CN117094039A - Secure storage method, apparatus, device and storage medium for data file - Google Patents
- Publication number
- CN117094039A
- Authority
- CN
- China
- Prior art keywords
- file
- user
- homomorphic
- encryption
- projection
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Classifications
- G06F21/78—Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure storage of data
- G06F21/57—Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
- G06F21/602—Providing cryptographic facilities or services
- G06F21/6218—Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
Abstract
The application discloses a secure storage method, apparatus, device and storage medium for a data file. The secure storage method comprises: receiving a user storage request; selecting a target consensus node based on the user storage request; based on the target consensus node, selecting a first encryption node according to the user storage request, and sending a target identifier of the first encryption node to the other consensus nodes in the blockchain network so that the other consensus nodes select a corresponding second encryption node according to the target identifier; and, based on the first encryption node and the second encryption node, performing homomorphic projection encryption calculation on the user file to be stored according to the user key to obtain an encrypted user file and a file homomorphic projection of the encrypted user file. The application performs homomorphic projection encryption calculation on the user file to be stored and adds homomorphic projection encryption verification on top of a symmetric encryption method, which improves the security of data file storage.
Description
Technical Field
The present application relates to the field of communications technologies, and in particular, to a method, an apparatus, a device, and a storage medium for securely storing a data file.
Background
Currently, with the development of communication technology, the volume of communication data keeps growing and users have security requirements for storing sensitive data, so blockchain technology has been proposed and widely applied. A blockchain is a new application mode of computer technologies such as distributed data storage, point-to-point transmission, consensus mechanisms and encryption algorithms. In a blockchain system, data blocks are combined in chronological order into a chained data structure, forming a cryptographically secured distributed ledger that cannot be tampered with or forged and that is used to store users' data files.
In the related art, user data files are stored in a storage system built on an open alliance chain, where the open alliance chain is a cloud management system based on blockchain. Specifically, the related art, based on the open alliance chain storage system, uses the zk-SNARK zero-knowledge proof algorithm, programmed in Rust, to perform encrypted storage and decrypted extraction of data files in a software environment. However, this approach has drawbacks: the intermediate files of the encryption calculation are large, and the encryption process is vulnerable to network attacks and to interruption, so the storage security of user data files is low.
Disclosure of Invention
The main purpose of the application is to provide a secure storage method, apparatus, device and storage medium for data files, so as to solve the technical problem in the prior art that the security of storing user data files is low.
In order to achieve the above object, the present application provides a secure storage method of a data file, the secure storage method of the data file comprising:
receiving a user storage request, wherein the user storage request comprises a user file to be stored and a user key;
selecting a target consensus node based on the user storage request; based on the target consensus node, selecting a first encryption node according to the user storage request, and sending a target identifier of the first encryption node to other consensus nodes in a blockchain network, so that the other consensus nodes select a corresponding second encryption node according to the target identifier;
and, based on the first encryption node and the second encryption node, performing homomorphic projection encryption calculation on the user file to be stored according to the user key to obtain an encrypted user file and a file homomorphic projection of the encrypted user file, and sending the file homomorphic projections to the corresponding consensus nodes so that the consensus nodes store the file homomorphic projections in the blockchain network.
Optionally, the step of performing homomorphic projection encryption calculation on the user file to be stored according to the user key, based on the first encryption node and the second encryption node, to obtain an encrypted user file and a file homomorphic projection of the encrypted user file includes:
based on the first encryption node and the second encryption node, performing file segmentation on the user file to be stored to obtain a plurality of file segmentation fragments;
performing encryption calculation on the file segmentation fragments according to the user key to generate encrypted user files corresponding in number to the file segmentation fragments;
and extracting the file homomorphic projection from the encrypted user files using a homomorphic projection extraction algorithm.
Optionally, the step of extracting the file homomorphic projection from the encrypted user files using a homomorphic projection extraction algorithm includes:
calculating a hash value of each encrypted user file to obtain a character string for each encrypted user file;
and concatenating the character strings of the encrypted user files to obtain the file homomorphic projection.
Optionally, each consensus node corresponds to a plurality of encryption nodes, each encryption node has a preset identifier, and initial storage spaces between encryption nodes with the same identifier under different consensus nodes are equal.
Optionally, after the step of performing homomorphic projection encryption calculation on the user file to be stored according to the user key, based on the first encryption node and the second encryption node, to obtain an encrypted user file and a file homomorphic projection of the encrypted user file, and sending the file homomorphic projections to the corresponding consensus nodes so that the consensus nodes store the file homomorphic projections in the blockchain network, the method includes:
receiving a user reading request, wherein the user reading request comprises a target read file identifier and a user key;
based on a preset decryption node, reading the corresponding target file homomorphic projection from the blockchain network according to the target read file identifier, and reading the corresponding encrypted file from the first encryption node or the second encryption node;
verifying the target file homomorphic projection and the encrypted file using a homomorphic projection verification algorithm to obtain a verification result;
and, if the verification result is that verification passed, decrypting the homomorphic projection of the target file using the user key to obtain the target user file.
Optionally, the step of verifying the target file homomorphic projection and the encrypted file using a homomorphic projection verification algorithm to obtain a verification result includes:
extracting a comparison file homomorphic projection from the encrypted user file using the homomorphic projection extraction algorithm;
and comparing the comparison file homomorphic projection with the target file homomorphic projection, and, if the two are consistent, determining that the verification result is that verification passed.
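The extraction and verification steps above (hash each encrypted file, concatenate the strings, re-extract on read and compare), as an added Python example that is not code from the application. SHA-256 hex digests, the fallback from one encryption node's copy to the next, and the sector bytes (constructed stand-ins for encrypted output) are assumptions.

```python
"""Hash-and-concatenate projection over encrypted sectors (added example)."""
import hashlib
import hmac

HEX_LEN = hashlib.sha256().digest_size * 2  # hex characters contributed per sector


def extract_projection(encrypted_sectors):
    """Hash every encrypted sector and join the hex strings in sector order."""
    return "".join(hashlib.sha256(s).hexdigest() for s in encrypted_sectors)


def _chunks(projection):
    """Split a projection string back into its per-sector hex digests."""
    return [projection[i:i + HEX_LEN] for i in range(0, len(projection), HEX_LEN)]


def verify_projection(encrypted_sectors, target_projection):
    """Compare a freshly extracted projection with the one read from the chain.

    Returns (passed, bad_indexes). bad_indexes lists the sector positions whose
    digest differs or is missing on one side; it is None when the stored
    projection is not a whole number of digests and cannot be split.
    """
    comparison = extract_projection(encrypted_sectors)
    # Constant-time comparison of the two projection strings.
    if hmac.compare_digest(comparison.encode(), target_projection.encode()):
        return True, []
    if len(target_projection) % HEX_LEN:
        return False, None
    expected, actual = _chunks(target_projection), _chunks(comparison)
    bad = [i for i in range(max(len(expected), len(actual)))
           if i >= len(expected) or i >= len(actual) or expected[i] != actual[i]]
    return False, bad


def read_verified(replicas, target_projection):
    """Try each encryption node's copy in turn (assumed fallback behaviour).

    replicas maps an encryption node name to its list of encrypted sectors.
    Returns (node_name, sectors, failures) for the first copy that verifies.
    """
    failures = {}
    for name, sectors in replicas.items():
        passed, bad = verify_projection(sectors, target_projection)
        if passed:
            return name, sectors, failures
        failures[name] = bad
    raise ValueError(f"no copy matches the on-chain projection: {failures}")


# Constructed sample data: three 32-byte stand-ins for encrypted sectors.
SECTORS = [bytes([b]) * 32 for b in (0x11, 0x22, 0x33)]
ONCHAIN = extract_projection(SECTORS)                       # value stored on chain
TAMPERED = [SECTORS[0], SECTORS[1][:-1] + b"\x00", SECTORS[2]]
TRUNCATED = SECTORS[:2]
SWAPPED = [SECTORS[1], SECTORS[0], SECTORS[2]]

if __name__ == "__main__":
    print("intact   :", verify_projection(SECTORS, ONCHAIN))
    print("tampered :", verify_projection(TAMPERED, ONCHAIN))
    print("truncated:", verify_projection(TRUNCATED, ONCHAIN))
    print("swapped  :", verify_projection(SWAPPED, ONCHAIN))
    node, _, failed = read_verified({"A-001": TAMPERED, "B-001": SECTORS}, ONCHAIN)
    print("served by", node, "after failures", failed)
```

Because the projection is an unkeyed hash of ciphertext, the check only binds the sectors to the on-chain copy; its integrity guarantee rests on that copy being immutable.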
Optionally, the user file is encrypted, decrypted and identified under a hardware trusted execution environment (TEE), where the hardware trusted execution environment is memory allocated separately in hardware and used for computing on sensitive data.
The application also provides a secure storage device for data files, which comprises:
the receiving module is used for receiving a user storage request, wherein the user storage request comprises a user file to be stored and a user key;
the consensus module is used for selecting a target consensus node based on the user storage request; based on the target consensus node, selecting a first encryption node according to the user storage request, and sending a target identifier of the first encryption node to other consensus nodes in a blockchain network, so that the other consensus nodes select a corresponding second encryption node according to the target identifier;
and the encryption module is used for performing homomorphic projection encryption calculation on the user file to be stored according to the user key, based on the first encryption node and the second encryption node, to obtain an encrypted user file and a file homomorphic projection of the encrypted user file, and for sending the file homomorphic projections to the corresponding consensus nodes so that the consensus nodes store the file homomorphic projections in the blockchain network.
The present application also provides a secure storage device for a data file, the secure storage device for a data file comprising: a memory, a processor and a program stored on the memory for implementing a secure storage method of the data file,
the memory is used for storing a program for implementing the secure storage method of the data file;
the processor is configured to execute a program for implementing the secure storage method of the data file, so as to implement the steps of the secure storage method of the data file.
The present application also provides a storage medium having stored thereon a program for implementing a secure storage method of a data file, the program for implementing the secure storage method of a data file being executed by a processor to implement the steps of the secure storage method of a data file.
In the prior art, the intermediate files of the encryption calculation are large and the encryption process is vulnerable to network attacks and to interruption, so the security of storing user data files is low. By contrast, the secure storage method, apparatus, device and storage medium of the application receive a user storage request, wherein the user storage request comprises the user file to be stored and a user key; select a target consensus node based on the user storage request; based on the target consensus node, select a first encryption node according to the user storage request, and send a target identifier of the first encryption node to the other consensus nodes in the blockchain network so that the other consensus nodes select a corresponding second encryption node according to the target identifier; and, based on the first encryption node and the second encryption node, perform homomorphic projection encryption calculation on the user file to be stored according to the user key to obtain an encrypted user file and a file homomorphic projection of the encrypted user file, and send the file homomorphic projections to the corresponding consensus nodes so that the consensus nodes store the file homomorphic projections in the blockchain network. In the application, multiple encryption nodes each perform homomorphic projection encryption calculation on the user file to be stored, each of these encryption nodes keeps a backup of the encrypted user file, and homomorphic projection encryption verification is added on top of a symmetric encryption method, which improves the storage security of user data files.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the application and together with the description, serve to explain the principles of the application. In order to more clearly illustrate the embodiments of the application or the technical solutions of the prior art, the drawings which are used in the description of the embodiments or the prior art will be briefly described, and it will be obvious to a person skilled in the art that other drawings can be obtained from these drawings without inventive effort.
FIG. 1 is a schematic diagram of a device architecture of a hardware operating environment according to an embodiment of the present application;
FIG. 2 is a flowchart of a first embodiment of a method for securely storing data files according to the present application;
FIG. 3 is a schematic block diagram of a secure storage device for data files according to the present application;
FIG. 4 is a schematic diagram of the open alliance chain system, based on a trusted execution environment, in which file homomorphic projections are stored on chain, in the secure storage method of data files according to the present application;
FIG. 5 is a schematic diagram of an encryption flow in the method for securely storing data files according to the present application;
FIG. 6 is a schematic diagram of a decryption process in the method for securely storing data files according to the present application;
FIG. 7 is a blockchain network diagram of a method for securely storing data files according to the present application.
The achievement of the objects, functional features and advantages of the present application will be further described with reference to the accompanying drawings, in conjunction with the embodiments.
Detailed Description
It should be understood that the specific embodiments described herein are for purposes of illustration only and are not intended to limit the scope of the application.
As shown in fig. 1, fig. 1 is a schematic diagram of a terminal structure of a hardware running environment according to an embodiment of the present application.
The terminal of the embodiment of the application can be a PC, or can be a mobile terminal device with a display function, such as a smart phone, a tablet personal computer, an electronic book reader, an MP3 (Moving Picture Experts Group Audio Layer III, dynamic image expert compression standard audio layer 3) player, an MP4 (Moving Picture Experts Group Audio Layer IV, dynamic image expert compression standard audio layer 4) player, a portable computer and the like.
As shown in fig. 1, the terminal may include: a processor 1001, such as a CPU, a network interface 1004, a user interface 1003, a memory 1005, a communication bus 1002. Wherein the communication bus 1002 is used to enable connected communication between these components. The user interface 1003 may include a Display, an input unit such as a Keyboard (Keyboard), and the optional user interface 1003 may further include a standard wired interface, a wireless interface. The network interface 1004 may optionally include a standard wired interface, a wireless interface (e.g., WI-FI interface). The memory 1005 may be a high-speed RAM memory or a stable memory (non-volatile memory), such as a disk memory. The memory 1005 may also optionally be a storage device separate from the processor 1001 described above.
Optionally, the terminal may also include a camera, an RF (Radio Frequency) circuit, sensors, an audio circuit, a WiFi module, and so on. The sensors include, for example, light sensors, motion sensors and other sensors. Specifically, the light sensor may include an ambient light sensor, which adjusts the brightness of the display screen according to the brightness of ambient light, and a proximity sensor, which turns off the display screen and/or the backlight when the mobile terminal is moved to the ear. As one kind of motion sensor, a gravity acceleration sensor can detect the magnitude of acceleration in all directions (generally three axes) and the magnitude and direction of gravity when the mobile terminal is stationary, and can be used in applications that recognize the attitude of the mobile terminal (such as switching between landscape and portrait, related games, and magnetometer attitude calibration) and in vibration-recognition functions (such as a pedometer or tap detection). The mobile terminal may also be configured with other sensors such as a gyroscope, a barometer, a hygrometer, a thermometer and an infrared sensor, which are not described here.
It will be appreciated by those skilled in the art that the terminal structure shown in fig. 1 is not limiting of the terminal and may include more or fewer components than shown, or may combine certain components, or a different arrangement of components.
As shown in fig. 1, an operating device, a network communication module, a user interface module, and a secure storage program of a data file may be included in a memory 1005 as one type of computer storage medium.
In the terminal shown in fig. 1, the network interface 1004 is mainly used for connecting to a background server and performing data communication with the background server; the user interface 1003 is mainly used for connecting to a client (user side) and performing data communication with the client; and the processor 1001 may be used to invoke the secure storage program of the data file stored in the memory 1005.
Referring to fig. 2, an embodiment of the present application provides a secure storage method of a data file, where the secure storage method of the data file includes:
step S100, receiving a user storage request, wherein the user storage request comprises a user file to be stored and a user key;
step S200, selecting a target consensus node based on the user storage request; based on the target consensus node, selecting a first encryption node according to the user storage request, and sending a target identifier of the first encryption node to other consensus nodes in a blockchain network, so that the other consensus nodes select a corresponding second encryption node according to the target identifier;
Step S300, based on the first encryption node and the second encryption node, performing homomorphic projection encryption calculation on the user file to be stored according to the user key to obtain an encrypted user file and a file homomorphic projection of the encrypted user file, and sending the file homomorphic projections to the corresponding consensus nodes so that the consensus nodes store the file homomorphic projections in the blockchain network.
In this embodiment, the application scenario aimed at is:
As one example, a scenario of secure storage of a data file may be that a user needs to save sensitive data to a computer. In the related art, a secure storage algorithm of a data file is proposed to solve the distortion problem occurring in compressed video, where the algorithm is data-driven and performs an enhancement task by learning a mapping between the compressed video and the source video. In the related art, a storage system based on an open alliance chain uses the zk-SNARK zero-knowledge proof algorithm, programmed in Rust, to perform encrypted storage and decrypted extraction of data files in a software environment. However, this approach has drawbacks: the intermediate files of the encryption calculation are large, and the encryption process is vulnerable to network attacks and to interruption, so the storage security of user data files is low. For this scenario, the secure storage method of this embodiment uses multiple encryption nodes that each perform homomorphic projection encryption calculation on the user file to be stored, each of these encryption nodes keeps a backup of the encrypted user file, and homomorphic projection encryption verification is added on top of a symmetric encryption method, which improves the security of storing user data files.
As an example, the application scenario of the secure storage of the data file is not limited to the above-mentioned secure storage scenario of storing sensitive data into a computer, but also includes various data files.
The present embodiment aims at: the security of the storage of the user data file is improved.
In this embodiment, the secure storage method of the data file is applied to the secure storage device of the data file.
The method comprises the following specific steps:
step S100, receiving a user storage request, wherein the user storage request comprises a user file to be stored and a user key;
In this embodiment, the user storage request is the storage instruction that a user issues to a computer when storing sensitive data. The user storage request includes a user file to be stored and a user key: the user file to be stored is a data file containing the sensitive data, and the user key is a parameter, specifically the parameter supplied to the algorithm that converts plaintext into ciphertext or ciphertext into plaintext.
Step S200, selecting a target consensus node based on the user storage request; based on the target consensus node, selecting a first encryption node according to the user storage request, and sending a target identifier of the first encryption node to other consensus nodes in a blockchain network, so that the other consensus nodes select a corresponding second encryption node according to the target identifier;
In this embodiment, referring to fig. 4, the device deploys an encryption node, a decryption node and a consensus node in a manner of a dock under an open alliance chain system and a hardware trusted execution environment (TEE), and performs encryption, decryption and consensus on the user file through the encryption node, the decryption node and the consensus node, where the hardware trusted execution environment is memory allocated separately in hardware and used for computing on sensitive data. Specifically, the trusted execution environment (TEE) is an independent processing environment with computing and storage functions that can provide security and integrity protection. The basic idea is as follows: isolated memory is allocated in hardware for the sensitive data, all computation on the sensitive data is carried out in that isolated memory, and no part of the hardware other than an authorized interface can access the information in the isolated memory, so that privacy-preserving computation on the sensitive data is achieved. Performing encryption, decryption and consensus inside the hardware TEE isolates and protects both data and computation and ensures that sensitive data is processed in an isolated and trusted environment, which avoids software attacks from the rich execution environment (REE) and allows the blockchain-based data center to run securely and efficiently.
In this embodiment, the open alliance chain is a cloud management system based on blockchain that supports any access that can be authorized. The open alliance chain partitions a number of virtual machines in a large cloud or data center, builds the operating environment of the blockchain, manages the virtual machines, containers, gateway access, CA certificates and all nodes in that environment, and completes fully automatic deployment of the blockchain-based data center. This forms a set of component tools such as a cloud API, virtual machines, container orchestration, gateway load balancing, distributed traceability, encrypted data storage, zero-knowledge proof verification, decentralized identity (DID), and application-scenario plug-in suites.
In this embodiment, the device selects a target consensus node based on the user storage request. Specifically, when the device receives a new file storage task (i.e., the file storage task corresponding to a user storage request), it sends the file storage task to a plurality of consensus nodes, and the consensus nodes select one of their number, in a polling manner, to perform the node selection operation.
In this embodiment, each of the consensus nodes corresponds to a plurality of encryption nodes, each encryption node has a preset identifier, and initial storage spaces between encryption nodes having the same identifier under different consensus nodes are equal, specifically, referring to fig. 7, the blockchain network includes a plurality of consensus nodes, each of the consensus nodes corresponds to a plurality of encryption nodes, and for encryption nodes having the same number under different consensus nodes, initial storage spaces of the encryption nodes are equal. For example, the encryption node A-001 corresponding to consensus node A, identified as 001; the encryption node B-001 corresponding to the consensus node B is also identified as 001; the encryption node C-001 corresponding to the consensus node C is also identified as 001; the initial storage space of the encryption node a-001, the encryption node B-001, and the encryption node C-001 are all equal, for example, equal to 100G.
In this embodiment, each consensus node and each encryption node may act as a decryption node in a specific use environment. For example, the computer of user A is an encryption node in the blockchain network; when user A needs to use the original file, that computer may act as a decryption node, read the encrypted file from the other encryption nodes, and perform a series of verification and decryption operations to finally obtain the original file.
In this embodiment, the device selects a first encryption node based on the target consensus node according to the user storage request, and sends a target identifier of the first encryption node to the other consensus nodes in the blockchain network, so that the other consensus nodes select a corresponding second encryption node according to the target identifier. The first encryption node is an encryption node corresponding to the target consensus node, and the second encryption node is an encryption node corresponding to a consensus node in the blockchain network other than the target consensus node. Specifically, when the target consensus node performs the node selection operation, it selects one encryption node from the multiple encryption nodes corresponding to it, according to the storage space required by the file storage task and the remaining storage space of each encryption node, to perform the file storage task. The target consensus node also sends the number of the selected encryption node to the other consensus nodes, so that the other consensus nodes all select the encryption node with the same number to perform the file storage task.
Selecting encryption nodes in this way keeps the remaining storage space of the same-numbered encryption nodes consistent across all consensus nodes, which avoids the following situation. If the remaining storage space of same-numbered encryption nodes were inconsistent across consensus nodes, then after a new file storage task is received, every encryption node corresponding to consensus node X might still have remaining storage space, but too little on each to hold the file storage task, while some encryption nodes corresponding to consensus node Y have no remaining storage space and the others have enough remaining storage space to hold the file storage task. In summary, selecting the encryption node in the above manner keeps the response capability of every consensus node to the same file storage task consistent, which helps ensure that the consensus operation executes normally and further improves the security of storing user data files.
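A small simulation of the selection rule described above, added here and not taken from the application: the polled target consensus node picks an encryption node and broadcasts its identifier, and the result is contrasted with each consensus node picking on its own. The `first_fit` and `most_free` policies, the node names X and Y, and the task sizes are assumptions; the application only says that selection uses the required and the remaining storage space.

```python
"""Coordinated encryption-node selection across consensus nodes (added example)."""
from itertools import cycle

IDS = ("001", "002", "003")   # preset encryption-node identifiers
INITIAL_GB = 100              # equal initial space for same-numbered nodes


def first_fit(free_gb, required_gb):
    """Lowest-numbered encryption node with enough remaining space, else None."""
    return next((i for i in sorted(free_gb) if free_gb[i] >= required_gb), None)


def most_free(free_gb, required_gb):
    """Encryption node with the most remaining space, if that is enough."""
    ident = max(sorted(free_gb), key=free_gb.get)
    return ident if free_gb[ident] >= required_gb else None


class ConsensusNode:
    def __init__(self, name, policy):
        self.name = name
        self.policy = policy                       # local selection policy (assumed)
        self.free_gb = {i: INITIAL_GB for i in IDS}

    def select(self, required_gb):
        return self.policy(self.free_gb, required_gb)


class Network:
    def __init__(self, nodes):
        self.nodes = nodes
        self._poll = cycle(nodes)                  # consensus nodes take turns as target

    def submit(self, required_gb, coordinated=True):
        """Place one file storage task on one encryption node per consensus node."""
        target = next(self._poll)
        if coordinated:
            ident = target.select(required_gb)     # target identifier, sent to all
            choice = {n.name: ident for n in self.nodes}
        else:
            choice = {n.name: n.select(required_gb) for n in self.nodes}
        # Check every consensus node before committing, so no partial placement.
        for n in self.nodes:
            i = choice[n.name]
            if i is None or n.free_gb[i] < required_gb:
                raise RuntimeError(f"{n.name} cannot hold a {required_gb}G task")
        for n in self.nodes:
            n.free_gb[choice[n.name]] -= required_gb
        return target.name, [f"{n.name}-{choice[n.name]}" for n in self.nodes]

    def consistent(self):
        """True when same-numbered encryption nodes have equal remaining space."""
        return all(n.free_gb == self.nodes[0].free_gb for n in self.nodes)


def run_demo(coordinated):
    """Store three 50G tasks, then ask which consensus nodes could take 80G."""
    net = Network([ConsensusNode("X", most_free), ConsensusNode("Y", first_fit)])
    for _ in range(3):
        net.submit(50, coordinated)
    can_take_80 = [n.select(80) is not None for n in net.nodes]
    return net, can_take_80


if __name__ == "__main__":
    for mode in (True, False):
        net, ok = run_demo(mode)
        print("coordinated" if mode else "independent",
              {n.name: n.free_gb for n in net.nodes},
              "consistent:", net.consistent(), "80G fits:", ok)
```

With independent selection the run ends in the situation the paragraph describes: X has space left on every encryption node but too little on each, while Y has one full node and one node that can still hold the task.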
Step S300, based on the first encryption node and the second encryption node, carrying out homomorphic projection encryption calculation on the user file to be stored according to the user key to obtain file homomorphic projections of the encrypted user file and the encrypted user file, and sending the file homomorphic projections to corresponding consensus nodes so that the consensus nodes can store the file homomorphic projections to a blockchain network.
In this embodiment, the device, based on the first encryption node and the second encryption node, performs homomorphic projection encryption calculation on the user file to be stored according to the user key to obtain an encrypted user file and a file homomorphic projection of the encrypted user file, and sends the file homomorphic projection to the corresponding consensus node, so that the consensus node stores the file homomorphic projection to the blockchain network. Specifically, referring to fig. 5, the encryption node is responsible for receiving the user's original file (i.e., the user file to be stored) and invokes the encryption algorithm of the TEE by message call to carry out the encryption calculation of the file homomorphic projection. In the file homomorphic projection encryption process based on a trusted execution environment, after the user key and the user file (plaintext) are received, the user file is AES-encrypted inside the TEE chip to generate a plurality of encrypted sectors; a homomorphic projection extraction algorithm extracts the file homomorphic projection from the encrypted sectors and sends it to the consensus node; the consensus node stores the file homomorphic projection in the blockchain system; the encryption node then destroys the user's original file and stores the plurality of encrypted sectors. The application uses a plurality of encryption nodes, each of which performs the homomorphic projection encryption calculation on the user file to be stored, so that the encrypted user file is backed up on the plurality of encryption nodes, and adds homomorphic projection encryption verification on top of a symmetric encryption method, thereby improving the storage security of user data files.
Specifically, the step S300 includes the following steps S310 to S330:
step S310, based on the first encryption node and the second encryption node, file segmentation is carried out on the user file to be stored, and a plurality of file segmentation fragments are obtained;
In this embodiment, the device performs file segmentation on the user file to be stored based on the first encryption node and the second encryption node to obtain a plurality of file segmentation fragments. Specifically, the encryption node (including the first encryption node and the second encryption node) is responsible for receiving the user's original file (i.e., the user file to be stored) and segments it into a plurality of file segmentation fragments, where each file fragment has a size of 256M and a file fragment smaller than 256M is padded with random numbers.
Step S320, according to the user key, carrying out encryption calculation on the file segmentation fragments to generate encrypted user files corresponding to the number of the file segmentation fragments;
In this embodiment, the encryption node (including the first encryption node and the second encryption node) performs encryption calculation on the file segmentation fragments according to the user key to generate encrypted user files corresponding to the number of file segmentation fragments, and the device invokes the encryption algorithm of the TEE by message call to carry out the encryption calculation of the file homomorphic projection. Specifically, in the file homomorphic projection encryption process based on a trusted execution environment, after the user key and the user file (plaintext) are received, the user file is AES-encrypted inside the TEE chip to generate a plurality of encrypted sectors, that is, the encrypted user files corresponding to the number of file segmentation fragments.
And step S330, extracting file homomorphic projection from the encrypted user file by adopting homomorphic projection extraction algorithm.
In this embodiment, the encryption node uses a homomorphic projection extraction algorithm to extract a file homomorphic projection from the encrypted user files. Specifically, the encryption node calculates a hash value of each encrypted user file, concatenates the hash values to obtain the file homomorphic projection, and then sends the file homomorphic projection to the consensus node. The consensus node generates a Merkle tree corresponding to the file homomorphic projections, and writes the root of the Merkle tree, each file homomorphic projection and the storage path of each file homomorphic projection into the next block. Specifically, the consensus node is responsible for accepting the file homomorphic projections generated by the encryption node within 30 seconds; it applies SHA-256 to each file homomorphic projection to generate a 256-bit data element, constructs the Merkle tree from the 256-bit data elements, writes the root of the Merkle tree into the next block of the blockchain as the consensus string, and at the same time writes each file homomorphic projection and its corresponding storage path (machine name: encryption sector storage path: encryption sector ID) into that block.
Specifically, the step S330 includes the following steps S331 to S332:
step S331, carrying out hash value calculation on each encrypted user file to obtain a character string of each encrypted user file;
step S332, concatenating the character strings of each encrypted user file to obtain a file homomorphic projection.
In this embodiment, the encryption node performs hash value calculation on each encrypted user file to obtain a character string for each encrypted user file, and concatenates these character strings to obtain the file homomorphic projection. Specifically, the encryption node divides an AES-encrypted file (i.e., the encrypted user file) into 8 parts from the beginning, performs a SHA-256 calculation on each part to obtain a 256-bit character string, and concatenates the 8 256-bit character strings to obtain 2k of data; this 2k of data is the file homomorphic projection. That is, each character string is a 256-bit hash value, the number of encrypted user files is 8, and the encryption node concatenates the 256-bit hash strings of the 8 encrypted user files to obtain the file homomorphic projection, whose file size is 2k.
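The consensus-node step described above (SHA-256 of each file homomorphic projection as a 256-bit leaf, a Merkle tree over the leaves, the root written to the next block) can be sketched as follows. This is an added example, not code from the application: the interior-node prefix, the promotion of an unpaired node, the inclusion-proof helpers and all names are assumptions, since the text does not specify how the tree is built.

```python
import hashlib
import hmac

PROJECTION_LEN = 256   # 8 x 256-bit digests = 2048 bits, the "2k" projection


def leaf_hash(projection):
    """256-bit data element for one file homomorphic projection."""
    if len(projection) != PROJECTION_LEN:
        # Fixed-length leaves keep a 65-byte interior-node input from
        # ever being presented as a projection.
        raise ValueError("projection must be exactly 256 bytes")
    return hashlib.sha256(projection).digest()


def node_hash(left, right):
    # Assumption: interior nodes carry a 0x01 prefix (domain separation).
    return hashlib.sha256(b"\x01" + left + right).digest()


def build_levels(leaves):
    """All tree levels, leaves first; an unpaired node is promoted unchanged."""
    if not leaves:
        raise ValueError("no projections received in this window")
    levels = [list(leaves)]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        nxt = [node_hash(cur[i], cur[i + 1]) for i in range(0, len(cur) - 1, 2)]
        if len(cur) % 2:
            nxt.append(cur[-1])
        levels.append(nxt)
    return levels


def merkle_root(projections):
    """Root that the consensus node writes into the next block."""
    return build_levels([leaf_hash(p) for p in projections])[-1][0]


def inclusion_proof(projections, index):
    """Sibling path for projections[index] as (sibling_is_left, hash) pairs."""
    levels = build_levels([leaf_hash(p) for p in projections])
    proof = []
    for level in levels[:-1]:
        sibling = index ^ 1
        if sibling < len(level):          # a promoted node has no sibling here
            proof.append((sibling < index, level[sibling]))
        index //= 2
    return proof


def verify_inclusion(projection, proof, root):
    """Check that a projection is committed to by the root stored in the block."""
    try:
        h = leaf_hash(projection)
    except ValueError:
        return False
    for sibling_is_left, sibling in proof:
        h = node_hash(sibling, h) if sibling_is_left else node_hash(h, sibling)
    return hmac.compare_digest(h, root)


# Constructed stand-ins for five projections accepted in one 30-second window.
SAMPLE_PROJECTIONS = [bytes([i]) * PROJECTION_LEN for i in range(5)]

if __name__ == "__main__":
    root = merkle_root(SAMPLE_PROJECTIONS)
    print("root:", root.hex())
    for i, p in enumerate(SAMPLE_PROJECTIONS):
        proof = inclusion_proof(SAMPLE_PROJECTIONS, i)
        print(i, "proof length", len(proof), "ok", verify_inclusion(p, proof, root))
```

The root depends on the order in which projections are placed in the tree, so every consensus node has to order the window's projections identically to arrive at the same consensus string.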
It should be noted that the encrypted files stored in the encrypted sectors of an encryption node have a certain life cycle. Some of the encrypted files are disposable files: once such an encrypted file has been decrypted by the decryption node, its life cycle ends and it is deleted from the encrypted sectors of the encryption node, releasing storage space on the encryption node. The other encrypted files have a fixed life cycle; when the life cycle of such an encrypted file expires, it is likewise deleted from the encrypted sectors of the encryption node, releasing storage space on the encryption node. Each consensus node records the remaining storage space information of each of its corresponding encryption nodes: when an encryption node stores a new encrypted file, the consensus node updates the remaining storage space information of that encryption node, and when an encryption node deletes an encrypted file, the consensus node also updates the remaining storage space information of that encryption node.
Compared with the prior art, in which the intermediate file of the encryption calculation is large and the encryption process is easily attacked over the network and interrupted, so that the security of storing user data files is low, the method for securely storing a data file of the present application receives a user storage request, where the user storage request includes the user file to be stored and a user key; selects a target consensus node based on the user storage request; based on the target consensus node, selects a first encryption node according to the user storage request and sends a target identifier of the first encryption node to the other consensus nodes in the blockchain network, so that the other consensus nodes select a corresponding second encryption node according to the target identifier; and, based on the first encryption node and the second encryption node, performs homomorphic projection encryption calculation on the user file to be stored according to the user key to obtain an encrypted user file and a file homomorphic projection of the encrypted user file, and sends the file homomorphic projection to the corresponding consensus node so that the consensus node stores the file homomorphic projection to the blockchain network. In the application, a plurality of encryption nodes each perform the homomorphic projection encryption calculation on the user file to be stored, the plurality of encryption nodes back up the encrypted user file, and homomorphic projection encryption verification is added on top of a symmetric encryption method, so that the storage security of user data files is improved.
Based on the first embodiment, the present application further provides another embodiment, where the method for securely storing the data file includes:
After the step S300 of performing, based on the first encryption node and the second encryption node, homomorphic projection encryption calculation on the user file to be stored according to the user key to obtain an encrypted user file and a file homomorphic projection of the encrypted user file, and sending the file homomorphic projection to the corresponding consensus node so that the consensus node stores the file homomorphic projection to the blockchain network, the method includes the following steps A100-A400:
step A100, receiving a user reading request, wherein the user reading request comprises a target reading file identifier and a user key;
in this embodiment, after the storage scenario of the data file, there is also a reading scenario of the data file, and the device receives a user reading request, where the user reading request refers to a reading instruction issued by a user to a computer when reading sensitive data, and the user reading request includes a target reading file identifier and a user key, where the target reading file identifier refers to an identifier of a file to be read by the user, and may be an identifier such as a name, a number, and the like.
Step A200, based on a preset decryption node, respectively reading corresponding target file homomorphic projections from the blockchain network according to the target read file identification, and reading corresponding encrypted files from the first encryption node or the second encryption node;
In this embodiment, the device reads the corresponding target file homomorphic projection from the blockchain network according to the target read file identifier, and reads the corresponding encrypted file from the first encryption node or the second encryption node. The decryption node is responsible for reading the user's encrypted file from the encryption node according to each file homomorphic projection on the blockchain and its corresponding storage path (machine name: encrypted sector storage path: encrypted sector ID).
Step A300, homomorphic projection verification algorithm is adopted to verify homomorphic projection and encrypted file of the target file, and verification result is obtained;
In this embodiment, the decryption node verifies the target file homomorphic projection and the encrypted file using a homomorphic projection verification algorithm to obtain a verification result. Specifically, referring to fig. 6, the decryption node invokes the decryption algorithm of the TEE by message call, verifies the encrypted file against the file homomorphic projection using the homomorphic projection verification algorithm inside the TEE chip, and, after verification, decrypts the encrypted file with the user key to obtain the user's original file (plaintext).
Specifically, the step A300 includes the following steps A310-A320:
step A310, adopting homomorphic projection extraction algorithm to extract homomorphic projection of comparison file from the encrypted user file;
and step A320, comparing the homomorphic projection of the comparison file with the homomorphic projection of the target file, and if the homomorphic projection of the comparison file is consistent with the homomorphic projection of the target file, determining that the verification result is verification pass.
In this embodiment, the decryption node uses a homomorphic projection extraction algorithm to extract a comparison file homomorphic projection from the encrypted user file and compares it with the target file homomorphic projection. If the comparison file homomorphic projection is consistent with the target file homomorphic projection, the verification result is that the verification passes; if the two are inconsistent, the verification result is that the verification fails. Specifically, the decryption node verifies the file homomorphic projection as follows: it extracts the file homomorphic projection A, of size 2k, from the encrypted file and compares it with the file homomorphic projection B, of size 2k, stored in the blockchain system; if file homomorphic projection A and file homomorphic projection B are consistent, the verification passes.
And step A400, if the verification result is that the verification is passed, decrypting the homomorphic projection of the target file by adopting the user key to obtain the target user file.
In this embodiment, if the verification result is that the verification is passed, the decryption node uses the user key to decrypt the homomorphic projection of the target file to obtain the target user file, specifically, after the verification result is that the verification is passed, the decryption node decrypts the multiple encrypted sectors (i.e., the encrypted file) through the AES decryption algorithm to obtain multiple 256M plaintext data, and finally, after the multiple 256M plaintext data are serially aggregated, the original file (i.e., the target user file) of the user is obtained.
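The extraction in steps S331-S332 and the read-side check in steps A310-A320 can be exercised together on a constructed ciphertext. This is an added example, not code from the application: the sample sector bytes stand in for one AES-encrypted sector, and the function names, the even-division requirement and the per-part mismatch report are assumptions.

```python
import hashlib
import hmac

PARTS = 8                                   # the embodiment splits the ciphertext into 8 parts
DIGEST_LEN = hashlib.sha256().digest_size   # 32 bytes = 256 bits
PROJECTION_LEN = PARTS * DIGEST_LEN         # 256 bytes = 2048 bits (the "2k" projection)


def extract_projection(encrypted):
    """Steps S331-S332: SHA-256 each of the 8 parts, then concatenate the digests."""
    if not encrypted or len(encrypted) % PARTS:
        # Assumption: padded fixed-size fragments mean the ciphertext divides evenly.
        raise ValueError("ciphertext length must be a non-zero multiple of 8")
    size = len(encrypted) // PARTS
    return b"".join(
        hashlib.sha256(encrypted[i * size:(i + 1) * size]).digest()
        for i in range(PARTS)
    )


def verify_projection(encrypted, on_chain):
    """Steps A310-A320: recompute projection A, compare with on-chain projection B."""
    if len(on_chain) != PROJECTION_LEN:
        return False
    try:
        candidate = extract_projection(encrypted)
    except ValueError:
        return False
    return hmac.compare_digest(candidate, on_chain)


def mismatched_parts(encrypted, on_chain):
    """Indices of the parts whose digest differs; useful when logging a failed check."""
    candidate = extract_projection(encrypted)
    return [
        i for i in range(PARTS)
        if candidate[i * DIGEST_LEN:(i + 1) * DIGEST_LEN]
        != on_chain[i * DIGEST_LEN:(i + 1) * DIGEST_LEN]
    ]


# Constructed stand-in for one AES-encrypted sector (512 bytes instead of 256M).
SAMPLE_SECTOR = bytes((i * 37 + 11) % 256 for i in range(PARTS * 64))
STORED_PROJECTION = extract_projection(SAMPLE_SECTOR)   # what the block would hold

# Constructed tampering: flip one bit inside part 5 of the stored ciphertext.
_tampered = bytearray(SAMPLE_SECTOR)
_tampered[5 * 64 + 3] ^= 0x01
TAMPERED_SECTOR = bytes(_tampered)

if __name__ == "__main__":
    print("projection bytes:", len(STORED_PROJECTION))
    print("intact sector verifies:", verify_projection(SAMPLE_SECTOR, STORED_PROJECTION))
    print("tampered sector verifies:", verify_projection(TAMPERED_SECTOR, STORED_PROJECTION))
    print("mismatched parts:", mismatched_parts(TAMPERED_SECTOR, STORED_PROJECTION))
```

The digests are unkeyed, so the comparison only detects tampering when projection B is read from the block rather than supplied by the encryption node that served the ciphertext.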
The present application also provides a secure storage device for a data file, referring to fig. 3, the secure storage device for a data file includes:
a receiving module 10, configured to receive a user storage request, where the user storage request includes a user file to be stored and a user key;
the consensus module 20 is configured to select a target consensus node based on the user storage request; based on the target consensus node, selecting a first encryption node according to the user storage request, and sending a target identifier of the first encryption node to other consensus nodes in a blockchain network, so that the other consensus nodes select a corresponding second encryption node according to the target identifier;
The encryption module 30 is configured to perform homomorphic projection encryption calculation on the user file to be stored according to the user key based on the first encryption node and the second encryption node, obtain a file homomorphic projection of the encrypted user file and the encrypted user file, and send the file homomorphic projection to a corresponding consensus node, so that the consensus node stores the file homomorphic projection to a blockchain network.
Optionally, the encryption module 30 includes:
the splitting module is used for splitting the file of the user to be stored based on the first encryption node and the second encryption node to obtain a plurality of file splitting fragments;
the file encryption module is used for carrying out encryption calculation on the file segmentation fragments according to the user key to generate encrypted user files corresponding to the number of the file segmentation fragments;
and the extraction module is used for extracting the file homomorphic projection from the encrypted user file by adopting a homomorphic projection extraction algorithm.
Optionally, the extraction module includes:
the computing module is used for carrying out hash value computation on each encrypted user file to obtain a character string of each encrypted user file;
And the serial module is used for connecting the character strings of the encrypted user files in series to obtain the homomorphic projection of the files.
Optionally, the secure storage device of the data file further includes:
the reading request receiving module is used for receiving a user reading request, wherein the user reading request comprises a target reading file identifier and a user key;
the file reading module is used for reading, based on a preset decryption node, the corresponding target file homomorphic projection from the blockchain network according to the target read file identification, and reading the corresponding encrypted file from the first encryption node or the second encryption node;
the verification module is used for verifying homomorphic projection of the target file and the encrypted file by adopting a homomorphic projection verification algorithm to obtain a verification result;
and the decryption module is used for decrypting the homomorphic projection of the target file by adopting the user key if the verification result is that the verification is passed, so as to obtain the target user file.
Optionally, the verification module includes:
the homomorphic projection extraction module is used for extracting homomorphic projections of the comparison file from the encrypted user file by adopting a homomorphic projection extraction algorithm;
And the comparison module is used for comparing the homomorphic projection of the comparison file with the homomorphic projection of the target file, and if the homomorphic projection of the comparison file is consistent with the homomorphic projection of the target file, the verification result is verification passing.
The specific implementation manner of the secure storage device for data files of the present application is basically the same as that of each embodiment of the secure storage method for data files, and will not be described herein.
Referring to fig. 1, fig. 1 is a schematic diagram of a terminal structure of a hardware operating environment according to an embodiment of the present application.
As shown in fig. 1, the terminal may include: a processor 1001, such as a CPU, a network interface 1004, a user interface 1003, a memory 1005, a communication bus 1002. Wherein the communication bus 1002 is used to enable connected communication between these components. The user interface 1003 may include a Display, an input unit such as a Keyboard (Keyboard), and the optional user interface 1003 may further include a standard wired interface, a wireless interface. The network interface 1004 may optionally include a standard wired interface, a wireless interface (e.g., WI-FI interface). The memory 1005 may be a high-speed RAM memory or a stable memory (non-volatile memory), such as a disk memory. The memory 1005 may also optionally be a storage device separate from the processor 1001 described above.
Optionally, the secure storage device of the data file may further include a rectangular user interface, a network interface, a camera, an RF (Radio Frequency) circuit, a sensor, an audio circuit, a WiFi module, and the like. The rectangular user interface may include a Display screen (Display), an input sub-module such as a Keyboard (Keyboard), and the optional rectangular user interface may also include a standard wired interface, a wireless interface. The network interface may optionally include a standard wired interface, a wireless interface (e.g., WI-FI interface).
Those skilled in the art will appreciate that the secure storage device structure of the data file shown in FIG. 1 does not constitute a definition of a secure storage device for the data file, and may include more or fewer components than shown, or may combine certain components, or a different arrangement of components.
As shown in fig. 1, a memory 1005, which is a storage medium, may include an operating system, a network communication module, and a secure storage program of a data file. An operating system is a program that manages and controls the secure storage of data files and software resources, supporting the secure storage of data files and the running of other software and/or programs. The network communication module is used to enable communication between components within the memory 1005 and with other hardware and software in the secure storage system for data files.
In the secure storage device for data files shown in fig. 1, a processor 1001 is configured to execute a secure storage program for data files stored in a memory 1005, and implement the steps of the secure storage method for data files described in any of the above.
The specific implementation manner of the secure storage device for data files of the present application is basically the same as the embodiments of the secure storage method for data files described above, and will not be described herein again.
The present application also provides a storage medium having stored thereon a program that implements a secure storage method of a data file, the program that implements the secure storage method of a data file being executed by a processor to implement the secure storage method of a data file as follows:
receiving a user storage request, wherein the user storage request comprises a user file to be stored and a user key;
selecting a target consensus node based on the user storage request; based on the target consensus node, selecting a first encryption node according to the user storage request, and sending a target identifier of the first encryption node to other consensus nodes in a blockchain network, so that the other consensus nodes select a corresponding second encryption node according to the target identifier;
And based on the first encryption node and the second encryption node, carrying out homomorphic projection encryption calculation on the user file to be stored according to the user key to obtain file homomorphic projections of the encrypted user file and the encrypted user file, and sending the file homomorphic projections to corresponding consensus nodes so that the consensus nodes can store the file homomorphic projections to a blockchain network.
Optionally, the step of performing homomorphic projection encryption calculation on the user file to be stored according to the user key based on the first encryption node and the second encryption node to obtain an encrypted user file and a file homomorphic projection of the encrypted user file includes:
based on the first encryption node and the second encryption node, file segmentation is carried out on the user file to be stored, and a plurality of file segmentation fragments are obtained;
according to the user key, carrying out encryption calculation on the file segmentation fragments to generate encrypted user files corresponding to the number of the file segmentation fragments;
and extracting file homomorphic projection from the encrypted user file by adopting a homomorphic projection extraction algorithm.
Optionally, the step of extracting the file homomorphic projection from the encrypted user file by adopting a homomorphic projection extraction algorithm includes:
Carrying out hash value calculation on each encrypted user file to obtain a character string of each encrypted user file;
and connecting the character strings of the encrypted user files in series to obtain the homomorphic projection of the files.
Optionally, each consensus node corresponds to a plurality of encryption nodes, each encryption node has a preset identifier, and initial storage spaces between encryption nodes with the same identifier under different consensus nodes are equal.
Optionally, the step of performing homomorphic projection encryption calculation on the user file to be stored according to the user key based on the first encryption node and the second encryption node to obtain a file homomorphic projection of the encrypted user file and the encrypted user file, and sending the file homomorphic projection to a corresponding consensus node, so that the consensus node stores the file homomorphic projection to a blockchain network, and then the method includes:
receiving a user reading request, wherein the user reading request comprises a target reading file identifier and a user key;
based on a preset decryption node, respectively reading corresponding target file homomorphic projections from the blockchain network according to the target read file identification, and reading corresponding encrypted files from the first encryption node or the second encryption node;
adopting a homomorphic projection verification algorithm to verify the target file homomorphic projection and the encrypted file to obtain a verification result;
and if the verification result is that the verification is passed, decrypting the homomorphic projection of the target file by adopting the user key to obtain the target user file.
Optionally, the step of verifying the target file homomorphic projection and the encrypted file by adopting a homomorphic projection verification algorithm to obtain a verification result includes:
adopting homomorphic projection extraction algorithm to extract homomorphic projection of comparison file from the encrypted user file;
and comparing the homomorphic projection of the comparison file with the homomorphic projection of the target file, and if the homomorphic projection of the comparison file is consistent with the homomorphic projection of the target file, determining that the verification result is verification pass.
Optionally, encryption, decryption and consensus of the user file are performed under a hardware trusted execution environment TEE, where the hardware trusted execution environment is a memory allocated separately in hardware and is used for the computation of sensitive data.
The specific implementation manner of the storage medium of the present application is basically the same as the above embodiments of the secure storage method of the data file, and will not be repeated here.
The application also provides a computer program product comprising a computer program which, when executed by a processor, implements the steps of the method for securely storing data files described above.
The specific implementation manner of the computer program product of the present application is basically the same as the above embodiments of the secure storage method of the data file, and will not be described herein again.
It should be noted that, in this document, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising a …" does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises the element.
The foregoing embodiment numbers of the present application are merely for the purpose of description, and do not represent the advantages or disadvantages of the embodiments.
From the above description of the embodiments, it will be clear to those skilled in the art that the above-described embodiment method may be implemented by means of software plus a necessary general hardware platform, but of course may also be implemented by means of hardware, but in many cases the former is a preferred embodiment. Based on such understanding, the technical solution of the present application may be embodied essentially or in a part contributing to the prior art in the form of a software product stored in a storage medium (e.g. ROM/RAM, magnetic disk, optical disk) as described above, comprising instructions for causing a terminal device (which may be a mobile phone, a computer, a server, an air conditioner, or a network device, etc.) to perform the method according to the embodiments of the present application.
The foregoing description is only of the preferred embodiments of the present application, and is not intended to limit the scope of the application, but rather is intended to cover any equivalents of the structures or equivalent processes disclosed herein or in the alternative, which may be employed directly or indirectly in other related arts.
Claims (10)
1. A method for securely storing a data file, the method comprising:
receiving a user storage request, wherein the user storage request comprises a user file to be stored and a user key;
selecting a target consensus node based on the user storage request; based on the target consensus node, selecting a first encryption node according to the user storage request, and sending a target identifier of the first encryption node to other consensus nodes in a blockchain network, so that the other consensus nodes select a corresponding second encryption node according to the target identifier;
and based on the first encryption node and the second encryption node, carrying out homomorphic projection encryption calculation on the user file to be stored according to the user key to obtain file homomorphic projections of the encrypted user file and the encrypted user file, and sending the file homomorphic projections to corresponding consensus nodes so that the consensus nodes can store the file homomorphic projections to a blockchain network.
2. The method for securely storing data files according to claim 1, wherein said step of performing homomorphic projection encryption calculation on said user file to be stored based on said first encryption node and said second encryption node to obtain an encrypted user file and a file homomorphic projection of said encrypted user file comprises:
based on the first encryption node and the second encryption node, file segmentation is carried out on the user file to be stored, and a plurality of file segmentation fragments are obtained;
according to the user key, carrying out encryption calculation on the file segmentation fragments to generate encrypted user files corresponding to the number of the file segmentation fragments;
and extracting file homomorphic projection from the encrypted user file by adopting a homomorphic projection extraction algorithm.
3. The method for securely storing data files according to claim 2, wherein said step of extracting file homomorphic projections from said encrypted user files using a homomorphic projection extraction algorithm comprises:
carrying out hash value calculation on each encrypted user file to obtain a character string of each encrypted user file;
and connecting the character strings of the encrypted user files in series to obtain the homomorphic projection of the files.
4. The method of claim 1, wherein each consensus node corresponds to a plurality of encryption nodes, each encryption node has a preset identifier, and the initial storage spaces of encryption nodes having the same identifier under different consensus nodes are equal.
5. The method for securely storing data files according to claim 1, wherein after said step of performing homomorphic projection encryption calculation on said user file to be stored based on said first encryption node and said second encryption node to obtain an encrypted user file and a file homomorphic projection of said encrypted user file, and transmitting said file homomorphic projection to a corresponding consensus node for said consensus node to save said file homomorphic projection to a blockchain network, the method comprises:
receiving a user reading request, wherein the user reading request comprises a target reading file identifier and a user key;
based on a preset decryption node, respectively reading corresponding target file homomorphic projections from the blockchain network according to the target read file identification, and reading corresponding encrypted files from the first encryption node or the second encryption node;
verifying the target file homomorphic projection and the encrypted file using a homomorphic projection verification algorithm to obtain a verification result;
and if the verification result is that the verification is passed, decrypting the homomorphic projection of the target file by adopting the user key to obtain the target user file.
6. The method for securely storing data files according to claim 5, wherein said step of verifying the target file homomorphic projection and the encrypted file using a homomorphic projection verification algorithm to obtain a verification result comprises:
extracting a comparison file homomorphic projection from the encrypted user file using the homomorphic projection extraction algorithm;
and comparing the comparison file homomorphic projection with the target file homomorphic projection, and if the two are consistent, determining that the verification result is that the verification is passed.
7. The method for securely storing data files according to any of claims 1-6, wherein encryption, decryption and consensus on the user files are performed within a hardware trusted execution environment (TEE), wherein the hardware trusted execution environment is memory separately allocated in hardware for computation on sensitive data.
8. A secure storage device for a data file, the secure storage device comprising:
the receiving module is used for receiving a user storage request, wherein the user storage request comprises a user file to be stored and a user key;
the consensus module is used for selecting a target consensus node based on the user storage request; based on the target consensus node, selecting a first encryption node according to the user storage request, and sending a target identifier of the first encryption node to other consensus nodes in a blockchain network, so that the other consensus nodes select a corresponding second encryption node according to the target identifier;
and the encryption module is used for performing homomorphic projection encryption calculation on the user file to be stored according to the user key, based on the first encryption node and the second encryption node, to obtain an encrypted user file and a file homomorphic projection of the encrypted user file, and sending the file homomorphic projection to the corresponding consensus nodes so that the consensus nodes store the file homomorphic projection to a blockchain network.
9. A secure storage device for a data file, the secure storage device for a data file comprising: a memory, a processor and a program stored on the memory for implementing a secure storage method of the data file,
the memory is used for storing a program for implementing the secure storage method of the data file;
the processor is configured to execute a program for implementing the secure storage method of a data file to implement the steps of the secure storage method of a data file according to any one of claims 1 to 7.
10. A storage medium having stored thereon a program for realizing the secure storage method of a data file, the program for realizing the secure storage method of a data file being executed by a processor to realize the steps of the secure storage method of a data file according to any one of claims 1 to 7.
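The extraction step of claim 3 and the verification step of claim 6, as an added example that is not part of the patent text. SHA-256 with hex encoding is an assumption (the claims do not name a hash function), the function names are hypothetical, and the fragments are constructed stand-ins for encrypted file fragments.

```python
import hashlib
import hmac

HEX_LEN = hashlib.sha256().digest_size * 2  # 64 hex characters per fragment


def extract_projection(encrypted_fragments):
    """Claim 3: hash every encrypted fragment, then concatenate the strings in order."""
    return "".join(hashlib.sha256(frag).hexdigest() for frag in encrypted_fragments)


def verify_projection(encrypted_fragments, target_projection):
    """Claim 6: extract a comparison projection and compare it with the target one.

    Returns (passed, suspect_indices). Each fragment owns a fixed-width slot in
    the projection, so a failure can be narrowed down to individual fragments.
    """
    comparison = extract_projection(encrypted_fragments)
    # Constant-time comparison of the two full strings.
    if hmac.compare_digest(comparison.encode(), target_projection.encode()):
        return True, []
    have = [comparison[i:i + HEX_LEN] for i in range(0, len(comparison), HEX_LEN)]
    want = [target_projection[i:i + HEX_LEN]
            for i in range(0, len(target_projection), HEX_LEN)]
    # A slot is suspect if it is missing on either side or the digests differ.
    suspects = [i for i in range(max(len(have), len(want)))
                if i >= len(have) or i >= len(want) or have[i] != want[i]]
    return False, suspects


# Constructed sample data: opaque stand-ins for three encrypted file fragments.
FRAGMENTS = [b"\x9a\x11ciphertext-fragment-0", b"\x04\xe7ciphertext-fragment-1",
             b"\xc3\x5dciphertext-fragment-2"]
STORED = extract_projection(FRAGMENTS)  # the value the consensus nodes would store

if __name__ == "__main__":
    print(verify_projection(FRAGMENTS, STORED))
    tampered = [FRAGMENTS[0], FRAGMENTS[1] + b"\x00", FRAGMENTS[2]]
    print(verify_projection(tampered, STORED))
    print(verify_projection(FRAGMENTS[:2], STORED))
```

In this sketch the projection is an unkeyed digest, so a passing check means only that the fragments match the projection read from the blockchain network.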
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202311051212.8A CN117094039A (en) | 2023-08-18 | 2023-08-18 | Secure storage method, apparatus, device and storage medium for data file |
Publications (1)
Publication Number | Publication Date |
---|---|
CN117094039A (en) | 2023-11-21 |
Family
ID=88774576
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202311051212.8A Pending CN117094039A (en) | 2023-08-18 | 2023-08-18 | Secure storage method, apparatus, device and storage medium for data file |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN117094039A (en) |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||