KR102620855B1 - Dynamic update method for encrypted contents in cloud environment and cloud server - Google Patents

Abstract

The disclosed technology relates to a dynamic update method of encrypted content in a cloud environment and a cloud server, comprising: dividing input content into a plurality of blocks by the cloud server; The cloud server generating a plurality of link information connecting adjacent blocks among the plurality of blocks; Encrypting, by the cloud server, each of the plurality of blocks using data included in the block and a portion of link information on both sides connected to the block; And when the cloud server receives an update request for some of the blocks among the plurality of blocks, updating only some of the blocks using the updated partial blocks and link information connecting the partial blocks. Includes.

Description

Dynamic update method of encrypted content in a cloud environment and cloud server {DYNAMIC UPDATE METHOD FOR ENCRYPTED CONTENTS IN CLOUD ENVIRONMENT AND CLOUD SERVER}

The disclosed technology relates to a method of updating content in an encrypted state in a cloud environment and a cloud server that dynamically updates encrypted documents.

Cloud service is a technology that provides various additional services by allowing users to store data in remote storage and use it anywhere. Since COVID-19, as face-to-face activities have been converted to non-face-to-face methods, the demand for technologies suitable for the new environment is increasing, and cloud is one of these demands.

These cloud services are technologies specialized for non-face-to-face environments, enabling data sharing and collaboration between physically separated users. However, as convenient as it is, there are inevitably issues with data security, and much research has been conducted to date on the security of cloud-based services. For safe collaboration, many cloud services encrypt data using a secret key shared only between internal users, and when data is updated, decrypt it, update it, and then encrypt it again. However, this method had the problem of excessively increasing server load in a cloud environment where multiple users worked on documents simultaneously.

Korean Patent No. 10-1979267

The disclosed technology provides a method and a cloud server for dynamically updating encrypted content in a cloud environment without decrypting it.

The first aspect of the technology disclosed to achieve the above technical problem is the step of dividing the input content into a plurality of blocks by the cloud server, and the cloud server providing a plurality of link information connecting adjacent blocks among the plurality of blocks. A step of generating, the cloud server encrypting each of the plurality of blocks using some of the data included in the block and both link information connected to the block, and the cloud server encrypting some of the plurality of blocks It provides a dynamic update method of an encrypted document, including the step of updating only some of the blocks using the updated partial blocks and link information connecting the partial blocks when receiving an update request for the blocks. .

The second aspect of the technology disclosed to achieve the above technical problem is a storage device for storing content, a communication device for receiving an update request for the content, dividing the content into a plurality of blocks, and dividing the content into a plurality of blocks. Generating a plurality of link information connecting adjacent blocks and storing each of the plurality of blocks in the storage device in an encrypted state using data included in the block and some of the link information on both sides connected to the block, The aim is to provide a cloud server that dynamically updates an encrypted document, including some blocks that are updated according to an update request and a processor that updates only some of the blocks using link information connecting the partial blocks.

Embodiments of the disclosed technology may have effects including the following advantages. However, since this does not mean that the embodiments of the disclosed technology must include all of them, the scope of rights of the disclosed technology should not be understood as being limited thereby.

A method for dynamically updating encrypted content in a cloud environment and a cloud server according to an embodiment of the disclosed technology are effective in preventing data exposure by updating data in an encrypted state.

In addition, since dynamic updates are performed in an encrypted state, it has the effect of reducing server load compared to conventional technologies that perform frequent decryption.

In addition, block-level encryption has the effect of preventing the plaintext from being discovered even if data is leaked.

Figure 1 is a diagram illustrating a process for dynamically updating an encrypted document in a cloud environment according to an embodiment of the disclosed technology.
Figure 2 is a flowchart of a method for dynamically updating encrypted content in a cloud environment according to an embodiment of the disclosed technology.
Figure 3 is a block diagram of a cloud server dynamically updating encrypted content in a cloud environment according to an embodiment of the disclosed technology.
Figure 4 is a diagram showing an example of modifying, deleting, and adding encrypted content.
Figure 5 is a diagram showing the steps of encrypting a plurality of blocks and link information.

Since the present invention can make various changes and have various embodiments, specific embodiments will be illustrated in the drawings and described in detail in the detailed description. However, this is not intended to limit the present invention to specific embodiments, and should be understood to include all changes, equivalents, and substitutes included in the spirit and technical scope of the present invention.

Terms such as first, second, A, B, etc. may be used to describe various components, but the components are not limited by the terms, and are only used for the purpose of distinguishing one component from other components. It is used only as For example, a first component may be referred to as a second component, and similarly, the second component may be referred to as a first component without departing from the scope of the present invention. The term and/or includes any of a plurality of related stated items or a combination of a plurality of related stated items.

As used herein, singular expressions should be understood to include plural expressions unless the context clearly dictates otherwise. And terms such as "include" mean the presence of implemented features, numbers, steps, operations, components, parts, or combinations thereof, but one or more other features, numbers, steps, operations, components, parts, etc. It should be understood that it does not exclude the existence or addition of combinations thereof.

Before providing a detailed description of the drawings, it would be clarified that the division of components in this specification is merely a division according to the main function each component is responsible for. That is, two or more components, which will be described below, may be combined into one component, or one component may be divided into two or more components for more detailed functions.

In addition to the main functions it is responsible for, each of the components described below may additionally perform some or all of the functions handled by other components, and some of the main functions handled by each component may be performed by other components. Of course, it can also be carried out exclusively by . Therefore, the presence or absence of each component described throughout this specification should be interpreted functionally.

Figure 1 is a diagram illustrating a process for dynamically updating an encrypted document in a cloud environment according to an embodiment of the disclosed technology. Referring to Figure 1, the cloud server can establish a cloud environment with multiple collaborator terminals. Multiple collaborators can use their respective terminals to transmit written data through a secure channel established with the cloud server. The cloud server can collect data transmitted from each collaborator's terminal as content and store it in storage. Here, content can be various types of data such as documents, images, and videos created by collaborators. The cloud server can then periodically or aperiodically update the content with data transmitted from each collaborator terminal. The cloud server stores content in an encrypted state to prevent data leakage when updating documents, and updates can be performed in an encrypted state.

Meanwhile, when updating stored content, the cloud server can dynamically update the content in an encrypted state. In one embodiment, when the cloud server receives an update request for content from one of a plurality of collaborator terminals, the update may be applied as is in the encrypted state without decrypting the encrypted content into plain text and updating it. For this operation, the cloud server can store the content encrypted in advance in blocks as shown below.

First, the cloud server can divide content into a plurality of blocks. Each block corresponds to content in the plain text state and can be divided into the same ratio as the plain text. For example, multiple lines within one paragraph can be divided into multiple blocks. The cloud server can divide plain text content of arbitrary length into blocks of fixed length, like the conventional DES and AES methods. The meaning of distinction here may itself be a kind of encryption process.

Meanwhile, when the cloud server divides a plurality of blocks, it creates a plurality of link information between each block. The cloud server may generate a plurality of link information connecting adjacent blocks among the plurality of blocks. Here, link information refers to information that stores part of the information included in the block in the previous sequence and part of the information included in the block in the next sequence overlappingly. For example, first link information connecting a specific block among a plurality of blocks with an adjacent block on one side of the corresponding block and second link information connecting a specific block with an adjacent block on the other side of the block may be generated. Link information can be used to check where in the content the document to be updated will be applied when updating encrypted content in real time. In other words, it is possible to check the location where the document to be updated will be applied based on some of the information stored in the link information without decoding the information divided into blocks and returning it to the plain text state.

Meanwhile, the cloud server can encrypt a plurality of blocks on a block basis using a plurality of link information. For example, the cloud server uses data included in a specific block among a plurality of blocks, half of the first link information close to a specific block, and half of the second link information close to a specific block. The block can be encrypted. By applying this process to each block, content can be encrypted into multiple block data.

Meanwhile, the cloud server can share the secret key with multiple collaborator terminals in advance. The secret key is used to access encrypted content and can be shared through a secure channel. The secret key is not only shared with a specific terminal, but can be shared with all terminals in the cloud environment through a secure channel.

Meanwhile, the cloud server may store the content in an encrypted state according to the above-described process and then receive an update request to update part of the content from one of the plurality of collaborator terminals. The update request can be transmitted by one of the plurality of collaborator terminals through a secure channel. In response to an update request, the cloud server can update only some blocks while maintaining the remaining blocks by using some of the blocks to be updated among the plurality of blocks and link information connecting some of the blocks. The cloud server can use a plurality of link information to check where a specific block corresponding to the data to be updated is located among the plurality of blocks. In other words, the cloud server can update the content based on the information stored in the link information without decoding the block into plain text. Since the cloud server encrypts the content in blocks, the link information contained in each encrypted block can be used to check which part of the content the collaborator will modify.

Meanwhile, the cloud server update process can be basically divided into modification, deletion, and addition. First, when modifying a specific block among a plurality of blocks, the cloud server can modify the data included in the specific block into data according to the update request. And, among the link information connected to the left of the modified specific block, half of the link information close to the modified specific block and half of the link information connected to the right of the modified specific block is close to the modified specific block. Information can be modified with data contained in the specific modified block. As explained earlier, the link information connected to both sides of a specific block stores part of the data included in the specific block redundantly, so when a specific block is modified, half of the modified data can be stored redundantly.

Meanwhile, when deleting a specific block among a plurality of blocks, the cloud server uses the link information of the half close to the specific block among the link information connected to the specific block and the left side of the specific block and the link information connected to the right side of the specific block. Among the link information, half of the link information close to a specific block can be deleted. In addition, the link information of the half farthest from the specific block among the link information connected to the left of a specific block and the link information of the half farthest from the specific block among the link information connected to the right of a specific block can be combined into one link information. You can. In other words, since the data of the specific block stored in both link information was deleted when the specific block was deleted, the remaining data stored in both link information can be combined and combined into one link information.

Meanwhile, when inserting a specific block between a plurality of blocks, the cloud server can generate data according to the update request as a specific block. Naturally, the specific block created is a new block that is not included in the existing plurality of blocks. The cloud server can insert the generated block into a specific location among the plurality of blocks. In this process, the cloud server separates the link information at the location where a specific block is inserted, and adds the data contained in the specific block to the link information on the left of the separated link information and the link information on the right among the separated link information. there is. As opposed to merging the remaining link information into one during the previous deletion process, newly added data can be stored in the link information. According to this process, the cloud server can dynamically update the content in its encrypted state without decoding it into plain text.

Figure 2 is a flowchart of a method for dynamically updating encrypted content in a cloud environment according to an embodiment of the disclosed technology. Referring to FIG. 2, the method for dynamically updating an encrypted document includes steps 210 to 240 and can be performed sequentially through a cloud server.

In step 210, the cloud server divides the content into a plurality of blocks. The cloud server can encode plain text content into a plurality of blocks to prevent the content from being exposed to the outside in its original form.

In step 220, the cloud server generates a plurality of link information connecting adjacent blocks among the plurality of blocks. Link information refers to information for connecting each block by dividing and storing part of the information contained in the block. For example, part of the information of the previous block and part of the information of the next block may be stored. The cloud server can divide content into a chain structure in which multiple blocks and link information are repeated.

In step 230, the cloud server encrypts each of the plurality of blocks in block units using data included in the block and some of the link information on both sides connected to the block. As explained with reference to FIG. 1, the blocks of a specific sequence and the duplicate values stored in the link information of the previous sequence and the link information of the next sequence can be encrypted together. The cloud server encrypts and stores the content in blocks according to steps 210 to 230.

In step 240, when the cloud server receives an update request for some of the blocks among the plurality of blocks, it uses link information connecting some of the blocks and some of the blocks to be updated to update only some of the blocks while keeping the remaining blocks as is. Update. The cloud server receives an update request to update part of the content from one of the plurality of collaborator terminals in the cloud environment. Step 240 corresponds to the step of updating content after steps 210 to 230. The update request received by the cloud server may be data to be reflected in the content. When the cloud server receives data to update content, it can modify, delete, or add some blocks. When a specific block is modified, deleted, or added, link information on both sides of the block can also be updated.

Figure 3 is a block diagram of a cloud server dynamically updating encrypted content in a cloud environment according to an embodiment of the disclosed technology. Referring to FIG. 3, the cloud server 300 includes a storage device 310, a communication device 320, and a processor 330. The cloud server 300 may be implemented as a device that can perform the role of a server in a cloud environment. For example, it may be a PC, tablet or smartphone.

The storage device 310 stores encrypted content through a processor. To apply to a cloud environment, the storage device can be implemented as storage provided in a space different from the location of each collaborator's terminal. The storage device may store only content for one cloud environment or separately store content for each of multiple cloud environments.

The communication device 320 receives an update request for content by communicating with one of the plurality of collaborator terminals. The communication device receives data according to the update request through a secure channel. The communication device 320 may be implemented as a communication module or modem of the dynamic update device 300 for encrypted documents. The communication device can receive documents by communicating with a plurality of collaborator terminals via wired or wireless Internet.

The processor 330 divides the content into a plurality of blocks, generates a plurality of link information connecting adjacent blocks among the plurality of blocks, and divides each of the plurality of blocks into data contained in the block and both sides connected to the block. Some of the link information is used and stored in an encrypted state on the storage device. Afterwards, when an update request is received through a communication device, only some blocks are updated using some of the blocks to be updated and link information connecting the partial blocks. The processor 330 may be a CPU or an AP of the device 300 for dynamically updating an encrypted document. The processor may dynamically update content stored in an encrypted state in the manner described with reference to FIGS. 1 and 2.

Meanwhile, the cloud server 300 described above may be implemented as a program (or application) including an executable algorithm that can be executed on a computer. The program may be stored and provided in a temporary or non-transitory computer readable medium.

A non-transitory readable medium refers to a medium that stores data semi-permanently and can be read by a device, rather than a medium that stores data for a short period of time, such as registers, caches, and memories. Specifically, the various applications or programs described above include CD, DVD, hard disk, Blu-ray disk, USB, memory card, ROM (read-only memory), PROM (programmable read only memory), and EPROM (Erasable PROM, EPROM). Alternatively, it may be stored and provided in a non-transitory readable medium such as EEPROM (Electrically EPROM) or flash memory.

Temporarily readable media include Static RAM (SRAM), Dynamic RAM (DRAM), Synchronous DRAM (SDRAM), Double Data Rate SDRAM (DDR SDRAM), and Enhanced SDRAM (Enhanced RAM). It refers to various types of RAM, such as SDRAM (ESDRAM), Synchronous DRAM (Synclink DRAM, SLDRAM), and Direct Rambus RAM (DRRAM).

Figure 4 is a diagram showing an example of modifying, deleting, and adding encrypted content. As shown in Figure 4, the cloud server can update content created by multiple collaborators in real time. The cloud server can modify, delete, and add content encrypted in blocks without decrypting it.

A in Figure 4 shows content converted into a chain form consisting of a plurality of blocks and link information. Each block is data divided into plain text by a certain length. In FIG. 4, data 1 to data 6 are shown as examples, but the number of blocks can be changed at any time. And link information is data that stores the information of the previous block and the next block in duplicate. Because the cloud server performs updates based on information stored in link information, the process of decoding blocks into plain text is omitted.

Meanwhile, B-1 in FIG. 4 shows modifying data 3 to data 7. When data 3 corresponding to the third block is modified to data 7, link 2 and link 3 connected to both sides of data 3 can be modified to link 6 and link 7, respectively. In other words, part of the information of data 3 stored in link 2 may be modified as part of data 7 and updated as link 6, and part of the information of data 3 stored in link 3 may be modified as part of data 7 and updated as link 7. .

Meanwhile, B-2 in FIG. 4 shows deleting data 4. When deleting Data 4 corresponding to the fourth block, some information of Data 4 stored in Link 7 and Link 4 connected to both sides of Data 4 may also be deleted. As Link 7 and Link 4 are deleted along with Data 4, Link 8 may be created between Data 7 and Data 5, storing some of the information of Data 7 and Data 5 in duplicate, respectively.

Meanwhile, B-3 in FIG. 4 shows adding data 8 between data 2 and data 7. As data 8 is added, link 9 can be created between data 2 and data 8, which partially stores the information of both blocks in duplicate, and link 10 can be created between data 8 and data 7, which partially stores the information of both blocks in duplicate. there is.

Figure 5 is a diagram showing the steps of encrypting a plurality of blocks and link information. According to the steps shown in FIG. 5, the cloud server can encrypt content in plain text. First, the plain text content is divided into a plurality of blocks (m1 to m6). The length or ratio of each block may be the same. And link information is created between blocks. Link information is a redundant value that stores part of the information of the previous block and the next block redundantly. For example, based on FIG. 5, link information r1 stores part of the information of blocks m1 and m2 in duplicate. For example, information corresponding to the right half of block m1 and information corresponding to the left half of block m2 may be stored in link information r1.

Meanwhile, the separated data can be expressed as Equation 1 below.

From here is plaintext This means distinguishing between means the left link information of the first block and the right link information of the last block. Only part of the information of the first block is stored in the link information on the left of the first block. Likewise, only part of the information of the last block is stored in the link information on the right side of the last block. Separated content The leftmost link information is sequentially Link information on the far right It includes a plurality of blocks and a plurality of link information in between.

Meanwhile, the block from Until ( is expressed as 1~6) to the encryption function By applying, it can be defined in the form of Equation 2 below.

That is, encrypted blocks is a separated block and The value stored redundantly on the right side of the left link information of and the value stored redundantly on the left side of the link information on the right side Includes.

As previously mentioned, in the example of Figure 5 Since is from 1 to 6, the first encrypted block and the last encrypted block can be expressed as Equation 3 below.

first encrypted block Is The value stored redundantly on the right side of the link information located on the first left side. and the value stored redundantly on the left among the link information located on the right. Includes. And the last encrypted block Is Among the link information located on the left, the value stored redundantly on the right and the value stored redundantly on the left side of the link information located at the end. Includes. Of course, the remaining blocks in between can also be encrypted in the same way. The cloud server can convert plain text content into an encrypted block state through this process.

The dynamic update method and cloud server of encrypted content in a cloud environment according to an embodiment of the disclosed technology have been described with reference to the embodiments shown in the drawings to aid understanding, but this is merely illustrative and is based on common knowledge in the field. Those who have will understand that various modifications and other equivalent embodiments are possible therefrom. Therefore, the true technical protection scope of the disclosed technology should be determined by the appended patent claims.

Claims (12)

A cloud server dividing input content into a plurality of blocks;
The cloud server generating a plurality of link information connecting adjacent blocks among the plurality of blocks;
Encrypting, by the cloud server, each of the plurality of blocks using data included in the block and some of the link information on both sides connected to the block; and
When the cloud server receives an update request for some of the blocks among the plurality of blocks, updating only some of the blocks using the updated partial blocks and link information connecting the partial blocks. However,
The corresponding block is connected to first link information connecting an adjacent block on one side of the corresponding block and second link information connecting an adjacent block on the other side of the corresponding block,
The cloud server uses the data included in the block, half of the first link information close to the block, and half of the second link information close to the block to link the block. A dynamic update method for encrypted encrypted documents. delete According to claim 1,
The link information is a dynamic update method of an encrypted document in which part of the data included in the adjacent blocks is stored redundantly. According to claim 1,
When modifying a specific block among the plurality of blocks, the cloud server modifies the data included in the specific block to data according to the update request, and selects the link information connected to the left of the modified specific block. Among the half link information close to the modified specific block and the link information connected to the right side of the modified specific block, the half link information close to the modified specific block is included in the modified specific block. A dynamic update method for encrypted documents that modify with data. According to claim 1,
When deleting a specific block among the plurality of blocks, the cloud server provides link information of the half close to the specific block among the link information connected to the specific block and the left side of the specific block and the specific block. Among the link information connected to the right of , half of the link information close to the specific block is deleted,
Among the link information connected to the left of the specific block, the link information of the half farthest from the specific block and the link information of the half farthest from the specific block among the link information connected to the right of the specific block are referred to as one link information. A dynamic update method for encrypted documents that combines with. According to claim 1,
When inserting a specific block between the plurality of blocks, the cloud server generates data according to the update request as the specific block, inserts it at a specific position among the plurality of blocks, and inserts the specific block. A dynamic update method of an encrypted document that separates link information at a given location and adds data included in the specific block to the link information on the left of the separated link information and the link information on the right of the separated link information. A storage device that stores content;
a communication device that receives an update request for the content; and
Divide the content into a plurality of blocks, generate a plurality of link information connecting adjacent blocks among the plurality of blocks, and link each of the plurality of blocks with data included in the block and link information on both sides connected to the block. A processor that stores some of the blocks in an encrypted state in the storage device and updates only some of the blocks using some of the blocks updated according to the update request and link information connecting the some of the blocks. However,
The corresponding block is connected to first link information connecting an adjacent block on one side of the corresponding block and second link information connecting an adjacent block on the other side of the corresponding block,
The processor encrypts the block using the data included in the block, half of the first link information that is close to the block, and half of the second link information that is close to the block. A cloud server that dynamically updates encrypted documents. delete According to claim 7,
The link information is a cloud server that dynamically updates an encrypted document that stores part of the data included in the adjacent blocks in duplicate. According to claim 7,
When modifying a specific block among the plurality of blocks, the processor modifies data included in the specific block into data according to the update request, and modifies the data included in the specific block among the link information connected to the left of the modified specific block. Data included in the modified specific block using half of the link information close to the modified specific block and link information connected to the right side of the modified specific block. A cloud server that dynamically updates encrypted documents that you modify. According to claim 7,
When the processor deletes a specific block among the plurality of blocks, the link information of the half close to the specific block among the link information connected to the specific block and the left side of the specific block and the link information of the specific block Among the link information connected to the right, half of the link information close to the specific block is deleted,
Among the link information connected to the left of the specific block, the link information of the half farthest from the specific block and the link information of the half farthest from the specific block among the link information connected to the right of the specific block are referred to as one link information. A cloud server that dynamically updates encrypted documents that combine into. According to claim 7,
When inserting a specific block between the plurality of blocks, the processor generates data according to the update request as the specific block and inserts it into a specific position among the plurality of blocks, and the specific block is inserted. A cloud that dynamically updates an encrypted document by separating the link information of the location and adding the data contained in the specific block to the link information on the left of the separated link information and the link information on the right of the separated link information. server.