CN115378659A - High-reliability file encryption and fine-grained access control method based on user identity - Google Patents

Info

Publication number: CN115378659A
Authority: CN (China)
Prior art keywords: file, encryption, client, key, storage
Legal status: Granted
Application number: CN202210898083.5A
Other languages: Chinese (zh)
Other versions: CN115378659B (en)
Inventor: 文刚, 谢建武, 刘栋, 颜亮, ***
Current Assignee: CETC 30 Research Institute
Original Assignee: CETC 30 Research Institute

Classifications

    • H04L63/0428: Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0435: as H04L63/0428, wherein the sending and receiving network entities apply symmetric encryption, i.e. same key used for encryption and decryption
    • H04L63/08: Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/083: Network architectures or network communication protocols for network security for authentication of entities using passwords
    • H04L63/123: Applying verification of the received information: received data contents, e.g. message integrity
    • H04L63/20: Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H04L67/06: Protocols specially adapted for file transfer, e.g. file transfer protocol [FTP]
    • H04L67/1097: Protocols in which an application is distributed across nodes in the network for distributed storage of data in networks, e.g. transport arrangements for network file system [NFS], storage area networks [SAN] or network attached storage [NAS]
    • G06F21/602: Protecting data: providing cryptographic facilities or services
    • G06F21/6218: Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database

Abstract

The invention discloses a high-reliability file encryption and fine-grained access control method based on user identity. An encryption storage gateway obtains a pre-configured policy according to the user information provided during client authentication, constructs a virtual storage resource and sends it to the client, and establishes a mapping between the virtual storage resource requested by the client and the real target storage service. When the encryption storage gateway receives an access request from a client, then depending on the type of the request protocol identifier, it either repackages the request and sends it to the real target storage service or calls the encryption storage gateway client API to access the real target storage service; it obtains the response to the client request, reprocesses it, and returns it to the client. The invention enables fine-grained control and secure use of files in network storage according to user roles, separation of key management from cryptographic algorithm operation, and security verification of encrypted data.

Description

High-reliability file encryption and fine-grained access control method based on user identity
Technical Field
The invention relates to the technical field of network storage, in particular to a high-reliability file encryption and fine-grained access control method based on user identity.
Background
Current network storage such as samba and NFS implements access control through user authentication. Files uploaded by a user are not stored encrypted on the server, so sensitive information is easily obtained by a server administrator or by other users who have permission to access the network storage service. In scenarios with higher security requirements, the user has to encrypt sensitive files before uploading them to the network storage device. This process is cumbersome and ill-suited to cloud environments in which storage is separated from the service system. In addition, some existing network storage file encryption systems handle encrypted files in a simplistic way and cannot ensure the reliability of the encrypted data format in complex network and storage environments.
Disclosure of Invention
Aimed at current cloud environments in which the service system is separated from storage, the invention provides a high-reliability file encryption and fine-grained access control method based on user identity. It designs a high-strength, high-reliability, multifunctional encryption storage gateway with one key per file, which enables fine-grained control and secure use of files in network storage according to user roles, separation of key management from cryptographic algorithm operation, and security verification of encrypted data.
The technical solution adopted by the invention is as follows:
A high-reliability file encryption and fine-grained access control method based on user identity comprises the following steps:
Mapping establishment: the encryption storage gateway obtains a pre-configured policy according to the user information provided during client authentication, constructs a virtual storage resource and sends it to the client, and at the same time establishes a mapping between the virtual storage resource requested by the client and the real target storage service;
Access control: when the encryption storage gateway receives an access request from a client, then depending on the type of the request protocol identifier, it either repackages the request and sends it to the real target storage service or calls the encryption storage gateway client API to access the real target storage service, obtains the response to the client request, reprocesses it, and returns it to the client.
Further, the encryption storage gateway is configured with corresponding storage policies and access control policies of different granularities for different clients, and automatically encrypts files on upload and decrypts them on download.
Further, the method by which the encryption storage gateway performs file encryption and decryption and enforces the access control policy comprises the following steps:
S1, encapsulation setup: the format of an encrypted file is set to an encryption information header followed by file ciphertext data blocks, and the whole encrypted file is packaged into a single file;
S2, user login: the user information is verified and the user's storage policy and access control policy are obtained;
S3, mapping establishment: the user's mount and connection information is obtained, the real network storage address and real storage directory are matched from the storage policy, and a mapping between the user's access directory and the real target directory is established;
S4, file creation: a private file encryption key is created in the key management system under the identity of the encryption storage gateway, the association between the key and the user is recorded, and the encryption information header of the encrypted file is generated;
S5, file writing: the plaintext data is encrypted with the file encryption key generated in step S4, the write request is repackaged and sent to the real storage server, and a write-success response is sent to the client;
S6, file reading: the repackaged file read request is sent to the real storage server to obtain the ciphertext data, which is decrypted with the file encryption key generated in step S4;
S7, file opening: the file open request is repackaged and sent to the real storage service, the encryption information header of the encrypted file is read, the file encryption key identifier is obtained, the encryption key identifier and the key check data are each verified, and once both pass, a file-open-success response is sent to the client.
Further, in step S4, the generated encryption information header includes a key identifier, an encryption algorithm, the file plaintext length, and key check data.
Further, step S5 comprises the following sub-steps:
S501, parsing the key information of the file write protocol, including the file path, write position, write length and plaintext data;
S502, determining the encryption block to which the current data belongs from the write position and write length, and zero-padding the data to an integer multiple of the slice length;
S503, encrypting the plaintext data with the file encryption key generated in step S4 to obtain the lengths of the ciphertext and of the MAC check value, and recalculating the real position and length of the ciphertext data block in the encrypted file;
S504, repackaging the write request, sending it to the real storage server, and sending a write-success response to the client.
Further, step S6 comprises the following sub-steps:
S601, parsing the key information of the file read protocol, including the file path, read position and read length;
S602, calculating the real position and length of the data to be read in the encrypted file, the length being an integer multiple of the encryption block size;
S603, sending the repackaged file read request to the real storage server to obtain the ciphertext data;
S604, decrypting the ciphertext data with the file encryption key generated in step S4, and sending a read-success response to the client.
Further, step S7 comprises the following sub-steps:
S701, parsing the file path key information of the file open protocol;
S702, verifying the access control policy and, once it passes, repackaging the file open request and sending it to the real storage server;
S703, reading the encryption information header of the encrypted file, obtaining the file encryption key identifier, and verifying whether the encryption key identifier matches the user;
S704, if it matches, requesting the key from the key management system under the identity of the encryption storage gateway;
S705, after the key request succeeds, verifying the key check data in the encryption information header, and sending a file-open-success response to the client once the verification passes.
Further, when a request sent by the client involves the file length and/or occupied-space information, the plaintext length is obtained from the file's encryption identifier and returned to the client; the ciphertext length of the file is not returned to the client.
The beneficial effects of the invention are:
(1) Encrypted storage, decryption for use and access policy control of files between the network storage server and the client are carried out according to the user's identity and the group to which the user belongs. The file plaintext is sliced at a configurable size, and each sliced data block is encrypted as a unit with a symmetric encryption algorithm with MAC verification, ensuring the security and integrity of the encrypted data. Encrypting the file slice by slice balances, as far as possible, the requirements of file content security and random file access. The file ciphertext data is divided into an encryption identification area and file ciphertext data blocks; the encryption identification area stores key information such as the file plaintext length, data validity period, encryption key identifier (ID) and protection algorithm. Each file has a different protection key, and every key is generated and managed in the KMS, which guards against the risk of plaintext disclosure once data is out of control.
(2) The encryption storage gateway parses the storage protocol and invokes the encryption and decryption algorithms, key storage and access control are implemented by the KMS, and cryptographic operations run on cryptographic hardware, so that keys, algorithms and the service flow are separated and the overall security of the system is ensured. The back end of the encryption storage gateway can mount several different types of network storage services. The gateway does not change the protocol of the real target storage service and still presents the corresponding storage proxy service to the client, so client usage is unchanged: if an NFS storage service is attached, the storage gateway provides an NFS storage service externally; if a samba storage service is attached, the storage gateway provides a samba storage service externally. The encryption storage gateway uses the concept of a virtual user to associate virtual users with real storage services. The client completes identity authentication with a virtual user allocated and managed by the encryption storage gateway, so that a personalized encryption scheme can be provided according to user identity, and the real storage service stores the files after they have been encrypted according to the user identity. Transparent encryption and decryption of network storage files and effective identity-based fine-grained access control are thus achieved without the client being aware of it.
(3) The structure of the encrypted file and the ciphertext data are bound together in one file, which eases backup and recovery, makes the encrypted file hard to lose, and ensures the robustness of the system. File encryption and decryption and permission decisions are completed on the encryption storage gateway without manual involvement by the user. The file encryption key is requested from the key management system under the identity of the encryption storage gateway and cannot be obtained in any other way, which effectively prevents leakage of sensitive files. The encrypted file is sliced into blocks and encrypted with a symmetric cryptographic algorithm with MAC verification, which ensures the integrity of the file data as far as possible, preserves random read and write access to the file, and causes no obvious performance loss.
(4) The encryption storage gateway works with the key management system to implement a double verification mechanism for the use of file encryption keys, ensuring that users' sensitive files are used and shared securely. The encryption storage gateway is compatible with common network storage protocols such as samba and NFS, provides samba and NFS services to the client, and is completely transparent to the client.
Drawings
Fig. 1 is a schematic diagram of the relationship between an encryption storage gateway and users and storage services according to an embodiment of the present invention.
Detailed Description
In order to more clearly understand the technical features, objects, and effects of the present invention, specific embodiments of the present invention will now be described. It should be understood that the detailed description and specific examples, while indicating the preferred embodiment of the invention, are intended for purposes of illustration only and are not intended to limit the scope of the invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments of the present invention without making any creative effort, shall fall within the protection scope of the present invention.
This embodiment provides a high-reliability file encryption and fine-grained access control method based on user identity. When a client that uses network storage needs to access the storage service, it uses the address of the encryption storage gateway in place of the real storage service address and initiates an authentication request to the storage server under a virtual user identity. As shown in Fig. 1, the method includes:
Mapping establishment: the encryption storage gateway obtains a pre-configured policy according to the user information provided during client authentication, constructs a virtual storage resource and sends it to the client, and at the same time establishes a mapping between the virtual storage resource requested by the client and the real target storage service;
Access control: when the encryption storage gateway receives an access request from a client, then depending on the type of the request protocol identifier, it either repackages the request and sends it to the real target storage service or calls the encryption storage gateway client API to access the real target storage service, obtains the response to the client request, reprocesses it, and returns it to the client.
In this embodiment, the client cannot directly access the real storage service associated with the encryption storage gateway. All access requests from the client are taken over by the encryption storage gateway, so personalized storage policies and access control policies can be configured for different clients, enabling automatic encryption on file upload, automatic decryption on file download, fine-grained access control of files, and so on. Specifically, the key process by which the encryption storage gateway performs file encryption, decryption and access control can be carried out in the following steps:
S1, encapsulation setup: the format of an encrypted file is set to an encryption information header followed by file ciphertext data blocks, and the whole encrypted file is packaged into a single file;
S2, user login: the user information is verified and the user's storage policy and access control policy are obtained;
S3, mapping establishment: the user's mount and connection information is obtained, the real network storage address and real storage directory are matched from the storage policy, and a mapping between the user's access directory and the real target directory is established;
S4, file creation: a private file encryption key is created in the key management system under the identity of the encryption storage gateway, the association between the key and the user is recorded, and the encryption information header of the encrypted file is generated; preferably, the generated encryption information header includes a key identifier, an encryption algorithm, the file plaintext length and key check data;
S5, file writing: the plaintext data is encrypted with the file encryption key generated in step S4, the write request is repackaged and sent to the real storage server, and a write-success response is sent to the client;
S6, file reading: the repackaged file read request is sent to the real storage server to obtain the ciphertext data, which is decrypted with the file encryption key generated in step S4;
S7, file opening: the file open request is repackaged and sent to the real storage service, the encryption information header of the encrypted file is read, the file encryption key identifier is obtained, the encryption key identifier and the key check data are each verified, and once both pass, a file-open-success response is sent to the client.
Preferably, step S5 comprises the following sub-steps:
S501, parsing the key information of the file write protocol, including the file path, write position, write length and plaintext data;
S502, determining the encryption block to which the current data belongs from the write position and write length, and zero-padding the data to an integer multiple of the slice length;
S503, encrypting the plaintext data with the file encryption key generated in step S4 to obtain the lengths of the ciphertext and of the MAC check value, and recalculating the real position and length of the ciphertext data block in the encrypted file;
S504, repackaging the write request, sending it to the real storage server, and sending a write-success response to the client.
Preferably, step S6 comprises the following sub-steps:
S601, parsing the key information of the file read protocol, including the file path, read position and read length;
S602, calculating the real position and length of the data to be read in the encrypted file, the length being an integer multiple of the encryption block size;
S603, sending the repackaged file read request to the real storage server to obtain the ciphertext data;
S604, decrypting the ciphertext data with the file encryption key generated in step S4, and sending a read-success response to the client.
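The position arithmetic behind S502, S503 and S602, as an added Python example that is not part of the patent. The fixed header length, the MAC length, and merging the existing block content before a partial write are assumptions; the cipher itself is left out so that only the layout is shown.

```python
"""Plaintext-to-stored offset translation for a sliced file with a MAC per block."""
from dataclasses import dataclass
from typing import Tuple


@dataclass(frozen=True)
class Layout:
    header_len: int  # size of the encryption information header (assumed fixed)
    slice_len: int   # configurable plaintext slice size
    mac_len: int     # MAC bytes stored with every ciphertext block (assumed)

    @property
    def stored_block_len(self) -> int:
        # One stored block = ciphertext of one slice plus its MAC.
        return self.slice_len + self.mac_len

    def blocks_for(self, offset: int, length: int) -> Tuple[int, int]:
        """First and last slice index touched by [offset, offset + length)."""
        if offset < 0 or length <= 0:
            raise ValueError("offset must be >= 0 and length > 0")
        return offset // self.slice_len, (offset + length - 1) // self.slice_len

    def stored_range(self, offset: int, length: int) -> Tuple[int, int]:
        """Real position and length inside the encrypted file (S503 / S602).

        The length is always a whole number of stored blocks, because a block
        can only be authenticated and decrypted as a unit.
        """
        first, last = self.blocks_for(offset, length)
        return (self.header_len + first * self.stored_block_len,
                (last - first + 1) * self.stored_block_len)

    def stored_size(self, plaintext_len: int) -> int:
        """Size of the encrypted file on the real storage service."""
        blocks = -(-plaintext_len // self.slice_len)  # ceiling division
        return self.header_len + blocks * self.stored_block_len


def build_write_buffer(layout: Layout, offset: int, data: bytes,
                       existing: bytes = b"") -> bytes:
    """Plaintext of the whole slices covering a write, zero-padded (S502).

    `existing` is the already-decrypted content of those slices, empty for a
    new region. Merging it is an assumption: without it a partial write would
    wipe the rest of the slice.
    """
    first, last = layout.blocks_for(offset, len(data))
    span = (last - first + 1) * layout.slice_len
    if len(existing) > span:
        raise ValueError("existing content is larger than the covered slices")
    buf = bytearray(span)               # zero fill
    buf[:len(existing)] = existing
    start = offset - first * layout.slice_len
    buf[start:start + len(data)] = data
    return bytes(buf)


def extract_read(layout: Layout, offset: int, length: int,
                 decrypted: bytes) -> bytes:
    """Cut the bytes the client asked for out of the decrypted slices (S604)."""
    first, _ = layout.blocks_for(offset, length)
    start = offset - first * layout.slice_len
    return decrypted[start:start + length]


if __name__ == "__main__":
    lay = Layout(header_len=64, slice_len=4096, mac_len=16)  # constructed values
    print("read 100 bytes at 5000 ->", lay.stored_range(5000, 100))
    print("read 200 bytes at 4000 ->", lay.stored_range(4000, 200))
    print("10000-byte file occupies", lay.stored_size(10000), "bytes")
```

A request that straddles a slice boundary costs two full stored blocks, which is the trade-off between integrity and random access that the slice size controls.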
Preferably, step S7 comprises the following sub-steps:
S701, parsing the file path key information of the file open protocol;
S702, verifying the access control policy and, once it passes, repackaging the file open request and sending it to the real storage server;
S703, reading the encryption information header of the encrypted file, obtaining the file encryption key identifier, and verifying whether the encryption key identifier matches the user;
S704, if it matches, requesting the key from the key management system under the identity of the encryption storage gateway;
S705, after the key request succeeds, verifying the key check data in the encryption information header, and sending a file-open-success response to the client once the verification passes.
Preferably, when a request sent by the client involves the file length and/or occupied-space information, only the plaintext length obtained from the file's encryption identifier is returned to the client; the ciphertext length of the file is not returned to the client.
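One possible shape for the encryption information header of S4 and the open-time checks of S702 to S705, as an added Python example that is not taken from the patent. The byte layout, the `ESG1` magic, the HMAC-SHA256 key check value (standing in for an SM3-based one) and the in-memory stand-ins for the KMS and the policy store are all assumptions.

```python
"""Encryption information header plus the double verification done on open."""
import hashlib
import hmac
import os
import struct
from collections import namedtuple

MAGIC = b"ESG1"   # hypothetical file marker
ALG_SM4 = 1       # hypothetical algorithm identifier
# magic | key identifier | algorithm | plaintext length | key check data
HEADER = struct.Struct(">4s16sBQ16s")
Header = namedtuple("Header", "key_id alg plaintext_len kcv")


class OpenDenied(Exception):
    """Raised when any open-time check fails; the client gets no key."""


def key_check(key: bytes, key_id: bytes) -> bytes:
    # Assumed construction: a truncated MAC over the key identifier.
    return hmac.new(key, b"key-check" + key_id, hashlib.sha256).digest()[:16]


def build_header(key_id, key, plaintext_len, alg=ALG_SM4) -> bytes:
    return HEADER.pack(MAGIC, key_id, alg, plaintext_len, key_check(key, key_id))


def parse_header(raw: bytes) -> Header:
    if len(raw) < HEADER.size:
        raise OpenDenied("truncated encryption information header")
    magic, key_id, alg, plen, kcv = HEADER.unpack(raw[:HEADER.size])
    if magic != MAGIC:
        raise OpenDenied("not a gateway-encrypted file")
    return Header(key_id, alg, plen, kcv)


def reported_size(raw_header: bytes) -> int:
    """Length returned to the client: the plaintext length, never the stored size."""
    return parse_header(raw_header).plaintext_len


class Gateway:
    def __init__(self, acl):
        self.acl = acl        # user -> allowed path prefixes (policy stand-in)
        self.kms = {}         # key_id -> key, reachable only by the gateway
        self.key_owner = {}   # key_id -> user, recorded at creation (S4)

    def check_acl(self, user, path):
        if not any(path.startswith(p) for p in self.acl.get(user, ())):
            raise OpenDenied("access control policy denies " + path)

    def create_file(self, user, path) -> bytes:
        self.check_acl(user, path)
        key_id, key = os.urandom(16), os.urandom(16)   # one key per file
        self.kms[key_id] = key
        self.key_owner[key_id] = user
        return build_header(key_id, key, 0)

    def open_file(self, user, path, raw_header):
        self.check_acl(user, path)                       # S702
        hdr = parse_header(raw_header)                   # S703
        if self.key_owner.get(hdr.key_id) != user:
            raise OpenDenied("key identifier is not bound to this user")
        key = self.kms.get(hdr.key_id)                   # S704
        if key is None:
            raise OpenDenied("key request to the KMS failed")
        if not hmac.compare_digest(key_check(key, hdr.key_id), hdr.kcv):
            raise OpenDenied("key check data mismatch")  # S705
        return key, hdr.plaintext_len


if __name__ == "__main__":
    # Constructed policy: both users may reach the directory, only one owns the file.
    gw = Gateway({"alice": ("/share/hr/",), "bob": ("/share/hr/",)})
    hdr = gw.create_file("alice", "/share/hr/plan.doc")
    print("alice opens:", gw.open_file("alice", "/share/hr/plan.doc", hdr)[1])
    try:
        gw.open_file("bob", "/share/hr/plan.doc", hdr)
    except OpenDenied as exc:
        print("bob denied:", exc)
```

The path policy and the key binding are checked independently, so a user who can reach the directory still cannot open a file whose key is bound to someone else.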
This embodiment works together with the key management system, identity authentication system and user management system it provides to implement identity authentication, permission decisions and key recovery for users. Preferably, the public key signature algorithm used is the SM2 signature algorithm (GM/T0003), the encryption algorithm used is the SM4 encryption algorithm (GM/T0002), and the hash algorithm used is the SM3 hash algorithm (GM/T0004); common international algorithms, both public and unpublished, are also supported. The network storage file encryption method is compatible with the CIFS and NFS network storage protocols, and encrypted storage of network storage files can be achieved without any modification of the application system.
It should be noted that the foregoing method embodiments are described as a series of acts or combinations for simplicity in description, but it should be understood by those skilled in the art that the present application is not limited by the order of acts described, as some steps may occur in other orders or concurrently depending on the application. Further, those skilled in the art should also appreciate that the embodiments described in the specification are preferred embodiments and that the acts and modules referred to are not necessarily required in this application.

Claims (8)

1. A high-reliability file encryption and fine-grained access control method based on user identity is characterized by comprising the following steps:
and (3) mapping establishment: the encryption storage gateway acquires a pre-configured strategy according to user information provided during client authentication, constructs a virtual storage resource and sends the virtual storage resource to the client, and simultaneously establishes a mapping relation between the virtual storage resource requested by the client and a real target storage service;
and (3) access control: when the encrypted storage gateway receives an access request of a client, according to the type of the request protocol identifier, the response information of the client request is obtained and reprocessed and then returned to the client in a mode of repackaging the request to be sent to the real target storage service or calling the encrypted storage gateway client API to access the real target storage service.
2. The method according to claim 1, wherein the encryption storage gateway is configured with corresponding storage policies and access control policies of different fine granularities for different clients, and automatically encrypts the files when uploading the files and automatically decrypts the files when downloading the files.
3. The method for high-reliability file encryption and fine-grained access control based on user identity according to claim 2, wherein the method by which the encryption storage gateway executes file encryption/decryption and the access control policy comprises the following steps:
S1, packaging setup: setting the format of the encrypted file to a packaging format consisting of an encryption information header and file ciphertext data blocks, and packaging the whole encrypted file into one file;
S2, user login: verifying the user information and obtaining the user's storage policy and access control policy;
S3, mapping establishment: obtaining the user's mount and connection information, matching the real network storage address and the real storage directory from the storage policy, and establishing a mapping between the user's access directory and the real target directory;
S4, file creation: requesting, under the identity of the encryption storage gateway, that the key management system create a private file encryption key, recording the association between the key and the user, and generating the encryption information header of the encrypted file;
S5, file writing: encrypting the plaintext data with the file encryption key generated in step S4, packaging the write request and sending it to the real storage server, and sending a write-success response to the client;
S6, file reading: packaging the file read request and sending it to the real storage server to obtain the ciphertext data, and decrypting the ciphertext data with the file encryption key generated in step S4;
S7, file opening: packaging the file-open request and sending it to the real storage service, reading the encryption information header of the encrypted file, obtaining the file encryption key identifier, verifying the encryption key identifier and the key check data respectively, and, after both pass, sending a file-open success response to the client.
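4. The method for high-reliability file encryption and fine-grained access control based on user identity according to claim 3, wherein the encryption information header generated in step S4 includes the key identifier, the encryption algorithm, the file plaintext length and the key check data.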
5. The method for high-reliability file encryption and fine-grained access control based on user identity according to claim 3, wherein step S5 comprises the following sub-steps:
S501, parsing the key information of the file write protocol, including the file path, the write position, the write length and the plaintext data;
S502, determining the encryption block to which the current data belongs according to the write position and the write length, and zero-filling the data to an integer multiple of the slice length;
S503, encrypting the plaintext data with the file encryption key generated in step S4 to obtain the lengths of the ciphertext and the MAC check, and recalculating the real position and length of the ciphertext data block in the encrypted file;
S504, packaging the write request and sending it to the real storage server, and sending a write-success response to the client.
6. The method for high-reliability file encryption and fine-grained access control based on user identity according to claim 3, wherein step S6 comprises the following sub-steps:
S601, parsing the key information of the file read protocol, including the file path, the read position and the read length;
S602, calculating the real position and length, in the encrypted file, of the data to be read, the length being an integer multiple of the encryption block size;
S603, packaging the file read request and sending it to the real storage server to obtain the ciphertext data;
S604, decrypting the ciphertext data with the file encryption key generated in step S4, and sending a read-success response to the client.
7. The method for high-reliability file encryption and fine-grained access control based on user identity according to claim 3, wherein step S7 comprises the following sub-steps:
S701, parsing the file path key information of the file-open protocol;
S702, verifying the access control policy and, after it passes, packaging the file-open request and sending it to the real storage server;
S703, reading the encryption information header of the encrypted file, obtaining the file encryption key identifier, and verifying whether the encryption key identifier matches the user;
S704, if they match, applying to the key management system for the key information under the identity of the encryption storage gateway;
S705, after the key application succeeds, verifying the key check data in the encryption information header, and sending a file-open success response to the client after the verification passes.
8. The method for high-reliability file encryption and fine-grained access control based on user identity according to any one of claims 3 to 7, wherein when a request sent by a client contains file length and/or occupied space information, only the plaintext length obtained from the encryption identifier of the file is returned to the client, and the ciphertext length of the file is not returned to the client.
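The position and length recalculation in steps S502, S503 and S602, and the size handling in claim 8, can be sketched as follows. This is an added example, not code from the patent: the constants, the function names, and the layout in which each ciphertext block has the same length as its plaintext block and is followed by its MAC are assumptions.

```python
from dataclasses import dataclass

# Assumed layout constants; the claims do not fix any of these values.
HEADER_LEN = 64           # bytes taken by the encryption information header
BLOCK = 4096              # plaintext bytes per encryption block (slice length)
MAC_LEN = 16              # MAC bytes stored after each ciphertext block
STORED = BLOCK + MAC_LEN  # bytes one block occupies in the encrypted file


@dataclass(frozen=True)
class Extent:
    first_block: int   # index of the first encryption block touched
    n_blocks: int      # number of whole blocks touched
    real_offset: int   # byte offset inside the encrypted file
    real_length: int   # bytes to transfer to or from the real storage server
    skip: int          # plaintext bytes before the requested position


def map_extent(pos: int, length: int) -> Extent:
    """Translate a client (plaintext) range into a whole-block stored range."""
    if pos < 0 or length <= 0:
        raise ValueError("pos must be >= 0 and length must be > 0")
    first = pos // BLOCK
    last = (pos + length - 1) // BLOCK
    n = last - first + 1
    return Extent(first, n, HEADER_LEN + first * STORED, n * STORED,
                  pos - first * BLOCK)


def pad_for_write(data: bytes) -> bytes:
    """Zero-fill to a multiple of BLOCK; assumes a block-aligned write start."""
    return data + b"\x00" * (-len(data) % BLOCK)


def trim_after_read(plain_blocks: bytes, ext: Extent, length: int) -> bytes:
    """Cut decrypted whole blocks back to the range the client asked for."""
    return plain_blocks[ext.skip:ext.skip + length]


def stored_size(plain_len: int) -> int:
    """Size on the real storage server, which is not reported to the client."""
    n_blocks = -(-plain_len // BLOCK)  # ceiling division
    return HEADER_LEN + n_blocks * STORED
```

Under these assumptions a 1-byte file occupies 4176 bytes on the real storage server, which is why the gateway answers size queries from the plaintext length recorded in the header rather than from the stored length.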
CN202210898083.5A 2022-07-28 2022-07-28 High-reliability file encryption and fine-granularity access control method based on user identity Active CN115378659B (en)


Publications (2)

Publication Number Publication Date
CN115378659A true CN115378659A (en) 2022-11-22
CN115378659B CN115378659B (en) 2024-04-16

Family

ID=84064488


Country Status (1)

Country Link
CN (1) CN115378659B (en)




Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant