CN113067816A - Data encryption method and device - Google Patents

Data encryption method and device Download PDF

Info

Publication number
CN113067816A
CN113067816A CN202110289178.2A CN202110289178A CN113067816A CN 113067816 A CN113067816 A CN 113067816A CN 202110289178 A CN202110289178 A CN 202110289178A CN 113067816 A CN113067816 A CN 113067816A
Authority
CN
China
Prior art keywords
key
data
target
server
target data
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202110289178.2A
Other languages
Chinese (zh)
Inventor
何喆
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Nanjing Weiwo Software Technology Co ltd
Original Assignee
Nanjing Weiwo Software Technology Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Nanjing Weiwo Software Technology Co ltd filed Critical Nanjing Weiwo Software Technology Co ltd
Priority to CN202110289178.2A priority Critical patent/CN113067816A/en
Publication of CN113067816A publication Critical patent/CN113067816A/en
Pending legal-status Critical Current

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/04Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/602Providing cryptographic facilities or services
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00Network arrangements or protocols for supporting network services or applications
    • H04L67/01Protocols
    • H04L67/06Protocols specially adapted for file transfer, e.g. file transfer protocol [FTP]
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3236Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Computing Systems (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Health & Medical Sciences (AREA)
  • Storage Device Security (AREA)

Abstract

The application discloses a data encryption method and a device, wherein the method comprises the following steps: acquiring a target hash value of target data; respectively sending the target hash values to N first servers, wherein N is a positive integer; receiving a signature returned by each first server according to the target hash value to obtain N signatures; obtaining a first key according to the N signatures; encrypting the target data by the first key. The embodiment of the application provides a new data encryption mode, and based on the new data encryption mode, the problems that a ciphertext is inconvenient to repeat and the safety is low can be solved.

Description

Data encryption method and device
Technical Field
The application belongs to the technical field of communication, and particularly relates to a data encryption method and device.
Background
To ensure the security and privacy of data, private data needs to be encrypted. Furthermore, deduplication of data may save storage space.
Currently, data may be encrypted using a random key, or using a hash value of a data file.
However, for the same data file provided by different users, if the random key is used to encrypt data, the obtained ciphertext is usually not easy to be deduplicated, and if the hash value is used to encrypt data, the security of the obtained ciphertext is low.
Content of application
The embodiment of the application aims to provide a data encryption method and device, and the problems that a ciphertext is inconvenient to repeat and the safety is low can be solved.
In order to solve the technical problem, the present application is implemented as follows:
in a first aspect, an embodiment of the present application provides a data encryption method, where the method includes:
acquiring a target hash value of target data;
respectively sending the target hash values to N first servers, wherein N is a positive integer;
receiving a signature returned by each first server according to the target hash value to obtain N signatures;
obtaining a first key according to the N signatures;
encrypting the target data by the first key.
In a second aspect, an embodiment of the present application provides a data encryption apparatus, including:
the acquisition module is used for acquiring a target hash value of target data;
the sending module is used for sending the target hash values to N first servers respectively, wherein N is a positive integer;
the receiving module is used for receiving the signature returned by each first server according to the target hash value to obtain N signatures;
the processing module is used for obtaining a first key according to the N signatures;
and the encryption module is used for encrypting the target data through the first secret key.
In the embodiment of the application, a target hash value of target data is obtained; respectively sending the target hash values to N first servers, wherein N is a positive integer; receiving a signature returned by each first server according to the target hash value to obtain N signatures; obtaining a first key according to the N signatures; encrypting the target data by the first key. The embodiment of the application provides a new data encryption mode, and based on the new data encryption mode, the problems that a ciphertext is inconvenient to repeat and the safety is low can be solved.
Drawings
Fig. 1 is a flowchart of a data encryption method provided in this embodiment;
fig. 2 is a structural diagram of a data encryption device provided in the present embodiment;
fig. 3 is a schematic diagram of a hardware structure of an electronic device according to this embodiment.
Detailed Description
The technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are some, but not all, embodiments of the present application. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
The terms first, second and the like in the description and in the claims of the present application are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used is interchangeable under appropriate circumstances such that the embodiments of the application are capable of operation in sequences other than those illustrated or described herein. In addition, "and/or" in the specification and claims means at least one of connected objects, a character "/" generally means that a preceding and succeeding related objects are in an "or" relationship.
With the rapid development of cloud computing, the challenge of safely storing massive data reaches unprecedented height while data rapidly grows at the speed of geometric progression. Cloud storage is a part of the field of cloud computing, can improve production efficiency, saves cost, is easy to realize, and has the main advantages of large storage capacity, low cost, convenience in management and use, easiness in expansion and the like. Therefore, more and more users use cloud storage to store data, and popularization of cloud storage technology is promoted.
In the embodiment of the disclosure, in order to ensure the security and the privacy of data, the data is encrypted and then stored. Meanwhile, in order to save the storage space, the data can be deduplicated. In view of the fact that the encryption mode of encrypting data by using a random key is not favorable for data deduplication, so that the utilization rate of a storage space is low, while the encryption mode of encrypting data by using the same key (for example, using a hash value of data as a key) makes the security and privacy of data lower, and in order to better solve the problems of security and deduplication, the embodiment of the disclosure provides a new data encryption mode.
The data encryption method provided by the embodiment of the present application is described in detail below with reference to the accompanying drawings through specific embodiments and application scenarios thereof.
Referring to fig. 1, a data encryption method provided in this embodiment may include the following steps S101 to S105:
step S101, a target hash value of the target data is acquired.
In detail, the execution subject of the present embodiment may be a data encryption device, and the data encryption device may exist in the form of a server. In one embodiment of the present disclosure, the data encryption device may be a Key and Data Management Server (KDMS). The key and data management server can be a main node for managing data metadata information and data keys in the cloud storage system and is responsible for generating, distributing, encrypting and storing target data encryption keys.
In detail, the key and data management server may be communicatively connected with at least one first server and at least one second server. In one embodiment of the present disclosure, the first server may be a Key Server (KS) and the second server may be a Storage Server (SS). The first server may be involved in the computation of the threshold group signature and the generation of the target data encryption key, and the second server may be responsible for the storage of the data.
In detail, the target data may be data to be encrypted. In an embodiment of the present disclosure, the target data may be one data file, or may be any one of a plurality of data blocks obtained by blocking one data file. For example, after a data file is divided into blocksM data blocks can be generated, m is more than or equal to 1, and the generated jth data block can be expressed as blockj(1≤j≤m)。
In one embodiment of the present disclosure, the jth data blockjThe hash value of (c) may be H (block)j) Wherein, H (block)j)=HashSHA-256(blockj)。
In detail, for the case where the target data is one data file:
in an embodiment of the present disclosure, before the step S101, acquiring the target hash value of the target data, the method further includes: and taking the data file to be encrypted as the target data.
In this embodiment, when the data volume of the data file is low, the data file may be directly encrypted and stored as target data.
In detail, for the case where the target data is any one data block of one data file:
in an embodiment of the present disclosure, before the step S101, acquiring the target hash value of the target data, the method further includes: the method comprises the steps of carrying out blocking processing on a data file to be encrypted to obtain at least two data blocks; and taking each data block as the target data respectively.
In this embodiment, when the data volume of the data file is low, the data file may be partitioned, and each partitioned data block may be encrypted and stored as target data.
In this embodiment, the convergent encryption mechanism may implement deduplication at the data block level and may provide greater security. For example, an attacker can only obtain the entire data file by breaking all data block ciphertexts. Because the hash values of different data blocks are different, the encryption keys of different data blocks are different, so that an attacker needs to sequentially break through the encryption keys of all the data blocks to obtain the data file, and the data file breaking difficulty is high.
Step S102, the target hash values are respectively sent to N first servers, wherein N is a positive integer.
In this step, the hash value of the target data is respectively sent to each first server, so that each first server can generate and return a corresponding signature accordingly. Wherein the signatures generated by different first servers for the same hash value are different.
In detail, the number of the first servers may be 1, and preferably may also be multiple. When there are a plurality of first servers, an attacker needs to attack all the first servers in sequence to obtain the data file, and the method has higher difficulty in breaking.
Considering that the first server is possible to be attacked, the first server can be verified, and only when the first server passes the verification, the target hash value is sent to the first server which passes the verification, so that the data encryption storage security is improved.
In an embodiment of the present disclosure, to illustrate a possible implementation manner of verifying the first server, before sending the target hash values to the N first servers respectively in the step S102, the method further includes: for each first server, receiving a public key and a first value returned by the first server according to a private key of the first server; verifying the first server according to the public key and the first value returned by the first server; if the verification passes for each first server, the step S102 is executed to send the target hash value to N first servers respectively.
In this embodiment, the first server has its own private key, and may generate its own public key and a first value for authentication according to the private key. The first server generates a public key and a first value and then sends the public key and the first value to the data encryption device, so that the data encryption device can verify the first server according to the public key and the first value.
Since the private key of the first server is generally difficult to be known by an attacker, even if the attacker breaks the first server, the public key and the first value that can pass the verification cannot be provided, and thus the verification fails. Therefore, the method can avoid the situation that an attacker pretends to be the first server to perform information interaction with the data encryption device after the attacker breaks the first server, so that the data encryption storage safety can be improved.
In an embodiment of the present disclosure, preferably, the verifying the first server includes: verifying the first server through a formula; and in the case that the formula one is established, the first server is verified to be passed. Wherein the formula one is yi mod p=ti
Wherein, yiA public key returned for the ith first server, and
Figure BDA0002980558370000061
tia first value returned for the ith first server, an
Figure BDA0002980558370000062
p is a large prime number, g is a generator and
Figure BDA0002980558370000063
Figure BDA0002980558370000064
is discrete logarithm difficult to solve, xiIs a private key of the ith first server, and
Figure BDA0002980558370000065
p and g are both system parameters.
In detail, each first server may generate its own key pair (x)i,yi) Specifically, the private key can be randomly selected
Figure BDA0002980558370000066
And disclosing a public key and a first value generated from the private key to facilitate authentication of the first server.
In detail, the value of p may be defined to be not less than the set value so that p is a large prime number.
In detail, p and g as system parameters can be selected by the data encryption device described above.
In this embodiment, the reason is that
Figure BDA0002980558370000067
The discrete logarithm is difficult to solve, so that even though an attacker can break the first server, the public key and the first value corresponding to the first server are usually not easy to obtain, verification cannot be passed, and the data encryption storage security can be improved.
Step S103, receiving the signatures returned by each first server according to the target hash value, and obtaining N signatures.
In detail, the first server has its own private key, so that a signature can be generated from the private key and the target hash value. Different first servers have at least different private keys, so the signatures returned by different first servers are different.
In this embodiment, the generation right of the encryption key of the target data is distributed to the plurality of first servers. In the case that all the first servers are not attacked, an attacker can only execute online cracking attacks through the attacked first servers, but cannot execute offline cracking attacks such as brute force cracking attacks and dictionary attacks. Thus, the encryption key of the target data possesses strong security against offline hacking attacks.
After receiving the signatures returned by the first servers, the following step S104 may be performed to generate the encryption key of the target data according to the signatures, that is, to generate the following first key.
And step S104, obtaining a first key according to the N signatures.
The first server is capable of being attacked, so that the signature returned by the first server can be verified, and the first key is generated according to the signature only when the verification is passed, so that the data encryption storage security is improved.
In one embodiment of the present disclosure, to illustrate a possible implementation manner of verifying a signature, after the target hash values are respectively sent to N first servers in step S102, and before obtaining a first key according to the N signatures in step S104, the method further includes: for each first server, receiving a second value returned by the first server according to the target hash value; verifying the signature returned by the first server according to the signature returned by the first server and the second value; and if the verification of all the N signatures passes, executing the step S104, and obtaining a first key according to the N signatures.
In this embodiment, the first server may further generate a second value for verifying the signature while generating the signature, and return the second value. The first server generates a signature and a second value and then sends the signature and the second value to the data encryption device, so that the data encryption device can verify the signature returned by the first server according to the signature and the second value.
Since the private key of the first server is generally difficult to be known by an attacker, even if the attacker breaks the first server, the signature and the second value that can pass the verification cannot be provided, and thus the verification fails. Therefore, the method can avoid the situation that an attacker pretends to be the first server to perform information interaction with the data encryption device after the attacker breaks the first server, so that the data encryption storage safety can be improved.
In one embodiment of the present disclosure, preferably, the verifying the signature returned by the first server includes: verifying the signature returned by the first server through a formula; and in the case that the formula two is satisfied, the signature returned by the first server is verified to be passed. Wherein the second formula is
Figure BDA0002980558370000071
Wherein, H (block)j) For the target hash value, p is a large prime number, g is a generator
Figure BDA0002980558370000072
Figure BDA0002980558370000073
Is discrete logarithm difficult to solve, p and g are both system parameters, yiA public key returned for the ith first server, and
Figure BDA0002980558370000074
h is a second value returned by the ith first server, and h is grmodp,1<r<p-1, and r and p-1 are coprime, siA signature returned for the ith first server, and si=(H(blockj)-xi×h)×r-1mod(p-1),xiIs a private key of the ith first server, and
Figure BDA0002980558370000075
in detail, the value of p may be defined to be not less than the set value so that p is a large prime number.
In detail, the first server may be based on H (block)j) Mapping to interval (1, p-1) and taking r.
In this embodiment, the reason is that
Figure BDA0002980558370000081
The discrete logarithm is difficult to solve, so that even though an attacker can break the first server, the signature and the second value corresponding to the first server are usually not easy to obtain, verification cannot be passed, and the data encryption storage security can be improved.
Furthermore, for the case where the first key is generated from a plurality of signatures, the attacker can obtain the first key only if the entire signatures are obtained, but this is often difficult to achieve. Therefore, in the embodiment, the first key is generated by combining the EIGamal cryptographic algorithm and the threshold group signature algorithm, so that safe and reliable key distribution can be realized, and thus, offline dictionary attack can be effectively avoided.
In detail, the second formula can be obtained by the fermat theorem, which can be specifically referred to as the following:
first, from the Fermat theorem, it can be seen that: a is(p-1)1modp, i.e. there is an integer k such that ap-1K × p + 1. The generalized description is as follows: if p is a large prime number and the integers m, n satisfy: m ≡ nmod (p-1), thenFor any integer a: a ism≡anmodp. The general form is then: a isp≡amodp。
Further, since p is a large prime number, it can be considered that p is not different from p-1. Based on this, from the signatures described above: h (block)j)≡(si×r+xi×h)mod(p-1)≡(si×r+xi×h)mod p≡(si×r+xi×h)p
Then the process of the first step is carried out,
Figure BDA0002980558370000082
in one embodiment of the present disclosure, the first key may be a sum of signatures returned by the first servers. Namely, it is
Figure BDA0002980558370000083
After the first key is generated, the following step S105 may be performed to encrypt the target data according to the first key.
Step S105, encrypting the target data by the first key.
The target data is encrypted by the first key to obtain a corresponding ciphertext, and the obtained ciphertext can be stored, and the ciphertext can be stored by the third server.
In this embodiment, the hash value of the target data is sent to each first server, and a first key for encrypting the target data is obtained based on a corresponding signature returned by each first server according to the hash value of the target data. Based on the above, the uncertainty and complexity of the first key can be ensured, so that the first key is not easy to obtain maliciously, for example, an attacker is not easy to deduce a corresponding encryption key according to data content, the first keys of the same data file provided by different users can be the same, and further, the corresponding ciphertexts are the same, so that deduplication can be realized.
As can be seen from the above, based on the data encryption method provided by the embodiment of the present disclosure, the encryption keys of the same data file provided by different users are the same, and the ciphertexts obtained by encryption are the same, so that the deduplication effect can be achieved to save the storage space, and meanwhile, the encryption key has uncertainty and complexity, so that an attacker cannot easily obtain the encryption key according to the data content, and even for some predictable data information, the attacker cannot easily suffer from an offline dictionary attack, so that the security and the privacy of data storage can be improved. The data encryption method can solve the problem that contradiction exists between data privacy and data deduplication in the existing data encryption mode.
Based on the above, in an embodiment of the present disclosure, after encrypting the target data by the first key in the step S105, the method further includes: and sending a first ciphertext obtained by encrypting the target data through the first key to a second server for storage.
