CN117938387A - Data security system and method based on cryptographic algorithm in cloud computing environment - Google Patents

Data security system and method based on cryptographic algorithm in cloud computing environment Download PDF

Info

Publication number
CN117938387A
CN117938387A CN202311614155.XA CN202311614155A CN117938387A CN 117938387 A CN117938387 A CN 117938387A CN 202311614155 A CN202311614155 A CN 202311614155A CN 117938387 A CN117938387 A CN 117938387A
Authority
CN
China
Prior art keywords
data
cloud
user
module
algorithm
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202311614155.XA
Other languages
Chinese (zh)
Inventor
李运福
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Shuzhi Qiancheng Technology Co ltd
Original Assignee
Beijing Shuzhi Qiancheng Technology Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing Shuzhi Qiancheng Technology Co ltd filed Critical Beijing Shuzhi Qiancheng Technology Co ltd
Priority to CN202311614155.XA priority Critical patent/CN117938387A/en
Publication of CN117938387A publication Critical patent/CN117938387A/en
Pending legal-status Critical Current

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/30Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00Network arrangements or protocols for supporting network services or applications
    • H04L67/01Protocols
    • H04L67/10Protocols in which an application is distributed across nodes in the network
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L69/00Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
    • H04L69/16Implementation or adaptation of Internet protocol [IP], of transmission control protocol [TCP] or of user datagram protocol [UDP]
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/0863Generation of secret information including derivation or calculation of cryptographic keys or passwords involving passwords or one-time passwords
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/088Usage controlling of secret information, e.g. techniques for restricting cryptographic keys to pre-authorized uses, different access levels, validity of crypto-period, different key- or password length, or different strong and weak cryptographic algorithms
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3226Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using a predetermined code, e.g. password, passphrase or PIN

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computing Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Storage Device Security (AREA)

Abstract

The invention relates to a data security system and a method under a cloud computing environment based on a national cryptographic algorithm, which are oriented to the cloud computing environment, and in order to solve the technical problems of data security access, storage and transmission, the invention provides a data security system based on a domestic cryptographic algorithm, wherein a domestic SM3 algorithm is adopted for protecting user names and login passwords, an SSL/TLS protocol based on the domestic passwords is adopted for ensuring data transmission security, an asymmetric domestic cryptographic SM2 algorithm is adopted for generating a data encryption key, and a symmetric domestic cryptographic SM4 algorithm is adopted for encrypting and decrypting data, so that data storage and access security are ensured. By utilizing the method, the full flow safety of data access, transmission and storage in the cloud computing environment is ensured. Meanwhile, the system and the method provided by the invention have stronger practical significance under the background of credit safety.

Description

Data security system and method based on cryptographic algorithm in cloud computing environment
Technical Field
The invention belongs to the technical field of data security, and particularly relates to a data security system and method under a cloud computing environment based on a cryptographic algorithm.
Background
With the increasing popularity of cloud services, more and more organizations are beginning to use cloud services. Although cloud services have been widely accepted, concerns about the security and privacy of these services remain a public challenge. With the rapid development of technology, these services can be easily accessed through smartphones, so that users can share pictures, videos, documents and other important data across various platforms in real time. However, security vulnerabilities of cloud accounts may result in a number of leaks, which may cause significant loss to cloud service users.
Because all user data is stored, managed, and processed in the cloud, the cloud computing service provider has the responsibility to mitigate any risk associated with data security and privacy. In order to enhance the security of cloud computing services, service providers need to adopt technical means to cope with various attacks such as data loss, traffic hijacking, resource isolation, malicious internal personnel and the like.
Data encryption has been one of the key measures for data security protection. Many algorithms have been proposed in the past to perform efficient data encryption. Currently, data security encryption for cloud computing is mostly realized based on foreign cryptographic algorithms, and certain potential safety hazards exist under the trafficking background.
Disclosure of Invention
The invention aims to overcome the defects of the prior art, and provides a data security system and a data security method under a cloud computing environment based on a national cryptographic algorithm, which can maintain stable operation of a power grid, rapidly and accurately give out an optimal load transfer scheme, greatly improve work efficiency of a dispatcher and ensure safe and stable operation of the power grid.
The invention solves the technical problems by adopting the following technical scheme:
the cloud user authentication module is used for providing user registration and access authentication services, the cloud data generation module is used for formatting cloud user uploading data, the cloud data security transmission module is used for transmitting formatting data, the user public and private key generation module is used for generating a private key and a public key, the cloud data encryption module is used for encrypting data according to the private key and the public key, and the cloud data decryption module is used for decrypting data.
Moreover, the cloud user authentication module is used for providing user registration and access authentication services, so that only legal authorized users can access services and data hosted on the cloud.
And the cloud data generation module is used for formatting data which the cloud user hopes to upload to the cloud, so that the data format meets the channel transmission requirement.
And the cloud data security transmission module adopts a special line or a domestic SSL/TLS protocol to carry out data security transmission, and transmits the data to a cloud service provider end.
In addition, the public and private key generation module of the user adopts a domestic SM2 algorithm to generate a private key and public key pair of the cloud user and uploaded data thereof, and sends the private key and the public key to the data encryption module,
The cloud data encryption module is used for generating an encryption key by adopting the received private key and public key at the cloud service provider end, encrypting the data of the corresponding cloud user by using a domestic SM4 algorithm, storing the data in a cloud database,
And the cloud data decryption module is used for inquiring keys corresponding to the user and the data when the cloud user accesses the authorized data, decrypting the data by adopting a domestic SM4 algorithm, generating a plaintext, and providing the plaintext for the authorized user.
A data encryption method of a data security system in a cloud computing environment based on a cryptographic algorithm comprises the following steps:
Step 1, a cloud user registers and accesses authentication service through a cloud user authentication module;
step 2, the cloud data generation module formats data uploaded by a cloud user;
step 3, the cloud data security transmission module transmits the formatted data to the cloud service provider end,
Step 4, a public and private key generation module of the user adopts a domestic SM2 algorithm to generate a private key and public key pair of the cloud user and uploaded data thereof, and the private key and the public key are sent to a data encryption module;
step 5, the cloud data encryption module generates an encryption key at the cloud service provider end by adopting the received private key and public key, encrypts data corresponding to the cloud user by using a domestic SM4 algorithm, and stores the data in a cloud database;
And 6, inquiring keys corresponding to the user and the data when the cloud user accesses the authorized data, and decrypting the data by using a domestic SM4 algorithm by using a cloud data decryption module to generate a plaintext for the authorized user.
The invention has the advantages and positive effects that:
The invention is oriented to a cloud computing environment, and provides a data security system based on a domestic cryptographic algorithm for protecting user names and login passwords by adopting a domestic SM3 algorithm, ensuring data transmission security by adopting an SSL/TLS protocol based on a domestic password, generating a data encryption key by adopting an asymmetric domestic cryptographic SM2 algorithm, encrypting and decrypting data by adopting a symmetric domestic cryptographic SM4 algorithm, and ensuring data storage and access security. By utilizing the method, the full flow safety of data access, transmission and storage in the cloud computing environment is ensured. Meanwhile, the system and the method provided by the invention have stronger practical significance under the background of credit safety.
Drawings
FIG. 1 is a block diagram of a data security system in a cloud computing environment based on domestic passwords according to the present invention;
FIG. 2 is a flow chart of cloud user login based on a domestic cryptographic algorithm;
Fig. 3 is a flow chart of cloud data encryption and decryption based on a domestic cryptographic algorithm.
Detailed Description
The present invention will be described in further detail with reference to the accompanying drawings.
The cloud data security system based on the national cryptographic algorithm is applied to cloud service, and as shown in fig. 1, the cloud security system comprises a cloud user authentication module, a cloud data generation module, a cloud data security transmission module, a user public and private key generation module, a cloud data encryption (storage) module and a cloud data decryption (access) module, wherein the cloud user authentication module and the cloud data generation module belong to a cloud user end, the cloud data security transmission module outputs a transmission path, the user public and private key generation module, the cloud data encryption module and the cloud data decryption module eat a cloud server end, the cloud user authentication module, the cloud data generation module, the cloud data security transmission module, the user public and private key generation module, the cloud data encryption module and the cloud data decryption module are sequentially connected, the cloud user authentication module is used for providing user registration and access authentication service, the cloud data generation module is used for formatting cloud user uploading data, the cloud data security transmission module is used for formatting data transmission, the user public key generation module is used for generating a private key and a public key, the cloud data encryption module is used for encrypting data according to the private key and the public key, and the cloud data decryption module is used for decrypting data.
The cloud user authentication module is used for providing user registration and access authentication services, and ensuring that only legal authorized users can access services and data hosted on the cloud. And the cloud user authentication module is used for authenticating according to the related requirements of the level protection in a multi-factor mode. Compared with the prior art, the cloud user authentication module is added with a mailbox registered by a cloud user or a mobile phone number sending verification code function, and the double-factor authentication capability is realized by combining a user name and a login password.
The cloud data generation module is used for formatting data which the cloud user hopes to upload to the cloud, so that the data format meets the channel transmission requirement.
The cloud data security transmission module adopts a special line or a domestic SSL/TLS protocol to carry out data security transmission, and transmits the data to a cloud service provider end.
The public and private key generating module of the user adopts a domestic SM2 algorithm to generate a private key and a public key pair of the cloud user and the uploaded data thereof, and sends the private key and the public key to the data encrypting module,
The cloud data encryption module is used for generating an encryption key by adopting the received private key and public key at the cloud service provider end, encrypting the data of the corresponding cloud user by using a domestic SM4 algorithm, storing the data in a cloud database,
The cloud data decryption module is used for inquiring keys corresponding to the user and the data when the cloud user accesses the authorized data, decrypting the data by adopting a domestic SM4 algorithm, generating a plaintext, and providing the plaintext for the authorized user. When the cloud user A is about to access the data uploaded and stored by the cloud user B, the identity of the cloud user A which obtains the access authority of the data is added into an access control list of the data, and when the cloud user A submits an access request, a decryption module of the data is directly called. For cloud users that are not in the access control list of the data, the data decryption module will not be able to be investigated.
A data encryption method of a data security system in a cloud computing environment based on a cryptographic algorithm comprises the following steps:
Step 1, a cloud user registers and accesses authentication service through a cloud user authentication module;
step 2, the cloud data generation module formats data uploaded by a cloud user;
step 3, the cloud data security transmission module transmits the formatted data to the cloud service provider end,
Step 4, a public and private key generation module of the user adopts a domestic SM2 algorithm to generate a private key and public key pair of the cloud user and uploaded data thereof, and the private key and the public key are sent to a data encryption module;
step 5, the cloud data encryption module generates an encryption key at the cloud service provider end by adopting the received private key and public key, encrypts data corresponding to the cloud user by using a domestic SM4 algorithm, and stores the data in a cloud database;
And 6, inquiring keys corresponding to the user and the data when the cloud user accesses the authorized data, and decrypting the data by using a domestic SM4 algorithm by using a cloud data decryption module to generate a plaintext for the authorized user.
Example 1:
As shown in fig. 2, the present embodiment provides a cloud user login authentication flowchart, including the following steps:
Step 1.1, a cloud user inputs a user name and a login password;
and 1.2, the cloud computing system adopts a national password SM2 algorithm to verify the digest values of the user name and the login password, and verifies whether the computed value of the system is consistent with the digest value stored by the system. Inconsistent, stopping logging, consistent and continuous;
Step 1.3, the cloud computing system sends a verification code to a mailbox or a mobile phone number registered by the cloud user;
Step 1.4, the cloud user inputs the received verification code;
And step 1.5, the cloud computing system verifies whether the verification code input by the cloud user is consistent with the verification code transmitted last time. And (3) if the verification codes are inconsistent, the verification code retransmission operation can be selected, the steps 1.3 to 1.4 are repeated, and the login can be optionally terminated. For the re-input verification code, if the continuous 5 times are inconsistent, the login is stopped. Consistent and continuous;
And step 1.6, successful login and ending.
Example 2: the present embodiment provides a flowchart of cloud data encryption and decryption as shown in fig. 3, and the encryption process includes the following steps:
step 5.1, the cloud computing system receives cloud data sent by a cloud user;
Step 5.2, the cloud computing system adopts an asymmetric domestic SM2 algorithm to generate a public key and private key pair;
step 5.3, the cloud computing system performs exclusive OR operation on the public key and the private key to generate a key corresponding to the cloud data;
Step 5.4, the cloud computing system adopts a symmetric domestic SM4 algorithm, and uses a cloud data key to encrypt cloud data so as to generate ciphertext of the cloud data;
and 5.5, the cloud computing system stores the ciphertext of the cloud data into a cloud database.
A decryption process comprising the steps of:
Step 6.1, a cloud user sends a cloud data access request;
step 6.2, the cloud computing system inquires and determines a corresponding cloud data ciphertext;
step 6.3, the cloud computing system decrypts the ciphertext of the cloud data by adopting a symmetric domestic SM4 algorithm and a secret key corresponding to the cloud data to generate a plaintext;
And 6.4, the cloud user accesses the plaintext of the corresponding cloud data.
It should be emphasized that the examples described herein are illustrative rather than limiting, and therefore the invention includes, but is not limited to, the examples described in the detailed description, as other embodiments derived from the technical solutions of the invention by a person skilled in the art are equally within the scope of the invention.

Claims (8)

1. A data security system based on a national cryptographic algorithm in a cloud computing environment is applied to cloud services, and is characterized in that: the cloud user authentication system comprises a cloud user authentication module, a cloud data generation module, a cloud data security transmission module, a user public and private key generation module, a cloud data encryption module and a cloud data decryption module, wherein the cloud user authentication module, the cloud data generation module, the cloud data security transmission module, the user public and private key generation module, the cloud data encryption module and the cloud data decryption module are sequentially connected, the cloud user authentication module is used for providing user registration and access authentication services, the cloud data generation module is used for formatting cloud user uploading data, the cloud data security transmission module is used for transmitting formatted data, the user public and private key generation module is used for generating a private key and a public key, the cloud data encryption module is used for encrypting data according to the private key and the public key, and the cloud data decryption module is used for decrypting data.
2. The data security system in a cloud computing environment based on a cryptographic algorithm of claim 1, wherein: the cloud user authentication module is used for providing user registration and access authentication services, and ensuring that only legal authorized users can access services and data hosted on the cloud.
3. The data security system in a cloud computing environment based on a cryptographic algorithm of claim 1, wherein: the cloud data generation module is used for formatting data which the cloud user hopes to upload to the cloud, so that the data format meets the channel transmission requirement.
4. The data security system in a cloud computing environment based on a cryptographic algorithm of claim 1, wherein: the cloud data security transmission module adopts a special line or a domestic SSL/TLS protocol to carry out data security transmission, and transmits the data to a cloud service provider end.
5. The data security system in a cloud computing environment based on a cryptographic algorithm of claim 1, wherein: the public and private key generation module of the user adopts a domestic SM2 algorithm to generate a private key and public key pair of the cloud user and uploaded data thereof, and sends the private key and the public key to the data encryption module.
6. The data security system in a cloud computing environment based on a cryptographic algorithm of claim 1, wherein: the cloud data encryption module is used for generating an encryption key by adopting the received private key and public key at the cloud service provider end, encrypting data of a corresponding cloud user by using a domestic SM4 algorithm, and storing the data in a cloud database.
7. The data security system in a cloud computing environment based on a cryptographic algorithm of claim 1, wherein: and the cloud data decryption module is used for inquiring keys corresponding to the user and the data when the cloud user accesses the authorized data, decrypting the data by adopting a domestic SM4 algorithm, generating a plaintext and providing the plaintext for the authorized user.
8. A data encryption method of a data security system in a cloud computing environment based on a cryptographic algorithm as in any one of claims 1 to 7, wherein: the method comprises the following steps:
Step 1, a cloud user registers and accesses authentication service through a cloud user authentication module;
step 2, the cloud data generation module formats data uploaded by a cloud user;
step 3, the cloud data security transmission module transmits the formatted data to the cloud service provider end,
Step 4, a public and private key generation module of the user adopts a domestic SM2 algorithm to generate a private key and public key pair of the cloud user and uploaded data thereof, and the private key and the public key are sent to a data encryption module;
step 5, the cloud data encryption module generates an encryption key at the cloud service provider end by adopting the received private key and public key, encrypts data corresponding to the cloud user by using a domestic SM4 algorithm, and stores the data in a cloud database;
And 6, inquiring keys corresponding to the user and the data when the cloud user accesses the authorized data, and decrypting the data by using a domestic SM4 algorithm by using a cloud data decryption module to generate a plaintext for the authorized user.
CN202311614155.XA 2023-11-29 2023-11-29 Data security system and method based on cryptographic algorithm in cloud computing environment Pending CN117938387A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202311614155.XA CN117938387A (en) 2023-11-29 2023-11-29 Data security system and method based on cryptographic algorithm in cloud computing environment

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202311614155.XA CN117938387A (en) 2023-11-29 2023-11-29 Data security system and method based on cryptographic algorithm in cloud computing environment

Publications (1)

Publication Number Publication Date
CN117938387A true CN117938387A (en) 2024-04-26

Family

ID=90756327

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202311614155.XA Pending CN117938387A (en) 2023-11-29 2023-11-29 Data security system and method based on cryptographic algorithm in cloud computing environment

Country Status (1)

Country Link
CN (1) CN117938387A (en)

Similar Documents

Publication Publication Date Title
US10243742B2 (en) Method and system for accessing a device by a user
US10638321B2 (en) Wireless network connection method and apparatus, and storage medium
US20190140844A1 (en) Identity-linked authentication through a user certificate system
US8763097B2 (en) System, design and process for strong authentication using bidirectional OTP and out-of-band multichannel authentication
CN103812871B (en) Development method and system based on mobile terminal application program security application
US20190173873A1 (en) Identity verification document request handling utilizing a user certificate system and user identity document repository
US9641344B1 (en) Multiple factor authentication in an identity certificate service
US9137223B2 (en) Apparatus and method for transmitting data, and recording medium storing program for executing method of the same in computer
WO2022111187A1 (en) Terminal authentication method and apparatus, computer device, and storage medium
CN103248479A (en) Cloud storage safety system, data protection method and data sharing method
CN113612605A (en) Method, system and equipment for enhancing MQTT protocol identity authentication by using symmetric cryptographic technology
CN101742508A (en) System and method for transmitting files between WAPI terminal and application server
CN101466079A (en) Method, system and WAPI terminal for transmitting e-mail
US11811739B2 (en) Web encryption for web messages and application programming interfaces
CN104901935A (en) Bilateral authentication and data interaction security protection method based on CPK (Combined Public Key Cryptosystem)
CN108809936B (en) Intelligent mobile terminal identity verification method based on hybrid encryption algorithm and implementation system thereof
CN112020038A (en) Domestic encryption terminal suitable for rail transit mobile application
CN114282189A (en) Data security storage method, system, client and server
CN104243452A (en) Method and system for cloud computing access control
CN115473655A (en) Terminal authentication method, device and storage medium for access network
CN107104888B (en) Safe instant messaging method
CN104243435A (en) Communication method for HTTP based on OAuth
CN213938340U (en) 5G application access authentication network architecture
CN116709325B (en) Mobile equipment security authentication method based on high-speed encryption algorithm
Yoon et al. Security enhancement scheme for mobile device using H/W cryptographic module

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination