CN117420953A - Data storage method and device, computer equipment and readable storage medium - Google Patents

Publication number: CN117420953A
Authority: CN (China)
Prior art keywords: data block, data, cloud server, mapping, key
Legal status: Granted
Application number: CN202311287765.3A
Other languages: Chinese (zh)
Other versions: CN117420953B (en)
Inventor: 张亮, 葛敏辉, 屈刚, 白洁音, 金皓纯, 李慧星
Current Assignee: East China Branch Of State Grid Corp ltd
Original Assignee: East China Branch Of State Grid Corp ltd
Application filed by East China Branch Of State Grid Corp ltd
Priority to CN202311287765.3A
Publication of CN117420953A
Application granted
Publication of CN117420953B
Current legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/10 Protocols in which an application is distributed across nodes in the network
    • H04L67/1001 Protocols in which an application is distributed across nodes in the network for accessing one among a plurality of replicated servers
    • H04L67/10015 Access to distributed or replicated servers, e.g. using brokers
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • G06F21/6245 Protecting personal data, e.g. for financial or medical purposes
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F3/00 Input arrangements for transferring data to be processed into a form capable of being handled by the computer; Output arrangements for transferring data from processing unit to output unit, e.g. interface arrangements
    • G06F3/06 Digital input from, or digital output to, record carriers, e.g. RAID, emulated record carriers or networked record carriers
    • G06F3/0601 Interfaces specially adapted for storage systems
    • G06F3/0602 Interfaces specially adapted for storage systems specifically adapted to achieve a particular effect
    • G06F3/061 Improving I/O performance
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F3/00 Input arrangements for transferring data to be processed into a form capable of being handled by the computer; Output arrangements for transferring data from processing unit to output unit, e.g. interface arrangements
    • G06F3/06 Digital input from, or digital output to, record carriers, e.g. RAID, emulated record carriers or networked record carriers
    • G06F3/0601 Interfaces specially adapted for storage systems
    • G06F3/0602 Interfaces specially adapted for storage systems specifically adapted to achieve a particular effect
    • G06F3/062 Securing storage systems
    • G06F3/0622 Securing storage systems in relation to access
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F3/00 Input arrangements for transferring data to be processed into a form capable of being handled by the computer; Output arrangements for transferring data from processing unit to output unit, e.g. interface arrangements
    • G06F3/06 Digital input from, or digital output to, record carriers, e.g. RAID, emulated record carriers or networked record carriers
    • G06F3/0601 Interfaces specially adapted for storage systems
    • G06F3/0628 Interfaces specially adapted for storage systems making use of a particular technique
    • G06F3/0638 Organizing or formatting or addressing of data
    • G06F3/064 Management of blocks
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F3/00 Input arrangements for transferring data to be processed into a form capable of being handled by the computer; Output arrangements for transferring data from processing unit to output unit, e.g. interface arrangements
    • G06F3/06 Digital input from, or digital output to, record carriers, e.g. RAID, emulated record carriers or networked record carriers
    • G06F3/0601 Interfaces specially adapted for storage systems
    • G06F3/0668 Interfaces specially adapted for storage systems adopting a particular infrastructure
    • G06F3/067 Distributed or networked storage systems, e.g. storage area networks [SAN], network attached storage [NAS]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/10 Protocols in which an application is distributed across nodes in the network
    • H04L67/1097 Protocols in which an application is distributed across nodes in the network for distributed storage of data in networks, e.g. transport arrangements for network file system [NFS], storage area networks [SAN] or network attached storage [NAS]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0891 Revocation or update of secret information, e.g. encryption key update or rekeying
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/40 Network security protocols
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/50 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols using hash chains, e.g. blockchains or hash trees

Abstract

The application provides a data storage method and device, computer equipment and a readable storage medium. The method comprises the following steps: acquiring a data access request for a designated storage unit in a cloud server, wherein the data access request is used for requesting a first data block; based on the data access request, sequentially acquiring each second data block stored in the designated storage unit; after each second data block is obtained, judging whether the second data block is the first data block based on mapping information in a bloom filter corresponding to the designated storage unit; if the second data block is the first data block, returning an invalid data block to the cloud server; and if the second data block is not the first data block, returning the second data block to the cloud server. According to this technical scheme, the security of the client's data access to the cloud server can be improved while the amount of computation on the cloud server is reduced.

Description

Data storage method and device, computer equipment and readable storage medium
[ Technical Field ]
The present disclosure relates to the field of computer technologies, and in particular, to a data storage method and apparatus, a computer device, and a readable storage medium.
[ Background Art ]
In cloud data storage, if the client stores sensitive data in plaintext directly on the cloud server, an untrusted cloud service provider or other attacker can obtain the client's sensitive data directly and can infer other private information about the client through data mining. The conventional countermeasure is to encrypt the data content that the client uploads, with the encryption key held by the client user.
However, data encryption only protects the data itself; it does not protect the client's acts of reading and writing data. In an actual cloud storage scenario, although a data block may be encrypted, the index of the database is not, which leaks the target location accessed by the client. From the client's access pattern, an untrusted cloud service provider or other attacker may infer the importance of the data block at a target location, for example by counting how often the data block is accessed. Likewise, the relationship among several consecutive data queries, and even the content of the accessed data, can be inferred from several consecutive accesses by the client, potentially exposing the behavior characteristics, interests, social circle and so on of the client user. Therefore, in application scenarios such as big data and cloud computing, encrypting only the content of the data cannot fully protect the privacy of the client.
In this regard, the related art proposes the concept of an oblivious random access machine (ORAM). With an oblivious random access machine, the storage of the server is divided into i layers of data storage units (chunks), with 2^i data blocks in each layer of data storage units. For each layer of data storage units, each access starts one access period (2^i accesses), and within one access period the 2^i data blocks are read and rewritten one by one. When an access period ends, the data blocks of the current layer and the data blocks of the next layer must be merged and shuffled, and after shuffling they are placed together into the next layer.
In this way, no matter which data block the client requests, the client accesses all the data blocks of one layer of data storage units, so an untrusted cloud service provider or other attacker cannot learn which data block the client actually needs from what they can observe, such as the index of the database and the access frequency of the data blocks. The access pattern of the client is thus protected from being easily acquired.
However, each layer of data storage units is actually a hash table, and because the data blocks of two layers of data storage units are shuffled after each access period, both layers need to be updated. The hash value of each data block must be recalculated in this process, which occupies a great deal of computing resources, puts huge pressure on the server providing cloud services, indirectly affects the data access speed and data analysis efficiency of the cloud services, and degrades the user experience.
Therefore, how to reduce the huge computation overhead that the oblivious random access machine incurs by recalculating hash values after shuffling multi-layer data blocks has become a technical problem to be solved urgently.
[ Summary of the Invention ]
The embodiments of the application provide a data storage method and device, computer equipment and a readable storage medium, and aim to solve the technical problem in the related art that cloud service quality is affected because the oblivious random access machine occupies excessive computing resources.
In a first aspect, an embodiment of the present application provides a data storage method, including:
acquiring a data access request for a designated storage unit in a cloud server, wherein the data access request is used for requesting a first data block;
based on the data access request, sequentially acquiring each second data block stored in the designated storage unit;
after each second data block is obtained, judging whether the second data block is the first data block based on mapping information in a bloom filter corresponding to the designated storage unit, wherein the mapping information indicates whether the possibility that the first data block is stored in the designated storage unit is zero or non-zero;
if the second data block is the first data block, returning an invalid data block to the cloud server so that the cloud server can store the invalid data block to the original storage position of the second data block;
and if the second data block is not the first data block, returning the second data block to the cloud server so that the cloud server can store the second data block to its original storage position.
In an embodiment of the present application, optionally, after each second data block is obtained and before determining whether the second data block is the first data block based on the mapping information in the bloom filter corresponding to the specified storage unit, the method further includes:
transmitting the second data block to a proxy server for the proxy server to decrypt the second data block with a first key;
receiving the proxy server's decryption result for the second data block;
performing a second decryption on the decryption result based on a second key to obtain the plaintext second data block;
and before returning the second data block to the cloud server, the method further includes:
encrypting the plaintext second data block based on the second key, and sending the encrypted second data block to the proxy server, so that the proxy server encrypts it a second time with the first key and sends the result to the cloud server.
In one embodiment of the present application, optionally, the first key is generated by the proxy server based on user attribute information of an owner of the second data block, and the second key is generated by the proxy server based on user attribute information of a client of the data access request and transmitted to the client.
In one embodiment of the present application, optionally, the method further includes:
when the user attribute information is detected to be updated, generating a key updating instruction based on the updated user attribute information;
and sending the key updating instruction to the proxy server so that the proxy server can update the second key based on the key updating instruction.
In one embodiment of the present application, optionally, the determining, based on mapping information in the bloom filter corresponding to the specified storage unit, whether the second data block is the first data block includes:
calculating path information of the first data block through a plurality of groups of hash functions built into the bloom filter to obtain a plurality of mapping values;
determining the mapping position of each of the mapping values in the mapping information in the bloom filter corresponding to the designated storage unit, wherein:
if the mapping identifiers at the mapping positions of the mapping values are all the specified identifier, determining that the second data block is the first data block;
and if the mapping identifiers at the mapping positions of the mapping values include at least one non-specified identifier, determining that the second data block is not the first data block.
In one embodiment of the present application, optionally, the specified identifier is 1 and the non-specified identifier is 0.
In a second aspect, embodiments of the present application provide a data storage device, including:
a data access request acquisition unit, configured to acquire a data access request for a specified storage unit in a cloud server, where the data access request is used to request acquisition of a first data block;
a data block obtaining unit, configured to obtain each second data block stored in the specified storage unit in sequence based on the data access request;
a mapping judgment unit, configured to judge, after each second data block is acquired, whether the second data block is the first data block based on mapping information in a bloom filter corresponding to the designated storage unit, wherein the mapping information indicates whether the possibility that the first data block is stored in the designated storage unit is zero or non-zero;
a first execution unit, configured to return an invalid data block to the cloud server if the judgment result is that the second data block is the first data block, so that the cloud server can store the invalid data block to the original storage position of the second data block;
and a second execution unit, configured to return the second data block to the cloud server if the second data block is not the first data block, so that the cloud server can store the second data block to its original storage position.
In one embodiment of the present application, optionally, the data storage device further includes:
the first sending unit is used for sending the second data block to the proxy server after each second data block is obtained and before the mapping judging unit judges whether the second data block is the first data block or not, so that the proxy server can decrypt the second data block through a first key;
a decryption result receiving unit, configured to receive a decryption result of the second data block by the proxy server;
a data block decryption unit, configured to perform a second decryption on the decryption result based on a second key to obtain the plaintext second data block;
and a data block encryption unit, configured to encrypt the plaintext second data block based on the second key before the second execution unit returns the second data block to the cloud server, and to send the encrypted second data block to the proxy server so that the proxy server can encrypt it a second time with the first key and send the result to the cloud server.
In one embodiment of the present application, optionally, the first key is generated by the proxy server based on user attribute information of an owner of the second data block, and the second key is generated by the proxy server based on user attribute information of a client of the data access request and transmitted to the client.
In one embodiment of the present application, optionally, the data storage device further includes:
a key update instruction generating unit, configured to generate a key update instruction based on updated user attribute information when it is detected that the user attribute information is updated;
and the second sending unit is used for sending the key updating instruction to the proxy server so that the proxy server can update the second key based on the key updating instruction.
In one embodiment of the present application, optionally, the mapping judgment unit includes:
the mapping value calculation unit is used for respectively calculating the path information of the first data block through a plurality of groups of hash functions built in the bloom filter to obtain a plurality of mapping values;
a mapping position obtaining unit, configured to determine a mapping position where each of the plurality of mapping values is located in mapping information in the bloom filter corresponding to the specified storage unit;
the mapping judgment unit is configured to:
determine that the second data block is the first data block if the mapping identifiers at the mapping positions of the mapping values are all the specified identifier, and determine that the second data block is not the first data block if the mapping identifiers at the mapping positions of the mapping values include at least one non-specified identifier.
In one embodiment of the present application, optionally, the specified identifier is 1 and the non-specified identifier is 0.
In a third aspect, embodiments of the present application provide a computer device, including: at least one processor; and a memory communicatively coupled to the at least one processor; wherein the memory stores instructions executable by the at least one processor, the instructions being arranged to perform the method of the first aspect described above.
In a fourth aspect, embodiments of the present application provide a computer-readable storage medium storing computer-executable instructions for performing the method of the first aspect.
According to the above technical scheme, to address the technical problem in the related art that cloud service quality is affected because the oblivious random access machine occupies too many computing resources, a data access request for a designated storage unit in a cloud server is first obtained. The data access request indicates the location and the object to be accessed, namely the first data block under the designated storage unit among the multi-layer data storage units of the cloud server.
After the data access request is received, each second data block stored in the designated storage unit can be accessed using the principle of the oblivious random access machine, so that, from the point of view of the cloud server and any third party, every access by the client to the cloud server covers all the data blocks of one layer, and the client's access pattern cannot be inferred. The access pattern of the client is thus effectively kept secret, and disclosure of private information such as what the client user accesses and the user's access habits is avoided.
Further, a bloom filter is provided in the cloud server for each layer of data storage units, and the bloom filter holds mapping information. Specifically, the mapping information of each layer of data storage units reflects the storage status of data blocks in that layer, that is, which data blocks are present in that layer. The mapping information in the bloom filter corresponding to the designated storage unit therefore indicates whether the possibility that the first data block is stored in the designated storage unit is zero or non-zero.
After each second data block is obtained, it must be determined whether the second data block is the first data block that the client actually needs. If the mapping information in the bloom filter indicates that the possibility that the first data block is stored in the designated storage unit is zero, the second data block is not the first data block. Conversely, if the mapping information in the bloom filter indicates that this possibility is non-zero, the second data block is indicated to be the first data block.
If the second data block is the first data block, the client has successfully obtained the data it needs to access. To avoid leaking the client's access target, an invalid data block can be sent back to the cloud server in place of the second data block, for the cloud server to write to the original storage position of the second data block in the designated storage unit.
If the second data block is not the first data block, the second data block is sent straight back to the cloud server for the cloud server to write back to the original storage position of the second data block in the designated storage unit.
That is, whether or not the client has obtained the data it needs to access, the access pattern is always to read one data block and then write one data block back, and the client may or may not obtain the first data block it needs from the designated storage unit. In summary, to the cloud server and any third party, every access by the client appears to read all the data blocks of one layer and to write all of them back; the client always performs the same access pattern.
In this way, the client can carry out the access it needs while keeping the data it actually accesses, its data access patterns and other information related to the privacy of the client user secret from the cloud server and any third party. The security of the client's data access to the cloud server is therefore improved, the private information of the client user is effectively protected, and this has a positive effect on the development of information security.
Meanwhile, this replaces the related-art scheme in which the oblivious random access machine has to merge the data blocks of the current layer with those of the next layer and then shuffle them. Because the data blocks do not need to be shuffled, the hash tables of the two layers of data storage units do not need to be recalculated, which greatly reduces the computation overhead attached to data access and the resources occupied on the cloud server.
In general, according to the technical scheme, the security of data access of the client to the cloud server can be improved, the privacy information of a client user can be protected, the calculated amount of the cloud server can be reduced, the calculation efficiency of the cloud server can be improved, the data access efficiency of the client can be indirectly improved, and the experience of the client user can be improved.
[ Description of the Drawings ]
In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings that are needed in the embodiments will be briefly described below, and it is obvious that the drawings in the following description are only some embodiments of the present application, and that other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
FIG. 1 illustrates a flow chart of a data storage method according to one embodiment of the present application;
FIG. 2 illustrates a flow chart of a data storage method according to another embodiment of the present application;
FIG. 3 illustrates a block diagram of a data storage device according to one embodiment of the present application;
FIG. 4 illustrates a block diagram of a computer device, according to one embodiment of the present application;
FIG. 5 illustrates a block diagram of a computer device, according to one embodiment of the present application.
[ Detailed Description ]
The following description of the embodiments of the present invention will be made clearly and fully with reference to the accompanying drawings, in which it is evident that the embodiments described are some, but not all embodiments of the invention. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
Example 1
FIG. 1 illustrates a flow chart of a data storage method according to one embodiment of the present application.
As shown in fig. 1, a data storage method according to an embodiment of the present application includes:
Step 102, acquiring a data access request for a specified storage unit in a cloud server, wherein the data access request is used for requesting acquisition of a first data block.
The cloud server is a main body for storing data to be accessed by the client, in other words, the cloud server is used for carrying out cloud storage on the data related to the client. The cloud server comprises a plurality of layers of data storage units (socket), each layer of data storage units is provided with a plurality of data blocks, and each time a client makes a data access request, the client actually requests to access a certain data block in a certain layer of data storage units of the cloud server.
Further, the data access request indicates the location and the object to be accessed, namely the first data block under a specified storage unit among the multi-layer data storage units of the cloud server.
Step 104, based on the data access request, sequentially acquiring each second data block stored in the designated storage unit.
After the data access request is received, each second data block stored in the designated storage unit can be accessed using the principle of the oblivious random access machine, so that, from the point of view of the cloud server and any third party, every access by the client to the cloud server covers all the data blocks of one layer, and the client's access pattern cannot be inferred. The access pattern of the client is thus effectively kept secret, and disclosure of private information such as what the client user accesses and the user's access habits is avoided.
Step 106, after each second data block is obtained, based on the mapping information in the bloom filter corresponding to the specified storage unit, judging whether the second data block is the first data block, if the second data block is the first data block, entering step 108, and if the second data block is not the first data block, entering step 110.
Further, a bloom filter is arranged in the cloud server for each layer of data storage unit, and mapping information is arranged in the bloom filter. In particular, the mapping information of each layer of data storage units may reflect the storage of data blocks in that layer, and the storage of data blocks indicates which data blocks are present in that layer. Further, the mapping information in the bloom filter corresponding to the designated storage unit is used for reflecting that the possibility that the first data block is stored in the designated storage unit is zero or non-zero.
After each second data block is obtained, it is necessary to determine whether the second data block is the first data block actually required by the client. If the mapping information in the bloom filter reflects that the possibility that the first data block is stored in the designated storage unit is zero, the second data block is not the first data block. Conversely, if the mapping information in the bloom filter reflects that the possibility that the first data block is stored in the designated storage unit is non-zero, the second data block is indicated as the first data block.
Step 108, returning an invalid data block to the cloud server so that the cloud server can store the invalid data block to the original storage position of the second data block.
Step 110, returning the second data block to the cloud server for the cloud server to store the second data block to an original storage position.
If the second data block is the first data block, the client has successfully acquired the data it needs to access. To avoid leaking the client's access target, an invalid data block is sent to the cloud server in place of the second data block, and the cloud server writes it back to the original storage position of the second data block in the designated storage unit.
If the second data block is not the first data block, the second data block is sent back to the cloud server unchanged, and the cloud server writes it back to the original storage position of the second data block in the designated storage unit.
That is, regardless of whether the client successfully obtains the data it needs to access, the access pattern is that one data block is written back after one data block is read, and the client may or may not obtain the first data block it needs in the designated storage unit. In summary, each access to the cloud server by the client appears to the cloud server and any third-party objects to be an access to all data blocks of one layer, and each write-back is performed on all data blocks, i.e. the client always performs the same access pattern.
In this way, the client can execute the access action required by the client, and can also secret the data actually required to be accessed by the client, the data access rule of the client and other information related to the privacy of the client user from the cloud server and any third party objects. Therefore, the security of the client for data access to the cloud server is improved, the privacy information of the client user is effectively protected, and the method has positive effects on the development of information security.
Meanwhile, this scheme replaces the related-art approach in which the oblivious random access machine must merge the data blocks of the current layer with the data blocks of the next layer and then shuffle them. Because the data blocks do not need to be shuffled, the hash tables of the two layers of data storage units do not need to be recalculated, which greatly reduces the computational cost attached to data access and the resources occupied on the cloud server.
In general, according to the technical scheme, the security of data access of the client to the cloud server can be improved, the privacy information of a client user can be protected, the calculated amount of the cloud server can be reduced, the calculation efficiency of the cloud server can be improved, the data access efficiency of the client can be indirectly improved, and the experience of the client user can be improved.
Example two
Fig. 2 shows a flow chart of a data storage method according to another embodiment of the present application.
As shown in fig. 2, a data storage method according to another embodiment of the present application includes:
step 202, acquiring a data access request for a specified storage unit in a cloud server, wherein the data access request is used for requesting acquisition of a first data block.
Step 204, based on the data access request, sequentially obtaining each second data block stored in the designated storage unit.
Step 206, after each second data block is obtained, sending the second data block to a proxy server, so that the proxy server decrypts the second data block through the first key.
To further enhance the security of data access, a proxy server may be introduced to provide decryption services for clients.
Optionally, the proxy server creates a container for the client, then stores the second data block from the client into a container special for the client, and the decryption operation of the second data block is completely performed in the container, so that the second data block is isolated from the proxy server or even any other third party through the isolation function of the container, and the security of the second data block is effectively protected.
Further, in the process of uploading the second data block to the cloud server, the owner of the second data block may encrypt the second data block by means of the proxy server. In particular, the proxy server may encrypt the second data block based on user attribute information of an owner of the second data block as the first key. In this way, since the first key is obtained from the user attribute information of the owner of the second data block, it has a certain uniqueness, and is more difficult to be broken, i.e. has higher security, than a simple key.
Step 208, receiving a decryption result of the second data block by the proxy server.
Step 210, performing secondary decryption on the decryption result based on the second key to obtain a second data block of the plaintext.
For security during transmission, after decrypting the second data block in the container and before returning it to the client, the proxy server may encrypt the second data block a second time using the second key known to the client.
The second key is generated by the proxy server based on the user attribute information of the client of the data access request and sent to the client, so that the client can decrypt the received second data block based on the second key, and finally obtain a second data block in plaintext.
In one possible design, when the user attribute information is detected to be updated, a key update instruction is generated based on the updated user attribute information. And sending the key updating instruction to the proxy server so that the proxy server can update the second key based on the key updating instruction.
That is, the second key is updated automatically whenever the user attribute information of the client is updated. This prevents the second key from being easily cracked by a third party because it never changes, and it guarantees that the second key changes dynamically without increasing its complexity, which improves the security of data transmission between the client and the proxy server.
Step 212, determining whether the second data block is the first data block based on the mapping information in the bloom filter corresponding to the specified storage unit, if the determination result is that the second data block is the first data block, proceeding to step 214, and if the second data block is not the first data block, proceeding to step 216.
Wherein the mapping information is used to reflect that the probability that the first data block is stored in the designated storage unit is zero or non-zero. In particular, the mapping information of each layer of data storage units may reflect the storage of data blocks in that layer, and the storage of data blocks indicates which data blocks are present in that layer. Further, the mapping information in the bloom filter corresponding to the designated storage unit is used for reflecting that the possibility that the first data block is stored in the designated storage unit is zero or non-zero.
After each second data block is obtained, it is necessary to determine whether the second data block is the first data block actually required by the client. If the mapping information in the bloom filter reflects that the possibility that the first data block is stored in the designated storage unit is zero, the second data block is not the first data block. Conversely, if the mapping information in the bloom filter reflects that the possibility that the first data block is stored in the designated storage unit is non-zero, the second data block is indicated as the first data block.
Specifically, determining whether the second data block is the first data block includes the steps of:
firstly, calculating path information of the first data block through a plurality of groups of hash functions built in the bloom filter to obtain a plurality of mapping values. That is, a plurality of mapping values corresponding to the first data block that the client needs to acquire are calculated.
It is to be understood that, in the bloom filter, different mapping values are distributed at different positions of the mapping table, and each mapping value has a mapping identifier corresponding to itself.
And then, determining the mapping positions of the mapping values in the mapping information in the bloom filter corresponding to the designated storage unit.
And if the mapping identifiers corresponding to the mapping positions where the mapping values are respectively located are all specified identifiers, determining that the second data block is the first data block. In other words, the mapping tables of the bloom filter are all provided with a specific identifier corresponding to a plurality of mapping values corresponding to the first data block, which indicates that the first data block has a certain probability of being in a data set (i.e. a specific storage unit) to which the bloom filter belongs, that is, the probability that the first data block is stored in the specific storage unit is non-zero. At this time, the first data block may be considered to be stored in the designated storage unit.
Otherwise, if the mapping identifiers corresponding to the mapping positions where the mapping values are located include at least one non-specified identifier, that is, the mapping values corresponding to the first data block do not all correspond to the specified identifier in the mapping table of the bloom filter, the probability that the first data block is stored in the designated storage unit is determined to be zero, and the second data block is determined not to be the first data block.
Wherein the designated identifier is 1, and the non-designated identifier is 0. Of course, the specified identifier and the non-specified identifier may be any preset identifier other than these, and are not limited to this example.
Step 214, returning an invalid data block to the cloud server so that the cloud server can store the invalid data block to the original storage position of the second data block.
In the process of returning the invalid data block to the cloud server, optionally, the invalid data block is encrypted based on the second key, and the encrypted invalid data block is sent to the proxy server, so that the proxy server encrypts the encrypted invalid data block for the second time with the first key and sends the encrypted invalid data block to the cloud server.
Step 216, encrypting the second data block of the plaintext based on the second key, and transmitting the encrypted second data block to the proxy server, so that the proxy server can transmit the encrypted second data block to the cloud server after performing secondary encryption on the encrypted second data block by using the first key.
To further confuse the cloud server and the third party attacker, the same encryption operation is performed whether an invalid data block or a second data block is returned, so that the client performs the same operation on each acquired data block from the perspective of the cloud server and the third party attacker. Therefore, the cloud server and the third-party attacker can not identify the data block really needed by the client, and the privacy security of the client user is effectively protected.
According to the technical scheme, the security of data access of the client to the cloud server can be improved, the privacy information of a user of the client is protected, meanwhile, the proxy server is introduced to encrypt and decrypt the data blocks coming and going from the client and the cloud server by using the container with the isolation function, so that the security of the data blocks is strictly ensured, the calculated amount of the cloud server is reduced, the calculation efficiency of the cloud server is improved, the data access efficiency of the client is indirectly improved, and the experience of the user of the client is improved.
Example three
In one embodiment of the present application, an oblivious random access machine (ORAM) is used as the basis for data access, and the specific method of finding a data block is encapsulated in the bloom filter of each layer of data storage units. Thus, when a client submits a query, the encrypted bloom filter of each layer of data storage units is used to determine whether the data block is in the current layer.
First, in this embodiment, the client and the cloud storage server do not directly communicate, but use a hardware container as a trusted third party to take charge of data transfer between the two. The trusted third party needs to complete the key generation and distribution work with attribute characteristics according to the attribute of each accessed client besides data transfer. Meanwhile, the trusted third party also establishes a local buffer stack and a bloom filter for replacing a local mapping table for the client, and records the path information of each data block. The data is stored in the cloud storage server in a hierarchical storage structure, and the socket is used as a basic storage unit.
The client x (data owner) submits the attribute set to a trusted third party, and the trusted third party generates a master key MK and an attribute public key PK according to the attribute set submitted by the client x, stores the master key and publishes the attribute public key on a public network.
The client i (data sharer) submits its attribute set to the trusted third party, and the trusted third party generates, according to the attribute set submitted by the client i, a client attribute private key SK_i containing the personal attribute set information, and sends SK_i to the client i through a secure communication channel.
The client x acquires the attribute public key PK from the public channel, encrypts the plaintext data block M by using the attribute public key PK to generate the ciphertext data block C, and submits the ciphertext data block C to a trusted third party and a cloud storage server.
The trusted third party obtains the ciphertext data block C, randomly distributes a path address for the ciphertext data block C, records the path address in a bloom filter of a basic storage unit where the ciphertext data block C is located, and then stores the ciphertext data block C in a flash.
On the basis of the basic configuration, the technical scheme of the application is described in detail by an example.
When the client i accesses the target data block s in any basic storage unit serving as an access node, it needs to traverse all the data blocks in the access node.
The client i reads a ciphertext data block m from a basic storage unit serving as an access node, submits the ciphertext data block m to a trusted third party, and the trusted third party decrypts the ciphertext data block m for the first time based on an attribute public key PK corresponding to an owner of the ciphertext data block m to obtain a decrypted data block m'.
The trusted third party encrypts the decrypted data block m' with the attribute private key SK_i of the client i and sends the result to the client i. The client i then performs secondary decryption on the data block m' based on the attribute private key SK_i to obtain a plaintext data block M.
At this time, the client may query the bloom filter corresponding to the access node whether the plaintext block M is the target block s. If the plaintext data block M is the target data block s, returning an invalid data block to the trusted third party; if the plaintext block M is not the target block, the block is directly encrypted and returned to the proxy.
After the trusted third party obtains the invalid data block, the invalid data block is encrypted and then delivered to the cloud storage server, and the cloud storage server stores the received content in the original position.
When all the data blocks in the access node are accessed once, the algorithm operation is finished.
When the bloom filter is set for the current node, a data set X of the bloom filter can be constructed to be a plurality of data blocks under the current node, k mutually independent hash functions are selected, the capacity of the bloom filter is set to be d, and the error rate is set to be e.
In addition, a binary string BF_X of all 0s is initialized with length q, and each data block of the data set X is then mapped to a positive integer by each of the k mutually independent hash functions. If the value at the corresponding position of BF_X is 0, it is changed to 1.
If any third party wants to detect whether the target data block s is in the data set X, all the mapping values of the target data block s can be calculated using the k mutually independent hash functions, and it is then checked whether the corresponding positions in BF_X are all 1.
If they are, the target data block s may be located in the data set X; otherwise, the target data block s is definitely not an element of the data set X.
According to the technical scheme, the bloom filter is adopted to further optimize the ORAM, so that the calculation cost of the ORAM is greatly reduced. In addition, in the related art stack, the hash table is updated after the data blocks of the two-layer data storage unit are shuffled, and the client is required to store the local mapping table.
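The bloom filter construction and check of Example three, combined with the read-one, write-one scan of Example one, as an added Python example that is not code from the patent. Assumptions: the k hash functions are emulated with salted SHA-256, a SHA-256 keystream stands in for the attribute-based encryption, each block carries its own path so the scan can recognise the target, and all names, keys and sample data are constructed.

```python
import hashlib
import os

PATH_LEN, DATA_LEN = 15, 32      # fixed field sizes: every block has the same length
DUMMY_PATH = b""                 # path stored inside an invalid (dummy) block


class BloomFilter:
    """Bit string BF_X of length q, filled through k hash functions."""

    def __init__(self, q, k):
        self.q, self.k = q, k
        self.bits = [0] * q                       # initialised to all 0

    def _positions(self, path):
        # Assumption: k independent hashes emulated by salting SHA-256 with i.
        return [int.from_bytes(hashlib.sha256(bytes([i]) + path).digest(), "big") % self.q
                for i in range(self.k)]

    def add(self, path):
        for p in self._positions(path):
            self.bits[p] = 1                      # a 0 at a mapped position becomes 1

    def may_contain(self, path):
        # Any 0 means certainly absent; all 1 means possibly present.
        return all(self.bits[p] for p in self._positions(path))


def _keystream(key, nonce, n):
    out, counter = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:n]


def seal(key, path, data):
    """Randomised stand-in cipher (not the attribute-based scheme of the patent)."""
    assert len(path) <= PATH_LEN and len(data) <= DATA_LEN
    body = (bytes([len(path)]) + path.ljust(PATH_LEN, b"\0")
            + bytes([len(data)]) + data.ljust(DATA_LEN, b"\0"))
    nonce = os.urandom(16)                        # fresh nonce: ciphertext changes every time
    return nonce + bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body))))


def unseal(key, blob):
    nonce, ct = blob[:16], blob[16:]
    body = bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))
    data_at = 1 + PATH_LEN
    return body[1:1 + body[0]], body[data_at + 1:data_at + 1 + body[data_at]]


class CloudLayer:
    """One designated storage unit; trace records what the server can observe."""

    def __init__(self, blobs):
        self.blobs, self.trace = list(blobs), []

    def read(self, i):
        self.trace.append(("read", i, len(self.blobs[i])))
        return self.blobs[i]

    def write(self, i, blob):
        self.trace.append(("write", i, len(blob)))
        self.blobs[i] = blob


def access(layer, bloom, key, target_path):
    """Read and write back every block of the unit; return the target data or None."""
    possible = bloom.may_contain(target_path)     # zero or non-zero likelihood
    found = None
    for i in range(len(layer.blobs)):
        path, data = unseal(key, layer.read(i))
        if possible and path == target_path:
            found = data
            layer.write(i, seal(key, DUMMY_PATH, b""))   # invalid block replaces the hit
        else:
            layer.write(i, seal(key, path, data))        # same block, new ciphertext
    return found


def build_layer(key, items, q=64, k=3):
    """Fill a unit and its bloom filter from constructed (path, data) pairs."""
    bloom = BloomFilter(q, k)
    for path, _ in items:
        bloom.add(path)
    return CloudLayer(seal(key, p, d) for p, d in items), bloom


SAMPLE = [(b"/L2/a", b"alpha"), (b"/L2/b", b"bravo"), (b"/L2/c", b"charlie")]  # constructed

if __name__ == "__main__":
    key = b"constructed-demo-key"
    hit_layer, bloom = build_layer(key, SAMPLE)
    miss_layer, _ = build_layer(key, SAMPLE)
    print(access(hit_layer, bloom, key, b"/L2/b"), access(miss_layer, bloom, key, b"/L9/zz"))
    print(hit_layer.trace == miss_layer.trace)    # the server sees the same pattern
```

The write-back must use randomised encryption: with a deterministic cipher the server could compare the read and written ciphertexts and spot the one position where a block was swapped for an invalid block.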
FIG. 3 illustrates a block diagram of a data storage device according to one embodiment of the present application.
As shown in fig. 3, a data storage device 300 according to one embodiment of the present application includes:
a data access request acquiring unit 302, configured to acquire a data access request for a specified storage unit in a cloud server, where the data access request is used to request acquisition of a first data block;
a data block obtaining unit 304, configured to obtain each second data block stored in the specified storage unit in turn based on the data access request;
a mapping determining unit 306, configured to determine whether the second data block is the first data block based on mapping information in a bloom filter corresponding to the specified storage unit after each second data block is obtained, where the mapping information is used to reflect that a possibility that the first data block is stored in the specified storage unit is zero or non-zero;
the first execution unit 308 is configured to return an invalid data block to the cloud server if the second data block is the first data block, so that the cloud server stores the invalid data block to an original storage location of the second data block;
a second execution unit 310, configured to return the second data block to the cloud server if the second data block is not the first data block, so that the cloud server stores the second data block to an original storage location.
In one embodiment of the present application, optionally, the data storage device 300 further includes:
the first sending unit is used for sending the second data block to the proxy server after each second data block is obtained and before the mapping judging unit judges whether the second data block is the first data block or not, so that the proxy server can decrypt the second data block through a first key;
a decryption result receiving unit, configured to receive a decryption result of the second data block by the proxy server;
the data block decryption unit is used for performing secondary decryption on the decryption result based on a second key to obtain a second data block of the plaintext;
and the data block encryption unit is used for encrypting the second data block of the plaintext based on the second key before the second execution unit returns the second data block to the cloud server, and sending the encrypted second data block to the proxy server so that the proxy server can send the encrypted second data block to the cloud server after carrying out secondary encryption by the first key.
In one embodiment of the present application, optionally, the first key is generated by the proxy server based on user attribute information of an owner of the second data block, and the second key is generated by the proxy server based on user attribute information of a client of the data access request and transmitted to the client.
In one embodiment of the present application, optionally, the data storage device 300 further includes:
a key update instruction generating unit, configured to generate a key update instruction based on updated user attribute information when it is detected that the user attribute information is updated;
and the second sending unit is used for sending the key updating instruction to the proxy server so that the proxy server can update the second key based on the key updating instruction.
In one embodiment of the present application, optionally, the mapping determining unit 306 includes:
the mapping value calculation unit is used for respectively calculating the path information of the first data block through a plurality of groups of hash functions built in the bloom filter to obtain a plurality of mapping values;
a mapping position obtaining unit, configured to determine a mapping position where each of the plurality of mapping values is located in mapping information in the bloom filter corresponding to the specified storage unit;
The mapping determining unit 306 is configured to:
if the mapping identifiers corresponding to the mapping positions of the mapping values are all specified identifiers, determine that the second data block is the first data block, and if the mapping identifiers corresponding to the mapping positions of the mapping values include at least one non-specified identifier, determine that the second data block is not the first data block.
In one embodiment of the present application, optionally, the specified identifier is 1 and the non-specified identifier is 0.
The data storage device 300 uses the solution of any of the above embodiments, and therefore, has all the technical effects described above, and will not be described herein.
In addition, in one embodiment, the present application provides a computer device, which may be a server, and an internal structure diagram thereof may be as shown in fig. 4. The computer device includes a processor, a memory, a network interface, and a database connected by a system bus. Wherein the processor of the computer device is configured to provide computing and control capabilities. The memory of the computer device includes non-volatile and/or volatile storage media and internal memory. The non-volatile storage medium stores an operating system, computer programs, and a database. The internal memory provides an environment for the operation of the operating system and computer programs in the non-volatile storage media. The network interface of the computer device is for communicating with an external client via a network connection. The computer program may implement the data storage method according to any of the above embodiments when executed by a processor.
In one embodiment, the present application also provides a computer device, which may be a client, and an internal structure diagram thereof may be shown in fig. 5. The computer device includes a processor, a memory, a network interface, a display screen, and an input device connected by a system bus. Wherein the processor of the computer device is configured to provide computing and control capabilities. The memory of the computer device includes a non-volatile storage medium and an internal memory. The non-volatile storage medium stores an operating system and a computer program. The internal memory provides an environment for the operation of the operating system and computer programs in the non-volatile storage media. The network interface of the computer device is for communicating with an external server via a network connection. The computer program may implement the data storage method according to any of the above embodiments when executed by a processor.
Any of the computer devices described above in embodiments of the present application exist in a variety of forms including, but not limited to:
(1) A mobile communication device: such devices are characterized by mobile communication capabilities and are primarily aimed at providing voice, data communications. Such terminals include: smart phones (e.g., iPhone), multimedia phones, functional phones, and low-end phones, etc.
(2) Ultra mobile personal computer device: such devices are in the category of personal computers, having computing and processing functions, and generally also having mobile internet access characteristics. Such terminals include: PDA, MID, and UMPC devices, etc., such as iPad.
(3) Portable entertainment device: such devices may display and play multimedia content. The device comprises: audio, video players (e.g., iPod), palm game consoles, electronic books, and smart toys, wearable devices, and portable car navigation devices.
(4) Server: a device providing any type of computing service, such as local services and/or cloud services. A server comprises a processor, hard disk, memory, system bus, etc. Its architecture is similar to that of a general-purpose computer, but because it must provide highly reliable services, it has higher requirements for processing power, stability, reliability, security, scalability, manageability, etc.
(5) Other electronic devices with data interaction function.
In addition, embodiments of the present application provide a computer-readable storage medium storing computer-executable instructions for performing the steps of:
Acquiring a data access request aiming at a designated storage unit in a cloud server, wherein the data access request is used for requesting to acquire a first data block;
based on the data access request, sequentially acquiring each second data block stored in the appointed storage unit;
after each second data block is obtained, judging whether the second data block is the first data block or not based on mapping information in a bloom filter corresponding to the appointed storage unit, wherein the mapping information is used for reflecting that the possibility that the first data block is stored in the appointed storage unit is zero or non-zero;
if the second data block is the first data block, returning an invalid data block to the cloud server so that the cloud server can store the invalid data block to an original storage position of the second data block;
and if the second data block is not the first data block, returning the second data block to the cloud server so that the cloud server can store the second data block to an original storage position.
It should be noted that, the functions or steps that can be implemented by the computer readable storage medium or the computer device may correspond to the relevant descriptions in the foregoing method embodiments, and are not described herein for avoiding repetition.
The technical scheme of the application has been described in detail above with reference to the drawings. With this technical scheme, the amount of computation on the cloud server can be reduced while the security of data access of the client to the cloud server and the privacy information of the client user are protected, and the computing efficiency of the cloud server is improved, so that the data access efficiency of the client is indirectly improved and the experience of the client user is improved.
It should be understood that the term "and/or" as used herein is merely one relationship describing the association of the associated objects, meaning that there may be three relationships, e.g., a and/or B, may represent: a exists alone, A and B exist together, and B exists alone. In addition, the character "/" herein generally indicates that the front and rear associated objects are an "or" relationship.
It should be understood that although the terms first, second, etc. may be used in embodiments of the present application to describe blocks of data, these blocks of data should not be limited by these terms. These terms are only used to distinguish data blocks from one another. For example, a first data block may also be referred to as a second data block, and similarly, a second data block may also be referred to as a first data block, without departing from the scope of embodiments of the present application.
Depending on the context, the word "if" as used herein may be interpreted as "at … …" or "at … …" or "in response to a determination" or "in response to detection". Similarly, the phrase "if determined" or "if detected (stated condition or event)" may be interpreted as "when determined" or "in response to determination" or "when detected (stated condition or event)" or "in response to detection (stated condition or event)", depending on the context.
The terminology used in the embodiments of the application is for the purpose of describing particular embodiments only and is not intended to be limiting of the application. As used in this application and the appended claims, the singular forms "a," "an," and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise.
In the several embodiments provided in this application, it should be understood that the disclosed systems, devices, and methods may be implemented in other manners. For example, the apparatus embodiments described above are merely illustrative, e.g., the division of the elements is merely a logical function division, and there may be additional divisions when actually implemented, e.g., multiple elements or components may be combined or integrated into another system, or some features may be omitted or not performed. Alternatively, the coupling or direct coupling or communication connection shown or discussed with each other may be an indirect coupling or communication connection via some interfaces, devices or units, which may be in electrical, mechanical or other form.
In addition, each functional unit in each embodiment of the present application may be integrated in one processing unit, or each unit may exist alone physically, or two or more units may be integrated in one unit. The integrated units may be implemented in hardware or in hardware plus software functional units.
Those skilled in the art will appreciate that implementing all or part of the above described methods may be accomplished by way of a computer program stored on a non-transitory computer readable storage medium, which when executed, may comprise the steps of the embodiments of the methods described above. Any reference to memory, storage, database, or other medium used in the various embodiments provided herein may include non-volatile and/or volatile memory. The non-volatile memory can include read-only memory (ROM), programmable ROM (PROM), electrically programmable ROM (EPROM), electrically erasable programmable ROM (EEPROM), or flash memory. Volatile memory can include random access memory (RAM) or external cache memory. By way of illustration and not limitation, RAM is available in a variety of forms such as static RAM (SRAM), dynamic RAM (DRAM), synchronous DRAM (SDRAM), double data rate SDRAM (DDRSDRAM), enhanced SDRAM (ESDRAM), synchronous link DRAM (SLDRAM), Rambus direct RAM (RDRAM), direct Rambus dynamic RAM (DRDRAM), and Rambus dynamic RAM (RDRAM), among others.
The above embodiments are only for illustrating the technical solution of the present invention, and not for limiting the same; although the invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical scheme described in the foregoing embodiments can be modified or some technical features thereof can be replaced by equivalents; such modifications and substitutions do not depart from the spirit and scope of the technical solutions of the embodiments of the present invention, and are intended to be included in the scope of the present invention.

Claims (10)

1. A method of data storage, comprising:
acquiring a data access request for a specified storage unit in a cloud server, wherein the data access request is used for requesting to acquire a first data block;
based on the data access request, sequentially acquiring each second data block stored in the specified storage unit;
after each second data block is acquired, judging whether the second data block is the first data block based on mapping information in a bloom filter corresponding to the specified storage unit, wherein the mapping information reflects whether the possibility that the first data block is stored in the specified storage unit is zero or non-zero;
if the second data block is the first data block, returning an invalid data block to the cloud server so that the cloud server stores the invalid data block at the original storage position of the second data block;
and if the second data block is not the first data block, returning the second data block to the cloud server so that the cloud server stores the second data block at its original storage position.
2. The data storage method according to claim 1, wherein, after each second data block is acquired and before the judging whether the second data block is the first data block based on the mapping information in the bloom filter corresponding to the specified storage unit, the method further comprises:
transmitting the second data block to a proxy server for the proxy server to decrypt the second data block with a first key;
receiving a decryption result of the proxy server on the second data block;
performing secondary decryption on the decryption result based on a second key to obtain the second data block in plaintext;
and, before returning the second data block to the cloud server, the method further comprises:
encrypting the plaintext second data block based on the second key, and sending the encrypted second data block to the proxy server, so that the proxy server encrypts the encrypted second data block a second time with the first key and sends it to the cloud server.
3. The data storage method according to claim 2, wherein the first key is generated by the proxy server based on user attribute information of an owner of the second data block, and the second key is generated by the proxy server based on user attribute information of a client of the data access request and transmitted to the client.
4. A data storage method according to claim 3, further comprising:
when the user attribute information is detected to be updated, generating a key updating instruction based on the updated user attribute information;
and sending the key updating instruction to the proxy server so that the proxy server can update the second key based on the key updating instruction.
5. The data storage method according to any one of claims 1 to 4, wherein the judging whether the second data block is the first data block based on mapping information in a bloom filter corresponding to the specified storage unit comprises:
calculating path information of the first data block through a plurality of groups of hash functions built into the bloom filter to obtain a plurality of mapping values;
determining the mapping positions of the mapping values in the mapping information in the bloom filter corresponding to the specified storage unit, wherein
if the mapping identifiers at the mapping positions of the mapping values are all the designated identifier, determining that the second data block is the first data block;
and if the mapping identifiers at the mapping positions of the mapping values include at least one non-designated identifier, determining that the second data block is not the first data block.
6. The data storage method of claim 5, wherein the designated identifier is 1 and the non-designated identifier is 0.
7. A data storage device, comprising:
a data access request acquisition unit, configured to acquire a data access request for a specified storage unit in a cloud server, where the data access request is used to request acquisition of a first data block;
a data block obtaining unit, configured to obtain each second data block stored in the specified storage unit in sequence based on the data access request;
a mapping judgment unit, configured to judge, after each second data block is acquired, whether the second data block is the first data block based on mapping information in a bloom filter corresponding to the specified storage unit, wherein the mapping information reflects whether the possibility that the first data block is stored in the specified storage unit is zero or non-zero;
a first execution unit, configured to return an invalid data block to the cloud server if the judgment result is that the second data block is the first data block, so that the cloud server stores the invalid data block at the original storage position of the second data block;
and a second execution unit, configured to return the second data block to the cloud server if the second data block is not the first data block, so that the cloud server stores the second data block at its original storage position.
8. The data storage device of claim 7, further comprising:
a first sending unit, configured to send the second data block to a proxy server after each second data block is acquired and before the mapping judgment unit judges whether the second data block is the first data block, so that the proxy server decrypts the second data block with a first key;
a decryption result receiving unit, configured to receive a decryption result of the second data block by the proxy server;
a data block decryption unit, configured to perform secondary decryption on the decryption result based on a second key to obtain the second data block in plaintext;
and a data block encryption unit, configured to encrypt the plaintext second data block based on the second key before the second execution unit returns the second data block to the cloud server, and to send the encrypted second data block to the proxy server, so that the proxy server encrypts it a second time with the first key and sends it to the cloud server.
9. A computer device, comprising: at least one processor; and a memory communicatively coupled to the at least one processor;
wherein the memory stores instructions executable by the at least one processor, the instructions being arranged to perform the method of any of the preceding claims 1 to 6.
10. A computer readable storage medium storing computer executable instructions for performing the method of any one of claims 1 to 6.
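The bloom filter judgment of claims 5 and 6 combined with the scan-and-write-back loop of claim 1, as an added Python example that is not code from the patent. The salted SHA-256 hash functions, the 256-bit filter size, the exact path comparison that confirms a filter hit, and the sample paths and blocks are all assumptions.

```python
import hashlib

INVALID_BLOCK = b"\x00" * 16  # constructed stand-in for the "invalid data block"

class PathBloomFilter:
    """Bit array of mapping identifiers: 1 = designated, 0 = non-designated."""

    def __init__(self, m_bits=256, k_hashes=4):
        self.m, self.k = m_bits, k_hashes
        self.bits = [0] * m_bits

    def _positions(self, path):
        # Assumption: the k hash functions are SHA-256 salted with an index.
        for i in range(self.k):
            digest = hashlib.sha256(bytes([i]) + path.encode()).digest()
            yield int.from_bytes(digest[:8], "big") % self.m

    def add(self, path):
        for pos in self._positions(path):
            self.bits[pos] = 1

    def may_contain(self, path):
        # All mapped positions 1 -> possibility non-zero; any 0 -> zero.
        return all(self.bits[pos] for pos in self._positions(path))

def access_unit(unit, bloom, wanted_path):
    """Scan every slot in order; return (requested block, blocks written back)."""
    possible = bloom.may_contain(wanted_path)
    found, written = None, []
    for path, block in unit:
        # Assumption: an exact path comparison confirms the bloom filter hit,
        # because a filter alone can report false positives.
        if possible and path == wanted_path:
            found = block
            written.append((None, INVALID_BLOCK))  # requested slot is invalidated
        else:
            written.append((path, block))          # other blocks go back unchanged
    return found, written

# Constructed sample: one storage unit holding three (path, block) pairs.
SAMPLE_UNIT = [("/a/1", b"alpha"), ("/a/2", b"bravo"), ("/a/3", b"charlie")]

def demo():
    bloom = PathBloomFilter()
    for path, _ in SAMPLE_UNIT:
        bloom.add(path)
    return access_unit(SAMPLE_UNIT, bloom, "/a/2")

if __name__ == "__main__":
    print(demo())
```

Every slot is read and written back whether or not the request hits, so the number of reads and writes seen by the cloud server is the same in both cases. A filter whose bits are all 1 answers "non-zero" for a path that was never added, which is why the example confirms a hit before invalidating a slot.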
CN202311287765.3A 2023-10-07 2023-10-07 Data storage method and device, computer equipment and readable storage medium Active CN117420953B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202311287765.3A CN117420953B (en) 2023-10-07 2023-10-07 Data storage method and device, computer equipment and readable storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202311287765.3A CN117420953B (en) 2023-10-07 2023-10-07 Data storage method and device, computer equipment and readable storage medium

Publications (2)

Publication Number Publication Date
CN117420953A true CN117420953A (en) 2024-01-19
CN117420953B CN117420953B (en) 2024-03-26

Family

ID=89531630

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202311287765.3A Active CN117420953B (en) 2023-10-07 2023-10-07 Data storage method and device, computer equipment and readable storage medium

Country Status (1)

Country Link
CN (1) CN117420953B (en)

Citations (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20100332765A1 (en) * 2009-06-29 2010-12-30 Sun Microsystems, Inc. Hierarchical bloom filters for facilitating concurrency control
US20120317130A1 (en) * 2011-06-13 2012-12-13 Fujitsu Limited Computer product, search method, search apparatus, and node
CA2876466A1 (en) * 2014-12-29 2016-06-29 Ibm Canada Limited - Ibm Canada Limitee Scan optimization using bloom filter synopsis
US9553771B1 (en) * 2015-10-23 2017-01-24 International Business Machines Corporation Bloom filter index for device discovery
US20180210959A1 (en) * 2017-01-24 2018-07-26 Microsoft Technology Licensing, Llc Front end bloom filters in distributed databases
US20180357434A1 (en) * 2017-06-08 2018-12-13 The Government Of The United States, As Represented By The Secretary Of The Army Secure Generalized Bloom Filter
WO2019185710A1 (en) * 2018-03-29 2019-10-03 NEC Laboratories Europe GmbH Method and system of preserving privacy for usage of lightweight blockchain clients
CN115981559A (en) * 2022-12-26 2023-04-18 京东科技信息技术有限公司 Distributed data storage method and device, electronic equipment and readable medium
CN116506218A (en) * 2023-06-25 2023-07-28 杭州世平信息科技有限公司 User data interactive computing privacy protection method and system in cloud environment
CN116595014A (en) * 2023-07-18 2023-08-15 中孚信息股份有限公司 Storage system, method and device for read receipt and readable storage medium
US20230259494A1 (en) * 2022-02-14 2023-08-17 Seagate Technology Llc Deduplication in multiple-tiered storage systems

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
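刘竹松; 杨张杰: "Efficient and secure deduplicated cloud storage scheme based on Bloom filter proof of ownership", Journal of Computer Applications (计算机应用), no. 03, 10 March 2017 (2017-03-10) *
吴鹏飞; 沈晴霓; 秦嘉; 钱文君; 李聪; 吴中海: "Survey of research on oblivious RAM", Journal of Software (软件学报), no. 09, 15 September 2018 (2018-09-15) *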

Also Published As

Publication number Publication date
CN117420953B (en) 2024-03-26

Similar Documents

Publication Publication Date Title
US11050561B2 (en) Multi-party security computing method and apparatus, and electronic device
US11290266B2 (en) Secure multi-party computation method and apparatus, and electronic device
EP3657376B1 (en) Hybrid-cloud data storage method and apparatus, related device, and cloud system
US11115418B2 (en) Registration and authorization method device and system
Eskandarian et al. Express: Lowering the cost of metadata-hiding communication with cryptographic privacy
Liu et al. DivORAM: Towards a practical oblivious RAM with variable block size
US9680809B2 (en) Secure data storage on a cloud environment
US10063372B1 (en) Generating pre-encrypted keys
CN110147329B (en) Method, device and terminal for dynamically detecting simulator
CN107257974A (en) System, method and apparatus for providing privacy information retrieval
CN105007302B (en) A kind of mobile terminal data storage method
JP4787080B2 (en) Distributed information sharing method and terminal device
CN110245518A (en) A kind of date storage method, device and equipment
US11398901B2 (en) Restricted partial key storage
CN115269938A (en) Keyword track hiding query method and system based on homomorphic encryption and related device
CN114826702A (en) Database access password encryption method and device and computer equipment
JP4828724B2 (en) Cryptographic system and method based on transition states
CN113726772A (en) Method, device, equipment and storage medium for realizing on-line inquiry session
CN117420953B (en) Data storage method and device, computer equipment and readable storage medium
US9973339B1 (en) Anonymous cloud data storage and anonymizing non-anonymous storage
CN117371011A (en) Data hiding query method, electronic device and readable storage medium
CN112182615A (en) Cloud computing key protection system based on SGX and ORAM technology
CN105187379A (en) Multi-party distrust-based password split managing method
CN112995109B (en) Data encryption system, data encryption method, data processing device and electronic equipment
CN115098893A (en) Data storage method and device based on block chain

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant