KR20170081506A - Apparatus and method for data storage using partial data encryption - Google Patents


Info

Publication number
KR20170081506A
Authority
KR
South Korea
Prior art keywords
document file
encryption
metadata
encrypted
data storage
Prior art date
Application number
KR1020160000625A
Other languages
Korean (ko)
Inventor
이상수
윤택영
장구영
조남수
Original Assignee
한국전자통신연구원
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 한국전자통신연구원 filed Critical 한국전자통신연구원
Priority to KR1020160000625A priority Critical patent/KR20170081506A/en
Publication of KR20170081506A publication Critical patent/KR20170081506A/en


Classifications

    • G - PHYSICS
    • G06 - COMPUTING; CALCULATING OR COUNTING
    • G06F - ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 - Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 - Protecting data
    • G06F21/62 - Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6209 - Protecting access to data via a platform, e.g. using keys or access control rules to a single file or object, e.g. in a secure envelope, encrypted and accessed using a key, or with access control rules appended to the object itself
    • G - PHYSICS
    • G06 - COMPUTING; CALCULATING OR COUNTING
    • G06F - ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 - Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 - Protecting data
    • G06F21/602 - Providing cryptographic facilities or services
    • G - PHYSICS
    • G06 - COMPUTING; CALCULATING OR COUNTING
    • G06F - ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 - Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/70 - Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
    • G06F21/78 - Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure storage of data
    • H - ELECTRICITY
    • H04 - ELECTRIC COMMUNICATION TECHNIQUE
    • H04L - TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 - Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/06 - Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
    • H04L9/0618 - Block ciphers, i.e. encrypting groups of characters of a plain text message using fixed encryption transformation


Abstract

Upon receiving the document file to be stored from the user device, the data storage device encrypts only the encryption target included in the encryption target list in the document file, and then stores the encrypted document file.

Description

APPARATUS AND METHOD FOR DATA STORAGE USING PARTIAL DATA ENCRYPTION

The present invention relates to an apparatus and method for storing data using partial data encryption, and more particularly, to a data storage apparatus and method using partial data encryption based on format-preserving encryption.

Data encryption is a commonly used technology for protecting the privacy of data authors, or the confidentiality of the data itself, in devices and services that store digital data. However, the degradation of storage and service performance caused by encryption and decryption has always been pointed out as a problem. In particular, when retrieving a specific keyword or piece of information from encrypted data stored in a database, the entire data block must be decrypted in order to find the desired data, which consumes a large amount of computing power. When a widely used encryption algorithm is applied to small amounts of personal data, the performance degradation due to encryption and decryption can be neglected, but it is recognized as a big problem in a large data management system.

Generally, block encryption algorithms such as DES or AES are used for database encryption. That is, if eA is the data block (or file) generated by applying a block encryption algorithm such as DES or AES to a data block (or file) A, it is common practice to store eA in the memory of the database or in an external storage device such as a hard disk, and, when the original is read, to decrypt A from eA using the same key that was used for encryption. In this case, if the length of the original text data does not match the length of the data block processed by the algorithm, the length of the generated ciphertext differs from the length of the original text. That is, in DES, 8 bytes of ciphertext are always generated for plaintext data of 1 byte or more and 8 bytes or less. For AES-128, 16 bytes of ciphertext are always generated for plaintext data of 1 byte or more and 16 bytes or less.

In recent years, format-preserving encryption, which generates a ciphertext of the same length and from the same character set as the original text, has been proposed and has attracted a lot of interest. With format-preserving encryption, if a 10-megabyte original file named A is encrypted, the encrypted file will be equal to or slightly larger than 10 megabytes. However, in the case of a text file, it is common that the entire contents of the file need not be encrypted. In other words, confidentiality can be sufficiently maintained even if only a specific word, or a part of a sentence at a specific position, is encrypted.

When all the contents of A are encrypted into eA, the computing power spent on encryption is one problem; in addition, the whole of eA must be decrypted in order to check some of the data in eA, or even to check data not related to confidentiality. Furthermore, because the length varies during encryption and decryption, the storage location in the storage device may change continuously, and input/output (I/O) may be delayed.

A problem to be solved by the present invention is to provide a data storage apparatus and method using partial data encryption that can reduce the time required for encryption and decryption and minimize the input/output time required for accessing a storage system.

According to one embodiment of the present invention, a method of storing data in a data storage device is provided. The data storing method includes receiving a document file to be stored from the user apparatus, performing encryption only on the encryption target included in the encryption target list in the document file, and storing the encrypted document file.

Performing the encryption may include performing format-preserving encryption on the encryption target.

Performing the encryption may include receiving the encryption target list from the administrator device through the metadata management device.

The step of performing the encryption may further include generating metadata including the location and length of the encrypted objects, and transmitting the metadata to the metadata management apparatus.

The data storing method may further include receiving a document file request from the user device, decrypting only the encrypted encryption targets in the document file corresponding to the document file request, and transmitting the decrypted document file to the user device.

The decrypting may include transmitting the document file request to the administrator device; receiving, from the metadata management device, metadata associated with the approved document file when the document file request is approved by the administrator device; and decrypting only the encrypted encryption targets using the metadata associated with the approved document file.

According to another embodiment of the present invention, a data storage device for storing data is provided. The data storage device includes a memory, a processor, and a transceiver. For a document file that the user device has requested to store, the processor performs format-preserving encryption only on the encryption targets included in the encryption target list, stores the result in the memory, and generates metadata for the encrypted document file. The transceiver transmits the metadata to the metadata management device.

The metadata may include the name of the encryption algorithm and the encryption key used in the format-preserving encryption, and the position and length of the encryption targets encrypted with format-preserving encryption.

Upon receiving a request for the document file from the user device, the processor may decrypt only the encryption targets encrypted with format-preserving encryption into the original data, using metadata associated with the requested document file, and the transceiver may receive the metadata associated with the requested document file from the metadata management device.

The processor may store the document file requested to be stored by the user device in the memory, and then store the document file encrypted with format-preserving encryption in the same location.

According to the embodiment of the present invention, instead of encrypting the entire document file, only the necessary portions are encrypted, thereby reducing the time required for encryption and the time required for decryption when retrieving a document. In addition, the stored space can be overwritten with the ciphertext alone, thereby minimizing the input/output time required for file access.

FIG. 1 is a diagram illustrating a data processing system in accordance with an embodiment of the present invention.
FIG. 2 is a diagram illustrating an example of metadata according to an embodiment of the present invention.
FIG. 3 is a diagram illustrating an encryption process of a data storage device according to an embodiment of the present invention.
FIG. 4 is a diagram illustrating a decryption process of a data storage device according to an embodiment of the present invention.
FIG. 5 is a flowchart illustrating a method of storing data in a data storage device according to an embodiment of the present invention.
FIG. 6 is a diagram illustrating a data storage device according to an embodiment of the present invention.

Hereinafter, embodiments of the present invention will be described in detail with reference to the accompanying drawings so that those skilled in the art can easily carry out the present invention. The present invention may, however, be embodied in many different forms and should not be construed as limited to the embodiments set forth herein. In order to clearly illustrate the present invention, parts not related to the description are omitted, and similar parts are denoted by like reference characters throughout the specification.

Throughout the specification and claims, when a part is referred to as "including" an element, this means that it may further include other elements rather than excluding them, unless specifically stated otherwise.

Hereinafter, an apparatus and method for storing data using partial data encryption according to an embodiment of the present invention will be described in detail with reference to the drawings.

FIG. 1 is a diagram illustrating a data processing system in accordance with an embodiment of the present invention.

Referring to FIG. 1, a data processing system includes a user device 100, an administrator device 200, a data storage device 300, and a metadata management device 400.

The user device 100 is a terminal device owned by a user and provides a connection with the data storage device 300. The user device 100 stores a document file in the data storage device 300, and requests and receives the document file stored in the data storage device 300.

The administrator device 200 is a terminal device owned by an administrator and provides a connection with the data storage device 300 and the metadata management device 400. The administrator device 200 delivers the encryption target list, which lists the words or phrases to be encrypted, and the encryption key to the metadata management device 400. The administrator device 200 also stores and manages the encryption target list and the encryption key.

The data storage device 300 uses format-preserving encryption to encrypt only the words or sentences corresponding to encryption targets in the document file transmitted from the user device 100, and stores the resulting encrypted document file. The data storage device 300 generates metadata for the encrypted document file and transfers the metadata to the metadata management device 400. Format-preserving encryption is a technique that generates a ciphertext equal in length to the plaintext, unlike a general block cipher algorithm such as DES or AES. That is, with format-preserving encryption, one byte of ciphertext is generated for one byte of plaintext, and N bytes of ciphertext are generated for any N bytes of plaintext. For example, if 'HongGilDong' and 'Seoul' are encryption targets, the data storage device 300 applies format-preserving encryption to 'HongGilDong' and 'Seoul' respectively in the sentence "I will meet HongGilDong in Seoul Station at 7 PM." Ciphertexts 'cpxAdKmal' and 'zpAjl', having the same lengths as 'HongGilDong' and 'Seoul' respectively, can then be generated. The data storage device 300 records the text with these ciphertexts substituted in the storage device. Also, the data storage device 300 decrypts the encrypted document file when the user device 100 requests the document file, and transfers the decrypted document file to the user device 100.

The metadata management device 400 transfers the encryption target list, which lists the words or phrases to be encrypted, and the encryption key received from the administrator device 200 to the data storage device 300, and stores and manages the metadata of the document file. The metadata management device 400 manages the information about the user who requested storage of the document file and the corresponding file name together with the metadata. When a stored document file is requested, the metadata management device 400 searches for the corresponding metadata based on the requesting user's information and the document file name, and transmits the retrieved metadata to the data storage device 300.

FIG. 2 is a diagram illustrating an example of metadata according to an embodiment of the present invention.

Referring to FIG. 2, the metadata includes the algorithm name used for format-preserving encryption, additional information used for format-preserving encryption, key information used for format-preserving encryption, the original document file name, and the position and length of each encryption target.

The algorithm name used for format-preserving encryption indicates which of the various algorithms was used for encryption. The additional information used for format-preserving encryption is information indicating additional values, such as an initial vector (IV), that depend on the algorithm. The key information used for format-preserving encryption means the encryption key. The position of an encryption target may be expressed as the relative length from the beginning of the document file, as the relative length from the end of the document file, or in any manner agreed between the data storage device 300 and the metadata management device 400.

As mentioned earlier, if format-preserving encryption is applied to 'HongGilDong' and 'Seoul' in the sentence "I will meet HongGilDong in Seoul Station at 7 PM." and the ciphertexts 'cipherAdKmal' and 'zpAjl' are generated respectively, the entire ciphertext will appear as "I will meet Attachment in zpAjl Station at 7 PM." The position and length of the encryption targets in the associated metadata can then be expressed as "13:11, 28:5". In other words, "13:11, 28:5" indicates that, counting blank spaces, the 11 characters starting at the 13th position and the 5 characters starting at the 28th position of the entire text are ciphertext.
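The following Python sketch is an added example, not code from the patent: it encrypts only the listed targets in place, emits the position:length metadata ("13:11, 28:5") described above, and restores the original from that metadata. The patent names no algorithm, so the cipher here is an assumed HMAC-SHA256 Feistel construction over ASCII letters (not NIST FF1); the key handling, the per-position tweak and all function names are illustrative assumptions.

```python
import hashlib
import hmac
import re
import string

ALPHABET = string.ascii_letters   # assumed character set of encryption targets
RADIX = len(ALPHABET)
ROUNDS = 10


def _num(s):
    """Interpret s as a base-RADIX integer (ValueError on foreign characters)."""
    n = 0
    for ch in s:
        n = n * RADIX + ALPHABET.index(ch)
    return n


def _str(n, length):
    """Inverse of _num: render n as exactly `length` alphabet characters."""
    out = []
    for _ in range(length):
        n, r = divmod(n, RADIX)
        out.append(ALPHABET[r])
    return "".join(reversed(out))


def _prf(key, tweak, rnd, total_len, half):
    """Round function: HMAC-SHA256 over round number, length, tweak and one half."""
    msg = bytes([rnd]) + total_len.to_bytes(4, "big") + tweak + b"|" + half.encode()
    return int.from_bytes(hmac.new(key, msg, hashlib.sha256).digest(), "big")


def fpe_encrypt(key, tweak, text):
    """Alternating Feistel network: output keeps the input's length and alphabet."""
    u = len(text) // 2
    v = len(text) - u
    a, b = text[:u], text[u:]
    for i in range(ROUNDS):
        m = u if i % 2 == 0 else v
        c = (_num(a) + _prf(key, tweak, i, len(text), b)) % RADIX ** m
        a, b = b, _str(c, m)
    return a + b


def fpe_decrypt(key, tweak, text):
    """Run the Feistel rounds backwards to recover the plaintext."""
    u = len(text) // 2
    v = len(text) - u
    a, b = text[:u], text[u:]
    for i in reversed(range(ROUNDS)):
        m = u if i % 2 == 0 else v
        c = (_num(b) - _prf(key, tweak, i, len(text), a)) % RADIX ** m
        a, b = _str(c, m), a
    return a + b


def _span_tweak(tweak, pos):
    # Assumption (not in the patent): bind each span to its position so that
    # the same word at two positions does not yield the same ciphertext.
    return tweak + pos.to_bytes(8, "big")


def encrypt_partial(doc, targets, key, tweak=b""):
    """Encrypt only listed targets; return (document, [(position, length), ...])."""
    words = sorted((t for t in targets if t), key=len, reverse=True)
    if not words:
        return doc, []
    pattern = re.compile("|".join(re.escape(w) for w in words))
    out, spans = list(doc), []
    for match in pattern.finditer(doc):        # non-overlapping, left to right
        pos, word = match.start() + 1, match.group()   # 1-based, as in "13:11"
        out[pos - 1:pos - 1 + len(word)] = fpe_encrypt(key, _span_tweak(tweak, pos), word)
        spans.append((pos, len(word)))
    return "".join(out), spans


def decrypt_partial(doc, spans, key, tweak=b""):
    """Decrypt only the spans named in the metadata; the rest is left untouched."""
    out = list(doc)
    for pos, length in spans:
        chunk = doc[pos - 1:pos - 1 + length]
        out[pos - 1:pos - 1 + length] = fpe_decrypt(key, _span_tweak(tweak, pos), chunk)
    return "".join(out)


def format_spans(spans):
    return ", ".join(f"{pos}:{length}" for pos, length in spans)


def parse_spans(text):
    return [tuple(int(x) for x in item.split(":")) for item in text.split(",") if item.strip()]


if __name__ == "__main__":
    key = bytes(range(32))                     # constructed sample key
    doc = "I will meet HongGilDong in Seoul Station at 7 PM."
    enc, spans = encrypt_partial(doc, ["HongGilDong", "Seoul"], key)
    print(enc)
    print(format_spans(spans))
    print(decrypt_partial(enc, spans, key))
```

Because the ciphertext has the same length as each target, every untouched byte of the file keeps its offset, which is what lets the stored file be overwritten in place and lets the metadata stay valid.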

FIG. 3 is a diagram illustrating an encryption process of a data storage device according to an embodiment of the present invention.

Referring to FIG. 3, the user device 100 transmits a document file to be stored to the data storage device 300 (S300).

The administrator device 200 transmits the encryption target list, which lists the words or phrases to be encrypted in the document file, and the encryption key to the metadata management device 400 (S310).

The metadata management apparatus 400 transmits the encryption target list and the encryption key to the data storage apparatus 300 (S320).

Upon receipt of the document file from the user device 100, the data storage device 300 checks whether the received document file contains any encryption target included in the encryption target list. If it does, the data storage device 300 performs format-preserving encryption on the encryption target and then records the document file encrypted with format-preserving encryption. No particular format-preserving encryption algorithm is specified here.

Alternatively, when the data storage device 300 receives the document file from the user device 100, it may first store the document file and then check whether the document file contains any encryption target included in the encryption target list. In this case, the data storage device 300 may perform format-preserving encryption on the encryption target, and then store the document file encrypted with format-preserving encryption in the position where the original document file is stored.

The data storage device 300 generates metadata for the encrypted document file, such as the position and length of the encryption targets encrypted with format-preserving encryption and the original document file name, and transmits the metadata to the metadata management device 400 (S330).

The metadata management device 400 assigns a name to the metadata and stores the metadata.

FIG. 4 is a diagram illustrating a decryption process of a data storage device according to an embodiment of the present invention.

Referring to FIG. 4, the user device 100 transmits a document file request to the data storage device 300 (S400). The document file request may include information such as user information and document file name.

When the data storage device 300 receives the document file request from the user device 100, the data storage device 300 transmits the document file request to the manager device 200 (S410).

The administrator device 200 examines the document file request, determines whether the user device 100 requesting the document file is a legitimate user, and transmits approval of the document file request to the metadata management device 400 (S420).

The metadata management device 400 searches for the metadata associated with the approved document file by using the user information and the document file name included in the document file request, and transmits the metadata associated with the approved document file to the data storage device 300 (S430).

Using the metadata received from the metadata management device 400, the data storage device 300 decrypts the encryption targets encrypted with format-preserving encryption in the document file requested by the user device 100 into the original data.

The data storage device 300 transmits the decrypted document file to the user device 100 (S440).

As described above, the data storage device 300 according to the embodiment of the present invention does not encrypt the entire original document file but partially encrypts only the encryption targets included in the encryption target list in the original document file, thereby reducing the time required for encryption and decryption.

In addition, the partial encryption and decryption according to the embodiment of the present invention may be performed by a device other than the data storage device 300. The partial encryption and decryption may be performed by the administrator device 200, and various interworking methods between the data storage device 300 and the metadata management device 400 may be used.

FIG. 5 is a flowchart illustrating a method of storing data in a data storage device according to an embodiment of the present invention.

Referring to FIG. 5, the data storage device 300 receives a document file to be stored from the user device 100 (S500), and stores the document file (S510).

The data storage device 300 checks whether there is an encryption target included in the encryption target list in the stored document file (S520).

If there is an encryption target included in the encryption target list in the document file, the data storage device 300 performs format-preserving encryption only on the encryption target (S530), and stores the document file encrypted with format-preserving encryption in the position where the document file was stored (S540).

Meanwhile, the data storage device 300 may omit the step S510 of storing the document file and perform the steps S520 and S530. In this case, the data storage device 300 can designate a location for the document file encrypted with format-preserving encryption and store it in the designated location.

The data storage device 300 generates metadata for the encrypted document file, such as the position and length of the encryption targets encrypted with format-preserving encryption and the original document file name (S550), and transmits the metadata to the metadata management device 400 (S560).

FIG. 6 is a diagram illustrating a data storage device according to an embodiment of the present invention.

Referring to FIG. 6, the data storage device 300 includes a processor 310, a transceiver 320, and a memory 330.

The processor 310 performs format-preserving encryption on the encryption targets included in the encryption target list for the document file requested to be stored by the user device 100, stores the result in the memory 330, and generates metadata for the encrypted document file, such as the original document file name. The processor 310 also decrypts the encryption targets encrypted with format-preserving encryption in the document file requested by the user device 100 into the original data.

The transceiver 320 provides an interface with the user device 100, the administrator device 200, and the metadata management device 400. The transceiver 320 sends and receives information related to data storage to and from the user device 100, the administrator device 200, and the metadata management device 400. The transceiver 320 may store the metadata of the encrypted document file in the metadata management device 400 and may receive the encryption target list and the encryption key from the metadata management device 400. The transceiver 320 may send and receive document files to and from the user device 100 and may transmit the document file requests of the user device 100 to the administrator device 200.

The memory 330 stores the document file encrypted with format-preserving encryption. The memory 330 stores instructions to be executed by the processor 310, or temporarily holds instructions loaded from a storage device (not shown), and the processor 310 performs the operations described with reference to FIGS. 1 to 5 by executing the instructions stored in or loaded into the memory 330.

The processor 310 and the memory 330 are connected to each other via a bus (not shown), and an input/output interface (not shown) may be connected to the bus. The transceiver 320 is connected to the input/output interface, and peripheral devices such as an input device, a display, a speaker, and a storage device may also be connected.

The embodiments of the present invention are not limited to the above-described apparatuses and/or methods, but may be implemented through a program for realizing functions corresponding to the configuration of the embodiment of the present invention, or through a recording medium on which the program is recorded. Such an embodiment can be readily implemented by those skilled in the art from the description of the embodiments above.

While the present invention has been particularly shown and described with reference to exemplary embodiments thereof, it is to be understood that the invention is not limited to the disclosed exemplary embodiments, It belongs to the scope of right.

Claims (10)

1. A method of storing data in a data storage device, the method comprising:
receiving a document file to be stored from a user device;
performing encryption only on an encryption target included in an encryption target list in the document file; and
storing the encrypted document file.

2. The method of claim 1,
wherein performing the encryption comprises performing format-preserving encryption on the encryption target.

3. The method of claim 1,
wherein performing the encryption comprises receiving the encryption target list from an administrator device through a metadata management device.

4. The method of claim 1,
wherein performing the encryption comprises:
generating metadata including the position and length of the encrypted encryption targets; and
transmitting the metadata to a metadata management device.

5. The method of claim 4, further comprising:
receiving a document file request from the user device;
decrypting only the encrypted encryption target in the document file corresponding to the document file request; and
transmitting the decrypted document file to the user device.

6. The method of claim 5,
wherein the decrypting comprises:
sending the document file request to an administrator device;
receiving, from the metadata management device, metadata associated with the approved document file when the document file request is approved by the administrator device; and
decrypting only the encrypted encryption target using the metadata associated with the approved document file.

7. A data storage device for storing data, comprising:
a memory;
a processor that performs format-preserving encryption only on the encryption targets included in an encryption target list for a document file requested to be stored by a user device, stores the result in the memory, and generates metadata for the encrypted document file; and
a transceiver that transmits the metadata to a metadata management device.

8. The data storage device of claim 7,
wherein the metadata includes the encryption algorithm name and the encryption key used in the format-preserving encryption, and the position and length of the encryption targets encrypted with format-preserving encryption.

9. The data storage device of claim 7,
wherein the processor, upon receiving a request for the document file from the user device, decrypts only the encryption targets encrypted with format-preserving encryption into original data using metadata associated with the requested document file, and
wherein the transceiver receives the metadata associated with the requested document file from the metadata management device.

10. The data storage device of claim 7,
wherein the processor stores the document file requested to be stored by the user device in the memory and then stores the document file encrypted with format-preserving encryption in the same location.

Priority Applications (1)

Application Number Priority Date Filing Date Title
KR1020160000625A KR20170081506A (en) 2016-01-04 2016-01-04 Apparatus and method for data storage using partial data encryption


Publications (1)

Publication Number Publication Date
KR20170081506A true KR20170081506A (en) 2017-07-12
