CN109190410B - Log behavior auditing method based on block chain in cloud storage environment - Google Patents


Publication number
CN109190410B
Authority
CN
China
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201811126706.7A
Other languages
Chinese (zh)
Other versions
CN109190410A (en
Inventor
周可
李春花
邓虹雨
胡家琦
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Huazhong University of Science and Technology
Original Assignee
Huazhong University of Science and Technology
Application filed by Huazhong University of Science and Technology
Priority to CN201811126706.7A
Publication of CN109190410A
Application granted
Publication of CN109190410B

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • G06F21/6272 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database by registering files or documents with a third party
    • G06F21/6245 Protecting personal data, e.g. for financial or medical purposes

Abstract

The invention discloses a block chain-based log behavior auditing method in a cloud storage environment. Each interface required in the method flow is implemented in an intelligent contract (smart contract), so that neither party can deny its actions on those interfaces and the log records in the block chain network are fully trustworthy. When an audit is required, the audit interface of the intelligent contract is called; the intelligent contract checks the log records and returns the result to the requesting user. The invention moves log storage from the cloud storage provider to the block chain, and the decentralization, trustlessness and high reliability of the block chain guarantee the security and integrity of the log data. The block chain network uses the intelligent contract to provide read-write interfaces and an audit structure for the log, and a data access flow is designed for the interaction between the user and the cloud service provider, so that both the user and the cloud storage provider record the log completely on the block chain network and the log records cannot be denied or tampered with.

Description

Log behavior auditing method based on block chain in cloud storage environment
Technical Field
The invention belongs to the technical field of cloud storage security, and particularly relates to a block chain-based log behavior auditing method in a cloud storage environment.
Background
A public auditing service for cloud data storage allows users to turn to an independent Third Party Auditor (TPA) when outsourced data needs to be reviewed. The TPA has professional knowledge and capabilities that users lack, and can periodically audit the integrity of all data stored in the cloud storage server on the user's behalf, giving users a simpler and more economical way to make sure that their data is stored correctly in the cloud. Besides helping users evaluate the risk of the cloud storage service they subscribe to, the TPA's audit results also help cloud storage providers improve their cloud-based service platforms, and the TPA can even serve as an independent arbitrator. In sum, public auditing services will play an important role in this emerging cloud storage field and may become an important way to establish a trust relationship between users and cloud storage providers.
Both data owners and ordinary users rely on a trusted third party for authentication and authorization, but the data leakage and tampering incidents that have occurred frequently in recent years show that trusted third parties are not always trustworthy and may sell sensitive information, such as user data or access controls, for their own benefit. On the other hand, a user may maliciously claim data loss and demand high compensation from the service provider. The lack of trust between the cloud storage platform and the user has affected the development of cloud storage technology, and new methods and technical means are needed to solve these problems.
At present, most research on cloud data auditing concerns data integrity, and little addresses the auditing of cloud data operation behavior. Operation behavior auditing based on log records greatly helps to confirm responsibility, trace user data and limit illegal operations, and can effectively relieve the trust problem between users and cloud storage providers.
Disclosure of Invention
In view of the defects of the prior art, the invention aims to solve the technical problems that cloud data auditing in the prior art depends on a third party and lacks auditing of cloud data operation behaviors.
In order to achieve the above object, in a first aspect, an embodiment of the present invention provides a block chain-based log behavior auditing method in a cloud storage environment, where the method includes:
S1. A data owner and a cloud service provider jointly negotiate an intelligent contract and deploy it on a block chain network; if the deployment succeeds, go to step S2, otherwise end;
S2. After uploading a data file to the cloud storage server, the data owner calls the intelligent contract to add a log record to the block chain network;
S3. A common user calls the intelligent contract and inputs the operation request information for the operation to be performed on the data file on the cloud storage server; the intelligent contract returns the metadata information of the data file to the common user; go to step S4;
S4. According to the operation request information and the metadata information, the common user initiates an operation request to the cloud storage server and sends a log record; whether the operation request is a read operation request or a write operation request is determined; if it is a write operation request, go to step S5; if it is a read operation request, go to step S6;
S5. The cloud storage provider calls the intelligent contract to authenticate the log record; after receiving feedback that the intelligent contract agrees to the write operation request, it executes the corresponding write operation according to the write operation request and calls the intelligent contract to add the log record to the block chain network;
S6. The cloud storage provider calls the intelligent contract to authenticate the log record; after receiving feedback that the intelligent contract agrees to the read operation request, it executes the corresponding read operation according to the read operation request, returns the requested data file to the common user and calls the intelligent contract to add the log record to the block chain network; go to step S7;
S7. When the data file returned by the cloud storage server is inconsistent with the data file obtained through the intelligent contract, the common user calls the intelligent contract to initiate an audit request on the data file.
More specifically, the intelligent contract includes a plurality of interfaces, specifically as follows:
Upload: through this interface the data owner records the metadata information of a data file uploaded to the cloud service provider on the block chain network and generates the initial access record of the data file; the log signed with the user's private key is broadcast in the block chain network and packaged into blocks, on which the block chain network reaches consensus;
Getfile: through this interface a user obtains the address L of a data file in the cloud storage server; before sending a remote read/write request to the cloud storage server, the user must obtain the address and a temporary token through this interface;
VerifyRequest: this interface is provided for the cloud storage provider and can only be called by the cloud storage provider; when the cloud storage provider receives an operation request from a user, it calls this interface to query whether the user has access permission; the interface also obtains the user's access request information and stores it as a log record on the block chain network;
Grant: through this interface the data owner sets a common user's access permission to the data stored on the cloud storage server; the interface authorizes the common user, that is, gives the user read-write permission on the data file;
Revoke: through this interface the data owner revokes the read-write permission previously given to a common user on the data file stored on the cloud storage server;
Audit: through this interface an auditing user tracks the life cycle of a data file, that is, learns when the data file was created and destroyed, when it was accessed by common users, and which operations were performed;
Logging: this interface broadcasts a common user's access to a data file in the block chain network to generate an access log record, and adds and stores the log record on the block chain; both are completed by this interface.
More specifically, the address L is a URL.
More specifically, step S2 is specifically as follows:
S201. The data owner creates a serial number fid for each data file to be uploaded, and uploads the data file to the cloud storage provider;
S202. The data owner calls the Upload interface of the intelligent contract to record the metadata information of the data file on the block chain network;
S203. The data owner sends the signed log record (uid, fid, type, H(X0), OPM, ts, sign) to the cloud storage provider;
S204. The cloud storage provider checks the correctness of each field of the log record; if the fields are correct, it calls the Logging interface of the intelligent contract to add the log record to the block chain network; otherwise the process ends;
where uid is the unique identification number of the user remotely accessing the data; fid is the unique identifier of the accessed data file; type is the type of operation the user performs on the data file; H(X0) is the hash value of the data before the operation; ts is the current timestamp; sign is the signature that the user currently accessing the data generates over the access record with the user's private key; OPM is an open data tracing model.
More specifically, the operation request information is (type, fid), where type is the type of operation the user performs on the data file; there are three types, Create, Read and Write, which represent uploading data, reading data and writing data respectively; fid is the unique identifier of the accessed data file; the metadata information of the data file comprises the address L of the data file on the cloud storage server, the hash value of the data file before the operation, and a token.
More specifically, the read operation request is (read, L, H(X0), token), and the write operation request is (write, L, H(Xn), token); the log record in step S4 is the access record (uid, fid, type, H(X0), H(Xn), OPM, ts, sign) signed with the private key;
where uid is the unique identification number of the user remotely accessing the data; fid is the unique identifier of the accessed data file; type is the type of operation the user performs on the data file; H(X0) is the hash value of the data before the operation; H(Xn) is the hash value of the data after the operation; ts is the current timestamp; sign is the signature that the user currently accessing the data generates over the access record with the user's private key; OPM is an open data tracing model.
More specifically, step S5 is specifically as follows:
S501. After receiving the request of a common user, the cloud storage provider checks the correctness of each field of the log record; if the fields are correct, go to step S502, otherwise end the process;
S502. The VerifyRequest interface of the intelligent contract is called to verify the identity of the common user and to query the access control policy of the corresponding data file in the intelligent contract; if the identity of the user meets the conditions, the request is approved and the flow goes to step S503; otherwise the user's request is rejected and the process ends;
S503. After receiving feedback that the intelligent contract agrees to the write operation request, the cloud storage provider executes the corresponding write operation according to the user's request;
S504. The intelligent contract adds the log record to the block chain network.
More specifically, step S6 is specifically as follows:
S601. After receiving the request of a user, the cloud storage provider checks the correctness of each field of the log record; if the fields are correct, go to step S602, otherwise end the process;
S602. The VerifyRequest interface of the intelligent contract is called to verify the identity of the user and to query the access control policy of the corresponding data file in the intelligent contract; if the identity of the user meets the conditions, the request is approved and the flow goes to step S603; otherwise the user's request is rejected and the process ends;
S603. After receiving feedback that the intelligent contract agrees to the read operation request, the cloud storage provider executes the corresponding read operation according to the user's request and returns the requested data file to the common user;
S604. The intelligent contract adds the log record to the block chain network; go to step S7.
More specifically, step S7 is specifically as follows:
After receiving the data file sent by the cloud storage server, the common user calculates the hash value of the data file and compares it with the latest hash value H(X0) of the data file obtained through the intelligent contract. If the two are the same, the data file read is correct; otherwise the data file has been tampered with or is not the latest version, and the user can call the Audit interface of the intelligent contract to initiate an audit request for the data file.
In a second aspect, an embodiment of the present invention provides a computer-readable storage medium, where a computer program is stored on the computer-readable storage medium, and when executed by a processor, the computer program implements the log behavior auditing method according to the first aspect.
Generally, compared with the prior art, the above technical solution conceived by the present invention has the following beneficial effects:
1. The invention moves log storage from the cloud storage provider to the block chain, and the decentralization, trustlessness and high reliability of the block chain guarantee the security and integrity of the log data.
2. In the invention, the block chain network uses the intelligent contract to provide read-write interfaces and an audit structure for the log, and a data access flow is designed for the interaction between the user and the cloud service provider, so that both the user and the cloud storage provider record the log completely on the block chain network and the log records cannot be denied or tampered with.
Drawings
Fig. 1 is a schematic diagram of a block chain-based log behavior audit model in a cloud storage environment according to the present invention;
Fig. 2 is a flowchart of a block chain-based log behavior auditing method in a cloud storage environment according to the present invention;
Fig. 3 is a flowchart of step S2 provided by the present invention;
Fig. 4 is a flowchart illustrating a remote write operation performed on data stored in a cloud storage server according to the present invention;
Fig. 5 is a flowchart of performing a remote read operation on data stored in a cloud storage server according to the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the present invention is described in further detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit the invention.
Fig. 1 is a schematic diagram of a block chain-based log behavior audit model in a cloud storage environment. As shown in fig. 1, the log behavior audit model includes the following components:
Cloud storage users: there are two types, data owners and common users, each of which can be an individual or an organization. A data owner can upload data to the cloud storage provider; the upload operation is broadcast in the block chain network at the same time, and the operation log is recorded by the block chain. A common user mainly performs read-write operations on the cloud data; these operations are broadcast in the block chain network, which records them.
Cloud storage provider: the cloud storage provider offers virtualized resources to users as a storage resource pool, to be used freely according to the users' requirements. The user can upload data to the cloud data server and perform remote read-write operations on the data; the cloud storage provider also joins the block chain network to verify the log records together with the user.
Block chain network: the user and the cloud storage provider serve as nodes to form the whole block chain network, each node equally receives operation record information broadcasted by the user node, and the record information is packaged into blocks through a mining algorithm. The entire blockchain network stores the operational behavior log as a distributed database.
Third party auditor: the third party auditor has professional knowledge and capabilities that users lack, and can periodically audit the integrity of all data stored in the cloud storage server on the user's behalf, giving users a simpler and more economical way to make sure that their data is stored correctly in the cloud.
So that neither the cloud storage user nor the cloud storage provider can deny a log record, and so that each log record is confirmed by both parties when it is written, the invention provides a block chain-based log behavior auditing method in a cloud storage environment.
Fig. 2 is a flowchart of a block chain-based log behavior auditing method in a cloud storage environment according to the present invention. As shown in fig. 2, the method comprises the steps of:
S1. A data owner and a cloud service provider jointly negotiate an intelligent contract and deploy it on a block chain network; if the deployment succeeds, go to step S2, otherwise end;
S2. After uploading a data file to the cloud storage server, the data owner calls the intelligent contract to add a log record to the block chain network;
S3. A common user calls the intelligent contract and inputs the operation request information for the operation to be performed on the data file on the cloud storage server; the intelligent contract returns the metadata information of the data file to the common user; go to step S4;
S4. According to the operation request information and the metadata information, the common user initiates an operation request to the cloud storage server and sends a log record; whether the operation request is a read operation request or a write operation request is determined; if it is a write operation request, go to step S5; if it is a read operation request, go to step S6;
S5. The cloud storage provider calls the intelligent contract to authenticate the log record; after receiving feedback that the intelligent contract agrees to the write operation request, it executes the corresponding write operation according to the write operation request and calls the intelligent contract to add the log record to the block chain network;
S6. The cloud storage provider calls the intelligent contract to authenticate the log record; after receiving feedback that the intelligent contract agrees to the read operation request, it executes the corresponding read operation according to the read operation request, returns the requested data file to the common user and calls the intelligent contract to add the log record to the block chain network; go to step S7;
S7. When the data file returned by the cloud storage server is inconsistent with the data file obtained through the intelligent contract, the common user calls the intelligent contract to initiate an audit request on the data file.
Step S1, a data owner and a cloud service provider negotiate an intelligent contract together, the intelligent contract is deployed on a block chain network, if the deployment is successful, the step S2 is carried out, and otherwise, the operation is finished.
First, the system needs to be initialized: the user and the cloud service provider jointly negotiate the rules of the intelligent contract, and the contract is then deployed on the blockchain network. Contract deployment initiates a transaction whose recipient address is 0 and whose data field contains the contract code compiled into bytecode. The transaction is broadcast over the blockchain network, received by the nodes and packaged into a block; the contract then obtains a unique contract address, through which it can be invoked. Since the transaction containing the contract code is packaged into a block and agreed upon by the whole network, the contract code cannot be tampered with, and the parties can trust that the code runs according to the rules they formulated. The process returns the intelligent contract address to the user side and the cloud service provider.
The intelligent contract comprises a plurality of interfaces, and a user, a cloud storage provider and a forensics investigator realize log recording and auditing work through the following interfaces:
Upload: through this interface the data owner records the metadata information of a data file uploaded to the cloud service provider on the blockchain network and generates the initial access record of the data file; the log record signed with the user's private key is broadcast in the blockchain network and packaged into blocks, on which the blockchain network reaches consensus.
The log records are treated as transaction data packaged into blocks.
Getfile: the user acquires the address L of the data file in the cloud storage server through the interface, and when the user sends a remote read/write request to the cloud storage server, the user needs to acquire the address and a temporary token through the interface.
Preferably, the address L is a URL. After receiving the request, the intelligent contract records the action as a pre-request log, used later to audit the user's operation behavior; the token also prevents the user from reusing a URL obtained from an earlier call to the Getfile interface to send a request directly to the cloud storage server.
VerifyRequest: the interface is provided for a cloud storage provider to use and can only be called by the cloud storage provider, when the cloud storage provider receives an operation request of a user, the interface is called to inquire whether the user has access authority, and meanwhile, the interface can acquire access request information of the user and store the access request information as a log record on a blockchain network.
Grant: the data owner sets the access authority of a common user to the data stored on the cloud storage server through the interface, and the interface is used for authorizing the common user, namely endowing the user with the read-write authority to the data file.
Revoke: through this interface the data owner revokes the read-write permission previously given to a common user on the data file stored on the cloud storage server.
Audit: through this interface an auditing user tracks the life cycle of a data file, that is, learns when the data file was created and destroyed, when it was accessed by common users, and which operations were performed.
Logging: this interface broadcasts a common user's access to a data file in the blockchain network to generate an access log record, and adds and stores the log record on the blockchain; both are completed by this interface.
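The interface set above, modelled in Python as an added example (not code from the patent): an in-memory stand-in for the contract state, in which a SHA-256 hash chain plays the part of the block chain's tamper evidence. The method names, the single-use binding of the token to (uid, fid, operation) and the sample URL are assumptions of this example.

```python
import hashlib
import secrets


class AuditContract:
    """In-memory model of the contract; a real deployment keeps this state on chain."""

    def __init__(self, provider_id):
        self.provider_id = provider_id   # the only caller allowed to use VerifyRequest/Logging
        self.files = {}                  # fid -> {"owner", "url", "hash", "acl"}
        self.tokens = {}                 # token -> (uid, fid, op), consumed on first use
        self.log = []                    # append-only, each record chained to the previous one

    def _append(self, uid, fid, event):
        prev = self.log[-1]["digest"] if self.log else "0" * 64
        body = f"{prev}|{uid}|{fid}|{event}".encode()
        self.log.append({"uid": uid, "fid": fid, "event": event, "prev": prev,
                         "digest": hashlib.sha256(body).hexdigest()})

    def _require_owner(self, caller, fid):
        if self.files[fid]["owner"] != caller:
            raise PermissionError("only the data owner may set the policy")

    def upload(self, owner, fid, url, file_hash):
        if fid in self.files:
            raise ValueError("fid already registered")
        self.files[fid] = {"owner": owner, "url": url, "hash": file_hash, "acl": {}}
        self._append(owner, fid, "Create")            # initial access record

    def grant(self, caller, fid, uid, ops):
        self._require_owner(caller, fid)
        self.files[fid]["acl"][uid] = set(ops)
        self._append(caller, fid, f"Grant:{uid}:{','.join(sorted(ops))}")

    def revoke(self, caller, fid, uid):
        self._require_owner(caller, fid)
        self.files[fid]["acl"].pop(uid, None)
        self._append(caller, fid, f"Revoke:{uid}")

    def getfile(self, uid, fid, op):
        """Return (L, latest hash, token) and write the pre-request log."""
        meta = self.files[fid]
        token = secrets.token_hex(16)
        self.tokens[token] = (uid, fid, op)
        self._append(uid, fid, f"PreRequest:{op}")
        return meta["url"], meta["hash"], token

    def verify_request(self, caller, uid, fid, op, token):
        if caller != self.provider_id:
            raise PermissionError("VerifyRequest is provider-only")
        bound = self.tokens.pop(token, None)          # a token is valid exactly once
        meta = self.files.get(fid)
        allowed = (meta is not None and bound == (uid, fid, op)
                   and (uid == meta["owner"] or op in meta["acl"].get(uid, ())))
        self._append(uid, fid, f"Verify:{op}:{'ok' if allowed else 'denied'}")
        return allowed

    def logging(self, caller, uid, fid, op, new_hash=None):
        if caller != self.provider_id:
            raise PermissionError("Logging is called by the provider")
        if op == "Write" and new_hash is not None:
            self.files[fid]["hash"] = new_hash        # H(Xn) becomes the latest hash
        self._append(uid, fid, op)

    def audit(self, fid):
        return [r for r in self.log if r["fid"] == fid]

    def chain_intact(self):
        prev = "0" * 64
        for r in self.log:
            body = f"{prev}|{r['uid']}|{r['fid']}|{r['event']}".encode()
            if r["prev"] != prev or hashlib.sha256(body).hexdigest() != r["digest"]:
                return False
            prev = r["digest"]
        return True


def demo():
    c = AuditContract(provider_id="csp")
    h0 = hashlib.sha256(b"report v1").hexdigest()     # constructed sample file
    c.upload("alice", "f1", "https://storage.example/f1", h0)
    c.grant("alice", "f1", "bob", {"Read"})
    _, _, tok = c.getfile("bob", "f1", "Read")
    first = c.verify_request("csp", "bob", "f1", "Read", tok)
    c.logging("csp", "bob", "f1", "Read")
    replay = c.verify_request("csp", "bob", "f1", "Read", tok)   # old token reused
    c.revoke("alice", "f1", "bob")
    _, _, tok2 = c.getfile("bob", "f1", "Read")
    after_revoke = c.verify_request("csp", "bob", "f1", "Read", tok2)
    events = [r["event"] for r in c.audit("f1")]
    return first, replay, after_revoke, events, c.chain_intact()


if __name__ == "__main__":
    print(demo())
```

The denied replay and the denied post-revocation request both appear in the audit trail, which is what lets an auditor reconstruct attempted as well as completed accesses.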
Step S2. After uploading a data file to the cloud storage server, the data owner calls the intelligent contract to add a log record to the block chain network.
Step S2 corresponds to the data owner's Create access operation on the data. After the contract is deployed successfully, system initialization is complete. From then on, each time the data owner uploads data to the cloud, the data owner calls the Upload interface of the intelligent contract to upload the file metadata and write a log record. Calling the intelligent contract means broadcasting a transaction in the blockchain network: the recipient address of the transaction is the intelligent contract address, the data field contains the parameters provided by the sender, and the transaction carries the sender's signature, which other nodes can verify.
When the transaction is received by other nodes, the intelligent contract is executed and corresponding state variables are stored, then the transaction is packaged into blocks and is agreed on the whole network, the state of the intelligent contract after operation is confirmed by the whole network, and therefore file metadata and log records are written into a block chain and cannot be tampered.
The data owner can also make an access control strategy for the file through the Grant interface and the Revoke interface. When the transaction is broadcast over the blockchain network, the receiving node verifies the signature of the transaction and only the data owner can formulate a policy, otherwise the call is considered an invalid operation.
Fig. 3 is a flowchart of step S2 provided by the present invention. As shown in fig. 3, step S2 is specifically as follows:
S201. The data owner creates a serial number fid for each data file to be uploaded, and uploads the data file to the cloud storage provider;
S202. The data owner calls the Upload interface of the intelligent contract to record the metadata information of the data file on the block chain network.
S203. The data owner sends the signed log record (uid, fid, type, H(X0), OPM, ts, sign) to the cloud storage provider.
The user's signature attached to the log record can ensure that the user cannot repudiate the action.
S204. The cloud storage provider checks the correctness of each field of the log record; if the fields are correct, it calls the Logging interface of the intelligent contract to add the log record to the block chain network; otherwise the process ends;
where uid is the unique identification number of the user remotely accessing the data; fid is the unique identifier of the accessed data file; type is the type of operation the user performs on the data file; H(X0) is the hash value of the data before the operation; ts is the current timestamp; sign is the signature that the user currently accessing the data generates over the access record with the user's private key; OPM is an open data tracing model.
For example, the provider checks whether the user uid is correct and whether the operation type corresponds to that uid, verifies the validity of the user's signature, and finally calculates the hash value of the data file and checks that it equals H(X0); if everything is correct, it calls the Logging interface of the intelligent contract to write the log record into the block chain network.
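The S204 checks listed above, as an added Python example that is not part of the patent. The patent does not name a signature scheme, so a Lamport one-time signature built on hashlib is swapped in here (one key pair signs one record); the canonical JSON encoding, the timestamp window and the per-uid operation table are likewise assumptions.

```python
import hashlib
import json
import secrets

FIELDS = ("uid", "fid", "type", "h_x0", "opm", "ts")   # signed fields of the S203 record


def sha(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


# Lamport one-time signature: stand-in for the user's private-key signature.
def keygen():
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    pk = [(sha(a), sha(b)) for a, b in sk]
    return sk, pk


def _bits(msg: bytes):
    digest = sha(msg)
    return [(digest[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]


def sign(sk, msg: bytes):
    # Reveal one of the two secrets per digest bit.
    return [sk[i][bit] for i, bit in enumerate(_bits(msg))]


def verify(pk, msg: bytes, sig) -> bool:
    bits = _bits(msg)
    return len(sig) == 256 and all(sha(sig[i]) == pk[i][bits[i]] for i in range(256))


def canonical(record) -> bytes:
    """Fixed field order and separators, so signer and verifier hash identical bytes."""
    return json.dumps([record[f] for f in FIELDS], separators=(",", ":")).encode()


def make_record(sk, uid, fid, op, file_bytes, ts, opm="opm-placeholder"):
    record = {"uid": uid, "fid": fid, "type": op,
              "h_x0": hashlib.sha256(file_bytes).hexdigest(), "opm": opm, "ts": ts}
    record["sign"] = sign(sk, canonical(record))
    return record


def check_record(record, file_bytes, public_keys, allowed_ops, now, max_skew=300):
    """Provider-side field checks. Returns the list of failures; empty means accept."""
    missing = [f for f in FIELDS + ("sign",) if f not in record]
    if missing:
        return ["missing fields: " + ",".join(missing)]
    errors = []
    pk = public_keys.get(record["uid"])
    if pk is None:
        errors.append("unknown uid")
    if record["type"] not in allowed_ops.get(record["uid"], ()):
        errors.append("operation type not allowed for uid")
    if abs(now - record["ts"]) > max_skew:          # assumed freshness window, seconds
        errors.append("stale timestamp")
    if pk is not None and not verify(pk, canonical(record), record["sign"]):
        errors.append("bad signature")
    if hashlib.sha256(file_bytes).hexdigest() != record["h_x0"]:
        errors.append("file hash differs from H(X0)")
    return errors


def demo():
    sk, pk = keygen()
    keys = {"alice": pk}
    ops = {"alice": {"Create", "Read", "Write"}}
    data = b"quarterly report, version 1"           # constructed sample file
    now = 1_700_000_000                             # constructed clock value
    good = make_record(sk, "alice", "f1", "Create", data, now)
    forged = dict(good, fid="f2")                   # field changed after signing
    return {
        "accepted": check_record(good, data, keys, ops, now),
        "forged": check_record(forged, data, keys, ops, now),
        "wrong_file": check_record(good, data + b"!", keys, ops, now),
        "replayed": check_record(good, data, keys, ops, now + 3600),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(case, result)
```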
S3, for a common user, calling an intelligent contract to input operation request information to be performed on the data file on the cloud storage server, returning the intelligent contract to the metadata information of the data file of the common user, and turning to the step S4;
specifically, the operation request information is (type, fit), wherein the type is an operation type of a user on the data file, and the types include Create, Read, and Write, which respectively represent uploading data, reading data, and writing data; fid is the unique identification of the data file being accessed. The metadata information of the data file comprises an address L of the data file on the cloud storage server, a hash value of the data file before operation and a token. The access control policy specified by the file owner to the file is also included, and is implemented by using an access control list in the system.
S4, according to the operation request information and the metadata information, the common user initiates an operation request to the cloud storage server and sends a log record; it is then determined whether the operation request is a read operation request or a write operation request. If it is a write operation request, the process goes to step S5; if it is a read operation request, the process goes to step S6.
Specifically, the read operation request is (read, L, H(X0), token) and the write operation request is (write, L, H(Xn), token); the log record in step S4 is the access record (uid, fid, type, H(X0), H(Xn), OPM, ts, sign), signed with the user's private key;
wherein uid is the unique identification number of the user remotely accessing the data; fid is the unique identifier of the accessed data file; type is the type of operation the user performs on the data file; H(X0) is the hash value of the data before the operation; H(Xn) is the hash value of the data after the operation; ts is the current timestamp; sign is the signature that the user currently accessing the data generates over the access record with the user's private key; and OPM is an open data tracing model.
S5, the cloud storage provider calls the intelligent contract to authenticate the log record; after receiving feedback that the intelligent contract agrees to the write operation request, it executes the corresponding write operation according to the write operation request and calls the intelligent contract to add the log record to the block chain network.
Fig. 4 is a flowchart illustrating a remote write operation performed on data stored in a cloud storage server according to the present invention. As shown in Fig. 4, step S5 is specifically as follows:
S501, after receiving a request from a common user, the cloud storage provider checks the correctness of each field of the log record; if the fields are correct, the process goes to step S502, and if not, the process ends;
S502, the VerifyRequest interface of the intelligent contract is invoked to verify the identity of the common user, and the access control policy of the corresponding data file is queried in the intelligent contract; if the user's identity satisfies the policy, the request is agreed to and the process goes to step S503, and if not, the user's request is rejected and the process ends;
S503, after receiving feedback that the intelligent contract agrees to the write operation request, the cloud storage provider executes the corresponding write operation according to the user's request;
S504, the intelligent contract adds the log record to the block chain network.
S6, the cloud storage provider calls the intelligent contract to authenticate the log record; after receiving feedback that the intelligent contract agrees to the read operation request, it executes the corresponding read operation according to the read operation request, returns the requested data file to the common user, and calls the intelligent contract to add the log record to the block chain network; the process then goes to step S7.
Fig. 5 is a flowchart of performing a remote read operation on data stored in a cloud storage server according to the present invention. As shown in Fig. 5, step S6 is specifically as follows:
S601, after receiving a request from a user, the cloud storage provider checks the correctness of each field of the log record; if the fields are correct, the process goes to step S602, and if not, the process ends;
S602, the VerifyRequest interface of the intelligent contract is invoked to verify the identity of the user, and the access control policy of the corresponding data file is queried in the intelligent contract; if the user's identity satisfies the policy, the request is agreed to and the process goes to step S603, and otherwise the user's request is rejected and the process ends;
S603, after receiving feedback that the intelligent contract agrees to the read operation request, the cloud storage provider executes the corresponding read operation according to the user's request and returns the requested data file to the common user;
S604, the intelligent contract adds the log record to the block chain network, and the process goes to step S7.
S7, when the data file returned by the cloud storage server is inconsistent with the data file information acquired through the intelligent contract, the common user calls the intelligent contract to initiate an audit request on the data file.
After receiving the data sent by the cloud storage server, the common user calculates the hash value of the data and compares it with the latest hash value H(X0) of the data obtained through the intelligent contract. If the two are the same, the data read is correct; otherwise, the data has been tampered with or is not the latest version, and the user can then call the Audit interface of the intelligent contract to initiate an audit request for the data file.
The intelligent contract is characterized in that the intelligent contract can only read data and does not need to write data because the data is damaged or maliciously tampered, but the intelligent contract also provides an interface through which a user can perform an integrity audit on the data at any time. Auditing of data manipulation behavior can be based on the extraction and analysis of log records. When there is an audit demand, the Audit interface of the intelligent contract is called first; the intelligent contract then checks the log records and returns the result to the user who made the request.
The invention provides three audit functions, exposed as a public audit interface, Audit, that is open to all users. Audit can be invoked by a third-party auditor or by any other user. The three audit functions are: obtaining the life cycle of a file, querying illegal users, and verifying the integrity of a file.
Obtaining the file life cycle provides all operation records of the data file from upload to deletion.
Querying illegal users shows which users have tried to perform illegal operations, so that punitive measures can be taken against them or a malicious user's permissions can be revoked in time. The request sent through Getfile is compared with the request sent through VerifyRequest; if the requested operations are inconsistent, the user has initiated an illegal request and is an illegal user.
Verifying the integrity of the file lets the user verify whether the file obtained has been tampered with. The hash value of the data is compared with the hash value of the data in the most recent record; if they differ, the integrity of the data has been compromised.
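The provider-side flow of steps S5/S6 and the three audit functions described above, as an added Python sketch that is not code from the patent. The `Contract` class is a hypothetical in-memory stand-in for the contract's state, SHA-256 is an assumed choice for H, all sample data is constructed, and the OPM field and signature check are left out.

```python
import hashlib
from collections import Counter

def h(data: bytes) -> str:
    """H(X). SHA-256 is an assumption; the page does not name the hash."""
    return hashlib.sha256(data).hexdigest()

def record(uid, fid, op, h_x0, h_xn, ts):
    """Access record without the OPM and sign fields (omitted in this sketch)."""
    return {"uid": uid, "fid": fid, "type": op, "h_x0": h_x0, "h_xn": h_xn, "ts": ts}

class Contract:
    """Hypothetical in-memory stand-in for the contract state; no real chain."""
    def __init__(self):
        self.acl = {}            # fid -> {uid: set of permitted operation types}
        self.getfile_reqs = []   # (uid, fid, type) declared by users via Getfile
        self.verify_reqs = []    # (uid, fid, type) reported by the provider
        self.log = []            # records appended through Logging

    def grant(self, fid, uid, types):
        self.acl.setdefault(fid, {}).setdefault(uid, set()).update(types)

    def latest_hash(self, fid):
        recs = [r for r in self.log if r["fid"] == fid]
        if not recs:
            return None
        return recs[-1]["h_xn"] or recs[-1]["h_x0"]  # a write supersedes H(X0)

    def getfile(self, uid, fid, op):
        self.getfile_reqs.append((uid, fid, op))
        return self.latest_hash(fid)

    def verify_request(self, uid, fid, op):
        self.verify_reqs.append((uid, fid, op))
        return op in self.acl.get(fid, {}).get(uid, set())

    def logging(self, rec):
        self.log.append(rec)

    # --- the three audit functions ---
    def lifecycle(self, fid):
        return [(r["ts"], r["uid"], r["type"]) for r in self.log if r["fid"] == fid]

    def illegal_users(self, fid):
        """Users whose request to the provider has no matching Getfile request."""
        declared = Counter(r for r in self.getfile_reqs if r[1] == fid)
        flagged = []
        for req in (r for r in self.verify_reqs if r[1] == fid):
            if declared[req] > 0:
                declared[req] -= 1
            elif req[0] not in flagged:
                flagged.append(req[0])
        return flagged

    def verify_integrity(self, fid, data):
        return h(data) == self.latest_hash(fid)

def provider_handle(contract, store, rec, new_data=None):
    """S5/S6: VerifyRequest, then the operation, then Logging."""
    if not contract.verify_request(rec["uid"], rec["fid"], rec["type"]):
        return None                      # rejected: the process ends, nothing is logged
    if rec["type"] == "Write":
        store[rec["fid"]] = new_data
    contract.logging(rec)
    return store[rec["fid"]]

def demo():
    c, store = Contract(), {}
    store["f1"] = b"v0"                  # S2: owner uploads (constructed data)
    c.logging(record("alice", "f1", "Create", h(b"v0"), None, 1))
    c.grant("f1", "bob", {"Read", "Write"})
    c.grant("f1", "carol", {"Read"})
    h0 = c.getfile("bob", "f1", "Write") # bob: a consistent, permitted write
    provider_handle(c, store, record("bob", "f1", "Write", h0, h(b"v1"), 2), b"v1")
    h0 = c.getfile("carol", "f1", "Read")  # carol declares Read but sends Write
    denied = provider_handle(c, store, record("carol", "f1", "Write", h0, h(b"x"), 3), b"x")
    store["f1"] = b"tampered"            # data altered outside the logged flow
    h0 = c.getfile("carol", "f1", "Read")
    data = provider_handle(c, store, record("carol", "f1", "Read", h0, None, 4))
    return {"denied": denied is None,
            "read_ok": h(data) == h0,    # S7: the user's own comparison
            "lifecycle": c.lifecycle("f1"),
            "illegal": c.illegal_users("f1"),
            "integrity": c.verify_integrity("f1", data)}

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Because the record's H(X0) comes from the value the user obtained through Getfile rather than from whatever the provider currently stores, altered data cannot update the reference hash without a logged, authorized write.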
The above description is only for the preferred embodiment of the present application, but the scope of the present application is not limited thereto, and any changes or substitutions that can be easily conceived by those skilled in the art within the technical scope of the present application should be covered within the scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.

Claims (10)

1. A log behavior auditing method based on a block chain in a cloud storage environment is characterized by comprising the following steps:
S1, a data owner and a cloud service provider jointly negotiate an intelligent contract and deploy it on a block chain network; if the deployment succeeds, the process goes to step S2, and if not, the process ends;
S2, after uploading a data file to a cloud storage server, the data owner calls the intelligent contract to add a log record to the block chain network;
S3, a common user calls the intelligent contract and inputs the operation request information for the operation to be performed on the data file on the cloud storage server; the intelligent contract returns the metadata information of the data file to the common user, and the process goes to step S4;
S4, according to the operation request information and the metadata information, the common user initiates an operation request to the cloud storage server and sends a log record; it is determined whether the operation request is a read operation request or a write operation request; if it is a write operation request, the process goes to step S5; if it is a read operation request, the process goes to step S6;
S5, the cloud storage provider calls the intelligent contract to authenticate the log record; after receiving feedback that the intelligent contract agrees to the write operation request, it executes the corresponding write operation according to the write operation request and calls the intelligent contract to add the log record to the block chain network;
S6, the cloud storage provider calls the intelligent contract to authenticate the log record; after receiving feedback that the intelligent contract agrees to the read operation request, it executes the corresponding read operation according to the read operation request, returns the requested data file to the common user, and calls the intelligent contract to add the log record to the block chain network; the process then goes to step S7;
S7, when the data file returned by the cloud storage server is inconsistent with the data file information obtained through the intelligent contract, the common user calls the intelligent contract to initiate an audit request on the data file.
2. The log behavior auditing method of claim 1, where the intelligent contract includes a plurality of interfaces, specifically as follows:
Upload: through this interface the data owner records the metadata information of the data file uploaded to the cloud service provider to the blockchain network, generates an initial access record of the data file, and records a log signed with the user's private key to the blockchain network for broadcasting; the log is packaged into blocks to reach consensus in the blockchain network;
Getfile: through this interface a user obtains the address L of a data file on the cloud storage server; when the user sends a remote read/write request to the cloud storage server, the user needs to obtain the address and a temporary token through this interface;
VerifyRequest: this interface is provided for the cloud storage provider and can only be called by the cloud storage provider; when the cloud storage provider receives an operation request from a user, it calls this interface to query whether the user has access authority; the interface can also acquire the user's access request information and store it as a log record on the blockchain network;
grant: through this interface the data owner sets a common user's access authority to the data stored on the cloud storage server; the interface is used to authorize the common user, namely to give the user read-write authority to the data file;
revoke: through this interface the data owner revokes the read-write authority previously given to a common user for the data file stored on the cloud storage server;
Audit: through this interface an auditing user tracks the life cycle of the data file, namely learns when the data file was created and destroyed, when it was accessed by common users, and which operations were executed;
Logging: this interface broadcasts a common user's access to a data file in the blockchain network to generate an access log record, and adds and stores the log record on the blockchain; both are completed by this interface together.
3. The log behavior auditing method of claim 2, wherein the address L is a URL.
4. The log behavior auditing method of claim 2, in which step S2 is as follows:
S201, the data owner creates a serial number fid for each data file to be uploaded and uploads the data file to the cloud storage provider;
S202, the data owner calls the Upload interface of the intelligent contract to record the metadata information of the data file to the block chain network;
S203, the data owner sends the signed log record (uid, fid, type, H(X0), OPM, ts, sign) to the cloud storage provider;
S204, the cloud storage provider checks the correctness of each field of the log record; if the fields are correct, it calls the Logging interface of the intelligent contract to add the log record to the block chain network, and if they are not, the process ends;
wherein uid is the unique identification number of the user remotely accessing the data; fid is the unique identifier of the accessed data file; type is the type of operation the user performs on the data file; H(X0) is the hash value of the data before the operation; ts is the current timestamp; sign is the signature that the user currently accessing the data generates over the access record with the user's private key; and OPM is an open data tracing model.
5. The log behavior auditing method according to claim 2, characterized in that the operation request information is (type, fid), wherein type is the type of operation the user performs on the data file and takes one of three values, Create, Read and Write, which respectively represent uploading data, reading data and writing data; fid is the unique identifier of the accessed data file; the metadata information of the data file comprises the address L of the data file on the cloud storage server, the hash value of the data file before the operation, and a token.
6. The log behavior auditing method of claim 5, wherein the read operation request is (read, L, H(X0), token) and the write operation request is (write, L, H(Xn), token); the log record in step S4 is the access record (uid, fid, type, H(X0), H(Xn), OPM, ts, sign), signed with the user's private key;
wherein uid is the unique identification number of the user remotely accessing the data; fid is the unique identifier of the accessed data file; type is the type of operation the user performs on the data file; H(X0) is the hash value of the data before the operation; H(Xn) is the hash value of the data after the operation; ts is the current timestamp; sign is the signature that the user currently accessing the data generates over the access record with the user's private key; and OPM is an open data tracing model.
7. The log behavior auditing method of claim 2, in which step S5 is as follows:
S501, after receiving a request from a common user, the cloud storage provider checks the correctness of each field of the log record; if the fields are correct, the process goes to step S502, and if not, the process ends;
S502, the VerifyRequest interface of the intelligent contract is invoked to verify the identity of the common user, and the access control policy of the corresponding data file is queried in the intelligent contract; if the user's identity satisfies the policy, the request is agreed to and the process goes to step S503, and if not, the user's request is rejected and the process ends;
S503, after receiving feedback that the intelligent contract agrees to the write operation request, the cloud storage provider executes the corresponding write operation according to the user's request;
S504, the intelligent contract adds the log record to the block chain network.
8. The log behavior auditing method of claim 2, in which step S6 is as follows:
S601, after receiving a request from a user, the cloud storage provider checks the correctness of each field of the log record; if the fields are correct, the process goes to step S602, and if not, the process ends;
S602, the VerifyRequest interface of the intelligent contract is invoked to verify the identity of the user, and the access control policy of the corresponding data file is queried in the intelligent contract; if the user's identity satisfies the policy, the request is agreed to and the process goes to step S603, and otherwise the user's request is rejected and the process ends;
S603, after receiving feedback that the intelligent contract agrees to the read operation request, the cloud storage provider executes the corresponding read operation according to the user's request and returns the requested data file to the common user;
S604, the intelligent contract adds the log record to the block chain network, and the process goes to step S7.
9. The log behavior auditing method of claim 2, in which step S7 is as follows:
after receiving the data file sent by the cloud storage server, the common user calculates the hash value of the data file and compares it with the latest hash value H(X0) of the data file acquired through the intelligent contract; if the two are the same, the data file read is correct; otherwise, the data file has been tampered with or is not the latest version, and the user can call the Audit interface of the intelligent contract to initiate an audit request for the data file.
10. A computer-readable storage medium, characterized in that the computer-readable storage medium stores a computer program which, when executed by a processor, implements the log behavior auditing method according to any one of claims 1 to 9.
CN201811126706.7A 2018-09-26 2018-09-26 Log behavior auditing method based on block chain in cloud storage environment Active CN109190410B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201811126706.7A CN109190410B (en) 2018-09-26 2018-09-26 Log behavior auditing method based on block chain in cloud storage environment

Publications (2)

Publication Number Publication Date
CN109190410A CN109190410A (en) 2019-01-11
CN109190410B true CN109190410B (en) 2020-05-19

Family

ID=64907256

Country Status (1)

Country Link
CN (1) CN109190410B (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant