CN108566277A - Deletion data copy method based on data storage location in cloud storage - Google Patents


Publication number
CN108566277A
Authority
CN
China
Legal status
Granted
Application number
CN201711402587.9A
Other languages
Chinese (zh)
Other versions
CN108566277B (en)
Inventor
宗跃
张俊伟
马建峰
王丹丹
杨超
李兴华
商磊
崔文璇
Current Assignee
Xidian University
Original Assignee
Xidian University

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3271Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using challenge-response
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/04Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/12Applying verification of the received information
    • H04L67/00Network arrangements or protocols for supporting network services or applications
    • H04L67/01Protocols
    • H04L67/10Protocols in which an application is distributed across nodes in the network
    • H04L67/1097Protocols in which an application is distributed across nodes in the network for distributed storage of data in networks, e.g. transport arrangements for network file system [NFS], storage area networks [SAN] or network attached storage [NAS]
    • H04L9/06Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
    • H04L9/0643Hash functions, e.g. MD5, SHA, HMAC or f9 MAC
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0819Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • H04L9/0822Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) using key encryption key
    • H04L9/083Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) involving central third party, e.g. key distribution center [KDC] or trusted third party [TTP]
    • H04L9/3236Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions
    • H04L9/3239Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions involving non-keyed hash functions, e.g. modification detection codes [MDCs], MD5, SHA or RIPEMD

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Power Engineering (AREA)
  • Storage Device Security (AREA)

Abstract

The invention discloses a method for deleting data copies based on data storage location in cloud storage. Its steps are: the user generates challenges and sends them to the proofers; the proofers send their corresponding messages to the cloud storage service device at different moments; the cloud storage service device calculates experimental evidence and returns it to the proofers; the proofers judge whether the cloud storage service device is located at the position specified by the user, from the moment at which they receive the experimental evidence and from its content. If the cloud storage service device is located at the position specified by the user, it stores the user data and deletes data copies; otherwise, the user does not transmit data. The invention can delete data copies whose storage location satisfies a given geographic location condition, meeting users' individual requirements while improving security.

Description

Deletion data copy method based on data storage location in cloud storage
Technical field
The invention belongs to the field of information security technology, and further relates to a method, within the field of network information security, for deleting data copies based on data storage location in cloud storage. The invention can be applied to cloud storage scenarios: for cloud storage service devices that satisfy a given geographic location condition, it uses the secure deduplication technology of cloud computing to delete the user data copies stored in the cloud storage service device and, while deleting data copies, ensures the security of the data during transmission and storage.
Background technology
Data copy deletion is the process of removing redundant data, and is a lossless form of data compression. With the continuous development of cloud computing, cloud computing security problems have become increasingly prominent. When the cloud server is not trusted by users, users need to encrypt files before uploading them to the cloud storage service device, but data encryption seriously hampers the use of deduplication technology. Deduplication and encryption are opposed: deduplication aims to save storage space, whereas encryption aims to make ciphertext indistinguishable from a large amount of random data. Therefore, the cloud storage service device must combine data encryption with deduplication technology in order to achieve efficient storage.
Tao Jiang and Xiaofeng Chen, in their paper "Secure and Efficient Cloud Data Deduplication With Randomized Tag" (IEEE Transactions on Information Forensics and Security, Vol. 12, No. 3, March 2017), disclose a method for deleting data copies. The method first encrypts user data with the convergent encryption (CE) method, using the hash value of each data block as the convergence key. Next, because identical data yields identical data ciphertext after the hash operation, identical tag values are generated. Before a user stores data in the cloud storage service device, the cloud storage service device checks whether a tag value identical to the tag value of that data already exists, and decides from the result whether to store the data. If an identical tag value already exists in the cloud storage service device, the user does not need to send the data ciphertext; only a pointer indicating the owner of the data is added. If no identical tag value exists, the user sends the data ciphertext directly to the cloud storage service device, which stores it. This method resolves the conflict between encryption and deduplication. Its remaining shortcoming is that it cannot resist collusion attacks by adversaries: the key may leak, which in turn leaks the data.
Nanjing University of Science and Technology, in its patent application "Client-side secure deduplication of ciphertext data in cloud storage" (patent application number: 201610539947.9, publication number: CN 105939191A), discloses a client-side secure deduplication method for ciphertext in cloud storage. The method constructs a secure key generation protocol based on Proxy Signature, realizes secondary encryption of the convergence key, which guarantees the security of the key, and on this basis proposes a new signature-based proof-of-ownership method. It allows a user to prove to the cloud server, in a more secure and efficient way, that the user really possesses a given file in the cloud, and at the same time achieves deduplication of ciphertext files. Its remaining shortcoming is that it cannot meet users' individual requirement of deleting data whose storage location is a user-specified position, and it cannot support position verification to ensure the legitimacy of the data storage location.
Sometimes, according to the user's individual requirements, data copies may be deleted only for data whose storage location satisfies a given geographic location condition. From the user's perspective, because of certain specific requirements or certain laws and regulations, data must be stored within a given geographic range. From the perspective of the cloud storage service device, deleting redundant data is very necessary in order to save storage space, improve system performance and reduce hardware and software maintenance costs. However, the current representative protocols that can guarantee data storage location, such as the Lost protocol and the Geoproof protocol, cannot support data deduplication, and the existing schemes for deleting data copies cannot support position verification. It is therefore necessary to design a method that supports both data storage location verification and secure deduplication, that is, a method for deleting data copies based on data storage location in cloud storage, so that data copies can be deleted only for data that satisfies a given location attribute.
Invention content
The object of the invention is to address the above deficiencies of the prior art by proposing a method for deleting data copies based on data storage location in cloud storage. The method judges the position of the cloud storage service device using position-based cryptography and applies this to the deletion of data copies, meeting users' individual requirements and improving security.
The idea behind the invention is as follows: the user generates challenges and sends them to the proofers; the proofers send their corresponding messages to the cloud storage service device at different moments; the cloud storage service device calculates experimental evidence and returns it to the proofers; the proofers judge whether the cloud storage service device is located at the position specified by the user, from the moment at which they receive the experimental evidence and from its content. According to the user's individual requirements, if the cloud storage service device is located at the position specified by the user, it stores the user data and deletes data copies; otherwise, the user does not transmit data.
The invention deletes data copies of user data whose storage location is the designated position, and comprises the following steps:
(1) Generate keys and tags:
(1a) The user calculates the hash value of each plaintext to be encrypted and uses each hash value as a convergence key;
(1b) The user encrypts the plaintext with the convergence key to generate the corresponding data ciphertext, calculates the hash value of each data ciphertext, and uses each hash value as a tag;
(1c) The user and the cloud storage service device negotiate jointly to generate the arranging key;
(2) The user generates the challenges:
(2a) The user encrypts the convergence key with the arranging key to generate a ciphertext, and sends the ciphertext to the trusted third-party key management server;
(2b) The trusted third-party key management server generates a random parameter;
(2c) The trusted third-party key management server XORs the random parameter with the received ciphertext, calculates the hash value of the XOR result, and uses that hash value as challenge H;
(2d) The user generates challenge Z using the pseudo-random function PRF;
(3) The user issues the challenges:
The user sends the two challenges H and Z to the proofers over a secure hidden channel;
(4) The cloud storage service device calculates the experimental evidence:
(4a) The first proofer generates two random numbers;
(4b) The first proofer sends the two generated random numbers to the remaining proofers;
(4c) The user sends the arranging key to the second proofer;
(4d) Each proofer other than the first generates two random strings;
(4e) Each proofer other than the first generates two bit strings with very high min-entropy;
(4f) The user designates the data storage location in the cloud storage network;
(4g) Each proofer calculates the time required for the message it sends to reach the designated data storage location;
(4h) A moment T is set, whose value is greater than or equal to the maximum of the times required for the messages sent by all proofers to reach the designated data storage location;
(4i) At the moment equal to the set moment T minus the time required for its own message to reach the designated data storage location, the first proofer sends the two random numbers it generated to the cloud storage service device, the second proofer sends the arranging key and the bit strings it generated to the cloud storage service device, and each remaining proofer sends the bit strings it generated to the cloud storage service device;
(4j) At the set moment T, the cloud storage service device calculates experimental evidence r and experimental evidence s using the XOR method;
(5) The cloud storage service device calculates the encryption key:
At the set moment T, the cloud storage service device uses the received bit strings and the arranging key to generate, through repeated pseudo-random iterative calculation, a pseudo-random string with very high min-entropy, where the number of pseudo-random calculations equals the number of proofers minus 1; the generated pseudo-random string with very high min-entropy is used as the encryption key;
(6) The proofers verify the position of the cloud storage service device:
(6a) The cloud storage service device sends the experimental evidence to all proofers;
(6b) Each proofer records the moment at which it receives the experimental evidence sent by the cloud storage service device;
(6c) The set moment T is added to the time required for the message sent by each proofer to reach the designated data storage location, giving the moment at which that proofer should receive the experimental evidence;
(7) Judge whether the cloud storage service device is located at the designated position; if so, verification succeeds and step (8) is executed; otherwise, verification fails and step (12) is executed;
(8) Delete data copies:
(8a) The first proofer feeds back the signal "delete data copy" to the user and, at the same time, the signal "deduplication check" to the cloud storage service device;
(8b) The user sends the tag of the data to be encrypted to the cloud storage service device;
(9) Check whether a tag identical to the tag of the data to be encrypted exists in the cloud storage service device; if so, execute step (10); otherwise, execute step (11);
(10) The user adds a pointer:
The user does not send the ciphertext to the cloud storage service device; a pointer to the user is added instead;
(11) The cloud storage service device stores the ciphertext:
(11a) The cloud storage service device sends the generated encryption key to the user;
(11b) The user encrypts the data to be encrypted with the encryption key to obtain the ciphertext;
(11c) The user sends the ciphertext to the cloud storage service device;
(11d) The cloud storage service device stores the received ciphertext;
(12) The user does not transmit data:
(12a) The first proofer feeds back the signal "do not transmit data" to the user and, at the same time, the signal "position requirement not met" to the cloud storage service device;
(12b) The user does not send the data to be encrypted.
Compared with the prior art, the present invention has the following advantages:
First, in the steps in which the cloud storage service device calculates the experimental evidence and the proofers verify the position of the cloud storage service device, each proofer sends its message to the cloud storage service device and records the moment at which the cloud storage service device returns the verification evidence and the content of that evidence, so the position at which the data is stored is verified jointly by multiple proofers. Because multiple proofers are used, the failure of any single proofer's verification shows that the cloud storage service device is not located at the designated position; only when all proofers verify successfully is the cloud storage service device shown to be located at the designated position. The invention can therefore resist collusion attacks by multiple adversaries against position verification, overcoming the inability of the prior art to resist collusion attacks by adversaries, so that the invention better ensures the security of data during transmission and storage while deleting data copies.
Second, in the step in which the proofers verify the position of the cloud storage service device, the cloud storage service device sends the verification evidence to all proofers, and the location information of the cloud storage service device serves as the sole evidence for verification. If the cloud storage service device is not located at the designated position, it cannot pass verification. This overcomes the inability of the prior art to support data storage location verification: the invention can accurately verify whether the data storage location is the designated position, and the cloud storage service device passes verification only when it is located at the designated position. The invention thereby ensures the legitimacy of the data storage location and ensures that data copies are deleted only when user data is stored at the designated position, better ensuring the security of the data storage location.
Third, in the step in which the cloud storage service device calculates the encryption key, the cloud storage service device uses the received bit strings and the arranging key to generate a pseudo-random string through repeated pseudo-random iterative calculation, and uses the generated pseudo-random string as the encryption key. When the cloud storage service device stores the ciphertext, it sends the generated encryption key to the user if it is located at the designated position, which ensures that the user can obtain the key only when the data storage location is the designated position. This overcomes the problem in the prior art that the key may leak during encryption and in turn leak the plaintext: the invention ensures that the user can obtain the encryption key only when the data storage location meets the requirement, better ensuring the security of the encryption key.
Fourth, in the step of deleting data copies, the user sends the tag of the data to be encrypted to a cloud storage service device located at the designated position, and does not transmit data to a cloud storage service device that is not located at the designated position. This meets users' individual requirements: copies are deleted for data whose storage location is the designated position, and the position-based cryptographic protocol is combined with secure deduplication technology. This overcomes the shortcoming that the prior art cannot meet users' individual requirement of deleting data whose storage location is a user-specified position, so that the invention, while ensuring the security of the data and of the storage location during the deletion of data copies, can provide a secure data copy deletion service according to users' individual requirements.
Description of the drawings
Fig. 1 is a flow chart of the present invention;
Fig. 2 is a schematic diagram of the user generating the convergence key, tag and challenges in the present invention;
Fig. 3 is a schematic diagram of data storage location verification in the present invention;
Fig. 4 is a flow chart of verifying the position of the cloud storage service device in the present invention;
Fig. 5 is a flow chart of data storage in the present invention.
Specific implementation mode
The invention will be further described below in conjunction with the accompanying drawings.
With reference to Fig. 1, the specific implementation steps of the invention are further described.
Step 1: generate keys and tags.
The user calculates the hash value of each plaintext to be encrypted and uses each hash value as a convergence key.
The user encrypts the plaintext with the convergence key to generate the corresponding data ciphertext, calculates the hash value of each data ciphertext, and uses each hash value as a tag.
The user and the cloud storage service device negotiate jointly to generate the arranging key.
Step 2: the user generates the challenges.
As shown in Fig. 2, the user generates the challenges as follows:
The user encrypts the convergence key with the arranging key to generate a ciphertext, and sends the ciphertext to the trusted third-party key management server.
The trusted third-party key management server generates a random parameter.
The trusted third-party key management server XORs the random parameter with the received ciphertext, calculates the hash value of the XOR result, and uses that hash value as challenge H.
The user generates challenge Z using the pseudo-random function PRF.
With reference to Fig. 2, the schematic diagram of the user generating the convergence key, tag and challenges, the process in step 2 above by which the user generates the convergence key, tag and challenges is further described. There are three entities in Fig. 2: the user, the trusted third-party key management server and the cloud storage service device. The user hashes the data to obtain the convergence key; the hash calculation can use hash functions such as SHA-1 or SHA-256. Because of the properties of hash functions, identical data to be encrypted produces identical hash values, that is, identical convergence keys. The user then encrypts the data with the convergence key to obtain the data ciphertext, and applies the hash function to the data ciphertext to obtain the tag. The user negotiates with the cloud storage service device to generate the arranging key, encrypts the convergence key with the arranging key to obtain a ciphertext, and sends the ciphertext to the trusted third-party key management server. After receiving the ciphertext, the trusted third-party key management server generates a random number, then generates challenge H and returns challenge H to the user. The user generates challenge Z using the pseudo-random function.
Challenge Z is implemented as follows: the user selects parameters c, k, l and a function $f:\{0,1\}^c\times\{0,1\}^k\to\{0,1\}^l$, and generates the challenge $Z=f_W$, where c denotes the length of the input data, k the length of the key, l the length of the output data, and W a key of length k, $W\in\{0,1\}^k$. With key W selected, the pseudo-random function PRF outputs a challenge Z of fixed length l.
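As an added illustration of steps 1 and 2 (an example written for this page, not code from the patent), the Python below derives the convergence key, data ciphertext and tag, then builds challenges H and Z. The SHA-256 keystream cipher, HMAC-SHA256 as the PRF, the PRF input `x`, the 32-byte lengths and all function names are assumptions; the arranging key appears as `negotiated_key`.

```python
import hashlib
import hmac


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Deterministic stand-in cipher (assumption): XOR with a SHA-256 counter
    keystream. Applying it twice with the same key restores the input."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        pad = hashlib.sha256(key + (offset // 32).to_bytes(8, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[offset:offset + 32], pad))
    return bytes(out)


def convergent_encrypt(plaintext: bytes):
    """Step 1: convergence key = H(plaintext); tag = H(data ciphertext)."""
    conv_key = hashlib.sha256(plaintext).digest()
    ciphertext = keystream_xor(conv_key, plaintext)
    tag = hashlib.sha256(ciphertext).digest()
    return conv_key, ciphertext, tag


def make_challenge_h(conv_key: bytes, negotiated_key: bytes, random_param: bytes) -> bytes:
    """Step 2a-2c: the user wraps the convergence key under the arranging key;
    the key management server XORs in its random parameter and hashes."""
    wrapped = keystream_xor(negotiated_key, conv_key)       # user side (2a)
    if len(random_param) != len(wrapped):
        raise ValueError("random parameter must match the wrapped key length")
    mixed = bytes(a ^ b for a, b in zip(wrapped, random_param))  # server side (2c)
    return hashlib.sha256(mixed).digest()


def make_challenge_z(w: bytes, x: bytes, out_len: int = 32) -> bytes:
    """Step 2d: Z = f_W(x), here HMAC-SHA256 keyed with W, truncated to l bytes.
    The input x is an assumption; the page does not name the PRF input."""
    if not 0 < out_len <= 32:
        raise ValueError("out_len must be between 1 and 32 bytes")
    return hmac.new(w, x, hashlib.sha256).digest()[:out_len]


# Constructed sample values, not taken from the patent.
SAMPLE = b"quarterly-report-v1 (constructed sample data)"
NEGOTIATED_KEY = b"N" * 32

if __name__ == "__main__":
    key_a, ct_a, tag_a = convergent_encrypt(SAMPLE)   # first uploader
    key_b, ct_b, tag_b = convergent_encrypt(SAMPLE)   # second uploader, same data
    print("tags match, so the tag check can detect the duplicate:", tag_a == tag_b)
    h1 = make_challenge_h(key_a, NEGOTIATED_KEY, b"\x01" * 32)
    h2 = make_challenge_h(key_a, NEGOTIATED_KEY, b"\x02" * 32)
    print("challenge H changes with the server's random parameter:", h1 != h2)
    print("challenge Z:", make_challenge_z(b"W" * 16, b"session-1", 16).hex())
```

Identical plaintexts give identical tags, which is what the later tag comparison relies on, while challenge H is bound to the fresh random parameter chosen by the key management server.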
Step 3: the user issues the challenges.
The user sends the two challenges H and Z to the proofers over a secure hidden channel.
Step 4: the cloud storage service device calculates the experimental evidence.
The first proofer generates two random numbers.
The first proofer sends the two generated random numbers to the remaining proofers.
The user sends the arranging key to the second proofer.
Each proofer other than the first generates two random strings.
Each proofer other than the first generates two bit strings with very high min-entropy. The two bit strings are generated as follows: each proofer other than the first takes the two random numbers generated by the first proofer and the two random strings it generated itself as the input of the pseudo-random function, calculates two pseudo-random numbers with the pseudo-random function, and XORs the two pseudo-random numbers with challenge H and challenge Z respectively, obtaining two bit strings with very high min-entropy.
The user designates the data storage location in the cloud storage network.
Each proofer calculates the time required for the message it sends to reach the designated data storage location.
A moment T is set, whose value is greater than or equal to the maximum of the times required for the messages sent by all proofers to reach the designated data storage location.
At the moment equal to the set moment T minus the time required for its own message to reach the designated data storage location, the first proofer sends the two random numbers it generated to the cloud storage service device, the second proofer sends the arranging key and the bit strings it generated to the cloud storage service device, and each remaining proofer sends the bit strings it generated to the cloud storage service device.
At the set moment T, the cloud storage service device calculates experimental evidence r and experimental evidence s using the XOR method. The XOR method is: at the set moment T, the cloud storage service device XORs the received pseudo-random number with the two received random numbers generated by the first proofer, and then XORs the result with the bit string.
Step 5, the cloud storage service device calculates the encryption key.
At the set moment T, the cloud storage service device uses the received bit strings and the arranging key to generate, through repeated pseudo-random iteration, a pseudo-random string with very high minimum entropy. The number of pseudo-random computations equals the number of proofers minus 1. The generated pseudo-random string with very high minimum entropy is used as the encryption key. The pseudo-random iteration is as follows:
First step: the cloud storage service device takes the arranging key and the random string generated by the second proofer as the input of the pseudo-random function and calculates a pseudo-random number with the pseudo-random function;
Second step: the result of that calculation and the random string generated by the third proofer are taken as the input of the pseudo-random function, and a pseudo-random number is calculated with the pseudo-random function;
Third step: the result of that calculation and the random string generated by the fourth proofer are taken as the input of the pseudo-random function, and a pseudo-random number is calculated with the pseudo-random function;
The above steps are repeated, and the iteration stops once the random string generated by every proofer has been used as input of the pseudo-random function.
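The pseudo-random iteration of step 5, as an added example that is not part of the patent text. It assumes HMAC-SHA256 as the pseudo-random function, with the running value as the PRF key and each proofer's string as the message; the function names and the sample values are constructed for illustration.

```python
import hashlib
import hmac


def prf(key: bytes, message: bytes) -> bytes:
    """Stand-in PRF: HMAC-SHA256 (assumption; the page does not name one)."""
    return hmac.new(key, message, hashlib.sha256).digest()


def derive_encryption_key(arranging_key: bytes, proofer_strings: list) -> tuple:
    """Chain the PRF over the strings of proofers 2..n, in that order.

    Returns (encryption_key, intermediates). Using the running value as the
    PRF key and the proofer's string as the message is an assumption.
    """
    if not proofer_strings:
        raise ValueError("at least two proofers are required")
    state, intermediates = arranging_key, []
    for string in proofer_strings:
        state = prf(state, string)      # one PRF computation per proofer 2..n
        intermediates.append(state)
    return state, intermediates


# Constructed sample values for four proofers (proofer 1 contributes no string).
ARRANGING_KEY = hashlib.sha256(b"constructed arranging key").digest()
STRINGS = [b"string of proofer 2", b"string of proofer 3", b"string of proofer 4"]


def demo() -> dict:
    key, steps = derive_encryption_key(ARRANGING_KEY, STRINGS)
    # A server that has not received proofer 3's string by moment T cannot
    # reproduce the chain and ends up with a different key.
    partial, _ = derive_encryption_key(ARRANGING_KEY, [STRINGS[0], STRINGS[2]])
    return {"rounds": len(steps), "key": key, "partial_matches": partial == key}


if __name__ == "__main__":
    result = demo()
    print(result["rounds"], result["key"].hex(), result["partial_matches"])
```

With four proofers the chain runs three PRF computations, matching the rule that the count equals the number of proofers minus 1.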
Step 6, the proofers verify the position of the cloud storage service device.
The cloud storage service device sends the experimental evidence to all proofers.
Each proofer records the moment at which it receives the experimental evidence sent by the cloud storage service device.
The set moment T is added to the time needed for the message sent by each proofer to reach the specified data storage location, giving the moment at which that proofer should receive the experimental evidence.
The data storage location verification process of the present invention is further explained with reference to the data storage location verification schematic in Figure 3. Assume there are 4 proofers: proofer 1, proofer 2, proofer 3 and proofer 4. At the moment equal to the set moment T minus the time required for the message sent by proofer 1 to reach the specified data storage location, proofer 1 sends the two random numbers it generated, random number 1 and random number 2, to the cloud storage service device. At the moment equal to the set moment T minus the time required for the message sent by proofer 2 to reach the specified data storage location, proofer 2 sends the arranging key and the two bit strings it generated, bit string 1.1 and bit string 1.2, to the cloud storage service device. At the moment equal to the set moment T minus the time required for the message sent by proofer 3 to reach the specified data storage location, proofer 3 sends the two bit strings it generated, bit string 2.1 and bit string 2.2, to the cloud storage service device. At the moment equal to the set moment T minus the time required for the message sent by proofer 4 to reach the specified data storage location, proofer 4 sends the two bit strings it generated, bit string 3.1 and bit string 3.2, to the cloud storage service device. This ensures that the messages sent by all proofers arrive simultaneously, at the set moment T, at a cloud storage service device located at the specified position. At the set moment T, the cloud storage service device calculates the experimental evidence from the received messages using the XOR method and returns the experimental evidence to the proofers.
Step 7 is further described below with reference to the flow chart for verifying the cloud storage service device position in Figure 4.
Step 7, judge whether the cloud storage service device is located at the specified position. If so, verification succeeds and step 8 is executed; otherwise, verification fails and step 12 is executed. Being located at the specified position means that the position of the cloud storage service device satisfies the following three conditions simultaneously:
Condition 1: the moment recorded by each proofer equals the moment at which it should receive the experimental evidence;
Condition 2: the hash of experimental evidence r equals the hash of challenge H;
Condition 3: the hash of experimental evidence s equals the hash of challenge Z.
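The send schedule of step 4, the expected receipt moments of step 6 and the three conditions of step 7, as an added example that is not part of the patent text. It assumes planar coordinates in kilometres, signals travelling at the speed of light, zero processing time at the server, SHA-256 as the hash, and a small tolerance for floating-point comparison; all names and positions are constructed.

```python
import hashlib
import math

C_KM_PER_S = 299_792.458  # assumed propagation speed (speed of light)

# Constructed positions in km: four proofers and the specified storage location.
PROOFERS = [(0.0, 0.0), (600.0, 0.0), (0.0, 600.0), (600.0, 600.0)]
CLAIMED = (200.0, 300.0)


def travel_time(a, b) -> float:
    """Seconds for a message to travel between two (x, y) points."""
    return math.dist(a, b) / C_KM_PER_S


def schedule(proofers, claimed):
    """Return (T, send_moments, expected_receipt_moments)."""
    delays = [travel_time(p, claimed) for p in proofers]
    T = max(delays)                     # T >= the largest travel time
    send = [T - d for d in delays]      # all messages reach `claimed` at T
    expected = [T + d for d in delays]  # evidence sent at T arrives at T + d
    return T, send, expected


def observed_receipt(proofers, send, actual):
    """Receipt moments when the server really sits at `actual`.

    The server can only compute the evidence after the last message arrives.
    """
    ready = max(s + travel_time(p, actual) for p, s in zip(proofers, send))
    return [ready + travel_time(actual, p) for p in proofers]


def verify_position(expected, observed, r, s, H, Z, tol=1e-9) -> bool:
    """Conditions 1 to 3 of step 7; `tol` is an assumed float tolerance."""
    sha = lambda data: hashlib.sha256(data).digest()
    cond1 = all(abs(e - o) <= tol for e, o in zip(expected, observed))
    cond2 = sha(r) == sha(H)
    cond3 = sha(s) == sha(Z)
    return cond1 and cond2 and cond3


def demo() -> tuple:
    H, Z = b"constructed challenge H", b"constructed challenge Z"
    _, send, expected = schedule(PROOFERS, CLAIMED)
    honest = observed_receipt(PROOFERS, send, CLAIMED)
    moved = observed_receipt(PROOFERS, send, (450.0, 100.0))
    return (verify_position(expected, honest, H, Z, H, Z),
            verify_position(expected, moved, H, Z, H, Z))


if __name__ == "__main__":
    print(demo())
```

A server at any other point receives at least one message after T, so its evidence cannot reach every proofer at the expected moment even when r and s are correct.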
Steps 8, 9, 10, 11 and 12 are further described below with reference to the data storage flow chart in Figure 5.
Step 8, delete the data copy.
The first proofer feeds the signal "deleting data copy" back to the user and, at the same time, feeds the signal "duplicate removal inspection" back to the cloud storage service device.
The user sends the label of the data to be encrypted to the cloud storage service device.
Step 9, check whether a label identical to the label of the data to be encrypted exists in the cloud storage service device. If so, execute step 10; otherwise, execute step 11.
Step 10, a pointer is added for the user.
A pointer to the user is added, and the user does not send ciphertext to the cloud storage service device.
Step 11, the cloud storage service device stores the ciphertext.
The cloud storage service device sends the generated encryption key to the user.
The user encrypts the data to be encrypted with the encryption key, obtaining the ciphertext.
The user sends the ciphertext to the cloud storage service device.
The cloud storage service device stores the received ciphertext.
Step 12, the user does not send data.
The first proofer feeds the signal "not transmission data" back to the user and, at the same time, feeds the signal "status requirement not met" back to the cloud storage service device.
The user does not send the data to be encrypted.
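The storage flow of steps 8 to 12, as an added example that is not part of the patent text. It assumes SHA-256 as the hash and, in place of a real cipher, a SHA-256 counter keystream XOR that only stands in for the unnamed encryption algorithm; the class, function names and sample data are constructed.

```python
import hashlib


def xor_cipher(key: bytes, data: bytes) -> bytes:
    """Stand-in deterministic cipher (assumption): XOR with a SHA-256 keystream.

    Applying it twice with the same key returns the original data.
    """
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hashlib.sha256(key + offset.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], block))
    return bytes(out)


def make_label(plaintext: bytes) -> str:
    """Label from the key-and-label step: hash of the convergence-key ciphertext."""
    convergence_key = hashlib.sha256(plaintext).digest()
    return hashlib.sha256(xor_cipher(convergence_key, plaintext)).hexdigest()


class CloudStore:
    """Minimal model of the cloud storage service device's label index."""

    def __init__(self, encryption_key: bytes):
        self.encryption_key = encryption_key  # key produced in step 5
        self.ciphertexts = {}                 # label -> stored ciphertext
        self.pointers = {}                    # label -> set of users


def upload(store: CloudStore, user: str, plaintext: bytes, position_ok: bool) -> str:
    if not position_ok:                       # step 12: nothing is sent
        return "not sent"
    label = make_label(plaintext)             # step 8: user sends the label
    if label in store.ciphertexts:            # step 9: identical label exists
        store.pointers[label].add(user)       # step 10: pointer, no ciphertext
        return "pointer added"
    key = store.encryption_key                # step 11: server sends the key
    store.ciphertexts[label] = xor_cipher(key, plaintext)
    store.pointers[label] = {user}
    return "ciphertext stored"


def demo() -> list:
    store = CloudStore(hashlib.sha256(b"constructed encryption key").digest())
    data = b"constructed quarterly report"
    return [upload(store, "alice", data, True),
            upload(store, "bob", data, True),
            upload(store, "carol", b"other data", False),
            len(store.ciphertexts)]


if __name__ == "__main__":
    print(demo())
```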

Claims (5)

1. A deletion data copy method based on data storage location in cloud storage, characterized in that the method deletes copies of user data whose data storage location is at the specified location, and comprises the following steps:
(1) Generating keys and labels:
(1a) the user calculates the hash of each plaintext to be encrypted and uses each hash as a convergence key;
(1b) the user encrypts each plaintext to be encrypted with its convergence key to generate the corresponding data ciphertext, calculates the hash of each data ciphertext, and uses each hash as a label;
(1c) the user and the cloud storage service device negotiate jointly to generate the arranging key;
(2) The user generates the challenges:
(2a) the user encrypts the convergence key with the arranging key to generate a ciphertext and sends the ciphertext to the trusted third-party key management server;
(2b) the trusted third-party key management server generates a random parameter;
(2c) the trusted third-party key management server XORs the random parameter with the received ciphertext, calculates the hash of the XOR result, and uses the resulting hash as challenge H;
(2d) the user generates challenge Z using the pseudo-random function PRF;
(3) The user issues the challenges:
The user sends the two challenges H and Z to the proofers through a secure hidden channel;
(4) The cloud storage service device calculates the experimental evidence:
(4a) the first proofer generates two random numbers;
(4b) the first proofer sends the two generated random numbers to the remaining proofers;
(4c) the user sends the arranging key to the second proofer;
(4d) except for the first proofer, each remaining proofer generates two random strings;
(4e) except for the first proofer, each proofer generates two bit strings with very high minimum entropy;
(4f) the user specifies a data storage location in the cloud storage network;
(4g) each proofer calculates the time needed for the messages it sends to reach the specified data storage location;
(4h) a moment T is set, whose value is greater than or equal to the maximum of the times needed for the messages sent by all proofers to reach the specified data storage location;
(4i) at the moment equal to the set moment T minus the time required for the message sent by the proofer to reach the specified data storage location, the first proofer sends the two random numbers it generated to the cloud storage service device, the second proofer sends the arranging key and the bit strings it generated to the cloud storage service device, and each remaining proofer sends the bit strings it generated to the cloud storage service device;
(4j) at the set moment T, the cloud storage service device calculates experimental evidence r and experimental evidence s using the XOR method;
(5) The cloud storage service device calculates the encryption key:
At the set moment T, the cloud storage service device uses the received bit strings and the arranging key to generate, through repeated pseudo-random iteration, a pseudo-random string with very high minimum entropy, wherein the number of pseudo-random computations equals the number of proofers minus 1, and the generated pseudo-random string with very high minimum entropy is used as the encryption key;
(6) The proofers verify the position of the cloud storage service device:
(6a) the cloud storage service device sends the experimental evidence to all proofers;
(6b) each proofer records the moment at which it receives the experimental evidence sent by the cloud storage service device;
(6c) the set moment T is added to the time needed for the message sent by each proofer to reach the specified data storage location, giving the moment at which that proofer should receive the experimental evidence;
(7) Judging whether the cloud storage service device is located at the specified position; if so, verification succeeds and step (8) is executed; otherwise, verification fails and step (12) is executed;
(8) Deleting the data copy:
(8a) the first proofer feeds the signal "deleting data copy" back to the user and, at the same time, feeds the signal "duplicate removal inspection" back to the cloud storage service device;
(8b) the user sends the label of the data to be encrypted to the cloud storage service device;
(9) Checking whether a label identical to the label of the data to be encrypted exists in the cloud storage service device; if so, executing step (10); otherwise, executing step (11);
(10) Adding a pointer for the user:
A pointer to the user is added, and the user does not send ciphertext to the cloud storage service device;
(11) The cloud storage service device stores the ciphertext:
(11a) the cloud storage service device sends the generated encryption key to the user;
(11b) the user encrypts the data to be encrypted with the encryption key, obtaining the ciphertext;
(11c) the user sends the ciphertext to the cloud storage service device;
(11d) the cloud storage service device stores the received ciphertext;
(12) The user does not send data:
(12a) the first proofer feeds the signal "not transmission data" back to the user and, at the same time, feeds the signal "status requirement not met" back to the cloud storage service device;
(12b) the user does not send the data to be encrypted.
2. The deletion data copy method based on data storage location in cloud storage according to claim 1, characterized in that the method for generating two bit strings with very high minimum entropy described in step (4e) is as follows: each proofer other than the first takes the two random numbers generated by the first proofer and the two random strings it generated itself as the input of the pseudo-random function, calculates two pseudo-random numbers with the pseudo-random function, and XORs the two pseudo-random numbers with challenge H and challenge Z respectively, obtaining two bit strings with very high minimum entropy.
3. The deletion data copy method based on data storage location in cloud storage according to claim 1, characterized in that the XOR method described in step (4j) is: at the set moment T, the cloud storage service device XORs the received pseudo-random number with the two received random numbers generated by the first proofer, and then XORs that result with the bit string.
4. The deletion data copy method based on data storage location in cloud storage according to claim 1, characterized in that the pseudo-random iteration described in step (5) is as follows:
First step: the cloud storage service device takes the arranging key and the random string generated by the second proofer as the input of the pseudo-random function and calculates a pseudo-random number with the pseudo-random function;
Second step: the result of that calculation and the random string generated by the third proofer are taken as the input of the pseudo-random function, and a pseudo-random number is calculated with the pseudo-random function;
Third step: the result of that calculation and the random string generated by the fourth proofer are taken as the input of the pseudo-random function, and a pseudo-random number is calculated with the pseudo-random function;
The above steps are repeated, and the iteration stops once the random string generated by every proofer has been used as input of the pseudo-random function.
5. The deletion data copy method based on data storage location in cloud storage according to claim 1, characterized in that being located at the specified position as described in step (7) means that the position of the cloud storage service device satisfies the following three conditions simultaneously:
Condition 1: the moment recorded by each proofer equals the moment at which it should receive the experimental evidence;
Condition 2: the hash of experimental evidence r equals the hash of challenge H;
Condition 3: the hash of experimental evidence s equals the hash of challenge Z.
CN201711402587.9A 2017-12-22 2017-12-22 Data storage position-based data copy deleting method in cloud storage Active CN108566277B (en)


Publications (2)

Publication Number Publication Date
CN108566277A true CN108566277A (en) 2018-09-21
CN108566277B CN108566277B (en) 2020-04-21
