an attribute encryption algorithm (Ciphertext Policy Attribute Based Encryption, CP-ABE) of a ciphertext policy. Based on the CP-ABE, the ciphertext can be combined with the access policy, and the key can be combined with the user attribute by utilizing a ciphertext access control mechanism. Specifically, based on CP-ABE, the data file holder may formulate a specific access control policy (for example, a preset access policy may be denoted as T) in the encryption stage, and other users need to access the data file based on their own attributes under the condition that the related access control policy is satisfied.
In addition, the preset attribute encryption algorithm may further include an attribute encryption algorithm (Key Policy Attribute Based Encryption, KP-ABE) of a key policy, and based on KP-ABE, a ciphertext may be combined with the attribute and a key may be combined with the access policy by using a key access control mechanism.
In a cloud storage scene, considering that the CP-ABE can realize access control more effectively and conveniently relatively according to scene characteristics and processing requirements, the CP-ABE is mainly selected to be used as a preset attribute encryption algorithm for specific data processing in the specification.
In implementation, a first attribute public key and a first attribute master private key for a first user can be generated according to a preset attribute encryption algorithm and a preset access policy. The preset access policy may be specifically configured by the first user through the first user terminal. The first attribute master private key and the first user' S set of attributes (e.g., which may be denoted S) may then be utilized to generate a corresponding transaction encryption private key. The first encryption private key is key data which is not disclosed to the outside for a first user; according to the situation, the first user terminal can issue the first attribute public key on the blockchain for other users to inquire.
In some embodiments, before generating the first attribute public key and the first attribute master private key of the first user according to the preset attribute encryption algorithm and the preset access policy, the method may further include, when implemented, the following:
s1: sending a registration request to a system attribute authorization module; the system attribute authorization module configures an attribute set of the first user according to the user information of the first user and generates an identity verification code corresponding to the first user;
S2: and receiving the attribute set and the authentication code of the first user fed back by the attribute authorization module of the system.
The system attribute authorization module may be referred to as a system attribute authorization mechanism (may beDenoted CA), in particular may be used to generate public parameters, e.g. a system public key PK c And the full attribute set U of the system, and publishes the data on the blockchain, so as to facilitate the subsequent verification of whether the user has the right to access the data.
In the implementation, whenever a user hopes to use the cloud storage service, the corresponding user terminal can be used to submit registration information containing user information by sending a registration request to the CA. Accordingly, the CA may perform attribute authorization on the first user by using the above registration information, generate an attribute set for the user, and feed back an identity verification code (e.g., ID) corresponding to the user terminal. The identity verification code can be used for indicating the corresponding user.
In some embodiments, referring to fig. 3, the above-mentioned processing ciphertext data of the target file according to the preset sampling confusion rule, to obtain the mixed ciphertext data and the sampling ciphertext data of the target file, may include the following when implemented:
S1: dividing ciphertext data of the target file into a plurality of ciphertext data sets according to a preset sampling confusion rule;
s2: determining the random position of each ciphertext data set in the plurality of ciphertext data sets; recording the random position of each ciphertext data group to obtain a position tuple;
s3: extracting data values at random positions of all ciphertext data sets to obtain data tuples; replacing the data value at the random position of each ciphertext data set with a corresponding random parameter value to obtain a plurality of processed ciphertext data sets;
s4: combining the plurality of processed ciphertext data sets to obtain mixed ciphertext data of the target file; and combining the position tuple and the data tuple to obtain the sampling ciphertext data of the target file.
In some embodiments, determining the random position for each ciphertext data set of the plurality of ciphertext data sets may include: the random position of the current ciphertext data set of the plurality of ciphertext data sets is determined as follows: determining a random number range for the current ciphertext data set according to the character length of the current ciphertext data set; generating a random number according to the random number range; and determining the character bit indicated by the random number in the current ciphertext data set as the random position of the current ciphertext data set.
In some embodiments, the replacing the data value at the random position of each ciphertext data group with the corresponding random parameter value may include: the data values at the random locations of the current ciphertext data set are replaced with corresponding random parameter values in the following manner: randomly screening a preset data value from a plurality of preset data values to be used as a random parameter value corresponding to the random position of the current ciphertext data set; and replaces the data value at the random position of the current ciphertext data set with the random parameter value.
Specifically, for example, a random number may be introduced and used to sample and obfuscate ciphertext data of a target file according to a preset sampling obfuscation rule in the following manner:
s1: ciphertext data E of target file h (M) dividing into k groups to obtain k ciphertext data groups. In the specific division, one ciphertext data may be divided from every m bits in the ciphertext data of the target file.
S2: for each ciphertext data set, one or more random locations may be determined based on the sampling frequency. Specifically, for one ciphertext data set, n bits may be sampled.
For example, for one ciphertext data set, n integers pi may be randomly generated and the following random number range relationship is satisfied: pi is more than or equal to 0 and L (m), wherein L (m) is the character length of one ciphertext data set, and i=1, 2,3, … and n. In particular implementations, pi may be generated using a random number generator. The location indicated by the pi in the ciphertext data set may be determined as a random location of the ciphertext data set.
S3: for each ciphertext data set, the data value (e.g., bit data) at the pi-th position in the ciphertext data may be collected separately and stored in a data tuple EB; at the same time, a random number pi is also stored in the position tuple EP.
For example, after sampling any one ciphertext data group j as described above, the following data element combination position tuples may be obtained: ebj= (b 1, …, bi, …, bn), epj= (p 1, …, pi, …, pn). Where j=1, 2,3, …, k.
S4: while sampling the random position Pi in each ciphertext data set, the ciphertext data set may also be obfuscated by replacing the data value at the Pi position.
Specifically, when the pi position is replaced, a data value can be randomly selected from preset data values 0 and 1 to serve as a random parameter value, and the data value of the pi position is replaced by the random parameter value.
According to the mode, after sampling processing and confusion processing are respectively carried out on each ciphertext data set, a plurality of processed ciphertext data sets can be obtained; combining the plurality of processed ciphertext data groups to obtain mixed ciphertext data of the target file, which can be marked as E 2 (M)。
The ciphertext data obtained at this time is no longer ciphertext data of the actual target file, and even if the ciphertext data after confusion is decrypted by a cracking way, the actual target file cannot be obtained.
S5: the data tuples EB and the position tuples EP of a plurality of ciphertext data groups are combined according to the corresponding sequence, so that the sampled ciphertext data of the target file can be obtained and can be marked as E 1 (M)=(EB,EP)。
In some embodiments, the first user terminal may upload the obfuscated ciphertext data of the target file to the first cloud server.
In the implementation, the first user terminal may generate and send a storage request to the first cloud server, where the storage request at least carries mixed ciphertext data of the target file. Correspondingly, the first cloud server can receive and respond to the storage request, store the mixed ciphertext data of the target file in the cloud, and feed back a first target storage address of the mixed ciphertext data of the target file to the first user terminal. In addition, the first cloud server can write the record of the mixed ciphertext data of the received and stored target file into the blockchain, so that subsequent backtracking inquiry is facilitated.
Meanwhile, the first user terminal can store the sampled ciphertext data of the target file into a private database based on the blockchain. The private database is specifically understood to be a database that is based on a blockchain and is associated with a user. The private database may be arranged such that only user terminals held by the user, or user terminals holding authentication tokens, have access.
Then, the first user terminal can issue the association information with the target file on the blockchain, so that other users can download and acquire the target file in a satisfactory manner by acquiring and utilizing the association information on the blockchain.
The association information of the target file may at least include: identification information of the target file, target header ciphertext, a first target storage address, and the like. Further, the above-mentioned association information of the target file may further include a user identification of the first user holding the target file, summary content of the target file, and so on.
By the mode, the first user terminal can obtain mixed ciphertext data and sampling ciphertext data for the target file by sampling and mixing ciphertext data of the original real and complete target file; a real target file cannot be acquired based on only any one of the two pieces of data. Further, the first user terminal also splits and stores the two parts of data, and the confused ciphertext data with relatively large data quantity is stored in the cloud through the first cloud server; the sampled ciphertext data having a relatively small amount of data is stored separately in a blockchain-based private database. Therefore, the first cloud server or other third parties can be effectively prevented from acquiring the two parts of data simultaneously under the condition of no permission, and the data security of the target file can be effectively protected.
In some embodiments, referring to fig. 4 and 5, after storing the sampled ciphertext data of the target file in the blockchain-based private database, the method may further include, when implemented, the following:
s1: responding to the triggering operation of the first user, and generating a target migration request about a target file;
s2: sending the target migration request to an intelligent contract; the target migration request carries mixed ciphertext data of the target file based on a first target storage address of a first cloud server and a server identification of a second cloud server to be migrated; the intelligent contract responds to the target migration request, cooperates with the first cloud server and the second cloud server according to a preset migration rule, and migrates the confused ciphertext data of the target file from the first cloud server to the second cloud server for storage;
s3: and receiving a second target storage address of the confused ciphertext data for the target file fed back by the second cloud server.
In this embodiment, the current first user wants to migrate the obfuscated ciphertext data of the target file originally stored at the first cloud server to the second cloud server for storage. The second cloud server may be specifically understood as a cloud server of other cloud storage service platforms different from the cloud storage service platform corresponding to the first cloud server.
In implementation, referring to fig. 5, the first user terminal may generate the target migration request about the target file in response to a trigger operation initiated by the first user. The target migration request may specifically further carry data such as a server identifier (e.g., CSP 2) of the second cloud server to which the confused ciphertext data of the target file is to be migrated, where the confused ciphertext data of the target file is currently stored in the first target storage address of the first cloud server. Further, the target migration request may further carry an authentication code of the first user, where the authentication code is used to prove that the target file has permission to be migrated, where the ciphertext data is mixed up. In addition, the target migration request may further carry a server identifier (e.g., CSP 1) of the first cloud server.
The intelligent contract responds to the target migration request, cooperates with the first cloud server and the second cloud server according to a preset migration rule, and migrates the confused ciphertext data of the target file from the first cloud server to the second cloud server for storage, and when the intelligent contract is implemented, the intelligent contract can comprise the following contents: the intelligent contract receives and responds to the target migration request, generates a temporary symmetric encryption key (or called session key) according to a symmetric encryption algorithm, and sends the temporary symmetric encryption key to the first cloud server and the second cloud server respectively through a secure channel; the first cloud server and the second cloud server, upon receiving the temporary symmetric encryption key, may establish a secure connection according to a related protocol (e.g., SSL (Secure Socket Layer, secure socket layer) protocol); then, the first cloud server can encrypt the mixed ciphertext data of the target file by using the temporary symmetric encryption key to obtain the mixed ciphertext data of the encrypted target file, and then sends the mixed ciphertext data of the encrypted target file to the second cloud server through the secure connection to complete data migration.
After receiving the confused ciphertext data of the encrypted target file, the second cloud server can firstly attempt to decrypt by using the received temporary symmetric encryption key, and under the condition of successful decryption, the confused ciphertext data of the target file can be obtained; furthermore, the second cloud server can store the mixed ciphertext data of the target file, and can feed back a second target storage address of the mixed ciphertext data of the target file to the first user terminal; in addition, the first cloud server deletes the mixed ciphertext data of the stored target file according to the corresponding protocol rule, and sends the deleting information to the first user terminal.
Further, the first cloud server and/or the second cloud server may write the migration record of the obfuscated ciphertext data related to the target file and the data access record of the first user terminal into the blockchain for subsequent backtracking query.
The first user terminal may further issue the second target storage address to the blockchain after receiving the second target storage address, so as to update the storage address of the obfuscated ciphertext data about the target file on the blockchain.
After receiving the confused ciphertext data of the encrypted target file, the second cloud server can obtain the confused ciphertext data of the target file under the condition that decryption is failed by attempting to perform decryption processing by using the received temporary symmetric encryption key; further, the second cloud server may generate a retransmission instruction and send the retransmission instruction to the first cloud server; the first cloud server may respond to the retransmission instruction, and after confirming that the temporary symmetric encryption key is consistent with the second cloud server, re-use the temporary symmetric encryption key to encrypt the mixed ciphertext data of the target file, and re-send the mixed ciphertext data of the encrypted target file to the second cloud server.
Based on the mode, the confused ciphertext data of the target file to be transmitted is encrypted by the session key temporarily randomly generated by the intelligent contract and then transmitted, so that the confused ciphertext data of the target file is prevented from being easily leaked due to attack in the migration process. In addition, based on the mode, even if the mixed ciphertext data of the encrypted target file is intercepted and cracked by a third party in the migration process, the third party cannot acquire the real and complete target file because the transmitted ciphertext data of the target file is not real and complete, so that the data security in the migration process of the target file can be effectively protected.
Referring to fig. 6 and fig. 5, another method for processing cloud storage data is further provided in the embodiment of the present disclosure, and is applied to the second user terminal. The method can be implemented by the following steps:
s601: querying a block chain to obtain a first target storage address and a target head ciphertext of a target file;
s602: according to the first target storage address, obtaining mixed ciphertext data of the target file through downloading by a first cloud server;
s603: sending a target download request about a target file to the intelligent contract; the intelligent combination feeds back an authentication token to the second user terminal under the condition that the attribute set of the second user is determined to be matched with a preset access strategy;
s604: accessing a private database based on a block chain by using an authentication token to obtain sampling ciphertext data of a target file;
s605: combining the mixed ciphertext data of the target file with the sampling ciphertext data to obtain ciphertext data of the target file;
s606: and decrypting the ciphertext data of the target file to obtain the target file.
In some embodiments, referring to fig. 5, a second user (e.g., AU) holds a second user terminal. The second user hopes to download and acquire the target file held by the first user through the second user terminal.
The second user can obtain the associated information of the target file by querying the blockchain according to the identification information of the target file. And acquiring a first target storage address and a target head ciphertext of the target file according to the association information. Further, the user identification of the first user holding the target file can be obtained according to the association information.
Then, the second user can use the second user terminal to generate a corresponding downloading request according to the first target storage address; and sending the downloading request to the first cloud server to download the mixed ciphertext data of the target file. Correspondingly, the first cloud server can write the data access record related to the second user terminal and the download record of the confused ciphertext data of the target file in the blockchain.
Meanwhile, the second user terminal can additionally generate a target downloading request about the target file for downloading and acquiring the sampling ciphertext data of the target file. Specifically, the second user terminal may send the target download request to the smart contract.
The intelligent contract receives and responds to the target downloading request, interacts with the second user terminal, acquires the attribute set (for example, S') of the second user, and detects whether the attribute set of the second user is matched with a preset access strategy; in the case where it is determined that the attribute set of the second user matches the preset access policy, it may be determined that the second user has permission to access the private database of the first user, at which time a corresponding authentication token (e.g., token) may be generated and fed back to the second user terminal according to the token parameters. The attribute set of the second user may specifically be generated by the system attribute authorization module after the second user completes attribute authorization with the system attribute authorization module by using the second user terminal in advance.
The token parameters of the authentication token may specifically include one or more of the following: the authority range of the authentication token, the validity period of the authentication token, the use condition of the authentication token and the like. The token parameter of the authentication token may specifically be that the first user edits and sets by setting a chain code in the process of editing the intelligent contract by using the first user terminal in advance.
When the second user is specifically matched, a corresponding preset access structure (which can be marked as T') can be determined according to a preset access strategy, and whether the attribute set of the second user is matched with the preset access strategy is determined by detecting whether the attribute set of the second user accords with the preset access structure.
Specifically, the encryption mechanism based on ABE can realize access control with high granularity for users by defining various access strategies, thereby realizing safe sharing of data files of multiple users.
Wherein the access policy based access structure may be defined as follows: let set p= { P 1 ,P 2 ,…,P n Consists of n participants, set P is 2 in total P A set of all subsets is denoted as 2 P The non-empty set formed by a plurality of subsets of P is marked as A, A epsilon 2 P . For any B, C, when B ε A,
Figure BDA0003990908130000141
when there is C ε A, then set A isMonotonically, a is an access structure on a set P of n participants. If a set D belongs to set A, then set D is said to be an authorized set. Conversely, set D is an unauthorized set.
The access mechanism may specifically include: tree access structure, and gate access structure, LSSS access structure, etc., and the tree access structure will be mainly described in detail below.
Specifically, it is assumed that any non-leaf node on the access structure control tree T, T is called a Threshold Gate (Threshold Gate), and is described by all child nodes and thresholds of the non-leaf node together. Any node x, its number of child nodes is num x Indicating that node x should have a threshold value k x The threshold value k x The requirements are satisfied: k is more than or equal to 0 x ≤num x . Wherein when k is x When=1, node x is represented as an or gate; when k is x =num x At this point node x is denoted an and gate. If x is a leaf node, its threshold value k x =1, and x is described by a certain attribute. For all children nodes of each node from 1 to num x Numbering is performed in sequence, and index (x) is used to represent the specific sequence number of child node x between surrounding siblings. Meanwhile, parent node of node x is denoted by parent (x), attr (x) is an attribute associated with node x.
Each non-leaf node in the access structure tree represents a threshold value. The logical relationship represented is n of m, meaning that the gate holds if n attributes are met among a total of m attributes, the AND gate is n of n, and the OR gate is 1of n. Each node represents a secret, wherein the closer to the root node, the greater the corresponding weight. T (T) x Is a subtree of the access control tree T.
Specifically determining whether the attribute set accords with the access structure, when the attribute set gamma accords with the access control structure tree T x When T can be obtained x (γ) =1. By combining T x (gamma) performing a recursive operation in the following manner to determine whether the set of attributes gamma satisfies the access control tree T:
if x is a leaf node, T is if and only if the attribute attr (x) associated with that node x belongs to γ x (γ) =1; if x is not a leaf node, the value of Tx (gamma) corresponding to all child nodes of x needs to be calculated first, if the non-leaf node x has at least k x T of child node x When the value of (gamma) is 1, T can be proved x (γ) =1. By using the above recursive algorithm, it can be finally determined whether the attribute set γ of the user satisfies the access control structure tree T of the encryption mechanism.
In this embodiment, before implementation, the first user may set an appropriate access control structure as a preset access structure through the first user terminal, and issue a value smart contract corresponding to the preset access policy. When the smart contract receives the attribute set provided by the second user, it may be determined whether the attribute set of the second user conforms to a preset access structure in the above manner.
After obtaining the authentication token, the second user terminal may access the private database based on the blockchain of the first user within the corresponding authority range according to the related protocol (for example, jwt protocol, or cas protocol) by using the authentication token, so as to successfully download the sampled ciphertext data of the acquired target file.
In addition, the second user terminal can also obtain a preset sampling confusion rule by accessing the private database of the first user based on the blockchain according to the authentication token.
In some embodiments, the above-mentioned mixed ciphertext data and sampled ciphertext data of the target file may include the following contents when implemented:
s1: acquiring a preset sampling confusion rule about a target file;
s2: and combining the mixed ciphertext data of the target file with the sampling ciphertext data according to a preset sampling confusion rule to obtain the ciphertext data of the target file.
Based on the above embodiment, the second user terminal may obtain the ciphertext data of the real and complete target file by combining the mixed ciphertext data of the target file and the sampled ciphertext data.
In some embodiments, the decrypting the ciphertext data of the target file to obtain the target file may include the following when implemented:
S1: generating a second decryption private key according to a preset attribute encryption algorithm and an attribute set of a second user;
s2: decrypting the target head ciphertext by using the second decryption private key to obtain a target hash value and target signature data;
s3: and decrypting ciphertext data of the target file by using the target hash value to obtain the target file.
In particular implementations, the second user terminal may generate a private key of the second user using the CP-ABE and the second user's set of attributes (e.g., may be denoted as SK B ) As a second decryption private key.
It should be noted that, if the algorithm mechanism based on CP-ABE uses the decryption private key generated by the attribute set matched with the preset access policy, the ciphertext data encrypted by the attribute public key generated based on CP-ABE and the preset access policy before normal decryption can be obtained.
Specifically, in the encryption process based on CP-ABE, the first user may generate the ciphertext ET embedded with the preset access structure using the target file in the plaintext form and the access control structure tree T, as shown in equation 1-1. Wherein definition G 1 、G 2 For the p factorial cyclic group, G is one generator of G1. Defining a bilinear pair e based on bilinear mapping: g 1 ×G 1 →G 2 。Z p The random number alpha and the random number beta are all Z, which is a finite addition group containing p elements p . Y represents the set of attributes for all leaf nodes in the structure tree, attr (x) represents the attribute associated with that leaf node x.
ET=(T,C'=M·e(g,g) αs ,C=h s
Figure BDA0003990908130000162
C y =g qy(0) ,C' y =H(arrt(y) qy (0) )。 (1-1)
In the decryption process based on the CP-ABE, ciphertext ET and a private key SK of a second user can be utilized B And a Node x on the access control structure T outputting G by a defined recursive algorithm Decrypt Node 2 A number or "noteq" on the group. Wherein, the symbol "does not indicate that the user's attribute does not conform to the access structure, and the data cannot be decrypted. And distinguishing whether x is a leaf node or a non-leaf node, and performing recursion operation by adopting a corresponding formula.
Specifically, if x is a leaf node, performing a recursive operation using formula 1-2:
Figure BDA0003990908130000161
if x is a non-leaf node, then performing a recursive operation using equations 1-3:
Figure BDA0003990908130000171
where z is any child node in the child node set Sx of node x, i=index (x), S x' ={index(z):z∈S x }。
The result calculated by the root node R call algorithm is calculated from bottom to top through the recursion operation called for the node x, as shown in the formulas 1-4:
DecryptNode(ET,SK,R) = e(g,g) r·qR (0) = e(g,g) r.s =A。 (1-4)
if the attribute set of the second user meets the preset access structure T', the private key SK is used for B G can be calculated 2 The original data can be decrypted by using the calculated value A, and the calculation formula is shown in the formulas 1-5:
Figure BDA0003990908130000172
Wherein the bilinear map is as described aboveSpecifically, G can be set 1 And G 2 Is a multiplication cyclic group with two orders as prime number p, G is G 1 Is a generator of (1). Bilinear mapping is defined as e: g 1 ×G 1 →G 2 . If e satisfies the following condition, then G is referred to 1 Is a bilinear group:
bilinear (Bilinear): for any a, b ε Z p And arbitrary u, v E G 1 Equation e (u a ,v b )=e(u,v) ab Always hold;
non-degradation (Non-degenerate): e (g, g) noteq1;
computability (Computable): for any u, v ε G 1 The computation of bilinear mapping is always valid.
Based on the above three conditions, the bilinear map can be deduced to have the following properties: 1) For any three elements G in G 1 ,g 2 And g 3 All have e (g) 1 ·g 3 ,g 2 )=e(g 1 ,g 2 )·e(g 3 ,g 2 ) The method comprises the steps of carrying out a first treatment on the surface of the 2) For any three elements G in G 1 ,g 2 And g 3 All have e (g) 1 ,g 2 ·g 3 )=e(g 1 ,g 2 )·e(g 1 ,g 3 )。
And under the condition that the attribute set of the second user is matched with the preset access strategy, the second user terminal can successfully decrypt the target head ciphertext by using a second decryption private key generated based on the preset attribute encryption algorithm and the attribute set of the second user to obtain the target hash value and the target signature data. Furthermore, the second user terminal can utilize the target hash value as a decryption key to decrypt the ciphertext data of the target file, thereby obtaining the target file in a complete plaintext form.
In some embodiments, after obtaining the target hash value and the target signature data, the method may further include the following when implemented:
s1: querying a blockchain to acquire a first attribute public key of a first user;
s2: and checking whether the data source of the target file is the first user according to the first attribute public key, the target signature data and the target hash value.
In specific implementation, the second user terminal can utilize the first attribute public key of the first user and the target hash value to perform signature operation to obtain a corresponding check signature; the verification signature is then compared with the target signature data to determine if the data source of the target file is the first user.
If the verification signature is consistent with the target signature data, the data source of the target file can be determined to be the first user, and then the data source of the target file can be judged to be credible. In contrast, if the verification signature and the target signature data are inconsistent, it may be determined that the data source of the target file is not the first user, and further it may be determined that the data source of the target file may not be trusted.
In some embodiments, after obtaining the target hash value and the target signature data, the method may further include the following when implemented:
S1: carrying out hash calculation on the target file to obtain a check hash value;
s2: and checking whether the target file is complete or not according to the check hash value and the target hash value.
In specific implementation, the second user terminal may perform hash operation on the target file by using a hash function to obtain a corresponding hash value as a check hash value (for example, may be denoted as h); the verification hash value is then compared to the target hash value to determine if the resulting target file is complete.
If it is determined that the difference value between the verification hash value and the target hash value is smaller than the preset difference threshold value and is close to 0, it may be determined that the obtained target file is complete. In contrast, if the difference value between the verification hash value and the target hash value is greater than or equal to the preset difference threshold value, it may be determined that the obtained target file is incomplete.
Based on the above embodiment, the second user terminal may further utilize the target hash value and the target signature data to verify the data source and/or the integrity of the obtained target file, so as to accurately determine whether the obtained target file is a data file meeting the requirements.
As can be seen from the above, based on the method for processing cloud storage data provided in the embodiments of the present disclosure, when a first user uses a first user terminal to upload a target file to a first server for cloud storage, the first user may encrypt the target file according to a preset encryption rule to obtain ciphertext data of the target file, and generate a related target header ciphertext; then, ciphertext data of the target file are processed according to a preset sampling confusion rule, and mixed ciphertext data and sampling ciphertext data of the target file are obtained; uploading the confused ciphertext data of the target file to a first cloud server; the first cloud server stores the mixed ciphertext data of the target file and feeds back a first target storage address of the mixed ciphertext data of the target file; storing the sampled ciphertext data of the target file into a private database based on a blockchain; wherein the private database is arranged to support access by the first user terminal or a user terminal holding an authentication token; issuing the associated information of the target file on a block chain; wherein, the association information of the target file at least comprises: identification information of the target file, target header ciphertext, and a first target storage address. Firstly, sampling and confusion processing is carried out on ciphertext data of a target file according to a preset sampling and confusion rule, so that mixed ciphertext data and sampling ciphertext data of the target file are obtained; and uploading the confused ciphertext data to a first cloud server for cloud storage, and storing the rest of the sampled ciphertext data into a private database which is only authorized to be accessed by the first user terminal or a user terminal with authentication credentials and is based on blockchain, so that the data security of the target file held by the first user can be effectively protected, the target file held by the first user is prevented from being leaked to the first cloud server or other third parties, the first user can effectively exercise the forgetting right of the first user for the target file, and the first cloud server cannot obtain the real target file even if decrypting the confused ciphertext data of the target file which is responsible for being stored. Furthermore, based on the method for processing and storing the ciphertext data of the target file, the requirements of a first user can be met, the data migration of the target file can be safely and effectively completed, and the leakage of the related data of the target file in the migration process is avoided.
The embodiment of the specification also provides a server, which comprises a processor and a memory for storing instructions executable by the processor, wherein the processor can execute the following steps according to the instructions when being implemented: encrypting the target file according to a preset encryption rule to obtain ciphertext data of the target file, and generating a related target head ciphertext; processing ciphertext data of the target file according to a preset sampling confusion rule to obtain mixed ciphertext data and sampling ciphertext data of the target file; uploading the confused ciphertext data of the target file to a first cloud server; the first cloud server stores the mixed ciphertext data of the target file and feeds back a first target storage address of the mixed ciphertext data of the target file; storing the sampled ciphertext data of the target file into a private database based on a blockchain; wherein the private database is arranged to support access by the first user terminal or a user terminal holding an authentication token; issuing the associated information of the target file on a block chain; wherein, the association information of the target file at least comprises: identification information of the target file, target header ciphertext, and a first target storage address. The server can be specifically deployed on a user side and used as a user terminal for users to use.
In order to more accurately complete the above instructions, referring to fig. 7, another specific server is provided in the embodiment of the present disclosure, where the server includes a network communication port 701, a processor 702, and a memory 703, and the above structures are connected by an internal cable, so that each structure may perform specific data interaction.
The network communication port 701 may be specifically configured to obtain a target file to be cloud-stored.
The processor 702 may be specifically configured to encrypt the target file according to a preset encryption rule, obtain ciphertext data of the target file, and generate a related target header ciphertext; processing ciphertext data of the target file according to a preset sampling confusion rule to obtain mixed ciphertext data and sampling ciphertext data of the target file; uploading the confused ciphertext data of the target file to a first cloud server; the first cloud server stores the mixed ciphertext data of the target file and feeds back a first target storage address of the mixed ciphertext data of the target file; storing the sampled ciphertext data of the target file into a private database based on a blockchain; wherein the private database is arranged to support access by the first user terminal or a user terminal holding an authentication token; issuing the associated information of the target file on a block chain; wherein, the association information of the target file at least comprises: identification information of the target file, target header ciphertext, and a first target storage address.
The memory 703 may be used for storing a corresponding program of instructions.
In this embodiment, the network communication port 701 may be a virtual port that binds with different communication protocols, so that different data may be sent or received. For example, the network communication port may be a port responsible for performing web data communication, a port responsible for performing FTP data communication, or a port responsible for performing mail data communication. The network communication port may also be an entity's communication interface or a communication chip. For example, it may be a wireless mobile network communication chip, such as GSM, CDMA, etc.; it may also be a Wifi chip; it may also be a bluetooth chip.
In this embodiment, the processor 702 may be implemented in any suitable manner. For example, the processor may take the form of, for example, a microprocessor or processor, and a computer-readable medium storing computer-readable program code (e.g., software or firmware) executable by the (micro) processor, logic gates, switches, an application specific integrated circuit (Application Specific Integrated Circuit, ASIC), a programmable logic controller, and an embedded microcontroller, among others. The description is not intended to be limiting.
In this embodiment, the memory 703 may include a plurality of layers, and in a digital system, the memory may be any memory as long as it can hold binary data; in an integrated circuit, a circuit with a memory function without a physical form is also called a memory, such as a RAM, a FIFO, etc.; in the system, the storage device in physical form is also called a memory, such as a memory bank, a TF card, and the like.
The embodiment of the present disclosure also provides another server, including a processor and a memory for storing instructions executable by the processor, where the processor may perform the following steps according to the instructions when the processor is specifically implemented: querying a block chain to obtain a first target storage address and a target head ciphertext of a target file; according to the first target storage address, obtaining mixed ciphertext data of the target file through downloading by a first cloud server; sending a target download request about a target file to the intelligent contract; the intelligent combination feeds back an authentication token to the second user terminal under the condition that the attribute set of the second user is determined to be matched with a preset access strategy; accessing a private database based on a block chain by using an authentication token to obtain sampling ciphertext data of a target file; combining the mixed ciphertext data of the target file with the sampling ciphertext data to obtain ciphertext data of the target file; and decrypting the ciphertext data of the target file to obtain the target file.
The embodiments of the present specification also provide a computer storage medium based on the above-mentioned cloud storage data processing method, where the computer storage medium stores computer program instructions that when executed implement: encrypting the target file according to a preset encryption rule to obtain ciphertext data of the target file, and generating a related target head ciphertext; processing ciphertext data of the target file according to a preset sampling confusion rule to obtain mixed ciphertext data and sampling ciphertext data of the target file; uploading the confused ciphertext data of the target file to a first cloud server; the first cloud server stores the mixed ciphertext data of the target file and feeds back a first target storage address of the mixed ciphertext data of the target file; storing the sampled ciphertext data of the target file into a private database based on a blockchain; wherein the private database is arranged to support access by the first user terminal or a user terminal holding an authentication token; issuing the associated information of the target file on a block chain; wherein, the association information of the target file at least comprises: identification information of the target file, target header ciphertext, and a first target storage address.
In the present embodiment, the storage medium includes, but is not limited to, a random access Memory (Random Access Memory, RAM), a Read-Only Memory (ROM), a Cache (Cache), a Hard Disk (HDD), or a Memory Card (Memory Card). The memory may be used to store computer program instructions. The network communication unit may be an interface for performing network connection communication, which is set in accordance with a standard prescribed by a communication protocol.
In this embodiment, the functions and effects of the program instructions stored in the computer storage medium may be explained in comparison with other embodiments, and are not described herein.
The embodiments of the present specification also provide another computer storage medium based on the above-mentioned cloud storage data processing method, where the computer storage medium stores computer program instructions that when executed implement: querying a block chain to obtain a first target storage address and a target head ciphertext of a target file; according to the first target storage address, obtaining mixed ciphertext data of the target file through downloading by a first cloud server; sending a target download request about a target file to the intelligent contract; the intelligent combination feeds back an authentication token to the second user terminal under the condition that the attribute set of the second user is determined to be matched with a preset access strategy; accessing a private database based on a block chain by using an authentication token to obtain sampling ciphertext data of a target file; combining the mixed ciphertext data of the target file with the sampling ciphertext data to obtain ciphertext data of the target file; and decrypting the ciphertext data of the target file to obtain the target file.
The embodiments of the present specification also provide a computer program product, which includes a computer program, where the computer program when executed by a processor implements the steps of the method for processing cloud storage data. Specifically, the following steps may be implemented: encrypting the target file according to a preset encryption rule to obtain ciphertext data of the target file, and generating a related target head ciphertext; processing ciphertext data of the target file according to a preset sampling confusion rule to obtain mixed ciphertext data and sampling ciphertext data of the target file; uploading the confused ciphertext data of the target file to a first cloud server; the first cloud server stores the mixed ciphertext data of the target file and feeds back a first target storage address of the mixed ciphertext data of the target file; storing the sampled ciphertext data of the target file into a private database based on a blockchain; wherein the private database is arranged to support access by the first user terminal or a user terminal holding an authentication token; issuing the associated information of the target file on a block chain; wherein, the association information of the target file at least comprises: identification information of the target file, target header ciphertext, and a first target storage address.
Referring to fig. 8, on a software level, the embodiment of the present disclosure further provides a processing device for cloud storage data, where the device may specifically include the following structural modules:
the encryption module 801 may be specifically configured to encrypt the target file according to a preset encryption rule, obtain ciphertext data of the target file, and generate a related target header ciphertext;
the sampling confusion module 802 may be specifically configured to process ciphertext data of the target file according to a preset sampling confusion rule, so as to obtain mixed ciphertext data and sampling ciphertext data of the target file;
the uploading module 803 may be specifically configured to upload the confused ciphertext data of the target file to the first cloud server; the first cloud server stores the mixed ciphertext data of the target file and feeds back a first target storage address of the mixed ciphertext data of the target file;
the storage module 804 may be specifically configured to store the sampled ciphertext data of the target file into a private database based on a blockchain; wherein the private database is arranged to support access by the first user terminal or a user terminal holding an authentication token;
the publishing module 805 may be specifically configured to publish association information of the target file on a blockchain; wherein, the association information of the target file at least comprises: identification information of the target file, target header ciphertext, and a first target storage address.
In some embodiments, when the encryption module 801 is specifically implemented, the target file may be encrypted according to a preset encryption rule to obtain ciphertext data of the target file, and generate a related target header ciphertext according to the following manner: carrying out hash calculation on the target file to obtain a target hash value; encrypting the target file by using the target hash value to obtain ciphertext data of the target file; signing the target hash value by using the first encryption private key to obtain target signature data; and encrypting the target signature data and the target hash value by using the first attribute public key to obtain the target head ciphertext.
In some embodiments, the apparatus may specifically further include an initialization module, specifically configured to generate a first attribute public key and a first attribute master private key of the first user according to a preset attribute encryption algorithm and a preset access policy; generating a first encryption private key by using the first attribute main private key and the attribute set of the first user; a first attribute public key of a first user is published on a blockchain.
In some embodiments, before generating the first attribute public key and the first attribute master private key of the first user according to a preset attribute encryption algorithm and a preset access policy, the apparatus may be further configured to send a registration request to a system attribute authorization module when the apparatus is implemented; the system attribute authorization module configures an attribute set of the first user according to the user information of the first user and generates an identity verification code corresponding to the first user; and receiving the attribute set and the authentication code of the first user fed back by the attribute authorization module of the system.
In some embodiments, when the above-mentioned sampling confusion module 802 is specifically implemented, ciphertext data of the target file may be processed according to a preset sampling confusion rule in the following manner, so as to obtain mixed ciphertext data and sampling ciphertext data of the target file: dividing ciphertext data of the target file into a plurality of ciphertext data sets according to a preset sampling confusion rule; determining the random position of each ciphertext data set in the plurality of ciphertext data sets; recording the random position of each ciphertext data group to obtain a position tuple; extracting data values at random positions of all ciphertext data sets to obtain data tuples; replacing the data value at the random position of each ciphertext data set with a corresponding random parameter value to obtain a plurality of processed ciphertext data sets; combining the plurality of processed ciphertext data sets to obtain mixed ciphertext data of the target file; and combining the position tuple and the data tuple to obtain the sampling ciphertext data of the target file.
In some embodiments, when the sampling obfuscation module 802 is implemented, the random location of the current ciphertext data set of the plurality of ciphertext data sets may be determined as follows: determining a random number range for the current ciphertext data set according to the character length of the current ciphertext data set; generating a random number according to the random number range; and determining the character bit indicated by the random number in the current ciphertext data set as the random position of the current ciphertext data set.
In some embodiments, the sample obfuscation module 802 described above may be implemented to replace the data values at random locations of the current ciphertext data set with corresponding random parameter values in the following manner: randomly screening a preset data value from a plurality of preset data values to be used as a random parameter value corresponding to the random position of the current ciphertext data set; and replaces the data value at the random position of the current ciphertext data set with the random parameter value.
In some embodiments, after storing the sampled ciphertext data of the target file into the blockchain-based private database, the apparatus, when embodied, may be further configured to generate a target migration request for the target file in response to a triggering operation by the first user; sending the target migration request to an intelligent contract; the target migration request carries mixed ciphertext data of the target file based on a first target storage address of a first cloud server and a server identification of a second cloud server to be migrated; the intelligent contract responds to the target migration request, cooperates with the first cloud server and the second cloud server according to a preset migration rule, and migrates the confused ciphertext data of the target file from the first cloud server to the second cloud server for storage; and receiving a second target storage address of the confused ciphertext data for the target file fed back by the second cloud server.
Referring to fig. 9, on a software level, another processing apparatus for cloud storage data is provided in the embodiment of the present disclosure, where the apparatus may specifically include the following structural modules:
the query module 901 may be specifically configured to query a blockchain to obtain a first target storage address and a target header ciphertext of a target file;
the downloading module 902 may be specifically configured to obtain, according to the first target storage address, mixed ciphertext data of the target file through downloading by the first cloud server;
the sending module 903 may be specifically configured to send a target download request about a target file to the smart contract; the intelligent combination feeds back an authentication token to the second user terminal under the condition that the attribute set of the second user is determined to be matched with a preset access strategy;
the obtaining module 904 may specifically be configured to access a private database based on a blockchain by using the authentication token to obtain sampling ciphertext data of the target file;
the combination module 905 may specifically be configured to combine the mixed ciphertext data and the sampled ciphertext data of the target file to obtain ciphertext data of the target file;
the decryption module 906 may be specifically configured to decrypt ciphertext data of the target file to obtain the target file.
In some embodiments, when the above-mentioned combining module 905 is specifically implemented, the obfuscated ciphertext data and the sampled ciphertext data of the target file may be combined in the following manner to obtain the ciphertext data of the target file: acquiring a preset sampling confusion rule about a target file; and combining the mixed ciphertext data of the target file with the sampling ciphertext data according to a preset sampling confusion rule to obtain the ciphertext data of the target file.
In some embodiments, when the decryption module 906 is specifically implemented, the ciphertext data of the target file may be decrypted in the following manner to obtain the target file: generating a second decryption private key according to a preset attribute encryption algorithm and an attribute set of a second user; decrypting the target head ciphertext by using the second decryption private key to obtain a target hash value and target signature data; and decrypting ciphertext data of the target file by using the target hash value to obtain the target file.
In some embodiments, after obtaining the target hash value and the target signature data, the apparatus may be further configured to query the blockchain to obtain a first attribute public key of the first user when the apparatus is implemented; and checking whether the data source of the target file is the first user according to the first attribute public key, the target signature data and the target hash value.
In some embodiments, after obtaining the target hash value and the target signature data, the apparatus may be further configured to perform hash calculation on the target file to obtain a verification hash value when the apparatus is specifically implemented; and checking whether the target file is complete or not according to the check hash value and the target hash value.
It should be noted that, the units, devices, or modules described in the above embodiments may be implemented by a computer chip or entity, or may be implemented by a product having a certain function. For convenience of description, the above devices are described as being functionally divided into various modules, respectively. Of course, when the present description is implemented, the functions of each module may be implemented in the same piece or pieces of software and/or hardware, or a module that implements the same function may be implemented by a plurality of sub-modules or a combination of sub-units, or the like. The above-described apparatus embodiments are merely illustrative, for example, the division of the units is merely a logical function division, and there may be additional divisions when actually implemented, for example, multiple units or components may be combined or integrated into another system, or some features may be omitted or not performed. Alternatively, the coupling or direct coupling or communication connection shown or discussed with each other may be an indirect coupling or communication connection via some interfaces, devices or units, which may be in electrical, mechanical or other form.
From the above, according to the cloud storage data processing device provided by the embodiment of the present disclosure, sampling confusion processing is performed on ciphertext data of a target file according to a preset sampling confusion rule, so as to obtain two data, namely ciphertext data and sampling ciphertext data, after confusion of the target file; and uploading the confused ciphertext data to a first cloud server for cloud storage, and storing the rest of the sampled ciphertext data into a private database which is only authorized to be accessed by the first user terminal or a user terminal with authentication credentials and is based on blockchain, so that the data security of the target file held by the first user can be effectively protected, the target file held by the first user is prevented from being leaked to the first cloud server or other third parties, the first user can effectively exercise the forgetting right of the first user for the target file, and the first cloud server cannot obtain the real target file even if decrypting the confused ciphertext data of the target file which is responsible for being stored.
Although the present description provides method operational steps as described in the examples or flowcharts, more or fewer operational steps may be included based on conventional or non-inventive means. The order of steps recited in the embodiments is merely one way of performing the order of steps and does not represent a unique order of execution. When implemented by an apparatus or client product in practice, the methods illustrated in the embodiments or figures may be performed sequentially or in parallel (e.g., in a parallel processor or multi-threaded processing environment, or even in a distributed data processing environment). The terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, it is not excluded that additional identical or equivalent elements may be present in a process, method, article, or apparatus that comprises a described element. The terms first, second, etc. are used to denote a name, but not any particular order.
Those skilled in the art will also appreciate that, in addition to implementing the controller in a pure computer readable program code, it is well possible to implement the same functionality by logically programming the method steps such that the controller is in the form of logic gates, switches, application specific integrated circuits, programmable logic controllers, embedded microcontrollers, etc. Such a controller can be regarded as a hardware component, and means for implementing various functions included therein can also be regarded as a structure within the hardware component. Or even means for achieving the various functions may be regarded as either software modules implementing the methods or structures within hardware components.
The description may be described in the general context of computer-executable instructions, such as program modules, being executed by a computer. Generally, program modules include routines, programs, objects, components, data structures, classes, etc. that perform particular tasks or implement particular abstract data types. The specification may also be practiced in distributed computing environments where tasks are performed by remote processing devices that are linked through a communications network. In a distributed computing environment, program modules may be located in both local and remote computer storage media including memory storage devices.
From the above description of embodiments, it will be apparent to those skilled in the art that the present description may be implemented in software plus a necessary general hardware platform. Based on such understanding, the technical solutions of the present specification may be embodied essentially in the form of a software product, which may be stored in a storage medium, such as a ROM/RAM, a magnetic disk, an optical disk, etc., and include several instructions to cause a computer device (which may be a personal computer, a mobile terminal, a server, or a network device, etc.) to perform the methods described in the various embodiments or portions of the embodiments of the present specification.
Various embodiments in this specification are described in a progressive manner, and identical or similar parts are all provided for each embodiment, each embodiment focusing on differences from other embodiments. The specification is operational with numerous general purpose or special purpose computer system environments or configurations. For example: personal computers, server computers, hand-held or portable devices, tablet devices, multiprocessor systems, microprocessor-based systems, set top boxes, programmable electronic devices, network PCs, minicomputers, mainframe computers, distributed computing environments that include any of the above systems or devices, and the like.
Although the present specification has been described by way of example, it will be appreciated by those skilled in the art that there are many variations and modifications to the specification without departing from the spirit of the specification, and it is intended that the appended claims encompass such variations and modifications as do not depart from the spirit of the specification.

Claims (18)

1. The processing method of the cloud storage data is characterized by being applied to a first user terminal and comprising the following steps of:
encrypting the target file according to a preset encryption rule to obtain ciphertext data of the target file, and generating a related target head ciphertext;
processing ciphertext data of the target file according to a preset sampling confusion rule to obtain mixed ciphertext data and sampling ciphertext data of the target file;
uploading the confused ciphertext data of the target file to a first cloud server; the first cloud server stores the mixed ciphertext data of the target file and feeds back a first target storage address of the mixed ciphertext data of the target file;
storing the sampled ciphertext data of the target file into a private database based on a blockchain; wherein the private database is arranged to support access by the first user terminal or a user terminal holding an authentication token;
Issuing the associated information of the target file on a block chain; wherein, the association information of the target file at least comprises: identification information of the target file, target header ciphertext, and a first target storage address.
2. The method of claim 1, wherein encrypting the target file according to a preset encryption rule to obtain ciphertext data of the target file and generating the related target header ciphertext comprises:
carrying out hash calculation on the target file to obtain a target hash value; encrypting the target file by using the target hash value to obtain ciphertext data of the target file;
signing the target hash value by using the first encryption private key to obtain target signature data; and encrypting the target signature data and the target hash value by using the first attribute public key to obtain the target head ciphertext.
3. The method according to claim 2, wherein the method further comprises:
generating a first attribute public key and a first attribute master private key of a first user according to a preset attribute encryption algorithm and a preset access strategy;
generating a first encryption private key by using the first attribute main private key and the attribute set of the first user;
a first attribute public key of a first user is published on a blockchain.
4. A method according to claim 3, wherein prior to generating the first attribute public key and the first attribute master private key of the first user according to a preset attribute encryption algorithm and a preset access policy, the method further comprises:
sending a registration request to a system attribute authorization module; the system attribute authorization module configures an attribute set of the first user according to the user information of the first user and generates an identity verification code corresponding to the first user;
and receiving the attribute set and the authentication code of the first user fed back by the attribute authorization module of the system.
5. The method of claim 1, wherein processing ciphertext data of the target file according to a preset sampling confusion rule to obtain the confused ciphertext data and the sampling ciphertext data of the target file comprises:
dividing ciphertext data of the target file into a plurality of ciphertext data sets according to a preset sampling confusion rule;
determining the random position of each ciphertext data set in the plurality of ciphertext data sets; recording the random position of each ciphertext data group to obtain a position tuple;
extracting data values at random positions of all ciphertext data sets to obtain data tuples; replacing the data value at the random position of each ciphertext data set with a corresponding random parameter value to obtain a plurality of processed ciphertext data sets;
Combining the plurality of processed ciphertext data sets to obtain mixed ciphertext data of the target file; and combining the position tuple and the data tuple to obtain the sampling ciphertext data of the target file.
6. The method of claim 5, wherein determining random locations for each of a plurality of ciphertext data sets comprises:
the random position of the current ciphertext data set of the plurality of ciphertext data sets is determined as follows:
determining a random number range for the current ciphertext data set according to the character length of the current ciphertext data set;
generating a random number according to the random number range; and determining the character bit indicated by the random number in the current ciphertext data set as the random position of the current ciphertext data set.
7. The method of claim 5, wherein replacing the data values at the random locations of each ciphertext data set with corresponding random parameter values comprises:
the data values at the random locations of the current ciphertext data set are replaced with corresponding random parameter values in the following manner:
randomly screening a preset data value from a plurality of preset data values to be used as a random parameter value corresponding to the random position of the current ciphertext data set; and replaces the data value at the random position of the current ciphertext data set with the random parameter value.
8. The method of claim 1, wherein after storing the sampled ciphertext data of the target file into the blockchain-based private database, the method further comprises:
responding to the triggering operation of the first user, and generating a target migration request about a target file;
sending the target migration request to an intelligent contract; the target migration request carries mixed ciphertext data of the target file based on a first target storage address of a first cloud server and a server identification of a second cloud server to be migrated; the intelligent contract responds to the target migration request, cooperates with the first cloud server and the second cloud server according to a preset migration rule, and migrates the confused ciphertext data of the target file from the first cloud server to the second cloud server for storage;
and receiving a second target storage address of the confused ciphertext data for the target file fed back by the second cloud server.
9. The cloud storage data processing method is characterized by being applied to a second user terminal and comprising the following steps of:
querying a block chain to obtain a first target storage address and a target head ciphertext of a target file;
According to the first target storage address, obtaining mixed ciphertext data of the target file through downloading by a first cloud server;
sending a target download request about a target file to the intelligent contract; the intelligent combination feeds back an authentication token to the second user terminal under the condition that the attribute set of the second user is determined to be matched with a preset access strategy;
accessing a private database based on a block chain by using an authentication token to obtain sampling ciphertext data of a target file;
combining the mixed ciphertext data of the target file with the sampling ciphertext data to obtain ciphertext data of the target file;
and decrypting the ciphertext data of the target file to obtain the target file.
10. The method of claim 9, wherein combining the obfuscated ciphertext data and the sampled ciphertext data of the target file to obtain ciphertext data of the target file comprises:
acquiring a preset sampling confusion rule about a target file;
and combining the mixed ciphertext data of the target file with the sampling ciphertext data according to a preset sampling confusion rule to obtain the ciphertext data of the target file.
11. The method of claim 9, wherein decrypting ciphertext data of the target file to obtain the target file comprises:
Generating a second decryption private key according to a preset attribute encryption algorithm and an attribute set of a second user;
decrypting the target head ciphertext by using the second decryption private key to obtain a target hash value and target signature data;
and decrypting ciphertext data of the target file by using the target hash value to obtain the target file.
12. The method of claim 11, wherein after obtaining the target hash value and the target signature data, the method further comprises:
querying a blockchain to acquire a first attribute public key of a first user;
and checking whether the data source of the target file is the first user according to the first attribute public key, the target signature data and the target hash value.
13. The method of claim 11, wherein after obtaining the target file, the method further comprises:
carrying out hash calculation on the target file to obtain a check hash value;
and checking whether the target file is complete or not according to the check hash value and the target hash value.
14. The processing device of cloud storage data is characterized by being applied to a first user terminal and comprising:
the encryption module is used for encrypting the target file according to a preset encryption rule to obtain ciphertext data of the target file and generating a related target header ciphertext;
The sampling confusion module is used for processing ciphertext data of the target file according to a preset sampling confusion rule to obtain mixed ciphertext data and sampling ciphertext data of the target file;
the uploading module is used for uploading the confused ciphertext data of the target file to the first cloud server; the first cloud server stores the mixed ciphertext data of the target file and feeds back a first target storage address of the mixed ciphertext data of the target file;
the storage module is used for storing the sampling ciphertext data of the target file into a private database based on a block chain; wherein the private database is arranged to support access by the first user terminal or a user terminal holding an authentication token;
the issuing module is used for issuing the associated information of the target file on the blockchain; wherein, the association information of the target file at least comprises: identification information of the target file, target header ciphertext, and a first target storage address.
15. The processing device of cloud storage data is characterized by being applied to a second user terminal and comprising:
the query module is used for querying the block chain and acquiring a first target storage address and a target head ciphertext of the target file;
The downloading module is used for downloading the mixed ciphertext data of the target file through the first cloud server according to the first target storage address;
a transmitting module for transmitting a target download request about a target file to the smart contract; the intelligent combination feeds back an authentication token to the second user terminal under the condition that the attribute set of the second user is determined to be matched with a preset access strategy;
the acquisition module is used for accessing the private database based on the blockchain by using the authentication token so as to acquire the sampling ciphertext data of the target file;
the combination module is used for combining the mixed ciphertext data of the target file with the sampling ciphertext data to obtain ciphertext data of the target file;
and the decryption module is used for decrypting the ciphertext data of the target file to obtain the target file.
16. A server comprising a processor and a memory for storing processor-executable instructions, which when executed by the processor implement the steps of the method of any one of claims 1 to 8, or 9 to 13.
17. A computer storage medium having stored thereon computer instructions which, when executed by a processor, implement the steps of the method of any of claims 1 to 8, or 9 to 13.
18. A computer program product comprising a computer program which, when executed by a processor, implements the steps of the method of any one of claims 1 to 8, or 9 to 13.
CN202211580994.XA 2022-12-09 2022-12-09 Cloud storage data processing method, device and server Pending CN116055105A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211580994.XA CN116055105A (en) 2022-12-09 2022-12-09 Cloud storage data processing method, device and server

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202211580994.XA CN116055105A (en) 2022-12-09 2022-12-09 Cloud storage data processing method, device and server

Publications (1)

Publication Number Publication Date
CN116055105A true CN116055105A (en) 2023-05-02

Family

ID=86124612

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202211580994.XA Pending CN116055105A (en) 2022-12-09 2022-12-09 Cloud storage data processing method, device and server

Country Status (1)

Country Link
CN (1) CN116055105A (en)

Similar Documents

Publication Publication Date Title
US10673626B2 (en) Threshold secret share authentication proof and secure blockchain voting with hardware security modules
CN109144961B (en) Authorization file sharing method and device
CN109862041B (en) Digital identity authentication method, equipment, device, system and storage medium
JP6606156B2 (en) Data security service
US20200084027A1 (en) Systems and methods for encryption of data on a blockchain
RU2718689C2 (en) Confidential communication control
US7320076B2 (en) Method and apparatus for a transaction-based secure storage file system
US9698974B2 (en) Method for creating asymmetrical cryptographic key pairs
US10880100B2 (en) Apparatus and method for certificate enrollment
CN111130770B (en) Information certification method and system based on blockchain, user terminal, electronic equipment and storage medium
US20100005318A1 (en) Process for securing data in a storage unit
CN112671720B (en) Token construction method, device and equipment for cloud platform resource access control
US8806206B2 (en) Cooperation method and system of hardware secure units, and application device
CN111476573B (en) Account data processing method, device, equipment and storage medium
Zhou et al. EverSSDI: blockchain-based framework for verification, authorisation and recovery of self-sovereign identity using smart contracts
JP2016508699A (en) Data security service
KR101648364B1 (en) Method for improving encryption/decryption speed by complexly applying for symmetric key encryption and asymmetric key double encryption
CN116601912A (en) Post-secret provisioning service providing encryption security
CN114244508B (en) Data encryption method, device, equipment and storage medium
US10785193B2 (en) Security key hopping
CN114826702A (en) Database access password encryption method and device and computer equipment
US10764260B2 (en) Distributed processing of a product on the basis of centrally encrypted stored data
US20190305940A1 (en) Group shareable credentials
CN114398623A (en) Method for determining security policy
CN113722749A (en) Data processing method and device for block chain BAAS service based on encryption algorithm

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination