CN103347085A - Public auditing designing method of multiple writing models of cloud data security - Google Patents


Publication number
CN103347085A
Authority
CN
China
Prior art keywords
data
audit
cloud server
cloud
owner
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN2013102921459A
Other languages
Chinese (zh)
Other versions
CN103347085B (en)
Inventor
万长胜
周琳
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Southeast University
Original Assignee
Southeast University
Application filed by Southeast University filed Critical Southeast University
Priority to CN201310292145.9A priority Critical patent/CN103347085B/en
Publication of CN103347085A publication Critical patent/CN103347085A/en
Application granted granted Critical
Publication of CN103347085B publication Critical patent/CN103347085B/en
Expired - Fee Related legal-status Critical Current
Landscapes

  • Storage Device Security (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

The invention discloses a public auditing design method for the multi-writer model of cloud data security, belonging to the technical field of cloud computing security. The method comprises the following phases: (1) key distribution phase, in which key material is distributed from a key server to a cloud server, a third-party auditor and multiple data owners; (2) data write phase, in which the multiple data owners communicate with the cloud server CS about data storage and signatures; (3) multi-writer model audit phase, in which the third-party auditor audits the shared set of data blocks on the cloud server. The method reduces the communication cost of the audit protocol and the computation cost of the auditor. At the same time, it supports multi-writer data source authorization and authentication, which existing schemes do not support, and meets the new security and efficiency requirements of multi-writer public auditing.

Description

Public auditing design method for the multi-writer model of cloud data security
Technical field
The present invention relates to a public auditing design method for the multi-writer model of cloud data security, and belongs to the technical field of cloud computing security.
Background
Cloud computing is becoming increasingly popular, and in cloud computing data is outsourced to the cloud. The advantages are clear: it relieves data owners of the burden of storage management, provides universal data access independent of geographic location, and avoids capital expenditure on hardware, software and personnel maintenance. However, outsourcing data raises new security problems. The first problem is the integrity of the data. The second problem is an untrustworthy cloud service provider CSP.
To solve these two problems, proof is needed that the cloud service provider CSP is storing the data for the data owners and users, and that the data cannot be modified by any entity other than the data owner, because the data is stored on the cloud server CS rather than with the data owner. Because of their very high communication cost, traditional cryptographic primitives intended to protect data integrity cannot be applied directly. In addition, in a cloud computing environment, data corruption should be detected before the data is accessed. Compared with traditional cryptographic primitives, auditing is a better choice for achieving storage correctness in cloud computing, and it is widely adopted. Sampling in an audit reduces the data transfer cost. An audit report allows the risk of data corruption to be assessed before the data is accessed.
An auditing scheme based on symmetric keys was therefore proposed. But this scheme has the following serious problems: (1) If each data owner DO audits her own data on the cloud server CS, the communication burden on the cloud server CS will be very heavy. When multiple data owners DOs audit at the same time, a denial-of-service attack results. (2) Some data owners may be unable to support auditing for monetary reasons. (3) The public credibility of an audit by a data owner DO is weak. When a data conflict occurs, it is difficult to obtain objective and legally valid evidence in time.
Therefore, an external third-party auditor TPA is needed. Because the cloud server CS is audited only by a small number of third-party auditors rather than by many data owners, and the data owner DO does not take part in the audit phase, the audit burden on both the cloud server CS and the data owner DO is greatly reduced, and denial-of-service attacks on the cloud server CS are also reduced. Because the third-party auditor TPA is independent of the cloud server CS and the data owner DO, its public credibility is stronger. An audit report based on the audit results issued by the third-party auditor TPA not only helps data owners assess the risk of the cloud data services they have each signed up for, but also helps the cloud service provider CSP improve its cloud-based service platform.
Public auditing schemes based on bilinear pairings were produced as a result. But such a scheme is not suitable for the multi-writer model because of the following security and efficiency problems: (1) The communication cost of batch auditing is high. (2) The computation cost on the third-party auditor TPA and the multiple data owners DOs is high. (3) The authorization problem: when many data owners write data blocks at the same time, a denial-of-service attack (DDoS) may occur on the authorization server.
Summary of the invention
To solve the above security and efficiency problems, the present invention proposes a public auditing design method for the multi-writer model of cloud data security. The method provides efficient key distribution, signature and audit algorithms and protocols that meet the above security requirements. Because data blocks are fully aggregated in the audit protocol, the communication cost and the computation cost on the third-party auditor TPA are reduced, and effective authorization and data source authentication methods are provided for auditing in the multi-writer model. The final goal is to build a reliable and efficient public auditing design system for the multi-writer model of cloud data.
To solve its technical problem, the present invention adopts the following technical scheme:
A public auditing design method for the multi-writer model of cloud data security, comprising the following phases:
(1) Key distribution phase: key material is distributed from the key server to the cloud server CS, the third-party auditor TPA and the multiple data owners DOs, ensuring that only a data owner DO holding a key can write to the shared set of data blocks;
(2) Data write phase: the multiple data owners DOs need to communicate with the cloud server CS about storing data and signatures, and the cloud server CS must ensure that only authorized data owners DOs can store to the shared set of data blocks;
(3) Multi-writer model audit phase: the third-party auditor TPA audits the shared set of data blocks on the cloud server CS; this phase applies the key material generated in the key distribution phase to the data and signatures produced in the data write phase.
The beneficial effects of the present invention are as follows:
The present invention guarantees that the party auditing the cloud server CS is the third-party auditor TPA, and that the data transmitted in the audit protocol is aggregated; the third-party auditor TPA and the cloud server CS cannot impersonate a data owner DO to generate a signature, and the third-party auditor TPA cannot impersonate the cloud server CS. It also guarantees that a deceptive cloud server that has not actually stored the data of the multiple data owners DOs cannot pass the audit phase with the third-party auditor TPA, and that the data of the multiple data owners DOs is not revealed to the third-party auditor TPA.
The present invention is a public auditing method that reduces both the communication cost of the audit protocol and the computation cost of the auditor. At the same time, it supports multi-writer data source authorization and authentication, which existing schemes cannot support, and satisfies the new security and efficiency requirements of multi-writer public auditing.
Security analysis and performance analysis show that this method meets the required security goals and achieves good efficiency. Research on this method is significant for improving public auditing technology for cloud data, and thereby for promoting the development of China's cloud data services and the prosperity of the internet economy.
Description of the drawings
Fig. 1 is the system model of the multi-writer auditing scheme.
Fig. 2 is the trust model of this design method.
Fig. 3 is the flow chart of the key distribution phase.
Fig. 4 is the flow chart of the data write phase.
Fig. 5 is the flow chart of the multi-writer audit phase.
Embodiments
The invention is described in further detail below with reference to the drawings.
The system model of the multi-writer auditing scheme is shown in Fig. 1. It comprises the entities involved in the scheme, the protocols through which these entities communicate, and the algorithms run within the protocols.
The present invention defines five kinds of entities: a group of multiple data owners DOs, users, the cloud server CS, the third-party auditor TPA and the key server. The key server manages the keys of the cloud server CS, the third-party auditor TPA and the multiple data owners DOs, and is also used to authorize the multiple data owners DOs to write data blocks. The multiple data owners DOs need to communicate with the cloud server CS about storing data and signatures, and the cloud server CS must ensure that only authorized data owners DOs can store to the shared set of data blocks. The third-party auditor TPA audits the shared set of data blocks on the cloud server CS, applying the key material generated in the key distribution phase to the data and signatures produced in the data write phase.
The design basis of this scheme is the trust model. A "trust model" is a set of trust relationships (i.e. secure channels) established in advance in a security scheme. To design a security scheme, the trust model must be defined first. This scheme establishes trust relationships PTR in advance between the key server (such as an AAA server), the data owner DO, the cloud server CS and the third-party auditor TPA. The trust model of this design method is shown in Fig. 2.
Overall, the invention provides a public auditing design method for the multi-writer model of cloud data security that reduces both the communication cost of the audit protocol and the computation cost of the auditor. At the same time, it supports multi-writer data source authorization and authentication, which existing schemes cannot support, and satisfies the new security and efficiency requirements of multi-writer public auditing.
The specific parts are as follows:
(1) The present invention proposes a new key distribution mechanism, comprising:
The key distribution mechanism distributes key material from the key server to the cloud server CS, the third-party auditor TPA and the data owner DO. The key server constructs a Lagrange interpolation function by a certain rule and method, then uses this function to compute the keys corresponding to the cloud server CS, the third-party auditor TPA and the data owner DO, and distributes them to these three corresponding entities.
In this embodiment, after initialization each data owner DO, the cloud server CS and the third-party auditor TPA hold their own key material. This ensures that only a data owner DO holding a key can write to the shared set of data blocks.
(2) The present invention proposes a new data write mechanism, comprising:
The data write mechanism lets the multiple data owners DOs communicate with the cloud server CS about storing data and signatures. After a data owner DO signs a data block, the cloud server CS checks the validity of the signature with the integrity check algorithm and decides, according to the result of the check, whether to store the data.
This embodiment lets the cloud server CS ensure that only authorized data owners DOs can store to the shared set of data blocks.
(3) The present invention proposes a new multi-writer model audit mechanism, comprising:
The multi-writer model audit mechanism implements the audit by the third-party auditor TPA of the shared set of data blocks on the cloud server CS. The third-party auditor TPA uses the verification algorithm to verify the data that the cloud server CS obtains with the proof algorithm, thereby achieving the purpose of the audit.
This embodiment completes the multi-writer model audit process on the basis of embodiments one and two, thereby applying the key material generated in the key distribution phase to the data and signatures produced in the data write phase.
Through the above audit process, it is determined whether most of the blocks in the file are stored correctly.
As can be seen from the technical scheme provided by the above embodiments of the invention, the invention is a public auditing method that reduces both the communication cost of the audit protocol and the computation cost of the auditor. At the same time, it supports multi-writer data source authorization and authentication, which existing schemes cannot support, and satisfies the new security and efficiency requirements of multi-writer public auditing.
The embodiments of the invention comprise three parts: (1) the key distribution phase; (2) the data write phase; (3) the multi-writer model audit phase.
In the trust model establishment phase, the key server is a trusted entity; it establishes trust relationships with the cloud server CS, the third-party auditor TPA and the data owner DO respectively.
In the key distribution phase, key material is distributed from the key server to the cloud server CS, the third-party auditor TPA and the multiple data owners DOs.
In the data write phase, the multiple data owners DOs communicate with the cloud server CS about storing data and signatures.
In the multi-writer audit phase, the third-party auditor TPA audits the shared set of data blocks on the cloud server CS.
In these three parts, the trust model is established first, then the key server distributes keys to the cloud server CS, the third-party auditor TPA and the data owner DO, next the data write phase is completed, and finally the multi-writer audit phase is carried out.
To aid understanding of the embodiments of the invention, the embodiments are described below.
Embodiment one
This embodiment implements key distribution. The purpose of key distribution is to distribute to the cloud server CS, the third-party auditor TPA and the data owner DO their respective key material. It includes but is not limited to the following steps (presented as a table):
Step Content
100 The key server constructs an elliptic curve and a Lagrange interpolation function, and generates the authentication and audit key from the parameters of the elliptic curve.
102 The key server computes the key material corresponding to the data owner DO from the Lagrange interpolation function and distributes it to that data owner DO.
104 The key server computes the key material corresponding to the cloud server CS from the Lagrange interpolation function and distributes it to this data owner's cloud server CS.
106 The key server distributes to the TPA the key material corresponding to the third-party auditor TPA.
The protocol flow of this embodiment is shown in Fig. 3.
The steps of embodiment one are described as follows:
(1) Step 100: the key server first creates an elliptic curve according to the base point G and the order n
Figure 632923DEST_PATH_IMAGE001
The parameters of the elliptic curve are known to the cloud server CS, the third-party auditor TPA and the multiple data owners DOs. The key server uses two randomly generated keys
Figure 264893DEST_PATH_IMAGE002
to build the Lagrange interpolation function. It then computes the authentication and audit key
Figure 100475DEST_PATH_IMAGE003
(2) Step 102: the key server distributes
Figure 083474DEST_PATH_IMAGE004
(where is the elliptic curve, and
Figure 214427DEST_PATH_IMAGE005
is the parameter computed by the Lagrange interpolation function for the authorized data owner DO) to the corresponding data owner DO.
(3) Step 104: the key server distributes
Figure 240152DEST_PATH_IMAGE006
(where
Figure 694136DEST_PATH_IMAGE001
is the elliptic curve,
Figure 830719DEST_PATH_IMAGE007
is the authentication and audit key,
Figure 420970DEST_PATH_IMAGE008
is a number generated at random by the key server, and
Figure 679913DEST_PATH_IMAGE009
is the parameter computed by the Lagrange interpolation function at ) to the cloud server CS.
(4) Step 106: the key server distributes
Figure 298817DEST_PATH_IMAGE010
(where
Figure 759886DEST_PATH_IMAGE001
is the elliptic curve and
Figure 189730DEST_PATH_IMAGE007
is the authentication and audit key) to the third-party auditor TPA.
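The interpolation step of steps 100 to 106, as an added illustration that is not code from the patent: the page's formulas did not survive extraction, so this sketch assumes a degree-1 Lagrange interpolation function through two random keys over a prime field standing in for the curve order n, and the names `KeyServer`, `issue`, `may_write` and `id_to_x` are hypothetical. It covers only how a key server can derive and check per-entity parameters, not the elliptic-curve signature or pairing checks; `lagrange_eval` itself goes beyond the two-key case and works for any number of points.

```python
import hashlib
import secrets

# Constructed stand-in for the curve order n (2**127 - 1 is prime).
# Assumption: the page does not name a curve or give a value for n.
N = 2**127 - 1


def lagrange_eval(points, x, n=N):
    """Evaluate at x the unique polynomial through `points`, modulo prime n."""
    xs = [px % n for px, _ in points]
    if len(set(xs)) != len(xs):
        raise ValueError("interpolation points need distinct x values")
    total = 0
    for i, (xi, yi) in enumerate(points):
        num, den = 1, 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (x - xj) % n
                den = den * (xi - xj) % n
        # pow(den, -1, n) is the modular inverse (Python 3.8+).
        total = (total + yi * num * pow(den, -1, n)) % n
    return total


def id_to_x(entity_id, n=N):
    """Map an entity name to an x value in [3, n-1]; 1 and 2 are reserved
    for the key server's own two points (an assumption of this sketch)."""
    digest = hashlib.sha256(entity_id.encode()).digest()
    return 3 + int.from_bytes(digest, "big") % (n - 3)


class KeyServer:
    """Hypothetical key server: keeps the function, hands out one point each."""

    def __init__(self, k1=None, k2=None):
        # Step 100: two randomly generated keys define the function.
        k1 = secrets.randbelow(N) if k1 is None else k1 % N
        k2 = secrets.randbelow(N) if k2 is None else k2 % N
        self._anchors = [(1, k1), (2, k2)]
        self.authorized = set()

    def issue(self, entity_id):
        """Steps 102/104: compute the entity's parameter and authorize it."""
        x = id_to_x(entity_id)
        self.authorized.add(entity_id)
        return x, lagrange_eval(self._anchors, x)

    def may_write(self, entity_id, point):
        """True only for an authorized entity presenting the parameter that
        the function yields at its own x value."""
        if entity_id not in self.authorized:
            return False
        x = id_to_x(entity_id)
        return tuple(point) == (x, lagrange_eval(self._anchors, x))


def demo():
    """Constructed entities: two data owners, one tampered parameter."""
    ks = KeyServer()
    alice = ks.issue("DO-alice")
    tampered = (alice[0], (alice[1] + 1) % N)
    return {
        "alice": ks.may_write("DO-alice", alice),           # issued, intact
        "tampered": ks.may_write("DO-alice", tampered),     # wrong parameter
        "unissued": ks.may_write("DO-mallory", alice),      # never authorized
    }


if __name__ == "__main__":
    print(demo())
```

Because each parameter is recomputed from the function, the key server in this sketch stores only the two keys and the list of authorized names, not one secret per data owner.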
Embodiment two
This embodiment implements the data write phase. The purpose of this phase is for the data owner DO to sign data blocks and for the integrity of the signature to be verified. It includes but is not limited to the following steps (presented as a table):
Step Content
108 The data owner DO signs the data block and sends the signature result and related data to the cloud server CS.
110 The cloud server CS checks the validity of the signature with the integrity check algorithm and thereby decides whether the cloud server CS stores the data.
The protocol flow of this embodiment is shown in Fig. 4.
The steps and protocol flow chart of embodiment two are described as follows:
(1) Step 108: when a data owner (
Figure 831113DEST_PATH_IMAGE012
is the set of all data owners,
Figure 661534DEST_PATH_IMAGE013
denotes an element of this set) is to sign block
Figure 934384DEST_PATH_IMAGE014
(
Figure 850256DEST_PATH_IMAGE015
denotes the set of all data blocks) (let the signature be ), it first computes
Figure 572190DEST_PATH_IMAGE017
, then sends
Figure 140574DEST_PATH_IMAGE018
to the cloud server CS (note:
Figure 481426DEST_PATH_IMAGE019
is a point on the curve,
Figure 550882DEST_PATH_IMAGE005
and
Figure 841049DEST_PATH_IMAGE020
denote an encoding method that converts the character strings
Figure 973477DEST_PATH_IMAGE021
and
Figure 349095DEST_PATH_IMAGE022
into a point on the curve).
(2) Step 110: after receiving
Figure 956663DEST_PATH_IMAGE018
the cloud server CS uses the bilinear verification algorithm, and then sends the result of whether the data was stored successfully to the data owner DO.
Embodiment three
This embodiment implements the multi-writer model audit phase. The purpose of this phase is to implement the audit by the third-party auditor TPA of the shared set of data blocks on the cloud server CS. It includes but is not limited to the following steps (presented as a table):
Step Content
112 The third-party auditor TPA selects a group of flag data and sends it to the cloud server CS.
114 After receiving the flag data, the cloud server CS uses the proof algorithm to produce
Figure 429233DEST_PATH_IMAGE023
and sends it to the third-party auditor TPA.
116 The third-party auditor TPA uses the verification algorithm to audit the data written by the multiple data owners DOs.
The protocol flow of this embodiment is shown in Fig. 5.
The steps and protocol flow chart of embodiment three are described as follows:
(1) Step 112: when the third-party auditor TPA is to audit the data written by the multiple data owners DOs, it selects a suitable group of flag data and sends it to the cloud server CS.
(2) Step 114: after receiving the flag data
Figure 326967DEST_PATH_IMAGE025
, the cloud server CS computes, according to the proof algorithm,
Figure 488958DEST_PATH_IMAGE026
, and sends it to the third-party auditor TPA (note:
Figure 816034DEST_PATH_IMAGE027
and
Figure 287336DEST_PATH_IMAGE028
are points on the curve).
(3) Step 116: after receiving
Figure 637546DEST_PATH_IMAGE029
, the third-party auditor TPA audits the data written by the multiple data owners DOs with the verification algorithm.

Claims (1)

1. A public auditing design method for the multi-writer model of cloud data security, characterized in that it comprises the following phases:
(1) Key distribution phase: key material is distributed from the key server to the cloud server CS, the third-party auditor TPA and the multiple data owners DOs, ensuring that only a data owner DO holding a key can write to the shared set of data blocks;
(2) Data write phase: the multiple data owners DOs need to communicate with the cloud server CS about storing data and signatures, and the cloud server CS must ensure that only authorized data owners DOs can store to the shared set of data blocks;
(3) Multi-writer model audit phase: the third-party auditor TPA audits the shared set of data blocks on the cloud server CS; this phase applies the key material generated in the key distribution phase to the data and signatures produced in the data write phase.
CN201310292145.9A 2013-07-12 2013-07-12 The public audit method for designing of many writes model of cloud data security Expired - Fee Related CN103347085B (en)


Publications (2)

Publication Number Publication Date
CN103347085A true CN103347085A (en) 2013-10-09
CN103347085B CN103347085B (en) 2016-03-23

Family

ID=49281859



Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
CB03 Change of inventor or designer information

Inventor after: Wan Changsheng

Inventor after: Zhou Lin

Inventor after: Chou Ruiteng

Inventor before: Wan Changsheng

Inventor before: Zhou Lin

COR Change of bibliographic data
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20160323

Termination date: 20170712
