CN116579026A - Cloud data integrity auditing method, device, equipment and storage medium - Google Patents
Cloud data integrity auditing method, device, equipment and storage medium Download PDFInfo
- Publication number
- CN116579026A CN116579026A CN202310593144.1A CN202310593144A CN116579026A CN 116579026 A CN116579026 A CN 116579026A CN 202310593144 A CN202310593144 A CN 202310593144A CN 116579026 A CN116579026 A CN 116579026A
- Authority
- CN
- China
- Prior art keywords
- integrity
- key
- file system
- hash
- verification
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
- 238000000034 method Methods 0.000 title claims abstract description 35
- 238000012795 verification Methods 0.000 claims abstract description 154
- 238000012550 audit Methods 0.000 claims description 95
- 230000006870 function Effects 0.000 claims description 48
- 238000004364 calculation method Methods 0.000 claims description 21
- 238000004422 calculation algorithm Methods 0.000 claims description 17
- 238000004590 computer program Methods 0.000 claims description 14
- 230000000977 initiatory effect Effects 0.000 claims description 12
- 238000007781 pre-processing Methods 0.000 claims description 8
- 238000010586 diagram Methods 0.000 description 6
- 238000010276 construction Methods 0.000 description 4
- 230000001351 cycling effect Effects 0.000 description 3
- 230000001960 triggered effect Effects 0.000 description 3
- 238000005516 engineering process Methods 0.000 description 2
- 238000013524 data verification Methods 0.000 description 1
- 238000012986 modification Methods 0.000 description 1
- 230000004048 modification Effects 0.000 description 1
- 230000003287 optical effect Effects 0.000 description 1
- 238000005070 sampling Methods 0.000 description 1
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/64—Protecting data integrity, e.g. using checksums, certificates or signatures
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/602—Providing cryptographic facilities or services
Landscapes
- Engineering & Computer Science (AREA)
- Theoretical Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Health & Medical Sciences (AREA)
- Bioethics (AREA)
- General Health & Medical Sciences (AREA)
- Computer Hardware Design (AREA)
- Software Systems (AREA)
- Physics & Mathematics (AREA)
- General Engineering & Computer Science (AREA)
- General Physics & Mathematics (AREA)
- Storage Device Security (AREA)
Abstract
The invention is applicable to the technical field of information security, and provides a cloud data integrity auditing method, device, equipment and storage medium, wherein the method comprises the following steps: according to a preset auditing mode, an integrity auditing challenge is initiated to a cloud service provider stored with file system data, a user integrity certification returned by the cloud service provider according to the integrity auditing challenge is received, and the integrity of a corresponding file system in the user integrity certification is verified according to a first key, a second key and prestored verification information, so that reliability and auditing efficiency of cloud data integrity auditing for the file system are improved.
Description
Technical Field
The invention belongs to the technical field of information security, and particularly relates to a cloud data integrity auditing method, device, equipment and storage medium.
Background
The cloud storage integrity audit is a technology for verifying whether a cloud service provider correctly stores data of a user or not, and can check the integrity of the data through some mathematical operations and random sampling under the condition of not downloading the data. In order to realize cloud storage integrity audit, researchers have proposed a variety of file audit protocols based on cryptography, however, most of the existing file audit protocols are only suitable for integrity audit of a single large file, and cannot effectively process the situation of multiple files. When using a data service provided by a cloud service provider, a user often needs to store and manage a plurality of files, such as a file system of a work document library, a code repository, an important database, and the like. However, existing single file audit protocols do not provide an efficient way to organize and audit multiple files, and when audit objects are transformed into a file system, the computational and storage overhead of the audit protocol can rise dramatically as the number of files increases.
Disclosure of Invention
The invention aims to provide a cloud data integrity auditing method, device, equipment and storage medium, and aims to solve the problems of unreliable cloud data integrity audit and low audit efficiency facing a file system caused by the fact that an effective cloud data integrity auditing method cannot be provided in the prior art.
In one aspect, the present invention provides a cloud data integrity auditing method, the method comprising the steps of:
initiating an integrity audit challenge to a cloud service provider stored with file system data according to a preset audit mode;
receiving user integrity certification returned by the cloud service provider according to the integrity audit challenge;
and verifying the integrity of the corresponding file system in the user integrity certification according to the pre-generated first key, the pre-generated second key and the pre-stored verification information.
Preferably, the step of verifying the integrity of the file system in the user integrity certification comprises:
according to the first key and the verification information, a preset encryption hash function is used for verifying correctness of nodes in a node verification path of a hash tree corresponding to the file system in the user integrity certification;
and when each node in the node verification path verifies correctly, performing integrity verification on each file of the file system in the user integrity certification by using the encryption hash function according to the second key.
Preferably, the method further comprises:
generating the first key and the second key by using a preset key generation algorithm;
preprocessing the file system by using the encryption hash function according to the first key and the second key to obtain auxiliary verification information;
and sending the processed file system and the auxiliary verification information to the cloud service provider.
Preferably, the step of preprocessing the file system by using the cryptographic hash function to obtain auxiliary verification information includes:
calculating a hash message verification code of each file in the file system by using the encryption hash function according to the second key;
and calculating the auxiliary verification information corresponding to the file system according to the hash message verification code and the first key, wherein the auxiliary verification information comprises a hash table and a hash tree corresponding to the file system.
In another aspect, the present invention provides a cloud data integrity auditing apparatus, the apparatus comprising:
the challenge initiating unit is used for initiating an integrity audit challenge to a cloud service provider stored with file system data according to a preset audit mode;
the proving return unit is used for receiving the user integrity proving returned by the cloud service provider according to the integrity audit challenge; and
and the integrity verification unit is used for verifying the integrity of the corresponding file system in the user integrity certification according to the first key, the second key and the prestored verification information which are generated in advance.
Preferably, the integrity verification unit includes:
the first verification unit is used for verifying the correctness of the nodes in the node verification path of the hash tree corresponding to the file system in the user integrity certification by using a preset encryption hash function according to the first key and the verification information; and
and the second verification unit is used for carrying out integrity verification on each file of the file system in the user integrity certification by using the encryption hash function according to the second key when each node in the node verification path is verified to be correct.
Preferably, the apparatus further comprises:
a key generation unit for generating the first key and the second key using a preset key generation algorithm;
the file processing unit is used for preprocessing the file system by using the encryption hash function according to the first key and the second key to obtain auxiliary verification information; and
and the information sending unit is used for sending the processed file system and the auxiliary verification information to the cloud service provider.
Preferably, the file processing unit includes:
a first calculation unit, configured to calculate, according to the second key, a hash message authentication code of each file in the file system using the cryptographic hash function; and
and the second calculation unit is used for calculating the auxiliary verification information corresponding to the file system according to the hash message verification code and the first key, wherein the auxiliary verification information comprises a hash table and a hash tree corresponding to the file system.
In another aspect, the present invention further provides a computing device, including a memory, a processor, and a computer program stored in the memory and executable on the processor, where the processor implements the steps of a cloud data integrity auditing method as described above when the computer program is executed.
In another aspect, the present invention also provides a computer readable storage medium storing a computer program which, when executed by a processor, implements the steps of a cloud data integrity auditing method as described above.
According to the method and the device for verifying the integrity of the file system, an integrity audit challenge is initiated to a cloud service provider stored with the file system data according to a preset audit mode, a user integrity certification returned by the cloud service provider according to the integrity audit challenge is received, and the integrity of the corresponding file system in the user integrity certification is verified according to a first key, a second key and prestored verification information, so that reliability and audit efficiency of the integrity audit of the cloud data facing the file system are improved.
Drawings
Fig. 1 is a flowchart of an implementation of a cloud data integrity audit method according to an embodiment of the present invention;
fig. 2 is a schematic diagram of user integrity certification generation in a cloud data integrity auditing method according to an embodiment of the present invention;
fig. 3 is a flowchart of an implementation of a cloud data integrity audit method according to a second embodiment of the present invention;
fig. 4 is a schematic diagram of hash table and hash tree construction in the cloud data integrity auditing method according to the second embodiment of the present invention;
fig. 5 is a schematic structural diagram of a cloud data integrity audit device according to a third embodiment of the present invention;
fig. 6 is a schematic diagram of a preferred structure of a cloud data integrity audit device according to a third embodiment of the present invention;
fig. 7 is a schematic structural diagram of a cloud data integrity audit device according to a fourth embodiment of the present invention;
fig. 8 is a schematic structural diagram of a computing device according to a fifth embodiment of the present invention.
Detailed Description
The present invention will be described in further detail with reference to the drawings and examples, in order to make the objects, technical solutions and advantages of the present invention more apparent. It should be understood that the specific embodiments described herein are for purposes of illustration only and are not intended to limit the scope of the invention.
The following describes in detail the implementation of the present invention in connection with specific embodiments:
embodiment one:
fig. 1 shows an implementation flow of a cloud data integrity audit method according to a first embodiment of the present invention, for convenience of explanation, only a portion relevant to the embodiment of the present invention is shown, and the details are as follows:
in step S101, an integrity audit challenge is initiated to a cloud server having stored file system data according to a preset audit manner.
Embodiments of the present invention are applicable to computing devices, e.g., personal computers, servers, etc. In the embodiment of the invention, the preset audit mode is diversified, the audit challenge can be initiated randomly, the audit challenge can be initiated periodically, the audit challenge can be initiated in an event-triggered mode (for example, when a user wants to acquire a cloud-stored file), the user can self-define the occasion of initiating the audit challenge and the identification range of the challenge according to the use practice scene, and the integrity audit challenge is initiated to a cloud server stored with file system data so as to detect whether the file stored in the cloud storage has any tampering or damage.
In step S102, a user integrity certification returned by the cloud facilitator in accordance with the integrity audit challenge is received.
In the embodiment of the invention, when the cloud service provider receives an integrity audit challenge sent by a user, the cloud service provider queries an internal storage system in cloud storage according to the integrity audit challenge, locates and retrieves the requested target file, calculates a user integrity certification for the target file under audit based on auxiliary verification information, and finally returns the user integrity certification and the retrieved target file to the user, wherein the auxiliary verification information comprises a hash table and a hash tree constructed for a file system.
The process of generating the user integrity certification by the cloud service provider according to the integrity audit challenge is shown in fig. 2, specifically, the generation of the user integrity certification is realized through the following steps:
(1) Positioning and searching the position of the integrity audit challenge in the hash table, namely finding out the hash table item of the challenge;
(2) Finding the position of the hash table item of the challenge in the hash tree, namely finding the corresponding leaf node;
(3) Finding out father nodes and brother nodes according to the leaf nodes;
(4) And (3) cycling the step (3) until the root node is reached, wherein the node required from the leaf node to the root node is called a node verification path, and the leaf node and the challenging hash table form the user integrity certification.
In step S103, the integrity of the corresponding file system in the user integrity certification is verified according to the first key, the second key and the prestored verification information.
In the embodiment of the invention, the prestored verification information is the root node value of the hash tree constructed for the file system, and the integrity of the corresponding file system in the user integrity certification is verified according to the first key, the second key and the root node value which are generated in advance, so that each target file in the file system is ensured not to be tampered or lost, and the user can trust the data stored in the cloud service provider.
In verifying the integrity of the corresponding file system in the user's integrity certification, the verification of the integrity is preferably achieved by:
(1) According to the first key and the verification information, using a preset encryption hash function to verify the correctness of the nodes in the node verification path of the hash tree corresponding to the file system in the user integrity certification;
in the embodiment of the invention, when the correctness of the node in the node verification path of the hash tree corresponding to the file system in the user integrity certification is verified by using a preset encryption hash function, the correctness verification of the node is realized by the following steps:
(1) calculating whether the hash value of the hash table item in the user integrity certification is correct or not by using the encryption hash function and the first key;
(2) when the hash value of the hash table item in the user integrity certification is correct, calculating whether the hash value is consistent with the hash value of the hash table item spliced by the brother nodes in the hash tree, if so, further calculating the hash value of the result spliced by the brother nodes in the hash tree, and directly recursively calculating until reaching the root node to obtain a final calculation result;
(3) and comparing the calculation result with the root node value to determine whether the calculation result and the root node value are consistent, and when the calculation result and the root node value are consistent, proving that the node verification path is correct.
(2) When each node in the node verification path verifies correctly, the integrity verification is performed on each file of the file system in the user integrity certification using a cryptographic hash function according to the second key.
In the embodiment of the invention, each file of the file system in the user integrity certification is a target file in the file system returned by the cloud service provider, when each node in the node verification path is verified correctly, a hash message verification code of each target file is calculated by using a cryptographic hash function and a second key, and compared with a corresponding hash message verification code in a hash table in the user integrity certification, when the two are consistent, verification is successful, the target file is shown to be complete, the target file is not tampered or lost, and otherwise verification is failed.
The file system integrity verification is realized through the steps (1) - (2), so that the data verification is realized through using the encryption hash function, the complex large integer modular finger operation and elliptic curve bilinear pairing operation with overhigh calculation cost under a large number of small file scenes are avoided, and the auditing efficiency is improved.
In the embodiment of the invention, an integrity audit challenge is initiated to a cloud service provider stored with file system data according to a preset audit mode, a user integrity certification returned by the cloud service provider according to the integrity audit challenge is received, and the integrity of a corresponding file system in the user integrity certification is verified according to a first key, a second key and prestored verification information, so that reliability and audit efficiency of cloud data integrity audit for the file system are improved.
Embodiment two:
fig. 3 shows a flow of implementing the cloud data integrity audit method according to the second embodiment of the present invention, and for convenience of explanation, only the relevant parts of the embodiment of the present invention are shown, which is described in detail below:
in step S301, a first key and a second key are generated using a preset key generation algorithm.
In the embodiment of the present invention, when a user prepares to outsource a file system, 2 keys, namely, a first key and a second key are required to be generated, the first key is used for calculating auxiliary verification information after calculation, the keys are required to be securely stored in a local storage medium of the user to verify correctness of the auxiliary verification information, the second key is used for calculating a hash message verification code of each file in the file system, the hash message verification code is used as a digital signature, authenticity and integrity of data can be proven, and a key generation algorithm for generating the first key and the second key can be a symmetric encryption algorithm (such as an AES algorithm) or an asymmetric encryption algorithm (such as an RSA algorithm), and is not limited herein.
In step S302, the file system is preprocessed using a cryptographic hash function according to the first key and the second key, to obtain auxiliary authentication information.
In the embodiment of the present invention, when the file system is preprocessed by using the cryptographic hash function, the preprocessing of the file system is preferably implemented by the following steps:
(1) Calculating a hash message verification code of each file in the file system by using the encryption hash function according to the second secret key;
in the embodiment of the invention, a corresponding hash message verification code is calculated for each file in the file system by using the encryption hash function and the second key, and the hash message verification code of each file is obtained.
(2) And calculating auxiliary verification information corresponding to the file system according to the hash message verification code and the first key, wherein the auxiliary verification information comprises a hash table and a hash tree corresponding to the file system.
In the embodiment of the invention, each file in a file system is mapped into a hash table one by one according to meta information of the file, each hash table item consists of index, ID (identity), state and HMAC (hidden object access) and after the hash table is generated, a hash tree is built on the basis of the hash table, specifically, a hash function and a first key are used for carrying out hash calculation on each table item in the hash table to obtain hash values of the table items, the hash values are used as leaf nodes of the hash tree, hash values of intermediate nodes are calculated from bottom to top on the basis of the leaf nodes until a root node is calculated, thus the construction of the hash tree is completed, and auxiliary verification information comprising the hash table corresponding to the file system and the hash tree is obtained, wherein index refers to the position of the table item in the hash table, ID refers to the file name and/or storage path of the file, HMAC refers to the hash message verification code of the file, and the hash information of the hash tree comprises the hash message verification information of the file, the hash message of the hash state and/or the storage path of the file. Fig. 4 shows the construction process of the hash table and the hash tree.
The preprocessing of the file system is realized through the steps (1) - (2), so that the index and directory structure of the file system are managed by using the hash table based on semantic embedding, the quick searching and verification of the file are realized, and the hash message verification code of the file is embedded into the table entry of the hash table, so that the integrity verification of the file system can be efficiently executed later.
In step S303, the processed file system and auxiliary authentication information are transmitted to the cloud service provider.
In the embodiment of the invention, the preprocessed file system and auxiliary verification information are sent to the cloud service provider, and original file system data are deleted to save storage overhead, and meanwhile, only short verification information, namely the root node value of the hash tree, is reserved in a local storage medium and is used for verifying the correctness of a hash table and the hash tree returned by the cloud service provider.
In the embodiment of the invention, the first key and the second key are generated by using a preset key generation algorithm, the file system is preprocessed by using a cryptographic hash function according to the first key and the second key to obtain auxiliary verification information, and the processed file system and the auxiliary verification information are sent to a cloud service provider, so that the integrity and the security of data stored in the cloud service provider are ensured by using a hash table, a hash tree and other technologies.
Embodiment III:
fig. 5 shows a structure of a cloud data integrity audit device according to a third embodiment of the present invention, and for convenience of explanation, only a portion related to the embodiment of the present invention is shown, where the structure includes:
the challenge initiating unit 51 is configured to initiate an integrity audit challenge to a cloud service provider that has stored file system data according to a preset audit manner.
In the embodiment of the invention, the preset audit mode is diversified, the audit challenge can be initiated randomly, the audit challenge can be initiated periodically, the audit challenge can be initiated in an event-triggered mode (for example, when a user wants to acquire a cloud-stored file), the user can self-define the occasion of initiating the audit challenge and the identification range of the challenge according to the use practice scene, and the integrity audit challenge is initiated to a cloud server stored with file system data so as to detect whether the file stored in the cloud storage has any tampering or damage.
And the proof return unit 52 is configured to receive a user integrity proof returned by the cloud service provider according to the integrity audit challenge.
In the embodiment of the invention, when the cloud service provider receives an integrity audit challenge sent by a user, the cloud service provider queries an internal storage system in cloud storage according to the integrity audit challenge, locates and retrieves the requested target file, calculates a user integrity certification for the target file under audit based on auxiliary verification information, and finally returns the user integrity certification and the retrieved target file to the user, wherein the auxiliary verification information comprises a hash table and a hash tree constructed for a file system.
When the cloud service provider generates the user integrity certification according to the integrity audit challenge, specifically, the generation of the user integrity certification is realized through the following steps:
(1) Positioning and searching the position of the integrity audit challenge in the hash table, namely finding out the hash table item of the challenge;
(2) Finding the position of the hash table item of the challenge in the hash tree, namely finding the corresponding leaf node;
(3) Finding out father nodes and brother nodes according to the leaf nodes;
(4) And (3) cycling the step (3) until the root node is reached, wherein the node required from the leaf node to the root node is called a node verification path, and the leaf node and the challenging hash table form the user integrity certification.
The integrity verification unit 53 is configured to verify the integrity of the corresponding file system in the user integrity certificate according to the first key, the second key and the pre-stored verification information that are generated in advance.
In the embodiment of the invention, the prestored verification information is the root node value of the hash tree constructed for the file system, and the integrity of the corresponding file system in the user integrity certification is verified according to the first key, the second key and the root node value which are generated in advance, so that each target file in the file system is ensured not to be tampered or lost, and the user can trust the data stored in the cloud service provider.
As shown in fig. 6, the integrity verification unit 53 preferably includes:
a first verification unit 531, configured to perform correctness verification on nodes in a node verification path of a hash tree corresponding to the file system in the user integrity certification by using a preset cryptographic hash function according to the first key and the verification information;
in the embodiment of the invention, when the correctness of the node in the node verification path of the hash tree corresponding to the file system in the user integrity certification is verified by using a preset encryption hash function, the correctness verification of the node is realized by the following steps:
(1) calculating whether the hash value of the hash table item in the user integrity certification is correct or not by using the encryption hash function and the first key;
(2) when the hash value of the hash table item in the user integrity certification is correct, calculating whether the hash value is consistent with the hash value of the hash table item spliced by the brother nodes in the hash tree, if so, further calculating the hash value of the result spliced by the brother nodes in the hash tree, and directly recursively calculating until reaching the root node to obtain a final calculation result;
(3) and comparing the calculation result with the root node value to determine whether the calculation result and the root node value are consistent, and when the calculation result and the root node value are consistent, proving that the node verification path is correct.
A second verification unit 532, configured to perform integrity verification on each file of the file system in the user integrity certification using a cryptographic hash function according to the second key when each node in the node verification path verifies that the node is correct.
In the embodiment of the invention, each file of the file system in the user integrity certification is a target file in the file system returned by the cloud service provider, when each node in the node verification path is verified correctly, a hash message verification code of each target file is calculated by using a cryptographic hash function and a second key, and compared with a corresponding hash message verification code in a hash table in the user integrity certification, when the two are consistent, verification is successful, the target file is shown to be complete, the target file is not tampered or lost, and otherwise verification is failed.
In the embodiment of the invention, each unit of the cloud data integrity auditing device can be realized by corresponding hardware or software units, each unit can be an independent software and hardware unit, and can also be integrated into one software and hardware unit, and the invention is not limited herein.
Embodiment four:
fig. 7 shows a structure of a cloud data integrity audit device according to a fourth embodiment of the present invention, and for convenience of explanation, only a portion related to the embodiment of the present invention is shown, where the structure includes:
a key generation unit 71 for generating a first key and a second key using a preset key generation algorithm.
In the embodiment of the present invention, when a user prepares to outsource a file system, 2 keys, namely, a first key and a second key are required to be generated, the first key is used for calculating auxiliary verification information after calculation, the keys are required to be securely stored in a local storage medium of the user to verify correctness of the auxiliary verification information, the second key is used for calculating a hash message verification code of each file in the file system, the hash message verification code is used as a digital signature, authenticity and integrity of data can be proven, and a key generation algorithm for generating the first key and the second key can be a symmetric encryption algorithm (such as an AES algorithm) or an asymmetric encryption algorithm (such as an RSA algorithm), and is not limited herein.
The file processing unit 72 is configured to pre-process the file system using a cryptographic hash function according to the first key and the second key, so as to obtain auxiliary verification information.
And an information transmitting unit 73 for transmitting the processed file system and auxiliary authentication information to the cloud service provider.
In the embodiment of the invention, the preprocessed file system and auxiliary verification information are sent to the cloud service provider, and original file system data are deleted to save storage overhead, and meanwhile, only short verification information, namely the root node value of the hash tree, is reserved in a local storage medium and is used for verifying the correctness of a hash table and the hash tree returned by the cloud service provider.
The challenge initiating unit 74 is configured to initiate an integrity audit challenge to a cloud service provider that has stored file system data according to a preset audit manner.
In the embodiment of the invention, the preset audit mode is diversified, the audit challenge can be initiated randomly, the audit challenge can be initiated periodically, the audit challenge can be initiated in an event-triggered mode (for example, when a user wants to acquire a cloud-stored file), the user can self-define the occasion of initiating the audit challenge and the identification range of the challenge according to the use practice scene, and the integrity audit challenge is initiated to a cloud server stored with file system data so as to detect whether the file stored in the cloud storage has any tampering or damage.
A proof return unit 75, configured to receive a user integrity proof returned by the cloud service provider according to the integrity audit challenge.
In the embodiment of the invention, when the cloud service provider receives an integrity audit challenge sent by a user, the cloud service provider queries an internal storage system in cloud storage according to the integrity audit challenge, locates and retrieves the requested target file, calculates a user integrity certification for the target file under audit based on auxiliary verification information, and finally returns the user integrity certification and the retrieved target file to the user, wherein the auxiliary verification information comprises a hash table and a hash tree constructed for a file system.
When the cloud service provider generates the user integrity certification according to the integrity audit challenge, specifically, the generation of the user integrity certification is realized through the following steps:
(1) Positioning and searching the position of the integrity audit challenge in the hash table, namely finding out the hash table item of the challenge;
(2) Finding the position of the hash table item of the challenge in the hash tree, namely finding the corresponding leaf node;
(3) Finding out father nodes and brother nodes according to the leaf nodes;
(4) And (3) cycling the step (3) until the root node is reached, wherein the node required from the leaf node to the root node is called a node verification path, and the leaf node and the challenging hash table form the user integrity certification.
The integrity verification unit 76 is configured to verify the integrity of the corresponding file system in the user integrity certificate according to the first key, the second key and the pre-stored verification information.
In the embodiment of the invention, the prestored verification information is the root node value of the hash tree constructed for the file system, and the integrity of the corresponding file system in the user integrity certification is verified according to the first key, the second key and the root node value which are generated in advance, so that each target file in the file system is ensured not to be tampered or lost, and the user can trust the data stored in the cloud service provider.
Preferably, the file processing unit 72 includes:
a first calculating unit 721 for calculating a hash message authentication code of each file in the file system using a cryptographic hash function according to the second key;
in the embodiment of the invention, a corresponding hash message verification code is calculated for each file in the file system by using the encryption hash function and the second key, and the hash message verification code of each file is obtained.
The second calculating unit 722 is configured to calculate auxiliary verification information corresponding to the file system according to the hash message verification code and the first key, where the auxiliary verification information includes a hash table and a hash tree corresponding to the file system.
In the embodiment of the invention, each file in a file system is mapped into a hash table one by one according to meta information of the file, each hash table item consists of index, ID (identity), state and HMAC (hidden object access) and after the hash table is generated, a hash tree is built on the basis of the hash table, specifically, a hash function and a first key are used for carrying out hash calculation on each table item in the hash table to obtain hash values of the table items, the hash values are used as leaf nodes of the hash tree, hash values of intermediate nodes are calculated from bottom to top on the basis of the leaf nodes until a root node is calculated, thus the construction of the hash tree is completed, and auxiliary verification information comprising the hash table corresponding to the file system and the hash tree is obtained, wherein index refers to the position of the table item in the hash table, ID refers to the file name and/or storage path of the file, HMAC refers to the hash message verification code of the file, and the hash information of the hash tree comprises the hash message verification information of the file, the hash message of the hash state and/or the storage path of the file.
The integrity verification unit 76 includes:
a first verification unit 761, configured to perform correctness verification on nodes in a node verification path of a hash tree corresponding to a file system in the user integrity certification by using a preset cryptographic hash function according to the first key and the verification information;
in the embodiment of the invention, when the correctness of the node in the node verification path of the hash tree corresponding to the file system in the user integrity certification is verified by using a preset encryption hash function, the correctness verification of the node is realized by the following steps:
(1) calculating whether the hash value of the hash table item in the user integrity certification is correct or not by using the encryption hash function and the first key;
(2) when the hash value of the hash table item in the user integrity certification is correct, calculating whether the hash value is consistent with the hash value of the hash table item spliced by the brother nodes in the hash tree, if so, further calculating the hash value of the result spliced by the brother nodes in the hash tree, and directly recursively calculating until reaching the root node to obtain a final calculation result;
(3) and comparing the calculation result with the root node value to determine whether the calculation result and the root node value are consistent, and when the calculation result and the root node value are consistent, proving that the node verification path is correct.
A second verification unit 762, configured to perform integrity verification on each file of the file system in the user integrity certification using a cryptographic hash function according to the second key when each node in the node verification path verifies that the node is correct.
In the embodiment of the invention, each file of the file system in the user integrity certification is a target file in the file system returned by the cloud service provider, when each node in the node verification path is verified correctly, a hash message verification code of each target file is calculated by using a cryptographic hash function and a second key, and compared with a corresponding hash message verification code in a hash table in the user integrity certification, when the two are consistent, verification is successful, the target file is shown to be complete, the target file is not tampered or lost, and otherwise verification is failed.
In the embodiment of the invention, each unit of the cloud data integrity auditing device can be realized by corresponding hardware or software units, each unit can be an independent software and hardware unit, and can also be integrated into one software and hardware unit, and the invention is not limited herein.
Fifth embodiment:
fig. 8 shows the structure of a computing device provided in the fifth embodiment of the present invention, and only the portions relevant to the embodiment of the present invention are shown for convenience of explanation.
The computing device 8 of an embodiment of the present invention includes a processor 80, a memory 81, and a computer program 82 stored in the memory 81 and executable on the processor 80. The processor 80, when executing the computer program 82, implements the steps of one of the cloud data integrity auditing method embodiments described above, such as steps S101 through S103 shown in fig. 1. Alternatively, the processor 80, when executing the computer program 82, implements the functions of the units in the above-described device embodiments, for example, the functions of the units 51 to 53 shown in fig. 5.
In the embodiment of the invention, an integrity audit challenge is initiated to a cloud service provider stored with file system data according to a preset audit mode, a user integrity certification returned by the cloud service provider according to the integrity audit challenge is received, and the integrity of a corresponding file system in the user integrity certification is verified according to a first key, a second key and prestored verification information, so that reliability and audit efficiency of cloud data integrity audit for the file system are improved.
The computing device of the embodiment of the invention can be a personal computer or a server. The steps of implementing a cloud data integrity auditing method when the processor 80 executes the computer program 82 in the computing device 8 may refer to the description of the foregoing method embodiments, and will not be repeated herein.
Example six:
in an embodiment of the present invention, a computer-readable storage medium is provided, in which a computer program is stored, which when executed by a processor, implements the steps in the above-described embodiment of a cloud data integrity auditing method, for example, steps S101 to S103 shown in fig. 1. Alternatively, the computer program, when executed by a processor, implements the functions of the units in the above-described embodiments of the apparatus, such as the functions of the units 51 to 53 shown in fig. 5.
In the embodiment of the invention, an integrity audit challenge is initiated to a cloud service provider stored with file system data according to a preset audit mode, a user integrity certification returned by the cloud service provider according to the integrity audit challenge is received, and the integrity of a corresponding file system in the user integrity certification is verified according to a first key, a second key and prestored verification information, so that reliability and audit efficiency of cloud data integrity audit for the file system are improved.
The computer readable storage medium of embodiments of the present invention may include any entity or device capable of carrying computer program code, recording medium, such as ROM/RAM, magnetic disk, optical disk, flash memory, and so on.
The foregoing description of the preferred embodiments of the invention is not intended to be limiting, but rather is intended to cover all modifications, equivalents, and alternatives falling within the spirit and principles of the invention.
Claims (10)
1. A cloud data integrity auditing method, the method comprising the steps of:
initiating an integrity audit challenge to a cloud service provider stored with file system data according to a preset audit mode;
receiving user integrity certification returned by the cloud service provider according to the integrity audit challenge;
and verifying the integrity of the corresponding file system in the user integrity certification according to the pre-generated first key, the pre-generated second key and the pre-stored verification information.
2. The method of claim 1, wherein the step of verifying the integrity of the file system in the user's integrity manifest comprises:
according to the first key and the verification information, a preset encryption hash function is used for verifying correctness of nodes in a node verification path of a hash tree corresponding to the file system in the user integrity certification;
and when each node in the node verification path verifies correctly, performing integrity verification on each file of the file system in the user integrity certification by using the encryption hash function according to the second key.
3. The method of claim 1, wherein prior to the step of initiating an integrity audit challenge to a cloud service having stored file system data, the method further comprises:
generating the first key and the second key by using a preset key generation algorithm;
preprocessing the file system by using the encryption hash function according to the first key and the second key to obtain auxiliary verification information;
and sending the processed file system and the auxiliary verification information to the cloud service provider.
4. The method of claim 3, wherein the step of preprocessing the file system using the cryptographic hash function to obtain the auxiliary authentication information comprises:
calculating a hash message verification code of each file in the file system by using the encryption hash function according to the second key;
and calculating the auxiliary verification information corresponding to the file system according to the hash message verification code and the first key, wherein the auxiliary verification information comprises a hash table and a hash tree corresponding to the file system.
5. A cloud data integrity auditing apparatus, the apparatus comprising:
the challenge initiating unit is used for initiating an integrity audit challenge to a cloud service provider stored with file system data according to a preset audit mode;
the proving return unit is used for receiving the user integrity proving returned by the cloud service provider according to the integrity audit challenge; and
and the integrity verification unit is used for verifying the integrity of the corresponding file system in the user integrity certification according to the first key, the second key and the prestored verification information which are generated in advance.
6. The apparatus of claim 5, wherein the integrity verification unit comprises:
the first verification unit is used for verifying the correctness of the nodes in the node verification path of the hash tree corresponding to the file system in the user integrity certification by using a preset encryption hash function according to the first key and the verification information; and
and the second verification unit is used for carrying out integrity verification on each file of the file system in the user integrity certification by using the encryption hash function according to the second key when each node in the node verification path is verified to be correct.
7. The apparatus of claim 5, wherein the apparatus further comprises:
a key generation unit for generating the first key and the second key using a preset key generation algorithm;
the file processing unit is used for preprocessing the file system by using the encryption hash function according to the first key and the second key to obtain auxiliary verification information; and
and the information sending unit is used for sending the processed file system and the auxiliary verification information to the cloud service provider.
8. The apparatus of claim 7, wherein the file processing unit comprises:
a first calculation unit, configured to calculate, according to the second key, a hash message authentication code of each file in the file system using the cryptographic hash function; and
and the second calculation unit is used for calculating the auxiliary verification information corresponding to the file system according to the hash message verification code and the first key, wherein the auxiliary verification information comprises a hash table and a hash tree corresponding to the file system.
9. A computing device comprising a memory, a processor, and a computer program stored in the memory and executable on the processor, wherein the processor implements the steps of the method of any of claims 1 to 4 when the computer program is executed.
10. A computer readable storage medium storing a computer program, characterized in that the computer program when executed by a processor implements the steps of the method according to any one of claims 1 to 4.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202310593144.1A CN116579026A (en) | 2023-05-24 | 2023-05-24 | Cloud data integrity auditing method, device, equipment and storage medium |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202310593144.1A CN116579026A (en) | 2023-05-24 | 2023-05-24 | Cloud data integrity auditing method, device, equipment and storage medium |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN116579026A true CN116579026A (en) | 2023-08-11 |
Family
ID=87535593
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202310593144.1A Pending CN116579026A (en) | 2023-05-24 | 2023-05-24 | Cloud data integrity auditing method, device, equipment and storage medium |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN116579026A (en) |
Cited By (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN117150575A (en) * | 2023-10-30 | 2023-12-01 | 西安热工研究院有限公司 | Method, system, equipment and medium for preventing manipulation of operation log of trusted industrial control system |
-
2023
- 2023-05-24 CN CN202310593144.1A patent/CN116579026A/en active Pending
Cited By (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN117150575A (en) * | 2023-10-30 | 2023-12-01 | 西安热工研究院有限公司 | Method, system, equipment and medium for preventing manipulation of operation log of trusted industrial control system |
| CN117150575B (en) * | 2023-10-30 | 2024-02-23 | 西安热工研究院有限公司 | Method, system, equipment and medium for preventing manipulation of operation log of trusted industrial control system |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN110400221B (en) | Data processing method, system, storage medium and computer equipment | |
| KR102627490B1 (en) | Script-based blockchain interaction | |
| KR101781583B1 (en) | File management and search system based on block chain and file management and search method | |
| CN111066046B (en) | Replay attack resistant authentication protocol | |
| JP7273053B2 (en) | Blockchain communication and ordering | |
| US11949789B2 (en) | Blockchain-enabled computing | |
| KR101937220B1 (en) | Method for generating and verifying a digital signature or message authentication code based on a block chain that does not require key management | |
| US8799247B2 (en) | System and methods for ensuring integrity, authenticity, indemnity, and assured provenance for untrusted, outsourced, or cloud databases | |
| JP3964941B2 (en) | Information integrity verification method and apparatus using distributed collators | |
| KR20200011435A (en) | Parameterizable Smart Contract | |
| KR102228210B1 (en) | Node device that enables the deletion of a transaction in a block chain network and operating method thereof | |
| CN108833431B (en) | Password resetting method, device, equipment and storage medium | |
| KR101253683B1 (en) | Digital Signing System and Method Using Chained Hash | |
| CN116579026A (en) | Cloud data integrity auditing method, device, equipment and storage medium | |
| Heitzmann et al. | Efficient integrity checking of untrusted network storage | |
| CN111614658A (en) | Calculation force contract generation method based on block chain network, electronic device and medium | |
| CN112702419B (en) | Data processing method, device, equipment and storage medium based on block chain | |
| CN115550060B (en) | Trusted certificate verification method, device, equipment and medium based on block chain | |
| KR102517001B1 (en) | System and method for processing digital signature on a blockchain network | |
| US20220020010A1 (en) | Decentralized electronic contract attestation platform | |
| CN115378605A (en) | Data processing method and device based on block chain | |
| KR100642979B1 (en) | Method for signing digital documents and verifying thereof using the signed attributes and computer readable record medium on which a program therefor is recorded | |
| CN115544170B (en) | Data hosting method and device based on block chain, electronic equipment and medium | |
| CN116842587B (en) | Block chain-based credential transfer method and apparatus, electronic device and storage medium | |
| JP2002006739A (en) | Authentication information generating device and data verifying device |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination |