WO2023272747A1 - Scientific research data security protection system based on cloud fusion and working method thereof - Google Patents

Publication number
WO2023272747A1
Authority
WO
WIPO (PCT)
Prior art keywords
storage medium
data
user
cloud server
authentication
Application number
PCT/CN2021/104395
Inventor
宁静仪
谢磊
叶保留
Original Assignee
南京大学
Application filed by 南京大学

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/20 Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data
    • G06F16/27 Replication, distribution or synchronisation of data between databases or within a distributed database system; Distributed database system architectures therefor
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00 Error detection; Error correction; Monitoring
    • G06F11/07 Responding to the occurrence of a fault, e.g. fault tolerance
    • G06F11/14 Error detection or correction of the data by redundancy in operation
    • G06F11/1402 Saving, restoring, recovering or retrying
    • G06F11/1446 Point-in-time backing up or restoration of persistent data
    • G06F11/1448 Management of the data involved in backup or backup restore
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31 User authentication
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/602 Providing cryptographic facilities or services
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database

Definitions

  • the invention belongs to the technical field of computer information security and cloud computing, and specifically relates to a scientific research data security protection system based on cloud integration and a working method thereof.
  • current encryption protection methods for storage media mainly include the following: 1) Encryption based on a plaintext password: a fixed unlock password is set, and the files in the storage medium cannot be read unless the correct password is entered. However, a large number of password cracking programs exist, and a fixed password can be brute-forced in parallel in linear time, making it difficult to protect the security of storage media data. 2) Hash-based encryption: a fixed encryption and decryption key is set and used to encode and decode the storage medium files. However, since the resources stored in the storage medium are often relatively large, hash key mapping takes a lot of time. At the same time, if the key is lost, the files in the storage medium become completely undecryptable, and there is a risk of information loss.
  • the purpose of the present invention is to provide a scientific research data security protection system based on cloud integration, so as to solve the problems in the prior art that data storage devices are vulnerable to malicious attacks or user data leakage.
  • the present invention adopts cloud collaboration technology to realize identity authentication for scientific research data storage devices and users, thereby realizing the effectiveness of data protection.
  • a scientific research data security protection system based on cloud integration including: a storage medium with a wireless communication chip, a cloud server, and a client; wherein,
  • the storage medium with a wireless communication chip stores the protected scientific research data, realizes data synchronization with the cloud server, and cooperates with the cloud server to realize user read and write control and self-destruct protection in the out-of-control state;
  • the cloud server realizes the information management of the storage medium and the user, provides encryption services to realize the legality authentication of the storage medium and the user, stores the protected scientific research data and keeps it consistent with the storage medium;
  • the client sends an identity authentication request to the storage medium. After the authentication is passed, the data on the storage medium is decrypted according to the key, and the read and write operations are completed.
  • the structure of the storage medium with a wireless communication chip includes: a wireless communication chip, a USB interface, and a memory, wherein the wireless communication chip supports multiple wireless communication methods, the USB interface is used to connect a client device, and the memory stores protected scientific research data, private keys for storage medium legality authentication, and hash functions for user identity authentication.
  • data synchronization between the storage medium with the wireless communication chip and the cloud server means that, at fixed intervals or whenever the stored data changes, the storage medium sends a data synchronization request to the cloud server and, according to the synchronization command of the cloud server, completes data synchronization so that the data in the storage medium is consistent with the cloud server.
  • when the storage medium has its own power supply, the data is synchronized with the cloud server at regular intervals; when the storage medium does not contain a power supply, the data is synchronized with the cloud server after each read and write operation by a legitimate user.
  • cooperation between the storage medium with a wireless communication chip and the cloud server to control the user's reading and writing means that, when the user connects the storage medium to the client device through the USB interface, the storage medium receives the user ID and password from the client, performs a hash operation, and sends the result to the cloud server for user legality authentication. If the cloud server passes the authentication, the key is returned to the client to complete the decryption and read and write operations of the storage medium data.
  • the self-destruction protection function of the storage medium with a wireless communication chip is triggered when the storage medium data and key are obtained by an illegal user; at this time, the storage medium self-destruction module starts and erases all data inside the storage medium.
  • the cloud server includes a data storage module, a storage medium authentication module and a user authentication module, wherein the data storage module stores scientific research data synchronized with the storage medium, storage medium ID and public key pair information, and user ID and password hash value signals; the storage medium authentication module responds when the storage medium requests data synchronization, and completes the authentication of the validity of the storage medium by calling the storage medium ID and public key pair information from the data storage module; the user authentication module responds when the storage medium requests the user's read and write permissions, and completes the authentication of user identity information by calling the user ID and password hash value information from the data storage module.
  • the data stored in the cloud server is always synchronized with the scientific research data in the storage medium, and before each synchronization operation, the cloud server can authenticate the legality of the storage medium to avoid malicious write attacks.
  • High security of data storage: the collaborative management and control of cloud server and storage media can effectively authenticate user identities, avoiding leakage of user privacy and malicious writing by illegal users.
  • Fig. 1 is the structure diagram of the scientific research data security protection system of cloud integration provided by the embodiment of the present invention
  • Fig. 2 is the work flowchart of the scientific research data safety protection system of cloud integration provided by the embodiment of the present invention
  • FIG. 3 is an architecture diagram of user identity authentication for cloud collaboration provided by an embodiment of the present invention.
  • FIG. 4 is a structural diagram of storage medium legality authentication provided by an embodiment of the present invention.
  • an embodiment of the present invention provides a scientific research data security protection system based on cloud integration, including: a storage medium with a wireless communication chip, a cloud server, and a client.
  • the storage medium with the wireless communication chip stores the protected scientific research data, realizes the data synchronization with the cloud server, the legality certification of the storage medium, and cooperates with the cloud to realize the user's read and write control and the self-destruct protection function in the out-of-control state.
  • the types of storage medium include but are not limited to USB flash drives, portable hard disks, SD cards and so on.
  • the structure of the storage medium with a wireless communication chip includes: a wireless communication chip, a USB interface and a memory, wherein the communication methods supported by the wireless communication chip include but are not limited to 3G/4G/5G, Bluetooth, Wi-Fi, etc.;
  • the memory stores protected scientific research data, private keys for storage medium legality authentication, and hash functions for user identity authentication. The storage medium can therefore communicate with both the cloud and the client to perform the corresponding security authentication functions.
  • data synchronization between the storage medium with the wireless communication chip and the cloud server means that the storage medium sends a data synchronization request to the cloud server at fixed intervals or whenever the stored data changes, to ensure that the data in the storage medium is consistent with the cloud server.
  • when the storage medium has its own power supply, the data is synchronized with the cloud server at regular intervals; when the storage medium does not contain a power supply, the data is synchronized with the cloud server after each read and write operation by a legitimate user.
  • the storage medium with a wireless communication chip cooperates with the cloud server to control the user's reading and writing.
  • the storage medium receives the user ID and password from the client, performs a hash operation, and sends the result to the cloud server for user legality authentication. If the cloud server passes the authentication of the user, it returns the key to the client to complete the decryption and read and write operations of the storage medium data.
  • the cloud server sends an instruction to the storage medium that the current user is an illegal user.
  • the self-destruction protection function of the storage medium with a wireless communication chip is triggered when the storage medium has received an instruction from the cloud server determining that the current user is an illegal user, but nevertheless receives from that user a legitimate key for decrypting the content of the storage medium. In this case the key may have been obtained by the illegal user through brute force cracking, etc., so the storage medium starts the self-destruct module to erase all data inside the storage medium and sends an abnormal state reminder to the cloud server.
  • the storage medium with the wireless communication chip includes a data synchronization module, a read-write control module, and a self-destruction protection module.
  • the data synchronization module is used to realize data synchronization between the storage medium and the cloud server. At fixed intervals (for example, when the data synchronization timer Timer1 expires) or when the stored data changes, the data synchronization module in the storage medium sends a data synchronization request to the cloud server and completes data synchronization with the cloud server according to the synchronization command returned by the cloud server, ensuring that the data in the storage medium is consistent with the cloud server.
  • the read-write control module is used to cooperate with the cloud server to realize user read-write control. Specifically, when the user connects the storage medium to the client device through the USB interface, the read-write control module of the storage medium receives the user ID and password from the client, performs a hash operation using the hash function stored in the memory, sends the result to the cloud server for user legality authentication, and completes the decryption and read and write operations of the protected data according to the key returned by the cloud server.
  • the self-destruction protection module is used to self-destruct when the storage medium is identified as being out of control to protect data from leakage.
  • the self-destruct function is activated and all data inside the storage medium is erased, and at the same time an abnormal status reminder is sent to the cloud server.
  • the cloud server is responsible for data management, storage media and user information management, and implements identity authentication and user read and write operation control for storage media and users.
  • the cloud server includes a data storage module, a storage medium authentication module and a user authentication module, wherein the data storage module stores scientific research data synchronized with the storage medium, storage medium ID and public key pair information, user ID and password hash value signals;
  • the storage medium authentication module responds when the storage medium requests data synchronization, and completes the legality authentication of the storage medium by calling the storage medium ID and public key from the data storage module;
  • the user authentication module responds when the storage medium requests the user's read and write permissions, and completes the authentication of the user identity information by calling the user ID and password hash value information from the data storage module.
  • the client sends an authentication request to the storage medium. After the authentication is passed, the data on the storage medium is decrypted according to the key to further complete the read and write operations.
  • a working method of a cloud fusion-based scientific research data security protection system includes the following steps:
  • 1) the user sends a read and write data request to the storage medium;
  • 2) after the storage medium receives the read and write request from the user, it sends the user's read and write request command to the cloud server, and implements cloud collaborative user identity authentication;
  • 3) after receiving the request, the cloud server authenticates the legitimacy of the user. If the authentication is passed, the key is returned to allow the user to decrypt the data on the storage medium and complete the read and write operations; if the authentication fails, the key is not returned;
  • 4) the storage medium sends a data synchronization request to the cloud server for data update to ensure that the protected scientific research data is always consistent with the cloud server;
  • 5) after receiving the data synchronization request, the cloud server authenticates the validity of the storage medium. If the storage medium is judged to be legal, the data synchronization is completed; if the storage medium is illegal, the data synchronization is rejected.
  • the cloud-collaborative user identity authentication method in step 2) is:
  • the user connects the USB interface of the storage medium to the client device, and sends a read and write operation command to the storage medium by inputting the user ID and the corresponding user password s at the client;
  • after receiving the user ID ID_u and password s from the client, the storage medium calculates the hash value H(s) of the password according to the hash function, and then sends the user ID ID_u and the hash value H(s) to the cloud server;
  • the user authentication module of the cloud server queries the user ID and the corresponding hash value <ID_u, h> from the data storage module.
  • when the cloud server determines that the current user is an illegal user and the key has been obtained by the illegal user through brute force cracking, etc., the storage medium self-destruct mode is started, which erases the stored scientific research data and sends an abnormal status reminder to the cloud server.
  • the storage medium sends a data synchronization request to the cloud server
  • the cloud server invokes the storage medium authentication module to authenticate the legality of the storage medium. It first generates a random number R and returns it to the storage medium;
  • the storage medium encrypts the random number R with the private key K_pri stored in its own memory and sends the result K_pri(R) back to the cloud server;
  • the storage medium authentication module of the cloud server queries the storage medium ID and public key pair <ID_d, K_pub> from the data storage module, and uses the public key K_pub of the storage medium to decrypt the data K_pri(R). If the result is the same as the random number R sent before, the storage medium currently communicating with it is considered legal, and a synchronization data command is sent to the storage medium to complete data synchronization; if the result decrypted with the public key differs from the previously generated random number R, the storage medium currently communicating with it is considered to have possibly been maliciously attacked or illegally tampered with, and the data synchronization request of the storage medium is rejected.
  • the present invention synchronizes with cloud data through cloud fusion technology: it not only backs up the data in the storage medium to the cloud, but also cooperates with the cloud to authenticate the legitimacy of the storage medium and of users, which fully guarantees the privacy and security of scientific research data and users.
  • the present invention minimizes the overhead of encryption and decryption, avoiding impact on user experience.
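
An added example, not part of the patent text: the storage medium legality check (random number R, K_pri(R), comparison under K_pub) and the user check (ID_u, H(s)) described above, run end to end with a replayed response and a stolen key as the failure cases. Assumptions: textbook RSA over a constructed toy key and SHA-256 for H (the patent names neither); the names CloudServer, StorageMedium, key_check and the sample IDs are hypothetical, and the single-use handling of R and the key check value are details the patent does not spell out.

```python
import hashlib
import hmac
import secrets

# Constructed toy RSA key for the storage medium. Assumption: the patent names no
# algorithm; textbook RSA is used because "encrypt R with K_pri, decrypt with
# K_pub" maps onto it directly. Fixed Mersenne primes keep the run offline and
# repeatable; this key size and unpadded RSA are NOT suitable for real use.
P, Q, E = 2**127 - 1, 2**89 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))  # K_pri exponent (needs Python 3.8+)


def H(value: bytes) -> str:
    """Hash function H; SHA-256 is an assumption, the patent does not name one."""
    return hashlib.sha256(value).hexdigest()


class CloudServer:
    def __init__(self):
        self.devices = {}    # ID_d -> K_pub as (n, e)
        self.users = {}      # ID_u -> h
        self.data_keys = {}  # ID_d -> key released to authenticated users
        self.pending = {}    # ID_d -> outstanding random number R
        self.alerts = []     # abnormal-status reminders from storage media

    def begin_sync(self, device_id):
        """Start legality authentication: issue a fresh R for a known ID_d."""
        if device_id not in self.devices:
            return None
        r = secrets.randbelow(N - 2) + 2
        self.pending[device_id] = r
        return r

    def finish_sync(self, device_id, response):
        """Decrypt K_pri(R) with K_pub and compare with the R that was sent."""
        r = self.pending.pop(device_id, None)  # each R is accepted once only
        if r is None:
            return False
        n, e = self.devices[device_id]
        return pow(response, e, n) == r

    def authenticate_user(self, device_id, user_id, h_s):
        """Compare H(s) with the stored <ID_u, h>; return the key or None."""
        h = self.users.get(user_id)
        if h is not None and hmac.compare_digest(h, h_s):
            return self.data_keys[device_id]
        return None


class StorageMedium:
    def __init__(self, device_id, k_pri, data_key):
        self.device_id, self.k_pri = device_id, k_pri
        self.key_check = H(data_key)  # hypothetical: lets the medium recognise the key
        self.data = b"constructed research data"
        self.user_flagged_illegal = False

    def answer_challenge(self, r):
        return pow(r, self.k_pri, N)  # K_pri(R)

    def request_access(self, cloud, user_id, password):
        """Hash the password locally and let the cloud decide."""
        key = cloud.authenticate_user(self.device_id, user_id, H(password.encode()))
        self.user_flagged_illegal = key is None  # cloud's "illegal user" instruction
        return key

    def unlock(self, cloud, key):
        """Self-destruct if a flagged user still presents the correct key."""
        key_ok = hmac.compare_digest(H(key), self.key_check)
        if key_ok and self.user_flagged_illegal:
            self.data = b""
            cloud.alerts.append((self.device_id, "abnormal state: data erased"))
            return "self-destructed"
        return "unlocked" if key_ok else "refused"


def build_demo():
    """Register one constructed device and one constructed user."""
    cloud, key = CloudServer(), b"constructed-data-key"
    cloud.devices["dev-1"] = (N, E)
    cloud.data_keys["dev-1"] = key
    cloud.users["alice"] = H(b"correct horse")
    return cloud, StorageMedium("dev-1", D, key), key


if __name__ == "__main__":
    cloud, medium, key = build_demo()
    r = cloud.begin_sync("dev-1")
    print("genuine medium accepted:", cloud.finish_sync("dev-1", medium.answer_challenge(r)))
    print("bad password returns key:", medium.request_access(cloud, "alice", "guess"))
    print("stolen key after failed login:", medium.unlock(cloud, key))
```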

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Physics & Mathematics (AREA)
  • Computer Security & Cryptography (AREA)
  • Databases & Information Systems (AREA)
  • Computer Hardware Design (AREA)
  • Software Systems (AREA)
  • Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Data Mining & Analysis (AREA)
  • Computing Systems (AREA)
  • Quality & Reliability (AREA)
  • Storage Device Security (AREA)

Abstract

Disclosed in the present invention are a scientific research data security protection system based on cloud fusion and a working method thereof. The system comprises a storage medium having a wireless communication chip, a cloud server, and a client, wherein the storage medium is used for storing protected scientific research data, implementing data synchronization with a cloud, and implementing management and control of user's read-write operation in cooperation with the cloud; the cloud server implements information management of the storage medium and a user, provides an encryption service to implement validity authentication of the storage medium and the user, stores scientific research data, and keeps the scientific research data consistent with the storage medium; and the client sends an identity authentication request to the storage medium when the user applies for read-write operation on the storage medium, and the data in the storage medium is decrypted according to a key after the authentication is passed, thereby completing the read-write operation. According to the present invention, the validity of the storage medium having the wireless communication chip and the validity of the user are authenticated by using cloud fusion technology, and the read-write operation of the user is controlled, such that the security of the scientific research data and user privacy is ensured.

Description

A scientific research data security protection system based on cloud integration and its working method
Technical field
The invention belongs to the technical field of computer information security and cloud computing, and specifically relates to a scientific research data security protection system based on cloud integration and a working method thereof.
Background
In today's information age, the convenience and security of information storage has become the top priority. Most of the storage media currently on the market are small in size and large in capacity, so recording and encrypting scientific research data on storage media is convenient and scalable. However, because storage media are small, their loss often goes unnoticed and the data cannot be retrieved; on the other hand, a large number of virus programs threaten the security of storage medium files, which may lead to malicious tampering of scientific research data, leakage of data and user privacy, and other problems.
Current encryption protection methods for storage media mainly include the following: 1) Encryption based on a plaintext password: a fixed unlock password is set, and the files in the storage medium cannot be read unless the correct password is entered. However, a large number of password cracking programs exist, and a fixed password can be brute-forced in parallel in linear time, making it difficult to protect the security of storage media data. 2) Hash-based encryption: a fixed encryption and decryption key is set and used to encode and decode the storage medium files. However, since the resources stored in the storage medium are often relatively large, hash key mapping takes a lot of time. At the same time, if the key is lost, the files in the storage medium become completely undecryptable, and there is a risk of information loss.
Therefore, a new storage method is needed to realize the effective protection of scientific research data.
Summary of the invention
In view of the deficiencies of the above-mentioned prior art, the purpose of the present invention is to provide a scientific research data security protection system based on cloud integration, so as to solve the problems in the prior art that data storage devices are vulnerable to malicious attacks or user data leakage. The present invention adopts cloud collaboration technology to realize identity authentication for both scientific research data storage devices and users, thereby realizing the effectiveness of data protection.
In order to achieve the above object, the present invention adopts the following technical scheme:
A scientific research data security protection system based on cloud integration, including: a storage medium with a wireless communication chip, a cloud server, and a client; wherein,
The storage medium with a wireless communication chip stores the protected scientific research data, realizes data synchronization with the cloud server, and cooperates with the cloud server to realize user read and write control and self-destruct protection in the out-of-control state;
The cloud server realizes the information management of the storage medium and the user, provides encryption services to realize the legality authentication of the storage medium and the user, stores the protected scientific research data and keeps it consistent with the storage medium;
When the user applies for reading and writing operations on the storage medium, the client sends an identity authentication request to the storage medium. After the authentication is passed, the data on the storage medium is decrypted according to the key, and the read and write operations are completed.
Further, the structure of the storage medium with a wireless communication chip includes: a wireless communication chip, a USB interface, and a memory, wherein the wireless communication chip supports multiple wireless communication methods, the USB interface is used to connect a client device, and the memory stores protected scientific research data, private keys for storage medium legality authentication, and hash functions for user identity authentication.
Further, data synchronization between the storage medium with the wireless communication chip and the cloud server means that, at fixed intervals or whenever the stored data changes, the storage medium sends a data synchronization request to the cloud server and, according to the synchronization command of the cloud server, completes data synchronization so that the data in the storage medium is consistent with the cloud server.
Further, when the storage medium has its own power supply, the data is synchronized with the cloud server at regular intervals; when the storage medium does not contain a power supply, the data is synchronized with the cloud server after each read and write operation by a legitimate user.
Further, cooperation between the storage medium with a wireless communication chip and the cloud server to control the user's reading and writing means that, when the user connects the storage medium to the client device through the USB interface, the storage medium receives the user ID and password from the client, performs a hash operation, and sends the result to the cloud server for user legality authentication. If the cloud server passes the authentication, the key is returned to the client to complete the decryption and read and write operations of the storage medium data.
Further, the self-destruction protection function of the storage medium with a wireless communication chip is triggered when the storage medium data and key are obtained by an illegal user; at this time, the storage medium self-destruction module starts and erases all data inside the storage medium.
Further, the cloud server includes a data storage module, a storage medium authentication module and a user authentication module, wherein the data storage module stores scientific research data synchronized with the storage medium, storage medium ID and public key pair information, and user ID and password hash value signals; the storage medium authentication module responds when the storage medium requests data synchronization, and completes the authentication of the validity of the storage medium by calling the storage medium ID and public key pair information from the data storage module; the user authentication module responds when the storage medium requests the user's read and write permissions, and completes the authentication of user identity information by calling the user ID and password hash value information from the data storage module.
The protection method of the above cloud-fusion scientific research data security protection system includes the following steps:
1) The user sends a data read/write request to the storage medium;
2) After receiving the read/write request from the user, the storage medium sends a user read/write request command to the cloud server, and cloud-collaborative user identity authentication is carried out;
3) After receiving the request, the cloud server authenticates the legitimacy of the user. If authentication passes, the key is returned so that the user can decrypt the storage medium data and complete the read/write operations; if authentication fails, the key is not returned;
4) At fixed intervals, or whenever the storage medium data changes, the storage medium sends a data synchronization request to the cloud server to update the data, ensuring that the protected scientific research data is always consistent with the cloud server;
5) After receiving the data synchronization request, the cloud server authenticates the legitimacy of the storage medium. If the storage medium is judged legitimate, data synchronization is completed; if it is not legitimate, data synchronization is rejected.
The present invention has the following beneficial effects:
1. High reliability of data storage: the data stored on the cloud server is always kept synchronized with the scientific research data in the storage medium, and before each synchronization operation the cloud server authenticates the legitimacy of the storage medium, thereby avoiding malicious write attacks.
2. High security of data storage: collaborative control by the cloud server and the storage medium authenticates user identity effectively, avoiding leakage of user privacy and malicious writes by illegitimate users.
3. Monitoring of unexpected events: when a data leak has become possible, the self-destruction mode is started to erase the scientific research data in the storage medium and prevent the leak, while the cloud server still retains a backup of the data, which both ensures security and meets the data storage requirement.
Description of the Drawings
Figure 1 is an architecture diagram of the cloud-fusion scientific research data security protection system provided by an embodiment of the present invention;
Figure 2 is a workflow diagram of the cloud-fusion scientific research data security protection system provided by an embodiment of the present invention;
Figure 3 is an architecture diagram of the cloud-collaborative user identity authentication provided by an embodiment of the present invention;
Figure 4 is an architecture diagram of the storage medium legitimacy authentication provided by an embodiment of the present invention.
Detailed Description
To facilitate understanding by those skilled in the art, the present invention is further described below with reference to the embodiments and the accompanying drawings. The content mentioned in the embodiments does not limit the present invention.
Referring to Figure 1, an embodiment of the present invention provides a scientific research data security protection system based on cloud fusion, comprising: a storage medium with a wireless communication chip, a cloud server, and a client.
The storage medium with a wireless communication chip stores the protected scientific research data and implements data synchronization with the cloud server, storage medium legitimacy authentication, user read/write control in cooperation with the cloud, and self-destruction protection in an out-of-control state. Types of storage medium include, but are not limited to, USB flash drives, portable hard disks, and SD cards.
The storage medium with a wireless communication chip comprises a wireless communication chip, a USB interface, and a memory. The communication methods supported by the wireless communication chip include, but are not limited to, 3G/4G/5G, Bluetooth, and Wi-Fi; the USB interface is used to connect to the client; and the memory stores the protected scientific research data, the private key used for storage medium legitimacy authentication, and the hash function used for user identity authentication. The storage medium can therefore communicate with both the cloud and the client to implement the corresponding security authentication functions.
Data synchronization between the storage medium with a wireless communication chip and the cloud server means that, at fixed intervals or whenever the stored data changes, the storage medium sends a data synchronization request to the cloud server to ensure that the data in the storage medium stays consistent with the cloud server. When the storage medium has its own internal power supply, the data is synchronized with the cloud server once per interval; when the storage medium has no internal power supply, the data is synchronized with the cloud server each time a legitimate user finishes a read/write operation.
The cooperation between the storage medium with a wireless communication chip and the cloud server to control user reads and writes means that, when the user connects the storage medium to a client device through the USB interface, the storage medium receives the user ID and password from the client, performs a hash operation, and sends the result to the cloud server for user legitimacy authentication. If the cloud server's authentication of the user passes, the key is returned to the client to complete decryption of, and read/write operations on, the storage medium data. Optionally, if the user's legitimacy authentication fails, the cloud server sends the storage medium an instruction indicating that the current user is an illegitimate user.
The self-destruction protection function of the storage medium with a wireless communication chip is triggered when the storage medium has received an instruction from the cloud server determining that the current user is an illegitimate user, yet receives from that illegitimate user the valid key for decrypting the storage medium content. In this case the key may have been obtained by the illegitimate user through brute-force cracking or similar means, so the storage medium starts the self-destruction module, erases all data inside the storage medium, and sends an abnormal-status alert to the cloud server.
In one embodiment, the storage medium with a wireless communication chip includes a data synchronization module, a read/write control module, and a self-destruction protection module. The data synchronization module implements data synchronization between the storage medium and the cloud server: at fixed intervals (for example, when the data synchronization timer Timer1 expires) or whenever the stored data changes, the data synchronization module in the storage medium sends a data synchronization request to the cloud server and, according to the synchronization instruction returned by the cloud server, completes synchronization with the cloud server's data, ensuring that the data in the storage medium stays consistent with the cloud server. The read/write control module cooperates with the cloud server to implement user read/write control: when the user connects the storage medium to a client device through the USB interface, the read/write control module of the storage medium receives the user ID and password from the client, performs a hash operation using the hash function stored in the memory, sends the result to the cloud server for user legitimacy authentication, and completes decryption of, and read/write operations on, the protected data according to the key returned by the cloud server. The self-destruction protection module self-destructs when it identifies that the storage medium is in an out-of-control state, so that the data is not leaked. Specifically, when the data and key in the storage medium have been obtained by an illegitimate user, that is, when the storage medium has received an instruction from the cloud server determining that the current user is an illegitimate user, yet receives from that illegitimate user the valid key for decrypting the storage medium content, the module starts the self-destruction function, erases all data inside the storage medium, and sends an abnormal-status alert to the cloud server.
The cloud server is responsible for data management and for managing storage medium and user information, and it performs identity authentication of storage media and users as well as control of user read/write operations. The cloud server includes a data storage module, a storage medium authentication module, and a user authentication module. The data storage module stores the scientific research data synchronized with the storage medium, the storage medium ID and public key pair information, and the user ID and password hash value information. The storage medium authentication module responds when the storage medium requests data synchronization, and authenticates the legitimacy of the storage medium by retrieving the storage medium ID and public key pair information from the data storage module. The user authentication module responds when the storage medium requests user read/write permission, and authenticates the user's identity by retrieving the user ID and password hash value information from the data storage module.
When the user applies to read from or write to the storage medium, the client sends an authentication request to the storage medium; after authentication passes, the client decrypts the storage medium data with the key and then completes the read/write operations.
Referring to Figure 2, a working method of the cloud-fusion scientific research data security protection system provided by an embodiment of the present invention includes the following steps:
1) The user sends a data read/write request to the storage medium;
2) After receiving the read/write request from the user, the storage medium sends a user read/write request command to the cloud server, and cloud-collaborative user identity authentication is carried out;
3) After receiving the request, the cloud server authenticates the legitimacy of the user. If authentication passes, the key is returned so that the user can decrypt the storage medium data and complete the read/write operations; if authentication fails, the key is not returned;
4) At fixed intervals (for example, when the data synchronization timer Timer1 expires), or whenever the storage medium data changes, the storage medium sends a data synchronization request to the cloud server to update the data, ensuring that the protected scientific research data is always consistent with the cloud server;
5) After receiving the data synchronization request, the cloud server authenticates the legitimacy of the storage medium. If the storage medium is judged legitimate, data synchronization is completed; if it is not legitimate, data synchronization is rejected.
Referring to Figure 3, the cloud-collaborative user identity authentication method in step 2) is:
21) The user connects the USB interface of the storage medium to the client device and issues a read/write operation command to the storage medium by entering the user ID and the corresponding user password s on the client;
22) After receiving the user ID ID_u and the password s from the client, the storage medium computes the hash value H(s) of the password using the hash function, and then sends the user ID ID_u and the hash value H(s) to the cloud server;
23) The user authentication module of the cloud server queries the data storage module for the user ID and corresponding hash value pair <ID_u, h>;
24) If the hash value H(s) sent by the storage medium matches the hash value h stored in the data storage module of the cloud server, the current user is considered a legitimate user: the user authentication module calls the data storage module to look up the key corresponding to the content of the current storage medium and returns it to the storage medium, and the storage medium sends the key to the client so that the user can complete read/write operations on the data in the storage medium. If the hash value H(s) sent by the storage medium does not match the hash value h stored in the data storage module of the cloud server, the current user is considered an illegitimate user: the user authentication module of the cloud server sends the storage medium a command refusing the read/write operation, so the user cannot validly decrypt the data in the storage medium. When the cloud server has determined that the current user is an illegitimate user and the key has nevertheless been obtained by that user through brute-force cracking or similar means, the self-destruction mode of the storage medium is started: the stored scientific research data is erased and an abnormal-status alert is sent to the cloud server.
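Steps 21) to 24) and the self-destruction condition can be modelled as follows. This is an added illustration, not part of the patent text: SHA-256 as the hash function H, the key check value that lets the medium recognise the valid key, and all class, method and sample names are assumptions made for the example.

```python
import hashlib
import hmac
import secrets


def H(password: str) -> bytes:
    """Hash function stored on the medium (SHA-256 is an assumption)."""
    return hashlib.sha256(password.encode("utf-8")).digest()


def key_check_value(key: bytes) -> bytes:
    """Assumed mechanism that lets the medium recognise the valid key."""
    return hashlib.sha256(b"key-check" + key).digest()


class CloudServer:
    """User authentication module plus data storage module."""

    def __init__(self):
        self.user_hashes = {}   # ID_u -> h
        self.content_keys = {}  # storage medium ID -> key
        self.alerts = []        # abnormal-status alerts received from media

    def enroll_user(self, user_id, password):
        self.user_hashes[user_id] = H(password)

    def enroll_medium(self, medium_id):
        self.content_keys[medium_id] = secrets.token_bytes(32)
        return self.content_keys[medium_id]

    def authenticate_user(self, medium_id, user_id, hashed):
        # Steps 23)-24): look up <ID_u, h> and compare it with H(s).
        # H(s) is the credential on the wire, so the comparison is
        # constant-time and unknown users are treated like a mismatch.
        h = self.user_hashes.get(user_id)
        if h is not None and hmac.compare_digest(h, hashed):
            return self.content_keys[medium_id]
        return None  # "refuse read/write" instruction

    def report_anomaly(self, medium_id, user_id):
        self.alerts.append((medium_id, user_id))


class StorageMedium:
    """Read/write control module and self-destruction module."""

    def __init__(self, medium_id, cloud, key, blocks):
        self.medium_id = medium_id
        self.cloud = cloud
        self.kcv = key_check_value(key)  # the key itself is not kept here
        self.blocks = list(blocks)
        self.rejected_user = None
        self.wiped = False

    def request_access(self, user_id, password):
        # Step 22): hash the password and forward <ID_u, H(s)> to the cloud.
        key = self.cloud.authenticate_user(self.medium_id, user_id, H(password))
        self.rejected_user = None if key is not None else user_id
        return key

    def present_key(self, key):
        if self.wiped:
            return "wiped"
        valid = hmac.compare_digest(self.kcv, key_check_value(key))
        # Self-destruction condition: the cloud rejected the current user,
        # yet that user supplies the valid key.
        if valid and self.rejected_user is not None:
            self.self_destruct()
            return "wiped"
        return "unlocked" if valid else "denied"

    def self_destruct(self):
        self.blocks = []
        self.wiped = True
        self.cloud.report_anomaly(self.medium_id, self.rejected_user)


def run_scenario():
    """Constructed sample users and data; returns (results, blocks, alerts)."""
    cloud = CloudServer()
    cloud.enroll_user("alice", "correct horse battery")
    key = cloud.enroll_medium("disk-01")
    medium = StorageMedium("disk-01", cloud, key, [b"dataset-A", b"dataset-B"])
    results = []
    granted = medium.request_access("alice", "correct horse battery")
    results.append(medium.present_key(granted))
    results.append(medium.request_access("mallory", "guess") is None)
    results.append(medium.present_key(secrets.token_bytes(32)))
    results.append(medium.present_key(key))  # rejected user holds the key
    return results, medium.blocks, cloud.alerts


if __name__ == "__main__":
    print(run_scenario())
```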
Referring to Figure 4, the method for authenticating the legitimacy of the storage medium in step 5) is:
51) The storage medium sends a data synchronization request to the cloud server;
52) The cloud server calls the storage medium authentication module to authenticate the legitimacy of the storage medium. It first generates a random number R and returns it to the storage medium;
53) The storage medium encrypts the random number R with the private key K_pri stored in its own memory and sends the result K_pri(R) back to the cloud server;
54) The storage medium authentication module of the cloud server queries the data storage module for the storage medium ID and public key pair <ID_d, K_pub>, and decrypts the data K_pri(R) with the public key K_pub of that storage medium. If the result is the same as the random number R sent earlier, the storage medium currently communicating with the server is considered legitimate, and a data synchronization instruction is sent to the storage medium to complete data synchronization. If the result of decryption with the public key differs from the previously generated random number R, the storage medium currently communicating with the server is considered possibly to have suffered a malicious attack or illegal tampering, and the data synchronization request of the storage medium is rejected.
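The challenge-response exchange of steps 51) to 54) is shown below as an added example that is not part of the patent text. Textbook RSA over small constructed primes mirrors the "encrypt R with K_pri, decrypt with K_pub" wording only; a deployment would use a standard signature scheme such as RSA-PSS or Ed25519 with full-size keys. Class names, the medium ID and the single-use handling of R are assumptions.

```python
import secrets
from math import gcd


def make_keypair(p, q, e=65537):
    """Textbook RSA key pair from two primes: returns (K_pub, K_pri)."""
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    n = p * q
    return (n, e), (n, pow(e, -1, phi))


class Medium:
    """Storage medium holding K_pri in its own memory."""

    def __init__(self, medium_id, private_key):
        self.medium_id = medium_id
        self._n, self._d = private_key

    def respond(self, R):
        # Step 53): K_pri(R)
        return pow(R, self._d, self._n)


class CloudAuth:
    """Storage medium authentication module of the cloud server."""

    def __init__(self):
        self.public_keys = {}  # ID_d -> K_pub
        self.pending = {}      # ID_d -> outstanding random number R

    def register(self, medium_id, public_key):
        self.public_keys[medium_id] = public_key

    def challenge(self, medium_id):
        # Step 52): fresh R per synchronization request. 0 and 1 are
        # excluded because anyone can answer them without the key.
        if medium_id not in self.public_keys:
            raise KeyError("unknown storage medium")
        R = 2 + secrets.randbelow(2 ** 128)
        self.pending[medium_id] = R
        return R

    def verify(self, medium_id, response):
        # Step 54): apply K_pub and compare with R. R is consumed here,
        # so a recorded response cannot be replayed later.
        R = self.pending.pop(medium_id, None)
        pub = self.public_keys.get(medium_id)
        if R is None or pub is None:
            return False
        n, e = pub
        return pow(response, e, n) == R


def run_exchange():
    """Genuine medium, replayed response, and a clone with the wrong key."""
    # Constructed toy primes (Mersenne primes), far too small for real use.
    pub, pri = make_keypair(2 ** 127 - 1, 2 ** 89 - 1)
    _, other_pri = make_keypair(2 ** 107 - 1, 2 ** 61 - 1)
    cloud = CloudAuth()
    cloud.register("disk-01", pub)
    genuine = Medium("disk-01", pri)
    clone = Medium("disk-01", other_pri)

    old = genuine.respond(cloud.challenge("disk-01"))
    accepted = cloud.verify("disk-01", old)

    cloud.challenge("disk-01")  # new sync request, new R
    replay_accepted = cloud.verify("disk-01", old)

    clone_accepted = cloud.verify(
        "disk-01", clone.respond(cloud.challenge("disk-01")))
    return accepted, replay_accepted, clone_accepted


if __name__ == "__main__":
    print(run_exchange())
```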
Through cloud-fusion technology and data synchronization with the cloud, the present invention can not only back up and preserve the data in the storage medium in the cloud, but can also cooperate with the cloud to authenticate the legitimacy of the storage medium and of the user, fully ensuring the security of the scientific research data and of user privacy. In addition, the present invention reduces the overhead of encryption and decryption to a minimum, avoiding any impact on the user experience.
The present invention has many specific applications, and the above is only a preferred embodiment of the present invention. It should be noted that those of ordinary skill in the art can make several improvements without departing from the principle of the present invention, and these improvements shall also be regarded as falling within the protection scope of the present invention.

Claims (10)

  1. A scientific research data security protection system based on cloud fusion, characterized by comprising: a storage medium with a wireless communication chip, a cloud server, and a client; wherein,
    the storage medium with a wireless communication chip stores the protected scientific research data and implements data synchronization with the cloud server, user read/write control in cooperation with the cloud server, and self-destruction protection in an out-of-control state;
    the cloud server manages storage medium and user information, provides encryption services to authenticate the legitimacy of the storage medium and the user, and stores the protected scientific research data and keeps it consistent with the storage medium;
    the client, when the user applies to read from or write to the storage medium, sends an identity authentication request to the storage medium, and after authentication passes, decrypts the storage medium data with the key and completes the read/write operations.
  2. The scientific research data security protection system based on cloud fusion according to claim 1, characterized in that the storage medium with a wireless communication chip comprises a wireless communication chip, a USB interface, and a memory, wherein the wireless communication chip supports multiple wireless communication methods for connecting to the cloud server, the USB interface is used to connect to the client device, and the memory stores the protected scientific research data, the private key used for storage medium legitimacy authentication, and the hash function used for user identity authentication.
  3. The scientific research data security protection system based on cloud fusion according to claim 1, characterized in that data synchronization between the storage medium with a wireless communication chip and the cloud server means: at fixed intervals or whenever the stored data changes, the storage medium sends a data synchronization request to the cloud server and, according to the synchronization instruction of the cloud server, completes synchronization with the cloud server's data, ensuring that the data in the storage medium stays consistent with the cloud server.
  4. The scientific research data security protection system based on cloud fusion according to claim 3, characterized in that, when the storage medium has its own internal power supply, the data is synchronized with the cloud server once per interval; when the storage medium has no internal power supply, the data is synchronized with the cloud server each time a legitimate user finishes a read/write operation.
  5. The scientific research data security protection system based on cloud fusion according to claim 1, characterized in that the cooperation between the storage medium with a wireless communication chip and the cloud server to control user reads and writes means: when the user connects the storage medium to a client device through the USB interface, the storage medium receives the user ID and password from the client, performs a hash operation, sends the result to the cloud server for user legitimacy authentication, and completes decryption of, and read/write operations on, the storage medium data according to the key returned by the cloud server.
  6. The scientific research data security protection system based on cloud fusion according to claim 1, characterized in that the self-destruction protection function of the storage medium with a wireless communication chip is triggered when the storage medium data and the key are obtained by an illegitimate user, at which point the self-destruction module of the storage medium starts and erases all data inside the storage medium.
  7. The scientific research data security protection system based on cloud fusion according to claim 1, characterized in that the cloud server includes a data storage module, a storage medium authentication module, and a user authentication module, wherein the data storage module stores the scientific research data synchronized with the storage medium, the storage medium ID and public key pair information, and the user ID and password hash value information; the storage medium authentication module responds when the storage medium requests data synchronization, and authenticates the legitimacy of the storage medium by retrieving the storage medium ID and public key pair information from the data storage module; the user authentication module responds when the storage medium requests user read/write permission, and authenticates the user's identity by retrieving the user ID and password hash value information from the data storage module.
  8. A working method based on the cloud-fusion scientific research data security protection system according to any one of claims 1-7, characterized by comprising the following steps:
    1) The user sends a data read/write request to the storage medium;
    2) After receiving the read/write request from the user, the storage medium sends a user read/write request command to the cloud server, and cloud-collaborative user identity authentication is carried out;
    3) After receiving the request, the cloud server authenticates the legitimacy of the user. If authentication passes, the key is returned so that the user can decrypt the storage medium data and complete the read/write operations; if authentication fails, the key is not returned;
    4) At fixed intervals, or whenever the storage medium data changes, the storage medium sends a data synchronization request to the cloud server to update the data, ensuring that the protected scientific research data is always consistent with the cloud server;
    5) After receiving the data synchronization request, the cloud server authenticates the legitimacy of the storage medium. If the storage medium is judged legitimate, data synchronization is completed; if it is not legitimate, data synchronization is rejected.
  9. The working method according to claim 8, characterized in that the cloud-collaborative user identity authentication in step 2) includes:
    21) The user connects the USB interface of the storage medium to the client device and issues a read/write operation command to the storage medium by entering the user ID and the corresponding user password s on the client;
    22) After receiving the user ID ID_u and the password s from the client, the storage medium computes the hash value H(s) of the password using the hash function, and then sends the user ID ID_u and the hash value H(s) to the cloud server;
    23) The user authentication module of the cloud server queries the data storage module for the user ID and corresponding hash value pair <ID_u, h>;
    24) If the hash value H(s) sent by the storage medium does not match the hash value h stored in the data storage module of the cloud server, the user authentication module of the cloud server sends the storage medium a command refusing the read/write operation; if the hash value H(s) sent by the storage medium matches the hash value h stored in the data storage module of the cloud server, the user authentication module of the cloud server calls the data storage module to look up the key corresponding to the content of the current storage medium and returns it to the storage medium, and the storage medium sends the key to the client so that the user can complete read/write operations on the data in the storage medium.
  10. The working method according to claim 8, characterized in that the method for authenticating the legitimacy of the storage medium in step 5) is:
    51) The storage medium sends a data synchronization request to the cloud server;
    52) The cloud server calls the storage medium authentication module to authenticate the legitimacy of the storage medium, generating a random number R and returning it to the storage medium;
    53) The storage medium encrypts the random number R with the private key K_pri stored in its own memory and sends the result K_pri(R) back to the cloud server;
    54) The storage medium authentication module of the cloud server queries the data storage module for the storage medium ID and public key pair <ID_d, K_pub>, and decrypts the data K_pri(R) with the public key K_pub of that storage medium; if the result is the same as the random number R sent earlier, a data synchronization instruction is sent to the storage medium to complete data synchronization; if the result of decryption with the public key differs from the previously generated random number R, the data synchronization request of the storage medium is rejected.
PCT/CN2021/104395 2021-06-29 2021-07-03 Scientific research data security protection system based on cloud fusion and working method thereof WO2023272747A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202110724196.9A CN113342896B (en) 2021-06-29 2021-06-29 Scientific research data safety protection system based on cloud fusion and working method thereof
CN202110724196.9 2021-06-29

Publications (1)

Publication Number Publication Date
WO2023272747A1 true WO2023272747A1 (en) 2023-01-05

Family

ID=77481354

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2021/104395 WO2023272747A1 (en) 2021-06-29 2021-07-03 Scientific research data security protection system based on cloud fusion and working method thereof

Country Status (2)

Country Link
CN (1) CN113342896B (en)
WO (1) WO2023272747A1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117807560A (en) * 2024-03-01 2024-04-02 青岛中软同衡工业科技有限公司 Safe fusion method, system and storage medium of privacy data

Citations (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102497424A (en) * 2011-12-12 2012-06-13 创新科存储技术(深圳)有限公司 Method for achieving cloud storage through mobile storage device
US20120179904A1 (en) * 2011-01-11 2012-07-12 Safenet, Inc. Remote Pre-Boot Authentication
US8407759B1 (en) * 2012-02-24 2013-03-26 Monolith Innovations, LLC Device, method, and system for secure mobile data storage
CN103916404A (en) * 2014-04-23 2014-07-09 北京淦蓝润和信息技术有限公司 Data management method and system
CN104243514A (en) * 2013-06-11 2014-12-24 鸿富锦精密工业(武汉)有限公司 Mobile storage device and data synchronizing method
CN108376224A (en) * 2018-02-24 2018-08-07 深圳市大迈科技有限公司 A kind of movable storage device and its encryption method and device
CN108959892A (en) * 2018-07-25 2018-12-07 广州倚天网络科技有限公司 A kind of data memory device and its storage method
CN112115523A (en) * 2020-09-30 2020-12-22 海南大学 Data self-destruction encryption storage device
CN112601219A (en) * 2021-03-03 2021-04-02 四川微巨芯科技有限公司 Data encryption and decryption method and system, server, storage device and mobile device

Family Cites Families (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP2175405A1 (en) * 2008-10-10 2010-04-14 Essilor International (Compagnie Générale D'Optique) A processing device for processing an order request of an ophtalmic lens
CN103684798B (en) * 2013-12-31 2017-03-22 南京理工大学连云港研究院 Authentication method used in distributed user service
CN104281813B (en) * 2014-10-24 2017-04-26 深圳市车宝汇科技有限公司 Wireless remote control memory system and control method thereof
CN106686119B (en) * 2017-01-21 2017-12-26 江苏开放大学 The unmanned automobile of high in the clouds Encrypted USB flash drive device based on cloud computing information is installed
CN107886148A (en) * 2017-09-20 2018-04-06 罗杰 The management system and method for a kind of USB flash disk
CN110633172A (en) * 2019-09-24 2019-12-31 爱国者安全科技(北京)有限公司 USB flash disk and data synchronization method thereof

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117807560A (en) * 2024-03-01 2024-04-02 青岛中软同衡工业科技有限公司 Safe fusion method, system and storage medium of privacy data
CN117807560B (en) * 2024-03-01 2024-04-30 青岛中软同衡工业科技有限公司 Safe fusion method, system and storage medium of privacy data

Also Published As

Publication number Publication date
CN113342896A (en) 2021-09-03
CN113342896B (en) 2024-03-01

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 21947691

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE