CN109787747B - Anti-quantum-computation multi-encryption cloud storage method and system based on multiple asymmetric key pools - Google Patents
Anti-quantum-computation multi-encryption cloud storage method and system based on multiple asymmetric key pools Download PDFInfo
- Publication number
- CN109787747B CN109787747B CN201811638175.XA CN201811638175A CN109787747B CN 109787747 B CN109787747 B CN 109787747B CN 201811638175 A CN201811638175 A CN 201811638175A CN 109787747 B CN109787747 B CN 109787747B
- Authority
- CN
- China
- Prior art keywords
- key
- defense
- file
- public
- server
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
Images
Landscapes
- Storage Device Security (AREA)
Abstract
The invention relates to a quantum computation resistant multi-encryption cloud storage method and system based on a plurality of asymmetric key pools, wherein a user side is provided with a key fob, encrypts a ciphertext formed by encrypting a data file by using a file key again, and uploads the file key to a server in an encryption mode; the server receives a personal key, a data key, a defense public and private key pointer random number, an encrypted ciphertext and a defense key encrypted by a defense public key; the user side downloads each parameter value, a file key is obtained by using the identity private key in the own key fob, a ciphertext is obtained by using the defense public and private key pointer, and the file key decrypts the ciphertext to obtain the data file. In the whole process of cloud storage, the server cannot contact various keys and data files of a user side, ciphertext stored on the server is further encrypted by using the defense public key, meanwhile, the file key is encrypted by using the public key only disclosed for the key fob, the public key is stored by using the key fob, and the possibility that the key is stolen by malicious software is reduced due to the setting of the key fob.
Description
Technical Field
The invention relates to the field of cloud storage, in particular to a quantum computing resistant multi-encryption cloud storage method and system based on an asymmetric key pool.
Background
With the development of science and technology, cloud storage has become a trend more and more, various cloud storage technologies are endless, and in order to ensure the security of cloud storage data, various encryption methods are generally used to ensure the security of the data, for example, the security of the data can be ensured by asymmetric key encryption, where the asymmetric key encryption needs to use different keys to respectively complete encryption and decryption operations, one is publicly issued, i.e., a public key, and the other is secretly stored by a user, i.e., a private key. The information sender uses the public key to decrypt, and the information receiver uses the private key to decrypt; or the sender of the information is decrypted with the private key and the receiver of the information is decrypted with the public key.
Shared storage is adopted in the cloud storage, so that a service provider needs to control the private key, and the security of the private key is low. The invention patent document with the publication number of CN103236934A entitled "a method for cloud storage security control" discloses a method for solving the problem of low security of a private key. The invention uses two different encryption modes to encrypt and respectively store the private keys of the users.
As most people know, quantum computers have great potential in password cracking. The asymmetric (public key) encryption algorithms, such as the RSA encryption algorithm, which are mainstream today, are mostly based on two mathematical challenges, namely factorization of large integers or computation of discrete exponentials over finite fields. Their difficulty in breaking is also dependent on the efficiency with which these problems are solved. On a traditional computer, the two mathematical problems are required to be solved, and the time is taken to be exponential (namely, the cracking time increases in exponential order along with the increase of the length of the public key), which is not acceptable in practical application. The xiuer algorithm tailored for quantum computers can perform integer factorization or discrete logarithm calculation within polynomial time (i.e. the cracking time increases at the speed of k power along with the increase of the length of a public key, wherein k is a constant irrelevant to the length of the public key), thereby providing possibility for the cracking of RSA and discrete logarithm encryption algorithms.
At present, enterprises or business units have the requirement of data cloud, but public clouds are generally not easy to be trusted by the units, and the information security is considered to be possibly problematic, or keys are easy to be obtained and cracked by hackers, so that public cloud customers worry about the data cloud.
The problems existing in the prior art are as follows:
(1) there is a certain risk of storing keys on the cloud server. Public cloud customers have worries behind the cloud on the data.
(2) The invention patent document with the publication number of CN103236934A and the name of 'a method for cloud storage security control' uses a user public key to encrypt a file key, and because a quantum computer can quickly obtain a corresponding private key through the public key, the scheme is easy to crack by the quantum computer.
Disclosure of Invention
In view of the foregoing, there is a need to provide a quantum computation resistant multi-encryption cloud storage method and system based on multiple asymmetric key pools.
A quantum computation resistant multi-encryption cloud storage method based on a plurality of asymmetric key pools is characterized in that a user side is provided with a key fob, the user side encrypts a data file by using a file key to form a ciphertext and uploads the ciphertext to a server in an encrypted form, the file key is generated by using a generator in the key fob, and the user side uploads the file key to the server in an encrypted form;
generating a defense key by using a generator in a key fob, encrypting the ciphertext by using the defense key and uploading the ciphertext to the server, simultaneously generating a defense public key by using a defense public and private key pointer random number in combination with the key fob, uploading the defense public key to the server after encrypting the defense key, and simultaneously uploading the defense public key and the defense public key pointer random number;
the file key encryption mode is to encrypt the file key by using an identity public key to obtain a personal key and encrypt the file key by using a file characteristic value to obtain a data key; and the personal key and the data key are respectively used as file keys in an encrypted form and sent to the server.
There are currently many storage cloud services, including many public clouds. The server of the storage cloud is called the server for short, and the storage cloud client used by the member is the user side.
In this embodiment, the user side is a device accessing the storage cloud, and may be a mobile terminal or a fixed terminal. The user side is provided with a key fob, the issuer of the key fob is the main manager of the key fob, generally the management department of a certain enterprise or business unit; the key fob is issued as a member of the key fob's master management, typically employees at various levels of a business or institution, who use the user side for cloud data access. The user first applies for opening an account to the owner of the key fob. When the user side has approved registration, a key fob (having a unique key fob ID) will be obtained. The key fob stores the customer registration information and also has built-in authentication protocols including at least a key generation algorithm and an authentication function, or other authentication related algorithms.
In one embodiment, the user side has one or more user sides, the same key pool is stored in the key fob configured for each user side, the key pool includes a defense asymmetric key pool and an identity asymmetric key pool, the defense asymmetric key pool and the identity asymmetric key pool both include a public key area and a private key area, the user side uploading the data file generates a file key through a key fob internal generator of the own party to encrypt the data file, and the user side downloading the data file correspondingly decrypts the file key by using a true number from the server in combination with the key pool of the own party to decrypt the data file.
The user side keys in the key fobs are all downloaded from the same quantum network service station, and the key pools stored in each key fobs issued by the user side keys are completely consistent for the owner of the same key fobs. Preferably, the key pool size stored in the key fob can be 1G, 2G, 4G, 8G, 16G, 32G, 64G, 128G, 256G, 512G, 1024G, 2048G, 4096G, and so forth. The capacity depends on the requirement of the supervisor on safety, and the larger the capacity is, the higher the safety is. In the present invention, the key area of the key fob is divided into a defensive asymmetric key pool (public/private key), an identity asymmetric key pool (public key), and an identity asymmetric key (private key) as shown in fig. 2. The public key of the defense asymmetric key pool corresponds to the private key one by one, the public key area of the identity asymmetric key pool has the public keys of all users of the organization, and the private key area of the identity asymmetric key pool stores the private key of the user.
In one embodiment, the method for generating the personal key by encrypting the file key with the identity public key comprises the following steps: and combining the random number of the identity public key pointer with an identity public key pointer function to obtain an identity public key pointer, extracting a corresponding identity public key from the key fob by using the identity public key pointer, and combining the identity public key with a file key to obtain the personal key.
In one embodiment, the method for generating the defense public key comprises the following steps: and combining the defense public key pointer random number with a defense public key pointer function to obtain a defense public key pointer, and extracting a corresponding defense public key from the key fob by using the defense public key pointer.
In one embodiment, the client uploads the Hash value of the data file to the server, and the Hash value is used as an identifier for identifying whether the server performs deduplication.
A quantum computation resistant multi-encryption cloud storage method based on a plurality of asymmetric key pools is characterized in that a server receives and stores multi-encryption data files from a user side, and receives and stores personal keys and data keys from the user side;
the encryption method of the multiple encrypted data file comprises the following steps: encrypting a data file by using a file key generated by a generator in a key fob to form a ciphertext, encrypting the ciphertext by using a defense key generated by the generator in the key fob to form a multiple encrypted data file, generating a defense public key by combining a defense public and private key pointer random number with the key fob, encrypting the defense key by using the defense public key, and receiving and storing the defense public and private key pointer random number, the multiple encrypted data file and the defense key encrypted by the defense public key by the server;
the personal key is generated in a mode that the file key is encrypted by using an identity public key to obtain the personal key;
the generation mode of the data key is to encrypt the file key by using the file characteristic value to obtain the data key.
In one embodiment, the server further receives and stores a Hash value of a data file from the user side, wherein the Hash value of the data file is used as an indicator for indicating whether the server performs deduplication or not;
when the server judges the duplicate removal according to the indication mark, the server sends a data key to the user side;
and when the server judges that the duplicate removal is not needed according to the indication identifier, receiving and storing the Hash value of the data file from the user side.
A quantum computation resistant multi-encryption cloud storage system based on a plurality of asymmetric key pools comprises a server and a client,
the method comprises the steps that a user side is configured with a key fob, the user side encrypts a data file by using a file key to form a ciphertext and uploads the ciphertext to a server in an encrypted form, the file key is generated by using a generator in the key fob, and the user side uploads the file key to the server in an encrypted form;
generating a defense key by using a generator in a key fob, encrypting the ciphertext by using the defense key and uploading the ciphertext to the server, simultaneously generating a defense public key by using a defense public and private key pointer random number in combination with the key fob, uploading the defense public key to the server after encrypting the defense key, and simultaneously uploading the defense public key and the defense public key pointer random number;
the file key encryption mode is to encrypt the file key by using an identity public key to obtain a personal key and encrypt the file key by using a file characteristic value to obtain a data key; the personal key and the data key are respectively used as file keys in an encrypted form and are sent to the server;
the server receives and stores a personal key, a data key, a defense public and private key pointer random number, an encrypted ciphertext and a defense key encrypted by a defense public key from a user side;
the method comprises the steps that a user side downloads a personal key, a defense public and private key pointer random number, a defense key for defending public key encryption and an encrypted ciphertext, the user side decrypts the personal key by using an identity private key in a key fob configured by the user side to obtain a file key, the defense private key is extracted by using the defense public and private key pointer random number and combining the key fob, the defense key is obtained by using the defense private key to further obtain the ciphertext, and the ciphertext is decrypted by using the file key to obtain a data file.
In one embodiment, the method for generating the defense private key comprises the following steps: and combining the defense public and private key pointer random number with a defense private key pointer function to obtain a defense private key pointer, and extracting a corresponding defense private key from the key fob by using the defense private key pointer.
The quantum computation resistant multi-encryption cloud storage method and system based on the asymmetric key pools comprise a user side and a server, wherein the user side is provided with a key fob, the user side encrypts a data file by using a file key and uploads the data file to the server in an encryption mode, and the user side uploads the file key to the server in an encryption mode; the server receives and stores a personal key, a data key, a defense public and private key pointer random number, an encrypted ciphertext and a defense key for defending public key encryption from the user side; the method comprises the steps that a user side downloads a personal key, a defense public and private key pointer random number, a defense key for defending public key encryption and an encrypted ciphertext, the user side decrypts the personal key by using an identity private key in a key fob configured by the user side to obtain a file key, the defense private key is extracted by using the defense public and private key pointer random number and combining the key fob, the defense key is obtained by using the defense private key to further obtain the ciphertext, and the ciphertext is decrypted by using the file key to obtain a data file. In the whole process of cloud storage, the server cannot contact various keys (public keys, private keys, file keys and the like) and plaintext data files of the user side, meanwhile, the personal key and the data key stored on the server are file keys encrypted by different methods, and ciphertext stored on the server is further encrypted by using the defense public key. In the embodiment, the file key is encrypted by using the public key only disclosed by the key fob, and the public key is stored by using the key fob, and the key fob is an independent hardware isolation device, so that the possibility of stealing the key by malicious software or malicious operation is greatly reduced. Because the quantum computer can not obtain the public key of the user, and can not obtain the corresponding private key, the scheme is not easy to be cracked by the quantum computer.
Drawings
Fig. 1 is a schematic structural diagram of a cloud storage system according to an embodiment of the present invention;
fig. 2 is a schematic diagram of a key region structure of a user side according to an embodiment of the present invention;
fig. 3 is a flowchart of a storage method of a defense asymmetric key pool according to an embodiment of the present invention;
fig. 4 is a flowchart of an identity asymmetric key pool storage method according to an embodiment of the present invention;
FIG. 5 is a flowchart illustrating a method for reading a defense public/private key according to an embodiment of the present invention;
part (a) of the figure is a flow chart of a defensive public key reading mode;
part (b) of the figure is a flow chart of a defensive private key reading mode.
Fig. 6 is a flowchart of an identity public key reading method according to an embodiment of the present invention;
FIG. 7 is a timing diagram of a storage method without deduplication according to embodiment 1 of the present invention;
FIG. 8 is a timing chart of a storage method requiring deduplication according to embodiment 1 of the present invention;
FIG. 9 is a diagram illustrating a file storage area of a server according to an embodiment of the present invention;
fig. 10 is a timing chart of a reading method according to embodiment 2 of the present invention.
Detailed Description
In the following steps, the operations at the various locations involved at each user end are all performed in the matching key fob.
A quantum computation resistant multi-encryption cloud storage system based on a plurality of asymmetric key pools comprises a server and a client,
the method comprises the steps that a user side is configured with a key fob, the user side encrypts a data file by using a file key to form a ciphertext and uploads the ciphertext to a server in an encrypted form, the file key is generated by using a generator in the key fob, and the user side uploads the file key to the server in an encrypted form;
generating a defense key by using a generator in a key fob, encrypting the ciphertext by using the defense key and uploading the ciphertext to the server, simultaneously generating a defense public key by using a defense public and private key pointer random number in combination with the key fob, uploading the defense public key to the server after encrypting the defense key, and simultaneously uploading the defense public key and the defense public key pointer random number;
the file key encryption mode is to encrypt the file key by using an identity public key to obtain a personal key and encrypt the file key by using a file characteristic value to obtain a data key; the personal key and the data key are respectively used as file keys in an encrypted form and sent to the server;
the server receives and stores a personal key, a data key, a defense public and private key pointer random number, an encrypted ciphertext and a defense key encrypted by a defense public key from a user side;
the method comprises the steps that a user side downloads a personal key, a defense public and private key pointer random number, a defense key for defending public key encryption and an encrypted ciphertext, the user side decrypts the personal key by using an identity private key in a key fob configured by the user side to obtain a file key, the defense private key is extracted by using the defense public and private key pointer random number and combining the key fob, the defense key is obtained by using the defense private key to further obtain the ciphertext, and the ciphertext is decrypted by using the file key to obtain a data file.
Fig. 1 is a schematic structural diagram of a cloud storage system according to an embodiment of the present invention, where a user side includes:
and the Hash value calculating module is used for calculating the Hash value of the data file of the new user and uploading the Hash value to the server so that the server judging module can judge whether the data files with the same Hash value exist in the stored data files or not.
And the key generation module is used for generating a file key kf by a key card internal generator, namely a random number generator matched with the user side when the judgment result of the judgment module of the server is negative.
The key generation module at the user side also has a defense asymmetric key pool and an identity asymmetric key pool for storing public keys. The defense asymmetric key pool (public key) is represented as DPKP, the defense asymmetric key pool (private key) is represented as DSKP, the identity asymmetric key pool (public key) is represented as IPKP, and the identity asymmetric key (private key) is represented as ISK.
The storage mode of the defense asymmetric key pool is shown in fig. 3, and the text is described as follows: randomly taking a defense public and private key pointer random number rd for a certain user, combining the defense public and private key pointer random number rd with a specific defense public key pointer function fpp to obtain a defense public key pointer pp, and storing the defense public key pointer pp into the defense public key pk of the user from a corresponding position in a defense asymmetric key pool DPKP; and the defense private key pointer random number rd is combined with a specific defense private key pointer function fsp to obtain a defense private key pointer sp, and the defense private key pointer sp is stored into the defense private key sk of the user from a corresponding position in the defense asymmetric key pool DSKP. The defense public key pk and the defense private key sk are a pair of public and private keys.
The storage mode of the identity asymmetric key pool is shown in fig. 4, and the text description is as follows: an identity public key pointer random number rk is randomly taken for a certain user, an identity public key pointer rkp is obtained by combining a specific identity public key pointer function frkp, and the identity public key is stored in the identity public key krk of the user from the corresponding position in the corresponding identity asymmetric key pool IPKP.
The encryption and decryption module is used for encrypting the data file by using the file key; encrypting the file key kf by using two different encryption modes to form a personal key and a data key; the file key kf can be obtained after the personal key is decrypted by taking the user identity private key as a decryption key; and decrypting the data key by taking the characteristic value of the data file before encryption as a decryption key to obtain the file key kf.
The server includes:
the storage module is used for storing the Hash value of the file, the encrypted data file, the encrypted personal key and the encrypted data key;
the judging module is used for carrying out duplicate removal judgment, judging whether the same data files exist in the stored data files or not before the data files of the user are stored, and informing the key authorization module; if the judgment result is yes, the key authorization module is informed to send the encrypted data key to the user side, and if the judgment result is no, the received Hash value is sent to the storage module for storage.
And the key authorization module is used for sending the encrypted data key to the user side when the judgment result of the judgment module is yes, and sending information without the same data file to the user side when the judgment result of the judgment module is no.
The key authorization module is divided into a sending submodule and a receiving submodule. The sending submodule is used for sending data keys or information, and the receiving submodule is used for receiving personal keys of the user from the user side, the data keys and the encrypted data files and sending the data files to the storage module for storage.
The present invention will be described in further detail below with reference to the accompanying drawings and examples. It should be understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit the invention.
Example 1
Step 1.1, the client uploads the Hash value of the data file to a server: before uploading the data file, the client calculates the Hash value of the data file and uploads the Hash value to the server. In order to relieve the storage pressure, the server performs ciphertext duplication removal on the file, namely, identifies the duplicate file.
Step 1.2, the server identifies the repeated files: the server takes into account the Hash value of the file to identify duplicate files, i.e. if two files have the same Hash value, it is assumed that the same data file needs deduplication. If the server determines that deduplication is not required, the server saves the received Hash value and performs step 1.3. If deduplication is required, the server performs step 1.4.
As will be understood by those skilled in the art, in some cases, the same user may upload the same data file one after another, and when the user expects to upload the uploaded data file again, the server side does not perform any operation if it determines that the data file is from the same user.
Step 1.3, if the server does not need to remove the duplicate, the sequence diagram of the file stored on the cloud server is shown in fig. 7, and the text description is as follows:
step 1.3.1 the server informs the user end to generate random numbers: and after the server stores the received Hash value, the server sends the information that the server does not have the same data file to the user side. The ue is identified as ue 1, the ID of ue 1 is ID1, and so on.
Step 1.3.2 user 1 processes the information and sends the content to be stored on the server to the server: after the user side 1 receives the information that the server does not have the same data file, the user side 1 generates a file key kf according to the matched true random number generator.
After the file key kf is obtained, the user side 1 encrypts the data file by using the file key kf to obtain a ciphertext kff, and the encryption algorithm can be a symmetric encryption algorithm;
user side 1 encrypts file key kf using public identity key krk1 to obtain personal key 1. The identity public key in the plaintext of the patent is not disclosed, and only the random number of the pointer of the identity public key is disclosed. The process of obtaining the identity public key krk from the identity public key pointer rk is shown in fig. 6, and the text describes the following:
the identity public key pointer rkp is obtained by combining the random number rk of the identity public key pointer of the user with a specific identity public key pointer function frkp, and then the identity public key krk is taken out from the corresponding position in the corresponding identity asymmetric key pool IPKP.
The user side 1 generates a file characteristic value, and encrypts a file key kf by using the file characteristic value to obtain a data key; the calculation method of the file characteristic value is a predefined algorithm, and can be but is not limited to Hash calculation, file compression or other file characteristic calculation algorithms;
after obtaining the ciphertext, the data key, and the individual key 1, the user side 1 obtains a defense public and private key pointer random number rd, and further obtains a defense public key pk, where the process is shown in fig. 5 (a), and the text description is as follows:
and combining the random number rd of the defense public key pointer with a specific defense public key pointer function fpp to obtain a defense public key pointer pp, and then taking out the defense public key pk from a corresponding position in the corresponding defense asymmetric key pool DPKP.
The user side 1 generates a defense key kd according to the matched true random number generator, encrypts a ciphertext kff by using the defense key kd, and then encrypts the defense key kd by using a defense public key pk.
The user side 1 sends the defense public and private key pointer random number rd, the defense key kd encrypted by using the defense public key pk, a ciphertext encrypted by using the defense key kd, the data key and the individual key 1 to the server.
Step 1.3.3 the server saves the corresponding information: the server stores the received defense public and private key pointer random number rd, the defense key kd encrypted by using the defense public key pk, a ciphertext encrypted by using the defense key kd, the data key and the individual key 1.
Step 1.4, if the server needs to remove the duplicate, a sequence diagram of the file stored on the cloud server is shown in fig. 8, and the text description is as follows:
step 1.4.1 the server sends the data key to the user: the server sends the data key to the user side. The ue is identified as ue 2, and the identity of ue 2 is ID 2.
Step 1.4.2 user 2 processes the information and sends the content to be stored on the server to the server: and after receiving the information, the user side 2 generates a file characteristic value according to the data file, and decrypts the data key by using the file characteristic value to obtain a file key kf.
The user end 2 obtains the identity public key krk according to the identity public key pointer random number rk, and the specific process is shown in fig. 6. The file key kf is encrypted using the identity public key to obtain the individual key 2, and then the ID2 and the individual key 2 are sent to the server.
Step 1.4.3 the server saves the corresponding information: the server receives ID2 and personal key 2 and stores it.
After n users upload the same file, the storage area of the file stores the Hash value, the ciphertext area, the data key, the IDs (1 to n), r (1 to n) and the individual keys (1 to n) encrypted by pk (1 to n) as shown in fig. 9. The ciphertext area comprises a defense public key pointer random number rd, a defense key kd encrypted by using a defense public key pk and a file ciphertext encrypted by using the defense key kd. The file cipher text is a data file encrypted by using the file key kf.
Example 2
Fig. 10 is a timing diagram of a file reading method according to an embodiment of the present invention.
Step 2.1, the user side uploads the ID and the Hash value of the data file: taking the user end n as an example, the user end uploads the Hash value of the IDn and the file which is desired to be read to the server.
Step 2.2, the server sends the corresponding information to the user side: after receiving the Hash value of the file, the server finds a storage area of the file corresponding to the Hash value, and sends the IDn, the personal key n and the content of a ciphertext area of the file storage area (namely, the defense public and private key pointer random number rd, the defense key kd encrypted by the defense public key pk and the ciphertext encrypted by the defense key kd) to the user side.
Step 2.3, the user side obtains the file key: the user side decrypts the personal key n by using the identity private key to obtain a file key kf.
Step 2.4, the user side obtains a data file: the user side extracts the defense private key sk from the defense asymmetric key pool DSKP through the defense public and private key pointer random number rd, the specific steps are as shown in (b) in FIG. 5, the defense private key sk is used for decryption to obtain a defense key kd, and then the defense key kd is used for decryption to obtain a ciphertext. And decrypting the ciphertext by using the file key to obtain a data file, and finishing reading the server file.
In the whole cloud storage process, the server side cannot contact various keys (public keys, private keys, file keys and the like) and plaintext data files of the user side. Furthermore, the individual key and the data key stored on the server are file keys encrypted using different methods, and the ciphertext stored on the server is further encrypted using the defensive public key. The patent encrypts the file key using a public key that is only public to the key fob, and uses the key fob to store the public key, the key fob being a separate hardware-isolated device, with the potential for stealing the key by malware or malicious operations being greatly reduced. Because the quantum computer can not obtain the public key of the user, and can not obtain the corresponding private key, the scheme is not easy to be cracked by the quantum computer.
The above disclosure is only an embodiment of the present invention, but the present invention is not limited thereto, and those skilled in the art can make various changes and modifications to the present invention without departing from the spirit and scope of the present invention. It is to be understood that such changes and modifications are intended to be included within the scope of the appended claims. Furthermore, although specific terms are employed herein, they are used in a generic and descriptive sense only and not for purposes of limitation.
The technical features of the embodiments described above may be arbitrarily combined, and for the sake of brevity, all possible combinations of the technical features in the embodiments described above are not described, but should be considered as being within the scope of the present specification as long as there is no contradiction between the combinations of the technical features.
The above-mentioned embodiments only express several embodiments of the present invention, and the description thereof is more specific and detailed, but not construed as limiting the scope of the invention. It should be noted that, for a person skilled in the art, several variations and modifications can be made without departing from the inventive concept, which falls within the scope of the present invention. Therefore, the protection scope of the present patent shall be subject to the appended claims.
Claims (8)
1. A quantum computation resistant multi-encryption cloud storage method based on a plurality of asymmetric key pools is characterized in that a user side is provided with a key fob, the user side encrypts a data file by using a file key to form a ciphertext and uploads the ciphertext to a server in an encrypted form, the file key is generated by using a generator in the key fob, and the user side uploads the file key to the server in an encrypted form;
generating a defense key by using a generator in a key fob, encrypting the ciphertext by using the defense key and uploading the ciphertext to the server, generating a defense public key by using a defense public and private key pointer random number in combination with the key fob, encrypting the defense key by using the defense public key and the private key and uploading the encrypted key to the server, wherein the uploaded key also comprises the defense public and private key pointer random number;
the file key encryption mode is to encrypt the file key by using an identity public key to obtain a personal key and encrypt the file key by using a file characteristic value to obtain a data key; the personal key and the data key are respectively used as file keys in an encrypted form and are sent to the server;
the method for generating the personal key by encrypting the file key by the identity public key comprises the following steps: and combining the random number of the identity public key pointer with an identity public key pointer function to obtain an identity public key pointer, extracting a corresponding identity public key from the key fob by using the identity public key pointer, and combining the identity public key with a file key to obtain the personal key.
2. The method of claim 1, wherein the one or more clients have the same key pool stored in a key fob configured for each client, the key pool comprises a defending asymmetric key pool and an identity asymmetric key pool, the defending asymmetric key pool and the identity asymmetric key pool each comprise a public key region and a private key region, the client uploading the data file generates a file key through a key fob generator of the own party to encrypt the data file, and the client downloading the data file correspondingly decrypts the file key by using the true random number from the server in combination with the key pool of the own party to decrypt the data file.
3. The quantum computation resistant multi-encryption cloud storage method based on multiple asymmetric key pools according to claim 1, wherein the generation method of the defense public key comprises: and combining the defense public key pointer random number with a defense public key pointer function to obtain a defense public key pointer, and extracting a corresponding defense public key from the key fob by using the defense public key pointer.
4. The quantum computation resistant multi-encryption cloud storage method based on multiple asymmetric key pools according to claim 1, wherein the client uploads a Hash value of a data file to the server, and the Hash value is used as an identifier of whether the server performs deduplication.
5. A quantum computation resistant multi-encryption cloud storage method based on a plurality of asymmetric key pools is characterized in that a server receives and stores multi-encryption data files from a user side, and receives and stores personal keys and data keys from the user side;
the encryption method of the multiple encrypted data file comprises the following steps: encrypting a data file by using a file key generated by a generator in a key fob to form a ciphertext, encrypting the ciphertext by using a defense key generated by the generator in the key fob to form a multiple encrypted data file, generating a defense public key by combining a defense public and private key pointer random number with the key fob, encrypting the defense key by using the defense public key, and receiving and storing the defense public and private key pointer random number, the multiple encrypted data file and the defense key encrypted by the defense public key by the server;
the generation mode of the personal key is to use an identity public key to encrypt the file key to obtain the personal key, and the generation method of the personal key by using the identity public key to encrypt the file key to obtain the personal key comprises the following steps: combining the random number of the identity public key pointer with an identity public key pointer function to obtain an identity public key pointer, extracting a corresponding identity public key from the key fob by using the identity public key pointer, and combining the identity public key with a file key to obtain the personal key;
the generation mode of the data key is to encrypt the file key by using the file characteristic value to obtain the data key.
6. The quantum computation resistant multi-encryption cloud storage method based on multiple asymmetric key pools according to claim 5, wherein the server further receives and stores a Hash value of a data file from the user side, wherein the Hash value of the data file is used as an indicator for indicating whether the server performs deduplication;
when the server judges the duplicate removal according to the indication mark, the server sends a data key to the user side;
and when the server judges that the duplicate removal is not needed according to the indication identifier, receiving and storing the Hash value of the data file from the user side.
7. A quantum computation resistant multi-encryption cloud storage system based on a plurality of asymmetric key pools comprises a server and a client, and is characterized in that,
the method comprises the steps that a user side is configured with a key fob, the user side encrypts a data file by using a file key to form a ciphertext and uploads the ciphertext to a server in an encrypted form, the file key is generated by using a generator in the key fob, and the user side uploads the file key to the server in an encrypted form;
generating a defense key by using a generator in a key fob, encrypting the ciphertext by using the defense key and uploading the ciphertext to the server, generating a defense public key by using a defense public and private key pointer random number in combination with the key fob, encrypting the defense key by using the defense public key and the private key and uploading the encrypted key to the server, wherein the uploaded key also comprises the defense public and private key pointer random number;
the file key encryption mode is to encrypt the file key by using an identity public key to obtain a personal key and encrypt the file key by using a file characteristic value to obtain a data key; the personal key and the data key are respectively used as file keys in an encrypted form and sent to the server;
the method for generating the personal key by encrypting the file key by the identity public key comprises the following steps: combining the random number of the identity public key pointer with an identity public key pointer function to obtain an identity public key pointer, extracting a corresponding identity public key from the key fob by using the identity public key pointer, and combining the identity public key with a file key to obtain the personal key;
the server receives and stores a personal key, a data key, a defense public and private key pointer random number, an encrypted ciphertext and a defense key encrypted by a defense public key from a user side;
the method comprises the steps that a user side downloads a personal key, a defense public and private key pointer random number, a defense key for defending public key encryption and an encrypted ciphertext, the user side decrypts the personal key in a key fob configured by the user side by using an identity private key to obtain a file key, the defense private key is extracted by combining the defense public and private key pointer random number with the key fob, the defense key is obtained by using the defense private key to further obtain the ciphertext, and the ciphertext is decrypted by using the file key to obtain a data file.
8. The quantum computing-resistant multi-encryption cloud storage system based on multiple asymmetric key pools according to claim 7, wherein the generation method of the defense private key comprises: and combining the defense public and private key pointer random number with a defense private key pointer function to obtain a defense private key pointer, and extracting a corresponding defense private key from the key fob by using the defense private key pointer.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201811638175.XA CN109787747B (en) | 2018-12-29 | 2018-12-29 | Anti-quantum-computation multi-encryption cloud storage method and system based on multiple asymmetric key pools |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201811638175.XA CN109787747B (en) | 2018-12-29 | 2018-12-29 | Anti-quantum-computation multi-encryption cloud storage method and system based on multiple asymmetric key pools |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN109787747A CN109787747A (en) | 2019-05-21 |
| CN109787747B true CN109787747B (en) | 2022-06-14 |
Family
ID=66499037
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201811638175.XA Active CN109787747B (en) | 2018-12-29 | 2018-12-29 | Anti-quantum-computation multi-encryption cloud storage method and system based on multiple asymmetric key pools |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN109787747B (en) |
Families Citing this family (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN110930251B (en) * | 2019-10-18 | 2023-09-29 | 如般量子科技有限公司 | Anti-quantum computing cloud storage method and system based on alliance chain and implicit certificate |
| CN112187948B (en) * | 2020-10-09 | 2023-04-25 | 中国农业银行股份有限公司四川省分行 | Approval file encryption batch uploading method and device based on SpringBoot framework |
| CN113438238A (en) * | 2021-06-25 | 2021-09-24 | 北京八分量信息科技有限公司 | User information anti-theft automatic alarm system based on decentralization |
Citations (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN102546181A (en) * | 2012-01-09 | 2012-07-04 | 西安电子科技大学 | Cloud storage encrypting and deciphering method based on secret key pool |
| CN108989033A (en) * | 2018-07-31 | 2018-12-11 | 如般量子科技有限公司 | A kind of cloud storage method of controlling security and system based on public keys pond |
Family Cites Families (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN106611128A (en) * | 2016-07-19 | 2017-05-03 | 四川用联信息技术有限公司 | Secondary encryption-based data validation and data recovery algorithm in cloud storage |
| CN109104276B (en) * | 2018-07-31 | 2021-10-22 | 如般量子科技有限公司 | Cloud storage security control method and system based on key pool |
| CN108985099B (en) * | 2018-07-31 | 2020-08-11 | 如般量子科技有限公司 | Proxy cloud storage security control method and system based on public key pool |
-
2018
- 2018-12-29 CN CN201811638175.XA patent/CN109787747B/en active Active
Patent Citations (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN102546181A (en) * | 2012-01-09 | 2012-07-04 | 西安电子科技大学 | Cloud storage encrypting and deciphering method based on secret key pool |
| CN108989033A (en) * | 2018-07-31 | 2018-12-11 | 如般量子科技有限公司 | A kind of cloud storage method of controlling security and system based on public keys pond |
Also Published As
| Publication number | Publication date |
|---|---|
| CN109787747A (en) | 2019-05-21 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN109151053B (en) | Anti-quantum computing cloud storage method and system based on public asymmetric key pool | |
| CN109150519B (en) | Anti-quantum computing cloud storage security control method and system based on public key pool | |
| US10785019B2 (en) | Data transmission method and apparatus | |
| CN109104276B (en) | Cloud storage security control method and system based on key pool | |
| CN108985099B (en) | Proxy cloud storage security control method and system based on public key pool | |
| CN108989033B (en) | Cloud storage security control method and system based on public key pool | |
| US9432346B2 (en) | Protocol for controlling access to encryption keys | |
| CN110969431B (en) | Secure hosting method, device and system for private key of blockchain digital coin | |
| CN110519046B (en) | Quantum communication service station key negotiation method and system based on one-time asymmetric key pair and QKD | |
| CN108352015A (en) | The anti-loss storage of Secure for the system combination wallet management system based on block chain and encryption key transfer | |
| US20110145576A1 (en) | Secure method of data transmission and encryption and decryption system allowing such transmission | |
| CN109951513B (en) | Quantum-resistant computing smart home quantum cloud storage method and system based on quantum key card | |
| CN109495251B (en) | Anti-quantum-computation intelligent home cloud storage method and system based on key fob | |
| US20150113283A1 (en) | Protecting credentials against physical capture of a computing device | |
| US11316671B2 (en) | Accelerated encryption and decryption of files with shared secret and method therefor | |
| CN109347923B (en) | Anti-quantum computing cloud storage method and system based on asymmetric key pool | |
| CN109787747B (en) | Anti-quantum-computation multi-encryption cloud storage method and system based on multiple asymmetric key pools | |
| CN110930251A (en) | Anti-quantum computing cloud storage method and system based on alliance chain and implicit certificate | |
| CN109299618B (en) | Quantum-resistant computing cloud storage method and system based on quantum key card | |
| CN109687960B (en) | Anti-quantum computing proxy cloud storage method and system based on multiple public asymmetric key pools | |
| CN109412788B (en) | Anti-quantum computing agent cloud storage security control method and system based on public key pool | |
| CN113259317A (en) | Cloud storage data deduplication method based on identity agent re-encryption | |
| CN109302283B (en) | Anti-quantum computing agent cloud storage method and system based on public asymmetric key pool | |
| CN115396099A (en) | Trusted trusting method and system, and obtaining method and system for asymmetric key | |
| CN109787965B (en) | Quantum computing resistant cloud storage method and system based on multiple asymmetric key pools |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |