WO2018032379A1 - Untrusted remote transaction file secure storage system for block chain - Google Patents

Untrusted remote transaction file secure storage system for block chain Download PDF

Info

Publication number
WO2018032379A1
WO2018032379A1 PCT/CN2016/095583 CN2016095583W WO2018032379A1 WO 2018032379 A1 WO2018032379 A1 WO 2018032379A1 CN 2016095583 W CN2016095583 W CN 2016095583W WO 2018032379 A1 WO2018032379 A1 WO 2018032379A1
Authority
WO
WIPO (PCT)
Prior art keywords
file
transaction
key
user
storage system
Prior art date
Application number
PCT/CN2016/095583
Other languages
French (fr)
Chinese (zh)
Inventor
张丛
Original Assignee
深圳市樊溪电子有限公司
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 深圳市樊溪电子有限公司 filed Critical 深圳市樊溪电子有限公司
Publication of WO2018032379A1 publication Critical patent/WO2018032379A1/en

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/12Applying verification of the received information
    • H04L63/123Applying verification of the received information received data contents, e.g. message integrity
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/602Providing cryptographic facilities or services
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/62Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/64Protecting data integrity, e.g. using checksums, certificates or signatures
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/70Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
    • G06F21/78Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure storage of data

Definitions

  • the invention relates to the transaction data security problem of a blockchain, in particular to a blockchain untrusted remote transaction file security storage system.
  • blockchain is a secure account book database, composed of data blocks, users can constantly update and upgrade here.
  • the platform looks for data.
  • the blockchain can speed up transaction processing, reduce costs, reduce middlemen, improve market insight, and increase business transparency.
  • Computing and storage are the two basic tasks of computer systems. With the explosive growth of information, storage components will experience direct storage based on single-server, to cluster-based grid storage based on LAN, and finally to WAN-based data grids.
  • Blockchain technology is the most extreme development at present. The intrinsic characteristics of this data storage medium include intelligent storage. The quality of storage service can guarantee service differentiation and performance guarantee for user applications.
  • Storage is object-oriented mass storage, and Network storage must be confidential and complete.
  • the existing Internet does not have a good or convenient way to ensure the confidentiality, integrity, availability, and data of the data stored in the blockchain and the data stored on the storage device. Non-repudiation and the reliability of the entire network storage system, especially the generation of trusted computing technology in blockchain in recent years, puts higher demands on network storage security.
  • the file accesses the system call and converts to a trusted transaction file access request in turn; (3) revokes the user key module, quickly revokes the user's key, removes the key block from the original transaction data file to revoke the user, and then generates The new block encryption key FEK and re-encrypt the file, and update the remaining block encryption key of each user with the new block encryption key FEK; (4)
  • the plaintext save module uses the plaintext save module to save the restored file system The necessary plaintext is repeated to perform an integrity check to encrypt all transaction data access and control information; (5) Timestamp module, in one use The specified interval, time stamping the new transaction file; (6) Multi-transaction file backup module, backing up the transaction file to multiple servers.
  • the public key sending module sends the user's public key to the file owner to add the user, a new read or write user, and the public key is used to encrypt the encryption key and attach it to the original transaction data of the transaction file.
  • the new user's key is attached to the original transaction data, and the user can access the transaction file.
  • an encryption master key MEK and a signature master key MSK are saved for each transaction file user, and each transaction file has a unique symmetric encryption key FEK and a signature key. FSK.
  • the symmetric encryption key FEK is provided to all users, and the signature key FSK is only provided to users who have "write” rights.
  • all transaction files are divided into two parts: the original transaction data file source-file and the transaction data file d-file.
  • the original transaction data file source-file includes: a block encryption master key MEK of the transaction file owner, a user's block encryption key FEK, and if there is a write right, a signature key FSK is also included, and a The file owner's signature master key MSK signed the original transaction data hash value block, text If the owner or user has a key stored in the original data of a file, then he can decrypt the file.
  • the file security storage system also uses the new version of the prompt guarantee principle to ensure that all of the user's transaction files are the latest version to prevent replay attacks.
  • the file secure storage system can use any file delivery mechanism that conforms to the delivery protocol.
  • the revocation user key module uses the active policy to revoke the key, and once the user is terminated, the corresponding transaction file cannot be accessed through the new transaction file guarantee.
  • the untrusted remote transaction file secure storage system for the blockchain although more expensive than the ordinary file security storage system, is slower, but the security factor is greatly improved.
  • FIG. 1 is a schematic structural diagram of an untrusted remote transaction file secure storage system for a blockchain according to an embodiment of the present invention.
  • the essence of a transaction is a relational data structure that contains information about the value transfer of the trading participants. These transaction information is called the accounting ledger.
  • the transaction needs to go through three creation, verification, and writing blockchains. The transaction must be digitally signed to ensure the legality of the transaction.
  • Block All transaction information is stored in the block, and a transaction information is a record, which is stored as a separate record in the blockchain.
  • the block consists of a block header and a data part.
  • the block header field contains various characteristics of the block itself, such as the previous block information, the merkle value, and the timestamp.
  • the block header hash value and block height are the two most important indicators for identifying the block.
  • the block primary identifier is its cryptographic hash value, a digital fingerprint obtained by performing a second hash calculation on the block header by the SHA algorithm.
  • the resulting 32-byte hash value is called the block hash value, or the block header hash value, and only the block header is used for calculation.
  • the block hash value can uniquely and unambiguously identify a block, and any node can independently obtain the block hash value by simply hashing the block header.
  • Blockchain A data structure in which blocks are chained in an orderly fashion.
  • a blockchain is like a vertical stack, with the first block being the first block at the bottom of the stack, and each block is then placed on top of the other blocks.
  • a block When a block is written to a blockchain, it will never change and is backed up to another blockchain server.
  • the system includes a client.
  • the client loads the encryption module. All transaction files are encrypted by the encryption module before being sent to the server for storage. Therefore, neither the server nor the server administrator can access the plaintext.
  • the transaction data processing burden of the end is relatively light, so that it is not necessary to separately set a secure channel when transmitting the transaction file.
  • each transaction file has a unique symmetric encryption key FEK and a signature key FSK, wherein the symmetric encryption key FEK is provided to all users, and the signature key FSK is only provided to A user who has "write" power.
  • the original transaction data file source-file includes: the block encryption master key MEK of the transaction file owner, the user's block encryption key FEK, and if there is write power, it also contains a signature key FSK, and another file has The original transaction data hash value block signed by the signature master key MSK. If the file owner or user has a key stored in the original data of a file, then he can decrypt the file.
  • It also includes revoking the user key module so that the revocation user's key can be executed very quickly and efficiently, that is, removing the key block of the user to be revoked from the original transaction data file, and then generating a new block encryption key FEK and The file is re-encrypted and the remaining block encryption key for each user is updated with the new block encryption key FEK.
  • the user key module is revoked and the active policy is used to revoke the key. Once a user is denied access, the corresponding transaction file cannot be accessed through the new transaction file guarantee.
  • It also includes a plaintext save module that uses the plaintext save module to save the plaintext necessary to restore the file system to perform an integrity check, encrypting all transaction data access and control information, which facilitates the use of legacy file system standard backups.
  • the process that is, if the system must recover from a disaster, all necessary access information needs to be provided, and the system also uses the new version of the prompt guarantee principle to ensure that all of the user's transaction files are up-to-date to prevent replay attacks.
  • Including a multi-transaction file backup module because there is no change to the underlying transaction file system, an attacker can not resist DOS attacks if it deletes all files after the server is compromised.
  • the multi-transaction file backup module backs up the transaction files to multiple servers. This can limit the danger of such an attack.
  • the new read or write user in order to add a user, the new read or write user must send the file owner the owner's public key, thereby using the public key to encrypt the encryption key and attach the original transaction data to the transaction file.
  • the key delivery mechanism has no specific provisions in this file storage system, as long as it is a mechanism that conforms to the delivery protocol.
  • the untrusted remote transaction file secure storage system for the blockchain does not have to check whether the file is a new transaction file, and the first access needs to be properly saved after the original transaction data is transmitted to the user.
  • Ordinary file security storage systems have a large overhead, so the speed is 70% slower, but the security factor is greatly improved.

Abstract

An untrusted remote transaction file secure storage system for a block chain, comprising: (1) a client, for loading an encryption module and completing encryption and transmission of all transaction files; (2) a software daemon, for capturing all transaction file access system calls and sequentially converting the calls into trusted transaction file access requests; (3) a user key revoking module, for quickly revoking a key of a user; (4) a plaintext storage module, for carrying out integrity check; (5) a timestamp module, for adding a timestamp to a new transaction file; (6) a multi-transaction file backup module, for limiting damage from a DOS attack which cannot be resisted because an underlying transaction file system is not changed; and (7) a public key sending module used for adding a user. By means of the file secure storage system, although the overheads are greater than those of a normal file secure storage system and the speed is lower, the security coefficient is greatly improved.

Description

一种用于区块链的非信任远程交易文件安全存储系统Untrusted remote transaction file secure storage system for blockchain 技术领域Technical field
本发明涉及区块链的交易数据安全问题,特别是一种区块链的非信任远程交易文件安全存储系统。The invention relates to the transaction data security problem of a blockchain, in particular to a blockchain untrusted remote transaction file security storage system.
背景技术Background technique
2009年比特币的出现带来了一种颠覆性的成果--区块链技术,区块链是一个安全的帐簿类数据库,由一个个数据区块组成,使用者可以在这个不断更新升级的平台查找数据,对于金融机构来说,区块链能加快交易处理过程、降低成本、减少中间人、提高市场洞察力,增加业务透明度。The emergence of Bitcoin in 2009 brought a subversive result - blockchain technology, blockchain is a secure account book database, composed of data blocks, users can constantly update and upgrade here. The platform looks for data. For financial institutions, the blockchain can speed up transaction processing, reduce costs, reduce middlemen, improve market insight, and increase business transparency.
计算和存储是计算机系统的两大基本任务,随着信息的爆炸性增长,存储部件会经历基于单服务器的直连存储,到基于局域网的集群网格存储,最后发展到基于广域网的数据网格,区块链技术是目前发展的最末端,这种数据存储介质的本征特质包括智能化的存储,存储服务质量可以保证为用户应用提供服务区分和性能保证,存储是面向对象的海量存储,以及网络存储必须保证是机密完整和安全的,现有的互联网还没有很好的或者方便的办法保证区块链传输过程中的数据和保存在存储设备上的数据的保密性、完整性、可用性、不可抵赖性以及整个网络存储系统的可靠性能,尤其是近年来区块链可信计算技术的产生,对网络存储安全又提出更高的要求。Computing and storage are the two basic tasks of computer systems. With the explosive growth of information, storage components will experience direct storage based on single-server, to cluster-based grid storage based on LAN, and finally to WAN-based data grids. Blockchain technology is the most extreme development at present. The intrinsic characteristics of this data storage medium include intelligent storage. The quality of storage service can guarantee service differentiation and performance guarantee for user applications. Storage is object-oriented mass storage, and Network storage must be confidential and complete. The existing Internet does not have a good or convenient way to ensure the confidentiality, integrity, availability, and data of the data stored in the blockchain and the data stored on the storage device. Non-repudiation and the reliability of the entire network storage system, especially the generation of trusted computing technology in blockchain in recent years, puts higher demands on network storage security.
发明内容 Summary of the invention
本发明的目的在于提供一种用于区块链的非信任远程交易文件安全存储系统,在这些不信任的网络文件系统上提供加密的读写访问,包括:(1)客户端,所述客户端上加载加密模块,所有的交易文件在被送到服务器端进行存储之前通过所述加密模块加密,传送交易文件可在所述客户端完成;(2)软件守护进程,用于截取所有的交易文件访问系统调用,并依次转换为可信任的交易文件访问请求;(3)吊销用户密钥模块,快速吊销用户的密钥,从原始交易数据文件中去除要吊销用户的密钥块,然后生成新的块加密密钥FEK并重新加密文件,用新的块加密密钥FEK更新剩下的每个用户的块加密密钥;(4)明文保存模块,使用该明文保存模块保存恢复文件系统所必需的明文一遍,以执行完整性检验,对所有的交易数据访问和控制信息进行加密;(5)时间戳模块,在一个用户指定的间隔,对新的交易文件加时间戳;(6)多交易文件备份模块,将交易文件备份到多个服务器上限制因为没有对底层交易文件系统改变无法抵抗DOS攻击的危害;(7)公钥发送模块,给文件拥有者发送自己的公钥以添加用户,新的读或者写用户,所述公钥用于对加密密钥进行加密,并且附加到交易文件的原始交易数据中,一旦新用户的密钥被附加到原始交易数据中,所述用户就可以访问所述交易文件。It is an object of the present invention to provide an untrusted remote transaction file secure storage system for a blockchain that provides encrypted read and write access on these untrusted network file systems, including: (1) a client, the client The encryption module is loaded on the end, and all the transaction files are encrypted by the encryption module before being sent to the server for storage, and the transaction file can be completed at the client; (2) the software daemon is used to intercept all transactions. The file accesses the system call and converts to a trusted transaction file access request in turn; (3) revokes the user key module, quickly revokes the user's key, removes the key block from the original transaction data file to revoke the user, and then generates The new block encryption key FEK and re-encrypt the file, and update the remaining block encryption key of each user with the new block encryption key FEK; (4) The plaintext save module uses the plaintext save module to save the restored file system The necessary plaintext is repeated to perform an integrity check to encrypt all transaction data access and control information; (5) Timestamp module, in one use The specified interval, time stamping the new transaction file; (6) Multi-transaction file backup module, backing up the transaction file to multiple servers. Because there is no change to the underlying transaction file system, it is not resistant to DOS attacks; (7) The public key sending module sends the user's public key to the file owner to add the user, a new read or write user, and the public key is used to encrypt the encryption key and attach it to the original transaction data of the transaction file. The new user's key is attached to the original transaction data, and the user can access the transaction file.
优选的,加密模块对交易文件加密的时候会为每个交易文件用户保存一个加密主密钥MEK和一个签名主密钥MSK,每个交易文件有唯一的对称加密密钥FEK和一个签名密钥FSK。Preferably, when the encryption module encrypts the transaction file, an encryption master key MEK and a signature master key MSK are saved for each transaction file user, and each transaction file has a unique symmetric encryption key FEK and a signature key. FSK.
优选的,对称加密密钥FEK会提供给所有的用户,而所述签名密钥FSK仅提供给拥有“写”权力的用户Preferably, the symmetric encryption key FEK is provided to all users, and the signature key FSK is only provided to users who have "write" rights.
优选的,所有的交易文件被分成两个部分:原始交易数据文件source-file和交易数据文件d-file。Preferably, all transaction files are divided into two parts: the original transaction data file source-file and the transaction data file d-file.
优选的,原始交易数据文件source-file包括:交易文件拥有者的块加密主密钥MEK,用户的块加密密钥FEK,如果有写的权力,还会包含一个签名密钥FSK,还包括一个文件拥有者的签名主密钥MSK签过名的原始交易数据哈希值块,文 件拥有者或者用户有一个密钥保存在一个文件的原始数据中,那么他就能解密这个文件。Preferably, the original transaction data file source-file includes: a block encryption master key MEK of the transaction file owner, a user's block encryption key FEK, and if there is a write right, a signature key FSK is also included, and a The file owner's signature master key MSK signed the original transaction data hash value block, text If the owner or user has a key stored in the original data of a file, then he can decrypt the file.
优选的,文件安全存储系统还使用新版本提示保证原则,确保用户所有的交易文件都是最新的版本以阻止重放攻击。Preferably, the file security storage system also uses the new version of the prompt guarantee principle to ensure that all of the user's transaction files are the latest version to prevent replay attacks.
优选的,文件安全存储系统可以使用任何符合传递协议的文件传递机制。Preferably, the file secure storage system can use any file delivery mechanism that conforms to the delivery protocol.
优选的,吊销用户密钥模块采用积极策略吊销密钥,一个用户一旦被终止访问权,就不能通过新的交易文件保证来访问相应的交易文件了。Preferably, the revocation user key module uses the active policy to revoke the key, and once the user is terminated, the corresponding transaction file cannot be accessed through the new transaction file guarantee.
采用该用于区块链的非信任远程交易文件安全存储系统,虽然比普通的文件安全存储系统开销要大,因此速度要慢,然而安全系数却大大提高。The untrusted remote transaction file secure storage system for the blockchain, although more expensive than the ordinary file security storage system, is slower, but the security factor is greatly improved.
根据下文结合附图对本发明具体实施例的详细描述,本领域技术人员将会更加明了本发明的上述以及其他目的、优点和特征。The above as well as other objects, advantages and features of the present invention will become apparent to those skilled in the <
附图说明DRAWINGS
后文将参照附图以示例性而非限制性的方式详细描述本发明的一些具体实施例。附图中相同的附图标记标示了相同或类似的部件或部分。本领域技术人员应该理解,这些附图未必是按比例绘制的。本发明的目标及特征考虑到如下结合附图的描述将更加明显,附图中:Some specific embodiments of the present invention are described in detail below by way of example, and not limitation. The same reference numbers in the drawings identify the same or similar parts. Those skilled in the art should understand that the drawings are not necessarily drawn to scale. The objects and features of the present invention will become more apparent in consideration of the following description in conjunction with the accompanying drawings.
图1为根据本发明实施例的用于区块链的非信任远程交易文件安全存储系统结构示意图。1 is a schematic structural diagram of an untrusted remote transaction file secure storage system for a blockchain according to an embodiment of the present invention.
具体实施方式detailed description
在进行具体实施方式的说明之前,为了更为清楚的表达所论述的内容,首先定义一些非常重要的概念。Before proceeding with the description of the specific embodiments, in order to more clearly express the content discussed, first define some very important concepts.
交易:交易的实质是个关系数据结构,这个数据结构中包含交易参与者价值转移的相关信息。这些交易信息被称为记账总账簿。交易需经过三个创建、验证、写入区块链。交易必须经过数字签名,保证交易的合法性。 Trading: The essence of a transaction is a relational data structure that contains information about the value transfer of the trading participants. These transaction information is called the accounting ledger. The transaction needs to go through three creation, verification, and writing blockchains. The transaction must be digitally signed to ensure the legality of the transaction.
区块:所有的交易信息存放于区块中,一条交易信息就是一条记录,作为一个独立的记录存放于区块链中。区块由区块头部和数据部分组成,区块头字段包含区块本身的各种特性,例如前一区块信息,merkle值及时间戳等。其中区块头哈希值和区块高度是标识区块最主要的两个指标。区块主标识符是它的加密哈希值,一个通过SHA算法对区块头进行二次哈希计算而得到的数字指纹。产生的32字节哈希值被称为区块哈希值,或者区块头哈希值,只有区块头被用于计算。区块哈希值可以唯一、明确地标识一个区块,并且任何节点通过简单地对区块头进行哈希计算都可以独立地获取该区块哈希值。Block: All transaction information is stored in the block, and a transaction information is a record, which is stored as a separate record in the blockchain. The block consists of a block header and a data part. The block header field contains various characteristics of the block itself, such as the previous block information, the merkle value, and the timestamp. The block header hash value and block height are the two most important indicators for identifying the block. The block primary identifier is its cryptographic hash value, a digital fingerprint obtained by performing a second hash calculation on the block header by the SHA algorithm. The resulting 32-byte hash value is called the block hash value, or the block header hash value, and only the block header is used for calculation. The block hash value can uniquely and unambiguously identify a block, and any node can independently obtain the block hash value by simply hashing the block header.
区块链:由区块按照链式结构有序链接起来的数据结构。区块链就像一个垂直的堆栈,第一个区块作为栈底的首区块,随后每个区块都被放置在其他区块之上。当区块写入区块链后将永远不会改变,并且备份到其他的区块链服务器上。Blockchain: A data structure in which blocks are chained in an orderly fashion. A blockchain is like a vertical stack, with the first block being the first block at the bottom of the stack, and each block is then placed on top of the other blocks. When a block is written to a blockchain, it will never change and is backed up to another blockchain server.
实施例:Example:
目前存在很多不信任的网络文件系统,例如网络文件系统NFS,网路文件贡献过系统CIFS等,参见图1,用于区块链的非信任远程交易文件安全存储系统在这些不信任的网络文件系统上提供加密的读写访问。系统使用一个软件守护进程截取所有的交易文件访问系统调用并依次转换为可信任的交易文件访问请求。利用这个概念,目前无需对区块链的硬件作任何的改动,就能建立一个安全的交易文件共享环境,并且没有明显改变现有网络存储系统的性能,对无力升级现有系统且现有系统安全性又非常有效的组织,如果使用区块链技术,该非信任远成交易文件安全存储系统是一个临时解决方案。There are many untrusted network file systems, such as the network file system NFS, the network file contributed to the system CIFS, etc. See Figure 1, the untrusted remote transaction file security storage system for the blockchain in these untrusted network files. Encrypted read and write access is provided on the system. The system uses a software daemon to intercept all transaction file access system calls and convert them into trusted transaction file access requests. With this concept, it is now possible to establish a secure transaction file sharing environment without any changes to the hardware of the blockchain, without significantly changing the performance of the existing network storage system, and being unable to upgrade existing systems and existing systems. Security and very effective organization, if using blockchain technology, this non-trust far away transaction file secure storage system is a temporary solution.
该系统包括一个客户端,客户端上加载加密模块,所有的交易文件在被送到服务器端进行存储之前通过加密模块加密,所以无论是服务器或是服务器的管理员都不能接触明文,同样该客户端的交易数据处理负担较轻,从而传送交易文件的时候不必单独设置安全通道。The system includes a client. The client loads the encryption module. All transaction files are encrypted by the encryption module before being sent to the server for storage. Therefore, neither the server nor the server administrator can access the plaintext. The transaction data processing burden of the end is relatively light, so that it is not necessary to separately set a secure channel when transmitting the transaction file.
加密模块对交易文件加密的时候会为每个交易文件用户保存一个加密主密 钥MEK和一个签名主密钥MSK,每个交易文件有唯一的对称加密密钥FEK和一个签名密钥FSK,其中对称加密密钥FEK会提供给所有的用户,而签名密钥FSK仅提供给拥有“写”权力的用户。When the encryption module encrypts the transaction file, it saves an encrypted primary key for each transaction file user. Key MEK and a signature master key MSK, each transaction file has a unique symmetric encryption key FEK and a signature key FSK, wherein the symmetric encryption key FEK is provided to all users, and the signature key FSK is only provided to A user who has "write" power.
所有的交易文件由此被分成两个部分,原始交易数据文件source-file和交易数据文件d-file。原始交易数据文件source-file包括:交易文件拥有者的块加密主密钥MEK,用户的块加密密钥FEK,如果有写的权力,还会包含一个签名密钥FSK,另外还有一个文件拥有者的签名主密钥MSK签过名的原始交易数据哈希值块。如果文件拥有者或者用户有一个密钥保存在一个文件的原始数据中,那么他就能解密这个文件。All transaction files are thus divided into two parts, the original transaction data file source-file and the transaction data file d-file. The original transaction data file source-file includes: the block encryption master key MEK of the transaction file owner, the user's block encryption key FEK, and if there is write power, it also contains a signature key FSK, and another file has The original transaction data hash value block signed by the signature master key MSK. If the file owner or user has a key stored in the original data of a file, then he can decrypt the file.
还包括吊销用户密钥模块,从而使得吊销用户的密钥也可以很快很有效的执行,即从原始交易数据文件中去除要吊销用户的密钥块,然后生成新的块加密密钥FEK并重新加密文件,用新的块加密密钥FEK更新剩下的每个用户的块加密密钥。吊销用户密钥模块,采用积极策略吊销密钥,一个用户一旦被终止访问权,就不能通过新的交易文件保证来访问相应的交易文件了。It also includes revoking the user key module so that the revocation user's key can be executed very quickly and efficiently, that is, removing the key block of the user to be revoked from the original transaction data file, and then generating a new block encryption key FEK and The file is re-encrypted and the remaining block encryption key for each user is updated with the new block encryption key FEK. The user key module is revoked and the active policy is used to revoke the key. Once a user is denied access, the corresponding transaction file cannot be accessed through the new transaction file guarantee.
还包括明文保存模块,使用该明文保存模块保存恢复文件系统所必需的明文一遍,以执行完整性检验,对所有的交易数据访问和控制信息进行加密,这有助于使用遗留的文件系统标准备份过程,即如果系统必须从一个灾难中恢复,所有的必要访问信息需要被提供,该系统还使用新版本提示保证原则,确保用户所有的交易文件都是最新的版本以阻止重放攻击。It also includes a plaintext save module that uses the plaintext save module to save the plaintext necessary to restore the file system to perform an integrity check, encrypting all transaction data access and control information, which facilitates the use of legacy file system standard backups. The process, that is, if the system must recover from a disaster, all necessary access information needs to be provided, and the system also uses the new version of the prompt guarantee principle to ensure that all of the user's transaction files are up-to-date to prevent replay attacks.
包括一个时间戳模块,在一个用户指定的间隔,对新的交易文件加时间戳。Includes a timestamp module that time stamps new transaction files at a user-specified interval.
包括一个多交易文件备份模块,因为没有对底层交易文件系统改变,所以一个攻击者若攻陷服务器后删除所有的文件,就无法抵抗DOS的攻击,多交易文件备份模块将交易文件备份到多个服务器上可以限制这样攻击的危害。Including a multi-transaction file backup module, because there is no change to the underlying transaction file system, an attacker can not resist DOS attacks if it deletes all files after the server is compromised. The multi-transaction file backup module backs up the transaction files to multiple servers. This can limit the danger of such an attack.
包括一个公钥发送模块,为了添加用户,新的读或者写用户必须给文件拥有者发送自己的公钥,从而用此公钥来对加密密钥进行加密,并且附加到交易文件的原交易数据中,一旦新用户的密钥被附加到原交易数据中,该用户就可 以访问这些文件了,密钥传递机制在此文件存储系统中没有具体的规定,只要是符合传递协议的机制都可以使用。Including a public key sending module, in order to add a user, the new read or write user must send the file owner the owner's public key, thereby using the public key to encrypt the encryption key and attach the original transaction data to the transaction file. In the new user's key, once the new user's key is attached to the original transaction data, the user can In order to access these files, the key delivery mechanism has no specific provisions in this file storage system, as long as it is a mechanism that conforms to the delivery protocol.
用于区块链的非信任远程交易文件安全存储系统因为没此都要检查文件是否为新的交易文件,并且第一次访问需要把原始交易数据传送给用户后还要进行适当的保存,比普通的文件安全存储系统开销要大,因此速度慢70%,然而安全系数却大大提高。The untrusted remote transaction file secure storage system for the blockchain does not have to check whether the file is a new transaction file, and the first access needs to be properly saved after the original transaction data is transmitted to the user. Ordinary file security storage systems have a large overhead, so the speed is 70% slower, but the security factor is greatly improved.
虽然本发明已经参考特定的说明性实施例进行了描述,但是不会受到这些实施例的限定而仅仅受到附加权利要求的限定。本领域技术人员应当理解可以在不偏离本发明的保护范围和精神的情况下对本发明的实施例能够进行改动和修改。 The present invention has been described with reference to the specific illustrative embodiments, and is not limited by the scope of the appended claims. It will be appreciated by those skilled in the art that the embodiments of the invention can be modified and modified without departing from the scope and spirit of the invention.

Claims (8)

  1. 一种用于区块链的非信任远程交易文件安全存储系统,在这些不信任的网络文件系统上提供加密的读写访问,其特征在于包括:An untrusted remote transaction file secure storage system for a blockchain, providing encrypted read and write access on these untrusted network file systems, comprising:
    (1)客户端,所述客户端上加载加密模块,所有的交易文件在被送到服务器端进行存储之前通过所述加密模块加密,传送交易文件可在所述客户端完成;(1) a client, where the client loads an encryption module, and all the transaction files are encrypted by the encryption module before being sent to the server for storage, and the delivery transaction file can be completed at the client;
    (2)软件守护进程,用于截取所有的交易文件访问系统调用,并依次转换为可信任的交易文件访问请求;(2) a software daemon process for intercepting all transaction file access system calls and converting them into trusted transaction file access requests in turn;
    (3)吊销用户密钥模块,快速吊销用户的密钥,从原始交易数据文件中去除要吊销用户的密钥块,然后生成新的块加密密钥FEK并重新加密文件,用新的块加密密钥FEK更新剩下的每个用户的块加密密钥;(3) Revoke the user key module, quickly revoke the user's key, remove the key block from the original transaction data file to revoke the user, then generate a new block encryption key FEK and re-encrypt the file, encrypt with the new block The key FEK updates the remaining block encryption key of each user;
    (4)明文保存模块,使用该明文保存模块保存恢复文件系统所必需的明文一遍,以执行完整性检验,对所有的交易数据访问和控制信息进行加密;(4) The plaintext saving module uses the plaintext saving module to save the plaintext necessary for restoring the file system, to perform an integrity check, and encrypt all transaction data access and control information;
    (5)时间戳模块,在一个用户指定的间隔,对新的交易文件加时间戳;(5) A timestamp module that time stamps new transaction files at a user-specified interval;
    (6)多交易文件备份模块,将交易文件备份到多个服务器上限制因为没有对底层交易文件系统改变无法抵抗DOS攻击的危害;(6) Multi-transaction file backup module, which backs up transaction files to multiple servers. Because there is no change to the underlying transaction file system, it cannot resist the harm of DOS attacks;
    (7)公钥发送模块,给文件拥有者发送自己的公钥以添加用户,新的读或者写用户,所述公钥用于对加密密钥进行加密,并且附加到交易文件的原始交易数据中,一旦新用户的密钥被附加到原始交易数据中,所述用户就可以访问所述交易文件。(7) A public key sending module that sends the user's public key to the file owner to add the user, a new read or write user, the public key used to encrypt the encryption key, and the original transaction data attached to the transaction file. The user can access the transaction file once the new user's key is attached to the original transaction data.
  2. 根据权利要求1所述的一种用于区块链的非信任远程交易文件安全存储系统,其特征在于:所述加密模块对交易文件加密的时候会为每个交易文件用户保存一个加密主密钥MEK和一个签名主密钥MSK,每个交易文件有唯一的对称加密密钥FEK和一个签名密钥FSK。The untrusted remote transaction file secure storage system for a blockchain according to claim 1, wherein the encryption module saves an encrypted primary key for each transaction file user when encrypting the transaction file. The key MEK and a signature master key MSK, each transaction file has a unique symmetric encryption key FEK and a signature key FSK.
  3. 根据权利要求2所述的一种用于区块链的非信任远程交易文件安全存储系统,其特征在于:所述对称加密密钥FEK会提供给所有的用户,而所述签名 密钥FSK仅提供给拥有“写”权力的用户。A non-trusted remote transaction file secure storage system for a blockchain according to claim 2, wherein said symmetric encryption key FEK is provided to all users, and said signature The key FSK is only available to users who have "write" power.
  4. 根据权利要求1所述的一种用于区块链的非信任远程交易文件安全存储系统,其特征在于:所有的交易文件被分成两个部分:原始交易数据文件source-file和交易数据文件d-file。A non-trusted remote transaction file secure storage system for a blockchain according to claim 1, wherein all transaction files are divided into two parts: an original transaction data file source-file and a transaction data file d. -file.
  5. 根据权利要求4所述的一种用于区块链的非信任远程交易文件安全存储系统,其特征在于:所述原始交易数据文件source-file包括:交易文件拥有者的块加密主密钥MEK,用户的块加密密钥FEK,如果有写的权力,还会包含一个签名密钥FSK,还包括一个文件拥有者的签名主密钥MSK签过名的原始交易数据哈希值块,文件拥有者或者用户有一个密钥保存在一个文件的原始数据中,那么他就能解密这个文件。The untrusted remote transaction file secure storage system for a blockchain according to claim 4, wherein the original transaction data file source-file comprises: a block encryption master key MEK of the transaction file owner The user's block encryption key FEK, if there is a write right, will also include a signature key FSK, and also include a file owner's signature master key MSK signed the original transaction data hash value block, the file has The user or user has a key stored in the original data of a file, then he can decrypt the file.
  6. 根据权利要求1所述的一种用于区块链的非信任远程交易文件安全存储系统,其特征在于:所述文件安全存储系统还使用新版本提示保证原则,确保用户所有的交易文件都是最新的版本以阻止重放攻击。The untrusted remote transaction file security storage system for a blockchain according to claim 1, wherein the file security storage system further uses a new version prompt guarantee principle to ensure that all transaction files of the user are The latest version to prevent replay attacks.
  7. 根据权利要求1所述的一种用于区块链的非信任远程交易文件安全存储系统,其特征在于:所述文件安全存储系统可以使用任何符合传递协议的文件传递机制。The untrusted remote transaction file secure storage system for a blockchain according to claim 1, wherein the file secure storage system can use any file delivery mechanism conforming to a delivery protocol.
  8. 根据权利要求1所述的一种用于区块链的非信任远程交易文件安全存储系统,其特征在于:所述吊销用户密钥模块采用积极策略吊销密钥,一个用户一旦被终止访问权,就不能通过新的交易文件保证来访问相应的交易文件了。 The untrusted remote transaction file security storage system for a blockchain according to claim 1, wherein the revocation user key module uses a positive policy to revoke a key, and once a user is terminated, It is not possible to access the corresponding transaction file through the new transaction file guarantee.
PCT/CN2016/095583 2016-08-13 2016-08-16 Untrusted remote transaction file secure storage system for block chain WO2018032379A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201610665556.1A CN106131048B (en) 2016-08-13 2016-08-13 Non-trust remote transaction file safe storage system for block chain
CN201610665556.1 2016-08-13

Publications (1)

Publication Number Publication Date
WO2018032379A1 true WO2018032379A1 (en) 2018-02-22

Family

ID=57259108

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2016/095583 WO2018032379A1 (en) 2016-08-13 2016-08-16 Untrusted remote transaction file secure storage system for block chain

Country Status (2)

Country Link
CN (1) CN106131048B (en)
WO (1) WO2018032379A1 (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108898419A (en) * 2018-05-31 2018-11-27 中国联合网络通信集团有限公司 Incentive message processing method, device and block chain node
CN109831479A (en) * 2018-12-20 2019-05-31 深圳智乾区块链科技有限公司 The data processing method and system of block chain

Families Citing this family (14)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107944255B (en) * 2016-10-13 2020-08-04 深圳市图灵奇点智能科技有限公司 Block chain-oriented key management method
CN107070660B (en) * 2017-03-03 2020-03-17 上海唯链信息科技有限公司 Storage design method of block chain encryption radio frequency chip
EP3379447B1 (en) * 2017-03-22 2022-04-27 Siemens Aktiengesellschaft Method and device for tamper-proof storing of information relating to object-specific measures
CN107066561A (en) * 2017-03-30 2017-08-18 中国联合网络通信集团有限公司 Data managing method and platform
CN107067720B (en) * 2017-04-01 2020-10-27 成都信息工程大学 Urban real-time traffic system and method based on block chain
CN107094145B (en) * 2017-05-02 2019-09-17 北京汇通金财信息科技有限公司 Data processing method, server and system based on block chain
CN108881120B (en) * 2017-05-12 2020-12-04 创新先进技术有限公司 Data processing method and device based on block chain
EP3435270B1 (en) * 2017-07-27 2020-09-23 Siemens Aktiengesellschaft Device and method for cryptographically protected operation of a virtual machine
CN108768994B (en) * 2018-05-22 2021-07-27 北京小米移动软件有限公司 Data matching method and device and computer readable storage medium
CN108846289A (en) * 2018-06-08 2018-11-20 北京京东尚科信息技术有限公司 Election information processing method and processing system and election system and storage medium
CN109063498A (en) * 2018-07-27 2018-12-21 深圳市新名泽科技有限公司 Digital asset storage method, device, restoration methods and device
CN109039649B (en) * 2018-08-03 2021-08-06 北京大学深圳研究生院 Key management method and device based on block chain in CCN and storage medium
CN109344630B (en) * 2018-09-18 2021-07-02 百度在线网络技术(北京)有限公司 Block generation method, device, equipment and storage medium
CN110933042B (en) * 2019-11-06 2021-09-14 福建福链科技有限公司 Data security messenger method and system suitable for alliance chain

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1658550A (en) * 2004-04-16 2005-08-24 威盛电子股份有限公司 Apparatus and method for performing cipher operation
CN102014133A (en) * 2010-11-26 2011-04-13 清华大学 Method for implementing safe storage system in cloud storage environment
CN104580487A (en) * 2015-01-20 2015-04-29 成都信升斯科技有限公司 Mass data storage system and processing method
CN104601579A (en) * 2015-01-20 2015-05-06 成都市酷岳科技有限公司 Computer system for ensuring information security and method thereof
CN105812126A (en) * 2016-05-19 2016-07-27 齐鲁工业大学 Lightweight back-up and efficient restoration method of health block chain data encryption keys

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10230526B2 (en) * 2014-12-31 2019-03-12 William Manning Out-of-band validation of domain name system records

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1658550A (en) * 2004-04-16 2005-08-24 威盛电子股份有限公司 Apparatus and method for performing cipher operation
CN102014133A (en) * 2010-11-26 2011-04-13 清华大学 Method for implementing safe storage system in cloud storage environment
CN104580487A (en) * 2015-01-20 2015-04-29 成都信升斯科技有限公司 Mass data storage system and processing method
CN104601579A (en) * 2015-01-20 2015-05-06 成都市酷岳科技有限公司 Computer system for ensuring information security and method thereof
CN105812126A (en) * 2016-05-19 2016-07-27 齐鲁工业大学 Lightweight back-up and efficient restoration method of health block chain data encryption keys

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108898419A (en) * 2018-05-31 2018-11-27 中国联合网络通信集团有限公司 Incentive message processing method, device and block chain node
CN109831479A (en) * 2018-12-20 2019-05-31 深圳智乾区块链科技有限公司 The data processing method and system of block chain

Also Published As

Publication number Publication date
CN106131048B (en) 2020-05-19
CN106131048A (en) 2016-11-16

Similar Documents

Publication Publication Date Title
WO2018032379A1 (en) Untrusted remote transaction file secure storage system for block chain
US10917234B2 (en) Blockchain for on-chain management of off-chain storage
US11108753B2 (en) Securing files using per-file key encryption
CN108076057B (en) Data security system and method based on block chain
US11777712B2 (en) Information management in a database
CN106330452B (en) Safety network attachment device and method for block chain
Li et al. A hybrid cloud approach for secure authorized deduplication
WO2018032377A1 (en) Read-only security file storage system for block chain, and method thereof
US20200322128A1 (en) Zero-knowledge proof for blockchain endorsement
WO2018032374A1 (en) Encrypted storage system for block chain and method using same
Miller et al. Strong security for distributed file systems
US9160535B2 (en) Truly anonymous cloud key broker
JP2013524352A (en) System and method for securing data in motion
WO2018032375A1 (en) Survivable storage system and method for block chain
CN1773994A (en) Method for realizing data safety storing business
US10671748B2 (en) Secrets as a service
CN107612910A (en) A kind of distributed document data access method and system
US11893577B2 (en) Cryptographic key storage system and method
US11258601B1 (en) Systems and methods for distributed digital rights management with decentralized key management
WO2018032378A1 (en) Program-controlled encrypted file storage system for block chain, and method thereof
US20180137291A1 (en) Securing files at rest in remote storage systems
WO2023078055A1 (en) Method and system for securely sharing data between first area and second area
EP3754531B1 (en) Virtualization for privacy control
WO2017020720A1 (en) Method and device for data access
Tian et al. A trusted control model of cloud storage

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 16913139

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 16913139

Country of ref document: EP

Kind code of ref document: A1