KR20190077765A - Method of storing data using block-chain and Cloud System using thereof - Google Patents

Abstract

The present invention relates to a method for storing cloud data by using a block chain, and a cloud system therefor. The method comprises: a data collecting process which temporarily collects data or a log requested to be stored by a cloud service customer (CSC) terminal; a data encoding process which conducts encoding of data required to be encoded among the data; a block chain connecting process which transmits standby data or the encoded data by making a request for connection to the block chain when there are the standby data to be stored in the block chain and the encoded data; and a database storing process which stores the encoded data in a database of a client service provider (CSP). Therefore, the present invention can store data required for accident investigation by using the block chain when a security accident occurs in a cloud environment.

Description

[0001] The present invention relates to a method for storing data using a block chain and a cloud system,

The present invention relates to a method and a cloud system for storing data using a block chain. More particularly, the present invention relates to a method for storing data using a block chain for cloud forensic support, a cloud system for performing the method, and a data storage system including a block-chain network system.

In a cloud environment where many users use virtualized resources, it is difficult to know the actual stored location of data required for security incident investigation, and all the volatile data stored in the virtual instances that have already been used is destroyed. Therefore, Lt; / RTI >

Therefore, data in the cloud environment must be recorded before an accident occurs, and only the cloud service provider (CSP) can access and control all the environments in the cloud. Accordingly, there is a problem that the cloud service user (CSC: Client Service Customer) needs to store and store the data.

Therefore, a device for ensuring the integrity of the stored data is needed. In this patent, the block chain is used to ensure data integrity.

Korean Patent No. 10-1799343

It is an object of the present invention to provide a method for storing data using a block chain for cloud forensic support.

Another object of the present invention is to provide a method of enabling smooth security incident investigation by storing data necessary for an accident investigation in a cloud environment using a block chain.

A method for storing cloud data according to the present invention for solving the above-mentioned problems using a block chain includes a data collection process for temporarily collecting data requested by a cloud service user (CSC) ; A data encryption step of encrypting data requiring encryption among the data; A block chain connection process of transmitting the pending data and the encrypted data by making a connection request to a block chain when there is data waiting to be stored in the block chain and encrypted data; And a database storing process for storing the encrypted data in a database of a CSP (Client Service Provider). In case of a security incident in a cloud environment, data necessary for an accident investigation can be stored using a block chain.

In one embodiment, after the block chain connection, when the encrypted data and the hash data are transmitted, the hash data is stored in the hash block as a hash block, and the encrypted data is stored in the data node as a data block And a block generation process.

In one embodiment, after the block chain connection process, a hash value is obtained by using the hash function of the transmitted encrypted data, and it is checked whether the hash is modulated by comparing with the transmitted hash data, And an integrity management process for allowing the management server to perform the management.

In one embodiment, the method may further include a node management process for identifying the number of authorized nodes and the node type in the CSP to join the block chain after the block chain connection process.

In one embodiment, after the block chain connection process, a branch due to a temporary network error occurs when the block is created, or a procedure of summing blocks generation is prevented from falling into a deadlock state so that the block can be continuously generated And a fault tolerance management process for managing the fault tolerance.

In one embodiment, the data encryption process selects an algorithm based on a Service Level Agreement (SLA) associated with the encryption, a Cost, and a Time, And CSP-based hashing data obtained by hashing the encrypted data. Meanwhile, the block generating process includes an ID checking process for determining whether a block is allowed based on a CSP ID requested by a block-chain system (BS). A hashing data acquiring step of acquiring BS-based hashing data by performing BS-based hashing on the encrypted data; A hash table generation step of generating a hash table by comparing the CSP-based hash data with the BS-based hash data; And a hash block / data block generation process of generating the hash block and the data block based on the hash table.

In an exemplary embodiment, the integrity management process may include: searching a block having the same index in the hash node and the data node, comparing the hash value of the hash block with the resultant value obtained by hashing the data stored in the data block, 1 comparison process; And a second comparing step of comparing the hash value stored in the hash block with a hash value of data stored in the CSP environment when the result values match. At this time, if the comparison values in the first comparison process and the second comparison process are all the same, it is determined that the integrity is not violated and the data stored in the data block can be used as evidence data in the event of a security incident.

According to another aspect of the present invention, there is provided a cloud system for storing cloud data using a block chain, comprising: a data collector for temporarily collecting data and logs requested by a cloud service user (CSC) terminal; A data encryption management unit for encrypting data requiring encryption among the data; A block chain connection management unit for making a connection request to a block chain and transmitting the pending data and the encrypted data when there is data waiting to be stored in the block chain and encrypted data; And a database management unit for storing the encrypted data in a database of a CSP (Client Service Provider).

In one embodiment, the block-chain connection management unit transmits the encrypted data and the hash data to a block-chain network, the hash data is stored as a hash block in the hash node, As shown in FIG.

In one embodiment, the data encryption manager selects an algorithm based on a Service Level Agreement (SLA) associated with the encryption, a Cost, and a Time, And the CSP-based hashing data obtained by hashing the encrypted data is stored.

A block-chained network system for storing cloud data using a block chain according to another aspect of the present invention includes: a receiving unit for receiving encrypted data and hash data from a block chain connection management unit of a cloud service provider (CSP) The hash data is stored in the hash node as a hash block, and the encrypted data is stored in the data node as a data block; And a step of obtaining the hash value of the received encrypted data through the hash function and then comparing the received hash data with the received hash data to check whether the hash is modulated and causing the block generator to generate the hash block and the data block Integrity management unit.

In one embodiment, the node management unit may further include a node management unit for identifying the number of permitted nodes and the node type among the CSPs to join the block chain.

In one embodiment, a Fault Tolerance (Fault Tolerance) scheme is provided that manages to allow the block to continue to be generated by preventing a branch due to a temporary network error when the block is created, ) Management section.

In one embodiment, the encrypted data received from the block-chain connection manager is encrypted according to a selected algorithm based on a Service Level Agreement (SLA), Cost, and Time associated with the encryption. Encrypted encrypted data; And CSP-based hashing data obtained by hashing the encrypted data. Meanwhile, the block generator determines whether permission is granted based on the ID of the CSP requested to the block-chain system (BS), performs BS-based hashing on the encrypted data, Based hashing data and the BS-based hashing data to generate a hash table, and generates the hash block and the data block based on the hash table.

In one embodiment, the integrity management unit searches a block stored in the hash node and the data node at the same index, compares the hash value of the hash block with the resultant value obtained by hashing the data stored in the data block, And comparing the hash value stored in the hash block with a hash value of data stored in the CSP environment when the comparison result matches the hash value stored in the hash block, The data stored in the data block is utilized as evidence data at the time of a security incident.

According to another aspect of the present invention, there is provided a data storage system for storing cloud data using a block chain, comprising: temporarily collecting data and a log requested by a client service client (CSC) terminal for storage; A CSP (Client Service Provider) system for encrypting data requiring encryption; And a block chain control unit for receiving encrypted data and hash data from the block chain connection management unit of the CSP system and storing the hash data in a hash block as a hash block and storing the encrypted data in a data block as a data block Network system.

In one embodiment, the CSP system includes: a data collection unit for temporarily collecting data and logs requested by a cloud service user (CSC) terminal; A data encryption management unit for encrypting data requiring encryption among the data; A block chain connection management unit for making a connection request to a block chain and transmitting the pending data and the encrypted data when there is data waiting to be stored in the block chain and encrypted data; And a database management unit for storing the encrypted data in the database of the CSP system.

In one embodiment, the block-chain network system receives encrypted data and hash data from a block-chain connection management unit of the CSP system, the hash data is stored in a hash block in a hash node, A block generator for controlling the node to be stored as a data block; And a step of obtaining the hash value of the received encrypted data through the hash function and then comparing the received hash data with the received hash data to check whether the hash is modulated and causing the block generator to generate the hash block and the data block And an integrity management unit.

In one embodiment, the block-chain network system may further include a node manager for identifying the number of authorized nodes and the node type among the CSPs to participate in the block chain.

In one embodiment, the block-chain network system is configured to prevent a branch due to a temporary network error from occurring when the block is created, or to prevent the process of summing blocks from falling into a deadlock, And a fault tolerance managing unit for managing the fault tolerance.

 The data storing method and the encryption method according to the present invention are advantageous in that, when a security incident occurs in a cloud environment, data necessary for an accident investigation can be stored using a block chain.

In addition, the data storing method and the encryption method according to the present invention are advantageous in that a seamless security incident investigation method can be provided by storing the data using a block chain.

BRIEF DESCRIPTION OF THE DRAWINGS Figure 1 shows a block diagram of a block chain based cloud network system to ensure the integrity of data according to the present invention.
2 shows a detailed block diagram of a data storage system for performing data storage in accordance with the present invention.
3 shows a flow chart of a method for storing cloud data according to the present invention using a block chain.
FIG. 4 is a flowchart illustrating a data storage and encryption process and a block generation process according to an exemplary embodiment of the present invention.
FIG. 5 shows a detailed flowchart of a data integrity verification (or management) process according to another embodiment of the present invention.
FIG. 6 is a graph showing a time when blocks are generated according to the RSA encryption method according to the present invention.
FIG. 7 is a graph illustrating a measurement time of blocks generated and propagated according to an increase in nodes participating in the system proposed by the present invention.
8 is a graph illustrating performance comparison between the conventional data storage method and the data storage method proposed in the present invention.

BRIEF DESCRIPTION OF THE DRAWINGS The above and other features and advantages of the present invention will become more apparent from the following detailed description of the present invention when taken in conjunction with the accompanying drawings, It will be possible. The present invention is capable of various modifications and various forms, and specific embodiments are illustrated in the drawings and described in detail in the text. It is to be understood, however, that the invention is not intended to be limited to the particular forms disclosed, but on the contrary, is intended to cover all modifications, equivalents, and alternatives falling within the spirit and scope of the invention. The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the invention.

Like reference numerals are used for similar elements in describing each drawing.

The terms first, second, etc. may be used to describe various components, but the components should not be limited by the terms. The terms are used only for the purpose of distinguishing one component from another.

For example, without departing from the scope of the present invention, the first component may be referred to as a second component, and similarly, the second component may also be referred to as a first component. The term "and / or" includes any combination of a plurality of related listed items or any of a plurality of related listed items.

Unless otherwise defined, all terms used herein, including technical or scientific terms, have the same meaning as commonly understood by one of ordinary skill in the art to which this invention belongs.

Terms such as those defined in commonly used dictionaries are to be interpreted as having a meaning consistent with the contextual meaning of the related art and are to be interpreted as either ideal or overly formal in the sense of the present application Should not.

The suffix "module "," block ", and "part" for components used in the following description are given or mixed in consideration of ease of specification only and do not have their own distinct meanings or roles .

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS Hereinafter, preferred embodiments of the present invention will be described with reference to the accompanying drawings. DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS In the following description of the present invention, detailed description of known functions and configurations incorporated herein will be omitted when it may make the subject matter of the present invention rather unclear.

Hereinafter, a method for storing data according to the present invention using a block chain and a cloud system will be described. In this regard, Figure 1 shows a block diagram of a block chain based cloud network system that ensures the integrity of data according to the present invention. 2 is a detailed block diagram of a data storage system for performing data storage according to the present invention. 1 and 2, a data storage system 1000 (or a network system 1000) according to the present invention includes a client service client (CSC) terminal 100, a cloud system 200, And a block-chain network system 300. Here, the cloud system 200 may be referred to as a cloud service provider (CSP) system 200. In addition, the CSP system 200 may include a plurality of CSPs. For example, each CSP such as CSP to CSP E may include a database (DB) and a blockchain node.

On the other hand, some or all of the block-chain network system 300 may be implemented in the cloud system 200, or some or all of them may be implemented in a separate system. Meanwhile, a block chain node may include a plurality of hash nodes and a plurality of data nodes.

Meanwhile, in the proposed network system 1000, a cloud service provider (CSP) 200 directly collects data generated in a cloud environment and uses a block chain to additionally guarantee data integrity. In a single cloud service provider environment, even if data is stored using a block chain, there is a possibility that the cloud service provider (CSP) 200 may newly record the stored data and replace the new block. Accordingly, a plurality of cloud service providers (CSPs) 200 participate in a block-chain network, and data generated in each environment is stored in the same block chain. The proposed system is assumed to be a permissible block chain.

Participation in the network can only be performed by a trusted and authenticated CSP 200. Unlike the unauthorized block chain, it is possible to increase the processing speed because there is no need to perform a "mining" operation as a trust verification operation. Therefore, in this system, when the block is generated, only consensus is agreed to generate the block. If you use the same method to exploit this system, you will have to use the additional resources of the cloud environment, so the burden of the cloud environment that follows the pay-as-you-go policy will be borne by the CSC. Also, since all the data generated in the cloud environment of the CSP 200 is stored by all the CSPs 200 participating in the block-chain network, this may lead to a problem of degradation of processing performance.

Therefore, the proposed network system 1000 has a hash node storing only the hash value in order to increase the storage speed of the log, and a data node storing all the data so as to confirm the data modulation for the cloud security incident, . The hashed data is sent to the hash node to form a block, and the original data is sent to the data node to generate the block. In order to solve this problem, an appropriate index value is added to prevent the table from being tangled.

Table 1 shows identifiers and descriptions of the components of the network system 1000 according to the present invention.

Identifier Description Index Number of block Previous_hash Hash value of previous block Timestamp The time when block was created   CSP_id Identifier of the CSP User_id Identifier of the CSC Hashtree_root Root value of hashtree Data Data to store in the block

Table 1 shows the structure of each component block as described above. In the case of a hash node, a tree composed of hash values is stored in a data field. In the case of a data node, a binary tree composed of encrypted data to be described later is stored in the data field.

Referring to FIG. 1, each component of the data storage system 1000 storing cloud data according to the present invention using a block chain will be described in detail. In this regard, Figure 2 shows a detailed block diagram of a data storage system for performing data storage in accordance with the present invention.

The cloud service provider (CSP) system 200 is configured to temporarily collect data and logs requested by the cloud service user (CSC) terminal and perform encryption of data requiring encryption. The CSP system 200 includes a data collection unit 210, a data encryption management unit 220, a block chain connection management unit 230, and a database management unit 240. Here, the database management unit 240 may be referred to as a forensic database management unit 240.

The data collecting unit 210 is configured to temporarily collect data and logs requested by the cloud service user (CSC) terminal. In addition, the data encryption management unit 220 is configured to perform encryption of data requiring encryption. The block-chain connection management unit 230 is configured to transmit the pending data and the encrypted data by making a connection request to the block chain when there is pending data and encrypted data to be stored in the block chain. At this time, the encrypted data received from the block chain connection management unit is encrypted according to the algorithm selected based on the service level agreement (SLA), cost, and time associated with the encryption. ; And CSP-based hashing data obtained by hashing the encrypted data. Also, the database management unit 240 is configured to store the encrypted data in the database of the CSP system 200.

The block-chain network system 300 receives encrypted data and hash data from the block-chain connection management unit 230 of the CSP system 200. The hash data is stored as a hash block in the hash node, And controls the data node to be stored as a data block.

The block chain network system 300 includes a block generator 310, an integrity manager 320, a node manager 330, and a fault tolerance manager 340.

The block generator 310 receives the encrypted data and the hash data from the block chain connection manager 230 of the CSP system 200 and stores the hash data in a hash block in the hash node, Data block. In addition, the block generator 310 determines whether permission is granted based on the ID of the CSP requested to the block-chain system (BS), performs BS-based hashing on the encrypted data, Based hashing data. The block generator 310 may generate a hash table by comparing the CSP-based hashing data with the BS-based hashing data, and may generate the hash block and the data block based on the hash table.

In addition, the integrity management unit 320 obtains the hash value of the received encrypted data through the hash function, and checks whether the hash is modulated by comparing the received hash value with the received hash data, And to generate the data block. In addition, the integrity management unit 320 searches the hash node and the data node for blocks stored in the same index, and compares the hash value of the hash block with the resultant value obtained by hashing the data stored in the data block. Also, the integrity management unit 320 compares the hash value stored in the hash block with the hash value of the data stored in the CSP environment when the result values match. The integrity management unit 320 determines that integrity is not inconsistent if all the compared values in the first comparison process and the second comparison process are identical, and stores the data stored in the data block as evidence data Can be utilized.

In addition, the node management unit 330 is configured to identify the number of authorized nodes and the node type among the CSPs 200 to participate in the block chain. At this time, the node type may include information on the DB type, the type of stored contents, and the encryption type, as well as the permission status, thereby determining the integrity management method and the block generation method. In addition, the defect tolerance managing unit 340 is configured to prevent a branch due to a temporary network error when a block is generated, or to prevent a merging procedure of a block generation from being put into a deadlock state so that the block can be continuously generated .

A method of storing cloud data according to another aspect of the present invention using a block chain will now be described. In this regard, FIG. 3 shows a flowchart of a method for storing cloud data according to the present invention using a block chain. As shown in FIG. 3, the data storage method includes a data collection process S100, a data encryption process S200, a block chain connection process S300, and a database storage process S400.

In this regard, in the data collection process (S100), the cloud service user (CSC) terminal temporarily collects the data and log requested to be stored. Also, in the data encryption process (S200), encryption of data requiring encryption is performed. In addition, in the block chain connection process (S300), if there is data waiting to be stored in the block chain and encrypted data, a connection request is sent to the block chain to transmit the pending data and the encrypted data. Also, in the database storing process (S400), the encrypted data is stored in the database of the cloud service provider (CSP).

After the block chain connection process (S300), the node management process (S500), the integrity management process (S600), the block generation process (S700), and the fault tolerance management process (S800) . Meanwhile, the order of steps S500 to S800 described above is merely an example, and the order of the steps S500 to S800 may be changed according to an application, or only a part of the steps may be performed.

In the node management process (S500), the number of permitted nodes and the node type among the CSPs to participate in the block chain are identified. In addition, in the integrity management process S600, the hash value is obtained from the transmitted encrypted data through the hash function, and then the hash value is compared with the transmitted hash data to check whether or not modulation is performed. do. If the encrypted data and the hash data are transmitted in the block creation process (S700), the hash data is stored in the hash block as a hash block, and the encrypted data is stored in the data node as a data block. In addition, in the defect tolerance management process (S800), it is possible to prevent a branch due to a temporary network error when a block is generated, prevent a merging procedure of a block generation from being put into a deadlock state, do.

The data storage method based on the above-described data storage system 1000 and its constituent parts will now be described in more detail.

- Data storage process

When the CSC 100 using the cloud service provided by the CSP 200 generates data defining that recording is necessary for security incident investigation, the CSP 200 records the data in the block-chain network. Data stored in the cloud environment before being stored in the block-chain network 300 may include data that is difficult to disclose such as the operation policy of the CSP 200 and personal information.

Accordingly, the proposed data storage system 1000 first performs encryption of data that needs to be stored. After performing the encryption, the data will generate a hash value through a hash function. The hashed data is moved to a hash node to generate a block, and the encrypted original data is stored in a data node. The hash function and the encryption algorithm to be used are decided through the service level agreement (SLA) between the CSC and the CSP in consideration of the time and the cost, and then the final decision is made through consultation between the participating CSPs .

In this regard, FIG. 4 shows a detailed flowchart of the data storage and encryption process and the block generation process according to an embodiment of the present invention. Meanwhile, the definition of the notation used in the flowchart of FIG. 4 is shown in Table 2.

Notation Description D _x Data in X Width _x Encrypted in X environments H _x Hashed in X environments BS Blockchain System Collect Collection Store _x Storing the data in X environments Check Checking Object Comp Compare with Create Create new block HB Hash block DB Data block Pub Publish new block

3 and 4, in the data encryption process (S200), an algorithm is selected based on a service level agreement (SLA), a cost, and a time associated with encryption, And stores CSP-based hashing data obtained by hashing the encrypted data and the encrypted data. Next, the block generation process S700 includes an ID verification process S710, a hashing data acquisition process S720, a hashing data comparison process S730, a hash table generation process S740, and a hash block / data block generation process S750 ).

In this regard, in the ID check process (S710), it is determined whether the permission is permitted based on the ID of the CSP requested to the block-chain system (BS). Further, in the hashing data acquisition process (S720), BS-based hashing is performed on the encrypted data to obtain BS-based hashing data. In addition, in the hashing data comparison step S730, the hash table may be generated in the hash table generation step S740 by comparing the CSP-based hash data with the BS based hash data. In the hash block / data block generation process (S750), a hash block and a data block may be generated based on the hash table.

Next, an integrity verification process of the collected data according to another embodiment of the present invention will be described.

- The process of verifying the integrity of collected data

In this regard, if the security incident occurs and data stored in the proposed system is needed, the integrity verification procedure is as shown in FIG. That is, FIG. 5 shows a detailed flowchart of a data integrity verification (or management) process according to another embodiment of the present invention. In this regard, the definition of each notation for the flowchart in FIG. 5 is shown in Table 3.

Notation Description Index _x Index of X's data Search _x Searching data in X environments HB Hash block DB Data block D _x Data in X Comp Compare two values

Referring to FIGS. 3 and 5, the integrity management process S600 includes a block search process S610, a first comparison process S620, and a second comparison process S630. That is, in the block search process (S610), the block having the same index is searched for the hash node and the data node. In the first comparison process (S620), the hash value of the hash block is compared with the result value obtained by hashing the data stored in the data block. In the second comparison process (S630), when the result values match, the hash value stored in the hash block is compared with a hash value of data stored in the CSP environment. Accordingly, if the comparison values in the first comparison process and the second comparison process are all the same, it is determined that the integrity is not violated, and the data stored in the data block can be used as evidence data at the time of a security incident.

Next, the more detailed operation and the detailed function of each of the above-mentioned respective components of each block in FIG. 2 will be described below. The details of the functions are largely divided into four functions of the cloud service provider side and a block chain side. The details of the functions of the cloud service provider (CSC) system 200 include a data collector 210, a data encryption manager 220, a blockchain connection manager 230, A database management unit (Forensic Database Manager, 240) exists.

- Data Collector: Collects the data and logs requested by the cloud service user temporarily. At this time, an appropriate tool can be used depending on the kind of data to be collected. (eg, snort for network packet data)

- Data Encryption Manager: The proposed system may be unable to store sensitive data such as personal information because many cloud service providers use the same block chain to browse the contents of the block. Therefore, data that requires encryption performs encryption through the corresponding function.

- Blockchain Connection Manager: When there is data waiting to be stored in the block chain / encrypted data, it makes connection request to the block chain to transmit data.

- Fornesic Database Manager: The ability to store encrypted data within a cloud service provider. The data must be stored and archived in a manner that ensures integrity.

The detailed operation and detailed functions of the block-chain network system 300 are performed by a block builder 310, an integrity manager 320, a node manager 330 and a fault tolerance manager Tolerance, 340).

Block Builder: If the encrypted data and the hash value of the data are transmitted together, the hash data is stored in the hash node and the encrypted data is stored in the new block in the data node.

- Integrity Manager: It is the function to manage the integrity of data. After the hash value is obtained through the hash function of the received data before the data is stored in the block, the hash value is compared with the transmitted hash value, and the block builder is allowed to generate the block after confirming that the data has not been modulated. In addition, if data is required, the integrity of the data in the Hash node and the data node is verified against the data stored in the Forensic Database Manager of the cloud service provider.

- Node Manager: Determine the number of nodes of the cloud service provider participating in the block chain. Because only authorized cloud service providers are able to use the system, they do not have a Proof of Work (PoW) and do only consensus building blocks. .

- Fault Tolerance Manager: This block prevents the branching due to temporary network error when the block is created, prevents the agreement process of block generation from falling into deadlock, and keeps the blocks from accumulating.

In the foregoing, a method of storing data according to the present invention using a block chain and a cloud system have been described. More specifically, we have discussed a method for storing data using a block chain for cloud forensic support, a cloud system for performing the method, and a data storage system including a block-chain network system. It is needless to say that the above-described contents in the data storing method, the data storing system, the cloud system, and the block-chain network system can be used in combination with each other. Hereinafter, a performance evaluation result of the network system proposed in the present invention will be described.

- Performance evaluation of proposed system

To evaluate the performance of the system, we can measure the time at which blocks are generated by putting the data into blocks. In the case of cryptographic closed - bit coin using block - chaining technique, the compensation received for the generation of the block can be used only after 100 blocks. It can be determined that the integrity of the data stored in the block is guaranteed. Therefore, in this study, it is also possible to measure the time taken to generate 100 blocks after the data is stored in the block.

Since the data stored in the block is stored in a complete binary tree format, if the number of data is not a multiple of 2, the tree can be filled with an empty value. Therefore, the number of data stored per block can be experimented with a multiple of 2.

The type of data used in the experiment is a 15-byte log, which can generate a hash tree after performing encryption according to the number of RSA encrypted bits. In this paper, we propose two performance evaluation methods for the storage and propagation in the block.

FIG. 6 is a graph showing a time when blocks are generated according to the RSA encryption method according to the present invention. Compared to the case where data is propagated to a block using only a hash function without performing encryption, the execution time is influenced by the encryption method. RSA is a public key-based encryption method that takes a long time to perform the exponential operation, which means that in addition to the problem of slow execution time, additional resources are used in the cloud environment. Therefore, it is important for the CSC to select the degree of security required in consultation with the CSP.

Meanwhile, FIG. 7 is a graph illustrating the measurement of the time that blocks are generated and propagated according to an increase in nodes participating in the system proposed by the present invention. In the experiment shown in Fig. 5, the number of transactions is 8192, and the experiment can be performed with a maximum of 7 nodes. As in the previous experiment, it is possible to measure the time when RSA encryption is performed and the time when encryption is not performed. In this regard, it can be seen that as the number of nodes increases, the time to propagate the block to all nodes increases, but the amount of additional time to propagate gradually decreases as the number of nodes increases. Therefore, it can be seen that the proposed system does not significantly degrade the performance even if the number of nodes participating in the block-chain network increases.

Next, FIG. 8 is a graph illustrating performance comparison between the conventional data storage method and the data storage method proposed in the present invention. For cloud forensics, you can compare performance against crypto-accumulator, which encrypts and stores data for comparison with existing data storage methods. It is based on RSA-2048 encryption. Therefore, as the performance of the proposed system compared with the data insertion time, it is shown that the proposed system increases the size of the data transaction at one time by about 25% at 16384 ~ 65536 It can be confirmed that data processing is possible.

Accordingly, a method of storing data according to the present invention using a block chain, and a cloud system and performance have been described. Such data storage methods and systems can be utilized in all areas where data integrity is required in a cloud environment. In addition, it can be used in areas where data integrity must be ensured without a distributed environment or an organization that guarantees reliability.

On the other hand, in relation to the block chain-based research, a block-chain-based service is being studied to satisfy various requirements according to current business and job types. Thus, in connection with the expected effect of the present invention, the present system will be used as a methodology or guideline to ensure the integrity of various large data such as the cloud environment.

As for the prospect of the commercialization of this technology, commercialization can be actively performed if a related policy that cloud service providers must provide in service form in order to identify the range of damage of security incident in the viewpoint of cloud users.

The data storing method and the encryption method according to the present invention are advantageous in that, when a security incident occurs in a cloud environment, data necessary for an accident investigation can be stored using a block chain.

In addition, the data storing method and the encryption method according to the present invention are advantageous in that a seamless security incident investigation method can be provided by storing the data using a block chain.

According to a software implementation, not only the procedures and functions described herein, but also each component may be implemented as a separate software module. Each of the software modules may perform one or more of the functions and operations described herein. Software code can be implemented in a software application written in a suitable programming language. The software code is stored in a memory and can be executed by a controller or a processor.

Claims (20)

A method for storing cloud data using a block chain,
A data collecting step of temporarily collecting data and a log requested by a client service client (CSC) terminal;
A data encryption step of encrypting data requiring encryption among the data;
A block chain connection process of transmitting the pending data and the encrypted data by making a connection request to a block chain when there is data waiting to be stored in the block chain and encrypted data; And
And storing the encrypted data in a database of a CSP (Client Service Provider). The method according to claim 1,
After the block chain connection process,
Wherein the hash data is stored in the hash block as a hash block when the encrypted data and the hash data are transmitted and the encrypted data is stored as a data block in the data node. How to save. 3. The method of claim 2,
After the block chain connection process,
And an integrity management process for obtaining the hash value of the transmitted encrypted data through a hash function and then checking whether the hash is modulated by comparing the hash value with the transmitted hash data to perform the block generation process And storing the data. The method of claim 3,
After the block chain connection process,
Further comprising a node management step of identifying the number of authorized nodes and the node type in the CSP to join the block chain. 5. The method of claim 4,
After the block chain connection process,
A fault tolerance management process is performed in which a branch due to a temporary network error occurs when the block is generated or a fault management process is performed to prevent the process of summing up a block from being put into a deadlock state, And storing the data. 3. The method of claim 2,
The data encryption process selects an algorithm based on a service level agreement (SLA), a cost, and a time associated with the encryption, encrypts the encrypted data according to the algorithm, And CSP-based hashing data obtained by hashing the encrypted data,
The block generation process includes:
An ID checking step of determining whether or not a permission is granted based on the ID of the CSP requested to the block-chain system (BS);
A hashing data acquiring step of acquiring BS-based hashing data by performing BS-based hashing on the encrypted data;
A hash table generation step of generating a hash table by comparing the CSP-based hash data with the BS-based hash data; And
And a hash block / data block generating step of generating the hash block and the data block based on the hash table. The method according to claim 6,
The integrity management process includes:
A first comparing step of retrieving a block stored in the hash node and the data node at the same index and comparing the hash value of the hash block with the resultant value obtained by hashing the data stored in the data block; And
And comparing the hash value stored in the hash block with a hash value of data stored in the CSP environment when the result values match,
Wherein if the comparison values in the first comparison process and the second comparison process are all the same, the data stored in the data block is utilized as evidence data in the event of a security event, How to save. 1. A cloud system for storing cloud data using a block chain,
A data collecting unit for temporarily collecting data and a log requested by a client service client (CSC) terminal;
A data encryption management unit for encrypting data requiring encryption among the data;
A block chain connection management unit for making a connection request to a block chain and transmitting the pending data and the encrypted data when there is data waiting to be stored in the block chain and encrypted data; And
And a database management unit for storing the encrypted data in a database of a CSP (Client Service Provider). 9. The method of claim 8,
Wherein the block chain connection management unit comprises:
Wherein the hash data is stored in the hash block as a hash block and the encrypted data is stored in the data node as a data block. . 9. The method of claim 8,
The data encryption /
Selecting an algorithm based on a service level agreement (SLA), a cost and a time associated with the encryption, encrypting the encrypted data according to the algorithm, Lt; RTI ID = 0.0 > CSP-based hashed data. ≪ / RTI > 1. A block-chain network system for storing cloud data using a block chain,
The hash data is stored in the hash block as a hash block, and the encrypted data is stored as a data block in the data node. A block generating unit for generating a control signal for controlling the storage unit; And
A hash value is obtained from the received encrypted data through a hash function and then the hash value is compared with the received hash data to check whether or not the data has been tampered with and the integrity of the hash block and the data block (Integrity) management unit. 12. The method of claim 11,
Further comprising a node management unit for identifying the number of authorized nodes and the node type in the CSP to join the block chain. 13. The method of claim 12,
Further includes a fault tolerance management unit for managing the block to be continuously generated by preventing a branch due to a temporary network error when the block is generated or preventing a procedure for the summing of blocks from falling into a deadlock state Block chain network system. 12. The method of claim 11,
Wherein the encrypted data received from the block chain connection management unit comprises:
Encrypted data encrypted according to an algorithm selected based on Service Level Agreement (SLA), Cost, and Time associated with the encryption; And
And CSP-based hashing data obtained by hashing the encrypted data,
Wherein the block generator comprises:
Determines whether permission is granted based on the ID of the CSP requested by the block-chain system (BS)
Performing BS based hashing on the encrypted data to obtain BS based hashing data,
Based hashing data and the BS-based hashing data to generate a hash table,
And generates the hash block and the data block based on the hash table. 15. The method of claim 14,
Wherein the integrity management unit comprises:
Searching a block stored in the hash node and the data node at the same index, comparing the hash value of the hash block with the resultant value obtained by hashing the data stored in the data block,
And comparing the hash value stored in the hash block with a hash value of data stored in the CSP environment when the result values match,
Wherein if the comparison results in the first comparison process and the second comparison process are all the same, the data stored in the data block is utilized as evidence data at the time of a security incident, Chain network system. CLAIMS 1. A data storage system for storing cloud data using a block chain,
A cloud service provider (CSP) system for temporarily collecting data and logs requested by a CSC (Terminal Service Client) terminal and encrypting data requiring encryption among the data; And
The hash data is stored as a hash block in the hash node, and the encrypted data is stored in the data node as a data block. The block chain network management unit receives the encrypted data and the hash data from the block chain connection management unit of the CSP system, Data storage system. 17. The method of claim 16,
In the CSP system,
A data collecting unit for temporarily collecting data and a log requested by a client service client (CSC) terminal;
A data encryption management unit for encrypting data requiring encryption among the data;
A block chain connection management unit for making a connection request to a block chain and transmitting the pending data and the encrypted data when there is data waiting to be stored in the block chain and encrypted data; And
And a database management unit for storing the encrypted data in the database of the CSP system. 17. The method of claim 16,
The block-chain network system comprises:
The hash data is stored in the hash block as a hash block, and the encrypted data is stored in the data node as a data block. The block generation unit receives the encrypted data and the hash data from the block chain connection management unit of the CSP system, ; And
A hash value is obtained from the received encrypted data through a hash function and then the hash value is compared with the received hash data to check whether or not the data has been tampered with and the integrity of the hash block and the data block (Integrity) management unit. 19. The method of claim 18,
The block-chain network system comprises:
Further comprising: a node manager for identifying the number of authorized nodes and the node type in the CSP to join the block chain. 20. The method of claim 19,
The block-chain network system comprises:
Further includes a fault tolerance management unit for managing the block to be continuously generated by preventing a branch due to a temporary network error when the block is generated or preventing a procedure for the summing of blocks from falling into a deadlock state Data storage system.

Images