TW201616831A - Cloud storage service method in keymap access mode - Google Patents

Info

Publication number
TW201616831A
Authority
TW
Taiwan
Prior art keywords
encryption
decryption
file
cloud storage
storage service
Prior art date
Application number
TW103136955A
Other languages
Chinese (zh)
Inventor
Tsung-Yi Lin
Hsiu-Fen Hsieh
Yen-Chung Chen
Tien-Hao Tsai
Jhen-Li Wang
Original Assignee
Chunghwa Telecom Co Ltd
Priority date
2014-10-27
Filing date
2014-10-27
Publication date
2016-05-01
Application filed by Chunghwa Telecom Co Ltd
Priority to TW103136955A
Priority to CN201510127865.9A
Publication of TW201616831A

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/02 Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
    • H04L67/025 Protocols based on web technology, e.g. hypertext transfer protocol [HTTP] for remote control or remote monitoring of applications
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0407 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the identity of one or more communicating identities is hidden
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/083 Network architectures or network communication protocols for network security for authentication of entities using passwords
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/50 Network services
    • H04L67/53 Network services using third party service providers

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Storage Device Security (AREA)

Abstract

The invention relates to the field of computer networks, and in particular to a cloud storage service method in keymap access mode that provides encryption and decryption functions and can effectively improve the security of stored data. The method comprises a public key infrastructure that includes an authentication center, and an encryption and decryption key management mechanism. The authentication center serves as the source of user identity authentication and of public keys, and can be provided by the server side, a third party, or the client. Encryption and decryption keys are managed by a key management server, which can likewise be provided by the server side, a third party, or the client.

Description

Keymap access mode cloud storage service with encryption and decryption functions

The present invention relates to a keymap access mode cloud storage service with encryption and decryption functions, which can effectively increase the security of stored data.

Earlier keymap access methods mostly did not take into account the risk of storing files in the cloud, nor whether files were encrypted when stored. As a result, files in the cloud were exposed to greater risk, and the needs of different users could not be met.

More recently, some storage services have addressed file encryption, but they offer no flexibility in the timing of encryption or in the management of encryption and decryption keys, and so cannot meet the needs of different users.

In view of the shortcomings of the conventional approaches described above, the inventors sought to improve and innovate on them and, after years of dedicated research, successfully developed this keymap access mode cloud storage service with encryption and decryption functions.

The object of the present invention is to provide a keymap access mode cloud storage service with encryption and decryption functions, composed of a cloud storage service, an authentication center, an encryption/decryption module, and a key management server. The cloud storage service exposes an application programming interface (API) through which users operate on and access data. The authentication center provides the mapping between a personal identity, its public key, and the keymap access mode cloud storage service. The encryption/decryption module encrypts and decrypts files and supports segmented processing, so that a specified part of a file can be downloaded or copied, and it processes the file encryption/decryption computation and the transmission of the keymap access mode cloud storage service in parallel. The key management server interfaces with the encryption/decryption module and manages the large number of keys the module needs when encrypting and decrypting files.

File encryption and decryption can be handled by the client or by the server. If handled by the server, the encryption/decryption module is located in the server's service providing layer, can interface with different databases and file system layers, and interfaces with an authentication center that manages user identity authentication and retains the pairing between each identity and its public key. The key management server is provided by the server side, a third party, or the client. The cloud storage service further comprises a service providing layer, which provides a RESTful API for clients to call; a file system layer, which is a distributed file system; and a database, which stores the information required by the service providing layer and the file system layer.

The service providing layer is divided into a RESTful API, a logic processing core, and a file storage interface layer. After the encryption/decryption module reads from the database the user request information obtained by the RESTful API, it encrypts the file and returns it to the file storage interface layer, which stores the encrypted file in the file system layer.

Compared with other conventional techniques, the keymap access mode cloud storage service with encryption and decryption functions provided by the present invention has the following advantages:

1. Files uploaded by users can be encrypted by the server before being stored, improving the security of cloud storage.

2. The key management server used for encryption and decryption can be provided by the server side, a third party, or the client.

3. By integrating a public key infrastructure, the service provides identity authentication and protects the transfer of encryption/decryption keys; the authentication center can be provided by the server side, a third party, or the client.

100‧‧‧Cloud storage service

101‧‧‧Authentication center

102‧‧‧Encryption/decryption module

103‧‧‧Key management server

201‧‧‧Personal identity and public key

202‧‧‧Secure channel

203, 304, 604‧‧‧User

301‧‧‧Decrypted file

302‧‧‧Key required for decryption

303‧‧‧Undecrypted file

401‧‧‧Encryption module

402‧‧‧Decryption module

403‧‧‧File segmentation processing module

404‧‧‧File information access module

405‧‧‧Key access module

406‧‧‧Meta-Data database

407‧‧‧Key management server

501‧‧‧Service providing layer

502, 603‧‧‧File storage layer

503, 601‧‧‧Database

602‧‧‧Encryption/decryption module

605‧‧‧Externally provided RESTful API

606‧‧‧Logic processing core

607‧‧‧File storage interface layer

S701~S703‧‧‧User registration flow and its relationship to each component

S801~S807‧‧‧Upload with server-side encryption and its relationship to each component

S901~S907‧‧‧Download with server-side decryption and its relationship to each component

S1001~S1009‧‧‧Download with client-side decryption and its relationship to each component

The technical content, purpose, and effects of the present invention can be further understood from the detailed description and the accompanying drawings. The drawings, all of which depict the keymap access mode cloud storage service with encryption and decryption functions of the present invention, are as follows:

FIG. 1 is a schematic diagram of the cloud storage service.

FIG. 2 is a schematic diagram of the relationship between the authentication center and the secure channel.

FIG. 3 is a schematic diagram of the encryption/decryption module and file transfer.

FIG. 4 is a schematic diagram of the encryption/decryption module.

FIG. 5 is a schematic diagram of an implementation of the cloud storage service.

FIG. 6 is a schematic diagram of the relationship between the service providing layer and the encryption/decryption module.

FIG. 7 is a diagram of registration and its relationship to each component.

FIG. 8 is a diagram of upload with server-side encryption and its relationship to each component.

FIG. 9 is a diagram of download with server-side decryption and its relationship to each component.

FIG. 10 is a diagram of download with client-side decryption and its relationship to each component.

To make the objects, technical solutions, and advantages of the present invention clearer, the invention is described in further detail below with reference to the drawings and embodiments. It should be understood that the specific embodiments described here serve only to explain the invention and are not intended to limit it.

The system provides file encryption and decryption for cloud storage services that use the keymap (key-value mapping) access mode, offering a highly secure way to store files. When a client uploads a file to the cloud storage space, the file can either be encrypted by the client and then uploaded to the server, or be uploaded first and then encrypted by the server. When a user downloads a file, the user does not need to tell the server whether the file needs to be decrypted; the system automatically determines whether the file held by the server has been encrypted from the record previously stored in the database.

The invention is further described below with reference to the drawings. FIG. 1 is a schematic diagram of the cloud storage service of the keymap access mode cloud storage service with encryption and decryption functions. The system consists mainly of four parts: the cloud storage service 100, the authentication center 101, the encryption/decryption module 102, and the key management server 103. The cloud storage service 100 exposes an application programming interface (API) through which users operate on and access data; the authentication center 101 provides the mapping between a personal identity and its public key; the encryption/decryption module 102 encrypts and decrypts files; and the key management server 103 manages the keys used for encryption and decryption.

FIG. 2 is a schematic diagram of the relationship between the authentication center and the secure channel. The system integrates a public key infrastructure (PKI), in which the authentication center (Certificate Authority, CA) 101 binds a user's personal identity to a public key 201. For each authentication center 101, a user's identity must be unique. The authentication center 101 can be used for system identity authentication and for obtaining users' public keys. The public key is used mainly to provide a secure channel 202 between the client and the server: the server can encrypt confidential data with the public key and send it to the client, and the client 203 then decrypts the confidential data with the private key it holds. In this system the authentication center can be provided by the server side, a third party, or the client.

FIG. 3 is a schematic diagram of the encryption/decryption module and file transfer. When a client downloads a file, it can either have the server decrypt the file before returning it, or download the file to the client and decrypt it there. If the server decrypts, the decrypted file 301 is provided by the server through the encryption/decryption module. If the client decrypts, the encryption/decryption module is located at the client 304, and the server must send the client the undecrypted file 303 together with the key 302 required for decryption; to protect the decryption key, it is sent over the secure channel. Of the undecrypted file 303 and the key 302 sent to the client, the key 302 is protected by encryption under the user's public key. Once the client has received the undecrypted file 303 and the key 302, it decrypts the file.

FIG. 4 is a schematic diagram of the encryption/decryption module, which is the main module that actually performs encryption and decryption on files in this system. It can be divided into five sub-modules: the encryption module 401, the decryption module 402, the file segmentation processing module 403, the file information access module 404, and the key access module 405. The encryption module 401, the decryption module 402, and the file segmentation processing module 403 handle the encryption and decryption logic, while the file information access module 404 and the key access module 405 interface with external information. The encryption module 401 encrypts files and the decryption module 402 decrypts them. The file segmentation processing module 403 supports downloading or copying a specified part of a file and can also process the encryption/decryption computation and the transmission in parallel. The file information access module 404 obtains file information such as whether decryption is needed: if the module is on the server, it can interface with the server-side Meta-Data (file description data) database 406 and read the earlier record; if the module is on the client, it can interface with the client-side Meta-Data database 406 and read the earlier record, or it can be specified whether the downloaded file is to be decrypted. The key access module 407 interfaces with the key management server to obtain the keys needed for file encryption and decryption. The key access module obtains the encryption/decryption key used to decrypt a file by means of identifying information such as the user ID and file name. The key management server can be provided by the server side, a third party, or the client.

FIG. 5 is a schematic diagram of an implementation of the cloud storage service. The environment in which the encryption/decryption module is deployed is a cloud storage service that provides the keymap access mode. In general such a service has a service providing layer that delivers the service, a file system layer that actually stores the files, and a database that stores the information the service needs (including whether a file is encrypted). This embodiment has three major parts: the service providing layer 501 provides a RESTful API (a call interface in the representational state transfer style) for clients to call, together with the core logic processing; the file storage layer 502 uses a distributed file system, for example MogileFS; and the database 503 mainly provides the place where the information required by the two layers above is stored.

FIG. 6 is a schematic diagram of the relationship between the service providing layer and the encryption/decryption module. To provide server-side encryption and decryption, an encryption/decryption module is added to the service providing layer. The service providing layer can itself be subdivided by function into three layers: the Frontend Restful Layer (L1), the Core Layer (L2), and the Backend Mogile layer (L3), which respectively provide the external RESTful API interface 605, the logic processing core 606, and the file storage interface layer 607. The system integrates the encryption/decryption module into L3. When a file is uploaded through the file storage layer 603, it does not pass through the encryption/decryption module if the upload does not require server-side encryption or the download does not require server-side decryption. If the upload is to be encrypted by the server, however, L1 stores the relevant information in the database 601 when it receives the request, and the encryption/decryption module 602 queries the database to confirm, encrypts the file, and returns it to L3. If the download is to be decrypted by the server, the encryption/decryption module first queries the database to confirm whether the file has been encrypted; if it is an encrypted file, the module decrypts it first and then returns it to L3.

The relationships among the cloud storage service, the authentication center, the encryption/decryption module, and the key management server are illustrated below using common operations as examples. FIG. 7 shows user registration and its relationship to each component. Before using the storage service, a user must first register with the authentication center through the storage service within the PKI architecture (S701). The registration data includes the public key supplied by the user (S702); this public key will later be used for encryption when the server sends a decryption key to the user. After registration is complete (S703), the authentication center must retain the mapping between the identity and its public key.

FIG. 8 shows upload with server-side encryption and its relationship to each component. For an upload with server-side encryption (S801), the client makes the request and uses a parameter to tell the server whether the data should be encrypted. The server confirms the user's legitimacy with the authentication center (S802). If the user is legitimate (S803), the server asks the encryption/decryption module to encrypt (S804). Using identifying information such as the user ID and file name, the encryption/decryption module requests from the key management server the encryption/decryption key required for decrypting the file (S805). After obtaining the encryption/decryption key required to encrypt the file (S806), the encryption/decryption module uses this key to encrypt the file (S807) and stores it.

FIG. 9 shows download with server-side decryption and its relationship to each component. For a download with server-side decryption (S901), the client makes the request and the server confirms the user's legitimacy with the authentication center (S902). If the user is legitimate (S903), the server asks the encryption/decryption module to decrypt. The encryption/decryption module determines from the data in the database whether decryption needs to be requested (S904). If decryption is needed, the encryption/decryption module uses identifying information such as the user ID and file name to request from the key management server the encryption/decryption key required for decrypting the file (S905). After obtaining the encryption/decryption key required to decrypt the file (S906), the encryption/decryption module uses this key to decrypt the file and then returns the plaintext file (S907).

FIG. 10 shows download with client-side decryption and its relationship to each component. For a download with client-side decryption (S1001), the client makes the request and the server confirms the user's legitimacy with the authentication center (S1002). If the user is legitimate (S1003), the server asks the encryption/decryption module to decrypt, and the encryption/decryption module, that is, the server, determines from the data in the database whether decryption needs to be requested (S1004). If decryption is needed, the encryption/decryption module uses identifying information such as the user ID and file name to request from the key management server the encryption/decryption key required for decrypting the file (S1005), obtains the encryption/decryption key used to decrypt the file (S1006), and returns it to the server (S1007). The server then requests the user's public key from the authentication center (S1008). After obtaining the public key (S1009), the server encrypts the encryption/decryption key with the public key and sends it back to the user together with the undecrypted file. The client recovers the encryption/decryption key with its private key and then decrypts the undecrypted file it received.
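
The upload flow of FIG. 8 and the client-side-decryption download of FIG. 10, sketched in Node.js as an added example (not code from the patent or from Chunghwa Telecom). The patent names no algorithms: AES-256-GCM for files, RSA-OAEP for wrapping the file key, the in-memory Maps, the stored layout, and all function names are assumptions made here.

```javascript
// Added illustration of the FIG. 8 upload and FIG. 10 download flows.
// Assumptions (not in the patent): AES-256-GCM for files, RSA-OAEP (SHA-256)
// for wrapping the file key, in-memory Maps standing in for each component.
const crypto = require('node:crypto');

const authCenter = new Map(); // authentication center 101: user ID -> public key
const keyServer = new Map();  // key management server 103: "user/file" -> file key
const metaDb = new Map();     // Meta-Data database: "user/file" -> { encrypted }
const fileStore = new Map();  // file storage layer: "user/file" -> stored bytes

const OAEP = { padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };
const slot = (userId, fileName) => `${userId}/${fileName}`;

// S701-S703: a user registers a public key; identities must be unique per center.
function register(userId, publicKey) {
  if (authCenter.has(userId)) throw new Error('identity already registered');
  authCenter.set(userId, publicKey);
}

// S802 / S1002: the server confirms the user with the authentication center.
function requireUser(userId) {
  const publicKey = authCenter.get(userId);
  if (!publicKey) throw new Error('unknown user');
  return publicKey;
}

// S801-S807: upload; a request parameter says whether the server should encrypt.
function upload(userId, fileName, data, { encrypt }) {
  requireUser(userId);
  const id = slot(userId, fileName);
  metaDb.set(id, { encrypted: encrypt });
  if (!encrypt) { fileStore.set(id, Buffer.from(data)); return; }
  // S805-S806: the key is addressed by user ID and file name (created here).
  const key = crypto.randomBytes(32);
  keyServer.set(id, key);
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  const body = Buffer.concat([cipher.update(data), cipher.final()]);
  // Stored layout (constructed for this example): iv | tag | ciphertext.
  fileStore.set(id, Buffer.concat([iv, cipher.getAuthTag(), body]));
}

// S1001-S1009: download with client-side decryption. The caller never says
// whether the file is encrypted; the metadata record decides (S1004).
function downloadForClientDecrypt(userId, fileName) {
  const publicKey = requireUser(userId);   // S1002-S1003, S1008-S1009
  const id = slot(userId, fileName);
  const meta = metaDb.get(id);
  if (!meta) throw new Error('no such file');
  const file = fileStore.get(id);
  if (!meta.encrypted) return { file, wrappedKey: null };
  const key = keyServer.get(id);           // S1005-S1007
  // The file key leaves the server only wrapped under the user's public key.
  return { file, wrappedKey: crypto.publicEncrypt({ key: publicKey, ...OAEP }, key) };
}

// Client side: unwrap the file key with the private key, then decrypt the file.
function clientDecrypt(privateKey, { file, wrappedKey }) {
  if (wrappedKey === null) return file;
  const key = crypto.privateDecrypt({ key: privateKey, ...OAEP }, wrappedKey);
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, file.subarray(0, 12));
  decipher.setAuthTag(file.subarray(12, 28));
  return Buffer.concat([decipher.update(file.subarray(28)), decipher.final()]);
}

// Constructed demo data: one encrypted file, one stored as-is, one wrong key.
function demo() {
  for (const m of [authCenter, keyServer, metaDb, fileStore]) m.clear();
  const alice = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  const other = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  register('alice', alice.publicKey);
  upload('alice', 'report.txt', Buffer.from('quarterly numbers'), { encrypt: true });
  upload('alice', 'readme.txt', Buffer.from('public notes'), { encrypt: false });

  const sealed = downloadForClientDecrypt('alice', 'report.txt');
  const plain = downloadForClientDecrypt('alice', 'readme.txt');
  let wrongKeyRejected = false;
  try { clientDecrypt(other.privateKey, sealed); } catch { wrongKeyRejected = true; }
  return {
    report: clientDecrypt(alice.privateKey, sealed).toString(),
    readme: clientDecrypt(alice.privateKey, plain).toString(),
    storedIsCiphertext: !sealed.file.includes('quarterly'),
    wrongKeyRejected,
  };
}

console.log(demo());
```

The file key never crosses the wire in the clear, so a party that holds only the stored object and the download response cannot decrypt without the registered user's private key.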

The detailed description above is a specific description of one feasible embodiment of the present invention. This embodiment is not intended to limit the patent scope of the invention; any equivalent implementation or modification that does not depart from the spirit of the invention shall fall within the patent scope of this application.

In summary, this application is not only genuinely innovative in its technical concept but also provides the multiple benefits described above that conventional methods lack. It fully satisfies the statutory requirements of novelty and inventive step for an invention patent. The application is therefore filed in accordance with the law, and the Office is respectfully requested to approve this invention patent application so as to encourage invention.

Claims (7)

1. A keymap access mode cloud storage service with encryption and decryption functions, comprising: a cloud storage service, responsible for externally providing an application programming interface (API) for users to operate on and access data; an authentication center, which manages user identity authentication and provides the mapping between a personal identity and its public key; an encryption/decryption module, which provides server-side encryption and decryption, supports downloading or copying a specified part of a file, and processes in parallel the file encryption/decryption computation and the transmission of the keymap access mode cloud storage service; and a key management server, which interfaces with the encryption/decryption module and manages the large number of keys the encryption/decryption module requires when encrypting and decrypting files.

2. The keymap access mode cloud storage service with encryption and decryption functions according to claim 1, wherein the encryption/decryption module is located in the service providing layer of the server or at the client, and interfaces with different databases and file system layers.

3. The keymap access mode cloud storage service with encryption and decryption functions according to claim 1, wherein the encryption/decryption module interfaces with the key management server, and the key management server manages the large number of keys the encryption/decryption module requires when encrypting and decrypting files.

4. The keymap access mode cloud storage service with encryption and decryption functions according to claim 1, wherein the key management server is provided by the server side, a third party, or the client.

5. The keymap access mode cloud storage service with encryption and decryption functions according to claim 1, wherein the authentication center is provided by the server side, a third party, or the client.

6. The keymap access mode cloud storage service with encryption and decryption functions according to claim 1, wherein the cloud storage service comprises: a service providing layer, which provides a RESTful API for clients to call; a file system layer, which is a distributed file system; and a database, which stores the information required by the service providing layer and the file system layer.

7. The keymap access mode cloud storage service with encryption and decryption functions according to claim 2, wherein the service providing layer is divided into a RESTful API, a logic processing core, and a file storage interface layer, and wherein, after the encryption/decryption module reads from the database the user request information obtained by the RESTful API, it encrypts the file and returns it to the file storage interface layer, which stores the encrypted file in the file system layer.
TW103136955A 2014-10-27 2014-10-27 Cloud storage service method in keymap access mode TW201616831A (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
TW103136955A TW201616831A (en) 2014-10-27 2014-10-27 Cloud storage service method in keymap access mode
CN201510127865.9A CN104780160A (en) 2014-10-27 2015-03-23 Method for cloud storage service in keymap access mode

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
TW103136955A TW201616831A (en) 2014-10-27 2014-10-27 Cloud storage service method in keymap access mode

Publications (1)

Publication Number Publication Date
TW201616831A (en) 2016-05-01

Family

ID=53621404

Family Applications (1)

Application Number Title Priority Date Filing Date
TW103136955A TW201616831A (en) 2014-10-27 2014-10-27 Cloud storage service method in keymap access mode

Country Status (2)

Country Link
CN (1) CN104780160A (en)
TW (1) TW201616831A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
TWI791963B (en) * 2020-03-19 2023-02-11 瑞昱半導體股份有限公司 Data decryption system and data decryption method

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8560846B2 (en) * 2011-01-13 2013-10-15 Hewlett-Packard Development Company, L.P. Document security system and method
KR101874081B1 (en) * 2012-06-07 2018-07-03 에스케이테크엑스 주식회사 Cloud Service Supporting Method And System based on a Enhanced Security
CN103684798B (en) * 2013-12-31 2017-03-22 南京理工大学连云港研究院 Authentication method used in distributed user service

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
TWI791963B (en) * 2020-03-19 2023-02-11 瑞昱半導體股份有限公司 Data decryption system and data decryption method
US11604900B2 (en) 2020-03-19 2023-03-14 Realtek Semiconductor Corporation Data decryption system and data decryption method

Also Published As

Publication number Publication date
CN104780160A (en) 2015-07-15