In the embodiment, the target data is stored in an encrypted storage mode, so that the data storage safety is ensured, the repeated storage of the target data can be realized, and the data storage space is saved.
The following describes the security of the data encryption algorithm provided in this embodiment by analyzing the following cases:
(1) due to the private key x of each first serveriAre kept secret so that an attacker wants to get the private key xiThe discrete logarithm problem must be solved: x is the number ofi=loggyiAnd the solution of the discrete logarithm problem is difficult.
(2) Considering the secret random number r and the signature siOnce exposed, the attacker can pass xi=(H(blockj)-rsi)h-1mod (p-1) solves for the private key xiHowever, by introducing the threshold group signature technology, an attacker needs to obtain all the private keys x of the first serveriThe first key is available and it is often difficult to hack all of the first server.
(3) An attacker may obtain H (block) in some wayj) To forge H (block)j) Corresponding signature (h, s)i) The attacker has to be taken from
Figure BDA0002980558370000091
Begin to solve for si. Thus, the discrete logarithm problem must be solved
Figure BDA0002980558370000092
But this solution is difficult.
(4) Since the signature verification algorithm is simply a verification equation
Figure BDA0002980558370000093
Whether or not this holds true, so that an attacker can forge a signature (h, s) that makes the equation truei) To attack, but even so, it is difficult for an attacker to obtain the correct siSo that the true convergence key of the data file is still not available.
(5) An attacker can forge the valid signatures of other first servers by the valid signature of one first server, but because the first key is generated by the first server
Figure BDA0002980558370000101
As a result, the first key is still secure unless an attacker compromised all of the first servers. But it is often difficult to breach all of the first servers.
(6) An attacker may impersonate the first server to obtain (H, H (block)j) But the data encryption device may pass (y)i,ti) Verification equation
Figure BDA0002980558370000102
And judging whether the first server is legal or not. While attackers are often not readily able to provide accurate (y)i,ti) In (1).
As can be seen from the above, the first key is generated by combining the EIGamal cryptographic algorithm and the threshold group signature algorithm, so that the first key is not easily attacked maliciously, and the security of data encryption storage is ensured.
In this embodiment, in order to better protect the privacy of the user data, the data information is not only stored in the cloud storage system in an encrypted manner, but also the encryption key of the data information, that is, the first key, is stored in the cloud storage system in an encrypted manner, so as to ensure the security of data storage. In this manner, a second key for encrypting the first key may also be obtained. The management of the second key may include generation, distribution, storage, management, and the like of the second key.
Therefore, in an embodiment of the present disclosure, after obtaining the first key according to the N signatures in the step S104, the method further includes the following steps a1 to a 2:
step A1, generating a second key according to the target hash value.
In this embodiment, the second key is generated according to the target hash value, so that the encryption keys of the first keys of the same data file provided by different users are the same, and further, the ciphertexts of the first keys are the same, thereby realizing the deduplication of the ciphertexts of the first keys.
In detail, for the case where the target data is one data file:
in an embodiment of the present disclosure, the step a1, generating a second key according to the target hash value, includes: and under the condition that the target data is a data file to be encrypted, generating the second key according to the target hash value and the offset of the target hash value.
Preferably, the second key may be X. Wherein, X is HashSHA-256(F)modoffset(F)。
Wherein, offset (F) is the offset of the Hash value of the data file F, HashSHA-256(F) The hash value of the data file is the target hash value.
In detail, for the case where the target data is any one data block of one data file:
in an embodiment of the present disclosure, the step a1, generating a second key according to the target hash value, includes: under the condition that the target data is part of a data file to be encrypted, taking the hash value of each piece of data included in the data file as the value of a leaf node of a hash tree to construct the hash tree; the value of any father node of the hash tree is obtained according to the value of each leaf node corresponding to the father node; and generating the second key according to the value of the root node of the hash tree and the offset of the target hash value.
In this embodiment, a Merkle hash tree may be constructed according to the hash value of each data block of the data file, and then an encryption key corresponding to the first key, that is, the second key, may be generated by combining the root node of the hash tree with the offset of the data block. And after the second key is obtained, the corresponding first key can be encrypted and stored.
Thus, the second keys corresponding to different target data are different. Based on this, an attacker needs to break the second key corresponding to each target data to decrypt the corresponding first key, and then can decrypt the target data through the first key, thereby obtaining the data file. However, this implementation has a high difficulty of attack.
In one embodiment of the present disclosure, the jth data block is obtained by data file blockingjFor example, if the jth data block is the target data, the second key may be Xj
Wherein, Xj=HashSHA-256(root)modoffset(blockj)。
Of these, offset (block)j) As an offset of the Hash value of the jth data block, HashSHA-256(root) is the value of the root node of the hash tree.
In one embodiment of the present disclosure, the hash value of each data block may be made a leaf node of the Merkle hash tree, and then combined with sibling nodes respectively and computed as a parent node. And repeating the steps until only one root node exists, and completing the construction of the Merkle hash tree. Wherein, the Merkle hash tree is calculated as follows: hashSHA-256(parent)=HashSHA-256(blockj)+HashSHA-256(blockj+1)。
As can be seen from the above, the secret key management mechanism based on the Merkle hash tree provided in the embodiment of the disclosure can encrypt the first secret key of the target data by combining the metadata information of the target data with the Merkle hash tree, so as to enhance the storage security of the first secret key and avoid the problem of data leakage.
Step a2, encrypting the first key with the second key.
As described above, the first key can be encrypted after the second key is obtained, and the ciphertext obtained by encrypting the first key can be stored in the second server.
In one embodiment of the present disclosure, after encrypting the first key by the second key at the step a2, the method further includes: and sending a second ciphertext obtained by encrypting the first key through the second key to a second server for storage.
In this embodiment, for the same data file provided by different users, the first keys corresponding to the data file are the same, and the second keys corresponding to the data file are the same, so that deduplication of the ciphertext corresponding to the first key can be realized, and the data key management cost is reduced.
In the embodiment, the encryption key of the target data is stored in an encryption storage mode, so that the data storage safety is ensured, the repeated storage of the encryption key of the target data can be realized, and the data storage space is saved.
For the target data, based on the stored first ciphertext of the target data and the second ciphertext of the encryption key of the target data, when the user needs to obtain the target data, the user can obtain the target data by decrypting the first ciphertext. Thus, the encryption key of the target data, i.e., the first key, needs to be obtained first. In this embodiment, the first key may be obtained in at least two ways:
mode 1: obtaining a first key by generating the first key again;
mode 2: the first key is obtained by decrypting the second ciphertext.
In detail, for the above mode 1:
in an embodiment of the present disclosure, after sending the first ciphertext obtained by encrypting the target data with the first key to the second server for storage, the method further includes: responding to an access request corresponding to the target data returned by a user, and re-executing the step of respectively sending the target hash values to the N first servers to obtain the first key again; decrypting the first ciphertext through the first key obtained again to obtain the target data; and sending the obtained target data to the user.
In this embodiment, when the user requests to obtain the target data, please refer to the above step S102 to step S104, and the target hash value of the recorded target data may be sent to each first server again, so that each first server returns a corresponding signature accordingly, and then obtains the first key according to each obtained signature. And finally, decrypting the first ciphertext through the first key to obtain target data, and returning the target data to the user.
In this embodiment, the first key is obtained by a way of regenerating instead of storing the first key, so that the situation that the stored first key is maliciously intercepted can be avoided, and the security of data encryption storage is improved.
Therefore, the above method 1 can be applied to a scenario where the number of data blocks after the data file is partitioned is large, and since the first key can be obtained by calculation and the calculation overhead is small, operations such as generating the encryption key of the first key, i.e., the second key, obtaining the second ciphertext by encrypting the first key through the second key, storing the second ciphertext, and the like do not need to be performed, thereby simplifying the data encryption storage process.
In detail, with respect to the above-described mode 2:
in one embodiment of the present disclosure, after encrypting the target data by the first key in the step S105, the method further includes: sending a first ciphertext obtained by encrypting the target data through the first key to a second server for storage; responding to an access request corresponding to the target data returned by a user, and executing a setting operation to enable the second server to return the second ciphertext and the first ciphertext; decrypting the second ciphertext returned by the second server through the second key to obtain the first key; decrypting the first ciphertext returned by the second server through the obtained first secret key to obtain the target data; and sending the obtained target data to the user.
In detail, when the user requests to access the target data, the data encryption device may generate the second key again according to the hash value of the target data, or may trigger the second server to return the second key.
In detail, when the second server stores the first ciphertext and the second ciphertext corresponding to the target data, the second server may also store the mapping relationship between these information. The second server may also store a second key corresponding to the target data.
In this embodiment, when the user requests to obtain the target data, the second server may be triggered to return the second ciphertext and the first ciphertext based on the index information provided by the user.
In one embodiment of the present disclosure, the index information may be used to indicate that the data requested by the user is the target data (for example, the index information may include an identifier of the target data), or may be used to indicate that the ciphertext to be decrypted is the second ciphertext. Based on the index information, the data encryption device can send the message m to the corresponding second server in the form of key exchange in response to the user's request for the target data, and the second server can restore the message m in combination with the mapping relation to obtain (X)j,C(s(blockj))). Wherein, blockjIs target data, s (block)j) Is a first key, C (block), used to encrypt target dataj) X) is a second ciphertext obtained by encrypting the first key using a second keyjIs the second key. The second server can obtain (X)j,C(s(blockj) ) to the data encryption apparatus, and returns a first ciphertext obtained by encrypting the target data with the first key to the data encryption apparatus. And then, the data encryption device can decrypt the second ciphertext through the second key to obtain the first key, and further decrypt the first ciphertext through the first key to obtain the target data, and the target data is returned to the user.
In addition, in another embodiment of the present disclosure, the second server may also perform an operation of decrypting to obtain the target data, and return the obtained target data to the data encryption device, or directly send the obtained target data to the user.
In one embodiment of the present disclosure, the index information may further include user identity information. Based on this, the data encryption device can also check the user identity according to the user identity information to determine whether the user has the right to access the target data, and the second server can be triggered to return the second ciphertext and the first ciphertext only after the check is passed.
In this embodiment, the first key is obtained by decrypting the ciphertext of the first key without storing the first key, so that the situation that the stored first key is maliciously intercepted can be avoided, and the security of data encryption storage is improved.
Therefore, in the above mode 2, the first key is obtained by decrypting the first key ciphertext, so that a large amount of calculation time overhead can be saved.
It should be noted that, in the data encryption method provided in the embodiment of the present application, the execution main body may be a data encryption device, or a control module in the data encryption device, which is used for executing loading of the data encryption method. In the embodiment of the present application, a data encryption device is taken as an example to execute the method for loading the data encryption, and the data encryption method provided in the embodiment of the present application is described.
Referring to fig. 2, a data encryption apparatus 200 provided in this embodiment may include: the device comprises an acquisition module 201, a sending module 202, a receiving module 203, a processing module 204 and an encryption module 205.
The obtaining module 201 obtains a target hash value of the target data. The sending module 202 sends the target hash values to N first servers, where N is a positive integer. The receiving module 203 receives the signatures returned by each first server according to the target hash value, and obtains N signatures. The processing module 204 obtains a first key from the N signatures. The encryption module 205 encrypts the target data by the first key.
In one embodiment of the present disclosure, the data encryption apparatus 200 further includes a first functional module. The first functional module receives, for each of the first servers, a public key and a first value returned by the first server according to a private key of the first server before the sending module 202 sends the target hash value to N first servers, respectively; verifying the first server according to the public key and the first value returned by the first server; in the case that each of the first servers passes the verification, a setting operation is performed to cause the sending module 202 to perform the step of sending the target hash values to the N first servers, respectively.
In one embodiment of the present disclosure, the data encryption apparatus 200 further includes a second functional module. The second functional module receives, for each of the first servers, a second value returned by the first server according to the target hash value after the sending module 202 sends the target hash value to the N first servers respectively and before the processing module 204 obtains the first key according to the N signatures; verifying the signature returned by the first server according to the signature returned by the first server and the second value; in case that all of the N signatures are verified, a setting operation is performed to cause the processing module 204 to perform the step of obtaining the first key according to the N signatures.
In one embodiment of the present disclosure, the data encryption apparatus 200 further includes a third functional module. After the encryption module 205 encrypts the target data by using the first key, the third functional module sends a first ciphertext obtained by encrypting the target data by using the first key to a second server for storage.
In one embodiment of the present disclosure, the data encryption apparatus 200 further includes a fourth functional module. The fourth functional module takes the data file to be encrypted as the target data before the obtaining module 201 obtains the target hash value of the target data.
In one embodiment of the present disclosure, the data encryption apparatus 200 further includes a fifth functional module. The fifth functional module performs block processing on the data file to be encrypted to obtain at least two data blocks before the obtaining module 201 obtains the target hash value of the target data; and taking each data block as the target data respectively.
In one embodiment of the present disclosure, the data encryption apparatus 200 further includes a sixth functional module. The sixth functional module generates a second key according to the target hash value after the processing module 204 obtains the first key according to the N signatures; encrypting the first key with the second key.
In one embodiment of the present disclosure, the data encryption apparatus 200 further includes a seventh functional module. After the sixth functional module encrypts the first key by the second key, the seventh functional module sends a second ciphertext obtained by encrypting the first key by the second key to a second server for storage.
In an embodiment of the present disclosure, the sixth functional module generates the second key according to the target hash value and an offset of the target hash value when the target data is a data file to be encrypted.
In an embodiment of the present disclosure, in a case that the target data is a part of a data file to be encrypted, the sixth functional module constructs a hash tree by using a hash value of each data included in the data file as a value of a leaf node of the hash tree; the value of any father node of the hash tree is obtained according to the value of each leaf node corresponding to the father node; and generating the second key according to the value of the root node of the hash tree and the offset of the target hash value.
In an embodiment of the present disclosure, the data encryption apparatus 200 further includes an eighth functional module. The eighth functional module, after the third functional module sends the first ciphertext obtained by encrypting the target data with the first key to the second server for storage, responds to an access request corresponding to the target data returned by the user, and re-executes the step of sending the target hash values to the N first servers, respectively, to obtain the first key again; decrypting the first ciphertext through the first key obtained again to obtain the target data; and sending the obtained target data to the user.
In an embodiment of the present disclosure, the data encryption apparatus 200 further includes a ninth functional module. After the encryption module 205 encrypts the target data by using the first key, the ninth functional module sends a first ciphertext obtained by encrypting the target data by using the first key to a second server for storage; responding to an access request corresponding to the target data returned by a user, and executing a setting operation to enable the second server to return the second key, the second ciphertext and the first ciphertext; decrypting the second ciphertext returned by the second server through the second secret key returned by the second server to obtain the first secret key; decrypting the first ciphertext returned by the second server through the obtained first secret key to obtain the target data; and sending the obtained target data to the user.
In an embodiment of the present disclosure, the first functional module verifies the first server through the above formula; and in the case that the formula one is established, the first server is verified to be passed.
In an embodiment of the present disclosure, the second functional module verifies the signature returned by the first server through the above formula; and in the case that the formula two is satisfied, the signature returned by the first server is verified to be passed.
The specific functions performed by the modules of the apparatus are described in the embodiment of the method, and are not described herein again.
The data encryption device in the embodiment of the present application may be a device, or may be a component, an integrated circuit, or a chip in a terminal. The device can be mobile electronic equipment or non-mobile electronic equipment. By way of example, the mobile electronic device may be a mobile phone, a tablet computer, a notebook computer, a palm top computer, a vehicle-mounted electronic device, a wearable device, an ultra-mobile personal computer (UMPC), a netbook or a Personal Digital Assistant (PDA), and the like, and the non-mobile electronic device may be a server, a Network Attached Storage (NAS), a Personal Computer (PC), a Television (TV), a teller machine or a self-service machine, and the like, and the embodiments of the present application are not particularly limited.
The data encryption device in the embodiment of the present application may be a device having an operating system. The operating system may be an Android (Android) operating system, an ios operating system, or other possible operating systems, and embodiments of the present application are not limited specifically.
The data encryption device provided in the embodiment of the present application can implement each process implemented by the data encryption device in the method embodiment of fig. 1, and is not described here again to avoid repetition.
In the embodiment of the application, a target hash value of target data is obtained; respectively sending the target hash values to N first servers, wherein N is a positive integer; receiving a signature returned by each first server according to the target hash value to obtain N signatures; obtaining a first key according to the N signatures; encrypting the target data by the first key. The embodiment of the application provides a new data encryption mode, and based on the new data encryption mode, the problems that a ciphertext is inconvenient to repeat and the safety is low can be solved.
Optionally, an electronic device is further provided in this embodiment of the present application, and includes a processor 1010, a memory 1009, and a program or an instruction stored in the memory 1009 and capable of running on the processor 1010, where the program or the instruction is executed by the processor 1010 to implement each process of the above data encryption method embodiment, and can achieve the same technical effect, and details are not described here to avoid repetition.
It should be noted that the electronic devices in the embodiments of the present application include the mobile electronic devices and the non-mobile electronic devices described above.
Fig. 3 is a schematic diagram of a hardware structure of an electronic device implementing an embodiment of the present application.
The electronic device 1000 includes, but is not limited to: a radio frequency unit 1001, a network module 1002, an audio output unit 1003, an input unit 1004, a sensor 1005, a display unit 1006, a user input unit 1007, an interface unit 1008, a memory 1009, and a processor 1010.
Those skilled in the art will appreciate that the electronic device 1000 may further comprise a power source (e.g., a battery) for supplying power to various components, and the power source may be logically connected to the processor 1010 through a power management system, so as to implement functions of managing charging, discharging, and power consumption through the power management system. The electronic device structure shown in fig. 3 does not constitute a limitation of the electronic device, and the electronic device may include more or less components than those shown, or combine some components, or arrange different components, and thus, the description is omitted here.
It should be understood that in the embodiment of the present application, the input Unit 1004 may include a Graphics Processing Unit (GPU) 10041 and a microphone 10042, and the Graphics Processing Unit 10041 processes image data of still pictures or videos obtained by an image capturing device (such as a camera) in a video capturing mode or an image capturing mode. The display unit 1006 may include a display panel 10061, and the display panel 10061 may be configured in the form of a liquid crystal display, an organic light emitting diode, or the like. The user input unit 1007 includes a touch panel 10071 and other input devices 10072. The touch panel 10071 is also referred to as a touch screen. The touch panel 10071 may include two parts, a touch detection device and a touch controller. Other input devices 10072 may include, but are not limited to, a physical keyboard, function keys (e.g., volume control keys, switch keys, etc.), a trackball, a mouse, and a joystick, which are not described in detail herein. The memory 1009 may be used to store software programs as well as various data, including but not limited to application programs and operating systems. Processor 1010 may integrate an application processor that handles primarily operating systems, user interfaces, applications, etc. and a modem processor that handles primarily wireless communications. It will be appreciated that the modem processor described above may not be integrated into processor 1010.
The processor 1010 is configured to obtain a target hash value of target data; respectively sending the target hash values to N first servers, wherein N is a positive integer; receiving a signature returned by each first server according to the target hash value to obtain N signatures; obtaining a first key according to the N signatures; encrypting the target data by the first key.
In the embodiment of the application, a target hash value of target data is obtained; respectively sending the target hash values to N first servers, wherein N is a positive integer; receiving a signature returned by each first server according to the target hash value to obtain N signatures; obtaining a first key according to the N signatures; encrypting the target data by the first key. The embodiment of the application provides a new data encryption mode, and based on the new data encryption mode, the problems that a ciphertext is inconvenient to repeat and the safety is low can be solved.
The embodiment of the present application further provides a readable storage medium, where a program or an instruction is stored on the readable storage medium, and when the program or the instruction is executed by a processor, the program or the instruction implements each process of the data encryption method embodiment, and can achieve the same technical effect, and in order to avoid repetition, details are not repeated here.
The processor is the processor in the electronic device described in the above embodiment. The readable storage medium includes a computer readable storage medium, such as a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk, and so on.
The embodiment of the present application further provides a chip, where the chip includes a processor and a communication interface, the communication interface is coupled to the processor, and the processor is configured to run a program or an instruction to implement each process of the above data encryption method embodiment, and can achieve the same technical effect, and the details are not repeated here to avoid repetition.
It should be understood that the chips mentioned in the embodiments of the present application may also be referred to as system-on-chip, system-on-chip or system-on-chip, etc.
It should be noted that, in this document, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises the element. Further, it should be noted that the scope of the methods and apparatus of the embodiments of the present application is not limited to performing the functions in the order illustrated or discussed, but may include performing the functions in a substantially simultaneous manner or in a reverse order based on the functions involved, e.g., the methods described may be performed in an order different than that described, and various steps may be added, omitted, or combined. In addition, features described with reference to certain examples may be combined in other examples.
Through the above description of the embodiments, those skilled in the art will clearly understand that the method of the above embodiments can be implemented by software plus a necessary general hardware platform, and certainly can also be implemented by hardware, but in many cases, the former is a better implementation manner. Based on such understanding, the technical solutions of the present application may be embodied in the form of a software product, which is stored in a storage medium (such as ROM/RAM, magnetic disk, optical disk) and includes instructions for enabling a terminal (such as a mobile phone, a computer, a server, an air conditioner, or a network device) to execute the method according to the embodiments of the present application.
While the present embodiments have been described with reference to the accompanying drawings, it is to be understood that the invention is not limited to the precise embodiments described above, which are meant to be illustrative and not restrictive, and that various changes may be made therein by those skilled in the art without departing from the spirit and scope of the invention as defined by the appended claims.

Claims (11)

1. A method for data encryption, comprising:
acquiring a target hash value of target data;
respectively sending the target hash values to N first servers, wherein N is a positive integer;
receiving a signature returned by each first server according to the target hash value to obtain N signatures;
obtaining a first key according to the N signatures;
encrypting the target data by the first key.
2. The method of claim 1, wherein prior to said sending said target hash values to N first servers, respectively, the method further comprises:
for each first server, receiving a public key and a first value returned by the first server according to a private key of the first server;
verifying the first server according to the public key and the first value returned by the first server;
and in the case that each first server passes the verification, performing the step of sending the target hash value to N first servers respectively.
3. The method of claim 1, wherein after sending the target hash values to N first servers, respectively, and before the obtaining a first key from the N signatures, the method further comprises:
for each first server, receiving a second value returned by the first server according to the target hash value;
verifying the signature returned by the first server according to the signature returned by the first server and the second value;
and under the condition that the verification of all the N signatures is passed, executing the step of obtaining the first key according to the N signatures.
4. The method of claim 1, wherein after the encrypting the target data with the first key, the method further comprises:
and sending a first ciphertext obtained by encrypting the target data through the first key to a second server for storage.
5. The method of claim 1, wherein prior to the obtaining the target hash value of the target data, the method further comprises:
taking a data file to be encrypted as the target data; or the like, or, alternatively,
before the obtaining the target hash value of the target data, the method further includes:
the method comprises the steps of carrying out blocking processing on a data file to be encrypted to obtain at least two data blocks;
and taking each data block as the target data respectively.
6. The method of claim 1, wherein after the obtaining a first key from the N signatures, the method further comprises:
generating a second key according to the target hash value;
encrypting the first key with the second key.
7. The method of claim 6, wherein after the encrypting the first key with the second key, the method further comprises:
and sending a second ciphertext obtained by encrypting the first key through the second key to a second server for storage.
8. The method of claim 6, wherein the generating a second key from the target hash value comprises:
under the condition that the target data is a data file to be encrypted, generating the second key according to the target hash value and the offset of the target hash value;
or the like, or, alternatively,
the generating a second key according to the target hash value includes:
under the condition that the target data is part of a data file to be encrypted, taking the hash value of each piece of data included in the data file as the value of a leaf node of a hash tree to construct the hash tree;
the value of any father node of the hash tree is obtained according to the value of each leaf node corresponding to the father node;
and generating the second key according to the value of the root node of the hash tree and the offset of the target hash value.
9. The method of claim 4, wherein after sending the first ciphertext from encrypting the target data with the first key to a second server for storage, the method further comprises:
responding to an access request corresponding to the target data returned by a user, and re-executing the step of respectively sending the target hash values to the N first servers to obtain the first key again;
decrypting the first ciphertext through the first key obtained again to obtain the target data;
and sending the obtained target data to the user.
10. The method of claim 7, wherein after the encrypting the target data with the first key, the method further comprises:
sending a first ciphertext obtained by encrypting the target data through the first key to a second server for storage;
responding to an access request corresponding to the target data returned by a user, and executing a setting operation to enable the second server to return the second ciphertext and the first ciphertext;
decrypting the second ciphertext returned by the second server through the second key to obtain the first key;
decrypting the first ciphertext returned by the second server through the obtained first secret key to obtain the target data;
and sending the obtained target data to the user.
11. A data encryption apparatus, comprising:
the acquisition module is used for acquiring a target hash value of target data;
the sending module is used for sending the target hash values to N first servers respectively, wherein N is a positive integer;
the receiving module is used for receiving the signature returned by each first server according to the target hash value to obtain N signatures;
the processing module is used for obtaining a first key according to the N signatures;
and the encryption module is used for encrypting the target data through the first secret key.
CN202110289178.2A 2021-03-17 2021-03-17 Data encryption method and device Pending CN113067816A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110289178.2A CN113067816A (en) 2021-03-17 2021-03-17 Data encryption method and device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202110289178.2A CN113067816A (en) 2021-03-17 2021-03-17 Data encryption method and device

Publications (1)

Publication Number Publication Date
CN113067816A true CN113067816A (en) 2021-07-02

Family

ID=76561214

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110289178.2A Pending CN113067816A (en) 2021-03-17 2021-03-17 Data encryption method and device

Country Status (1)

Country Link
CN (1) CN113067816A (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114491610A (en) * 2022-04-01 2022-05-13 国网浙江省电力有限公司 Intelligent shared financial platform and system based on Hash encryption algorithm and quantum key
CN114785527A (en) * 2022-06-17 2022-07-22 深圳市深圳通有限公司 Data transmission method, device, equipment and storage medium

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20140032925A1 (en) * 2012-07-25 2014-01-30 Ankur Panchbudhe System and method for combining deduplication and encryption of data
CN105915332A (en) * 2016-07-04 2016-08-31 广东工业大学 Cloud storage encryption and dereplication method and cloud storage encryption and dereplication system

Patent Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20140032925A1 (en) * 2012-07-25 2014-01-30 Ankur Panchbudhe System and method for combining deduplication and encryption of data
CN105915332A (en) * 2016-07-04 2016-08-31 广东工业大学 Cloud storage encryption and dereplication method and cloud storage encryption and dereplication system

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
YITAO DUAN: "Distributed Key Generation for Encrypted Deduplication:Achieving the Strongest Privacy", 《CCSW "14: PROCEEDINGS OF THE 6TH EDITION OF THE ACM WORKSHOP ON CLOUD COMPUTING SECURITY》 *
刘年: "门限群签名方案的安全性分析", 《中国优秀博硕士学位论文全文数据库(硕士)信息科技辑》 *
郭成: "若干门限密码机制的研究", 《中国博士学位论文全文数据库 信息科技辑》 *

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114491610A (en) * 2022-04-01 2022-05-13 国网浙江省电力有限公司 Intelligent shared financial platform and system based on Hash encryption algorithm and quantum key
CN114785527A (en) * 2022-06-17 2022-07-22 深圳市深圳通有限公司 Data transmission method, device, equipment and storage medium

Similar Documents

Publication Publication Date Title
CN111639361B (en) Block chain key management method, multi-person common signature method and electronic device
CN109474423B (en) Data encryption and decryption method, server and storage medium
CN109716375B (en) Block chain account processing method, device and storage medium
Zeng et al. E-AUA: An efficient anonymous user authentication protocol for mobile IoT
US9641340B2 (en) Certificateless multi-proxy signature method and apparatus
Lee et al. Three‐factor control protocol based on elliptic curve cryptosystem for universal serial bus mass storage devices
CN109728906B (en) Anti-quantum-computation asymmetric encryption method and system based on asymmetric key pool
CN109714176B (en) Password authentication method, device and storage medium
US20170373850A1 (en) Data encryption method, decryption method, apparatus, and system
CN110505067B (en) Block chain processing method, device, equipment and readable storage medium
CN113691502A (en) Communication method, communication device, gateway server, client and storage medium
CN101964789A (en) Method and system for safely accessing protected resources
CN111294203A (en) Information transmission method
CN113067816A (en) Data encryption method and device
US8954728B1 (en) Generation of exfiltration-resilient cryptographic keys
Verma Secure client-side deduplication scheme for cloud with dual trusted execution environment
Moghaddam et al. A client-based user authentication and encryption algorithm for secure accessing to cloud servers based on modified Diffie-Hellman and RSA small-e
CN115809459B (en) Data protection and decryption method, system, equipment and medium of software cryptographic module
CN110519214B (en) Application system short-distance energy-saving communication method, system and equipment based on online and offline signature and auxiliary verification signature
CN110048852B (en) Quantum communication service station digital signcryption method and system based on asymmetric key pool
Ogunleye et al. Elliptic Curve Cryptography Performance Evaluation for Securing Multi-Factor Systems in a Cloud Computing Environment
CN111737708A (en) Verifiable deletion method and system supporting efficient update of outsourced data
US9135449B2 (en) Apparatus and method for managing USIM data using mobile trusted module
CN115277078A (en) Method, apparatus, device and medium for processing gene data
CN109787773B (en) Anti-quantum computation signcryption method and system based on private key pool and Elgamal

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication
RJ01 Rejection of invention patent application after publication

Application publication date: 20210702