CN103763355A - Cloud data uploading and access control method - Google Patents
Cloud data uploading and access control method Download PDFInfo
- Publication number
- CN103763355A CN103763355A CN201410007172.1A CN201410007172A CN103763355A CN 103763355 A CN103763355 A CN 103763355A CN 201410007172 A CN201410007172 A CN 201410007172A CN 103763355 A CN103763355 A CN 103763355A
- Authority
- CN
- China
- Prior art keywords
- cloud data
- server
- key
- client
- packet
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
Images
Landscapes
- Storage Device Security (AREA)
Abstract
The invention provides a cloud data uploading and access control method. A server receives and stores cloud data with security levels; after the server receives a cloud data access request, key authentication is carried out on an access user; if key authentication is successful, the server allows the access user to carry out read and write operation on the cloud data, and otherwise, code authentication is carried out on the access user; the server obtains the security level corresponding to the cloud data when code authentication is successful, the server allows the access user to carry out read and write operation on the cloud data if the security level is normal, the server allows the access user to carry out read-only operation on the cloud data if the security level is important, and the server refuses the access request if the security level is confidential. Due to the fact that the cloud data have the corresponding security level, the access user can only be in an authority range and operate the cloud data of different security levels, and accordingly security and privacy of cloud data access are enhanced.
Description
Technical field
The present invention relates to cloud storage security field, relate in particular to the uploading of a kind of cloud data, access control method.
Background technology
Cloud storage is in cloud computing (cloud computing) conceptive extension and a derivative development new concept out.From function, realize, realize exactly the technology that strange land file access and sharing files walk altogether.Cloud storage conventionally means master data or Backup Data is put in exterior storage pond, rather than is put into local data center or special remote site.Use cloud stores service, enterprise institution's expense of just reducing investment outlay, simplifies complicated setting and management role, and data are placed in cloud and are also convenient to from more local visit data.Cloud storage has become a kind of trend of following storage development; but along with the development of cloud memory technology; the application that all kinds of search, application technology and cloud storage combine, also needs to take into full account the problem of secret file protect hidden danger aspect, and improves from fail safe, secret protection angle.
Along with developing rapidly with universal of cloud memory technology, increasing mobile platform user likes at any time by cloud, being stored and being uploaded to fast in net dish with mobile phone or the dull and stereotyped photo of taking and video or individual daily record own, can by WEB or pc client, in strange land, even immediately fetch photo and daily record very efficiently like this, but each photo that user uploads or alternative document are expressly preserved in the service end of cloud storage, in these files, be no lack of user's classified papers or user's privacy, once being cracked, individual cloud memory space will cause the leakage of sensitive information, in addition, on server, All Files is all realized to secret key encryption meeting and increase cost.
Summary of the invention
In order to solve above-mentioned arbitrary problem, the present invention proposes the uploading of a kind of cloud data, access control method.
The access control method that the invention provides a kind of cloud data, comprises the following steps: server receives the cloud data access request that client sends, described server receives after described cloud data access request, obtains the user key information of uploading corresponding to described cloud data, described in described server obtains, upload after user key information, to described client, send key authentication request, described client, after described key authentication request, sends calling party key information to described server, described server receives after the described calling party key information of described client transmission, to described, upload user key information and described calling party key information carries out key authentication, if described key authentication success, described server allows described calling party to carry out read-write operation to described cloud data, otherwise described server sends cipher authentication request to described client, described client, after described cipher authentication request, sends access code to described server, described server receives after the described access code of described client transmission, judge that whether described access code is correct, if incorrect, described server is refused described access request, if correct, described server obtains safe class corresponding to described cloud data, if described safe class is common, described server allows described calling party to carry out read-write operation to described cloud data, if described safe class is important, described server allows described calling party to carry out read-only operation to described cloud data, if described safe class is secret, described server is refused described access request.
In addition, if safe class corresponding to described cloud data is secret, described cloud data are to utilize to upload data after user encryption secret key encryption, and the cloud data after described encryption only have could be by read-write operation after being decrypted operation by decruption key.
In addition, described encryption key is for uploading client public key, and described decruption key is for uploading private key for user.
In addition, described server permission calling party carries out read-only operation to cloud data and comprises the following steps: described server carries out HASH computing to the first cloud data, generation the first summary, and described the first cloud data are the cloud data of calling party request access; Described server sends described the first cloud data to described client; Described client is to after described the first cloud data, to described the first cloud data carry out a series of read or retouching operation after, generate the second cloud data, and send the second cloud data upload request to server; Described server receives after described the second cloud data upload request, to described client, sends feedback information; Described client, after described feedback information, sends described the second cloud data to described server; Described server receives after described the second cloud data, and described the second cloud data are carried out to HASH computing, generates the second summary; Described server generates after described the second summary, judges whether described the first summary is identical with described the second summary, if different, described server sends upload request failure information.
In addition, described key authentication comprises the following steps: described server according to described in upload subscriber identity information and obtain and upload client public key; Random first packet that generates of described server, uploads client public key described in utilization described the first packet is encrypted to computing, obtains the first encrypted packets; Described server obtains after described the first encrypted packets, to described client, sends described the first encrypted packets; Described client, after described the first encrypted packets, utilizes described calling party private key to be decrypted computing to described the first encrypted packets, obtains the second packet; Described client obtains after described the second packet, utilizes server public key to be encrypted computing to described the second packet, obtains the second encrypted packets; Described client obtains after described the second encrypted packets, to described server, sends described the second encrypted packets; Described server receives after described the second encrypted packets, utilizes privacy key to be decrypted computing to described the second encrypted packets, obtains the 3rd packet; Described server obtains after described the 3rd packet, judges that whether described the 3rd packet is consistent with described the first packet, if consistent, described key authentication success.
The present invention also provides a kind of control method of uploading of cloud data, comprises the following steps: server receives the cloud data upload request that client sends, and in described upload request, comprises user profile; Described server receives after described upload request, and the safe class that sends cloud data to be uploaded to described client is selected request; Described client is selected after request to described safe class, and prompting user selects the safe class type of described cloud data to be uploaded, and described safe class at least comprises: common, important, secret; If the described safe class that user selects is common or important, described client sends described cloud data to described server, and described server is stored described cloud data after receiving described cloud data; If described safe class is secret, the encryption key of uploading user described in described client utilization is encrypted operation to described cloud data, obtain secret cloud data, and send described secret cloud data to described server, described server is stored described secret cloud data after receiving described secret cloud data, and described secret cloud data only have could be by read-write operation after being decrypted operation by decruption key.
In addition, described encryption key is for uploading client public key, and described decruption key is for uploading private key for user.
In addition, after described server receives described upload request, before the safe class that described server sends cloud data to be uploaded to described client is selected request, further comprising the steps of: described server according to described in upload subscriber identity information and obtain and upload client public key; Random first packet that generates of described server, uploads client public key described in utilization described the first packet is encrypted to computing, obtains the first encrypted packets; Described server obtains after described the first encrypted packets, to described client, sends described the first encrypted packets; Described client, after described the first encrypted packets, utilizes described calling party private key to be decrypted computing to described the first encrypted packets, obtains the second packet; Described client obtains after described the second packet, utilizes server public key to be encrypted computing to described the second packet, obtains the second encrypted packets; Described client obtains after described the second encrypted packets, to described server, sends described the second encrypted packets; Described server receives after described the second encrypted packets, utilizes privacy key to be decrypted computing to described the second encrypted packets, obtains the 3rd packet; Described server obtains after described the 3rd packet, judges that whether described the 3rd packet is consistent with described the first packet, if consistent, to described client, sends the safe class selection request of cloud data to be uploaded.
In sum, with in prior art using cloud data directly as expressly carrying out upload operation, preserving operation compared with down operation, the present invention is by being the corresponding safe class of cloud data configuration, for calling party is distributed corresponding operating right, to realize calling party can only the cloud data to different safety class operate in the extent of competence of oneself, and the present invention has realized and strengthened cloud data access fail safe and private object.
Accompanying drawing explanation
In order to be illustrated more clearly in the technical scheme of the embodiment of the present invention, below the accompanying drawing of required use during embodiment is described is briefly described, apparently, accompanying drawing in the following describes is only some embodiments of the present invention, for those of ordinary skill in the art, do not paying under the prerequisite of creative work, can also obtain other accompanying drawings according to these accompanying drawings.
Fig. 1 is the access control method flow chart of the cloud data that provide of the embodiment of the present invention;
Fig. 2 be the cloud data that provide of the embodiment of the present invention upload control method flow chart.
Embodiment
Below in conjunction with the accompanying drawing in the embodiment of the present invention, the technical scheme in the embodiment of the present invention is clearly and completely described, obviously, described embodiment is only the present invention's part embodiment, rather than whole embodiment.Based on embodiments of the invention, those of ordinary skills, not making the every other embodiment obtaining under creative work prerequisite, belong to protection scope of the present invention.
In description of the invention, it will be appreciated that, term " " center ", " longitudinally ", " laterally ", " on ", D score, " front ", " afterwards ", " left side ", " right side ", " vertically ", " level ", " top ", " end ", " interior ", orientation or the position relationship of indications such as " outward " are based on orientation shown in the drawings or position relationship, only the present invention for convenience of description and simplified characterization, rather than device or the element of indication or hint indication must have specific orientation, with specific orientation structure and operation, therefore can not be interpreted as limitation of the present invention.In addition, term " first ", " second " be only for describing object, and can not be interpreted as indication or hint relative importance or quantity or position.
In description of the invention, it should be noted that, unless otherwise clearly defined and limited, term " installation ", " being connected ", " connection " should be interpreted broadly, and for example, can be to be fixedly connected with, and can be also to removably connect, or connect integratedly; Can be mechanical connection, can be also electrical connection; Can be to be directly connected, also can indirectly be connected by intermediary, can be the connection of two element internals.For the ordinary skill in the art, can concrete condition understand above-mentioned term concrete meaning in the present invention.
Core of the present invention is, cloud data are divided into different safe classes, the cloud data of different safety class have respectively corresponding safe class, server carries out authentication to calling party and is the open corresponding operating right of calling party, only allow calling party within the scope of operating right separately, the cloud data with different safety class to be operated, thereby realize, strengthen cloud data access fail safe and private object.
Below in conjunction with accompanying drawing, the embodiment of the present invention is described in further detail.
Fig. 1 is the access control method flow chart of embodiment of the present invention cloud data, and as shown in Figure 1, the method comprises the steps:
S01, server receives the cloud data access request that client sends;
Above-mentioned cloud data access request can comprise information that can unique definite target cloud data, the information such as the such as directory location of accessed cloud data, file name, reference number of a document.
S02, described server receives after described cloud data access request, obtains the user key information of uploading corresponding to described cloud data;
S03, described server is being uploaded described in obtaining after user key information, to described client, sends key authentication request;
S04, described client is receiving after key authentication request, to described server, sends calling party key information;
S05, described server receives the described calling party key information that described client sends;
S06, calling party key information carries out key authentication to described calling party described in described server by utilizing;
S07, if the success of described key authentication, described server allows described calling party to carry out read-write operation to described cloud data, flow process finishes; Otherwise, carry out S08;
S08, if the failure of described key authentication, described server sends cipher authentication request to described client;
S09, described client is receiving after cipher authentication request, to described server, sends access code;
Above-mentioned access code can be to arrange and be stored in by user the static password that Chinese character, letter, numeral in server are formed by combining, also can be the dynamic password with certain timeliness being generated and stored at random by server, such as server was not received the described dynamic password that user inputs in 30 seconds, described dynamic password lost efficacy.Described dynamic password sends to user mobile phone by server by the reserved phone number of described cloud data upload user and confirms for user.
S10, described server receives the described access code that described client sends;
S11, described server authenticates described access code;
If described access code is static password, server mates the access code receiving with the access code of storage, if identical, access code authentication success, if different, access code authentification failure; If described access code is dynamic password, first server judges that server receives the time of described access code and whether time interval of sending out between time of described access code is less than or equal to described timeliness scope, if be greater than described timeliness scope, access code authentification failure, if be less than or equal to described timeliness scope, server mates the access code receiving with the access code of storage, if identical, access code authentication success, if different, access code authentification failure;
S12, if described access code authentification failure, described server is refused described access request, flow process finishes; Otherwise, carry out S13;
S13, if described access code authentication success, described server obtains safe class corresponding to described cloud data;
S14, if described safe class is common, described server allows described calling party to carry out read-write operation to described cloud data, flow process finishes;
S15, if described safe class is important, described server allows described calling party to carry out read-only operation to described cloud data, flow process finishes;
S16, if described safe class is secret, described server is refused described access request, flow process finishes.
In addition, if safe class corresponding to described cloud data is secret, described cloud data are to utilize to upload data after user encryption secret key encryption, and the cloud data after described encryption only have could be by read-write operation after being decrypted operation by decruption key;
In above-mentioned steps S07, described server allows described calling party to carry out read-write operation to described cloud data, comprises the following steps:
Described server sends the cloud data after described encryption to described client;
Described client is after the cloud data after described encryption, and the cloud data after utilizing user's decruption key to described encryption are decrypted operation, obtain described cloud data;
Described client obtains after described cloud data, to described cloud data read, the read-write operation such as modification;
Cloud data after described client utilizes user encryption key to read-write operation are encrypted operation, and send the described cloud data after user encryption secret key encryption to described server;
Described server receives and preserves the described cloud data after described encryption keys.
Even the data of uploading above-mentioned after user's encryption keys are obtained by other people, owing to not thering is the decruption key of uploading user, cannot read equally these data, these cloud data that just guaranteed to have security level can only be uploaded user and read and revise, and have further strengthened the fail safe and privacy of cloud data.
In addition, above-mentioned for encryption key that uploading data is encrypted, decruption key to downloading data deciphering and can be an identical group key pair for the public private key pair that user is carried out to authentication, can be also different,
If identical, above-mentioned encryption key is client public key, and above-mentioned decruption key is private key for user, further improves the fail safe and privacy of cloud data;
If different, above-mentioned encryption key and decruption key are user-defined one group and are convenient to memory and the key pair of encryption and decryption computing, the operation efficiency of raising cloud data encryption and deciphering;
In addition, described server permission calling party carries out read-only operation to cloud data and comprises the following steps: described server carries out HASH computing to the first cloud data, generation the first summary, and described the first cloud data are the cloud data of calling party request access; Described server sends described the first cloud data to described client; Described server receives the upload request to the second cloud data that obtain after described the first cloud data read-write operation that described client sends; Described server receives described client and sends described the second cloud data; Described server carries out HASH computing to described the second cloud data, generates the second summary; Described server judges whether described the first summary is identical with the second summary, if different, described server sends upload request failure information.
In addition, described key authentication comprises the following steps: described server according to described in upload subscriber identity information and obtain and upload client public key; Random first packet that generates of described server, uploads client public key described in utilization described the first packet is encrypted to computing, obtains the first encrypted packets, described in upload client public key for uploading the corresponding PKI of user's intelligent cipher key equipment; Above-mentioned the first packet can be one section of character string that comprises access time, cloud Data Position information, cloud data type information.Described server sends described the first encrypted packets to described client; The first encrypted packets described in described client, and utilize described calling party private key to be decrypted computing to described the first encrypted packets, obtaining the second packet, described calling party private key is the private key of preserving in calling party intelligent cipher key equipment; Described client utilizes server public key to be encrypted computing to described the second packet, obtains the second encrypted packets; Described client sends described the second encrypted packets to described server; Described server receives described the second encrypted packets; Described server by utilizing privacy key is decrypted computing to described the second encrypted packets, obtains the 3rd packet; Described server judges that whether described the 3rd packet is consistent with described the first packet, if consistent, described key authentication success.
In said process, because public key encryption the first packet of server by utilizing cloud data upload user obtains the first encrypted packets, so described the first encrypted packets can only be decrypted operation by cloud data upload user's private key and obtain second packet identical with described the first packet, because client is utilized described server public key to encrypt the second packet to obtain the second encrypted packets, so described the second encrypted packets also can only be decrypted operation by the private key of described server and obtain three packet identical with described the first packet, therefore, described key authentication process is the mutual authentication process between user and server, the fail safe and privacy of cloud data have further been strengthened.
Fig. 2 be embodiment of the present invention cloud data upload control method flow chart, as shown in Figure 2, the method comprises the steps:
S21, server receives the cloud data upload request that client sends, and in described upload request, comprises and uploads user profile;
The above-mentioned user profile of uploading is can unique confirmation to upload the information of user identity, as: user name, client public key information, the user identification code of uploading user.
S22, described server receives after described upload request, and the safe class that sends cloud data to be uploaded to described client is selected request;
S23, described client is selected after request to described safe class, and prompting user selects the safe class of described cloud data to be uploaded, and described safe class at least comprises: common, important, secret;
S24, if the described safe class that user selects is common or important, described client sends described cloud data to described server, described server is preserved described cloud data after receiving described cloud data;
S25, if described safe class is secret, the encryption key of uploading user described in described client utilization is encrypted operation to described cloud data, obtain secret cloud data, and send described secret cloud data to described server, described server is preserved described secret cloud data after receiving described secret cloud data, and described secret cloud data only have could be by read-write operation after being decrypted operation by decruption key.
In addition, above-mentioned for encryption key that uploading data is encrypted, decruption key to downloading data deciphering and can be an identical group key pair for the public private key pair that user is carried out to authentication, can be also different,
If identical, above-mentioned encryption key is client public key, and above-mentioned decruption key is private key for user, further improves the fail safe and privacy of cloud data;
If different, above-mentioned encryption key and decruption key are user-defined one group and are convenient to memory and the key pair of encryption and decryption computing, the operation efficiency of raising cloud data encryption and deciphering;
Compared with existing cloud memory technology, in above-mentioned upload procedure, user can be divided into from the safe class of chief commander's cloud data to be uploaded common, important, secret, and server manages described cloud data respectively according to different safe classes, has improved the fail safe and privacy of cloud data.
In addition, after described server receives described upload request, before the safe class that sends cloud data to be uploaded to described client is selected request, further comprising the steps of: described server according to described in upload subscriber identity information and obtain and upload client public key; Random first packet that generates of described server, uploads client public key described in utilization described the first packet is encrypted to computing, obtains the first encrypted packets; Described server obtains after described the first encrypted packets, to described client, sends described the first encrypted packets; Described client, after described the first encrypted packets, utilizes described calling party private key to be decrypted computing to described the first encrypted packets, obtains the second packet; Described client obtains after described the second packet, utilizes server public key to be encrypted computing to described the second packet, obtains the second encrypted packets; Described client obtains after described the second encrypted packets, to described server, sends described the second encrypted packets; Described server receives after described the second encrypted packets, utilizes privacy key to be decrypted computing to described the second encrypted packets, obtains the 3rd packet; Described server obtains after described the 3rd packet, judges that whether described the 3rd packet is consistent with described the first packet, if consistent, to described client, sends the authority selection request of cloud data to be uploaded.
In said process, because public key encryption the first packet of server by utilizing cloud data upload user obtains the first encrypted packets, so described the first encrypted packets can only be decrypted operation by cloud data upload user's private key and obtain second packet identical with described the first packet, because client is utilized described server public key to encrypt the second packet to obtain the second encrypted packets, so described the second encrypted packets also can only be decrypted operation by the private key of described server and obtain three packet identical with described the first packet, therefore, described key authentication process is the mutual authentication process between user and server, the fail safe and privacy of cloud data have further been strengthened.
Any process of otherwise describing in flow chart or at this or method are described and can be understood to, represent to comprise that one or more is for realizing module, fragment or the part of code of executable instruction of step of specific logical function or process, and the scope of the preferred embodiment of the present invention comprises other realization, wherein can be not according to order shown or that discuss, comprise according to related function by the mode of basic while or by contrary order, carry out function, this should be understood by embodiments of the invention person of ordinary skill in the field.
Should be appreciated that each several part of the present invention can realize with hardware, software, firmware or their combination.In the above-described embodiment, multiple steps or method can realize with being stored in software or the firmware carried out in memory and by suitable instruction execution system.For example, if realized with hardware, the same in another embodiment, can realize by any one in following technology well known in the art or their combination: there is the discrete logic for data-signal being realized to the logic gates of logic function, there is the application-specific integrated circuit (ASIC) of suitable combinational logic gate circuit, programmable gate array (PGA), field programmable gate array (FPGA) etc.
Those skilled in the art are appreciated that realizing all or part of step that above-described embodiment method carries is can carry out the hardware that instruction is relevant by program to complete, described program can be stored in a kind of computer-readable recording medium, this program, when carrying out, comprises step of embodiment of the method one or a combination set of.
In addition, the each functional unit in each embodiment of the present invention can be integrated in a processing module, can be also that the independent physics of unit exists, and also can be integrated in a module two or more unit.Above-mentioned integrated module both can adopt the form of hardware to realize, and also can adopt the form of software function module to realize.If described integrated module realizes and during as production marketing independently or use, also can be stored in a computer read/write memory medium using the form of software function module.
The above-mentioned storage medium of mentioning can be read-only memory, disk or CD etc.
In the description of this specification, the description of reference term " embodiment ", " some embodiment ", " example ", " concrete example " or " some examples " etc. means to be contained at least one embodiment of the present invention or example in conjunction with specific features, structure, material or the feature of this embodiment or example description.In this manual, the schematic statement of above-mentioned term is not necessarily referred to identical embodiment or example.And specific features, structure, material or the feature of description can be with suitable mode combination in any one or more embodiment or example.
Although illustrated and described embodiments of the invention above, be understandable that, above-described embodiment is exemplary, can not be interpreted as limitation of the present invention, those of ordinary skill in the art can change above-described embodiment within the scope of the invention in the situation that not departing from principle of the present invention and aim, modification, replacement and modification.Scope of the present invention is by claims and be equal to and limit.
Claims (7)
1. an access control method for cloud data, comprises the following steps:
Server receives the cloud data access request that client sends;
Described server receives after described cloud data access request, obtains the user key information of uploading corresponding to described cloud data;
Described in described server obtains, upload after user key information, to described client, send key authentication request;
Described client, after described key authentication request, sends calling party key information to described server;
Described server receives after the described calling party key information that described client sends, and to described, uploads user key information and described calling party key information carries out key authentication;
If described key authentication success, described server allows described calling party to carry out read-write operation to described cloud data,
If described key authentication failure, described server sends cipher authentication request to described client, described client, after described cipher authentication request, sends access code to described server, described server receives after the described access code of described client transmission, judge that whether described access code is correct, if incorrect, described server is refused described access request, if correct, described server obtains safe class corresponding to described cloud data, if described safe class is common, described server allows described calling party to carry out read-write operation to described cloud data, if described safe class is important, described server allows described calling party to carry out read-only operation to described cloud data, if described safe class is secret, described server is refused described access request.
2. the access control method of a kind of cloud data according to claim 1, it is characterized in that, if safe class corresponding to described cloud data is secret, described cloud data are to utilize to upload data after user encryption secret key encryption, and the cloud data after described encryption only have could be by read-write operation after being decrypted operation by decruption key.
3. the access control method of a kind of cloud data according to claim 2, is characterized in that, described encryption key is for uploading client public key, and described decruption key is for uploading private key for user.
4. according to the access control method of the arbitrary described a kind of cloud data of claims 1 to 3, it is characterized in that, described key authentication comprises the following steps:
Described server according to described in upload subscriber identity information and obtain and upload client public key;
Random first packet that generates of described server, uploads client public key described in utilization described the first packet is encrypted to computing, obtains the first encrypted packets;
Described server obtains after described the first encrypted packets, to described client, sends described the first encrypted packets;
Described client, after described the first encrypted packets, utilizes described calling party private key to be decrypted computing to described the first encrypted packets, obtains the second packet;
Described client obtains after described the second packet, utilizes server public key to be encrypted computing to described the second packet, obtains the second encrypted packets;
Described client obtains after described the second encrypted packets, to described server, sends described the second encrypted packets;
Described server receives after described the second encrypted packets, utilizes privacy key to be decrypted computing to described the second encrypted packets, obtains the 3rd packet;
Described server obtains after described the 3rd packet, judges that whether described the 3rd packet is consistent with described the first packet, if consistent, described key authentication success.
Cloud data upload a control method, comprise the following steps:
Server receives the cloud data upload request that client sends, and in described upload request, comprises and uploads user profile;
Described server receives after described upload request, and the safe class that sends cloud data to be uploaded to described client is selected request;
Described client is selected after request to described authority, and prompting user selects the safe class of described cloud data to be uploaded, and described safe class at least comprises: common, important, secret;
If the described safe class that user selects is common or important, described client sends described cloud data to described server, and described server is stored described cloud data after receiving described cloud data; If described safe class is secret, the encryption key of uploading user described in described client utilization is encrypted operation to described cloud data, obtain secret cloud data, and send described secret cloud data to described server, described server is stored described secret cloud data after receiving described secret cloud data, and described secret cloud data only have could be by read-write operation after being decrypted operation by decruption key.
A kind of cloud data according to claim 5 upload control method, it is characterized in that, described encryption key is for uploading client public key, described decruption key is for uploading private key for user.
7. according to the control method of uploading of the arbitrary described a kind of cloud data of claim 5 to 6, it is characterized in that, described server receives after described upload request, further comprising the steps of:
Described server according to described in upload subscriber identity information and obtain and upload client public key;
Random first packet that generates of described server, uploads client public key described in utilization described the first packet is encrypted to computing, obtains the first encrypted packets;
Described server obtains after described the first encrypted packets, to described client, sends described the first encrypted packets;
Described client, after described the first encrypted packets, utilizes described calling party private key to be decrypted computing to described the first encrypted packets, obtains the second packet;
Described client obtains after described the second packet, utilizes server public key to be encrypted computing to described the second packet, obtains the second encrypted packets;
Described client obtains after described the second encrypted packets, to described server, sends described the second encrypted packets;
Described server receives after described the second encrypted packets, utilizes privacy key to be decrypted computing to described the second encrypted packets, obtains the 3rd packet;
Described server obtains after described the 3rd packet, judges that whether described the 3rd packet is consistent with described the first packet, if consistent, to described client, sends the authority selection request of cloud data to be uploaded.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201410007172.1A CN103763355B (en) | 2014-01-07 | 2014-01-07 | Cloud data uploading and access control method |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201410007172.1A CN103763355B (en) | 2014-01-07 | 2014-01-07 | Cloud data uploading and access control method |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN103763355A true CN103763355A (en) | 2014-04-30 |
| CN103763355B CN103763355B (en) | 2017-02-01 |
Family
ID=50530514
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201410007172.1A Active CN103763355B (en) | 2014-01-07 | 2014-01-07 | Cloud data uploading and access control method |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN103763355B (en) |
Cited By (19)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN104333545A (en) * | 2014-10-26 | 2015-02-04 | 重庆智韬信息技术中心 | Method for encrypting cloud storage file data |
| CN104468112A (en) * | 2014-08-13 | 2015-03-25 | 中经云数据存储科技(北京)有限公司 | Authorized access control method based on optical disc juke-box system and safety system |
| CN105450542A (en) * | 2014-08-21 | 2016-03-30 | 联想(北京)有限公司 | Data-processing method and first electronic device |
| CN105608387A (en) * | 2015-08-11 | 2016-05-25 | 宇龙计算机通信科技(深圳)有限公司 | Storage method and storage device of multimedia resources, and terminal |
| CN106027552A (en) * | 2016-06-30 | 2016-10-12 | 中经汇通电子商务有限公司 | Method and system for accessing cloud storage data by user |
| CN106293540A (en) * | 2016-08-19 | 2017-01-04 | 成都全码特时代科技有限公司 | A kind of cloud date storage method |
| CN106503133A (en) * | 2016-10-19 | 2017-03-15 | 北京小米移动软件有限公司 | Cloud disk data processing method and device |
| CN107003815A (en) * | 2014-12-09 | 2017-08-01 | 国际商业机器公司 | The automatic management of confidential data in cloud environment |
| CN107124389A (en) * | 2016-02-25 | 2017-09-01 | 北京骄阳星天纪网络科技有限公司 | A kind of cloud data encryption analysis and processing method |
| CN107370604A (en) * | 2017-07-07 | 2017-11-21 | 华中科技大学 | A kind of more granularity access control methods under big data environment |
| US9930070B2 (en) | 2015-11-11 | 2018-03-27 | International Business Machines Corporation | Modifying security policies of related resources |
| CN107872439A (en) * | 2016-09-28 | 2018-04-03 | 腾讯科技(深圳)有限公司 | A kind of personal identification method, apparatus and system |
| CN108282476A (en) * | 2018-01-19 | 2018-07-13 | 常州信息职业技术学院 | A kind of information security backup method and system |
| CN109327491A (en) * | 2017-08-01 | 2019-02-12 | 触信(厦门)智能科技有限公司 | A kind of information telephone implementation method and its system, smart machine |
| CN109756446A (en) * | 2017-11-01 | 2019-05-14 | 中车株洲电力机车研究所有限公司 | A kind of access method and system of mobile unit |
| CN112311879A (en) * | 2020-10-30 | 2021-02-02 | 平安信托有限责任公司 | Method and device for limiting network disk uploading, computer equipment and storage medium |
| CN114928464A (en) * | 2022-03-21 | 2022-08-19 | 上海课亦信息科技有限公司 | Data cloud storage scheduling system based on internet |
| CN116232593A (en) * | 2023-05-05 | 2023-06-06 | 杭州海康威视数字技术股份有限公司 | Multi-password module sensitive data classification and protection method, equipment and system |
| CN117439823A (en) * | 2023-12-20 | 2024-01-23 | 深圳市智安网络有限公司 | Cloud data intelligent authority authentication safety protection method and system |
Citations (11)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101340437A (en) * | 2008-08-19 | 2009-01-07 | 北京飞天诚信科技有限公司 | Time source regulating method and system |
| CN101340289A (en) * | 2008-08-19 | 2009-01-07 | 北京飞天诚信科技有限公司 | Replay attack preventing method and method thereof |
| CN101431410A (en) * | 2007-11-09 | 2009-05-13 | 康佳集团股份有限公司 | Authentication method for network game client and server cluster |
| CN102510338A (en) * | 2011-12-31 | 2012-06-20 | 中国工商银行股份有限公司 | System, device and method for security certificate for multi-organization interconnection system |
| US20120159590A1 (en) * | 2010-12-15 | 2012-06-21 | At&T Intellectual Property I, L.P. | Methods, systems, and computer program products for authenticating an identity of a user by generating a confidence indicator of the identity of the user based on a combination of multiple authentication techniques |
| CN102655508A (en) * | 2012-04-19 | 2012-09-05 | 华中科技大学 | Method for protecting privacy data of users in cloud environment |
| CN102761521A (en) * | 2011-04-26 | 2012-10-31 | 上海格尔软件股份有限公司 | Cloud security storage and sharing service platform |
| CN102882858A (en) * | 2012-09-13 | 2013-01-16 | 江苏乐买到网络科技有限公司 | External data transmission method for cloud computing system |
| CN103118011A (en) * | 2013-01-12 | 2013-05-22 | 合肥华云通信技术有限公司 | Method for protecting customer data in multi-tenant environment |
| CN103248479A (en) * | 2012-02-06 | 2013-08-14 | 中兴通讯股份有限公司 | Cloud storage safety system, data protection method and data sharing method |
| CN103327002A (en) * | 2013-03-06 | 2013-09-25 | 西安电子科技大学 | Cloud storage access control system based on attribute |
-
2014
- 2014-01-07 CN CN201410007172.1A patent/CN103763355B/en active Active
Patent Citations (11)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101431410A (en) * | 2007-11-09 | 2009-05-13 | 康佳集团股份有限公司 | Authentication method for network game client and server cluster |
| CN101340437A (en) * | 2008-08-19 | 2009-01-07 | 北京飞天诚信科技有限公司 | Time source regulating method and system |
| CN101340289A (en) * | 2008-08-19 | 2009-01-07 | 北京飞天诚信科技有限公司 | Replay attack preventing method and method thereof |
| US20120159590A1 (en) * | 2010-12-15 | 2012-06-21 | At&T Intellectual Property I, L.P. | Methods, systems, and computer program products for authenticating an identity of a user by generating a confidence indicator of the identity of the user based on a combination of multiple authentication techniques |
| CN102761521A (en) * | 2011-04-26 | 2012-10-31 | 上海格尔软件股份有限公司 | Cloud security storage and sharing service platform |
| CN102510338A (en) * | 2011-12-31 | 2012-06-20 | 中国工商银行股份有限公司 | System, device and method for security certificate for multi-organization interconnection system |
| CN103248479A (en) * | 2012-02-06 | 2013-08-14 | 中兴通讯股份有限公司 | Cloud storage safety system, data protection method and data sharing method |
| CN102655508A (en) * | 2012-04-19 | 2012-09-05 | 华中科技大学 | Method for protecting privacy data of users in cloud environment |
| CN102882858A (en) * | 2012-09-13 | 2013-01-16 | 江苏乐买到网络科技有限公司 | External data transmission method for cloud computing system |
| CN103118011A (en) * | 2013-01-12 | 2013-05-22 | 合肥华云通信技术有限公司 | Method for protecting customer data in multi-tenant environment |
| CN103327002A (en) * | 2013-03-06 | 2013-09-25 | 西安电子科技大学 | Cloud storage access control system based on attribute |
Cited By (31)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN104468112A (en) * | 2014-08-13 | 2015-03-25 | 中经云数据存储科技(北京)有限公司 | Authorized access control method based on optical disc juke-box system and safety system |
| CN105450542A (en) * | 2014-08-21 | 2016-03-30 | 联想(北京)有限公司 | Data-processing method and first electronic device |
| CN105450542B (en) * | 2014-08-21 | 2019-08-27 | 联想(北京)有限公司 | A kind of data processing method and the first electronic equipment |
| CN104333545A (en) * | 2014-10-26 | 2015-02-04 | 重庆智韬信息技术中心 | Method for encrypting cloud storage file data |
| CN104333545B (en) * | 2014-10-26 | 2017-07-14 | 国网内蒙古东部电力有限公司信息通信分公司 | The method that cloud storage file data is encrypted |
| US10474830B2 (en) | 2014-12-09 | 2019-11-12 | International Business Machines Corporation | Automated management of confidential data in cloud environments |
| US9996698B2 (en) | 2014-12-09 | 2018-06-12 | International Business Machines Corporation | Automated management of confidential data in cloud environments |
| US11062037B2 (en) | 2014-12-09 | 2021-07-13 | International Business Machines Corporation | Automated management of confidential data in cloud environments |
| CN107003815A (en) * | 2014-12-09 | 2017-08-01 | 国际商业机器公司 | The automatic management of confidential data in cloud environment |
| CN105608387A (en) * | 2015-08-11 | 2016-05-25 | 宇龙计算机通信科技(深圳)有限公司 | Storage method and storage device of multimedia resources, and terminal |
| CN105608387B (en) * | 2015-08-11 | 2019-04-12 | 宇龙计算机通信科技(深圳)有限公司 | Storage method, storage device and the terminal of multimedia resource |
| US9930070B2 (en) | 2015-11-11 | 2018-03-27 | International Business Machines Corporation | Modifying security policies of related resources |
| CN107124389A (en) * | 2016-02-25 | 2017-09-01 | 北京骄阳星天纪网络科技有限公司 | A kind of cloud data encryption analysis and processing method |
| CN106027552A (en) * | 2016-06-30 | 2016-10-12 | 中经汇通电子商务有限公司 | Method and system for accessing cloud storage data by user |
| CN106293540A (en) * | 2016-08-19 | 2017-01-04 | 成都全码特时代科技有限公司 | A kind of cloud date storage method |
| CN107872439A (en) * | 2016-09-28 | 2018-04-03 | 腾讯科技(深圳)有限公司 | A kind of personal identification method, apparatus and system |
| CN107872439B (en) * | 2016-09-28 | 2021-02-05 | 腾讯科技(深圳)有限公司 | Identity recognition method, device and system |
| CN106503133B (en) * | 2016-10-19 | 2020-06-19 | 北京小米移动软件有限公司 | Cloud disk data processing method and device |
| CN106503133A (en) * | 2016-10-19 | 2017-03-15 | 北京小米移动软件有限公司 | Cloud disk data processing method and device |
| CN107370604B (en) * | 2017-07-07 | 2019-05-31 | 华中科技大学 | A kind of more granularity access control methods under big data environment |
| CN107370604A (en) * | 2017-07-07 | 2017-11-21 | 华中科技大学 | A kind of more granularity access control methods under big data environment |
| CN109327491A (en) * | 2017-08-01 | 2019-02-12 | 触信(厦门)智能科技有限公司 | A kind of information telephone implementation method and its system, smart machine |
| CN109756446A (en) * | 2017-11-01 | 2019-05-14 | 中车株洲电力机车研究所有限公司 | A kind of access method and system of mobile unit |
| CN109756446B (en) * | 2017-11-01 | 2021-07-30 | 中车株洲电力机车研究所有限公司 | Access method and system for vehicle-mounted equipment |
| CN108282476A (en) * | 2018-01-19 | 2018-07-13 | 常州信息职业技术学院 | A kind of information security backup method and system |
| CN112311879A (en) * | 2020-10-30 | 2021-02-02 | 平安信托有限责任公司 | Method and device for limiting network disk uploading, computer equipment and storage medium |
| CN114928464A (en) * | 2022-03-21 | 2022-08-19 | 上海课亦信息科技有限公司 | Data cloud storage scheduling system based on internet |
| CN116232593A (en) * | 2023-05-05 | 2023-06-06 | 杭州海康威视数字技术股份有限公司 | Multi-password module sensitive data classification and protection method, equipment and system |
| CN116232593B (en) * | 2023-05-05 | 2023-08-25 | 杭州海康威视数字技术股份有限公司 | Multi-password module sensitive data classification and protection method, equipment and system |
| CN117439823A (en) * | 2023-12-20 | 2024-01-23 | 深圳市智安网络有限公司 | Cloud data intelligent authority authentication safety protection method and system |
| CN117439823B (en) * | 2023-12-20 | 2024-03-12 | 深圳市智安网络有限公司 | Cloud data intelligent authority authentication safety protection method and system |
Also Published As
| Publication number | Publication date |
|---|---|
| CN103763355B (en) | 2017-02-01 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN103763355A (en) | Cloud data uploading and access control method | |
| JP6383019B2 (en) | Multiple permission data security and access | |
| US10298555B2 (en) | Securing files under the semi-trusted user threat model using per-file key encryption | |
| AU2013101722A4 (en) | Data security management system | |
| CN103701611B (en) | Method for accessing and uploading data in data storage system | |
| TWI498015B (en) | Apparatus and methods for distributing and storing electronic access clients | |
| CN103067399B (en) | Wireless transmitter/receiver unit | |
| EP2909786B1 (en) | Controlling mobile device access to secure data | |
| CN102624699B (en) | Method and system for protecting data | |
| Ye et al. | Security analysis of Internet-of-Things: A case study of august smart lock | |
| CN106027552A (en) | Method and system for accessing cloud storage data by user | |
| CN103310169B (en) | A kind of method protecting SD card data and protection system | |
| US20140112470A1 (en) | Method and system for key generation, backup, and migration based on trusted computing | |
| TW201251482A (en) | Apparatus and methods for storing electronic access clients | |
| US8844009B2 (en) | Resilient device authentication system | |
| CN101827101A (en) | Information asset protection method based on credible isolated operating environment | |
| JP6371184B2 (en) | Data management system, data management method, and client terminal | |
| US11329817B2 (en) | Protecting data using controlled corruption in computer networks | |
| CN103686716A (en) | Android access control system for enhancing confidentiality and integrality | |
| CN105072134A (en) | Cloud disk system file secure transmission method based on three-level key | |
| CN104333544A (en) | Encryption method for data file based on mobile terminal | |
| US9154310B1 (en) | Resilient device authentication system | |
| CN107070881B (en) | Key management method, system and user terminal | |
| TWI611302B (en) | Method And System For Securely Sharing Content | |
| KR101680536B1 (en) | Method for Service Security of Mobile Business Data for Enterprise and System thereof |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| C06 | Publication | ||
| PB01 | Publication | ||
| C10 | Entry into substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| C14 | Grant of patent or utility model | ||
| GR01 | Patent grant |