CN117938414A - Sensitive data cloud secure storage system based on password and biological authentication - Google Patents

Sensitive data cloud secure storage system based on password and biological authentication Download PDF

Info

Publication number
CN117938414A
CN117938414A CN202310246940.8A CN202310246940A CN117938414A CN 117938414 A CN117938414 A CN 117938414A CN 202310246940 A CN202310246940 A CN 202310246940A CN 117938414 A CN117938414 A CN 117938414A
Authority
CN
China
Prior art keywords
key
user
password
encrypted
biological
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202310246940.8A
Other languages
Chinese (zh)
Inventor
周毅
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Dongxu Digital Future Beijing Information Technology Co ltd
Original Assignee
Dongxu Digital Future Beijing Information Technology Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Dongxu Digital Future Beijing Information Technology Co ltd filed Critical Dongxu Digital Future Beijing Information Technology Co ltd
Priority to CN202310246940.8A priority Critical patent/CN117938414A/en
Publication of CN117938414A publication Critical patent/CN117938414A/en
Pending legal-status Critical Current

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/04Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/04Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0435Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply symmetric encryption, i.e. same key used for encryption and decryption
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/083Network architectures or network communication protocols for network security for authentication of entities using passwords
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0861Network architectures or network communication protocols for network security for authentication of entities using biometrical features, e.g. fingerprint, retina-scan
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00Network arrangements or protocols for supporting network services or applications
    • H04L67/01Protocols
    • H04L67/10Protocols in which an application is distributed across nodes in the network
    • H04L67/1097Protocols in which an application is distributed across nodes in the network for distributed storage of data in networks, e.g. transport arrangements for network file system [NFS], storage area networks [SAN] or network attached storage [NAS]
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/06Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
    • H04L9/0643Hash functions, e.g. MD5, SHA, HMAC or f9 MAC
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/0863Generation of secret information including derivation or calculation of cryptographic keys or passwords involving passwords or one-time passwords
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/0869Generation of secret information including derivation or calculation of cryptographic keys or passwords involving random numbers or seeds
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3226Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using a predetermined code, e.g. password, passphrase or PIN

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Health & Medical Sciences (AREA)
  • Biomedical Technology (AREA)
  • General Health & Medical Sciences (AREA)
  • Power Engineering (AREA)
  • Storage Device Security (AREA)

Abstract

The invention relates to a sensitive data cloud secure storage system based on password and biological authentication, which comprises: the system comprises a key server, a user and a cloud storage server; when a user registers and data is stored, an encryption password related key is generated by utilizing a long-term private key of a key server and an encryption password of the user, and an encryption biological related key and a biological template are generated by utilizing an encryption biological sample; encrypting the biological template by using an encryption password related key to obtain an encrypted biological template, and storing the encrypted biological template in a key server; and generating an encryption key of the user data and an authentication credential of the cloud storage server by utilizing the encryption password related key and the encryption biology related key, logging in and registering to the cloud storage server by utilizing the authentication credential of the cloud storage server, encrypting the user data by utilizing the encryption key, and storing the encrypted user data in the cloud storage server. The invention realizes the double-factor high-safety protection of the user data.

Description

Sensitive data cloud secure storage system based on password and biological authentication
Technical Field
The invention relates to the technical field of data security storage, in particular to a sensitive data cloud security storage system based on passwords and biological authentication.
Background
With the rapid development of cloud computing technology, uploading user data to a cloud storage server for storage has become an increasingly popular data storage mode. By using cloud storage, a user can access personal data stored on a cloud storage server through different terminals at any time and any place, so that convenience and mobility of user data access are greatly improved.
However, the continuous data leakage event also sounds the alarm of the data security problem to the people, so that the user has to consider taking necessary measures to secure the user data when uploading the data to the cloud storage server for storage. The current common data security solutions mainly have two main categories: one is a solution that relies on a cloud storage server to provide key management, and the other is a solution that relies on a user to provide key management. In a first type of solution, the cloud storage servers are considered to be fully trusted, they are responsible for providing cryptographic services to all encryption and decryption requests, and managing the corresponding encryption and decryption keys for all users; in the second category of solutions, cloud storage servers are considered semi-trusted, i.e. honest and curious, in that they on the one hand serve the user in accordance with prescribed actions, but may also curify the actual content of the data stored by the user-they attempt to obtain the plaintext data of the user, even infringing the user's interests with these plaintext data. Under the situation, the user adopts a mode of managing the user key by himself, firstly encrypts plaintext data, and then uploads ciphertext data to the cloud storage server for storage, so that the cloud storage server is prevented from exploring the plaintext data of the user.
In the two types of data cloud storage security solutions, the solution which relies on the user to provide key management can resist attacks implemented by a semi-trusted cloud storage server, and can realize higher-level security guarantee. However, in this solution, if the user encrypts the data using a high entropy key, the number of encryption keys to be managed will be increased with the increase of the volume of the data, and a high key management burden is imposed on the user. An intuitive solution is to encrypt user data with a common password, but ciphertext data obtained by directly using the password as an encryption key is difficult to resist offline dictionary attacks, and thus cannot resist malicious attacks implemented by a semi-trusted server.
Disclosure of Invention
The technical problem to be solved by the invention is to provide a sensitive data cloud security storage system based on password and biological authentication, which can give consideration to the easy memory characteristic of the password and the movable characteristic stored by a cloud storage server, and realize the double-factor high security protection of user data.
The technical scheme adopted for solving the technical problems is as follows: provided is a password and biometric authentication-based sensitive data cloud secure storage system, comprising: the key server is used for assisting the user side in changing the password of the user side into a password related key and storing an encrypted biological template for the user; the user end is used for providing passwords and biological samples; the cloud storage server is used for providing user login authentication service and data storage service for the user; upon user registration and data storage:
generating an encrypted password related key by using a long-term private key of a key server and an encrypted password of a user, and generating an encrypted biological related key and a biological template by using an encrypted biological sample;
Encrypting the biological template by using an encryption password related key to obtain an encrypted biological template, and storing the encrypted biological template in a key server;
and generating an encryption key of the user data and an authentication credential of the cloud storage server by utilizing the encryption password related key and the encryption biology related key, logging in and registering to the cloud storage server by utilizing the authentication credential of the cloud storage server, encrypting the user data by utilizing the encryption key, and storing the encrypted user data in the cloud storage server.
The method for generating the encrypted password related key by using the long-term private key of the key server and the encrypted password of the user comprises the following steps of:
the user side calculates R=H 1(pw)r according to the encryption password pw of the user side, wherein R is a random number, and the user identity identifier ID and R are sent to a key server together;
after receiving the identity identifiers ID and R sent by the user, the key server calculates s id=H2 (msk, ID) and using the long-term private key msk And transmitting W id to the user terminal;
the user uses W id to calculate the relative key of encryption password Calculating (bk, tpl) = KEYTPLGEN (BT) using the encrypted biological sample bt, where bk represents the encrypted biological correlation key, tpl represents the biological template;
Wherein, H 1()、H2 () and H 3 () are both cryptographic hash functions, and KEYTPLGEN () is a biological key generation function.
The calculation of (bk, tpl) = KEYTPLGEN (BT) using the encrypted biological sample bt is specifically:
Assuming that the length of the encrypted biological sample bt is 1920 bits, each bit in the encrypted biological sample bt is changed into a symbol with 11 bits by filling 0, and the obtained character string is recorded as
From the slaveRandomly selecting a codon rc in the code, and combining the codon rc with a character string/>Performing exclusive OR operation to obtain a message d;
Randomly selecting a 1024-bit random number k, and calculating an encrypted biometric key by using the random number k and the character string bt Wherein, H () is a cryptographic hash function; then, a binary set tpl= (d, k) composed of the message d and the random number k is used as a biological template.
The method comprises the steps of generating an encryption key of user data and an authentication credential of a cloud storage server by utilizing an encryption password related key and an encryption biology related key, logging in and registering to the cloud storage server by utilizing a login credential of the cloud storage server, encrypting the user data by utilizing the encryption key, and storing the encrypted user data in the cloud storage server, wherein the method comprises the following steps:
The user side calculates alpha id||ekid||skid=H4 (bk, pk) by using an encryption password related key pk and an encryption biological related key bk, wherein alpha id is a user authentication certificate, ek id is an encryption key of user data, sk id is verification data, encryption of plaintext data Msg of the user is carried out by using an encryption key ek id of the user data to obtain secret ct=enc (ek id, msg), and verification code t=h 5(skid, etpl, ct) is calculated by using the verification data sk id, the encrypted biological template etpl and the ciphertext ct;
The user logs in and registers to the cloud storage server by using the user identity identifier ID and the user authentication credential a id;
After successful registration, the user side stores the ciphertext verification code pair (ct, t) in the cloud storage server;
Where H 4 () and H 5 () are cryptographic hash functions and Enc () is a symmetric encryption algorithm function.
The sensitive data cloud security storage system based on password and biological authentication is characterized in that when data is retrieved:
Generating a decryption password related key by using a long-term private key of a key server and a decryption password of a user side, retrieving an encrypted biological template from the key server, obtaining the biological template through decryption, and recovering a decryption biological related key by using the biological template and a decryption biological sample;
Generating a decryption key of the user data and an authentication credential of the cloud storage server by using the decryption password-related key and the decryption biometric-related key, and retrieving the encrypted user data from the cloud storage server by using the authentication credential;
and decrypting the encrypted user data by using the decryption key to obtain the original data.
The method for generating the decryption password related key by using the long-term private key of the key server and the decryption password of the user side, retrieving the encrypted biological template from the key server, obtaining the biological template through decryption, and recovering the decryption biological related key by using the biological template and the decryption biological sample specifically comprises the following steps:
The user side calculates R ' =H 1(pw′)r according to the decryption password pw ' of the user side, wherein R is a random number, and the user identity identifier ID and R ' are sent to the key server together;
After receiving the identity identifiers ID and R 'sent by the user, the key server calculates s' id=H2 (msk, ID) and (ID) using the long-term private key msk Finding out an encrypted biological template etpl, and sending the W' id and the encrypted biological template etpl to a user side;
The user uses W' id to calculate the relative key of decryption password Decrypting the encrypted biological template etpl with the decryption password related key pk ' to obtain a biological template tpl ', and recovering a decryption biological related key bk ' = KEYRELEASE (tpl ', bt ') by using the biological template tpl ' and the decrypted biological sample bt ';
Wherein, H 1()、H2 () and H 3 () are both cryptographic hash functions, and KEYRELEASE () is a related key recovery function.
The recovery of the decrypted biometric related key bk ' = KEYRELEASE (tpl ', bt ') using the biometric template tpl ' and the decrypted biometric sample bt ' is specifically:
assuming that the length of the decrypted biological sample bt 'is 1920 bits, each bit in the decrypted biological sample bt' is changed into a symbol with 11 bits by filling 0, and the obtained character string is recorded as
Using message d and character string in biological template tplBy/>Calculating a code rc ', and recovering the code rc' into the code rc by using an RS code error correction mechanism;
Recovering an encrypted biological sample of a user using code rc Using encrypted biological samples/>And a random number k to calculate a decryption bio-related key/>H () is a cryptographic hash function.
The decryption key for generating the user data by using the decryption password related key and the decryption biology related key and the authentication credential of the cloud storage server, and the encrypted user data is retrieved from the cloud storage server by using the authentication credential specifically comprises:
The user side generates alpha ' id||ek′id||sk′id=H4 (bk ', pk ') by using a decryption password related key pk ' and a decryption organism related key bk ', wherein alpha ' id is a user authentication credential, ek ' id is a decryption key of user data, sk ' id is verification data, and the cloud storage server is logged in by using an identity identifier ID and the user authentication credential alpha ' id;
The cloud storage server searches the verification tuple by taking the identity identifier ID as an index, verifies through a login program, and sends a ciphertext verification code pair (ct, t) to the user side after verification is passed, wherein ct is ciphertext, and t is a verification code;
The user side verifies the verification code t through the verification data sk id, and after the verification is passed, the ciphertext ct is decrypted by utilizing the decryption key ek id of the user data to obtain plaintext data Msg of the user.
Advantageous effects
Due to the adoption of the technical scheme, compared with the prior art, the invention has the following advantages and positive effects: the invention can obtain correct sensitive data only by the user having the correct password and the biological sample, realizes the double-factor high-safety protection of the user data, and ensures high mobility by only remembering one password without having equipment for locally storing the biological template. The key server is only used for storing the encrypted biological template, the encrypted biological template is generated by the password related key, the biological template information cannot be obtained under the condition that the key server cannot obtain the password of the user, the user sensitive data cannot be obtained, and the cloud storage server cannot obtain the user sensitive data under the condition that the key related to the password is not available, so that the safety of the user sensitive data is ensured. In addition, the cloud storage server does not need to support other cryptography operations except login authentication, and is suitable for most commercial cloud storage servers.
Drawings
FIG. 1 is a schematic diagram of a sensitive data cloud secure storage system based on password and biometric authentication according to an embodiment of the present invention;
FIG. 2 is a schematic diagram of a user registration and data security storage phase in an embodiment of the invention;
FIG. 3 is a schematic diagram of a user data secure retrieval phase in an embodiment of the invention.
Detailed Description
The application will be further illustrated with reference to specific examples. It is to be understood that these examples are illustrative of the present application and are not intended to limit the scope of the present application. Furthermore, it should be understood that various changes and modifications can be made by one skilled in the art after reading the teachings of the present application, and such equivalents are intended to fall within the scope of the application as defined in the appended claims.
The embodiment of the invention relates to a sensitive data cloud security storage system based on password and biological authentication, which is shown in fig. 1 and comprises 3 entities including a key server KS, a user side C and a cloud storage server CS.
A key server KS having a long-term private key msk and maintaining a list LK for assisting the user in changing his password to a high-entropy password-related key and storing an encrypted biometric template for the user;
The user side C is a main body that needs to store data, and only needs to memorize a password pw with low entropy and provide a biological sample bt, and needs not to be a security device that can store a biological template locally;
The cloud storage server CS provides a storage service for the user to store the data ciphertext of the user, which only needs to support the user login authentication service and the data storage service, and does not need to support additional cryptographic operations.
In the registration stage of a user, a user side C inputs a password pw and a biological sample bt, firstly, generates a password related key pk by using the password pw and a long-term private key msk with the assistance of a key server KS, generates a biological related key bk and a biological template tpl by using the biological sample bt, and then obtains an encrypted biological template etpl of the biological template tpl by using the password related key pk and stores the encrypted biological template etpl at the key server KS. Then, an encryption key of the user data and a login credential of the cloud storage server are generated by using the password-related key pk and the biometric-related key bk together, and the user data is encrypted by using the encryption key and stored in the cloud storage server CS.
In the data retrieval stage, the user terminal C inputs the password pw ' and the biological sample bt ', first generates the password-related key pk ' with the aid of the key server KS by using the password pw ' and the long-term private key msk, retrieves the encrypted biological template etpl from the key server KS, and decrypts the encrypted biological template ppl by using pk '. Then, the biological template tpl and the biological sample bt 'are used for recovering the biological related key bk', the password related key pk 'and the biological related key bk' are used for jointly generating a decryption key of the user data and login credentials of the cloud storage server, the login credentials are used for retrieving the encrypted user data from the cloud storage server CS, and the decryption key is used for decrypting the encrypted user data to obtain the original data.
The invention is further illustrated by the following examples.
In this embodiment, the key server KS has a long-term private key msk and maintains a list lk= { LK id }, and each client C has a password pw and a biological sample bt, so that the cloud storage server CS can implement a login authentication mechanism in a general sense and provide a storage service. The user side C encrypts the biological sample of the user and the user data with the aid of the key server KS, and stores the encrypted biological template at the key server KS and the encrypted user data at the cloud storage server CS.
In this embodiment, H 1(),…,H5 () is a cryptographic hash function, (Enc, dec) represents a symmetric encryption and decryption algorithm; (AuthReg, login) represents a Login-registration-authentication subroutine embedded in the cloud storage server, wherein the Login-registration subroutine β id=AuthReg(ID,αid represents that the user registers identity and credentials (ID, α id) for the user at the server and generates server-authentication credentials β id, and the Login-authentication subroutine Login (ID, α idid) represents that the user inputs (ID, α id) and the server inputs β id to verify that the Login was successful, and if successful, outputs 1, otherwise outputs 0. The simplest implementation method can directly set beta id=αid and complete Login verification by verifying whether alpha idid is equal in Login (ID, alpha idid).
In this embodiment, referring to fig. 2, the user registration and data security storage stage specifically includes the following:
Step 1.1: the user end C inputs the password pw and the biological sample bt, selects a random number R, calculates R=H 1(pw)r, and then sends the user identity identifier ID and R to the key server KS together;
Step 1.2: after receiving the identity identifiers ID and R sent by the user C, the key server KS calculates s id=H2 (msk, ID) and And sending W id as a message to the client C;
Step 1.3: the user C calculates the related key of the password by using W id Generating a bio-related key (bk, tpl) = KEYTPLGEN (BT) using the bio-sample bt, then obtaining an encrypted bio-template etpl =enc (pk, tpl) for the bio-template tpl using the password-related key pk, and transmitting the encrypted bio-template etpl to the key server KS; the user side C also calculates α id||ekid||skid=H4 (bk, pk) by using the password related key pk and the biometric related key bk together, encrypts the user data Msg by using ek id as an encryption key to obtain ciphertext ct=enc (ek id, msg), and calculates the verification code t=h 5(skid, etpl, ct by using sk id. Then, the user terminal C uses the identity ID and the user authentication credentials alpha id to register on the cloud storage server CS, and after the registration is successful, the ciphertext verification code pair (ct, t) is stored at the cloud storage server CS;
Step 1.4: after receiving the encrypted biometric template etpl, the key server KS stores the user identification ID in the previous message together with it as LK id = (ID, etpl) into the list LK;
step 1.5: the cloud storage server CS first runs its built-in login registration program to obtain login verification credentials β id=AuthReg(ID,αid), and then stores the message tuples LC id=(id,bid, ct, t) into the list LC.
The generation of the bio-related key (bk, tpl) = KEYTPLGEN (BT) by using the biological sample bt in step 1.3 specifically includes the following steps:
Step 3.1: assuming that the biological sample bt has a length of 1920 bits, each bit thereof is changed into a symbol having a length of 11 bits by filling 0, and the obtained character string is recorded as
Step 3.2: randomly selecting a code rc from [1920,768,1153] 211 -RS code, and mixing it with the above character stringPerforming exclusive OR operation to obtain a message d;
Step 3.3: randomly selecting a 1024-bit random number k, calculating and outputting a biological related key Wherein, H () is a cryptographic hash function; then, a binary set tpl= (d, k) composed of the message d and the random number k is used as a biological template.
In the embodiment of the present invention, the secure retrieval stage of user data is shown in fig. 3, and specifically includes the following contents:
Step 2.1: the user end C inputs the password pw 'and the biological sample bt', selects a random number R, calculates R '=H 1(pw′)r, and then sends (ID, R') to the key server KS;
step 2.2: after receiving (ID, R '), key server KS calculates s' id=H2 (msk, ID) and Finding out the encrypted bio-templates etpl from the list, and then sending (W' id, etpl) as a message to the client C;
Step 2.3: after receiving W' id, user C first calculates relevant key of password Etpl is decrypted to recover the biological template tpl ' =dec (pk ', etpl), and the biological sample bt ' is used to recover the biological related key bk ' = KEYRELEASE (tpl ', bt '), and the password related key pk ' and the biological related key bk ' are used together to generate α ' id||ek′id||sk′id=H4 (bk ', pk '). Then, the user side C logs in the cloud storage server by using (ID, alpha' id);
Step 2.4: after receiving the Login request of the client C, the cloud storage server CS first uses the ID as an index to find the tuple LC id=(id,bid, ct, t from the server list LC, and then runs the Login verification program logic (ID, α idid) built therein. If α' id=αid, the login authentication procedure will output 1, otherwise the login authentication procedure outputs 0. Under the condition of logging in the verification program output 1, the cloud storage server CS sends a ciphertext verification code pair (ct, t) to the user side C;
Step 2.5: after receiving the ciphertext verification code pair (ct, t), the user terminal C first verifies whether the verification code is t correct by sk' id, and the adopted method is to verify whether the equation t=h 5(sk′id, etpl, ct is true. When the verification is passed, the message ciphertext ct is decrypted by using ek 'id to obtain plaintext data msg=dec (ek' id, ct).
Wherein, recovering the birth-related key bk ' = KEYRELEASE (tpl ', bt ') using tpl ' and the biological sample bt ' in step 2.3 is specifically:
Step 4.1: assuming that the biological sample bt' has a length of 1920 bits, each bit thereof is changed into a symbol having a length of 11 bits by filling 0, and the obtained character string is recorded as
Step 4.2: calculated by using biological template tpl' = (d, k)The string can be seen as RS codons containing error information. If the error bits in rc' are fewer than/>The original code rc can be recovered from the error correction mechanism of the RS error correction code;
step 4.3: recovery of a user's original biological sample using rc Then utilize/>And k calculates and outputs a biologically relevant key/>H () is a cryptographic hash function.
It is easy to find that the user can obtain correct sensitive data only by having the correct password and the biological sample, so that the double-factor high-safety protection of the user data is realized, the user only needs to memorize one password, the device for locally storing the biological template is not needed, and the high mobility is ensured. The key server is only used for storing the encrypted biological template, the encrypted biological template is generated by the password related key, the biological template information cannot be obtained under the condition that the key server cannot obtain the password of the user, the user sensitive data cannot be obtained, and the cloud storage server cannot obtain the user sensitive data under the condition that the key related to the password is not available, so that the safety of the user sensitive data is ensured. In addition, the cloud storage server does not need to support other cryptography operations except login authentication, and is suitable for most commercial cloud storage servers.

Claims (8)

1. A password and biometric authentication-based sensitive data cloud secure storage system, comprising: the key server is used for assisting the user side in changing the password of the user side into a password related key and storing an encrypted biological template for the user; the user end is used for providing passwords and biological samples; the cloud storage server is used for providing user login authentication service and data storage service for the user; upon user registration and data storage:
generating an encrypted password related key by using a long-term private key of a key server and an encrypted password of a user, and generating an encrypted biological related key and a biological template by using an encrypted biological sample;
Encrypting the biological template by using an encryption password related key to obtain an encrypted biological template, and storing the encrypted biological template in a key server;
and generating an encryption key of the user data and an authentication credential of the cloud storage server by utilizing the encryption password related key and the encryption biology related key, logging in and registering to the cloud storage server by utilizing the authentication credential of the cloud storage server, encrypting the user data by utilizing the encryption key, and storing the encrypted user data in the cloud storage server.
2. The sensitive data cloud security storage system based on password and biometric authentication according to claim 1, wherein the generating an encrypted password-related key by using the long-term private key of the key server and the encrypted password of the user side, and the generating an encrypted biometric-related key and a biometric template by using the encrypted biometric sample is specifically:
the user side calculates R=H 1(pw)r according to the encryption password pw of the user side, wherein R is a random number, and the user identity identifier ID and R are sent to a key server together;
after receiving the identity identifiers ID and R sent by the user, the key server calculates s id=H2 (msk, ID) and using the long-term private key msk And transmitting W id to the user terminal;
the user uses W id to calculate the relative key of encryption password Calculating (bk, tpl) = KEYTPLGEN (BT) using the encrypted biological sample bt, where bk represents the encrypted biological correlation key, tpl represents the biological template;
Wherein, H 1()、H2 () and H 3 () are both cryptographic hash functions, and KEYTPLGEN () is a biological key generation function.
3. The password and biometric authentication-based sensitive data cloud secure storage system of claim 2, wherein the calculation of (bk, tpl) = KEYTPLGEN (BT) using encrypted biometric samples is specifically:
Assuming that the length of the encrypted biological sample bt is 1920 bits, each bit in the encrypted biological sample bt is changed into a symbol with 11 bits by filling 0, and the obtained character string is recorded as
From the slaveRandomly selecting a codon rc in the code, and combining the codon rc with a character string/>Performing exclusive OR operation to obtain a message d;
Randomly selecting a 1024-bit random number k, and calculating an encrypted biometric key by using the random number k and the character string bt Wherein, H () is a cryptographic hash function; then, a binary set tpl= (d, k) composed of the message d and the random number k is used as a biological template.
4. The sensitive data cloud security storage system based on password and biometric authentication according to claim 1, wherein the encryption key and the authentication credential of the cloud storage server are generated by using the encryption password related key and the encryption biometric related key together, login registration is performed to the cloud storage server by using the login credential of the cloud storage server, the user data is encrypted by using the encryption key, and the encrypted user data is stored in the cloud storage server, specifically:
The user side calculates alpha id||ekid||skid=H4 (bk, pk) by using an encryption password related key pk and an encryption biological related key bk, wherein alpha id is a user authentication certificate, ek id is an encryption key of user data, sk id is verification data, encryption of plaintext data Msg of the user is carried out by using an encryption key ek id of the user data to obtain secret ct=enc (ek id, msg), and verification code t=h 5(skid, etpl, ct) is calculated by using the verification data sk id, the encrypted biological template etpl and the ciphertext ct;
The user logs in and registers to the cloud storage server by using the user identity identifier ID and the user authentication credential a id;
After successful registration, the user side stores the ciphertext verification code pair (ct, t) in the cloud storage server;
Where H 4 () and H 5 () are cryptographic hash functions and Enc () is a symmetric encryption algorithm function.
5. The password and biometric authentication-based sensitive data cloud secure storage system of claim 1, wherein upon data retrieval:
Generating a decryption password related key by using a long-term private key of a key server and a decryption password of a user side, retrieving an encrypted biological template from the key server, obtaining the biological template through decryption, and recovering a decryption biological related key by using the biological template and a decryption biological sample;
Generating a decryption key of the user data and an authentication credential of the cloud storage server by using the decryption password-related key and the decryption biometric-related key, and retrieving the encrypted user data from the cloud storage server by using the authentication credential;
and decrypting the encrypted user data by using the decryption key to obtain the original data.
6. The sensitive data cloud security storage system based on password and biometric authentication according to claim 5, wherein the generating a decryption password related key by using the long-term private key of the key server and the decryption password of the user side, retrieving the encrypted biometric template from the key server, obtaining the biometric template through decryption, and recovering the decrypted biometric related key by using the biometric template and the decrypted biometric sample is specifically:
The user side calculates R ' =H 1(pw′)r according to the decryption password pw ' of the user side, wherein R is a random number, and the user identity identifier ID and R ' are sent to the key server together;
After receiving the identity identifiers ID and R 'sent by the user, the key server calculates s' id=H2 (msk, ID) and (ID) using the long-term private key msk Finding out an encrypted biological template etpl, and sending the W' id and the encrypted biological template etpl to a user side;
The user uses W' id to calculate the relative key of decryption password Decrypting the encrypted biological template etpl with the decryption password related key pk ' to obtain a biological template tpl ', and recovering a decryption biological related key bk ' = KEYRELEASE (tpl ', bt ') by using the biological template tpl ' and the decrypted biological sample bt ';
Wherein, H 1()、H2 () and H 3 () are both cryptographic hash functions, and KEYRELEASE () is a related key recovery function.
7. The password and biometric authentication-based sensitive data cloud secure storage system of claim 6, wherein the recovering of the decrypted biometric related key bk ' = KEYRELEASE (tpl ', bt ') using the biometric template tpl ' and the decrypted biometric sample bt ' is specifically:
assuming that the length of the decrypted biological sample bt 'is 1920 bits, each bit in the decrypted biological sample bt' is changed into a symbol with 11 bits by filling 0, and the obtained character string is recorded as
Using message d and character string in biological template tplBy/>Calculating a code rc ', and recovering the code rc' into the code rc by using an RS code error correction mechanism;
Recovering an encrypted biological sample of a user using code rc Using encrypted biological samples/>And a random number k to calculate a decryption bio-related key/>H () is a cryptographic hash function.
8. The sensitive data cloud security storage system based on password and biometric authentication of claim 5, wherein the generating of the decryption key for the user data, the authentication credentials of the cloud storage server using the decryption password-related key and the decryption biometric-related key, and the retrieving of the encrypted user data from the cloud storage server using the authentication credentials is specifically:
The user side generates alpha ' id||ek′id||sk′id=H4 (bk ', pk ') by using a decryption password related key pk ' and a decryption organism related key bk ', wherein alpha ' id is a user authentication credential, ek ' id is a decryption key of user data, sk ' id is verification data, and the cloud storage server is logged in by using an identity identifier ID and the user authentication credential alpha ' id;
The cloud storage server searches the verification tuple by taking the identity identifier ID as an index, verifies through a login program, and sends a ciphertext verification code pair (ct, t) to the user side after verification is passed, wherein ct is ciphertext, and t is a verification code;
The user side verifies the verification code t through the verification data sk 'id, and after the verification is passed, the ciphertext ct is decrypted by utilizing the decryption key ek' id of the user data to obtain plaintext data Msg of the user.
CN202310246940.8A 2023-03-15 2023-03-15 Sensitive data cloud secure storage system based on password and biological authentication Pending CN117938414A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310246940.8A CN117938414A (en) 2023-03-15 2023-03-15 Sensitive data cloud secure storage system based on password and biological authentication

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202310246940.8A CN117938414A (en) 2023-03-15 2023-03-15 Sensitive data cloud secure storage system based on password and biological authentication

Publications (1)

Publication Number Publication Date
CN117938414A true CN117938414A (en) 2024-04-26

Family

ID=90756233

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202310246940.8A Pending CN117938414A (en) 2023-03-15 2023-03-15 Sensitive data cloud secure storage system based on password and biological authentication

Country Status (1)

Country Link
CN (1) CN117938414A (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101098232A (en) * 2007-07-12 2008-01-02 兰州大学 Dynamic password and multiple biological characteristics combined identification authenticating method
CN102017509A (en) * 2008-05-15 2011-04-13 高通股份有限公司 Identity based symmetric cryptosystem using secure biometric model
KR20120122181A (en) * 2011-04-28 2012-11-07 한신대학교 산학협력단 User authentication method and system using biometric one-time password
CN103124269A (en) * 2013-03-05 2013-05-29 桂林电子科技大学 Bidirectional identity authentication method based on dynamic password and biologic features under cloud environment
CN109462608A (en) * 2018-12-19 2019-03-12 杭州安恒信息技术股份有限公司 Data encryption processing method, apparatus and system

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101098232A (en) * 2007-07-12 2008-01-02 兰州大学 Dynamic password and multiple biological characteristics combined identification authenticating method
CN102017509A (en) * 2008-05-15 2011-04-13 高通股份有限公司 Identity based symmetric cryptosystem using secure biometric model
KR20120122181A (en) * 2011-04-28 2012-11-07 한신대학교 산학협력단 User authentication method and system using biometric one-time password
CN103124269A (en) * 2013-03-05 2013-05-29 桂林电子科技大学 Bidirectional identity authentication method based on dynamic password and biologic features under cloud environment
CN109462608A (en) * 2018-12-19 2019-03-12 杭州安恒信息技术股份有限公司 Data encryption processing method, apparatus and system

Similar Documents

Publication Publication Date Title
US6959394B1 (en) Splitting knowledge of a password
US8719952B1 (en) Systems and methods using passwords for secure storage of private keys on mobile devices
US7739733B2 (en) Storing digital secrets in a vault
JP4885853B2 (en) Renewable and private biometrics
US6678821B1 (en) Method and system for restricting access to the private key of a user in a public key infrastructure
EP1043862B1 (en) Generation of repeatable cryptographic key based on varying parameters
JP5451785B2 (en) System and method for providing contactless authentication
US7111172B1 (en) System and methods for maintaining and distributing personal security devices
US7409543B1 (en) Method and apparatus for using a third party authentication server
WO2017164159A1 (en) 1:n biometric authentication, encryption, signature system
US20200259637A1 (en) Management and distribution of keys in distributed environments
JP2017073829A (en) Authenticating device and user
US12052243B2 (en) Personalized security system
US20160112413A1 (en) Method for controlling security of cloud storage
Hossain et al. ICAS: Two-factor identity-concealed authentication scheme for remote-servers
Al‐Saggaf Key binding biometrics‐based remote user authentication scheme using smart cards
CN115766098A (en) Personal health data sharing method based on block chain and proxy re-encryption
RU2698424C1 (en) Authorization control method
Yao et al. An inter-domain authentication scheme for pervasive computing environment
Liu et al. RETRACTED ARTICLE: Cloud enabled robust authenticated key agreement scheme for telecare medical information system
US20230155825A1 (en) Cryptographic device, system and method therof
CN117938414A (en) Sensitive data cloud secure storage system based on password and biological authentication
JPH09330298A (en) Password registering method, verifying method, password updating method, password registering system, verifying system and password updating system
CN113382067A (en) Novel personal health record scheme based on attribute encryption
JP2005100255A (en) Password-changing method

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination