CN117201204A - Cloud storage system, data reading and writing method and device and storage medium - Google Patents

Publication number: CN117201204A
Application number: CN202311471163.3A
Authority: CN (China)
Other versions: CN117201204B
Legal status: Granted (status as listed by Google Patents, not a legal conclusion)
Inventor: 朱家稷
Current and original assignee: Alibaba Cloud Computing Ltd
Original language: Chinese (zh)
Prior art keywords: data, layer, storage service, key, storage
Abstract

Embodiments of this application provide a cloud storage system, a data reading and writing method, a device and a storage medium. A general hierarchical encryption scheme for cloud storage is provided that uniformly meets the requirements of data encryption/decryption and key management. By layering the cloud storage system, the data encryption/decryption and key management processes are coordinated and unified: key management is carried out by the user master key and the storage service key cooperating across the user interaction layer and the storage service layer, while data encryption and decryption are controlled by the storage service key and the data encryption key cooperating across the storage service layer and the storage persistence layer. Key management and data encryption/decryption are thereby decoupled, improving flexibility and extensibility. Furthermore, the storage service layer can directly reuse the encryption capability provided by the storage persistence layer, so data need not be encrypted repeatedly at each layer, which saves encryption cost.

Description

Cloud storage system, data reading and writing method and device and storage medium
Technical Field
The present application relates to the field of cloud storage technologies, and in particular, to a cloud storage system, a data reading and writing method, a device, and a storage medium.
Background
With the explosive growth of user data, the various distributed storage systems on the cloud (block storage, file systems, object storage, table storage, databases and so on) hold ever more user data, and supporting encryption of user data is a common means of protecting it.
The encryption and decryption scheme commonly used in cloud storage systems is as follows: the access layer of the storage system is responsible for managing the user key; when the user writes data, the data is encrypted under the user key and then stored persistently; when the user reads data, the encrypted data is read from the persistent storage medium, decrypted under the user key and returned to the user.
This scheme is difficult to design and implement. When the user key has to be updated for a security upgrade, all of the encrypted data must be decrypted and re-encrypted, which is costly, and the scheme is inflexible and hard to extend.
Disclosure of Invention
Aspects of this application provide a cloud storage system, a data read-write method, a device and a storage medium, which improve the flexibility and extensibility of the cloud storage system and reduce its encryption cost.
An embodiment of this application provides a cloud storage system comprising a user interaction layer, a storage persistence layer, and at least one storage service layer located between them. The user interaction layer comprises a key management node that manages a user master key and provides it to the storage service layer adjacent to the user interaction layer. Each storage service layer comprises a storage service node that generates the storage service key of its own layer, encrypts and decrypts that key during data reading and writing using the key provided by the layer above, and provides its own storage service key to the layer below so that the lower layer can encrypt and decrypt its key with it. The storage persistence layer comprises a storage persistence node that generates a data encryption key, encrypts and decrypts the data encryption key during data reading and writing using the storage service key provided by the adjacent storage service layer, and encrypts and decrypts user data with the data encryption key.
An embodiment of this application also provides a cloud storage system comprising a user interaction layer and a storage persistence layer. The user interaction layer comprises a key management node that manages a user master key and provides it to the storage persistence layer. The storage persistence layer comprises a storage persistence node that generates a data encryption key, encrypts and decrypts user data with the data encryption key during data reading and writing, and encrypts and decrypts the data encryption key with the user master key.
An embodiment of this application also provides a data read-write method for the key management node in the user interaction layer of the cloud storage system, comprising: managing a user master key; and providing the user master key to the storage service layer adjacent to the user interaction layer, so that this storage service layer and the storage persistence layer cooperate to encrypt and decrypt user data.
An embodiment of this application also provides a data read-write method for a storage service node in one of the at least one storage service layer of the cloud storage system, comprising: generating the storage service key of this layer and, during data reading and writing, encrypting and decrypting it with the key provided by the upper layer, where this layer's storage service key is the storage service key of the target storage service layer to which the node belongs and the key provided by the upper layer is the user master key or the storage service key of the layer above the target layer; and providing this layer's storage service key to the next layer, which is the next storage service layer adjacent to the target layer or the storage persistence layer of the cloud storage system.
An embodiment of this application also provides a data read-write method for the storage persistence node in the storage persistence layer of the cloud storage system, comprising: receiving the storage service key provided by the storage service layer adjacent to the storage persistence layer; and generating a data encryption key, encrypting and decrypting user data with it during data reading and writing, and encrypting and decrypting the data encryption key with the storage service key provided by the adjacent storage service layer.
An embodiment of this application also provides a data read-write method for the storage persistence node in the cloud storage system, comprising: receiving the user master key provided by the key management node in the user interaction layer; and generating a data encryption key, encrypting and decrypting user data with it during data reading and writing, and encrypting and decrypting the data encryption key with the user master key.
An embodiment of this application also provides an electronic device comprising a memory and a processor; the memory stores a computer program, and the processor, coupled to the memory, executes the program to carry out the steps of the data read-write methods provided by the embodiments of this application.
An embodiment of this application also provides a computer-readable storage medium storing a computer program which, when executed by a processor, causes the processor to carry out the steps of the data read-write methods provided by the embodiments of this application.
Drawings
The accompanying drawings, which are included to provide a further understanding of the application and are incorporated in and constitute a part of this specification, illustrate embodiments of the application and together with the description serve to explain the application and do not constitute a limitation on the application. In the drawings:
Fig. 1 is a schematic structural diagram of a cloud storage system according to an exemplary embodiment of the present application;
Fig. 2 is a schematic diagram of the interaction flow for writing data according to an exemplary embodiment of the present application;
Fig. 3 is a schematic diagram of the interaction flow for reading data according to an exemplary embodiment of the present application;
Fig. 4 is a schematic structural diagram of another cloud storage system according to an exemplary embodiment of the present application;
Figs. 5a to 5d are schematic flow diagrams of a data read-write method according to an exemplary embodiment of the present application;
Figs. 6a to 6c are schematic diagrams of a data read-write device according to an exemplary embodiment of the present application;
Fig. 7 is a schematic structural diagram of an electronic device according to an exemplary embodiment of the present application.
Detailed Description
In order to make the objects, technical solutions and advantages of the present application more apparent, the technical solutions of the present application will be clearly and completely described below with reference to specific embodiments of the present application and corresponding drawings. It will be apparent that the described embodiments are only some, but not all, embodiments of the application. All other embodiments, which can be made by those skilled in the art based on the embodiments of the application without making any inventive effort, are intended to be within the scope of the application.
It should be noted that, the user information (including but not limited to user equipment information, user personal information, etc.) and the data (including but not limited to data for analysis, stored data, presented data, etc.) related to the present application are information and data authorized by the user or fully authorized by each party, and the collection, use and processing of the related data need to comply with the related laws and regulations and standards of the related country and region, and provide corresponding operation entries for the user to select authorization or rejection.
To address the problems above, the embodiments of this application provide a general hierarchical encryption scheme for cloud storage. The cloud storage system is layered so that key management and data encryption/decryption are coordinated yet decoupled: the user master key and the storage service key cooperate across the user interaction layer and the storage service layer for key management, while the storage service key and the data encryption key cooperate across the storage service layer and the storage persistence layer for data encryption and decryption, which improves flexibility and extensibility. Because the storage service layer reuses the encryption capability of the storage persistence layer, data is not encrypted again at every layer, which saves encryption cost.
The following describes in detail the technical solutions provided by the embodiments of the present application with reference to the accompanying drawings.
Fig. 1 is a schematic structural diagram of a cloud storage system according to an exemplary embodiment of this application. As shown in Fig. 1, the system comprises a user interaction layer 10, a storage persistence layer 20 and at least one storage service layer A1 to An between them, where n is a positive integer (n ≥ 1). The hierarchy of the cloud storage system can be written as: user interaction layer 10 -> storage service layer A1 -> storage service layer A2 -> ... -> storage service layer An -> storage persistence layer 20.
The user interaction layer 10 comprises a key management node (Key Management Service, KMS) 101 for managing user master keys (Customer Master Key, CMK). The key management node 101 can be integrated seamlessly with most cloud products, which means that a user can control the encryption of data stored in those products by means of the user master key held in the KMS. Through the KMS the user controls the access rights to the user master key and decides who may use it. The key management node 101 may provide the user master key to the storage service layer adjacent to the user interaction layer so that storage services are provided under that key. For example, the user master key may be provided to the at least one storage service layer in advance, or it may be provided to the storage service node of the adjacent storage service layer when that layer requests it while reading or writing data.
Each storage service layer An comprises a storage service node Bn; a layer may include one or more storage service nodes. The storage service node Bn is configured to generate the storage service key (Storage Service Key, SSK) of its own layer and to receive the key provided by the layer above it. For each storage service node, the storage service key of the layer it belongs to is called this layer's storage service key, and the storage service key of the storage service layer immediately above is called the upper layer's storage service key. For storage service layer A1 the upper layer is the user interaction layer 10 and the key provided by the upper layer is the user master key CMK; for a storage service layer An (n ≠ 1) the upper layer is storage service layer An-1 and the key it provides is the storage service key SSKn-1 of An-1. During data reading and writing, the storage service node Bn encrypts and decrypts this layer's storage service key with the key provided by the upper layer. For example, in storage service layer A1 the storage service node B1 encrypts this layer's storage service key SSK1 with the user master key CMK to obtain the encrypted storage service key (Encrypted Storage Service Key, ESSK) ESSK1, and decrypts ESSK1 with CMK to recover SSK1; in a storage service layer An (n ≠ 1) the storage service node Bn encrypts and decrypts this layer's storage service key with the storage service key of An-1.
That is, the storage service node Bn encrypts this layer's storage service key SSKn with the storage service key SSKn-1 of An-1 to obtain the encrypted storage service key ESSKn, and decrypts ESSKn with SSKn-1 to recover SSKn. Storage service layer An can also provide this layer's storage service key to the next layer, so that the next layer can encrypt and decrypt its own key with it. The layer below a storage service layer may be another storage service layer or the storage persistence layer.
The storage persistence layer 20 comprises a storage persistence node 201, which can generate a data encryption key (Data Encryption Key, DEK) and encrypt and decrypt user data with it during data reading and writing. When the storage service layer An adjacent to the storage persistence layer 20 provides its storage service key to the storage persistence layer, the storage persistence layer 20 receives that key, and the storage persistence node 201 can further encrypt and decrypt the data encryption key with the storage service key provided by the adjacent storage service layer An. Optionally, encrypting and decrypting user data with the data encryption key during data reading and writing works as follows: when writing data, the user data is encrypted with the data encryption key and the encrypted user data is stored persistently; when reading data, the encrypted user data is read from the persistence layer and decrypted with the data encryption key to recover the user data.
In this embodiment, in addition to the storage service node, the storage service layer also comprises a storage service management node. The storage service management node is responsible for managing the metadata of cloud storage disks and for managing and controlling the disks: for example, creating, deleting, mounting and unmounting cloud storage disks and deciding which storage service node of the storage service layer is responsible for scheduling a disk's IO requests; or, as another example, specifying the data synchronization and layout policy of a cloud storage disk, which may embody the correspondence between persistent files and storage service nodes. In addition, the storage service node Bn may also provide the data interaction service of the cloud storage disk, for example handling IO requests from the storage access node, and may optionally be responsible for mapping the logical address information of the corresponding cloud storage disk onto the corresponding persistent files and for switching and scheduling those mappings. For example, the storage service node stores the data carried in a user's IO request in the storage persistence layer of the cloud storage disk and records the corresponding data mapping so that the data can be read back later.
In addition to the storage persistence node, the storage persistence layer also comprises a persistence management node. The persistence management node is responsible for managing the metadata of the storage persistence layer and optionally provides management services for persistent files, for example creating or deleting persistent files and maintaining the correspondence between persistent files and storage service nodes Bn. Further, the persistence management node can persist the data of a storage service node according to the data synchronization and layout policy specified by the storage service layer, and the storage service node is responsible for responding to the persistence operation and to subsequent read access to that data. Further, the storage persistence layer can provide a software development kit (Software Development Kit, SDK) to the storage service nodes of the storage service layer, so that a storage service node can conveniently create, delete, read and write files of the persistence layer and thereby complete the read and write operations of user IO.
In this embodiment the cloud storage system may use different storage technologies, for example block storage, file storage, table storage or object storage. The storage service nodes of the storage service layer differ between storage technologies: for block storage the storage service node is implemented as a data server (BS); for object storage it is implemented as an object storage server (Object Storage Service, OSS); for file storage it is implemented as a file storage server (File Storage Service). Different storage technologies are thus implemented by different storage service layers, whereas the storage persistence layer is common to all of them and has a default encryption mechanism, for example encrypting stored data with the data encryption key DEK by default. The storage persistence node 201 may be implemented, for example, as a chunk server (Chunk Server, CS).
In this embodiment the cloud storage system may provide storage services to cloud computing instances (for example virtual machines or containers) running on computing nodes. Optionally, the cloud storage system further comprises a storage access layer 30, which includes a storage access node 301 deployed on a computing node. The storage access node 301 may be deployed on the computing node as a service process of the cloud storage system that provides the cloud computing instances on that node with access to the cloud storage system. Specifically, the storage access node presents the cloud storage disks provided by the cloud storage system to the cloud computing instance through virtualization technology; a user sends an Input/Output (IO) request (also called a read-write request) to the cloud computing instance, which forwards it to the storage access node 301; the storage access node 301 receives the read-write request from the cloud computing instance to the cloud storage disk and sends it to the backend storage cluster corresponding to that disk, for example to a storage service node in the storage service layer adjacent to the storage access layer, so that the at least one storage service layer An and the storage persistence layer 20 perform the data read or write. After receiving the response from the storage cluster, the storage access node 301 returns it to the cloud computing instance. The storage access node can interact with the cloud computing instance through the virtualization manager on the computing node that manages the instance. The virtualization manager may be a virtual machine monitor (Virtual Machine Monitor, VMM), also called a Hypervisor; the Hypervisor or VMM may for example be QEMU or VMware, but is not limited to these.
A cloud storage disk may be addressed by logical block addressing (Logical Block Addressing, LBA): the whole storage space is divided into a plurality of LBA intervals, each holding a certain amount of data. The size of an LBA interval is not limited and may be, for example, 4GB, 8GB or 16GB. LBA address information can be mapped to the physical address information of storage persistence nodes to implement reading and writing of the cloud storage disk.
In an alternative embodiment, the way in which the user interaction layer, the at least one storage service layer and the storage persistence layer cooperate to implement data read and write operations is not limited. Embodiments in which the at least one storage service layer and the storage persistence layer perform data read and write operations are described in detail below.
Case B1: write operation:
the storage service node Bn in the storage service layer may generate a lower-layer storage service key when the user writes the first data, and receive a key provided by a previous layer, where the previous layer is the user interaction layer 10 or a previous storage service layer adjacent to the storage service layer. The manner of receiving the key provided by the previous layer is not limited, and for example, the key provided by the previous layer may be requested in real time when the user writes the first data, or the key may be requested from the previous layer during the power-up initialization of the storage service node, and the key provided by the previous layer may be received when the key is returned from the previous layer. And encrypting the storage service key of the layer according to the key provided by the upper layer, and storing the encrypted ciphertext of the storage service key of the layer, wherein the ciphertext is called an encrypted storage service layer key ESSK. For example, if the key provided by the upper layer of the storage service node in the storage service layer A1 is CMK and the storage service key of the storage service layer A1 is SSK1, the storage service key SSK1 may be encrypted according to the key CMK provided by the upper layer to obtain the ciphertext ESSK1. For another example, if the key provided by the upper layer of the storage service node in the storage service layer A2 is SSK1 and the storage service key of the storage service layer A2 is SSK2, the ciphertext ESSK2 may be obtained by encrypting the storage service key SSK2 according to the key SSK1 provided by the upper layer. The storage service node Bn in the storage service layer may send the first data and the present layer storage service key to a next layer, which is a next layer storage service layer or storage persistence layer 20 adjacent to the storage service layer.
The storage persistence node 201 may generate a data encryption key when a user writes first data, encrypt the first data according to the data encryption key and persistence-store the encrypted data ciphertext, and encrypt the data encryption key according to a storage service key provided by a storage service layer adjacent thereto and store the encrypted ciphertext of the encrypted data encryption key (Encrypted Data Encryption Key, EDEK).
Alternatively, the generation of the lower layer storage service key by the storage service node Bn may be implemented as: when data to be stored is received, dividing the data to be stored into at least one data fragment, and generating at least one layer storage service key for the at least one data fragment; the data to be stored is first data or data fragments sent by a storage service layer of an upper layer. Wherein dividing the data to be stored into one data slice means that the data to be stored is no longer subdivided into data slices. The at least one data slice may share one storage service key SSK, or may use one storage service key SSK for each data slice, or may share one storage service key for a part of the data slices, which is not limited. The storage service key SSK may be determined specifically according to the granularity of the user data. For example, for object storage, each storage space (bucket) is assigned an SSK; for block storage, each disk (disk) is assigned an SSK; for table storage, each table is assigned an SSK.
Optionally, the encryption of the local layer storage service key by the storage service node Bn according to the key provided by the previous layer and the storing of the ciphertext of the local layer storage service key obtained by encryption may be implemented as: and respectively encrypting at least one local layer storage service key according to the key corresponding to the data to be stored provided by the upper layer, storing ciphertext of the at least one local layer storage service key, and establishing a first corresponding relation among the key corresponding to the data to be stored, the identifier of the at least one data fragment and the ciphertext of the at least one local layer storage service key. Accordingly, the storage service node sends the first data and the storage service key of the layer to the next layer, which can be implemented as: and transmitting the at least one data fragment, the at least one local layer storage service key and a second corresponding relation between the at least one data fragment and the at least one local layer storage service key to the next layer.
Optionally, generation of the data encryption key by the storage persistence node 201 may be implemented as follows: receive, from the adjacent storage service layer, the at least one data fragment corresponding to the first data, the at least one storage service key, and the second correspondence between the at least one data fragment and the at least one storage service key; for any data fragment, divide the fragment into a plurality of data chunks and generate at least one data encryption key for those chunks. For example, one data encryption key DEK may be generated for each data chunk, one DEK may be shared by all of the chunks, or one DEK may be shared by a subset of the chunks. Encryption of the data encryption key by the storage persistence node 201 with the storage service key provided by the adjacent storage service layer, and storage of the resulting ciphertext, may be implemented as: for any data fragment, encrypt the at least one data encryption key with the storage service key that the second correspondence associates with that fragment, obtaining the ciphertext of the at least one data encryption key.
Optionally, encryption of the first data by the storage persistence node 201 with the data encryption key, and persistent storage of the resulting data ciphertext, may be implemented as follows: encrypt the corresponding data chunks with the at least one data encryption key, store the ciphertext of the plurality of data chunks in at least one persistent file, and record in the metadata of each persistent file the identification information of the data chunks it contains together with the ciphertext of the data encryption key used to encrypt those chunks. The ciphertext of all data chunks may be stored in one persistent file, the ciphertext of each data chunk may be stored in its own persistent file, or the ciphertext of the data chunks encrypted under the same data encryption key may be stored in one persistent file; this is not limited. An interaction flow chart among the user interaction layer, the storage service layer and the storage persistence layer for the data writing process is given below. In fig. 2 the cloud storage system is illustrated with one storage service layer, but it is not limited to this.
Step 21, a user initiates a write request for a cloud storage disk to the storage access node 301 through a cloud computing instance on the computing node, for writing first data.
Step 22, the storage access node 301 sends the first data to the storage service node B1 in the storage service layer A1.
Step 23, the key management node 101 of the user interaction layer provides the user master key CMK to the storage service node B1 of the storage service layer A1.
Step 24, the storage service node B1 receives the first data and the user master key CMK, and generates the local layer storage service key SSK1.
Optionally, the storage service node B1 may divide the first data into at least one data fragment and generate at least one local layer storage service key for the at least one data fragment. For example, the first data is divided into data fragments segment1 and segment2, one storage service key is allocated per fragment, segment1 corresponds to the storage service key SSK11 and segment2 to the storage service key SSK12.
Step 25, the storage service node B1 encrypts the storage service key SSK1 with the user master key CMK, and obtains and stores the encrypted storage service key ESSK1.
Optionally, when the first data is divided into at least one data fragment, a first correspondence can be established among the key provided by the user interaction layer for the first data, the identifiers of the at least one data fragment, and the ciphertext of the at least one local layer storage service key, so that it can be queried when the data is later read. For example, the storage service key SSK11 is encrypted with the CMK to obtain the ciphertext ESSK11, and the storage service key SSK12 is encrypted with the CMK to obtain the ciphertext ESSK12. The first correspondence may then be: segment1 -> CMK -> ESSK11, segment2 -> CMK -> ESSK12.
Step 26, the storage service node B1 provides the local layer storage service key SSK1 and the first data to the storage persistence node 201 of the storage persistence layer 20.
Optionally, the at least one data fragment into which the first data is divided, the at least one local layer storage service key, and the second correspondence between the at least one data fragment and the at least one local layer storage service key may be sent to the storage persistence layer. For example, the second correspondence may be: segment1 -> SSK11, segment2 -> SSK12.
Step 27, the storage persistence node 201 receives the storage service key SSK1 and generates the data encryption key DEK.
Optionally, the storage persistence node 201 receives the at least one data fragment corresponding to the first data, the at least one storage service key, and the second correspondence between the at least one data fragment and the at least one storage service key sent by the storage service layer; for any data fragment, it divides the fragment into a plurality of data chunks and generates at least one data encryption key for those chunks. For example, the data fragment segment1 is divided into data chunks chunk11 and chunk12, and a data encryption key DEK1 is generated for chunk11 and chunk12; the data fragment segment2 is divided into data chunks chunk21 and chunk22, and a data encryption key DEK2 is generated for chunk21 and chunk22.
Step 28, the storage persistence node 201 encrypts the first data by using the data encryption key DEK to obtain a data ciphertext.
Optionally, for any data fragment, the at least one data encryption key is encrypted, according to the second correspondence, with the storage service key corresponding to that fragment, obtaining the ciphertext of the at least one data encryption key. For example, with the second correspondence segment1 -> SSK11, segment2 -> SSK12, the data encryption key DEK1 is encrypted with the storage service key SSK11 to obtain the ciphertext EDEK1, and the data encryption key DEK2 is encrypted with the storage service key SSK12 to obtain the ciphertext EDEK2.
Step 29, the storage persistence node 201 encrypts the data encryption key DEK with the storage service key SSK1, and obtains and stores the encrypted data encryption key EDEK.
Optionally, the corresponding data chunks are encrypted with the at least one data encryption key, the resulting ciphertext of the plurality of data chunks is stored in at least one persistent file, and the identification information of the data chunks contained in each persistent file and the ciphertext of the data encryption key used to encrypt them are recorded in the file's metadata.
For example, data chunk11 and data chunk12 are encrypted with the data encryption key DEK1 to obtain the ciphertext ED1; data chunk21 and data chunk22 are encrypted with the data encryption key DEK2 to obtain the ciphertext ED2; ED1 is stored in one persistent file whose metadata records chunk11, chunk12 and the ciphertext EDEK1; ED2 is stored in another persistent file whose metadata records chunk21, chunk22 and the ciphertext EDEK2.
Case B2: and (3) a read operation.
When the user reads the second data, the storage service node Bn in the storage service layer An obtains the key provided by the layer above. How that key is obtained is not limited and may vary with the cloud storage technology used by the cloud storage system. For example, with block storage, when the computing node mounts a cloud storage disk provided by the cloud storage system, a storage service node in the storage service layer obtains the key from the layer above and keeps it locally. With object storage, the storage service node in the storage service layer obtains the key from the layer above in real time during each read or write. The storage service node Bn decrypts the ciphertext of its local layer storage service key with the key provided by the layer above to obtain the local layer storage service key, and sends the identification information of the second data together with the local layer storage service key to the layer below; in the block storage case, the identification information of the second data is the LBA (logical block address) of the second data on the cloud storage disk.
Accordingly, when the user reads the second data, the storage persistence node 201 receives the storage service key provided by its adjacent storage service layer and decrypts the ciphertext of the data encryption key with it to obtain the data encryption key; it then decrypts the data ciphertext corresponding to the second data with the data encryption key to obtain the second data, and sends the second data to the adjacent storage service layer. Correspondingly, the storage service node Bn receives the second data returned by its adjacent lower storage service layer or by the storage persistence layer, and forwards it to the layer above.
Optionally, decryption by the storage service node Bn of the ciphertext of its local layer storage service key with the key provided by the layer above may be implemented as follows: query the first correspondence with the key provided by the layer above to obtain the identifiers of the at least one data fragment corresponding to the second data and the ciphertext of the at least one local layer storage service key; decrypt the ciphertext of the at least one local layer storage service key with the key provided by the layer above to obtain the at least one local layer storage service key. Sending the identification information of the second data and the local layer storage service key to the layer below may then be implemented as: sending the identification information of the at least one data fragment, the at least one local layer storage service key, and a third correspondence between the identification information of the at least one data fragment and the at least one local layer storage service key to the layer below.
Optionally, receipt by the storage persistence node 201 of the storage service key provided by the adjacent storage service layer may be implemented as: receiving, from the adjacent storage service layer An, the identification information of the at least one data fragment, the at least one storage service key, and the third correspondence between the identification information of the at least one data fragment and the at least one local layer storage service key.
Optionally, decryption by the storage persistence node 201 of the ciphertext of the data encryption key with the storage service key provided by the adjacent storage service layer may be implemented as follows: determine the at least one persistent file from the correspondence between the at least one data fragment contained in the second data and the at least one persistent file, and obtain from the metadata of the at least one persistent file the identification information of the data chunks it contains and the ciphertext of the data encryption key used to encrypt those chunks; then, using the correspondence between data chunks and data fragments together with the third correspondence, decrypt the ciphertext of the data encryption key of each data chunk with the at least one storage service key to obtain the data encryption key. Decryption of the data ciphertext corresponding to the second data with the data encryption key, and sending of the second data to the adjacent storage service layer, may be implemented as: decrypt the ciphertext of each data chunk with the data encryption key corresponding to that chunk to obtain at least one data fragment, each data fragment comprising a plurality of data chunks.
An interaction flow chart among the user interaction layer, the storage service layer and the storage persistence layer for the data reading process is given below. In fig. 3 the cloud storage system includes one storage service layer as an example, but it is not limited to this.
In step 31, a user initiates a read request for the cloud storage disk to the storage access node 301 through a cloud computing instance on the computing node, where the read request includes identification information of the second data to be read.
Step 32, the storage access node 301 sends the identification information of the second data to the storage service node B1 in the storage service layer A1.
Step 33, the key management node 101 of the user interaction layer provides the user master key CMK to the storage service node B1 of the storage service layer A1.
Step 34, the storage service node B1 receives the user master key CMK and decrypts the ciphertext ESSK1 of the storage service key with the user master key CMK to obtain the storage service key SSK1.
Optionally, the first correspondence is queried with the user master key CMK to obtain the identifiers of the at least one data fragment corresponding to the second data and the ciphertext of the at least one local layer storage service key; the ciphertext of the at least one local layer storage service key is then decrypted with the key provided by the layer above to obtain the at least one local layer storage service key. For example, with the first correspondence segment1 -> CMK -> ESSK11, segment2 -> CMK -> ESSK12: the identifiers of the data fragments of the second data, segment1 and segment2, are obtained from the identification information of the second data; the first correspondence is queried with the user master key CMK and those fragment identifiers to obtain the ciphertexts ESSK11 and ESSK12 of the local layer storage service keys; and ESSK11 and ESSK12 are decrypted with the user master key CMK to obtain the local layer storage service keys SSK11 and SSK12.
In this embodiment, the key management node 101 of the user interaction layer is described as providing the user master key CMK to the storage service node B1 of the storage service layer A1 during the data reading process, but this is not limiting. How the storage service node B1 obtains the user master key CMK may vary with the storage technology used by the cloud storage system. For example, besides receiving it from the key management node 101, the storage service node B1 may have stored the user master key CMK locally during data writing and read it locally during data reading. The manner in which the key management node 101 provides the user master key CMK to the storage service node B1 is not limited and may be adapted to the storage technology used.
Step 35, the storage service key SSK1 and the identification information of the second data are provided to the storage persistence node 201 of the storage persistence layer 20.
Optionally, the identification information of the at least one data fragment, the at least one local layer storage service key, and the third correspondence between the identification information of the at least one data fragment and the at least one local layer storage service key are sent to the layer below. For example, the third correspondence may be: segment1 -> SSK11, segment2 -> SSK12.
Step 36, the storage persistence node 201 receives the storage service key SSK1 and the identification information of the second data, and decrypts the ciphertext EDEK of the data encryption key with the storage service key SSK1 to obtain the data encryption key DEK.
Optionally, the at least one persistent file is determined from the correspondence between the at least one data fragment contained in the second data and the at least one persistent file; the identification information of the data chunks contained in the at least one persistent file and the ciphertext of the data encryption key used to encrypt those chunks are obtained from its metadata; and, using the correspondence between data chunks and data fragments together with the third correspondence, the ciphertext of the data encryption key used for each data chunk is decrypted with the at least one storage service key to obtain the data encryption key.
Step 37, the storage persistence node 201 determines the ciphertext of the second data from the identification information of the second data.
Step 38, the ciphertext of the second data is decrypted with the data encryption key DEK to obtain the second data.
Optionally, the ciphertext of each data chunk is decrypted according to the data encryption key corresponding to each data chunk to obtain at least one data fragment, where each data fragment includes a plurality of data chunks.
Step 39, the storage persistence node 201 sends the second data to the storage service node B1.
Step 40, the storage service node B1 returns the second data to the storage access node 301.
Step 41, the storage access node 301 provides the second data to the user through the cloud computing instance on the computing node.
In an alternative embodiment, the user interaction layer may update the user master key when it changes and provide the updated user master key to the adjacent storage service layer An. For example, after the user creates the user master key, the user interaction layer 10 may enable rotation for it and update it periodically. As another example, if the user master key is leaked, the user interaction layer replaces the leaked user master key and provides the updated user master key to the adjacent storage service layer An.
Optionally, the storage service node in the storage service layer adjacent to the user interaction layer may further decrypt the local layer storage service key from its ciphertext with the user master key from before the change, and re-encrypt the local layer storage service key with the user master key after the change, obtaining a new ciphertext of the local layer storage service key.
The storage service key SSK is introduced between the user interaction layer and the storage persistence layer to provide a higher level of data protection. For example, when the user master key CMK is leaked, the storage service key SSK can be re-encrypted under a new CMK to replace the original ESSK; the leaked CMK is thereby denied access to the user data without the data in the storage persistence layer having to be decrypted and re-encrypted, which improves the flexibility and scalability of the cloud storage system. This re-wrapping addresses a compromised or retired CMK only: if a storage service key or a data encryption key is itself exposed, the keys below it have to be replaced and the affected data re-encrypted, as described next for the data encryption key.
In an alternative embodiment, the data encryption key may be rotated periodically to ensure data security. The storage persistence node in the storage persistence layer may update the data encryption key: it decrypts the user data from the data ciphertext produced with the data encryption key before the update, re-encrypts the user data with the updated data encryption key to obtain a new data ciphertext, encrypts the updated data encryption key with the storage service key provided by the adjacent storage service layer to obtain its ciphertext, and replaces the ciphertext of the data encryption key before the update. Rotating the data encryption key DEK therefore needs no participation of the user master key CMK; it is completed in cooperation with the storage service key SSK alone, minimizing what the user perceives.
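The write flow (steps 21 to 29), the read flow (steps 31 to 41) and the re-wrapping of the storage service key on a user master key change, worked through in Go as an added example; this is not the patent's code. It assumes AES-256-GCM for the cipher, which the patent leaves unspecified, 32-byte keys, one SSK and one DEK per data fragment, and the use of the segment or chunk identifier as GCM associated data so that a wrapped key or an encrypted chunk cannot be replayed in another slot. The patent's first correspondence is reduced to a map from segment identifier to ESSK; the second and third correspondences are the (segment identifier, SSK) pairs that Write and Read hand from the service layer to the persistence layer.

```go
// Added example, not the patent's own code: AES-256-GCM is an assumed stand-in for
// the unspecified cipher, and the AAD binds each wrapped key and chunk to its identifier.
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

func aead(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key) // fails only on a bad key length
	if err != nil {
		panic(err)
	}
	g, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return g
}

// seal returns nonce || GCM(key, pt, aad); open rejects a wrong key, a mismatched aad or tampering.
func seal(key, pt []byte, aad string) []byte {
	g := aead(key)
	nonce := randBytes(g.NonceSize())
	return g.Seal(nonce, nonce, pt, []byte(aad))
}

func open(key, ct []byte, aad string) ([]byte, error) {
	g := aead(key)
	if n := g.NonceSize(); len(ct) >= n {
		return g.Open(nil, ct[:n], ct[n:], []byte(aad))
	}
	return nil, fmt.Errorf("ciphertext too short")
}

type persistentFile struct {
	edek   []byte   // metadata: the segment's DEK wrapped under its SSK
	chunks [][]byte // chunk i is encrypted under the DEK with AAD "<segment>/chunk<i>"
}

// ServiceNode (storage service layer) keeps only the first correspondence, segment id -> ESSK,
// never a clear SSK. PersistenceNode (storage persistence layer) never sees the CMK.
type ServiceNode struct{ ESSK map[string][]byte }
type PersistenceNode struct{ Files map[string]persistentFile }

// Write (steps 24-29): one SSK per segment wrapped under the CMK, one DEK per segment wrapped under its SSK.
func Write(cmk []byte, sn *ServiceNode, pn *PersistenceNode, segs map[string][][]byte) {
	for segID, chunks := range segs {
		ssk, dek := randBytes(32), randBytes(32)
		sn.ESSK[segID] = seal(cmk, ssk, segID)
		f := persistentFile{edek: seal(ssk, dek, segID)}
		for i, c := range chunks {
			f.chunks = append(f.chunks, seal(dek, c, fmt.Sprintf("%s/chunk%d", segID, i)))
		}
		pn.Files[segID] = f
	}
}

// Read (steps 34-39): CMK unwraps SSK, (segID, SSK) goes down one layer, SSK unwraps DEK, DEK decrypts chunks.
func Read(cmk []byte, sn *ServiceNode, pn *PersistenceNode, segID string) ([]byte, error) {
	ssk, err := open(cmk, sn.ESSK[segID], segID) // an unknown segment or a retired CMK fails here
	if err != nil {
		return nil, fmt.Errorf("unwrap SSK: %w", err)
	}
	f := pn.Files[segID]
	dek, err := open(ssk, f.edek, segID)
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	var out []byte
	for i, ct := range f.chunks {
		pt, err := open(dek, ct, fmt.Sprintf("%s/chunk%d", segID, i))
		if err != nil {
			return nil, fmt.Errorf("chunk %d: %w", i, err)
		}
		out = append(out, pt...)
	}
	return out, nil
}

// RotateCMK re-wraps every ESSK under the new CMK; nothing in the persistence layer changes.
func RotateCMK(oldCMK, newCMK []byte, sn *ServiceNode) error {
	for segID, essk := range sn.ESSK {
		ssk, err := open(oldCMK, essk, segID)
		if err != nil {
			return err
		}
		sn.ESSK[segID] = seal(newCMK, ssk, segID)
	}
	return nil
}
```

Write fills the two nodes from a map of segment identifier to chunk plaintexts; Read reverses the hierarchy and, once RotateCMK has re-wrapped the ESSKs, fails at "unwrap SSK" for the retired CMK while the persistent files are untouched. Because the chunk identifier is the GCM associated data, a persistent file in which two chunk ciphertexts have been swapped fails at the chunk stage rather than decrypting to reordered data. Only the CMK re-wrapping of the text is shown; the DEK rotation described above would additionally decrypt the chunks, re-encrypt them under a fresh DEK and re-wrap that DEK under the SSK, with no CMK involved.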
In the embodiment of the application, the cloud storage system is layered, encryption functions and roles are assigned to different layers, and the storage service layer cooperates closely with the storage persistence layer through multiple envelope encryption to complete the data encryption flow. The main advantages are as follows:
1) User data encryption is handled uniformly by the storage persistence layer, which simplifies the design and implementation of each storage service layer and makes unified hardware offloading of encryption and decryption convenient. For example, where the storage persistence layer uses a hardware accelerator card, a field programmable gate array (FPGA) or a similar technology, its encryption and decryption can be offloaded to hardware to speed up data encryption and decryption. Unified data encryption and decryption in the storage persistence layer converges the data security flow and simplifies operation and maintenance, makes it convenient to unify security and encryption standards, and to review and raise the security level. It also lowers the cost to users of understanding data security and improves their experience.
2) The storage service layer focuses on user key management and authentication, retaining maximum flexibility and scalability of the encryption function. The storage service layer can directly reuse the encryption capability provided by the data persistence layer (data needs to be encrypted only once, saving computing resources) while retaining the ability to customize encryption in the layers above it; the storage service layer as a whole still follows the flow and security standards defined by the hierarchical encryption, ensuring that the fundamental data security service capability is available.
3) The encryption cooperation between the storage service layer and the storage persistence layer follows the principle of multiple envelope encryption: the user master key CMK and the storage service key SSK of at least one storage service layer form a multiple envelope encryption scheme. By inserting the storage service key SSK into the encryption process, the storage service layer and the storage persistence layer cooperate closely to ensure data security while minimizing coupling and exposure, reducing attack risk and implementation dependencies.
In addition to the cloud storage system shown in fig. 1, fig. 4 provides another cloud storage system, which differs from the system of fig. 1 in that it does not include a storage service layer. The embodiment of fig. 4 focuses on the cloud storage system using a hierarchical structure for data encryption and decryption, so that the key management function and the data encryption and decryption function are decoupled and the flexibility and scalability of the system are improved. As shown in fig. 4, the cloud storage system includes a user interaction layer 10 and a storage persistence layer 20.
The user interaction layer 10 includes a key management node 101 for managing user master keys and providing the user master key CMK to the storage persistence layer.
The storage persistence layer 20 includes a storage persistence node 201 configured to generate a data encryption key, to encrypt and decrypt user data with the data encryption key during data reading and writing, and to encrypt and decrypt the data encryption key with the user master key.
In an optional embodiment, the storage persistence layer includes a storage persistence node that, when the user writes the first data, generates a data encryption key, encrypts the first data with the data encryption key to obtain a data ciphertext and stores the data ciphertext persistently, and encrypts the data encryption key with the user master key to obtain the ciphertext of the data encryption key and stores that ciphertext persistently; when the user reads the second data, it decrypts the ciphertext of the data encryption key with the user master key to obtain the data encryption key, decrypts the data ciphertext of the second data with the data encryption key to obtain the second data, and sends the second data to the user's computing node.
The detailed implementation and the beneficial effects of each step in the system of this embodiment have been described in the foregoing embodiments, and will not be described in detail herein.
Fig. 5a is a schematic flow chart of a data read-write method according to an exemplary embodiment of the present application, where the method is applicable to a key management node in a user interaction layer in a cloud storage system, as shown in fig. 5a, and the method includes:
501a, managing a user master key;
502a, providing a user master key for a storage service layer adjacent to the user interaction layer in the cloud storage system, so that the storage service layer adjacent to the user interaction layer and the storage persistence layer cooperate with each other to realize encryption and decryption processing of user data.
In an alternative embodiment, managing the user master key includes: and periodically updating the user master key, and providing the updated user master key to a storage service layer adjacent to the user interaction layer under the condition of updating the user master key.
Fig. 5b is a flow chart of another data read-write method according to an exemplary embodiment of the present application, where the method is applicable to a storage service node in at least one storage service layer in a cloud storage system, and as shown in fig. 5b, the method includes:
501b, generating a storage service key of the layer, and encrypting and decrypting the storage service key of the layer according to a key provided by the upper layer in the data reading and writing process, wherein the storage service key of the layer is a storage service key of a target storage service layer to which a storage service node belongs, and the key provided by the upper layer is a user master key or a storage service key of the upper layer of the target storage service layer;
502b, providing the storage service key of the layer to a next layer, wherein the next layer is implemented as a next layer of storage service layer adjacent to the target storage service layer or a storage persistence layer in the cloud storage system.
In an alternative embodiment, generating the local layer storage service key and encrypting and decrypting it with the key provided by the layer above during the data writing process includes: when a user writes first data, generating the local layer storage service key and receiving the key provided by the layer above, where the layer above is the user interaction layer of the cloud storage system or the storage service layer adjacent above the target storage service layer; encrypting the local layer storage service key with the key provided by the layer above, storing the resulting ciphertext of the local layer storage service key, and sending the first data and the local layer storage service key to the layer below, where the layer below is the adjacent lower storage service layer or the storage persistence layer.
In an alternative embodiment, encrypting and decrypting the local layer storage service key with the key provided by the layer above during the data reading process includes: when the user reads second data, obtaining the key provided by the layer above; decrypting the ciphertext of the local layer storage service key with the key provided by the layer above to obtain the local layer storage service key; sending the identification information of the second data and the local layer storage service key to the layer below; and receiving the second data returned by the adjacent lower storage service layer or the storage persistence layer and sending it to the layer above.
Optionally, generating the local layer storage service key includes: dividing the data to be stored into at least one data fragment when the data to be stored is received, and generating at least one local layer storage service key for the at least one data fragment, where the data to be stored is the first data or data fragments sent by the storage service layer above. Correspondingly, encrypting the local layer storage service key with the key provided by the layer above and storing the resulting ciphertext includes: encrypting the at least one local layer storage service key with the key, provided by the layer above, that corresponds to the data to be stored, storing the ciphertext of the at least one local layer storage service key, and establishing a first correspondence among the key corresponding to the data to be stored, the identifiers of the at least one data fragment and the ciphertext of the at least one local layer storage service key. Accordingly, sending the first data and the local layer storage service key to the layer below includes: sending the at least one data fragment, the at least one local layer storage service key and a second correspondence between the at least one data fragment and the at least one local layer storage service key to the layer below.
Further optionally, decrypting the ciphertext of the layer storage service key according to the key provided by the previous layer to obtain the layer storage service key, including: inquiring the first corresponding relation according to the key provided by the upper layer to obtain the identification of at least one data fragment corresponding to the second data and the ciphertext of at least one local storage service key; decrypting the ciphertext of the at least one layer storage service key according to the key provided by the upper layer to obtain the at least one layer storage service key; correspondingly, the identification information of the second data and the local layer storage service key are sent to the next layer, which comprises the following steps: and transmitting the identification information of the at least one data fragment, the at least one local layer storage service key and a third corresponding relation between the identification information of the at least one data fragment and the at least one local layer storage service key to the next layer.
In an alternative embodiment, the method provided by the embodiment of the present application further includes: under the condition that the user master key is changed, decrypting the layer storage service key from the ciphertext of the layer storage service key by using the user master key before the change, and re-encrypting the layer storage service key by using the user master key after the change to obtain a new ciphertext of the layer storage service key.
Fig. 5c is a flowchart of yet another data read-write method according to an exemplary embodiment of the present application. The method is applicable to a storage persistence node in the storage persistence layer of a cloud storage system and, as shown in fig. 5c, includes:
501c, receiving a storage service key provided by the storage service layer adjacent to the storage persistence layer in the cloud storage system;
502c, generating a data encryption key, and encrypting and decrypting user data according to the data encryption key during data reading and writing;
503c, encrypting and decrypting the data encryption key according to the storage service key provided by the adjacent storage service layer.
In an alternative embodiment, generating a data encryption key, encrypting and decrypting user data according to the data encryption key during data writing, and encrypting and decrypting the data encryption key according to the storage service key provided by the storage service layer includes: generating a data encryption key when a user writes first data; encrypting the first data according to the data encryption key and persistently storing the resulting data ciphertext; and encrypting the data encryption key according to the storage service key provided by the adjacent storage service layer, and storing the ciphertext of the encrypted data encryption key.
In an alternative embodiment, encrypting and decrypting user data according to the data encryption key during data reading, and encrypting and decrypting the data encryption key according to the storage service key provided by the storage service layer, includes: when a user reads second data, receiving the storage service key provided by the adjacent storage service layer; decrypting the ciphertext of the data encryption key according to that storage service key to obtain the data encryption key; and decrypting the data ciphertext corresponding to the second data according to the data encryption key to obtain the second data, and sending the second data to the adjacent storage service layer.
Optionally, generating the data encryption key includes: receiving, from the adjacent storage service layer, at least one data fragment corresponding to the first data, at least one storage service key and a second correspondence between the at least one data fragment and the at least one storage service key; and, for any data fragment, dividing the data fragment into a plurality of data chunks and generating at least one data encryption key for the plurality of data chunks. Accordingly, encrypting the data encryption key according to the storage service key provided by the adjacent storage service layer and storing the ciphertext of the encrypted data encryption key includes: for any data fragment, encrypting the at least one data encryption key with the storage service key corresponding to that data fragment according to the second correspondence, to obtain the ciphertext of the at least one data encryption key. Correspondingly, encrypting the first data according to the data encryption key and persistently storing the resulting data ciphertext includes: encrypting the corresponding data chunks according to the at least one data encryption key, storing the ciphertext of the plurality of encrypted data chunks in at least one persistent file, and recording in the metadata of the at least one persistent file the identification information of the data chunks it contains and the ciphertext of the data encryption key used to encrypt those data chunks.
In an alternative embodiment, receiving a storage service key provided by the adjacent storage service layer includes: receiving, from the adjacent storage service layer, the identification information of at least one data fragment, at least one storage service key and a third correspondence between the identification information of the at least one data fragment and the at least one storage service key. Correspondingly, decrypting the ciphertext of the data encryption key according to the storage service key provided by the adjacent storage service layer to obtain the data encryption key includes: determining at least one persistent file according to the correspondence between the at least one data fragment contained in the second data and the at least one persistent file, and obtaining from the metadata of the at least one persistent file the identification information of the data chunks it contains and the ciphertext of the data encryption key used to encrypt those data chunks; and decrypting the ciphertext of the data encryption key used to encrypt each data chunk with the at least one storage service key, according to the correspondence between data chunks and data fragments and the third correspondence, to obtain the data encryption key. Correspondingly, decrypting the data ciphertext corresponding to the second data according to the data encryption key to obtain the second data, and sending the second data to the adjacent storage service layer, includes: decrypting the ciphertext of each data chunk according to the data encryption key corresponding to that data chunk to obtain at least one data fragment, where each data fragment comprises a plurality of data chunks.
In an alternative embodiment, the method provided by the embodiment of the present application further includes: updating the data encryption key; decrypting the user data from the data ciphertext that was obtained by encrypting the user data with the data encryption key before the update, and encrypting the user data again with the updated data encryption key to obtain a new data ciphertext; and encrypting the updated data encryption key according to the storage service key provided by the adjacent storage service layer to obtain the ciphertext of the updated data encryption key, which replaces the ciphertext of the data encryption key before the update.
Fig. 5d is a flowchart of another data read-write method according to an exemplary embodiment of the present application, applicable to a storage persistence node in a cloud storage system. As shown in fig. 5d, the method includes:
501d, receiving a user master key provided by a key management node in the user interaction layer of the cloud storage system;
502d, generating a data encryption key, and, during data reading and writing, encrypting and decrypting user data according to the data encryption key and encrypting and decrypting the data encryption key according to the user master key.
In an alternative embodiment, generating a data encryption key, encrypting and decrypting user data according to the data encryption key and encrypting and decrypting the data encryption key according to the user master key during data reading and writing includes: when a user writes first data, generating a data encryption key, encrypting the first data according to the data encryption key to obtain a data ciphertext, and persistently storing the data ciphertext; encrypting the data encryption key according to the user master key to obtain the ciphertext of the data encryption key and persistently storing that ciphertext; when the user reads second data, decrypting the ciphertext of the data encryption key according to the user master key to obtain the data encryption key; and decrypting the data ciphertext of the second data according to the data encryption key to obtain the second data, and sending the second data to the user's computing node.
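The following is an added worked example, not code from the patent or from the assignee; it models in one runnable program the three passages above: the storage service layer's per-fragment layer storage service keys kept only as ciphertext under the key from the layer above, the persistence layer's per-chunk data encryption keys wrapped under the fragment's storage service key and recorded in the persistent file's metadata, and the two rotation cases (a user master key change that re-wraps only the layer keys, and a data encryption key update that re-encrypts the data). The class and function names, the fragment and chunk sizes, and the key-wrapping primitive are all this example's own assumptions; `seal`/`open_` is a standard-library stand-in (HMAC-SHA256 keystream plus an HMAC tag) so the example runs offline, where a real deployment would use AES-GCM or a KMS wrap call. The variant of fig. 5d, where the master key wraps the data encryption key directly, is the same `StoragePersistenceLayer.write` call with the master key passed in place of a layer key.

```python
import hashlib
import hmac
import os

# Stand-in AEAD built only from the standard library (HMAC-SHA256 keystream plus
# an HMAC tag) so the example runs offline; a real deployment would wrap keys
# with AES-GCM or a KMS call. Blob layout: nonce(16) | ciphertext | tag(32).
def _subkey(key, label):
    return hmac.new(key, label, hashlib.sha256).digest()

def _stream(key, nonce, n):
    out = b""
    for ctr in range(0, n, 32):
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:n]

def seal(key, plaintext):
    nonce = os.urandom(16)
    ks = _stream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(a ^ b for a, b in zip(plaintext, ks))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def open_(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expect = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expect, tag):
        raise ValueError("wrong key: wrapped key or ciphertext failed authentication")
    ks = _stream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(a ^ b for a, b in zip(ct, ks))

def _split(data, size):
    return [data[i:i + size] for i in range(0, len(data), size)]

class StorageServiceLayer:
    """Splits an object into fragments, generates one layer storage service key
    per fragment and keeps only that key's ciphertext under the key handed down
    by the layer above (the user master key in this example)."""
    def __init__(self, fragment_size):
        self.fragment_size = fragment_size
        self.index = {}  # first correspondence: object id -> {fragment id: wrapped layer key}

    def write(self, upper_key, obj_id, data):
        entries = []  # second correspondence: (fragment id, fragment, layer key), sent downward
        self.index[obj_id] = {}
        for i, frag in enumerate(_split(data, self.fragment_size)):
            frag_id, layer_key = f"{obj_id}/frag{i}", os.urandom(32)
            self.index[obj_id][frag_id] = seal(upper_key, layer_key)
            entries.append((frag_id, frag, layer_key))
        return entries

    def read_keys(self, upper_key, obj_id):
        # third correspondence: fragment id -> unwrapped layer key, handed to the persistence layer
        return [(fid, open_(upper_key, w)) for fid, w in self.index[obj_id].items()]

    def rewrap(self, old_upper_key, new_upper_key):
        """User master key changed: re-wrap the layer keys only; user data is untouched."""
        for obj in self.index.values():
            for fid, w in obj.items():
                obj[fid] = seal(new_upper_key, open_(old_upper_key, w))

class StoragePersistenceLayer:
    """Splits fragments into chunks, encrypts each chunk under its own data
    encryption key (DEK) and records chunk id plus DEK ciphertext (wrapped under
    the fragment's storage service key) in the persistent file's metadata."""
    def __init__(self, chunk_size):
        self.chunk_size = chunk_size
        self.files = {}  # fragment id -> {"meta": {chunk id: wrapped DEK}, "body": {chunk id: ciphertext}}

    def write(self, entries):
        for frag_id, frag, layer_key in entries:
            meta, body = {}, {}
            for j, chunk in enumerate(_split(frag, self.chunk_size)):
                cid, dek = f"{frag_id}/chunk{j}", os.urandom(32)
                meta[cid] = seal(layer_key, dek)
                body[cid] = seal(dek, chunk)
            self.files[frag_id] = {"meta": meta, "body": body}

    def read(self, frag_keys):
        out = b""
        for frag_id, layer_key in frag_keys:
            f = self.files[frag_id]
            for cid, wrapped_dek in f["meta"].items():  # insertion order == chunk order
                out += open_(open_(layer_key, wrapped_dek), f["body"][cid])
        return out

    def rotate_deks(self, frag_keys):
        """DEK update: data is decrypted and re-encrypted, then the new DEK is re-wrapped."""
        for frag_id, layer_key in frag_keys:
            f = self.files[frag_id]
            for cid in list(f["meta"]):
                plain = open_(open_(layer_key, f["meta"][cid]), f["body"][cid])
                new_dek = os.urandom(32)
                f["body"][cid] = seal(new_dek, plain)
                f["meta"][cid] = seal(layer_key, new_dek)  # replaces the old DEK ciphertext

def write_object(service, persistence, master_key, obj_id, data):
    persistence.write(service.write(master_key, obj_id, data))

def read_object(service, persistence, master_key, obj_id):
    return persistence.read(service.read_keys(master_key, obj_id))

def can_read(service, persistence, master_key, obj_id):
    """True only if the supplied master key still unwraps the layer keys."""
    try:
        read_object(service, persistence, master_key, obj_id)
        return True
    except ValueError:
        return False
```

The point worth checking in practice is visible in the two rotation paths: after `rewrap` the chunk ciphertexts in `files` are byte-identical and the old master key no longer opens anything, whereas `rotate_deks` necessarily rewrites every chunk, which is why the scheme keeps master key rotation cheap by wrapping keys rather than data.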
The detailed implementation and beneficial effects of each step of the method in this embodiment have been described in the foregoing embodiments and are not repeated here.
It should be noted that the steps of the method provided in the above embodiments may be executed by the same device, or by different devices. For example, steps 501a to 503a may be executed by device A; alternatively, steps 501a and 502a may be executed by device A and step 503a by device B; and so on.
In addition, some of the above embodiments and the flows shown in the drawings include a plurality of operations that appear in a specific order, but it should be clearly understood that the operations may be performed in a different order from the one shown here, or in parallel; the sequence numbers of the operations, such as 501a and 502a, are only used to distinguish the operations and do not by themselves imply any order of execution. The flows may also include more or fewer operations, and the operations may be performed sequentially or in parallel. It should further be noted that "first" and "second" herein are used to distinguish different messages, devices, modules and the like; they do not denote an order, and the "first" and "second" items are not limited to being of different types.
Fig. 6a is a schematic structural diagram of a data read-write device according to an exemplary embodiment of the present application. The device corresponds to a key management node in the user interaction layer of a cloud storage system and, as shown in fig. 6a, includes a management module 61a and a providing module 62a.
The management module 61a is configured to manage a user master key;
and the providing module 62a is configured to provide the user master key to the storage service layer adjacent to the user interaction layer in the cloud storage system, so that that storage service layer and the storage persistence layer cooperate to encrypt and decrypt user data.
In an alternative embodiment, the management module is specifically configured to: periodically update the user master key, and, when the user master key is updated, provide the updated user master key to the storage service layer adjacent to the user interaction layer.
Fig. 6b is a schematic structural diagram of another data read-write device according to an exemplary embodiment of the present application. The device corresponds to a storage service node in at least one storage service layer of a cloud storage system and, as shown in fig. 6b, includes a generating module 61b, an encryption and decryption module 62b and a first transceiver module 63b.
The generating module 61b is configured to generate the layer storage service key, that is, the storage service key of the target storage service layer to which the storage service node belongs;
the encryption and decryption module 62b is configured to encrypt and decrypt the layer storage service key during data reading and writing according to the key provided by the layer above, where the key provided by the layer above is the user master key or the storage service key of the storage service layer above the target storage service layer;
and the first transceiver module 63b is configured to provide the layer storage service key to the next layer, where the next layer is the next storage service layer adjacent to the target storage service layer or the storage persistence layer in the cloud storage system.
In an alternative embodiment, the generating module is specifically configured to: generating a layer storage service key when a user writes first data; the first transceiver module is further used for receiving a key provided by a previous layer, and the previous layer is realized as a user interaction layer in the cloud storage system or as a previous storage service layer adjacent to the user interaction layer; the encryption and decryption module is specifically used for encrypting the storage service key of the layer according to the key provided by the upper layer and storing the ciphertext of the storage service key of the layer obtained by encryption; the first transceiver module is specifically configured to send the first data and the local storage service key to a next layer, where the next layer is a next storage service layer or a storage persistence layer adjacent to the next layer.
In an alternative embodiment, the first transceiver module is specifically configured to: when the user reads the second data, acquiring a key provided by the upper layer; the encryption and decryption module is specifically used for decrypting the ciphertext of the storage service key of the layer according to the key provided by the upper layer to obtain the storage service key of the layer; the first transceiver module is specifically configured to: and sending the identification information of the second data and the storage service key of the layer to the next layer, receiving the second data returned by the adjacent next storage service layer or the storage persistence layer, and sending the second data to the upper layer.
Optionally, the generating module is specifically configured to: dividing the data to be stored into at least one data partition when the data to be stored is received; generating at least one layer store service key for at least one data fragment; the data to be stored is first data or data fragments sent by a storage service layer of the upper layer; the encryption and decryption module is specifically used for: encrypting at least one layer of storage service key according to a key corresponding to the data to be stored, which is provided by the previous layer, respectively and storing ciphertext of at least one layer of storage service key, and establishing a first corresponding relation among the key corresponding to the data to be stored, the identifier of at least one data fragment and the ciphertext of at least one layer of storage service key; the first transceiver module is specifically configured to: and transmitting the at least one data fragment, the at least one local layer storage service key and a second corresponding relation between the at least one data fragment and the at least one local layer storage service key to the next layer.
Optionally, the encryption and decryption module is specifically configured to: inquiring the first corresponding relation according to the key provided by the upper layer to obtain the identification of at least one data fragment corresponding to the second data and the ciphertext of at least one local storage service key; decrypting the ciphertext of the at least one layer storage service key according to the key provided by the upper layer to obtain the at least one layer storage service key; the first transceiver module is specifically configured to: and transmitting the identification information of the at least one data fragment, the at least one local layer storage service key and a third corresponding relation between the identification information of the at least one data fragment and the at least one local layer storage service key to the next layer.
In an alternative embodiment, the encryption and decryption module is further configured to: under the condition that the user master key is changed, decrypting the layer storage service key from the ciphertext of the layer storage service key by using the user master key before the change, and re-encrypting the layer storage service key by using the user master key after the change to obtain a new ciphertext of the layer storage service key.
Fig. 6c is a schematic structural diagram of still another data read-write device according to an exemplary embodiment of the present application. The device corresponds to a storage persistence node in the storage persistence layer of a cloud storage system and includes a second transceiver module 61c, a generating module 62c and an encryption and decryption module 63c.
The second transceiver module 61c is configured to receive a storage service key provided by the storage service layer adjacent to the storage persistence layer in the cloud storage system;
the generating module 62c is configured to generate a data encryption key;
and the encryption and decryption module 63c is configured to encrypt and decrypt user data according to the data encryption key during data reading and writing, and to encrypt and decrypt the data encryption key according to the storage service key provided by the adjacent storage service layer.
In an alternative embodiment, the generating module is specifically configured to: generating a data encryption key when a user writes first data; the encryption and decryption module is specifically used for: encrypting the first data according to the data encryption key and storing the encrypted data ciphertext in a lasting manner, and encrypting the data encryption key according to the storage service key provided by the storage service layer adjacent to the first data and storing the encrypted data ciphertext of the encrypted data encryption key.
In an alternative embodiment, the second transceiver module is specifically configured to: receiving a storage service key provided by a storage service layer adjacent to the second data when the user reads the second data; the encryption and decryption module is specifically used for: decrypting the ciphertext of the data encryption key according to the storage service key provided by the storage service layer adjacent to the storage service layer to obtain the data encryption key; and decrypting the data ciphertext corresponding to the second data according to the data encryption key to obtain the second data, and sending the second data to a storage service layer adjacent to the second data.
Optionally, the generating module is specifically configured to: receiving at least one data fragment corresponding to first data sent by a storage service layer adjacent to the data fragment, at least one storage service key and a second corresponding relation between the at least one data fragment and the at least one storage service key; dividing the data fragments into a plurality of data chunks for any one data fragment, and generating at least one data encryption key for the plurality of data chunks; the encryption and decryption module is specifically used for: encrypting at least one data encryption key according to the second corresponding relation by utilizing a storage service key corresponding to the data fragments aiming at any data fragment so as to obtain ciphertext of at least one data encryption key; and encrypting the corresponding data chunks according to the at least one data encryption key, storing ciphertext of the plurality of data chunks obtained by encryption into at least one persistent file, and recording identification information of the data chunks contained in metadata of the at least one persistent file and ciphertext of the data encryption key used for encrypting the data chunks.
Further optionally, the second transceiver module is specifically configured to: receiving the identification information of at least one data fragment sent by a storage service layer adjacent to the storage service layer, at least one storage service key and a third corresponding relation between the identification information of at least one data fragment and at least one local storage service key; the encryption and decryption module is specifically used for: determining at least one persistent file according to the corresponding relation between at least one data fragment contained in the second data and at least one persistent file, and acquiring the identification information of the contained data chunks and the ciphertext of a data encryption key used for encrypting the data chunks from metadata of the at least one persistent file; decrypting ciphertext of a data encryption key used for encrypting each data chunk by utilizing at least one storage service key according to the corresponding relation between the data chunks and the data fragments and the third corresponding relation, so as to obtain the data encryption key; and decrypting ciphertext of each data chunk according to the data encryption key corresponding to each data chunk to obtain at least one data fragment, wherein each data fragment comprises a plurality of data chunks.
In an alternative embodiment, the apparatus further comprises: an update module and a replacement module. The updating module is used for updating the data encryption key; the encryption and decryption module is used for decrypting the user data from the data ciphertext obtained by encrypting the user data by using the data encryption key before updating, and encrypting the user data again by using the data encryption key after updating to obtain a new data ciphertext; encrypting the updated data encryption key according to the storage service key provided by the adjacent storage service layer to obtain the ciphertext of the updated data encryption key; and the replacing module is used for replacing the ciphertext of the data encryption key before updating.
The exemplary embodiment of the present application further provides a data read-write device corresponding to a storage persistence node in a cloud storage system; fig. 6c can be referred to as the device diagram. The device includes a second transceiver module, a generating module and an encryption and decryption module.
The second transceiver module is configured to receive a user master key provided by a key management node in the user interaction layer of the cloud storage system;
the generating module is configured to generate a data encryption key;
and the encryption and decryption module is configured to encrypt and decrypt user data according to the data encryption key and to encrypt and decrypt the data encryption key according to the user master key during data reading and writing.
In an alternative embodiment, the generating module is specifically configured to generate a data encryption key when a user writes first data; the encryption and decryption module is configured to encrypt the first data according to the data encryption key to obtain a data ciphertext and persistently store the data ciphertext, to encrypt the data encryption key according to the user master key to obtain the ciphertext of the data encryption key and persistently store that ciphertext, to decrypt the ciphertext of the data encryption key according to the user master key when the user reads second data to obtain the data encryption key, and to decrypt the data ciphertext of the second data according to the data encryption key to obtain the second data; and the second transceiver module is further configured to send the second data to the user's computing node.
Fig. 7 is a schematic structural diagram of an electronic device according to an exemplary embodiment of the present application, corresponding to a key management node in the user interaction layer of a cloud storage system. As shown in fig. 7, the device includes a memory 74 and a processor 75.
The memory 74 is used to store computer programs and may be configured to store various other data to support operations on the electronic device. Examples of such data include instructions for any application or method operating on the electronic device, contact data, phonebook data, messages, pictures, videos, and the like.
The memory 74 may be implemented by any type or combination of volatile or non-volatile memory devices, such as static random access memory (SRAM), electrically erasable programmable read-only memory (EEPROM), erasable programmable read-only memory (EPROM), programmable read-only memory (PROM), read-only memory (ROM), magnetic memory, flash memory, or a magnetic or optical disk.
The processor 75 is coupled to the memory 74 and executes the computer program in the memory 74 to: manage a user master key; and provide the user master key to the storage service layer adjacent to the user interaction layer in the cloud storage system, so that that storage service layer and the storage persistence layer cooperate to encrypt and decrypt user data.
In an alternative embodiment, when managing the user master key, the processor 75 is specifically configured to: periodically update the user master key, and, when the user master key is updated, provide the updated user master key to the storage service layer adjacent to the user interaction layer.
Further, as shown in fig. 7, the electronic device also includes a communication component 76, a display 77, a power component 78, an audio component 79, and the like. Only some components are shown schematically in fig. 7, which does not mean that the electronic device comprises only the components shown in fig. 7. In addition, the components within the dashed box in fig. 7 are optional rather than mandatory, depending on the product form of the electronic device. The electronic device in this embodiment may be implemented as a terminal device such as a desktop computer, a notebook computer, a smart phone or an IoT device, or as a server device such as a conventional server, a cloud server or a server array.
The embodiment of the present application also provides an electronic device corresponding to a storage service node in at least one storage service layer of the cloud storage system. Its implementation structure is the same as or similar to that of the electronic device shown in fig. 7 and can be implemented with reference to that structure. The electronic device provided in this embodiment differs from the one in the embodiment shown in fig. 7 mainly in the functions implemented by the processor executing the computer program stored in the memory. In the electronic device provided in this embodiment, the processor executes the computer program stored in the memory to: generate the layer storage service key, and, during data reading and writing, encrypt and decrypt the layer storage service key according to the key provided by the layer above, where the key provided by the layer above is the user master key or the storage service key of the storage service layer above; and provide the layer storage service key to the next layer, which is implemented as the next storage service layer or the storage persistence layer in the cloud storage system.
In an alternative embodiment, when generating the layer storage service key and encrypting and decrypting the layer storage service key according to the key provided by the layer above during data writing, the processor is specifically configured to: when a user writes first data, generate the layer storage service key and receive the key provided by the layer above, where the layer above is implemented as the user interaction layer in the cloud storage system or as the storage service layer immediately above; and encrypt the layer storage service key according to the key provided by the layer above, store the ciphertext of the encrypted layer storage service key, and send the first data and the layer storage service key to the next layer, where the next layer is the adjacent next storage service layer or the storage persistence layer.
In an alternative embodiment, during data reading, the processor is specifically configured to: when the user reads second data, obtain the key provided by the layer above; decrypt the ciphertext of the layer storage service key according to the key provided by the layer above to obtain the layer storage service key; send the identification information of the second data and the layer storage service key to the next layer; and receive the second data returned by the adjacent next storage service layer or the storage persistence layer and send the second data to the layer above.
In an alternative embodiment, when generating the layer storage service key, the processor is specifically configured to: when data to be stored is received, divide the data to be stored into at least one data fragment, and generate at least one layer storage service key for the at least one data fragment; the data to be stored is the first data, or data fragments sent by the storage service layer above. When encrypting the layer storage service key according to the key provided by the layer above and storing the ciphertext of the encrypted layer storage service key, the processor is specifically configured to: encrypt the at least one layer storage service key respectively according to the key corresponding to the data to be stored that was provided by the layer above, store the ciphertext of the at least one layer storage service key, and establish a first correspondence among the key corresponding to the data to be stored, the identifier of the at least one data fragment and the ciphertext of the at least one layer storage service key. When sending the first data and the layer storage service key to the next layer, the processor is specifically configured to: send the at least one data fragment, the at least one layer storage service key and a second correspondence between the at least one data fragment and the at least one layer storage service key to the next layer.
In an alternative embodiment, when decrypting the ciphertext of the layer storage service key according to the key provided by the layer above to obtain the layer storage service key, the processor is specifically configured to: query the first correspondence according to the key provided by the layer above to obtain the identifier of the at least one data fragment corresponding to the second data and the ciphertext of the at least one layer storage service key; and decrypt the ciphertext of the at least one layer storage service key according to the key provided by the layer above to obtain the at least one layer storage service key. When sending the identification information of the second data and the layer storage service key to the next layer, the processor is specifically configured to: send the identification information of the at least one data fragment, the at least one layer storage service key and a third correspondence between the identification information of the at least one data fragment and the at least one layer storage service key to the next layer.
In an alternative embodiment, the processor is further configured to: when the user master key is changed, decrypt the layer storage service key from its ciphertext using the user master key before the change, and re-encrypt the layer storage service key using the user master key after the change to obtain a new ciphertext of the layer storage service key.
The embodiment of the application also provides an electronic device corresponding to the storage persistence node in the storage persistence layer of the cloud storage system. Its implementation structure is the same as or similar to that of the electronic device shown in fig. 7 and can be realized with reference to that structure. The electronic device of this embodiment differs from the one shown in fig. 7 mainly in the functions implemented by the processor executing the computer program stored in the memory. In this embodiment the processor, executing the computer program stored in the memory, may be configured to: receive a storage service key provided by the storage service layer adjacent to the storage persistence layer in the cloud storage system; generate a data encryption key; encrypt and decrypt user data according to the data encryption key in the data reading and writing process; and encrypt and decrypt the data encryption key according to the storage service key provided by the adjacent storage service layer.
In an alternative embodiment, when generating the data encryption key and, in the data writing process, encrypting and decrypting user data according to the data encryption key and encrypting and decrypting the data encryption key according to the storage service key provided by the storage service layer, the processor is specifically configured to: generate a data encryption key when a user writes first data; encrypt the first data according to the data encryption key and persistently store the resulting data ciphertext; and encrypt the data encryption key according to the storage service key provided by the adjacent storage service layer and store the ciphertext of the encrypted data encryption key.
In an alternative embodiment, when, in the data reading process, encrypting and decrypting user data according to the data encryption key and encrypting and decrypting the data encryption key according to the storage service key provided by the storage service layer, the processor is specifically configured to: receive the storage service key provided by the adjacent storage service layer when the user reads second data; decrypt the ciphertext of the data encryption key according to that storage service key to obtain the data encryption key; and decrypt the data ciphertext corresponding to the second data according to the data encryption key to obtain the second data, and send the second data to the adjacent storage service layer.
In an alternative embodiment, when generating the data encryption key, the processor is specifically configured to: receive, from the adjacent storage service layer, at least one data fragment corresponding to the first data, at least one storage service key and a second correspondence between the at least one data fragment and the at least one storage service key; and, for any data fragment, divide the data fragment into a plurality of data chunks and generate at least one data encryption key for the plurality of data chunks. When encrypting the data encryption key according to the storage service key provided by the adjacent storage service layer and storing the ciphertext of the encrypted data encryption key, the processor is specifically configured to: for any data fragment, encrypt the at least one data encryption key with the storage service key corresponding to that data fragment according to the second correspondence, so as to obtain the ciphertext of the at least one data encryption key. When encrypting the first data according to the data encryption key and persistently storing the encrypted data ciphertext, the processor is specifically configured to: encrypt the corresponding data chunks according to the at least one data encryption key, store the ciphertexts of the plurality of data chunks obtained by encryption in at least one persistent file, and record in the metadata of the at least one persistent file the identification information of the data chunks it contains and the ciphertext of the data encryption key used to encrypt those data chunks.
Optionally, when receiving the storage service key provided by the adjacent storage service layer, the processor is specifically configured to: receive, from the adjacent storage service layer, the identification information of at least one data fragment, at least one storage service key and a third correspondence between the identification information of the at least one data fragment and the at least one storage service key. When decrypting the ciphertext of the data encryption key according to the storage service key provided by the adjacent storage service layer to obtain the data encryption key, the processor is specifically configured to: determine at least one persistent file according to the correspondence between the at least one data fragment contained in the second data and the at least one persistent file; acquire from the metadata of the at least one persistent file the identification information of the data chunks it contains and the ciphertext of the data encryption key used to encrypt those data chunks; and decrypt the ciphertext of the data encryption key used for each data chunk with the at least one storage service key, according to the correspondence between data chunks and data fragments and the third correspondence, so as to obtain the data encryption key. When decrypting the data ciphertext corresponding to the second data according to the data encryption key to obtain the second data and sending the second data to the adjacent storage service layer, the processor is specifically configured to: decrypt the ciphertext of each data chunk according to the data encryption key corresponding to that data chunk to obtain at least one data fragment, where each data fragment comprises a plurality of data chunks.
In an alternative embodiment, the processor is further configured to: update the data encryption key; decrypt the user data from the data ciphertext that was obtained by encrypting the user data with the data encryption key before the update, and encrypt the user data again with the updated data encryption key to obtain a new data ciphertext; and encrypt the updated data encryption key according to the storage service key provided by the adjacent storage service layer to obtain the ciphertext of the updated data encryption key, replacing the ciphertext of the data encryption key before the update.
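The key chain described in the preceding embodiments, as an added Go example written for this page (it is not code from the patent or from Alibaba Cloud): the storage service layer splits an object into fragments and wraps one storage service key (SSK) per fragment under the key from the layer above, here the user master key; the persistence layer splits each fragment into chunks, encrypts each chunk under its own data encryption key (DEK) and keeps that DEK wrapped under the fragment's SSK as metadata beside the ciphertext; the read path unwraps the chain top-down; and the two rotations of this and the earlier embodiment sit side by side. AES-256-GCM as the cipher, in-memory maps standing in for the persistent files and for the first, second and third correspondence relations, and the id form obj/fragN/chunkM are all the example's own assumptions, since the patent fixes none of them. The same functions also illustrate claims 1-4 and 9-17 below, which restate these steps.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

func randomBytes(n int) []byte { // keys and nonces
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil { panic(err) }
	return b
}
// seal/open: AES-256-GCM, nonce prepended (the example's choice; the patent names no cipher). It wraps
// keys (SSK under master key, DEK under SSK) and encrypts chunks; open fails on a wrong key or altered bytes.
func seal(key, pt []byte) []byte {
	block, err := aes.NewCipher(key) // 32-byte key selects AES-256
	if err != nil { panic(err) }
	g, _ := cipher.NewGCM(block) // cannot fail for AES's 16-byte block
	nonce := randomBytes(g.NonceSize())
	return g.Seal(nonce, nonce, pt, nil)
}
func open(key, ct []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	g, _ := cipher.NewGCM(block)
	if len(ct) < g.NonceSize() { return nil, fmt.Errorf("ciphertext too short") }
	return g.Open(nil, ct[:g.NonceSize()], ct[g.NonceSize():], nil)
}
// split cuts b into pieces of at most n bytes (n > 0): data into fragments, fragments into chunks.
func split(b []byte, n int) (out [][]byte) {
	for len(b) > n { out, b = append(out, b[:n]), b[n:] }
	return append(out, b)
}
// Service: storage service node; the "first correspondence" fragment id -> SSK wrapped under the key
// of the layer above. Persist: persistence node; per chunk the ciphertext and its DEK wrapped under the SSK.
type Service map[string][]byte
type Persist struct {
	chunkCipher, wrappedDEK map[string][]byte
	fragChunks              map[string][]string // fragment id -> ordered chunk ids (assumed layout)
}
func NewPersist() *Persist { return &Persist{map[string][]byte{}, map[string][]byte{}, map[string][]string{}} }

// Write: one SSK per fragment, wrapped under upperKey; fragment and SSK are handed down (the
// "second correspondence") and the persistence layer wraps one DEK per chunk under that SSK.
func (s Service) Write(upperKey []byte, obj string, data []byte, fragSize, chunkSize int, p *Persist) (frags []string) {
	for i, frag := range split(data, fragSize) {
		fragID, ssk := fmt.Sprintf("%s/frag%d", obj, i), randomBytes(32)
		s[fragID] = seal(upperKey, ssk)
		p.WriteFragment(fragID, ssk, split(frag, chunkSize))
		frags = append(frags, fragID)
	}
	return frags
}
func (p *Persist) WriteFragment(fragID string, ssk []byte, chunks [][]byte) {
	for j, chunk := range chunks {
		chunkID, dek := fmt.Sprintf("%s/chunk%d", fragID, j), randomBytes(32)
		p.chunkCipher[chunkID], p.wrappedDEK[chunkID] = seal(dek, chunk), seal(ssk, dek)
		p.fragChunks[fragID] = append(p.fragChunks[fragID], chunkID)
	}
}
// Read walks the chain downward: upperKey unwraps each SSK, the SSK unwraps each chunk's DEK,
// the DEK decrypts the chunk. Any failed authentication tag aborts the whole read.
func (s Service) Read(upperKey []byte, frags []string, p *Persist) (out []byte, _ error) {
	for _, fragID := range frags {
		ssk, err := open(upperKey, s[fragID])
		if err != nil { return nil, fmt.Errorf("unwrap SSK of %s: %w", fragID, err) }
		for _, chunkID := range p.fragChunks[fragID] {
			pt, err := p.readChunk(chunkID, ssk)
			if err != nil { return nil, err }
			out = append(out, pt...)
		}
	}
	return out, nil
}
func (p *Persist) readChunk(chunkID string, ssk []byte) ([]byte, error) {
	dek, err := open(ssk, p.wrappedDEK[chunkID])
	if err != nil { return nil, fmt.Errorf("unwrap DEK of %s: %w", chunkID, err) }
	return open(dek, p.chunkCipher[chunkID])
}
// RotateUpperKey (changed user master key) rewrites only the SSK ciphertexts; data and wrapped DEKs are
// untouched. RotateDEK is the costly counterpart: re-encrypt the chunk under a fresh DEK, re-wrap it, reuse the SSK.
func (s Service) RotateUpperKey(oldKey, newKey []byte) error {
	for id, w := range s {
		ssk, err := open(oldKey, w)
		if err != nil { return err }
		s[id] = seal(newKey, ssk)
	}
	return nil
}
func (p *Persist) RotateDEK(chunkID string, ssk []byte) error {
	pt, err := p.readChunk(chunkID, ssk)
	if err != nil { return err }
	dek := randomBytes(32)
	p.chunkCipher[chunkID], p.wrappedDEK[chunkID] = seal(dek, pt), seal(ssk, dek)
	return nil
}
```

The payoff the abstract claims for decoupling key management from data encryption is visible directly: RotateUpperKey leaves every chunk ciphertext byte-identical, so a master key change costs one small re-wrap per fragment, while RotateDEK must re-encrypt the affected data. A read with a wrong or stale master key fails at the first unwrap with an authentication error instead of returning garbage, because the wrapped keys are authenticated ciphertexts.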
The embodiment of the application also provides another electronic device corresponding to the storage persistence node in the storage persistence layer of the cloud storage system. Its implementation structure is the same as or similar to that of the electronic device shown in fig. 7 and can be realized with reference to that structure. The electronic device of this embodiment differs from the one shown in fig. 7 mainly in the functions implemented by the processor executing the computer program stored in the memory. In this embodiment the processor, executing the computer program stored in the memory, may be configured to: receive a user master key provided by the key management node in the user interaction layer of the cloud storage system; generate a data encryption key; encrypt and decrypt user data according to the data encryption key in the data reading and writing process; and encrypt and decrypt the data encryption key according to the user master key.
In an alternative embodiment, when generating the data encryption key and, in the data reading and writing process, encrypting and decrypting user data according to the data encryption key and encrypting and decrypting the data encryption key according to the user master key, the processor is specifically configured to: when a user writes first data, generate a data encryption key, encrypt the first data according to the data encryption key to obtain a data ciphertext and persistently store it, and encrypt the data encryption key according to the user master key to obtain a ciphertext of the data encryption key and persistently store it; when the user reads second data, decrypt the ciphertext of the data encryption key according to the user master key to obtain the data encryption key, decrypt the data ciphertext of the second data according to the data encryption key to obtain the second data, and send the second data to the user's computing node.
The detailed implementation and beneficial effects of the electronic devices provided by the embodiments of the present application have been described in the foregoing embodiments and are not repeated here.
Accordingly, embodiments of the present application also provide a computer-readable storage medium storing a computer program which, when executed, can implement the steps executable by an electronic device in the method embodiments shown in fig. 5a to 5d.
The memory may be implemented by any type of volatile or non-volatile memory device, or a combination thereof, such as static random-access memory (SRAM), electrically erasable programmable read-only memory (EEPROM), erasable programmable read-only memory (EPROM), programmable read-only memory (PROM), read-only memory (ROM), magnetic memory, flash memory, magnetic disk or optical disk.
The communication component is configured to facilitate wired or wireless communication between the device in which it is located and other devices. The device in which the communication component is located can access a wireless network based on a communication standard, such as a WiFi, 2G, 3G, 4G/LTE or 5G mobile communication network, or a combination thereof. In one exemplary embodiment, the communication component receives a broadcast signal or broadcast-related information from an external broadcast management system via a broadcast channel. In one exemplary embodiment, the communication component further includes a near field communication (NFC) module to facilitate short-range communication. For example, the NFC module may be implemented based on radio frequency identification (RFID) technology, Infrared Data Association (IrDA) technology, ultra-wideband (UWB) technology, Bluetooth (BT) technology and other technologies.
The display includes a screen, which may include a liquid crystal display (Liquid Crystal Display, LCD) and a Touch Panel (TP). If the screen includes a touch panel, the screen may be implemented as a touch screen to receive input signals from a user. The touch panel includes one or more touch sensors to sense touches, swipes, and gestures on the touch panel. The touch sensor may sense not only the boundary of a touch or sliding action, but also the duration and pressure associated with the touch or sliding operation.
The power supply component provides power for the various components of the device in which it is located. The power supply component may include a power management system, one or more power sources, and other components associated with generating, managing and distributing power for that device.
The audio component may be configured to output and/or input audio signals. For example, the audio component includes a microphone (MIC) configured to receive external audio signals when the device in which the audio component is located is in an operating mode, such as a call mode, a recording mode or a voice recognition mode. The received audio signal may be further stored in the memory or transmitted via the communication component. In some embodiments, the audio component further comprises a speaker for outputting audio signals.
It will be appreciated by those skilled in the art that embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-readable storage media (including, but not limited to, magnetic disk storage, CD-ROM (Compact Disc Read-Only Memory), optical storage, and the like) having computer-usable program code embodied therein.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flowchart illustrations and/or block diagrams, and combinations of flows and/or blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
In one typical configuration, a computing device includes one or more processors (central processing units, CPUs), input/output interfaces, network interfaces, and memory.
The memory may include volatile memory in a computer-readable medium, such as random access memory (RAM), and/or non-volatile memory, such as read-only memory (ROM) or flash RAM. Memory is an example of a computer-readable medium.
Computer-readable media include permanent and non-permanent, removable and non-removable media, and may implement information storage by any method or technology. The information may be computer-readable instructions, data structures, program modules, or other data. Examples of computer storage media include, but are not limited to, phase-change random access memory (PRAM), static random access memory (SRAM), dynamic random access memory (DRAM), other types of random access memory (RAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), flash memory or other memory technology, compact disc read-only memory (CD-ROM), digital versatile disc (DVD) or other optical storage, magnetic cassettes, magnetic tape or magnetic disk storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information accessible by the computing device. As defined herein, computer-readable media do not include transitory computer-readable media (transmission media), such as modulated data signals and carrier waves.
It should also be noted that the terms "comprises", "comprising", or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article or apparatus that comprises a list of elements includes not only those elements but may include other elements not expressly listed or inherent to such process, method, article or apparatus. Without further limitation, an element defined by the phrase "comprising a …" does not exclude the presence of other like elements in a process, method, article or apparatus that comprises that element.
The foregoing is merely exemplary of the present application and is not intended to limit the present application. Various modifications and variations of the present application will be apparent to those skilled in the art. Any modification, equivalent replacement, improvement, etc. which come within the spirit and principles of the application are to be included in the scope of the claims of the present application.

Claims (20)

1. A cloud storage system, comprising: a user interaction layer, a storage persistence layer, and at least one storage service layer located between the user interaction layer and the storage persistence layer;
the user interaction layer comprises a key management node, wherein the key management node is used for managing a user master key and providing the user master key to the storage service layer adjacent to the key management node;
the storage service layer comprises a storage service node, wherein the storage service node is used for generating a local-layer storage service key, encrypting and decrypting the local-layer storage service key according to the key provided by the upper layer in the data reading and writing process, and providing the local-layer storage service key to the next layer for encrypting and decrypting keys;
the storage persistence layer comprises a storage persistence node, wherein the storage persistence node is used for generating a data encryption key, encrypting and decrypting the data encryption key according to the storage service key provided by the adjacent storage service layer in the data reading and writing process, and encrypting and decrypting user data according to the data encryption key.
2. The system of claim 1, wherein the storage service node in the storage service layer is specifically configured to: when a user writes first data, generate a local-layer storage service key, encrypt the local-layer storage service key according to the key provided by the upper layer to obtain a ciphertext of the local-layer storage service key, and store the ciphertext; and send the first data and the local-layer storage service key to the adjacent next storage service layer or the storage persistence layer, so that the adjacent next storage service layer or the storage persistence layer continues writing the first data;
the storage persistence node in the storage persistence layer is specifically configured to: when a user writes first data, generate a data encryption key, encrypt the first data according to the data encryption key to obtain a data ciphertext, and persistently store the data ciphertext; and encrypt the data encryption key according to the storage service key provided by the adjacent storage service layer to obtain a ciphertext of the data encryption key, and persistently store that ciphertext.
3. The system of claim 2, wherein the storage service node in the storage service layer is specifically configured to: when the user reads second data, decrypt the ciphertext of the local-layer storage service key according to the key provided by the upper layer to obtain the local-layer storage service key; send the identification information of the second data and the local-layer storage service key to the adjacent next storage service layer or the storage persistence layer, so that the adjacent next storage service layer or the storage persistence layer reads the second data; and receive the second data returned by the adjacent next storage service layer or the storage persistence layer, and return the second data to the adjacent previous storage service layer or to the user's computing node;
the storage persistence node in the storage persistence layer is specifically configured to: when the user reads the second data, decrypt the ciphertext of the data encryption key according to the storage service key provided by the adjacent storage service layer to obtain the data encryption key; and decrypt the data ciphertext of the second data according to the data encryption key to obtain the second data, and send the second data to the adjacent storage service layer.
4. The system according to any one of claims 1-3, wherein the storage service node in the storage service layer adjacent to the user interaction layer is further configured to: when the user master key is changed, decrypt the encrypted local-layer storage service key using the user master key before the change to obtain the local-layer storage service key, and re-encrypt the local-layer storage service key using the changed user master key;
and/or
the storage persistence node in the storage persistence layer is further configured to: update the data encryption key, decrypt the user data using the data encryption key before the update, and encrypt the user data again using the updated data encryption key; and encrypt the updated data encryption key according to the storage service key provided by the adjacent storage service layer, replacing the encryption result of the data encryption key before the update.
5. A cloud storage system, comprising: a user interaction layer and a storage persistence layer;
the user interaction layer comprises a key management node for managing a user master key and providing the user master key to the storage persistence layer;
the storage persistence layer comprises a storage persistence node, which is used for generating a data encryption key and, in the data reading and writing process, encrypting and decrypting user data according to the data encryption key and encrypting and decrypting the data encryption key according to the user master key.
6. A data read-write method, suitable for a storage service node in at least one storage service layer in a cloud storage system, the method comprising:
generating a local-layer storage service key, and encrypting and decrypting the local-layer storage service key according to a key provided by the upper layer in the data reading and writing process, wherein the local-layer storage service key is the storage service key of the target storage service layer to which the storage service node belongs, and the key provided by the upper layer is the user master key or the storage service key of the storage service layer above the target storage service layer; and
providing the local-layer storage service key to the next layer, wherein the next layer is the next storage service layer adjacent to the target storage service layer or the storage persistence layer in the cloud storage system.
7. The method of claim 6, wherein generating the local-layer storage service key and, in the data writing process, encrypting and decrypting the local-layer storage service key according to the key provided by the upper layer comprises:
when a user writes first data, generating a local-layer storage service key and receiving a key provided by the upper layer, wherein the upper layer is the user interaction layer in the cloud storage system or the previous storage service layer adjacent to the target storage service layer; and
encrypting the local-layer storage service key according to the key provided by the upper layer, storing the ciphertext of the encrypted local-layer storage service key, and sending the first data and the local-layer storage service key to the next layer.
8. The method of claim 7, wherein, in the data reading process, encrypting and decrypting the local-layer storage service key according to the key provided by the upper layer comprises:
when the user reads second data, acquiring the key provided by the upper layer;
decrypting the ciphertext of the local-layer storage service key according to the key provided by the upper layer to obtain the local-layer storage service key;
sending the identification information of the second data and the local-layer storage service key to the next layer; and
receiving the second data returned by the adjacent next storage service layer or the storage persistence layer and sending the second data to the upper layer.
9. The method of claim 8, wherein generating the local-layer storage service key comprises:
dividing data to be stored into at least one data fragment when the data to be stored is received;
generating at least one local-layer storage service key for the at least one data fragment, wherein the data to be stored is the first data or the data fragments sent by the upper storage service layer;
encrypting the local-layer storage service key according to the key provided by the upper layer and storing the ciphertext of the encrypted local-layer storage service key comprises:
encrypting the at least one local-layer storage service key according to the key corresponding to the data to be stored provided by the upper layer, storing the ciphertext of the at least one local-layer storage service key, and establishing a first correspondence among the key corresponding to the data to be stored, the identifier of the at least one data fragment and the ciphertext of the at least one local-layer storage service key;
sending the first data and the local-layer storage service key to the next layer comprises: sending the at least one data fragment, the at least one local-layer storage service key and a second correspondence between the at least one data fragment and the at least one local-layer storage service key to the next layer.
10. The method of claim 9, wherein decrypting the ciphertext of the local-layer storage service key according to the key provided by the upper layer to obtain the local-layer storage service key comprises:
querying the first correspondence according to the key provided by the upper layer to obtain the identifier of the at least one data fragment corresponding to the second data and the ciphertext of the at least one local-layer storage service key;
decrypting the ciphertext of the at least one local-layer storage service key according to the key provided by the upper layer to obtain the at least one local-layer storage service key;
sending the identification information of the second data and the local-layer storage service key to the next layer comprises: sending the identification information of the at least one data fragment, the at least one local-layer storage service key and a third correspondence between the identification information of the at least one data fragment and the at least one local-layer storage service key to the next layer.
11. The method according to any one of claims 6-10, further comprising:
when the user master key is changed, decrypting the local-layer storage service key from the ciphertext of the local-layer storage service key using the user master key before the change, and re-encrypting the local-layer storage service key using the user master key after the change to obtain a new ciphertext of the local-layer storage service key.
12. A data read-write method, suitable for a storage persistence node in a storage persistence layer in a cloud storage system, the method comprising:
receiving a storage service key provided by a storage service layer adjacent to the storage persistence layer in the cloud storage system;
generating a data encryption key and, in the data reading and writing process, encrypting and decrypting user data according to the data encryption key; and
encrypting and decrypting the data encryption key according to the storage service key provided by the adjacent storage service layer.
13. The method of claim 12, wherein generating a data encryption key and, during data writing, encrypting and decrypting user data according to the data encryption key and encrypting and decrypting the data encryption key according to the storage service key provided by the storage service layer comprises:
generating a data encryption key when a user writes first data;
encrypting the first data according to the data encryption key and persistently storing the encrypted data ciphertext; and
encrypting the data encryption key according to the storage service key provided by the adjacent storage service layer, and storing the ciphertext of the encrypted data encryption key.
14. The method of claim 13, wherein, during data reading, encrypting and decrypting user data according to the data encryption key and encrypting and decrypting the data encryption key according to the storage service key provided by the storage service layer comprises:
receiving the storage service key provided by the adjacent storage service layer when the user reads second data;
decrypting the ciphertext of the data encryption key according to the storage service key provided by the adjacent storage service layer to obtain the data encryption key; and
decrypting the data ciphertext corresponding to the second data according to the data encryption key to obtain the second data, and sending the second data to the adjacent storage service layer.
15. The method of claim 14, wherein generating the data encryption key comprises: receiving, from the adjacent storage service layer, at least one data fragment corresponding to the first data, at least one storage service key and a second correspondence between the at least one data fragment and the at least one storage service key; and, for any one data fragment, dividing the data fragment into a plurality of data chunks and generating at least one data encryption key for the plurality of data chunks;
encrypting the data encryption key according to the storage service key provided by the adjacent storage service layer and storing the ciphertext of the encrypted data encryption key comprises: for any data fragment, encrypting the at least one data encryption key with the storage service key corresponding to that data fragment according to the second correspondence, so as to obtain the ciphertext of the at least one data encryption key;
encrypting the first data according to the data encryption key and persistently storing the encrypted data ciphertext comprises: encrypting the corresponding data chunks according to the at least one data encryption key, storing the ciphertexts of the plurality of data chunks obtained by encryption in at least one persistent file, and recording in the metadata of the at least one persistent file the identification information of the data chunks it contains and the ciphertext of the data encryption key used to encrypt those data chunks.
16. The method of claim 15, wherein receiving the storage service key provided by the adjacent storage service layer comprises: receiving identification information of at least one data fragment, at least one storage service key, and a third corresponding relation between the identification information of the at least one data fragment and the at least one local storage service key, all sent by the adjacent storage service layer;
decrypting the ciphertext of the data encryption key according to the storage service key provided by the adjacent storage service layer to obtain the data encryption key comprises: determining at least one persistent file according to the corresponding relation between at least one data fragment contained in the second data and at least one persistent file, and acquiring, from the metadata of the at least one persistent file, the identification information of the data chunks it contains and the ciphertext of the data encryption key used to encrypt those data chunks; and decrypting the ciphertext of the data encryption key used to encrypt each data chunk with the at least one storage service key, according to the corresponding relation between the data chunks and the data fragments and the third corresponding relation, so as to obtain the data encryption key;
decrypting the data ciphertext corresponding to the second data according to the data encryption key to obtain the second data, and sending the second data to the adjacent storage service layer, comprises: decrypting the ciphertext of each data chunk according to the data encryption key corresponding to that data chunk to obtain at least one data fragment, wherein each data fragment comprises a plurality of data chunks.
17. The method according to any one of claims 12-16, further comprising:
updating the data encryption key, decrypting the user data from the data ciphertext obtained by encrypting the user data with the data encryption key before updating, and encrypting the user data again with the updated data encryption key to obtain a new data ciphertext; and
encrypting the updated data encryption key according to the storage service key provided by the adjacent storage service layer to obtain the ciphertext of the updated data encryption key, and replacing the ciphertext of the data encryption key before updating with it.
18. A data read-write method, applicable to a storage persistence node in a cloud storage system, comprising:
receiving a user master key provided by a key management node in a user interaction layer in a cloud storage system;
generating a data encryption key, and encrypting and decrypting user data according to the data encryption key in the data reading and writing process;
and encrypting and decrypting the data encryption key according to the user master key.
19. An electronic device, comprising: a memory and a processor; the memory is used for storing a computer program; the processor being coupled to the memory for executing the computer program for implementing the steps of the method of any one of claims 6-11, claims 12-17 and claim 18.
20. A computer readable storage medium storing a computer program, which when executed by a processor causes the processor to carry out the steps of any one of the methods of claims 6-11, 12-17 and 18.
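The following is an added worked model of the key hierarchy described in claims 15 through 17; it is example code written for this page, not code from the patent or from Alibaba Cloud. It models the storage persistence layer's side: one storage service key (SSK) per data fragment is supplied by the adjacent layer, a fresh data encryption key (DEK) is generated per chunk, each DEK is wrapped under its fragment's SSK, and the chunk ids plus wrapped DEKs are kept in the persistent file's metadata (claim 15); the read path unwraps and decrypts (claim 16); rotation decrypts under the old DEK, re-encrypts under a new one and replaces the wrapped DEK (claim 17). The page names no cipher, so the block uses a stdlib-only encrypt-then-MAC construction built from HMAC-SHA256 as a stand-in for a real AEAD such as AES-GCM; the function names, the `PersistentFile` layout, the chunk size and the sample fragments are all constructed for illustration.

```python
"""Stdlib-only model of a two-level key hierarchy (added example, not the patent's code):
storage service key (SSK, per fragment) wraps a data encryption key (DEK, per chunk);
the DEK encrypts the chunk; chunk id + wrapped DEK are stored in file metadata."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

CHUNK_SIZE = 16      # constructed: tiny so a short sample fragment yields several chunks
NONCE_LEN = 16
TAG_LEN = 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256: a stand-in PRF, not a production cipher."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def aead_encrypt(key: bytes, plaintext: bytes, aad: bytes) -> bytes:
    """Encrypt-then-MAC with derived subkeys; output is nonce || ciphertext || tag.
    The AAD binds the blob to its chunk id, so a blob cannot be swapped between chunks."""
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, aad + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def aead_decrypt(key: bytes, blob: bytes, aad: bytes) -> bytes:
    """Verify the tag before decrypting; a wrong key or a modified blob raises ValueError."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("blob too short")
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, aad + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or modified ciphertext")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


@dataclass
class PersistentFile:
    """Chunk ciphertexts plus the metadata claim 15 names: chunk id -> (fragment id, wrapped DEK)."""
    chunks: Dict[str, bytes] = field(default_factory=dict)
    metadata: Dict[str, Tuple[str, bytes]] = field(default_factory=dict)


def write_fragments(fragments: Dict[str, bytes], service_keys: Dict[str, bytes]) -> PersistentFile:
    """Claim 15 write path. service_keys is the fragment -> SSK mapping (the 'second
    corresponding relation'). No plaintext DEK is retained anywhere in the file."""
    pf = PersistentFile()
    for frag_id, data in fragments.items():
        ssk = service_keys[frag_id]
        pieces = [data[i:i + CHUNK_SIZE] for i in range(0, len(data), CHUNK_SIZE)] or [b""]
        for idx, piece in enumerate(pieces):
            chunk_id = f"{frag_id}/{idx}"
            dek = os.urandom(32)                                   # fresh DEK per chunk
            pf.chunks[chunk_id] = aead_encrypt(dek, piece, chunk_id.encode())
            pf.metadata[chunk_id] = (frag_id, aead_encrypt(ssk, dek, chunk_id.encode()))
    return pf


def _chunk_ids(pf: PersistentFile, frag_id: str) -> List[str]:
    ids = [cid for cid, (f, _) in pf.metadata.items() if f == frag_id]
    return sorted(ids, key=lambda cid: int(cid.rsplit("/", 1)[1]))


def read_fragments(pf: PersistentFile, frag_ids: List[str],
                   service_keys: Dict[str, bytes]) -> Dict[str, bytes]:
    """Claim 16 read path: unwrap each chunk's DEK with the fragment's SSK, then decrypt."""
    out = {}
    for frag_id in frag_ids:
        ssk = service_keys[frag_id]
        pieces = []
        for cid in _chunk_ids(pf, frag_id):
            _, wrapped = pf.metadata[cid]
            dek = aead_decrypt(ssk, wrapped, cid.encode())
            pieces.append(aead_decrypt(dek, pf.chunks[cid], cid.encode()))
        out[frag_id] = b"".join(pieces)
    return out


def rotate_chunk_key(pf: PersistentFile, chunk_id: str, service_keys: Dict[str, bytes]) -> None:
    """Claim 17 rotation: decrypt with the old DEK, re-encrypt under a new DEK, re-wrap
    the new DEK under the same SSK, and replace the old wrapped DEK in the metadata."""
    frag_id, wrapped_old = pf.metadata[chunk_id]
    ssk = service_keys[frag_id]
    old_dek = aead_decrypt(ssk, wrapped_old, chunk_id.encode())
    plaintext = aead_decrypt(old_dek, pf.chunks[chunk_id], chunk_id.encode())
    new_dek = os.urandom(32)
    pf.chunks[chunk_id] = aead_encrypt(new_dek, plaintext, chunk_id.encode())
    pf.metadata[chunk_id] = (frag_id, aead_encrypt(ssk, new_dek, chunk_id.encode()))


if __name__ == "__main__":
    # constructed sample: two fragments, each with its own storage service key
    sample = {"frag-a": b"alpha bravo charlie delta echo", "frag-b": b"foxtrot"}
    ssks = {fid: os.urandom(32) for fid in sample}
    pf = write_fragments(sample, ssks)
    assert read_fragments(pf, list(sample), ssks) == sample
    rotate_chunk_key(pf, "frag-a/1", ssks)
    assert read_fragments(pf, ["frag-a"], ssks)["frag-a"] == sample["frag-a"]
    print(f"{len(pf.chunks)} chunks stored; read-back and key rotation verified")
```

Two properties worth checking against the claims: the persistent file alone (ciphertext plus metadata) yields nothing without the SSK held by the adjacent layer, so a wrong SSK fails at the DEK-unwrap step before any data is touched; and rotation is local to one chunk, since only that chunk's ciphertext and wrapped DEK are replaced while the SSK and every other chunk stay unchanged.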
CN202311471163.3A 2023-11-07 2023-11-07 Cloud storage system, data reading and writing method and device and storage medium Active CN117201204B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202311471163.3A CN117201204B (en) 2023-11-07 2023-11-07 Cloud storage system, data reading and writing method and device and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202311471163.3A CN117201204B (en) 2023-11-07 2023-11-07 Cloud storage system, data reading and writing method and device and storage medium

Publications (2)

Publication Number Publication Date
CN117201204A true CN117201204A (en) 2023-12-08
CN117201204B CN117201204B (en) 2024-03-29

Family

ID=88998334

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202311471163.3A Active CN117201204B (en) 2023-11-07 2023-11-07 Cloud storage system, data reading and writing method and device and storage medium

Country Status (1)

Country Link
CN (1) CN117201204B (en)

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20140059352A1 (en) * 2012-01-25 2014-02-27 Panasonic Corporation Key management system, key management method, and communication device
KR20140117864A (en) * 2013-03-27 2014-10-08 한양대학교 에리카산학협력단 Method for efficient data sharing in hierarchical storage and apparatus for processing the same method
US9722974B1 (en) * 2014-12-18 2017-08-01 AbeBooks Inc. Automated data re-encryption process in multi-tiered encryption system
US20180351928A1 (en) * 2017-05-31 2018-12-06 Samsung Sds Co., Ltd. Encryption key management system for cloud services
CN109842589A (en) * 2017-11-27 2019-06-04 中兴通讯股份有限公司 A kind of cloud storage encryption method, device, equipment and storage medium
US20190325147A1 (en) * 2018-04-18 2019-10-24 Beijing Baidu Netcom Science And Technology Co., Ltd. Method and apparatus for processing data, computer device and storage medium
CN111132150A (en) * 2019-12-31 2020-05-08 中科曙光国际信息产业有限公司 Method and device for protecting data, storage medium and electronic equipment

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Zhong Qian et al.: "A hierarchical key management method for trusted containers oriented to multi-tenancy", Computer Engineering and Applications *

Also Published As

Publication number Publication date
CN117201204B (en) 2024-03-29

Similar Documents

Publication Publication Date Title
US10409990B2 (en) Encryption and decryption method and apparatus in virtualization system, and system
CN112019475B (en) Resource access method, device, system and storage medium under server-free architecture
US10594481B2 (en) Replicated encrypted data management
WO2017031954A1 (en) Data communication method, user equipment, and server
US20220006617A1 (en) Method and apparatus for data storage and verification
US20130339715A1 (en) System and method for wiping encrypted data on a device having file-level content protection
US10958650B2 (en) Data processing method, system, and apparatus, storage medium, and device
US11397820B2 (en) Method and apparatus for processing data, computer device and storage medium
US20130185569A1 (en) Data protection system and method based on cloud storage
KR20180131056A (en) System for managing encryption keys for cloud services
WO2021068963A1 (en) Method for accessing cloud service, cloud server, and terminal
CN109450620B (en) Method for sharing security application in mobile terminal and mobile terminal
US11601258B2 (en) Selector derived encryption systems and methods
CN113806777A (en) File access realization method and device, storage medium and electronic equipment
CN111897621A (en) Virtual machine migration method, device, equipment, system and storage medium
CN113987563A (en) Data processing method, system, product, device and storage medium
CN117201204B (en) Cloud storage system, data reading and writing method and device and storage medium
US20210232509A1 (en) Storage Controller, And File Processing Method, Apparatus, And System
US20190121999A1 (en) Method and system for securely controlling access to data
WO2023273947A1 (en) Key management system and key management implementation method thereof, and computing node
WO2022001878A1 (en) System generated data set encryption key
CN111181899B (en) Data processing method, device and system and electronic equipment
US10939173B2 (en) Systems and methods for encrypting video
CN113467989A (en) Snapshot creating and reading method, equipment and storage medium
CN114390520A (en) Key updating method, device, equipment and storage medium

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant