CN116383838A - Data encryption and decryption method and related device in distributed data storage system - Google Patents

Data encryption and decryption method and related device in distributed data storage system Download PDF

Info

Publication number
CN116383838A
CN116383838A CN202310259815.0A CN202310259815A CN116383838A CN 116383838 A CN116383838 A CN 116383838A CN 202310259815 A CN202310259815 A CN 202310259815A CN 116383838 A CN116383838 A CN 116383838A
Authority
CN
China
Prior art keywords
encryption
data
information
encryption key
encrypted
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202310259815.0A
Other languages
Chinese (zh)
Inventor
王文康
王祥宇
马鑫迪
马建峰
沈玉龙
苗银宾
张俊伟
卢笛
习宁
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Xidian University
Original Assignee
Xidian University
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Xidian University filed Critical Xidian University
Priority to CN202310259815.0A priority Critical patent/CN116383838A/en
Publication of CN116383838A publication Critical patent/CN116383838A/en
Pending legal-status Critical Current

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/602Providing cryptographic facilities or services
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/20Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data
    • G06F16/24Querying
    • G06F16/245Query processing
    • G06F16/2458Special types of queries, e.g. statistical queries, fuzzy queries or distributed queries
    • G06F16/2471Distributed queries
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/20Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data
    • G06F16/27Replication, distribution or synchronisation of data between databases or within a distributed database system; Distributed database system architectures therefor
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31User authentication
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/62Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Databases & Information Systems (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Computer Hardware Design (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • Data Mining & Analysis (AREA)
  • Fuzzy Systems (AREA)
  • Mathematical Physics (AREA)
  • Probability & Statistics with Applications (AREA)
  • Computational Linguistics (AREA)
  • Computing Systems (AREA)
  • Storage Device Security (AREA)

Abstract

The application provides a data encryption and decryption method and a related device in a distributed data storage system, wherein the method comprises the following steps: receiving data to be encrypted, determining user identity information corresponding to the data to be encrypted, and determining a first encryption key corresponding to the data to be encrypted based on the user identity information; encrypting the data to be encrypted by using the first encryption key to obtain first encryption information, and storing the first encryption information to a working node of a storage end; generating a second encryption key based on the first encryption key, encrypting the data block storing the first encryption information by using the second encryption key to obtain second encryption information, and storing the second encryption information to a management node of the storage end. The method can improve the data security.

Description

Data encryption and decryption method and related device in distributed data storage system
Technical Field
The invention belongs to the technical field of information security, and relates to a data encryption and decryption method and a related device in a distributed data storage system.
Background
With the rapid development of the current science and technology, the importance of the resource of massive data is becoming more and more prominent, and how to effectively protect the security of the private data is also becoming one of the important research subjects at present. In the current process of mass data, the common practice is to package local data into a cloud server for storage and management. However, it is not absolutely safe to completely host data to a third party, and recently, there are many security problems such as data leakage due to explosion. Aiming at the security problem of a cloud server, the current common security protection technology is to encrypt data before storing the data in the cloud, download ciphertext from the server to local decryption when the data is needed, and then carry out subsequent operation. However, after encrypting the data, the relationship between the data is reduced, so how to efficiently perform ciphertext retrieval on the cloud server is one of the great challenges.
Existing encrypted databases such as the cryptodb enable corresponding operations to be performed on encrypted data by performing special processing on operations (selection, connection, projection, etc.) performed on the database. Although the problem of difficulty in retrieving ciphertext data by a cloud server is solved to a certain extent, the type of the stored data is single, and performance and security challenges in a large-scale user multi-key scene cannot be met. Therefore, on the premise of ensuring the security of cloud data, it is very necessary to establish an efficient encryption storage system.
Disclosure of Invention
The invention provides a data encryption and decryption method in a distributed data storage system and a related device.
In a first aspect, the present application provides a method for encrypting and decrypting data in a distributed data storage system, including: receiving data to be encrypted, determining user identity information corresponding to the data to be encrypted, and determining a first encryption key corresponding to the data to be encrypted based on the user identity information; encrypting the data to be encrypted by using the first encryption key to obtain first encryption information, and storing the first encryption information to a working node of a storage end; generating a second encryption key based on the first encryption key, encrypting the data block storing the first encryption information by using the second encryption key to obtain second encryption information, and storing the second encryption information to a management node of the storage end.
The step of receiving the data to be encrypted, determining user identity information corresponding to the data to be encrypted, and determining a first encryption key corresponding to the data to be encrypted based on the user identity information comprises the following steps: generating an encryption key based on the user identity information and generating a first key value pair based on the user identity information and the encryption secret; the step of determining the first encryption key corresponding to the data to be encrypted based on the user identity information comprises the following steps: and determining a first encryption key corresponding to the data to be encrypted from the first key value pair based on the user identity information.
Wherein the method further comprises: receiving data query information, determining user identity information corresponding to the data query information, and determining a first encryption key corresponding to the data query information based on the user identity information; encrypting the data query information by using the first encryption key to obtain third encryption information; and determining a query result corresponding to the data query information based on the third encryption information.
The step of determining the query result corresponding to the data query information based on the third encryption information includes: comparing the third encryption information with the second encryption information in the management node; responding to the second encryption information and the third encryption information to be matched, and determining a storage address of a query result corresponding to the data query information in the working node based on the matched second encryption information; obtaining the first encryption information based on the storage address; and decrypting the first decryption information by using the first encryption key to obtain a query result corresponding to the data query information.
The step of determining the storage address of the query result corresponding to the data query information in the working node based on the matched second encryption information includes: and decrypting the matched second encryption information by using the second encryption key to obtain a storage address of a query result corresponding to the data query information in the working node.
Wherein the second encryption key is different when each data block is encrypted.
Wherein the step of generating a second encryption key based on the first encryption key comprises: a second encryption key is generated based on the first encryption key using a pseudo-random function.
In a second aspect, the present application provides a data encryption and decryption device in a distributed data storage system, including: the receiving module is used for receiving data to be encrypted, determining user identity information corresponding to the data to be encrypted, and determining a first encryption key corresponding to the data to be encrypted based on the user identity information; the first encryption module is used for encrypting the data to be encrypted by using the first encryption key to obtain first encryption information, and storing the first encryption information to a working node of a storage end; a key derivation module for generating a second encryption key based on the first encryption key; and the second encryption module is used for encrypting the data block storing the first encryption information by using the second encryption key to obtain second encryption information, and storing the second encryption information to the management node of the storage end.
In a third aspect, the present application provides a data encryption and decryption system in a distributed data storage system, including: the client agent is used for receiving data to be encrypted, determining user identity information corresponding to the data to be encrypted, and determining a first encryption key corresponding to the data to be encrypted based on the user identity information; encrypting the data to be encrypted by using the first encryption key to obtain first encryption information; the server side agent is used for generating a second encryption key based on the first encryption key, and encrypting a data block storing the first encryption information by using the second encryption key to obtain second encryption information; the storage end comprises a working node and a management node, wherein the working node is used for storing first encryption information, and the management node is used for storing second encryption information.
The data encryption and decryption method provided by the application comprises the following steps: receiving data to be encrypted, determining user identity information corresponding to the data to be encrypted, and determining a first encryption key corresponding to the data to be encrypted based on the user identity information; encrypting the data to be encrypted by using the first encryption key to obtain first encryption information, and storing the first encryption information to a working node of a storage end; generating a second encryption key based on the first encryption key, encrypting the data block storing the first encryption information by using the second encryption key to obtain second encryption information, and storing the second encryption information to a management node of the storage end. The method can improve the data security.
Drawings
FIG. 1 is a flow chart of a first embodiment of a data encryption and decryption method of the present application;
FIG. 2 is a flow chart of a second embodiment of the data encryption and decryption method of the present application;
FIG. 3 is a schematic structural diagram of an embodiment of a data encryption and decryption device according to the present application;
FIG. 4 is a schematic diagram of an embodiment of a data encryption and decryption system according to the present application.
Detailed Description
In order to further describe the technical means and effects adopted by the present invention to achieve the intended purpose, the present invention is described in detail below with reference to the accompanying drawings and the detailed description. The foregoing and other features, aspects, and advantages of the present invention will become more apparent from the following detailed description of the preferred embodiments when taken in conjunction with the accompanying drawings. It should be understood that the specific embodiments described herein are for purposes of illustration only and are not intended to limit the scope of the invention. The drawings are provided for reference and description only and are not intended to limit the technical solution of the present invention.
Referring to fig. 1, fig. 1 is a flow chart of a first embodiment of a data encryption and decryption method in a distributed data storage system according to the present application, which specifically includes:
step S11: and receiving data to be encrypted, determining user identity information corresponding to the data to be encrypted, and determining a first encryption key corresponding to the data to be encrypted based on the user identity information.
Specifically, when data uploading is performed, the client sends a data uploading request and registers on the system. In one embodiment, a system generates an encryption key based on user identity information of a client and generates a first key-value pair based on the user identity information and the encryption secret. The key value is user identity information in the first key value pair, and the value stores a first encryption key.
When data uploading is carried out, the client sends the uploaded data to a system, the system receives the uploaded data as data to be encrypted, meanwhile, user identity information corresponding to the data to be encrypted is determined, and a first encryption key corresponding to the data to be encrypted is determined from the first key value pair based on the user identity information.
Step S12: and encrypting the data to be encrypted by using the first encryption key to obtain first encryption information, and storing the first encryption information to a working node of a storage end.
Step S13: generating a second encryption key based on the first encryption key, encrypting the data block storing the first encryption information by using the second encryption key to obtain second encryption information, and storing the second encryption information to a management node of the storage end.
The storage end adopts an HDFS server cluster, and a part of nodes are used as management nodes NameNode to store management data, such as index information; and the other part of nodes are used as working nodes, namely the DataNode is used for storing service data, such as encrypted information to be encrypted. The storage end is a block storage, and a corresponding relation exists between the management node NameNode and the working node DataNode. In the method, data to be encrypted is encrypted by using a first encryption key to obtain first encryption information, and the first encryption information is stored in a working node of a storage end; generating a second encryption key based on the first encryption key, encrypting the data block storing the first encryption information by using the second encryption key to obtain second encryption information, and storing the second encryption information into a management node of the storage end.
It should be noted that, the data block contains a keyword of the information to be encrypted, and the obtained second encrypted information represents a storage address of the information to be encrypted after the data block is encrypted.
In one embodiment, the second encryption key is different when each block of data is encrypted.
In the application, for the encryption processing of large data set files, a fine-grained file (data block) encryption scheme is designed, and each file (data block) is encrypted by using a different key to improve the security and prevent the whole data set from being influenced by the leakage of the key when the single key is used for encryption. However, encrypting each file (data block) using a different key can easily result in a significant key management overhead, and key derivation is introduced to solve this key management problem. For key derivation, the scheme introduces a deletable pseudorandom function, constructing the pseudorandom function on a strict subset of the key derivation trapdoors.
In an embodiment, a second encryption key is generated based on the first encryption key using a pseudo-random function. Specifically, the specific process is as follows:
let G {0,1} λ →{0,1} Where G is a pseudo-random generator, G0 (k), G1 (k) are the first half and the second half of the string G (k), and k is a random number seed of length λ bits. The definition of the GGM pseudo-random function family is:
Figure BDA0004130855000000051
so that
Figure BDA0004130855000000052
Where n is a polynomial in λ, x n-1 …x 0 Is an input bit string of size n.
The construction of the GGM tree requires defining a binary tree over the PRF domain, as depicted in FIG. 3, a binary tree with 5 levels, with leaves marked with decimal numbers ranging from 0 to 15, ordered in ascending order. Each node may be marked with a binary string, determined by the marking of the edge on the path from the root to the node, with the edge connecting between each node and the left and right children marked with a 0 or 1, respectively. Let PRF domain be {0,1} 4 The PRF value of 0010 is:
f k (0010)=G 0 (G 1 (G 0 (G 0 (k))))。
wherein G is synthesized in accordance with the root-to-value (0010) 2 The front (or back) half of the G output is selected when the edge label in the path between leaf nodes 2 of the accessed edge is 0 (or 1). On this basis, the n-long binary representation of the leaf tag constitutes the PRF field, each leaf being associated with its tag's PRF values, which constitute the PRF range.
Each internal node of the GGM tree is associated with a partial PRF value, communicatingThe combination of G, determined by the path of the root to the node, is performed. For example, node 00 and PRF G in FIG. 3 0 (G 0 (k) If a node has a partial PRF f k (x n-1 …x j ) It can calculate all 2j prefixes as x n-1 …x j Is only required to be located at x at the root node n-1 …x j DFS traversal (depth-first traversal) in a subtree of (1) and is associated with f k (x n-1 …x j ) Combining to obtain the final product. For example, using the partial PRF value of node 00, one can use the value of the partial PRF value at [0,3 ]]Derives the input PRF value in the (decimal) range: f (f) k (0000)=G 0 (G 0 (f k (00))),f k (0001)=G 1 (G 0 (f k (00))),f k (0010)=G 0 (G 1 (f k (00))),f k (0011)=G 1 (G 1 (f k (00))). For any range of leaf tags [ a, b ]]There is a set of (non-unique) subtrees in the GGM tree that just cover the corresponding leaves, and when the partial PRF values and subtree depths of the subtree roots are owned, it is possible to deduce all tags at [ a, b ]]PRF values for leaves of the range. As in fig. 3, according to (f k (001) 1) and (f k (01) 2) it can be deduced that the tag is [2,7]PRF values of leaves of (c).
The construction of the best range coverage is a triplet (F, T, C), F being the GGM PRF family with tree depth n, delegation policy:
P={[a,b]|0≤a≤b≤a+λγ<2 n };
wherein gamma is a constant integer. The inputs being the key k and a range a, b]The output is a deletable trapdoor τ such that each decimal is represented in [ a, b]X of each can calculate f k (x)。
First, the algorithm finds the first bit that is different for a and b, determining the common path from the root node to leaf nodes a and b. If the common path ends at node mu, then [ a, b ]]Is a tag set belonging to the subtree of node μ, and the thief outputs a single pair of μ -corresponding partial PRF values and subtree depth, otherwise continues traversing the left and right subtrees. For path p v→a From the left node v of μStarting at node a, it is checked whether a is the leftmost node of the subtree of v. If so, the PRF value of v is included along with the depth of the subtree of v, and the traversal is terminated; otherwise p v→a Continuing to the left subtree node of v, the trapdoor contains the PRF value of the right subtree node of v and the subtree.
Further, referring to fig. 2, fig. 2 is a flow chart of a second embodiment of the data encryption and decryption method of the present application, and specifically, the data encryption and decryption method of the present application further includes:
step S21: and receiving data query information, determining user identity information corresponding to the data query information, and determining a first encryption key corresponding to the data query information based on the user identity information.
Specifically, the data to be encrypted is encrypted and stored in the storage end in the manner shown in fig. 1. When data query is carried out, data query information sent by a client is received, user identity information corresponding to the data query information is determined, and a first encryption key corresponding to the data query information is determined from the first key value pair based on the user identity information.
Step S22: and encrypting the data query information by using the first encryption key to obtain third encryption information.
And encrypting the data query information by using the first encryption key to obtain third encryption information.
Step S23: and determining a query result corresponding to the data query information based on the third encryption information.
Specifically, comparing the third encryption information with the second encryption information in the management node; and responding to the second encryption information and the third encryption information to be matched, and determining the storage address of the query result corresponding to the data query information in the working node based on the matched second encryption information. Specifically, if the second encryption information matched with the third encryption information is found, the second encryption information matched with the third encryption information is decrypted by using the second encryption key at the moment, and the storage address of the query result corresponding to the data query information in the working node is obtained. Obtaining the first encryption information based on the storage address; and decrypting the first decryption information by using the first encryption key to obtain a query result corresponding to the data query information.
According to the data encryption and decryption method, a request is made by using a plaintext to a user side, so that a plaintext result is obtained; and the storage end requests the ciphertext to obtain a ciphertext result. The middleware simplifies the functions of the user terminal and the storage terminal, and greatly improves the safety. In addition, the method provides a process for encrypting and inquiring the file, an encryption database of a storage layer is adapted, a corresponding index file is generated according to the file type during uploading the file, after the inquiry is obtained, the index is processed according to a secret key, and then a ciphertext condition is generated to carry out matching inquiry on the index. The whole data set is prevented from being influenced by single key leakage, and different key encryption and decryption are used for each data block to improve the security. When the key derivation is carried out on the master key, the optimal range coverage scheme is adopted to construct a trusted pseudo-random function, the pseudo-random function is calculated on a strict subset of the master key, the calculation task can be safely delegated to a third party, the untrusted party is allowed to calculate the given function, and meanwhile the verifiability of the result and the privacy of input and output are ensured.
Referring to fig. 3, fig. 3 is a schematic structural diagram of a data encryption and decryption device in a distributed data storage system according to the present application, which specifically includes: a receiving module 31, a first encryption module 32, a key derivation module 33, and a second encryption module 34. The receiving module 31 is configured to receive data to be encrypted, determine user identity information corresponding to the data to be encrypted, and determine a first encryption key corresponding to the data to be encrypted based on the user identity information. The first encryption module 32 is configured to encrypt the data to be encrypted with the first encryption key to obtain first encryption information, and store the first encryption information to a working node of a storage end. The key derivation module 33 is configured to generate a second encryption key based on the first encryption key. The second encryption module 34 is configured to encrypt the data block storing the first encryption information with the second encryption key to obtain second encryption information, and store the second encryption information to the management node of the storage end.
In an embodiment, the receiving module 31 is further configured to generate an encryption key based on the user identity information, and generate a first key-value pair based on the user identity information and the encryption secret; and determining a first encryption key corresponding to the data to be encrypted from the first key value pair based on the user identity information.
In an embodiment, the receiving module 31 is further configured to receive data query information, determine user identity information corresponding to the data query information, and determine a first encryption key corresponding to the data query information based on the user identity information.
In an embodiment, the first encryption module 32 is further configured to encrypt the data query information with the first encryption key to obtain third encrypted information.
In an embodiment, the data encryption and decryption device further includes a query module, where the query module is configured to determine a query result corresponding to the data query information based on the third encryption information. Specifically, the query module is configured to compare the third encryption information with the second encryption information in the management node; responding to the second encryption information and the third encryption information to be matched, and determining a storage address of a query result corresponding to the data query information in the working node based on the matched second encryption information; obtaining the first encryption information based on the storage address; and decrypting the first decryption information by using the first encryption key to obtain a query result corresponding to the data query information.
In an embodiment, the query module is further configured to decrypt the matched second encrypted information by using the second encryption key, to obtain a storage address of a query result corresponding to the data query information in the working node.
The second encryption key is different when each data block is encrypted.
In an embodiment, the key derivation module 33 is configured to generate the second encryption key based on the first encryption key using a pseudo-random function.
According to the data encryption and decryption device, a request is made by using a plaintext to a user side, so that a plaintext result is obtained; and the storage end requests the ciphertext to obtain a ciphertext result. The middleware simplifies the functions of the user terminal and the storage terminal, and greatly improves the safety. In addition, the method provides a process for encrypting and inquiring the file, an encryption database of a storage layer is adapted, a corresponding index file is generated according to the file type during uploading the file, after the inquiry is obtained, the index is processed according to a secret key, and then a ciphertext condition is generated to carry out matching inquiry on the index. The whole data set is prevented from being influenced by single key leakage, and different key encryption and decryption are used for each data block to improve the security. When the key derivation is carried out on the master key, the optimal range coverage scheme is adopted to construct a trusted pseudo-random function, the pseudo-random function is calculated on a strict subset of the master key, the calculation task can be safely delegated to a third party, the untrusted party is allowed to calculate the given function, and meanwhile the verifiability of the result and the privacy of input and output are ensured.
Referring to fig. 4, fig. 4 is a schematic structural diagram of a data encryption and decryption system in a distributed data storage system according to the present application, which specifically includes: client agent 41, server agent 42, storage 43.
The client agent 41 is configured to receive data to be encrypted, determine user identity information corresponding to the data to be encrypted, and determine a first encryption key corresponding to the data to be encrypted based on the user identity information; and encrypting the data to be encrypted by using the first encryption key to obtain first encryption information.
The server agent 42 is configured to generate a second encryption key based on the first encryption key, and encrypt a data block storing the first encryption information with the second encryption key to obtain second encryption information.
The storage terminal 43 includes a working node for storing the first encryption information and a management node for storing the second encryption information.
In an embodiment, the client agent 41 is further configured to generate an encryption key based on the user identity information and to generate a first key-value pair based on the user identity information and the encryption secret; and determining a first encryption key corresponding to the data to be encrypted from the first key value pair based on the user identity information.
In an embodiment, the client agent 41 is further configured to receive data query information, determine user identity information corresponding to the data query information, and determine a first encryption key corresponding to the data query information based on the user identity information; and encrypting the data query information by using the first encryption key to obtain third encryption information.
In an embodiment, the server agent 42 is further configured to determine a query result corresponding to the data query information based on the third encryption information. Specifically, the server agent 42 is configured to compare the third encrypted information with the second encrypted information in the management node; responding to the second encryption information and the third encryption information to be matched, and determining a storage address of a query result corresponding to the data query information in the working node based on the matched second encryption information; obtaining the first encryption information based on the storage address; and decrypting the first decryption information by using the first encryption key to obtain a query result corresponding to the data query information.
Compared with the prior art, the scheme constructs the server agent 42 and the client agent 41, comprises main computing services, adopts a two-end agent mode, simplifies functions of a client and a storage end to a certain extent, solves performance problems of encrypting and decrypting a large amount of data in a cloud server and key derivation and distribution management problems caused by multiple keys under a large-scale user multiple key scene, and can achieve the aim of safely storing data. The middleware client agent performs encryption and decryption service and key derivation and distribution management on the user data, and the server agent performs safe storage management on ciphertext data, so that multi-user requests can be efficiently realized. The key derivation uses the optimal range coverage, and a trusted pseudo-random function is constructed on a strict subset of the master key, so that the influence of a single key on other keys is effectively prevented, and the data security of the user is ensured.
The foregoing is only an implementation method of the present invention, and is not limited to the patent scope of the present invention, and all equivalent structures or equivalent processes using the descriptions of the present invention and the accompanying drawings, or direct or indirect application in other related technical fields are included in the scope of the present invention.

Claims (9)

1. A method for encrypting and decrypting data in a distributed data storage system, comprising:
receiving data to be encrypted, determining user identity information corresponding to the data to be encrypted, and determining a first encryption key corresponding to the data to be encrypted based on the user identity information;
encrypting the data to be encrypted by using the first encryption key to obtain first encryption information, and storing the first encryption information to a working node of a storage end;
generating a second encryption key based on the first encryption key, encrypting the data block storing the first encryption information by using the second encryption key to obtain second encryption information, and storing the second encryption information to a management node of the storage end.
2. The method for encrypting and decrypting data according to claim 1, wherein said steps of receiving data to be encrypted, determining user identity information corresponding to said data to be encrypted, and determining a first encryption key corresponding to said data to be encrypted based on said user identity information, comprise:
generating an encryption key based on the user identity information and generating a first key value pair based on the user identity information and the encryption secret;
the step of determining the first encryption key corresponding to the data to be encrypted based on the user identity information comprises the following steps:
and determining a first encryption key corresponding to the data to be encrypted from the first key value pair based on the user identity information.
3. The method for encrypting and decrypting data according to claim 1, further comprising:
receiving data query information, determining user identity information corresponding to the data query information, and determining a first encryption key corresponding to the data query information based on the user identity information;
encrypting the data query information by using the first encryption key to obtain third encryption information;
and determining a query result corresponding to the data query information based on the third encryption information.
4. The method of encrypting and decrypting data according to claim 3, wherein the step of determining the query result corresponding to the data query information based on the third encryption information includes:
comparing the third encryption information with the second encryption information in the management node;
responding to the second encryption information and the third encryption information to be matched, and determining a storage address of a query result corresponding to the data query information in the working node based on the matched second encryption information;
obtaining the first encryption information based on the storage address;
and decrypting the first decryption information by using the first encryption key to obtain a query result corresponding to the data query information.
5. The method according to claim 1, wherein the step of determining the storage address of the query result corresponding to the data query information in the working node based on the matched second encryption information includes:
and decrypting the matched second encryption information by using the second encryption key to obtain a storage address of a query result corresponding to the data query information in the working node.
6. The method according to any one of claims 1 to 5, wherein the second encryption key is different when encrypting each data block.
7. The data encryption and decryption method according to any one of claims 1 to 5, wherein the step of generating a second encryption key based on the first encryption key comprises:
a second encryption key is generated based on the first encryption key using a pseudo-random function.
8. A data encryption and decryption device in a distributed data storage system, comprising:
the receiving module is used for receiving data to be encrypted, determining user identity information corresponding to the data to be encrypted, and determining a first encryption key corresponding to the data to be encrypted based on the user identity information;
the first encryption module is used for encrypting the data to be encrypted by using the first encryption key to obtain first encryption information, and storing the first encryption information to a working node of a storage end;
a key derivation module for generating a second encryption key based on the first encryption key;
and the second encryption module is used for encrypting the data block storing the first encryption information by using the second encryption key to obtain second encryption information, and storing the second encryption information to the management node of the storage end.
9. A data encryption and decryption system in a distributed data storage system, comprising:
the client agent is used for receiving data to be encrypted, determining user identity information corresponding to the data to be encrypted, and determining a first encryption key corresponding to the data to be encrypted based on the user identity information; encrypting the data to be encrypted by using the first encryption key to obtain first encryption information;
the server side agent is used for generating a second encryption key based on the first encryption key, and encrypting a data block storing the first encryption information by using the second encryption key to obtain second encryption information;
the storage end comprises a working node and a management node, wherein the working node is used for storing first encryption information, and the management node is used for storing second encryption information.
CN202310259815.0A 2023-03-16 2023-03-16 Data encryption and decryption method and related device in distributed data storage system Pending CN116383838A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310259815.0A CN116383838A (en) 2023-03-16 2023-03-16 Data encryption and decryption method and related device in distributed data storage system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202310259815.0A CN116383838A (en) 2023-03-16 2023-03-16 Data encryption and decryption method and related device in distributed data storage system

Publications (1)

Publication Number Publication Date
CN116383838A true CN116383838A (en) 2023-07-04

Family

ID=86979847

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202310259815.0A Pending CN116383838A (en) 2023-03-16 2023-03-16 Data encryption and decryption method and related device in distributed data storage system

Country Status (1)

Country Link
CN (1) CN116383838A (en)

Similar Documents

Publication Publication Date Title
US9977918B2 (en) Method and system for verifiable searchable symmetric encryption
US11637689B2 (en) Efficient encrypted data management system and method
EP3058678B1 (en) System and method for dynamic, non-interactive, and parallelizable searchable symmetric encryption
CN107256248B (en) Wildcard-based searchable encryption method in cloud storage security
US20190149320A1 (en) Cryptographic key generation for logically sharded data stores
US20190147170A1 (en) Processing data queries in a logically sharded data store
Salam et al. Implementation of searchable symmetric encryption for privacy-preserving keyword search on cloud storage
CN112800445B (en) Boolean query method for forward and backward security and verifiability of ciphertext data
JP2014002365A (en) Encrypted data inquiry method and system which can protect privacy
CN114826703B (en) Block chain-based data search fine granularity access control method and system
CN112989375B (en) Hierarchical optimization encryption lossless privacy protection method
CN108171066A (en) The cross-domain searching method of keyword and system in a kind of medical treatment cloud under secret protection
WO2020144449A1 (en) A client-server computer system
CA3065767C (en) Cryptographic key generation for logically sharded data stores
CN114417073B (en) Neighbor node query method and device of encryption graph and electronic equipment
CN114254344B (en) Private data range query method of shared database based on blockchain
CN109783456B (en) Duplication removing structure building method, duplication removing method, file retrieving method and duplication removing system
CN113836571B (en) Medical data possession terminal position matching method and system based on cloud and blockchain
CN113434739B (en) Forward-safe multi-user dynamic symmetric encryption retrieval method in cloud environment
CN115168909B (en) Ciphertext data range query method and system based on comparison index
Yan et al. Secure and efficient big data deduplication in fog computing
CN116383838A (en) Data encryption and decryption method and related device in distributed data storage system
Cheng et al. Privacy leakage of certificateless public key authenticated searchable encryption via frequency analysis: Attacks and revises
CN115361218A (en) Cloud data existence verification method with query hiding characteristic
CN118094636A (en) Data retrieval method and system with multi-level authority access control

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination