CN105100076A - Cloud data security system based on USB Key - Google Patents

Cloud data security system based on USB Key Download PDF

Info

Publication number
CN105100076A
CN105100076A CN201510381592.0A CN201510381592A CN105100076A CN 105100076 A CN105100076 A CN 105100076A CN 201510381592 A CN201510381592 A CN 201510381592A CN 105100076 A CN105100076 A CN 105100076A
Authority
CN
China
Prior art keywords
data
usbkey
client
clouds
cloud
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201510381592.0A
Other languages
Chinese (zh)
Inventor
李清玉
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Inspur Electronic Information Industry Co Ltd
Original Assignee
Inspur Electronic Information Industry Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Inspur Electronic Information Industry Co Ltd filed Critical Inspur Electronic Information Industry Co Ltd
Priority to CN201510381592.0A priority Critical patent/CN105100076A/en
Publication of CN105100076A publication Critical patent/CN105100076A/en
Pending legal-status Critical Current

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/10Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/105Multiple levels of security
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0823Network architectures or network communication protocols for network security for authentication of entities using certificates
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3263Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00Network arrangements or protocols for supporting network services or applications
    • H04L67/01Protocols
    • H04L67/10Protocols in which an application is distributed across nodes in the network

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Storage Device Security (AREA)

Abstract

The invention discloses a cloud data security system based on a USB Key. The cloud data security system comprises a client and a cloud, the client is connected with the USB Key, the USB Key structurally comprises a control unit, a calculating unit, a storage unit, a cache unit and an input and output I/O logic module, and a digital certificate and a plurality of encryption algorithms and integrity detection algorithms are built in the USB Key; according to different security requirements of cloud data, different encryption algorithms are selected to finish encryption calculation of the cloud data, so as to satisfy the security demands and transmission security of different users; and the integrity detection algorithms are used for detecting the integrity of the cloud data with a block as a unit. Compared with the prior art, the cloud data security system based on USB Key can select different encryption algorithms according to the importance of the data and guarantee the integrity of the data at the same time, so as to satisfy the security demands of the users in a cloud calculation environment, and the cloud data security system is strong in practicability and is easy to promote.

Description

A kind of cloud data security system based on USB Key
Technical field
The present invention relates to field of information security technology, specifically a kind of practical, based on the cloud data security system of USBKey.
Background technology
Along with fast development and the application of cloud computing technology, more and more receive the concern of people.But the problem of data safety in cloud computing has become the key issue that restriction cloud computing is fast-developing and promote.In cloud computing, the data of all users all leave high in the clouds in, and result of calculation is returned to client by network.This brand-new network service mode, its security threat faced also is unprecedented.CSA points out in cloud computing safety message " TheNotoriousNineCloudComputingTopThreats (2013) ", and data corruption and loss of data are the topmost security threats that cloud computing faces.Due to being separated of data ownership and control, data have departed from the controlled range of user, cannot effectively control and manage concentratedly, the risk that there is unsafe factor He divulge a secret; Due to the concentrated storage of data, a lot of cloud tenant shares cloud computing resources and storage resources, and how effectively to isolate tenant data and to realize fine-grained access control, be have challenging problem; The concentrated storage of data, more easily suffers attack and the destruction of malicious attacker, as distributed denial of service attack DDoS etc.; In addition, in system for cloud computing, provider server obtains the priority access power of high in the clouds data, and malice administrative staff can check arbitrarily user's sensitive data, and even malice is deleted or Update Table, causes immeasurable loss to user.All these requires that cloud computing environment should provide safety precautions and management system, ensures that user data is not illegally used and reveals.
In addition, USBKey is a kind of hardware device of USB interface, and built-in single-chip microcomputer or intelligent card chip have certain memory space, can store private key and the digital certificate of user, and the public key algorithm utilizing USBKey built-in realizes the discriminating to user identity.Along with the development of USBKey technology and related manufacturing process, intelligent card function is further strengthened.
Based on this, a kind of cloud data security system based on USBKey is now provided, this system is by the flexibility characteristics of USBKey, carry out hardware enhancing to USBKey, embedded digital certificate and multiple encryption algorithms, integrity detection algorithm, make it have the function such as identity verify, data encrypting and deciphering, and according to the importance of data, different cryptographic algorithm can be selected, ensure the integrality of data simultaneously, meet the demand of secure user data under cloud computing environment.
Summary of the invention
Technical assignment of the present invention is for above weak point, provide a kind of practical, based on the cloud data security system of USBKey.
A kind of cloud data security system based on USBKey, comprise client and high in the clouds, described client's side link has USBKey, the structure of this USBKey comprises control unit, computing unit, memory cell, buffer unit, input and output I/O logic module, this USBKey embedded digital certificate and some cryptographic algorithm, integrity detection algorithm; According to the different safety requirements of high in the clouds data, select different cryptographic algorithm to complete the computations of cloud data, meet confidentiality requirement and the transmission security of different user; Utilize integrity detection algorithm, in units of block, detect the integrality of high in the clouds data.
In described USBKey,
Control unit is the core of this USBKey, for realizing coordinated operation and the control of other functional unit of USBKey;
Computing unit is used for the cloud data calculating operation needed for completing user, supports common crypto algorithm and integrity detection algorithm;
Memory cell is used for storage program and various data, and in chip running, independently complete the access of program or data;
Buffer unit is buffer zone, when USBKey carries out a large amount of cloud data calculating operation, and buffer memory data to be calculated and calculating intermediate object program;
Input and output I/O logic module is the input-output unit of USBKey, realizes the access transport between server data in subscription client and cloud computing environment.
Cloud data calculating operation needed for described computing unit completing user comprises the operation of deblocking, block encryption, block integrity detection; The common crypto algorithm supported comprises the close algorithm of DES, 3DES, AES and state; The integrity detection algorithm supported comprises MD5, SHA serial algorithm.
Described memory cell comprises RAM, read-only ROM and Flash flash memory, stores customer digital certificate and USBKey device certificate, provides the identity verify of user and equipment; Also store the cloud data encryption key of some, complete key management.
Described client is provided with following software: USBKey driving, access control module, identity verify module, negotiating algorithm module, key management module, deblocking integrate module, data encrypting and deciphering module, integrity detection module, cloud data management module module; High in the clouds part is then provided with access control module, identity verify module, negotiating algorithm module, integrity detection module.
Described client upload ciphertext part literary composition is given high in the clouds and is deciphered after downloading cryptograph files from this high in the clouds, and it is uploaded downloading process and is:
Client and high in the clouds are to USBKey device drives and initialization: import user and apparatus figure certificate, read in data to USBKey from client and complete computing, and by USBKey input and output I/O logic module, data are sent to high in the clouds storage with the form of ciphertext;
Client obtains encrypt data from high in the clouds, after USBKey deciphering and integrity detection, is processed data by user.
User data upload is to the process in high in the clouds:
1) access control: after USBKey is inserted into client USB port by user, USBKey sends cloud access request to high in the clouds;
After high in the clouds inspection is legal, this USBkey is allowed to be linked in cloud computing environment;
2) identity verify: user proposes data upload to high in the clouds request, cloud server differentiates the identity of request user;
3), after identity verify passes through, data processing and transmission is carried out:
A) negotiating algorithm: according to the importance of cloud data, client and high in the clouds negotiation data cryptographic algorithm and integrity detection algorithm, generate cloud data encryption key, be saved in the memory cell of USBKey by the metadata information of encryption key after its encrypted private key;
B) deblocking and encryption: user is according to preset data file partition strategy, data file is divided into the data block of fixed size, use the cloud data encryption key of aforementioned generation to adopt the cryptographic algorithm of consulting to be encrypted to each data block, utilize integrity detection algorithm to generate the digest value of this data block ciphertext simultaneously;
C) transfer of data: client, by data ciphertext and digest value splicing, then sends to high in the clouds by the order of piecemeal successively;
D) integrity detection: after high in the clouds receives ciphertext and ciphertext digest value, after disassembling into corresponding ciphertext and ciphertext digest value, the integrity detection algorithm consulted is used to detect the integrality of ciphertext, when inspection by after, acknowledge message is sent to client,, data ciphertext and digest value are saved in Cloud Server meanwhile, and preserve the metadata information of subscriber data file;
E) transmission response: after client receives high in the clouds acknowledge message, carries out record to the data block ID of wherein correct reception; If this data block does not correctly receive, then carry out the re-transmission of this data block, until all data block ciphertexts and ciphertext digest value all correctly send high in the clouds to;
F) client metadata is preserved: preserved by the blocking information of data file, complete cloud process in data.
In described access control step, in the request that client sends, comprise the mark ID of this USBKey, access client ip address or MAC Address, access request time, USBKey digital certificate;
After high in the clouds receives access request, first verify legitimacy and the validity of USBKey digital certificate;
By rear, identify ID to the USBKey in message and compare with the mark ID in digital certificate, whether both inspections are consistent: if inconsistent, then refuse the interface requests of client; Both conform to, then allow USBKey to access cloud computing environment;
Corresponding, in identity verify step, client sends the customer digital certificate that USBKey stores to high in the clouds, and high in the clouds checks legitimacy and the validity of customer digital certificate, by rear, and the identity verify of completing user.
Described encrypt data acquisition process is:
1) data download request: client sends data download request to high in the clouds, comprises Data Filename, client user ID, request time information;
2) high in the clouds access control: high in the clouds is compared with the user ID ID in its digital certificate the client user ID in data downloading request message, by after successively data block ciphertext and corresponding digest value will be sent to client according to deblocking order;
3) integrity checking: client gets the metadata information of this data file from USBKey memory cell.
Described metadata information comprises key ciphertext, for data file encryption, file size, cryptographic algorithm and parameter, integrity detection algorithm, temporal information, block number, block ID.
After client obtains encrypt data, the process of carrying out data processing is:
Client utilizes PKI by encryption key decrypt ciphertext, obtains data encryption key;
Client receives each data block ciphertext of high in the clouds transmission and the digest value of ciphertext, utilizes ciphertext digest value and corresponding integrity detection algorithm, checks the integrality of this data block ciphertext; If check by rear, client utilizes ciphertext enciphering/deciphering double secret key and corresponding decipherment algorithm, obtains the plaintext of this data block;
Client, by the plaintext of each data block, is a complete data file according to block ID sequence integration, completes cloud data downloading process.
A kind of cloud data security system based on USBKey of the present invention, has the following advantages:
A kind of cloud data security system based on USBKey that the present invention proposes, can be used for safe transmission and the integrity detection of protecting different brackets data in cloud environment, provides double factor identity verify, key management functions; The fail safe of user and high in the clouds transfer of data can not only be protected; and can according to the significance level of data; select cryptographic algorithm and the integrity detection algorithm of different intensity; can differentiate user identity according to digital certificate simultaneously; and support certain key management functions; fail safe is high, flexibility is strong, complete function, practical, be easy to promote.
Accompanying drawing explanation
Accompanying drawing 1 is the hardware configuration schematic diagram of USBKey of the present invention.
Accompanying drawing 2 is client of the present invention and high in the clouds modular structure schematic diagram.
Embodiment
Below in conjunction with the drawings and specific embodiments, the invention will be further described.
The invention provides a kind of cloud data security system based on USBKey, comprise client and high in the clouds, described client's side link has USBKey, this USBKey has control unit, computing unit (general-purpose computations, symmetric cryptography, integrality), memory cell (RAM, ROM, flash memory), buffer unit, input and output I/O logic module and corresponding driving and management software, embedded digital certificate and multiple encryption algorithms, integrity detection algorithm; According to the different safety requirements of cloud data, different cryptographic algorithm can be selected to complete the computations of cloud data, meet confidentiality requirement and the transmission security of different user; Utilizing integrity detection algorithm, can block be the integrality that unit detects cloud data.
As shown in Figure 1, in described USBKey, comprise control unit, computing unit, memory cell, buffer unit, input and output I/O logic module, wherein:
The core of control unit: USBKey, realizes coordinated operation and the control of other functional unit of USBKey.
Computing unit: the cloud data calculating operation needed for completing user, as operations such as deblocking, block encryption and decryption, block integrity detection, supports that common crypto algorithm is as the close algorithm of DES, 3DES, AES and state; Also support integrity detection algorithm MD5, SHA serial algorithm.
Memory cell: the major function of memory cell is storage program and various data, and can in chip running high speed, the access independently completing program or data.Memory cell comprises RAM, read-only ROM and Flash (flash memory), stores customer digital certificate and USBKey device certificate, provides the identity verify of user and equipment; Also can store the cloud data encryption key of some, support the key management of lightweight.The wherein information such as metadata, file encryption key of flash memory storage user and USBKey digital certificate, file and encryption/integrity detection algorithm;
Buffer unit: in order to improve the speed of data access and process, jumbo buffer unit is set in USBKey, this buffer unit as buffer zone, when USBKey carries out a large amount of cloud data calculating operation, buffer memory data to be calculated and calculate intermediate object program etc.
Input and output I/O logic module: the input-output unit of USBKey, realizes the access transport between server data in subscription client and cloud computing environment.
As shown in Figure 2, described client is provided with following software: USBKey driving, access control module, identity verify module, negotiating algorithm module, key management module, deblocking integrate module, data encrypting and deciphering module, integrity detection module, cloud data management module module; High in the clouds part is then provided with access control module, identity verify module, negotiating algorithm module, integrity detection module.
Described client upload ciphertext part literary composition is given high in the clouds and is deciphered after downloading cryptograph files from this high in the clouds, and it is uploaded downloading process and is:
Client and high in the clouds are to USBKey device drives and initialization: import user and apparatus figure certificate, read in data to USBKey from client and complete computing, and by USBKey input and output I/O logic module, data are sent to high in the clouds storage with the form of ciphertext;
Client obtains encrypt data from high in the clouds, after USBKey deciphering and integrity detection, is processed data by user.
User data upload to the process in high in the clouds is:
1) access control: after USBKey is inserted into client USB port by user, USBKey sends cloud access request to high in the clouds.The mark ID of this USBKey, access client ip address or MAC Address, access request time, USBKey digital certificate etc. is comprised in request.After high in the clouds receives access request, first verify legitimacy and the validity of USBKey digital certificate.By rear, identify ID to the USBKey in message and compare with the mark ID in digital certificate, whether both inspections are consistent.If inconsistent, then refuse the interface requests of client.Both conform to, then allow USBKey to access cloud computing environment.
2) identity verify: user proposes in data after cloud request, Cloud Server requires the identity differentiating request user.Client sends the customer digital certificate that USBKey stores to high in the clouds, and high in the clouds checks legitimacy and the validity of customer digital certificate, by rear, and the identity verify of completing user.
3) data processing and transmission:
A) negotiating algorithm: according to the importance of cloud data, client and high in the clouds negotiation data cryptographic algorithm and integrity detection algorithm, and generate cloud data encryption key, by the key ciphertext of encryption key after its encrypted private key, be saved in the flash memory of USBKey for the metadata information such as data file encryption, file size, cryptographic algorithm and parameter, integrity detection algorithm, time.
B) deblocking and encryption: user is according to preset data file partition strategy, data file is divided into the data block of fixed size (as 128M), use the cloud data encryption key of aforementioned generation to adopt the cryptographic algorithm of consulting to be encrypted to each data block, utilize integrity detection algorithm to generate the digest value of this data block ciphertext simultaneously.
C) transfer of data: client, by data ciphertext and digest value splicing, then sends to high in the clouds by the order of piecemeal successively.
D) integrity detection: after high in the clouds receives ciphertext and ciphertext digest value, after disassembling into corresponding ciphertext and ciphertext digest value, uses the integrity detection algorithm consulted to detect the integrality of ciphertext.If check by rear, send acknowledge message to client., data ciphertext and digest value are saved in Cloud Server meanwhile, and preserve the metadata information of subscriber data file.
E) transmission response: after client receives high in the clouds acknowledge message, carries out record to the data block ID of wherein correct reception.If this data block does not correctly receive, then carry out the re-transmission of this data block, until all data block ciphertexts and ciphertext digest value all correctly send high in the clouds to.
F) client metadata is preserved: by the blocking information of data file as meta-data preservations such as data block number, data block ID, complete cloud process in data.
After completing USBKey access control and user identity discriminating, data downloading process is:
(1), data download request: client sends data download request to high in the clouds, comprises the information such as Data Filename, client user ID, request time.
(2), high in the clouds access control: high in the clouds is compared with the user ID ID in its digital certificate the client user ID in data downloading request message.By after successively data block ciphertext and corresponding digest value will be sent to client according to deblocking order.
(3), integrity checking: client gets the metadata information of this data file from USBKey flash memory, as cryptographic algorithm and encryption key ciphertext, integrity detection algorithm, block number, block ID etc.
Client utilizes PKI by encryption key decrypt ciphertext, obtains data encryption key.
Client receives each data block ciphertext of high in the clouds transmission and the digest value of ciphertext, utilizes ciphertext digest value and corresponding integrity detection algorithm, checks the integrality of this data block ciphertext.If check by rear, client utilize ciphertext add (solutions) decryption key to and corresponding decipherment algorithm, obtain the plaintext of this data block.
Client, by the plaintext of each data block, is a complete data file according to block ID sequence integration, completes cloud data downloading process.
Embodiment:
Upload 2G data file report.dat to high in the clouds process for user now, the hardware configuration wherein related to is as shown in accompanying drawing 1, Fig. 2, when using this system carry out transfer of data and download, the access control of step 1), step 2) identity authentication all as described above, wherein the data processing of step 3) and the specific implementation process of transmitting step are:
A) negotiating algorithm: according to the importance of cloud data, client and negotiation data cryptographic algorithm AES(256 position, high in the clouds, CFB pattern) and integrity detection algorithm SHA-2, and generate cloud data encryption key k(256), by the key ciphertext of encryption key after its encrypted private key, be saved in the flash memory of USBKey for metadata informations such as data file encryption report.dat, file size 2G, cryptographic algorithm AES and parameter (256, CFB pattern), integrity detection algorithm SHA-2, times (2015-05-2110:32:54).
B) deblocking and encryption: data file, according to preset data file partition strategy, is divided into data block that fixed size is 128M and is numbered by user b 0, b 1..., b 15, each data block is used to the cloud data encryption key of aforementioned generation kthe cryptographic algorithm AES consulted is adopted to be encrypted c i= e k( b i), utilize integrity detection algorithm SHA-2 to generate the digest value of this data block ciphertext simultaneously m i= sHA-2( c i ).
C) transfer of data: client is by data ciphertext and digest value splicing c i|| m i, then send to high in the clouds successively by the order of piecemeal.
D) integrity detection: high in the clouds receives ciphertext and ciphertext digest value c i|| m iafter, disassemble into corresponding ciphertext c iand ciphertext digest value m iafter, use the integrity detection algorithm SHA-2 consulted to detect the integrality of ciphertext.If check by rear, send acknowledge message to client.Meanwhile, by data ciphertext c iand digest value m ibe saved in Cloud Server, and preserve subscriber data file metadata information (Data Filename report.dat, file size 2G, creation-time 2015-05-2110:33:40, data block number 16, data block ID: b 0, b 1..., b 15, memory location).
E) transmission response: after client receives high in the clouds acknowledge message, to the data block of wherein correct reception b icarry out record.If this data block does not correctly receive, then carry out the re-transmission of this data block, until all data block ciphertexts and ciphertext digest value all correctly send high in the clouds to.
F) client metadata is preserved: by the blocking information of data file report.dat as block number (16), data block block ID( b 0, b 1..., b 15) etc. meta-data preservation, complete cloud process in data.
Other step as described above.
The present invention is reconstructed USBKey, provides the close algorithm of conventional symmetric encipherment algorithm and state, integrity detection algorithm; Cell stores user and USBKey digital certificate, and the metadata that storing data files is relevant, and the cryptographic algorithm of consulting and integrity detection algorithm.USBKey drives and software comprises client and high in the clouds part, realizes the functions such as cloud Data Encryption Transmission, integrity detection.Solve the shortcoming that client functionality in prior art is single, lack flexibility, by apparatus figure certificate, realize the access control of USBKey; By customer digital certificate, realize user identity and differentiate; Multiple encryption algorithms and integrity detection algorithm are provided, are applicable to the requirement of the different encryption strength of data different brackets in cloud computing environment; The key management of certain function is provided.
The present invention is applicable to hardware encipher product, can be widely used in cloud computing environment, and protection cloud data transmission security, can bring considerable economic benefit.
Above-mentioned embodiment is only concrete case of the present invention; scope of patent protection of the present invention includes but not limited to above-mentioned embodiment; claims of any a kind of cloud data security system based on USBKey according to the invention and the those of ordinary skill of any described technical field to its suitable change done or replacement, all should fall into scope of patent protection of the present invention.

Claims (10)

1. the cloud data security system based on USBKey, it is characterized in that, comprise client and high in the clouds, described client's side link has USBKey, the structure of this USBKey comprises control unit, computing unit, memory cell, buffer unit, input and output I/O logic module, this USBKey embedded digital certificate and some cryptographic algorithm, integrity detection algorithm; According to the different safety requirements of high in the clouds data, select different cryptographic algorithm to complete the computations of cloud data, meet confidentiality requirement and the transmission security of different user; Utilize integrity detection algorithm, in units of block, detect the integrality of high in the clouds data.
2. a kind of cloud data security system based on USBKey according to claim 1, is characterized in that, in described USBKey,
Control unit is the core of this USBKey, for realizing coordinated operation and the control of other functional unit of USBKey;
Computing unit is used for the cloud data calculating operation needed for completing user, supports common crypto algorithm and integrity detection algorithm;
Memory cell is used for storage program and various data, and in chip running, independently complete the access of program or data;
Buffer unit is buffer zone, when USBKey carries out a large amount of cloud data calculating operation, and buffer memory data to be calculated and calculating intermediate object program;
Input and output I/O logic module is the input-output unit of USBKey, realizes the access transport between server data in subscription client and cloud computing environment.
3. a kind of cloud data security system based on USBKey according to claim 2, it is characterized in that, the cloud data calculating operation needed for described computing unit completing user comprises the operation of deblocking, block encryption, block integrity detection; The common crypto algorithm supported comprises the close algorithm of DES, 3DES, AES and state; The integrity detection algorithm supported comprises MD5, SHA serial algorithm;
Described memory cell comprises RAM, read-only ROM and Flash flash memory, stores customer digital certificate and USBKey device certificate, provides the identity verify of user and equipment; Also store the cloud data encryption key of some, complete key management.
4. a kind of cloud data security system based on USBKey according to claim 2, it is characterized in that, described client is provided with following software: USBKey driving, access control module, identity verify module, negotiating algorithm module, key management module, deblocking integrate module, data encrypting and deciphering module, integrity detection module, cloud data management module module; High in the clouds part is then provided with access control module, identity verify module, negotiating algorithm module, integrity detection module.
5. a kind of cloud data security system based on USBKey according to claim 4, is characterized in that, described client upload ciphertext part literary composition is given high in the clouds and deciphered after downloading cryptograph files from this high in the clouds, and it is uploaded downloading process and is:
Client and high in the clouds are to USBKey device drives and initialization: import user and apparatus figure certificate, read in data to USBKey from client and complete computing, and by USBKey input and output I/O logic module, data are sent to high in the clouds storage with the form of ciphertext;
Client obtains encrypt data from high in the clouds, after USBKey deciphering and integrity detection, is processed data by user.
6. a kind of cloud data security system based on USBKey according to claim 5, it is characterized in that, user data upload is to the process in high in the clouds:
1) access control: after USBKey is inserted into client USB port by user, USBKey sends cloud access request to high in the clouds;
After high in the clouds inspection is legal, this USBkey is allowed to be linked in cloud computing environment;
2) identity verify: user proposes data upload to high in the clouds request, cloud server differentiates the identity of request user;
3), after identity verify passes through, data processing and transmission is carried out:
A) negotiating algorithm: according to the importance of cloud data, client and high in the clouds negotiation data cryptographic algorithm and integrity detection algorithm, generate cloud data encryption key, be saved in the memory cell of USBKey by the metadata information of encryption key after its encrypted private key;
B) deblocking and encryption: user is according to preset data file partition strategy, data file is divided into the data block of fixed size, use the cloud data encryption key of aforementioned generation to adopt the cryptographic algorithm of consulting to be encrypted to each data block, utilize integrity detection algorithm to generate the digest value of this data block ciphertext simultaneously;
C) transfer of data: client, by data ciphertext and digest value splicing, then sends to high in the clouds by the order of piecemeal successively;
D) integrity detection: after high in the clouds receives ciphertext and ciphertext digest value, after disassembling into corresponding ciphertext and ciphertext digest value, the integrity detection algorithm consulted is used to detect the integrality of ciphertext, when inspection by after, acknowledge message is sent to client,, data ciphertext and digest value are saved in Cloud Server meanwhile, and preserve the metadata information of subscriber data file;
E) transmission response: after client receives high in the clouds acknowledge message, carries out record to the data block ID of wherein correct reception; If this data block does not correctly receive, then carry out the re-transmission of this data block, until all data block ciphertexts and ciphertext digest value all correctly send high in the clouds to;
F) client metadata is preserved: preserved by the blocking information of data file, complete cloud process in data.
7. a kind of cloud data security system based on USBKey according to claim 6, it is characterized in that, in described access control step, in the request that client sends, comprise the mark ID of this USBKey, access client ip address or MAC Address, access request time, USBKey digital certificate;
After high in the clouds receives access request, first verify legitimacy and the validity of USBKey digital certificate;
By rear, identify ID to the USBKey in message and compare with the mark ID in digital certificate, whether both inspections are consistent: if inconsistent, then refuse the interface requests of client; Both conform to, then allow USBKey to access cloud computing environment;
Corresponding, in identity verify step, client sends the customer digital certificate that USBKey stores to high in the clouds, and high in the clouds checks legitimacy and the validity of customer digital certificate, by rear, and the identity verify of completing user.
8. a kind of cloud data security system based on USBKey according to claim 5, it is characterized in that, described encrypt data acquisition process is:
1) data download request: client sends data download request to high in the clouds, comprises Data Filename, client user ID, request time information;
2) high in the clouds access control: high in the clouds is compared with the user ID ID in its digital certificate the client user ID in data downloading request message, by after successively data block ciphertext and corresponding digest value will be sent to client according to deblocking order;
3) integrity checking: client gets the metadata information of this data file from USBKey memory cell.
9. a kind of cloud data security system based on USBKey according to claim 6,7 or 8, it is characterized in that, described metadata information comprises key ciphertext, for data file encryption, file size, cryptographic algorithm and parameter, integrity detection algorithm, temporal information, block number, block ID.
10. a kind of cloud data security system based on USBKey according to claim 5, is characterized in that, after client obtains encrypt data, the process of carrying out data processing is:
Client utilizes PKI by encryption key decrypt ciphertext, obtains data encryption key;
Client receives each data block ciphertext of high in the clouds transmission and the digest value of ciphertext, utilizes ciphertext digest value and corresponding integrity detection algorithm, checks the integrality of this data block ciphertext; If check by rear, client utilizes ciphertext enciphering/deciphering double secret key and corresponding decipherment algorithm, obtains the plaintext of this data block;
Client, by the plaintext of each data block, is a complete data file according to block ID sequence integration, completes cloud data downloading process.
CN201510381592.0A 2015-07-03 2015-07-03 Cloud data security system based on USB Key Pending CN105100076A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201510381592.0A CN105100076A (en) 2015-07-03 2015-07-03 Cloud data security system based on USB Key

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201510381592.0A CN105100076A (en) 2015-07-03 2015-07-03 Cloud data security system based on USB Key

Publications (1)

Publication Number Publication Date
CN105100076A true CN105100076A (en) 2015-11-25

Family

ID=54579623

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201510381592.0A Pending CN105100076A (en) 2015-07-03 2015-07-03 Cloud data security system based on USB Key

Country Status (1)

Country Link
CN (1) CN105100076A (en)

Cited By (18)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106453384A (en) * 2016-11-09 2017-02-22 鹤荣育 Security cloud disk system and security encryption method thereof
CN106656972A (en) * 2016-10-14 2017-05-10 郑州云海信息技术有限公司 Data encryption method and device
CN106712929A (en) * 2016-12-30 2017-05-24 桂林电子科技大学 Encryption method for big data
CN107172078A (en) * 2017-06-27 2017-09-15 武汉蓝星软件技术有限公司 A kind of security control method and system of the core frame platform based on application service
CN107241345A (en) * 2017-06-30 2017-10-10 西安电子科技大学 Cloud computing resources management method based on UKey
CN107612875A (en) * 2016-08-31 2018-01-19 中国洛阳电子装备试验中心 A kind of safe cloud data transfer control method
CN108566431A (en) * 2018-04-20 2018-09-21 郑州云海信息技术有限公司 A kind of distributed memory system and construction method
CN108696533A (en) * 2018-06-20 2018-10-23 记忆科技(深圳)有限公司 Ensure the method, apparatus and computer equipment of data transfer layer transmission safety
CN110289957A (en) * 2019-07-03 2019-09-27 山东浪潮通软信息科技有限公司 File interaction encipher-decipher method between a kind of general system
CN111565210A (en) * 2019-12-05 2020-08-21 广州纪光新媒体***有限公司 Culture construction processing terminal supporting content import of cloud disk and mobile storage device
CN111726354A (en) * 2020-06-17 2020-09-29 梅州市悦思智能科技有限公司 Data transmission encryption equipment based on Internet of things
CN112039657A (en) * 2020-07-20 2020-12-04 北京邮电大学 Method, device, equipment and storage medium for generating key
CN112130773A (en) * 2020-11-24 2020-12-25 北京联想协同科技有限公司 Data access method, device and storage medium
CN112291055A (en) * 2019-07-24 2021-01-29 广东知业科技有限公司 Industrial internet data communication encryption method
CN113626838A (en) * 2021-07-19 2021-11-09 杭州加速科技有限公司 PCIE (peripheral component interface express) -based block encryption storage method and device
CN113836553A (en) * 2021-09-22 2021-12-24 北京计算机技术及应用研究所 Distributed storage data protection method for dynamic reconstruction of cryptographic algorithm
CN114615094A (en) * 2022-05-11 2022-06-10 蜂联智能(深圳)有限公司 Storage method and device based on Internet of things and security chip
CN115935400A (en) * 2023-03-10 2023-04-07 山东科技职业学院 Data encryption storage system based on industrial internet

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102420692A (en) * 2011-12-28 2012-04-18 广州杰赛科技股份有限公司 Safety authentication method and system of universal serial bus (USB) key of client terminal based on cloud computation
CN103118089A (en) * 2013-01-22 2013-05-22 华中科技大学 Safe storage method based on a plurality of cloud storage systems and system thereof
CN103457742A (en) * 2013-09-18 2013-12-18 浪潮电子信息产业股份有限公司 Security suite library system based on USB KEY
US20140297895A1 (en) * 2013-03-29 2014-10-02 International Business Machines Corporation Universal serial bus (usb) key functioning as multiple usb keys so as to efficiently configure different types of hardware

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102420692A (en) * 2011-12-28 2012-04-18 广州杰赛科技股份有限公司 Safety authentication method and system of universal serial bus (USB) key of client terminal based on cloud computation
CN103118089A (en) * 2013-01-22 2013-05-22 华中科技大学 Safe storage method based on a plurality of cloud storage systems and system thereof
US20140297895A1 (en) * 2013-03-29 2014-10-02 International Business Machines Corporation Universal serial bus (usb) key functioning as multiple usb keys so as to efficiently configure different types of hardware
CN103457742A (en) * 2013-09-18 2013-12-18 浪潮电子信息产业股份有限公司 Security suite library system based on USB KEY

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
YANGQING ZHU等: "《Research on Data Security Access Model of Cloud Computing Platform》", 《2015 2ND INTERNATIONAL CONFERENCE ON INFORMATION SCIENCE AND CONTROL ENGINEERING》 *

Cited By (23)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107612875A (en) * 2016-08-31 2018-01-19 中国洛阳电子装备试验中心 A kind of safe cloud data transfer control method
CN106656972A (en) * 2016-10-14 2017-05-10 郑州云海信息技术有限公司 Data encryption method and device
CN106453384A (en) * 2016-11-09 2017-02-22 鹤荣育 Security cloud disk system and security encryption method thereof
CN106712929A (en) * 2016-12-30 2017-05-24 桂林电子科技大学 Encryption method for big data
CN107172078B (en) * 2017-06-27 2020-09-04 武汉蓝星软件技术有限公司 Security management and control method and system of core framework platform based on application service
CN107172078A (en) * 2017-06-27 2017-09-15 武汉蓝星软件技术有限公司 A kind of security control method and system of the core frame platform based on application service
CN107241345A (en) * 2017-06-30 2017-10-10 西安电子科技大学 Cloud computing resources management method based on UKey
CN107241345B (en) * 2017-06-30 2020-07-17 西安电子科技大学 Cloud computing resource management method based on UKey
CN108566431A (en) * 2018-04-20 2018-09-21 郑州云海信息技术有限公司 A kind of distributed memory system and construction method
CN108696533A (en) * 2018-06-20 2018-10-23 记忆科技(深圳)有限公司 Ensure the method, apparatus and computer equipment of data transfer layer transmission safety
CN110289957A (en) * 2019-07-03 2019-09-27 山东浪潮通软信息科技有限公司 File interaction encipher-decipher method between a kind of general system
CN112291055A (en) * 2019-07-24 2021-01-29 广东知业科技有限公司 Industrial internet data communication encryption method
CN112291055B (en) * 2019-07-24 2024-03-29 广东知业科技有限公司 Industrial Internet data communication encryption method
CN111565210A (en) * 2019-12-05 2020-08-21 广州纪光新媒体***有限公司 Culture construction processing terminal supporting content import of cloud disk and mobile storage device
CN111726354A (en) * 2020-06-17 2020-09-29 梅州市悦思智能科技有限公司 Data transmission encryption equipment based on Internet of things
CN112039657A (en) * 2020-07-20 2020-12-04 北京邮电大学 Method, device, equipment and storage medium for generating key
CN112039657B (en) * 2020-07-20 2021-05-25 北京邮电大学 Method, device, equipment and storage medium for generating key
CN112130773A (en) * 2020-11-24 2020-12-25 北京联想协同科技有限公司 Data access method, device and storage medium
CN113626838A (en) * 2021-07-19 2021-11-09 杭州加速科技有限公司 PCIE (peripheral component interface express) -based block encryption storage method and device
CN113836553A (en) * 2021-09-22 2021-12-24 北京计算机技术及应用研究所 Distributed storage data protection method for dynamic reconstruction of cryptographic algorithm
CN113836553B (en) * 2021-09-22 2023-10-20 北京计算机技术及应用研究所 Distributed storage data protection method for dynamic reconstruction of cryptographic algorithm
CN114615094A (en) * 2022-05-11 2022-06-10 蜂联智能(深圳)有限公司 Storage method and device based on Internet of things and security chip
CN115935400A (en) * 2023-03-10 2023-04-07 山东科技职业学院 Data encryption storage system based on industrial internet

Similar Documents

Publication Publication Date Title
CN105100076A (en) Cloud data security system based on USB Key
CN109033855B (en) Data transmission method and device based on block chain and storage medium
US9698979B2 (en) QKD key management system
US9735962B1 (en) Three layer key wrapping for securing encryption keys in a data storage system
CN103138939B (en) Based on the key access times management method of credible platform module under cloud memory module
CN100487715C (en) Date safety storing system, device and method
WO2022199290A1 (en) Secure multi-party computation
EP2745212A1 (en) Virtual zeroisation system and method
CN101515319B (en) Cipher key processing method, cipher key cryptography service system and cipher key consultation method
CN102025503B (en) Data security implementation method in cluster environment and high-security cluster
US11316671B2 (en) Accelerated encryption and decryption of files with shared secret and method therefor
CN103246842A (en) Methods and devices for authentication and data encryption
CN101605137A (en) Safe distribution file system
CN105072107A (en) System and method for enhancing data transmission and storage security
CN111274599A (en) Data sharing method based on block chain and related device
CN111970114B (en) File encryption method, system, server and storage medium
CN103973698B (en) User access right revoking method in cloud storage environment
CN104065485A (en) Power grid dispatching mobile platform safety guaranteeing and controlling method
CN102986161A (en) Method for the cryptographic protection of an application
CN108965279A (en) Data processing method, device, terminal device and computer readable storage medium
CN104735020A (en) Method, device and system for acquiring sensitive data
CN105871858A (en) Method and system for ensuring high data safety
CN103944721A (en) Method and device for protecting terminal data security on basis of web
CN106257858A (en) The data ciphering method of a kind of remote storage device, Apparatus and system
Hussien et al. Scheme for ensuring data security on cloud data storage in a semi-trusted third party auditor

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
WD01 Invention patent application deemed withdrawn after publication

Application publication date: 20151125

WD01 Invention patent application deemed withdrawn after publication