CN108566277A - Method for deleting data copies based on data storage location in cloud storage
- Publication number: CN108566277A
- Authority: CN (China)
- Legal status: Granted (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Abstract
The invention discloses a method for deleting data copies based on data storage location in cloud storage. The implementation steps are: the user generates a challenge and sends it to the verifiers; the verifiers send their corresponding messages to the cloud storage server at different moments; the cloud storage server computes verification evidence and returns it to the verifiers; the verifiers judge, from the moment at which they receive the verification evidence returned by the cloud storage server and from the content of that evidence, whether the cloud storage server is located at the position specified by the user. If the cloud storage server is located at the position specified by the user, the cloud storage server stores the user data and deletes data copies; otherwise, the user does not transmit the data. The invention can delete data copies whose storage location satisfies a certain geographic location condition, meeting users' individual requirements while improving security.
Description
Technical field
The invention belongs to the field of information security technology and further relates to a method, in the technical field of network information security, for deleting data copies based on data storage location in cloud storage. The invention can be applied to cloud storage scenarios: for cloud storage servers that satisfy a certain geographic location condition, it uses secure deduplication techniques from cloud computing to delete copies of user data stored in the cloud storage server and, while deleting data copies, ensures the security of the data during transmission and storage.
Background art
Data copy deletion (deduplication) is the process of eliminating redundant data and is a form of lossless data compression. With the continuous development of cloud computing, cloud computing security problems have become increasingly prominent. When the cloud server is not trusted by users, a user needs to encrypt a file before uploading it to the cloud storage server, but data encryption seriously hampers the use of deduplication. Deduplication and encryption are at odds: deduplication aims to save storage space, whereas encryption aims to make ciphertext impossible to pick out among a large amount of random data. Therefore, the cloud storage server must combine data encryption with deduplication in order to achieve efficient storage.
In their paper "Secure and Efficient Cloud Data Deduplication With Randomized Tag" (IEEE Transactions on Information Forensics and Security, vol. 12, no. 3, March 2017), Tao Jiang and Xiaofeng Chen disclose a method for deleting data copies. The method first encrypts user data with the convergent encryption (CE) method, using the hash value of the data block as the convergent key. Second, identical data yields identical data ciphertext after the hash operation, and hence identical tag values. Before a user stores some data in the cloud storage server, the cloud storage server checks whether a tag value identical to the tag value of that data already exists, and decides from the result whether to store the data. If a tag value identical to the tag value of the data already exists in the cloud storage server, the user does not need to send the data ciphertext to the cloud storage server; only a pointer indicating the owner of the data is added. If no identical tag value exists in the cloud storage server, the user sends the data ciphertext directly to the cloud storage server, which stores it. This method resolves the conflict between encryption and deduplication. Its remaining shortcoming is that it cannot resist collusion attacks by adversaries: the key may be leaked, which in turn leads to leakage of the data.
The patent application "A client-side secure deduplication method for ciphertext data in cloud storage" filed by Institutes Of Technology Of Nanjing (patent application number: 201610539947.9, publication number: CN 105939191A) discloses a client-side secure deduplication method for ciphertext in cloud storage. The method constructs a secure key generation protocol based on proxy signature, which encrypts the convergent key a second time and ensures the security of the key, and on this basis proposes a new signature-based proof-of-ownership method. It lets a user prove to the cloud server, in a safer and more efficient way, that the user really owns a given file in the cloud, and at the same time achieves deduplication of ciphertext files. Its remaining shortcoming is that it cannot meet users' individual requirements by deleting copies of data whose storage location is a user-specified position, and it cannot support location verification to ensure the legitimacy of the data storage location.
Sometimes, according to users' individual requirements, data copies may be deleted only for data whose storage location satisfies a certain geographic location condition. From the user's perspective, because of specific requirements or certain laws and regulations, data must be stored within a certain geographic range. From the cloud storage server's perspective, deleting redundant data is very necessary in order to save storage space, improve system performance and reduce hardware and software maintenance costs. However, the current representative protocols that can guarantee data storage location, such as the LoSt protocol and the GeoProof protocol, cannot support data deduplication, and existing data copy deletion schemes cannot support location verification. It is therefore necessary to design a method that supports both verification of data storage location and secure deduplication, namely a method for deleting data copies based on data storage location in cloud storage, so that data copies can be deleted only for data that satisfies a certain location attribute.
Summary of the invention
The object of the invention is to address the deficiencies of the prior art described above by proposing a method for deleting data copies based on data storage location in cloud storage. The method determines the position of the cloud storage server using position-based cryptography and applies it to data copy deletion, meeting users' individual requirements and improving security.
The idea of the invention is as follows: the user generates a challenge and sends it to the verifiers; the verifiers send their corresponding messages to the cloud storage server at different moments; the cloud storage server computes verification evidence and returns it to the verifiers; the verifiers judge, from the moment at which they receive the verification evidence returned by the cloud storage server and from the content of that evidence, whether the cloud storage server is located at the position specified by the user. According to the user's individual requirements, if the cloud storage server is located at the position specified by the user, the cloud storage server stores the user data and deletes data copies; otherwise, the user does not transmit the data.
The invention deletes data copies of user data whose storage location is at the specified position, and comprises the following steps:
(1) Generate keys and tags:
(1a) The user computes the hash value of each plaintext to be encrypted and uses each hash value as a convergent key;
(1b) The user encrypts the plaintext to be encrypted with the convergent key to generate the corresponding data ciphertext, computes the hash value of each data ciphertext, and uses each hash value as a tag;
(1c) The user and the cloud storage server jointly negotiate and generate a negotiated key;
(2) The user generates challenges:
(2a) The user encrypts the convergent key with the negotiated key to generate a ciphertext and sends the ciphertext to the trusted third-party key management server;
(2b) The trusted third-party key management server generates a random parameter;
(2c) The trusted third-party key management server XORs the random parameter with the received ciphertext, computes the hash value of the XOR result, and uses the resulting hash value as challenge H;
(2d) The user generates challenge Z using a pseudo-random function PRF;
(3) The user issues the challenges:
The user sends the two challenges H and Z to the verifiers over a secure covert channel;
(4) The cloud storage server computes verification evidence:
(4a) The first verifier generates two random numbers;
(4b) The first verifier sends the two generated random numbers to the remaining verifiers;
(4c) The user sends the negotiated key to the second verifier;
(4d) Each verifier other than the first generates two random strings;
(4e) Each verifier other than the first generates two information strings with very high min-entropy;
(4f) The user specifies the data storage location in the cloud storage network;
(4g) Each verifier computes the time required for the message it sends to travel to the specified data storage location;
(4h) A moment T is set whose value is greater than or equal to the maximum of the times required for the messages sent by all verifiers to travel to the specified data storage location;
(4i) At the moment given by the set moment T minus the time required for the verifier's message to travel to the specified data storage location, the first verifier sends its two generated random numbers to the cloud storage server, the second verifier sends the negotiated key and the information strings it generated to the cloud storage server, and each remaining verifier sends the information strings it generated to the cloud storage server;
(4j) At the set moment T, the cloud storage server computes verification evidence r and verification evidence s using the XOR method;
(5) The cloud storage server computes the encryption key:
At the set moment T, the cloud storage server uses the received information strings and the negotiated key and, through multiple pseudo-random iterations, generates a pseudo-random string with very high min-entropy, where the number of pseudo-random computations equals the number of verifiers minus 1; the generated pseudo-random string with very high min-entropy is used as the encryption key;
(6) The verifiers verify the position of the cloud storage server:
(6a) The cloud storage server sends the verification evidence to all verifiers;
(6b) Each verifier records the moment at which it receives the verification evidence sent by the cloud storage server;
(6c) The set moment T is added to the time required for the message sent by each verifier to travel to the specified data storage location, giving the moment at which that verifier can receive the verification evidence;
(7) Judge whether the cloud storage server is located at the specified position; if so, verification succeeds and step (8) is executed; otherwise, verification fails and step (12) is executed;
(8) Delete data copies:
(8a) The first verifier feeds the "delete data copy" signal back to the user and at the same time feeds the "deduplication check" signal back to the cloud storage server;
(8b) The user sends the tag of the data to be encrypted to the cloud storage server;
(9) Check whether a tag identical to the tag of the data to be encrypted exists in the cloud storage server; if so, execute step (10); otherwise, execute step (11);
(10) The user adds a pointer:
A pointer to the user is added, and the user does not send the ciphertext to the cloud storage server;
(11) The cloud storage server stores the ciphertext:
(11a) The cloud storage server sends the generated encryption key to the user;
(11b) The user encrypts the data to be encrypted with the encryption key to obtain the ciphertext;
(11c) The user sends the ciphertext to the cloud storage server;
(11d) The cloud storage server stores the received ciphertext;
(12) The user does not transmit data:
(12a) The first verifier feeds the "do not transmit data" signal back to the user and at the same time feeds the "position requirement not met" signal back to the cloud storage server;
(12b) The user does not send the data to be encrypted.
Compared with the prior art, the invention has the following advantages:
First, in the steps in which the cloud storage server computes verification evidence and the verifiers verify the position of the cloud storage server, each verifier sends a message to the cloud storage server and records the moment at which the cloud storage server returns the verification evidence and the content of that evidence, so that the data storage location is verified jointly by multiple verifiers. Because multiple verifiers are used, if any one verifier's verification fails, the cloud storage server is not located at the specified position; only when all verifiers verify successfully is the cloud storage server located at the specified position. The invention can therefore resist collusion attacks by multiple adversaries against location verification, overcoming the inability of the prior art to resist adversarial collusion attacks, so that the invention better ensures the security of data during transmission and storage while deleting data copies.
Second, in the step in which the verifiers verify the position of the cloud storage server, the cloud storage server sends the verification evidence to all verifiers, and the location information of the cloud storage server serves as the sole evidence for verification; if the cloud storage server is not located at the specified position, it cannot pass verification. This overcomes the inability of the prior art to support verification of data storage location, so that the invention can accurately verify whether the data storage location is at the specified position: only when the cloud storage server is at the specified position can it pass verification. The invention thereby ensures the legitimacy of the data storage location and ensures that data copies can be deleted only when user data is stored at the specified position, better ensuring the security of the data storage location.
Third, in the step in which the cloud storage server computes the encryption key, the cloud storage server uses the received information strings and the negotiated key and, through multiple pseudo-random iterations, generates a pseudo-random string that is used as the encryption key. When the cloud storage server stores ciphertext and is located at the specified position, it sends the generated encryption key to the user, which ensures that the user can obtain the key only when the data storage location is at the specified position. This overcomes the problem in the prior art that the key may be leaked during encryption, leading in turn to leakage of the plaintext, so that the invention ensures the user can obtain the encryption key only when the data storage location meets the requirement, better ensuring the security of the encryption key.
Fourth, in the step of deleting data copies, for a cloud storage server located at the specified position the user sends the tag of the data to be encrypted to the cloud storage server, and for a cloud storage server not located at the specified position the user does not transmit data. This meets users' individual requirements: copies are deleted for data whose storage location is at the specified position, combining the position-based cryptography protocol with secure deduplication. It overcomes the shortcoming that the prior art cannot meet users' individual requirements by deleting copies of data stored at a user-specified position, so that the invention, while ensuring the security of the data and of the storage location during data copy deletion, can provide a secure data copy deletion service according to users' individual requirements.
Description of the drawings
Fig. 1 is a flowchart of the invention;
Fig. 2 is a schematic diagram of the user generating the convergent key, tag and challenges;
Fig. 3 is a schematic diagram of data storage location verification;
Fig. 4 is a flowchart of verifying the position of the cloud storage server;
Fig. 5 is a flowchart of data storage.
Detailed description
The invention is further described below with reference to the accompanying drawings.
The specific implementation steps of the invention are further described with reference to Fig. 1.
Step 1: generate keys and tags.
The user computes the hash value of each plaintext to be encrypted and uses each hash value as a convergent key.
The user encrypts the plaintext to be encrypted with the convergent key to generate the corresponding data ciphertext, computes the hash value of each data ciphertext, and uses each hash value as a tag.
The user and the cloud storage server jointly negotiate and generate a negotiated key.
Step 2: the user generates challenges.
As shown in Fig. 2, the user generates the challenges as follows:
The user encrypts the convergent key with the negotiated key to generate a ciphertext and sends the ciphertext to the trusted third-party key management server.
The trusted third-party key management server generates a random parameter.
The trusted third-party key management server XORs the random parameter with the received ciphertext, computes the hash value of the XOR result, and uses the resulting hash value as challenge H.
The user generates challenge Z using a pseudo-random function PRF.
With reference to Fig. 2, the schematic diagram of the user generating the convergent key, tag and challenges, the process by which the user generates the convergent key, tag and challenges in the steps above is further described. There are three entities in Fig. 2: the user, the trusted third-party key management server and the cloud storage server. The user hashes the data to obtain the convergent key; the hash computation can use a hash function such as SHA-1 or SHA-256. Because of the properties of hash functions, identical data to be encrypted yields identical hash values, that is, identical convergent keys. The user then encrypts the data with the convergent key to obtain the data ciphertext, and hashes the data ciphertext to obtain the tag. The user negotiates with the cloud storage server to generate the negotiated key, encrypts the convergent key with the negotiated key to obtain a ciphertext, and sends the ciphertext to the trusted third-party key management server. After receiving the ciphertext, the trusted third-party key management server generates a random number, then generates challenge H and returns challenge H to the user. The user generates challenge Z using a pseudo-random function.
Challenge Z is implemented as follows: the user selects parameters $c$, $k$, $l$ and a function $f:\{0,1\}^c \times \{0,1\}^k \to \{0,1\}^l$ and generates challenge $Z = f_W$, where $c$ denotes the length of the input data, $k$ the length of the key, $l$ the length of the output data, and $W$ a key of length $k$, $W \in \{0,1\}^k$. The key $W$ is selected and, after processing by the pseudo-random function PRF, a challenge Z of fixed length $l$ is output.
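Steps 1 and 2 and the tag check of steps (9) to (11), as an added Python example that is not part of the patent text. Assumptions: SHA-256 is the hash, HMAC-SHA256 stands in for the PRF f, a SHA-256 counter-mode keystream stands in for the unspecified cipher, and the names `stream_encrypt`, `TagIndex`, `prf_input` and the sample data are hypothetical.

```python
import hashlib
import hmac
import secrets


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def xor_bytes(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("XOR operands must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


def stream_encrypt(key: bytes, data: bytes) -> bytes:
    """Deterministic stand-in cipher (assumption): XOR with a SHA-256
    counter-mode keystream. Applying it twice with the same key decrypts."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += sha256(key + counter.to_bytes(8, "big"))
        counter += 1
    return xor_bytes(data, bytes(stream[:len(data)]))


def convergent_encrypt(plaintext: bytes):
    """Steps (1a)-(1b): key = H(plaintext), tag = H(E_key(plaintext))."""
    convergent_key = sha256(plaintext)
    ciphertext = stream_encrypt(convergent_key, plaintext)
    return convergent_key, ciphertext, sha256(ciphertext)


def wrap_convergent_key(negotiated_key: bytes, convergent_key: bytes) -> bytes:
    """Step (2a): the convergent key encrypted under the negotiated key."""
    return stream_encrypt(negotiated_key, convergent_key)


def kms_challenge_h(wrapped_key: bytes, random_parameter: bytes = None) -> bytes:
    """Steps (2b)-(2c): H = Hash(random parameter XOR received ciphertext)."""
    if random_parameter is None:
        random_parameter = secrets.token_bytes(len(wrapped_key))
    return sha256(xor_bytes(random_parameter, wrapped_key))


def challenge_z(w: bytes, prf_input: bytes, out_len: int = 32) -> bytes:
    """Step (2d): fixed-length output of the PRF keyed with W."""
    if not 0 < out_len <= 32:
        raise ValueError("out_len must be between 1 and 32 bytes")
    return hmac.new(w, prf_input, hashlib.sha256).digest()[:out_len]


class TagIndex:
    """Server-side duplicate check of steps (9)-(11), keyed by tag."""

    def __init__(self):
        self.owners = {}       # tag -> set of owners (the "pointers")
        self.ciphertexts = {}  # tag -> stored ciphertext

    def check(self, tag: bytes, owner: str) -> str:
        if tag in self.owners:
            self.owners[tag].add(owner)      # step (10): pointer only
            return "pointer-added"
        return "upload-required"             # step (11): ciphertext needed

    def store(self, tag: bytes, owner: str, ciphertext: bytes) -> None:
        self.owners[tag] = {owner}
        self.ciphertexts[tag] = ciphertext


def demo():
    # Constructed sample data. For brevity the stored blob is the convergent
    # ciphertext; in step (11) the user encrypts with the server-derived key.
    index = TagIndex()
    report = b"constructed sample: quarterly report v1"
    outcomes = []
    for owner, data in (("alice", report), ("bob", report),
                        ("carol", report + b"!")):
        _, ciphertext, tag = convergent_encrypt(data)
        outcome = index.check(tag, owner)
        if outcome == "upload-required":
            index.store(tag, owner, ciphertext)
        outcomes.append((owner, outcome))
    return outcomes, len(index.ciphertexts)


if __name__ == "__main__":
    print(demo())
```
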
Step 3: the user issues the challenges.
The user sends the two challenges H and Z to the verifiers over a secure covert channel.
Step 4: the cloud storage server computes verification evidence.
The first verifier generates two random numbers.
The first verifier sends the two generated random numbers to the remaining verifiers.
The user sends the negotiated key to the second verifier.
Each verifier other than the first generates two random strings.
Each verifier other than the first generates two information strings with very high min-entropy. The two information strings with very high min-entropy are generated as follows: each verifier other than the first takes the two random numbers generated by the first verifier and the two random strings it generated itself as the input of a pseudo-random function, computes two pseudo-random numbers with the pseudo-random function, and XORs the two pseudo-random numbers with challenge H and challenge Z respectively, obtaining two information strings with very high min-entropy.
The user specifies the data storage location in the cloud storage network.
Each verifier computes the time required for the message it sends to travel to the specified data storage location.
A moment T is set whose value is greater than or equal to the maximum of the times required for the messages sent by all verifiers to travel to the specified data storage location.
At the moment given by the set moment T minus the time required for the verifier's message to travel to the specified data storage location, the first verifier sends its two generated random numbers to the cloud storage server, the second verifier sends the negotiated key and the information strings it generated to the cloud storage server, and each remaining verifier sends the information strings it generated to the cloud storage server.
At the set moment T, the cloud storage server computes verification evidence r and verification evidence s using the XOR method. Here the XOR method means: at the set moment T, the cloud storage server XORs the pseudo-random numbers it received with the two received random numbers generated by the first verifier, and then XORs the result with the information strings.
Step 5: the cloud storage server computes the encryption key.
At the set moment T, the cloud storage server uses the received information strings and the negotiated key and, through multiple pseudo-random iterations, generates a pseudo-random string with very high min-entropy, where the number of pseudo-random computations equals the number of verifiers minus 1; the generated pseudo-random string with very high min-entropy is used as the encryption key. The pseudo-random iteration proceeds as follows:
First step: the cloud storage server takes the negotiated key and the random string generated by the second verifier as the input of the pseudo-random function and computes a pseudo-random number with the pseudo-random function;
Second step: the result and the random string generated by the third verifier are taken as the input of the pseudo-random function, and a pseudo-random number is computed with the pseudo-random function;
Third step: the result and the random string generated by the fourth verifier are taken as the input of the pseudo-random function, and a pseudo-random number is computed with the pseudo-random function;
The above steps are repeated, and the iteration stops once the random string generated by every verifier has been used as the input of the pseudo-random function.
Step 6: the verifiers verify the position of the cloud storage server.
The cloud storage server sends the verification evidence to all verifiers.
Each verifier records the moment at which it receives the verification evidence sent by the cloud storage server.
The set moment T is added to the time required for the message sent by each verifier to travel to the specified data storage location, giving the moment at which that verifier can receive the verification evidence.
The data storage location verification process of the present invention is further explained with reference to the data storage location verification schematic diagram in attached drawing 3. Assume there are 4 proofers: proofer 1, proofer 2, proofer 3 and proofer 4.
At the moment given by the set moment T minus the time needed for the message sent by proofer 1 to be transferred to the specified data storage location, proofer 1 sends the two random numbers it generated, i.e. random number 1 and random number 2, to the cloud storage service device.
At the moment given by the set moment T minus the time needed for the message sent by proofer 2 to be transferred to the specified data storage location, proofer 2 sends the arranging key and the two bit strings it generated, i.e. bit string 1.1 and bit string 1.2, to the cloud storage service device.
At the moment given by the set moment T minus the time needed for the message sent by proofer 3 to be transferred to the specified data storage location, proofer 3 sends the two bit strings it generated, i.e. bit string 2.1 and bit string 2.2, to the cloud storage service device.
At the moment given by the set moment T minus the time needed for the message sent by proofer 4 to be transferred to the specified data storage location, proofer 4 sends the two bit strings it generated, i.e. bit string 3.1 and bit string 3.2, to the cloud storage service device.
This ensures that the messages sent by all proofers reach the cloud storage service device located at the specified position simultaneously at the set moment T. At the set moment T, the cloud storage service device calculates the experimental evidence from the received messages using the XOR method and returns the experimental evidence to the proofers.
Step 7 is further described below with reference to the flow chart for verifying the cloud storage service device position in attached drawing 4.
Step 7, judge whether the cloud storage service device is located at the specified position. If so, verification succeeds and step 8 is executed; otherwise, verification fails and step 12 is executed. Being located at the specified position refers to the position of the cloud storage service device when the following three conditions are met simultaneously:
Condition 1, the moment recorded by each proofer is equal to the moment at which it is expected to receive the experimental evidence;
Condition 2, the hash value of experimental evidence r is equal to the hash value of challenge H;
Condition 3, the hash value of experimental evidence s is equal to the hash value of challenge Z.
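The timing schedule of step 4 and the three conditions of step 7 can be exercised with a small simulation. This is an added example, not code from the patent: the planar coordinates, the propagation speed, SHA-256 as the hash, the comparison tolerance and all function names are assumptions, and the evidence values r and s are taken as already computed by the XOR method.

```python
import hashlib
import hmac
import math

SIGNAL_SPEED_KM_S = 200_000.0  # assumed propagation speed (about light in fibre)

def transit(a, b):
    """One-way transmission time in seconds between two (x, y) points given in km."""
    return math.dist(a, b) / SIGNAL_SPEED_KM_S

def schedule(proofers, specified_pos):
    """Set moment T, each proofer's send moment, and its expected receive moment."""
    t = {name: transit(pos, specified_pos) for name, pos in proofers.items()}
    T = max(t.values())                          # T >= every transmission time
    send_at = {name: T - t[name] for name in t}  # all messages arrive at T
    expect_at = {name: T + t[name] for name in t}
    return T, send_at, expect_at

def recorded_times(proofers, send_at, actual_pos):
    """Moments at which the proofers receive evidence from a server at actual_pos."""
    d = {name: transit(pos, actual_pos) for name, pos in proofers.items()}
    # The evidence needs every message, so the server answers when the last arrives.
    ready = max(send_at[name] + d[name] for name in d)
    return {name: ready + d[name] for name in d}

def sha256(data):
    return hashlib.sha256(data).digest()

def at_specified_position(expect_at, recorded_at, r, s, H, Z, tolerance=1e-6):
    """Step 7: all three conditions must hold at the same time."""
    cond1 = all(abs(recorded_at[n] - expect_at[n]) <= tolerance for n in expect_at)
    cond2 = hmac.compare_digest(sha256(r), sha256(H))
    cond3 = hmac.compare_digest(sha256(s), sha256(Z))
    return cond1 and cond2 and cond3

# Constructed sample: four proofers on a plane (km) and a specified storage position.
PROOFERS = {"proofer 1": (0, 0), "proofer 2": (600, 0),
            "proofer 3": (0, 800), "proofer 4": (600, 800)}
SPECIFIED = (150, 200)
H, Z = b"constructed challenge H", b"constructed challenge Z"

def demo(actual_pos):
    """Run the check for a server that returns correct evidence from actual_pos."""
    _, send_at, expect_at = schedule(PROOFERS, SPECIFIED)
    recorded = recorded_times(PROOFERS, send_at, actual_pos)
    return at_specified_position(expect_at, recorded, r=H, s=Z, H=H, Z=Z)

if __name__ == "__main__":
    print("server at specified position:", demo(SPECIFIED))   # True
    print("server 250 km away:", demo((300, 400)))            # False
```

A server 250 km from the specified position returns correct evidence yet still fails condition 1, because it cannot answer before the last message reaches it and its replies then arrive late at the nearer proofers.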
Steps 8, 9, 10, 11 and 12 are further described below with reference to the data storage flow chart in attached drawing 5.
Step 8, delete the data copy.
The first proofer feeds the "delete data copy" signal back to the user and, at the same time, feeds the "duplicate removal check" signal back to the cloud storage service device.
The user sends the label of the data to be encrypted to the cloud storage service device.
Step 9, check whether a label identical to the label of the data to be encrypted exists in the cloud storage service device. If so, execute step 10; otherwise, execute step 11.
Step 10, the user adds a pointer.
The user does not send the ciphertext to the cloud storage service device, and a pointer pointing to the user is added.
Step 11, the cloud storage service device stores the ciphertext.
The cloud storage service device sends the generated encryption key to the user.
The user encrypts the data to be encrypted with the encryption key, obtaining the ciphertext.
The user sends the ciphertext to the cloud storage service device.
The cloud storage service device stores the received ciphertext.
Step 12, the user does not send data.
The first proofer feeds the "do not send data" signal back to the user and, at the same time, feeds the "does not meet the status requirement" signal back to the cloud storage service device.
The user does not send the data to be encrypted.
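The key derivation of step 5 and the branches of steps 8 to 12 fit together as in the sketch below. This is an added example, not the patent's own code: HMAC-SHA256 stands in for the unnamed pseudo-random function, the XOR stream cipher is a demonstration stand-in for a real cipher, the label follows the definition given in the method (the hash of the ciphertext produced under the convergence key), and all names and sample values are assumptions.

```python
import hashlib
import hmac

def prf(key, data):
    """Stand-in pseudo-random function: HMAC-SHA256 (assumed; the page names no PRF)."""
    return hmac.new(key, data, hashlib.sha256).digest()

def derive_encryption_key(arranging_key, random_strings):
    """Step 5: chain the PRF over the strings of proofers 2..n, i.e. n - 1 evaluations."""
    state = arranging_key
    for random_string in random_strings:   # proofer 2 first, then 3, 4, ...
        state = prf(state, random_string)
    return state

def toy_encrypt(key, plaintext):
    """Demo-only XOR stream cipher built from prf; real systems would use an AEAD."""
    stream = b"".join(prf(key, i.to_bytes(8, "big"))
                      for i in range(len(plaintext) // 32 + 1))
    return bytes(p ^ k for p, k in zip(plaintext, stream))

def make_label(plaintext):
    """Convergence key = hash(plaintext); label = hash(ciphertext under that key)."""
    convergence_key = hashlib.sha256(plaintext).digest()
    return hashlib.sha256(toy_encrypt(convergence_key, plaintext)).hexdigest()

class CloudStorageServer:
    def __init__(self, encryption_key):
        self.encryption_key = encryption_key
        self.ciphertexts = {}   # label -> stored ciphertext
        self.pointers = {}      # label -> users pointing at that ciphertext

def upload(server, user, plaintext, location_verified):
    """User side of steps 8 to 12; returns which branch was taken."""
    if not location_verified:                       # step 12: nothing is sent
        return "not sent"
    label = make_label(plaintext)                   # step 8: only the label is sent
    if label in server.ciphertexts:                 # step 9: label already stored?
        server.pointers[label].add(user)            # step 10: pointer, no ciphertext
        return "pointer added"
    ciphertext = toy_encrypt(server.encryption_key, plaintext)   # step 11
    server.ciphertexts[label] = ciphertext
    server.pointers[label] = {user}
    return "stored"

# Constructed sample values: an arranging key and the strings of proofers 2, 3 and 4.
ARRANGING_KEY = b"constructed arranging key"
RANDOM_STRINGS = [b"string of proofer 2", b"string of proofer 3", b"string of proofer 4"]

if __name__ == "__main__":
    server = CloudStorageServer(derive_encryption_key(ARRANGING_KEY, RANDOM_STRINGS))
    for user in ("alice", "bob"):
        print(user, upload(server, user, b"quarterly report", True))
    print("carol", upload(server, "carol", b"other file", False))
```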
Claims (5)
1. A method for deleting data copies based on data storage location in cloud storage, characterized in that the method deletes user data copies whose data storage location is at the specified position, and comprises the following steps:
(1) Generate keys and labels:
(1a) the user calculates the hash value of each plaintext to be encrypted and uses each hash value as a convergence key;
(1b) the user encrypts the plaintext to be encrypted with the convergence key, generating the corresponding data ciphertext, calculates the hash value of each data ciphertext, and uses each hash value as a label;
(1c) the user and the cloud storage service device negotiate jointly to generate the arranging key;
(2) The user generates challenges:
(2a) the user encrypts the convergence key with the arranging key, generating a ciphertext, and sends the ciphertext to the trusted third party key management server;
(2b) the trusted third party key management server generates a random parameter;
(2c) the trusted third party key management server XORs the random parameter with the received ciphertext, calculates the hash value of the XOR result, and uses the resulting hash value as challenge H;
(2d) the user generates challenge Z using the pseudo-random function PRF;
(3) The user issues the challenges:
the user sends the two challenges H and Z to the proofers through a secure covert channel;
(4) The cloud storage service device calculates the experimental evidence:
(4a) the first proofer generates two random numbers;
(4b) the first proofer sends the two generated random numbers to the remaining proofers;
(4c) the user sends the arranging key to the second proofer;
(4d) except for the first proofer, each remaining proofer generates two random strings;
(4e) except for the first proofer, each proofer generates two bit strings with very high min-entropy;
(4f) the user specifies a data storage location in the cloud storage network;
(4g) each proofer calculates the time needed for the message it sends to be transferred to the specified data storage location;
(4h) a moment T is set, whose value is greater than or equal to the maximum of the times needed for the messages sent by all proofers to be transferred to the specified data storage location;
(4i) at the moment given by the set moment T minus the time needed for the message sent by a proofer to be transferred to the specified data storage location, the first proofer sends the two random numbers it generated to the cloud storage service device, the second proofer sends the arranging key and the bit string it generated to the cloud storage service device, and each of the remaining proofers sends the bit string it generated to the cloud storage service device;
(4j) at the set moment T, the cloud storage service device calculates experimental evidence r and experimental evidence s using the XOR method;
(5) The cloud storage service device calculates the encryption key:
at the set moment T, the cloud storage service device uses the received bit string and the arranging key to generate, through repeated pseudorandom iteration, a pseudorandom string with very high min-entropy, wherein the number of pseudorandom computations is equal to the number of proofers minus 1, and the generated pseudorandom string with very high min-entropy is used as the encryption key;
(6) The proofers verify the position of the cloud storage service device:
(6a) the cloud storage service device sends the experimental evidence to all proofers;
(6b) each proofer records the moment at which it receives the experimental evidence sent by the cloud storage service device;
(6c) the set moment T is added to the time needed for the message sent by each proofer to be transferred to the specified data storage location, which gives the moment at which that proofer is expected to receive the experimental evidence;
(7) Judge whether the cloud storage service device is located at the specified position; if so, verification succeeds and step (8) is executed; otherwise, verification fails and step (12) is executed;
(8) Delete the data copy:
(8a) the first proofer feeds the "delete data copy" signal back to the user and, at the same time, feeds the "duplicate removal check" signal back to the cloud storage service device;
(8b) the user sends the label of the data to be encrypted to the cloud storage service device;
(9) Check whether a label identical to the label of the data to be encrypted exists in the cloud storage service device; if so, execute step (10); otherwise, execute step (11);
(10) The user adds a pointer:
the user does not send the ciphertext to the cloud storage service device, and a pointer pointing to the user is added;
(11) The cloud storage service device stores the ciphertext:
(11a) the cloud storage service device sends the generated encryption key to the user;
(11b) the user encrypts the data to be encrypted with the encryption key, obtaining the ciphertext;
(11c) the user sends the ciphertext to the cloud storage service device;
(11d) the cloud storage service device stores the received ciphertext;
(12) The user does not send data:
(12a) the first proofer feeds the "do not send data" signal back to the user and, at the same time, feeds the "does not meet the status requirement" signal back to the cloud storage service device;
(12b) the user does not send the data to be encrypted.
2. The method for deleting data copies based on data storage location in cloud storage according to claim 1, characterized in that the method of generating two bit strings with very high min-entropy described in step (4e) is as follows: except for the first proofer, each proofer takes the two random numbers generated by the first proofer and the two random strings it generated itself as the input of the pseudo-random function, calculates two pseudo random numbers with the pseudo-random function, and XORs the two pseudo random numbers with challenge H and challenge Z respectively, obtaining two bit strings with very high min-entropy.
3. The method for deleting data copies based on data storage location in cloud storage according to claim 1, characterized in that the XOR method described in step (4j) is as follows: at the set moment T, the cloud storage service device XORs the pseudo random number it received with the two random numbers generated by the first proofer, and then XORs that result with the bit string.
4. The method for deleting data copies based on data storage location in cloud storage according to claim 1, characterized in that the pseudorandom iteration described in step (5) is as follows:
First step, the cloud storage service device takes the arranging key and the random string generated by the second proofer as the input of the pseudo-random function and calculates a pseudo random number with the pseudo-random function;
Second step, the result of that calculation and the random string generated by the third proofer are taken as the input of the pseudo-random function, and a pseudo random number is calculated with the pseudo-random function;
Third step, the result of that calculation and the random string generated by the fourth proofer are taken as the input of the pseudo-random function, and a pseudo random number is calculated with the pseudo-random function;
The above steps are repeated, and the iteration stops once the random string generated by each proofer has been used as the input of the pseudo-random function.
5. The method for deleting data copies based on data storage location in cloud storage according to claim 1, characterized in that being located at the specified position described in step (7) refers to the position of the cloud storage service device when the following three conditions are met simultaneously:
Condition 1, the moment recorded by each proofer is equal to the moment at which it is expected to receive the experimental evidence;
Condition 2, the hash value of experimental evidence r is equal to the hash value of challenge H;
Condition 3, the hash value of experimental evidence s is equal to the hash value of challenge Z.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201711402587.9A CN108566277B (en) | 2017-12-22 | 2017-12-22 | Data storage position-based data copy deleting method in cloud storage |
Publications (2)
Publication Number | Publication Date |
---|---|
CN108566277A (en) | 2018-09-21 |
CN108566277B (en) | 2020-04-21 |
Family
ID=63530392
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201711402587.9A Active CN108566277B (en) | 2017-12-22 | 2017-12-22 | Data storage position-based data copy deleting method in cloud storage |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN108566277B (en) |
Patent Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20120166403A1 (en) * | 2010-12-24 | 2012-06-28 | Kim Mi-Jeom | Distributed storage system having content-based deduplication function and object storing method |
CN104052819A (en) * | 2014-06-27 | 2014-09-17 | 西安电子科技大学 | Method for verifying integrity of cloud data stored in multiple geographic positions |
CN104869124A (en) * | 2015-06-05 | 2015-08-26 | 飞天诚信科技股份有限公司 | Authentication method based on geographic position information |
CN105323074A (en) * | 2015-11-17 | 2016-02-10 | 西安电子科技大学 | Trusted verification method for geographic position of terminal equipment |
CN106100832A (en) * | 2016-06-12 | 2016-11-09 | 广东工业大学 | Key management method based on convergent encryption in a kind of cloud storage data deduplication |
Non-Patent Citations (1)
Title |
---|
JIN LI等: "Secure Deduplication with Efficient and Reliable Convergent Key Management", 《IEEE TRANSACTIONS ON PARALLEL AND DISTRIBUTED SYSTEMS》 * |
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN116361201A (en) * | 2023-06-02 | 2023-06-30 | 宜宾邦华智慧科技有限公司 | Method and system for destroying stored data of mobile phone |
CN116361201B (en) * | 2023-06-02 | 2023-08-11 | 宜宾邦华智慧科技有限公司 | Method and system for destroying stored data of mobile phone |
Also Published As
Publication number | Publication date |
---|---|
CN108566277B (en) | 2020-04-21 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||
GR01 | Patent grant |