Nothing Special   »   [go: up one dir, main page]

CN103795780A - Cloud storage data protection method and device - Google Patents

Cloud storage data protection method and device Download PDF

Info

Publication number
CN103795780A
CN103795780A CN201310656699.2A CN201310656699A CN103795780A CN 103795780 A CN103795780 A CN 103795780A CN 201310656699 A CN201310656699 A CN 201310656699A CN 103795780 A CN103795780 A CN 103795780A
Authority
CN
China
Prior art keywords
cloud server
data
pki
online
client
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201310656699.2A
Other languages
Chinese (zh)
Inventor
李翔宇
张潇
冯圣中
谭光
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Shenzhen Institute of Advanced Technology of CAS
Original Assignee
Shenzhen Institute of Advanced Technology of CAS
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Shenzhen Institute of Advanced Technology of CAS filed Critical Shenzhen Institute of Advanced Technology of CAS
Priority to CN201310656699.2A priority Critical patent/CN103795780A/en
Publication of CN103795780A publication Critical patent/CN103795780A/en
Pending legal-status Critical Current

Links

Images

Landscapes

  • Storage Device Security (AREA)

Abstract

本发明适用于信息安全技术领域,提供了一种云存储数据的保护方法及装置,包括:接收云服务器下发的公钥,所述云服务器下发的公钥与登录客户端的用户账户唯一对应;向所述云服务器上传原始数据,以使所述云服务器利用预存储的私钥对所述原始数据进行加密,生成加密数据并保存,所述预存储的私钥与所述云服务器下发的所述公钥对应;利用所述云服务器下发的公钥从所述云服务器获取到所述原始数据。在本发明中,即使云存储的数据遭到了泄露,第三方也很难获取到真实的数据,由此保障了云存储数据的安全性,保障了云服务器用户的信息安全。

The present invention is applicable to the technical field of information security, and provides a cloud storage data protection method and device, including: receiving a public key issued by a cloud server, and the public key issued by the cloud server is uniquely corresponding to the user account logged in to the client ; Upload original data to the cloud server, so that the cloud server utilizes a pre-stored private key to encrypt the original data, generate encrypted data and save it, and the pre-stored private key is issued with the cloud server corresponding to the public key; the original data is acquired from the cloud server by using the public key issued by the cloud server. In the present invention, even if the data stored in the cloud is leaked, it is difficult for a third party to obtain the real data, thereby ensuring the security of the cloud storage data and the information security of the cloud server user.

Description

云存储数据的保护方法及装置Cloud storage data protection method and device

技术领域technical field

本发明属于信息安全技术领域,尤其涉及一种云存储数据的保护方法及装置。The invention belongs to the technical field of information security, and in particular relates to a method and device for protecting cloud storage data.

背景技术Background technique

云存储是在云计算概念上延伸和发展出来的一个新的概念,是指通过集群应用、网格技术或者分布式文件系统等功能,将网络中大量各种不同类型的存储设备通过应用软件集合起来协同工作,以共同对外提供数据存储和业务访问功能的一个系统。当云计算系统运算和处理的核心是大量数据的存储和管理时,云计算系统中就需要配置大量的存储设备,那么云计算系统就转变成为一个云存储系统,所以云存储是一个以数据存储和管理为核心的云计算系统。Cloud storage is a new concept extended and developed from the concept of cloud computing. It refers to the collection of a large number of different types of storage devices in the network through application software through functions such as cluster applications, grid technology, or distributed file systems. Work together to jointly provide a system of data storage and business access functions. When the core of cloud computing system computing and processing is the storage and management of large amounts of data, a large number of storage devices need to be configured in the cloud computing system, then the cloud computing system will be transformed into a cloud storage system, so cloud storage is a data storage and management as the core cloud computing system.

相比于传统的在本地存储数据的方法,云存储更能够保证数据的安全性,同时也节约了本地的存储空间,因此,越来越多的用户开始采用云存储来备份数据,通过注册成为云服务器用户,获得一定的云存储空间,登陆云服务器后即可以将手机端或者电脑端的文件上传到云服务器保存,当需要时可以从云服务器进行下载。然而,现有的云服务器都将用户上传的文件以明文形式保存,一旦云服务器的数据遭到泄露,明文形式的数据则极可能被他人获取利用,从而对用户的信息安全产生极大的威胁。Compared with the traditional method of storing data locally, cloud storage can better ensure data security and save local storage space. Therefore, more and more users start to use cloud storage to back up data. Cloud server users get a certain amount of cloud storage space. After logging in to the cloud server, they can upload the files on the mobile phone or computer to the cloud server for storage, and can download from the cloud server when needed. However, the existing cloud servers store the files uploaded by users in plain text. Once the data of the cloud server is leaked, the data in plain text is likely to be obtained and used by others, which poses a great threat to the information security of users. .

发明内容Contents of the invention

本发明实施例的目的在于提供一种云存储数据的保护方法,解决现有的云存储数据采用明文形式存储,导致云存储数据的安全性得不到保障的问题。The purpose of the embodiments of the present invention is to provide a method for protecting cloud storage data, which solves the problem that the existing cloud storage data is stored in plain text, resulting in that the security of the cloud storage data cannot be guaranteed.

本发明实施例是这样实现的,一种云存储数据的保护方法,包括:The embodiment of the present invention is achieved in this way, a method for protecting cloud storage data, comprising:

接收云服务器下发的公钥,所述云服务器下发的公钥与登录客户端的用户账户唯一对应;Receive the public key issued by the cloud server, the public key issued by the cloud server is uniquely corresponding to the user account logged into the client;

向所述云服务器上传原始数据,以使所述云服务器利用预存储的私钥对所述原始数据进行加密,生成加密数据并保存,所述预存储的私钥与所述云服务器下发的所述公钥对应;Upload the original data to the cloud server, so that the cloud server uses the pre-stored private key to encrypt the original data, generate encrypted data and save it, and the pre-stored private key is the same as the one issued by the cloud server The public key corresponds to;

利用所述云服务器下发的公钥从所述云服务器获取到所述原始数据。The original data is obtained from the cloud server by using the public key issued by the cloud server.

本发明实施例的另一目的在于提供一种云存储数据的保护方法,包括:Another object of the embodiments of the present invention is to provide a method for protecting cloud storage data, including:

向客户端下发公钥,所述公钥与登录所述客户端的用户账户唯一对应;issuing a public key to the client, the public key uniquely corresponding to the user account logged into the client;

接收所述客户端上传的原始数据;receiving the original data uploaded by the client;

利用预存储的私钥对所述原始数据进行加密,生成加密数据并保存,所述预存储的私钥与所述云服务器下发的所述公钥对应。The original data is encrypted by using a pre-stored private key, and encrypted data is generated and saved, and the pre-stored private key corresponds to the public key issued by the cloud server.

本发明实施例的另一目的在于提供一种云存储数据的保护装置,包括:Another object of the embodiments of the present invention is to provide a protection device for cloud storage data, including:

公钥接收单元,用于接收云服务器下发的公钥,所述云服务器下发的公钥与登录客户端的用户账户唯一对应;The public key receiving unit is used to receive the public key issued by the cloud server, and the public key issued by the cloud server is uniquely corresponding to the user account logged into the client;

上传单元,用于向所述云服务器上传原始数据,以使所述云服务器利用预存储的私钥对所述原始数据进行加密,生成加密数据并保存,所述预存储的私钥与所述云服务器下发的所述公钥对应;an uploading unit, configured to upload original data to the cloud server, so that the cloud server encrypts the original data with a pre-stored private key, generates and stores encrypted data, and the pre-stored private key is the same as the The public key issued by the cloud server corresponds to;

获取单元,用于利用所述云服务器下发的公钥从所述云服务器获取到所述原始数据。An obtaining unit, configured to obtain the original data from the cloud server by using the public key issued by the cloud server.

本发明实施例的另一目的在于提供一种云存储数据的保护装置,包括:Another object of the embodiments of the present invention is to provide a protection device for cloud storage data, including:

下发单元,用于向客户端下发公钥,所述公钥与登录所述客户端的用户账户唯一对应;An issuing unit, configured to issue a public key to the client, the public key uniquely corresponding to the user account logged into the client;

数据接收单元,用于接收所述客户端上传的原始数据;a data receiving unit, configured to receive the original data uploaded by the client;

加密保存单元,用于利用预存储的私钥对所述原始数据进行加密,生成加密数据并保存,所述预存储的私钥与所述云服务器下发的所述公钥对应。An encryption storage unit, configured to encrypt the original data with a pre-stored private key corresponding to the public key issued by the cloud server, generate and store encrypted data.

在本发明实施例中,对于云存储的数据,云服务器采用非对称加密的方式,将这部分数据由明文加密成密文之后再进行存储,并且由云服务器保存私钥,客户端保存对应的公钥,这样即使云存储的数据遭到了泄露,第三方也很难获取到真实的数据,由此保障了云存储数据的安全性,保障了云服务器用户的信息安全。In the embodiment of the present invention, for the data stored in the cloud, the cloud server adopts an asymmetric encryption method to encrypt this part of data from plaintext into ciphertext before storing, and the cloud server saves the private key, and the client saves the corresponding Public key, so that even if the data stored in the cloud is leaked, it is difficult for a third party to obtain the real data, thereby ensuring the security of cloud storage data and the information security of cloud server users.

附图说明Description of drawings

图1是本发明实施例提供的云存储数据的保护方法客户端的实现流程图;Fig. 1 is the implementation flowchart of the cloud storage data protection method client provided by the embodiment of the present invention;

图2是本发明实施例提供的云存储数据的保护方法客户端S103的具体实现流程图;Fig. 2 is a specific implementation flowchart of the cloud storage data protection method client S103 provided by the embodiment of the present invention;

图3是本发明另一实施例提供的云存储数据的保护方法客户端S103的具体实现流程图;Fig. 3 is a specific implementation flowchart of the cloud storage data protection method client S103 provided by another embodiment of the present invention;

图4是本发明实施例提供的云存储数据的保护方法服务器的实现流程图;FIG. 4 is a flow chart of implementing a cloud storage data protection method server provided by an embodiment of the present invention;

图5是本发明另一实施例提供的云存储数据的保护方法服务器的实现流程图;Fig. 5 is a flow chart of implementing a cloud storage data protection method server provided by another embodiment of the present invention;

图6是本发明实施例提供的云存储数据的保护装置的结构框图。Fig. 6 is a structural block diagram of a device for protecting cloud storage data provided by an embodiment of the present invention.

具体实施方式Detailed ways

为了使本发明的目的、技术方案及优点更加清楚明白,以下结合附图及实施例,对本发明进行进一步详细说明。应当理解,此处所描述的具体实施例仅仅用以解释本发明,并不用于限定本发明。In order to make the object, technical solution and advantages of the present invention clearer, the present invention will be further described in detail below in conjunction with the accompanying drawings and embodiments. It should be understood that the specific embodiments described here are only used to explain the present invention, not to limit the present invention.

在本发明实施例中,对于云存储的数据,云服务器采用非对称加密的方式,将这部分数据由明文加密成密文之后再进行存储,并且由云服务器保存私钥,客户端保存对应的公钥,这样即使云存储的数据遭到了泄露,第三方也很难获取到真实的数据,由此保障了云存储数据的安全性,保障了云服务器用户的信息安全。In the embodiment of the present invention, for the data stored in the cloud, the cloud server adopts an asymmetric encryption method to encrypt this part of data from plaintext into ciphertext before storing, and the cloud server saves the private key, and the client saves the corresponding Public key, so that even if the data stored in the cloud is leaked, it is difficult for a third party to obtain the real data, thereby ensuring the security of cloud storage data and the information security of cloud server users.

图1示出了本发明实施例提供的云存储数据的保护方法的实现流程,在本实施例中,流程的执行主体为与云服务器对应的客户端。在进行数据备份的过程中,用户必须先通过客户端在云服务器中进行注册,以注册成为云服务器的用户。在注册成功之后,云服务器会分配给用户一个用户账户,同时分配给该用户账户一定的存储空间,用户通过在客户端登录该用户账户后,进行操作,在本地选取需要进行数据备份的文档、视频、音频、图片等各种类型的文件,并基于客户端与云服务器之间的通信,就能够实现将选取的文件上传至云服务器的功能。Fig. 1 shows the implementation process of the cloud storage data protection method provided by the embodiment of the present invention. In this embodiment, the execution subject of the process is the client corresponding to the cloud server. In the process of data backup, the user must first register in the cloud server through the client to register as a user of the cloud server. After the registration is successful, the cloud server will allocate a user account to the user, and at the same time allocate a certain amount of storage space to the user account. After logging in to the user account on the client, the user performs operations to select locally the files that need to be backed up. Various types of files such as video, audio, and pictures, and based on the communication between the client and the cloud server, the function of uploading the selected file to the cloud server can be realized.

图1的具体实现流程详述如下:The specific implementation process of Figure 1 is described in detail as follows:

在S101中,接收云服务器下发的公钥,所述云服务器下发的公钥与登录客户端的用户账户唯一对应。In S101, a public key delivered by the cloud server is received, and the public key delivered by the cloud server uniquely corresponds to a user account logged in to the client.

由于云服务器采用非对称加密,即公私密钥加密,在该加密过程中,公钥和私钥是一个密钥对,私钥用于加密,公钥用于解密,因此,在本实施例中,为了避免不同的用户账户共同使用一个公私密钥对,从而造成数据在不同用户账户之间相互泄露的安全隐患,云服务器分配的公钥是与登录客户端的用户账户唯一对应的。与此同时,公钥由云服务器下发给客户端进行保存,而在云服务器中并不保存该公钥,由此有效地避免了因为云服务器信息泄露而导致公私密钥对均被泄露的情况出现,有效地保障了云存储数据的安全。Since the cloud server adopts asymmetric encryption, that is, public-private key encryption, in the encryption process, the public key and the private key are a key pair, the private key is used for encryption, and the public key is used for decryption. Therefore, in this embodiment , in order to avoid the common use of a public-private key pair by different user accounts, thereby causing potential security risks of data leakage between different user accounts, the public key assigned by the cloud server is uniquely corresponding to the user account logged in to the client. At the same time, the public key is sent to the client by the cloud server for storage, but the public key is not stored in the cloud server, thus effectively avoiding the leakage of public and private key pairs due to information leakage of the cloud server. When the situation arises, the security of cloud storage data is effectively guaranteed.

在本实施例中,公钥的下发可以在注册过程中就由云服务器分配给用户账户,也可以在客户端需要向云服务器上传数据时实时地分配给登录客户端的用户账户,且在下发公钥之前,云服务器需要预先生成包含该公钥的公私密钥对,并将其中的私钥保存在云服务器本地。In this embodiment, the distribution of the public key can be assigned to the user account by the cloud server during the registration process, or it can be assigned to the user account of the login client in real time when the client needs to upload data to the cloud server. Before obtaining the public key, the cloud server needs to generate a public-private key pair containing the public key in advance, and save the private key in the cloud server locally.

在S102中,向所述云服务器上传原始数据,以使所述云服务器利用预存储的私钥对所述原始数据进行加密,生成加密数据并保存,所述预存储的私钥与所述云服务器下发的所述公钥对应。In S102, upload the original data to the cloud server, so that the cloud server encrypts the original data with a pre-stored private key, generates encrypted data and saves it, and the pre-stored private key and the cloud The corresponding public key issued by the server.

在S102中,客户端向云服务器上传需要进行云存储的原始数据,以使云服务器利用与分配给登录客户端的用户账户的公钥相对应的私钥来对该原始数据进行加密,从而生成加密数据并保存在云服务器中。云服务器对原始数据的处理过程将在后续实施例中进行详细说明,在此不再赘述。In S102, the client uploads the original data that needs to be stored in the cloud to the cloud server, so that the cloud server encrypts the original data with the private key corresponding to the public key assigned to the user account that logs in to the client, thereby generating encrypted data. data and stored in the cloud server. The processing process of the original data by the cloud server will be described in detail in subsequent embodiments, and will not be repeated here.

在S103中,利用所述云服务器下发的公钥从所述云服务器获取到所述原始数据。In S103, the original data is acquired from the cloud server by using the public key issued by the cloud server.

在本实施例中,当客户端在云服务器进行了数据备份之后,可以利用云服务器下发的公钥来从云服务器获取到原始数据,其中,获取的方式包括在线查看和下载。In this embodiment, after the client has backed up data on the cloud server, it can use the public key issued by the cloud server to obtain the original data from the cloud server, wherein the methods of obtaining include online viewing and downloading.

对于在线查看原始数据,作为本发明的一个实施例,如图2所示,S103具体为:For online viewing of raw data, as an embodiment of the present invention, as shown in Figure 2, S103 is specifically:

在S201中,向所述云服务器发送在线查看请求,所述在线查看请求中携带了所述云服务器下发的公钥,以使所述云服务器根据该公钥解密所述保密数据,还原并在线展示出所述原始数据。In S201, an online viewing request is sent to the cloud server, the online viewing request carries the public key issued by the cloud server, so that the cloud server decrypts the confidential data according to the public key, restores and The raw data are presented online.

在本实施例中,用户通过在客户端登录云服务器分配的用户账户之后,可以通过客户端提供的web页面,对云服务器进行远程访问,发起在线查看请求,请求在线查看其上传至云服务器备份的数据。其中,所述在线查看,是指只能在云服务器端对备份数据进行查看操作,而无法编辑备份数据或者下载备份数据至客户端,因此,在线查看能够避免数据在修改或者下载过程中产生的数据泄露。In this embodiment, after the user logs in the user account assigned by the cloud server at the client, he can remotely access the cloud server through the web page provided by the client, initiate an online viewing request, and request to upload it to the cloud server for backup. The data. Wherein, the online viewing refers to that the backup data can only be viewed on the cloud server side, and the backup data cannot be edited or downloaded to the client. Therefore, online viewing can prevent data from being modified or downloaded data breach.

在本实施例中,客户端发送的在线查看请求携带了云服务器分配给当前登录的用户账户的公钥,云服务器在接收到该公钥之后,利用该公钥与用户账户的唯一对应性,找到该用户账户备份的数据的密文,并利用该公钥来解密该密文,从而还原出原始数据,并对该原始数据进行在线展示。In this embodiment, the online viewing request sent by the client carries the public key assigned by the cloud server to the currently logged-in user account. After receiving the public key, the cloud server uses the unique correspondence between the public key and the user account to Find the ciphertext of the data backed up by the user account, and use the public key to decrypt the ciphertext, thereby restoring the original data, and display the original data online.

由于云服务器需要通过客户端上传的公钥来进行解密,而客户端上传的公钥是与当前登录客户端的用户账户唯一对应的,因此,只有该加密数据的真正上传方才拥有能够解密该加密数据的正确公钥,云服务器只有拥有了正确公钥才能够成功解密出加密数据,因此,本实施例的在线查看方式能够有效地避免其他用户账户查看到该用户账户的原始数据。Since the cloud server needs to decrypt the public key uploaded by the client, and the public key uploaded by the client is uniquely corresponding to the user account currently logged into the client, only the party who actually uploaded the encrypted data can decrypt the encrypted data Only with the correct public key can the cloud server successfully decrypt the encrypted data. Therefore, the online viewing method of this embodiment can effectively prevent other user accounts from viewing the original data of the user account.

在S202中,在线查看所述云服务器展示的所述原始数据。In S202, the original data displayed by the cloud server is viewed online.

在本实施例中,当云服务器在线还原并展示出原始数据之后,客户端能够通过远程访问云服务器、在线查看到原始数据。In this embodiment, after the cloud server restores and displays the original data online, the client can remotely access the cloud server and view the original data online.

进一步地,在图2所示实施例的基础上,当所述客户端取消对所述客户端上传的数据的在线查看之后,所述云服务器在缓存中删除进行在线查看的所述客户端上传的数据。Further, on the basis of the embodiment shown in FIG. 2 , after the client cancels the online viewing of the data uploaded by the client, the cloud server deletes the data uploaded by the client for online viewing in the cache. The data.

在本实施例中,对于客户端远程在线查看的备份数据,会在在线查看的过程中,在云服务器中生成缓存文件,为了避免后续过程中不法分子从云服务器的缓存文件中提取出这部分明文数据,导致备份数据泄露,在本实施例中,当检测到客户端退出远程查看之后,云服务器会删除缓存中的这部分明文数据,从而进一步地保障了云存储数据的安全性。In this embodiment, for the backup data viewed remotely online by the client, a cache file will be generated in the cloud server during the online viewing process, in order to prevent criminals from extracting this part from the cache file of the cloud server in the subsequent process Plaintext data leads to backup data leakage. In this embodiment, when it is detected that the client exits remote viewing, the cloud server will delete this part of plaintext data in the cache, thereby further ensuring the security of cloud storage data.

对于下载原始数据,作为本发明的一个实施例,如图3所示,S103具体为:For downloading raw data, as an embodiment of the present invention, as shown in Figure 3, S103 is specifically:

在S301中,向所述云服务器发送下载请求。In S301, a download request is sent to the cloud server.

在本实施例中,用户通过在客户端登录云服务器分配的用户账户之后,可以通过客户端提供的web页面,对云服务器进行远程访问,发起数据下载请求,请求下载其上传至云服务器备份的数据。客户端在完成数据下载之后,能够进一步地对数据进行修改操作。In this embodiment, the user can remotely access the cloud server through the web page provided by the client after logging into the user account assigned by the cloud server at the client, initiate a data download request, and request to download the data uploaded to the cloud server for backup. data. After the client completes the data download, it can further modify the data.

在S302中,接收所述云服务器根据所述下载请求返回的所述加密数据。In S302, receive the encrypted data returned by the cloud server according to the download request.

在本实施例中,云服务器在接收到客户端发送的数据下载请求之后,根据登录客户端的用户账户,查找到该用户账户对应的加密数据,并返回给客户端。In this embodiment, after receiving the data download request sent by the client, the cloud server finds the encrypted data corresponding to the user account according to the user account logged into the client, and returns it to the client.

在S303中,根据所述云服务器下发的公钥对所述加密数据进行解密,还原出所述原始数据。In S303, the encrypted data is decrypted according to the public key issued by the cloud server, and the original data is restored.

在本实施例中,客户端在接收到云服务器返回的加密数据之后,利用云服务器下发的公钥对该加密数据进行解密,从而还原出原始的数据。In this embodiment, after receiving the encrypted data returned by the cloud server, the client decrypts the encrypted data using the public key delivered by the cloud server, thereby restoring the original data.

在图3实施例所述的下载过程中,数据由云服务器传输到客户端的整个过程,都是以密文的形式存在的,只有在下载到客户端之后,才有客户端根据云服务器下发的密钥自行解密,因此,可以有效地防止数据在传输过程中遭到泄露,保障了用户的信息安全。In the download process described in the embodiment in Figure 3, the entire process of data transmission from the cloud server to the client exists in the form of ciphertext, and only after the data is downloaded to the client can the client send the data according to the cloud server. The key can be decrypted by itself, therefore, it can effectively prevent the data from being leaked during the transmission process and guarantee the user's information security.

图4示出了本发明实施例提供的云存储数据的保护方法的实现流程,在本实施例中,流程的执行主体为云服务器,其执行的是与图1至图3实施例所述的客户端操作所对应的云服务器的操作,因此,相同的实现原理在本实施例中不再一一赘述。图4的具体实现流程详述如下:Fig. 4 shows the implementation process of the cloud storage data protection method provided by the embodiment of the present invention. In this embodiment, the execution subject of the process is the cloud server, which executes the same as that described in the embodiment of Fig. 1 to Fig. 3 The operation of the cloud server corresponds to the operation of the client. Therefore, the same implementation principle will not be described one by one in this embodiment. The specific implementation process of Figure 4 is described in detail as follows:

在S401中,向客户端下发公钥,所述公钥与登录所述客户端的用户账户唯一对应。In S401, a public key is issued to the client, and the public key is uniquely corresponding to a user account logged into the client.

在本实施例中,公钥的下发可以在注册过程中就由云服务器分配给用户账户,也可以在客户端需要向云服务器上传数据时实时地分配给登录客户端的用户账户,且在下发公钥之前,云服务器需要预先生成包含该公钥的公私密钥对,并将其中的私钥保存在云服务器本地。In this embodiment, the distribution of the public key can be assigned to the user account by the cloud server during the registration process, or it can be assigned to the user account of the login client in real time when the client needs to upload data to the cloud server. Before obtaining the public key, the cloud server needs to generate a public-private key pair containing the public key in advance, and save the private key in the cloud server locally.

在S402中,接收所述客户端上传的原始数据。In S402, the original data uploaded by the client is received.

在S403中,利用预存储的私钥对所述原始数据进行加密,生成加密数据并保存,所述预存储的私钥与所述云服务器下发的所述公钥对应。In S403, the original data is encrypted by using a pre-stored private key corresponding to the public key delivered by the cloud server to generate and store encrypted data.

在本实施例中,客户端向云服务器上传需要进行云存储的原始数据,云服务器在接收到原始数据之后,利用与分配给登录客户端的用户账户的公钥相对应的私钥来对该原始数据进行加密,从而生成加密数据并保存在云服务器中。In this embodiment, the client uploads the original data that needs to be stored in the cloud to the cloud server. The data is encrypted, thereby generating encrypted data and saving it in the cloud server.

在本实施例中,当云服务器通过加密得到了数据的密文之后,才执行数据保存的操作,由此,用户上传至云服务器备份的数据是以密文的形式在云端进行存储的,这样即使云存储的数据遭到了泄露,第三方也很难获取到真实的用户备份数据,由此保障了云存储数据的安全性,保障了云服务器用户的信息安全。In this embodiment, the data saving operation is performed only after the cloud server obtains the ciphertext of the data through encryption. Thus, the data uploaded by the user to the cloud server for backup is stored in the cloud in the form of ciphertext. Even if the cloud storage data is leaked, it is difficult for a third party to obtain the real user backup data, thereby ensuring the security of cloud storage data and the information security of cloud server users.

在本实施例中,当客户端在云服务器进行了数据备份之后,可以利用云服务器下发的公钥来从云服务器获取到原始数据,其中,获取的方式包括在线查看和下载。In this embodiment, after the client has backed up data on the cloud server, it can use the public key issued by the cloud server to obtain the original data from the cloud server, wherein the methods of obtaining include online viewing and downloading.

对于在线查看原始数据,作为本发明的一个实施例,如图5所示,在图4所示实施例的基础上,所述方法还包括:For online viewing of raw data, as an embodiment of the present invention, as shown in Figure 5, on the basis of the embodiment shown in Figure 4, the method also includes:

S404,接收所述客户端发送的在线查看请求,所述在线查看请求中携带了所述云服务器下发的公钥。S404. Receive an online viewing request sent by the client, where the online viewing request carries the public key delivered by the cloud server.

S405,提取所述在线查看请求中携带的所述云服务器下发的公钥。S405. Extract the public key delivered by the cloud server carried in the online viewing request.

S406,根据提取出的公钥解密所述保密数据,还原出所述原始数据。S406. Decrypt the confidential data according to the extracted public key, and restore the original data.

S407,在线展示所述原始数据,以使所述客户端在线查看所述原始数据。S407. Display the original data online, so that the client can view the original data online.

在本实施例中,客户端发送的在线查看请求携带了云服务器分配给当前登录的用户账户的公钥,云服务器在接收到该在线查看请求之后,提取出其中携带的公钥,利用该公钥与用户账户的唯一对应性,找到该用户账户备份的数据的密文,并利用该公钥来解密该密文,从而还原出原始数据,并对该原始数据进行在线展示。In this embodiment, the online viewing request sent by the client carries the public key assigned by the cloud server to the currently logged-in user account. After receiving the online viewing request, the cloud server extracts the public key carried in it, and uses the public key According to the unique correspondence between the key and the user account, find the ciphertext of the data backed up by the user account, and use the public key to decrypt the ciphertext, thereby restoring the original data and displaying the original data online.

由于云服务器需要通过客户端上传的公钥来进行解密,而客户端上传的公钥是与当前登录客户端的用户账户唯一对应的,因此,只有该加密数据的真正上传方才拥有能够解密该加密数据的正确公钥,云服务器只有拥有了正确公钥才能够成功解密出加密数据,因此,本实施例的在线查看方式能够有效地避免其他用户账户查看到该用户账户的原始数据。Since the cloud server needs to decrypt the public key uploaded by the client, and the public key uploaded by the client is uniquely corresponding to the user account currently logged into the client, only the party who actually uploaded the encrypted data can decrypt the encrypted data Only with the correct public key can the cloud server successfully decrypt the encrypted data. Therefore, the online viewing method of this embodiment can effectively prevent other user accounts from viewing the original data of the user account.

在本实施例中,对于客户端远程在线查看的备份数据,会在在线查看的过程中,在云服务器中生成缓存文件,为了避免后续过程中不法分子从云服务器的缓存文件中提取出这部分明文数据,导致备份数据泄露,在本实施例中,当检测到客户端退出远程查看之后,云服务器会删除缓存中的这部分明文数据,从而进一步地保障了云存储数据的安全性。In this embodiment, for the backup data viewed remotely online by the client, a cache file will be generated in the cloud server during the online viewing process, in order to prevent criminals from extracting this part from the cache file of the cloud server in the subsequent process Plaintext data leads to backup data leakage. In this embodiment, when it is detected that the client exits remote viewing, the cloud server will delete this part of plaintext data in the cache, thereby further ensuring the security of cloud storage data.

对于下载原始数据,在本实施例中,用户通过在客户端登录云服务器分配的用户账户之后,可以通过客户端提供的web页面,对云服务器进行远程访问,发起数据下载请求,请求下载其上传至云服务器备份的数据。客户端在完成数据下载之后,能够进一步地对数据进行修改操作,云服务器在接收到客户端发送的数据下载请求之后,根据登录客户端的用户账户,查找到该用户账户对应的加密数据,并返回给客户端。由于数据由云服务器传输到客户端的整个过程,都是以密文的形式存在的,只有在下载到客户端之后,才有客户端根据云服务器下发的密钥自行解密,因此,可以有效地防止数据在传输过程中遭到泄露,保障了用户的信息安全。For downloading original data, in this embodiment, after the user logs in the user account assigned by the cloud server at the client, he can remotely access the cloud server through the web page provided by the client, initiate a data download request, and request to download the uploaded data. Data backed up to the cloud server. After the client completes the data download, it can further modify the data. After receiving the data download request sent by the client, the cloud server finds the encrypted data corresponding to the user account according to the user account logged into the client, and returns to the client. Since the entire process of data transmission from the cloud server to the client exists in the form of ciphertext, only after it is downloaded to the client, the client can decrypt it by itself according to the key issued by the cloud server. Therefore, it can effectively Prevent data from being leaked during transmission and ensure user information security.

图6示出了本发明实施例提供的云存储数据的保护装置的结构框图,该装置分别位于客户端和云服务器中,用于分别运行本发明图1至图3实施例以及本发明图4和图5实施例所示的云存储数据的保护方法。为了便于说明,仅示出了与本实施例相关的部分。Fig. 6 shows a structural block diagram of a device for protecting cloud storage data provided by an embodiment of the present invention. The devices are respectively located in the client and the cloud server, and are used to run the embodiments of the present invention shown in Fig. 1 to Fig. 3 and Fig. 4 of the present invention respectively. and the method for protecting cloud storage data shown in the embodiment of FIG. 5 . For ease of description, only the parts related to this embodiment are shown.

参照图6,在客户端中,包括了:Referring to Figure 6, in the client, it includes:

公钥接收单元61,接收云服务器下发的公钥,所述云服务器下发的公钥与登录客户端的用户账户唯一对应。The public key receiving unit 61 receives the public key issued by the cloud server, and the public key issued by the cloud server is uniquely corresponding to the user account logged into the client.

上传单元62,向所述云服务器上传原始数据,以使所述云服务器利用预存储的私钥对所述原始数据进行加密,生成加密数据并保存,所述预存储的私钥与所述云服务器下发的所述公钥对应。Upload unit 62, uploading original data to the cloud server, so that the cloud server encrypts the original data with a pre-stored private key, generates encrypted data and saves it, and the pre-stored private key is shared with the cloud The corresponding public key issued by the server.

获取单元63,利用所述云服务器下发的公钥从所述云服务器获取到所述原始数据。The obtaining unit 63 obtains the original data from the cloud server by using the public key issued by the cloud server.

可选地,所述获取单元63包括:Optionally, the acquisition unit 63 includes:

在线查看请求发送子单元,向所述云服务器发送在线查看请求,所述在线查看请求中携带了所述云服务器下发的公钥,以使所述云服务器根据该公钥解密所述保密数据,还原并在线展示出所述原始数据。The online viewing request sending subunit sends an online viewing request to the cloud server, and the online viewing request carries the public key issued by the cloud server, so that the cloud server can decrypt the confidential data according to the public key , restore and display the original data online.

在线查看子单元,在线查看所述云服务器展示的所述原始数据。View subunits online, and view the raw data displayed by the cloud server online.

可选地,所述获取单元63包括:Optionally, the acquiring unit 63 includes:

下载请求发送子单元,向所述云服务器发送下载请求;The download request sending subunit sends a download request to the cloud server;

数据接收子单元,接收所述云服务器根据所述下载请求返回的所述加密数据;a data receiving subunit, configured to receive the encrypted data returned by the cloud server according to the download request;

还原子单元,根据所述云服务器下发的公钥对所述加密数据进行解密,还原出所述原始数据。The restoration sub-unit decrypts the encrypted data according to the public key issued by the cloud server, and restores the original data.

在云服务器中,所述装置包括:In the cloud server, the device includes:

下发单元64,向客户端下发公钥,所述公钥与登录所述客户端的用户账户唯一对应。The issuing unit 64 is configured to issue a public key to the client, where the public key uniquely corresponds to the user account that logs in to the client.

数据接收单元65,接收所述客户端上传的原始数据。The data receiving unit 65 is configured to receive the original data uploaded by the client.

加密保存单元66,利用预存储的私钥对所述原始数据进行加密,生成加密数据并保存,所述预存储的私钥与所述云服务器下发的所述公钥对应。The encryption storage unit 66 encrypts the original data with a pre-stored private key corresponding to the public key issued by the cloud server to generate and store encrypted data.

可选地,所述装置还包括:Optionally, the device also includes:

在线查看请求接收单元,接收所述客户端发送的在线查看请求,所述在线查看请求中携带了所述云服务器下发的公钥。The online viewing request receiving unit receives the online viewing request sent by the client, and the online viewing request carries the public key issued by the cloud server.

提取单元,提取所述在线查看请求中携带的所述云服务器下发的公钥。An extraction unit, configured to extract the public key issued by the cloud server carried in the online viewing request.

还原单元,根据提取出的公钥解密所述保密数据,还原出所述原始数据。The restoration unit decrypts the confidential data according to the extracted public key, and restores the original data.

在线展示单元,在线展示所述原始数据,以使所述客户端在线查看所述原始数据。The online display unit is configured to display the original data online, so that the client can view the original data online.

在本发明实施例中,对于云存储的数据,云服务器采用非对称加密的方式,将这部分数据由明文加密成密文之后再进行存储,并且由云服务器保存私钥,客户端保存对应的公钥,这样即使云存储的数据遭到了泄露,第三方也很难获取到真实的数据,由此保障了云存储数据的安全性,保障了云服务器用户的信息安全。In the embodiment of the present invention, for the data stored in the cloud, the cloud server adopts an asymmetric encryption method to encrypt this part of data from plaintext into ciphertext before storing, and the cloud server saves the private key, and the client saves the corresponding Public key, so that even if the data stored in the cloud is leaked, it is difficult for a third party to obtain the real data, thereby ensuring the security of cloud storage data and the information security of cloud server users.

以上所述仅为本发明的较佳实施例而已,并不用以限制本发明,凡在本发明的精神和原则之内所作的任何修改、等同替换和改进等,均应包含在本发明的保护范围之内。The above descriptions are only preferred embodiments of the present invention, and are not intended to limit the present invention. Any modifications, equivalent replacements and improvements made within the spirit and principles of the present invention should be included in the protection of the present invention. within range.

Claims (10)

1. a guard method for cloud storage data, is characterized in that, comprising:
Receive the PKI that Cloud Server issues, the PKI that described Cloud Server issues is unique corresponding with the user account of login client;
Upload initial data to described Cloud Server, so that described Cloud Server utilizes the private key of pre-stored to be encrypted described initial data, generate enciphered data and preserve, the described PKI that the private key of described pre-stored issues with described Cloud Server is corresponding;
Utilize the PKI that described Cloud Server issues to get described initial data from described Cloud Server.
2. the method for claim 1, is characterized in that, describedly utilizes PKI that described Cloud Server issues to get described initial data from described Cloud Server to comprise:
Send and check online request to described Cloud Server, described checking online in request carried the PKI that described Cloud Server issues, so that described Cloud Server is deciphered described private data according to this PKI, reduction also shows described initial data online;
Check online the described initial data that described Cloud Server is shown.
3. the method for claim 1, is characterized in that, describedly utilizes PKI that described Cloud Server issues to get described initial data from described Cloud Server to comprise:
Send download request to described Cloud Server;
Receive the described enciphered data that described Cloud Server returns according to described download request;
The PKI issuing according to described Cloud Server is decrypted described enciphered data, restores described initial data.
4. a guard method for cloud storage data, is characterized in that, comprising:
Issue PKI to client, described PKI is unique corresponding with the user account of the described client of login;
Receive the initial data of described client upload;
Utilize the private key of pre-stored to be encrypted described initial data, generate enciphered data and preserve, the described PKI that the private key of described pre-stored issues with described Cloud Server is corresponding.
5. method as claimed in claim 4, is characterized in that, described method also comprises:
Receive the request of checking online that described client sends, described checking online carried the PKI that described Cloud Server issues in request;
Extract the described PKI of checking that online the described Cloud Server that carries in request issues;
Decipher described private data according to the PKI extracting, restore described initial data;
The described initial data of online displaying, so that described client is checked described initial data online.
6. a protective device for cloud storage data, is characterized in that, comprising:
PKI receiving element, the PKI issuing for receiving Cloud Server, the PKI that described Cloud Server issues is unique corresponding with the user account of login client;
Uploading unit, for uploading initial data to described Cloud Server, so that described Cloud Server utilizes the private key of pre-stored to be encrypted described initial data, generate enciphered data and preserve, the described PKI that the private key of described pre-stored issues with described Cloud Server is corresponding;
Acquiring unit, for utilizing the PKI that described Cloud Server issues to get described initial data from described Cloud Server.
7. device as claimed in claim 6, is characterized in that, described acquiring unit comprises:
The request of checking online sends subelement, for sending to described Cloud Server the request of checking online, described checking online in request carried the PKI that described Cloud Server issues, so that described Cloud Server is deciphered described private data according to this PKI, reduction also shows described initial data online;
Check online subelement, for the described initial data of checking that online described Cloud Server is shown.
8. device as claimed in claim 6, is characterized in that, described acquiring unit comprises:
Download request sends subelement, for sending download request to described Cloud Server;
Data receiver subelement, the described enciphered data of returning according to described download request for receiving described Cloud Server;
Also atomic unit, is decrypted described enciphered data for the PKI issuing according to described Cloud Server, restores described initial data.
9. a protective device for cloud storage data, is characterized in that, comprising:
Issue unit, for issuing PKI to client, described PKI is unique corresponding with the user account of the described client of login;
Data receiver unit, for receiving the initial data of described client upload;
Encrypting storing unit, is encrypted described initial data for the private key that utilizes pre-stored, generates enciphered data and preserves, and the described PKI that the private key of described pre-stored issues with described Cloud Server is corresponding.
10. device as claimed in claim 9, is characterized in that, described device also comprises:
Check online request reception unit, the request of checking online sending for receiving described client, described checking online carried the PKI that described Cloud Server issues in request;
Extraction unit, the PKI issuing for extracting the described described Cloud Server of checking that online request is carried;
Reduction unit, for deciphering described private data according to the PKI extracting, restores described initial data;
Online display unit, for the described initial data of online displaying, so that described client is checked described initial data online.
CN201310656699.2A 2013-12-06 2013-12-06 Cloud storage data protection method and device Pending CN103795780A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201310656699.2A CN103795780A (en) 2013-12-06 2013-12-06 Cloud storage data protection method and device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201310656699.2A CN103795780A (en) 2013-12-06 2013-12-06 Cloud storage data protection method and device

Publications (1)

Publication Number Publication Date
CN103795780A true CN103795780A (en) 2014-05-14

Family

ID=50671050

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201310656699.2A Pending CN103795780A (en) 2013-12-06 2013-12-06 Cloud storage data protection method and device

Country Status (1)

Country Link
CN (1) CN103795780A (en)

Cited By (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104468615A (en) * 2014-12-25 2015-03-25 西安电子科技大学 Data sharing based file access and permission change control method
CN104967601A (en) * 2015-02-12 2015-10-07 腾讯科技(深圳)有限公司 Data processing method and apparatus
CN107111721A (en) * 2014-08-12 2017-08-29 杰威航空技术有限公司 Data security system and method
WO2017193950A1 (en) * 2016-05-11 2017-11-16 中兴通讯股份有限公司 Mobile office method, server, client, and system
CN108259609A (en) * 2018-01-20 2018-07-06 福建省数字福建云计算运营有限公司 The management method and Cloud Server of a kind of family high in the clouds data
CN108933758A (en) * 2017-05-23 2018-12-04 中国电信股份有限公司 Cloud storage encipher-decipher method, device and system can be shared
CN110602132A (en) * 2019-09-24 2019-12-20 苏州浪潮智能科技有限公司 Data encryption and decryption processing method
CN112559500A (en) * 2020-11-11 2021-03-26 小安(北京)科技有限公司 Data combing technology
CN116956355A (en) * 2023-09-21 2023-10-27 中日友好医院(中日友好临床医学研究所) Cloud security medical user personal information encryption protection system and encryption protection method thereof

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101917710A (en) * 2010-08-27 2010-12-15 中兴通讯股份有限公司 Method, system and related device for mobile internet encryption communication
CN102244649A (en) * 2010-05-12 2011-11-16 杭州华三通信技术有限公司 Data transmission method among secure networks and data processors
CN102263637A (en) * 2010-05-28 2011-11-30 陈勇 Information encryption method and equipment thereof
US20120191969A1 (en) * 2011-01-21 2012-07-26 Clifford Thomas G System and method for netbackup data decryption in a high latency low bandwidth environment
CN102857338A (en) * 2012-08-31 2013-01-02 浪潮电子信息产业股份有限公司 Method for realizing secure transmission of data in cloud storage system
CN103078959A (en) * 2013-02-06 2013-05-01 浪潮电子信息产业股份有限公司 Encryption and decryption method for protecting safety of cloud storage data

Patent Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102244649A (en) * 2010-05-12 2011-11-16 杭州华三通信技术有限公司 Data transmission method among secure networks and data processors
CN102263637A (en) * 2010-05-28 2011-11-30 陈勇 Information encryption method and equipment thereof
CN101917710A (en) * 2010-08-27 2010-12-15 中兴通讯股份有限公司 Method, system and related device for mobile internet encryption communication
US20120191969A1 (en) * 2011-01-21 2012-07-26 Clifford Thomas G System and method for netbackup data decryption in a high latency low bandwidth environment
CN102857338A (en) * 2012-08-31 2013-01-02 浪潮电子信息产业股份有限公司 Method for realizing secure transmission of data in cloud storage system
CN103078959A (en) * 2013-02-06 2013-05-01 浪潮电子信息产业股份有限公司 Encryption and decryption method for protecting safety of cloud storage data

Cited By (13)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107111721A (en) * 2014-08-12 2017-08-29 杰威航空技术有限公司 Data security system and method
CN104468615A (en) * 2014-12-25 2015-03-25 西安电子科技大学 Data sharing based file access and permission change control method
CN104468615B (en) * 2014-12-25 2018-03-20 西安电子科技大学 file access and modification authority control method based on data sharing
CN104967601A (en) * 2015-02-12 2015-10-07 腾讯科技(深圳)有限公司 Data processing method and apparatus
WO2017193950A1 (en) * 2016-05-11 2017-11-16 中兴通讯股份有限公司 Mobile office method, server, client, and system
CN108933758A (en) * 2017-05-23 2018-12-04 中国电信股份有限公司 Cloud storage encipher-decipher method, device and system can be shared
CN108933758B (en) * 2017-05-23 2021-04-09 中国电信股份有限公司 Sharable cloud storage encryption and decryption method, device and system
CN108259609A (en) * 2018-01-20 2018-07-06 福建省数字福建云计算运营有限公司 The management method and Cloud Server of a kind of family high in the clouds data
CN108259609B (en) * 2018-01-20 2020-10-16 福建省数字福建云计算运营有限公司 Family cloud data management method and cloud server
CN110602132A (en) * 2019-09-24 2019-12-20 苏州浪潮智能科技有限公司 Data encryption and decryption processing method
CN112559500A (en) * 2020-11-11 2021-03-26 小安(北京)科技有限公司 Data combing technology
CN116956355A (en) * 2023-09-21 2023-10-27 中日友好医院(中日友好临床医学研究所) Cloud security medical user personal information encryption protection system and encryption protection method thereof
CN116956355B (en) * 2023-09-21 2023-12-19 中日友好医院(中日友好临床医学研究所) Cloud security medical user personal information encryption protection system and encryption protection method thereof

Similar Documents

Publication Publication Date Title
CN103795780A (en) Cloud storage data protection method and device
TWI701561B (en) Data backup method and device, storage medium and server
US9767299B2 (en) Secure cloud data sharing
CN103237040B (en) A kind of storage means, server and client side
CN103107995B (en) A kind of cloud computing environment date safety storing system and method
CN100464549C (en) Method for realizing data safety storing business
JP5749236B2 (en) Key change management device and key change management method
US10735186B2 (en) Revocable stream ciphers for upgrading encryption in a shared resource environment
EP3598714A1 (en) Method, device, and system for encrypting secret key
CN104023027B (en) High in the clouds data definitiveness delet method based on ciphertext sampling burst
CN105207773A (en) Method, system and device for management, synchronization and backup of data encryption key
CN104113528A (en) Pre-posed gateway-based method and system for preventing sensitive information leakage
JP6566278B1 (en) Personal data management system
US20180285558A1 (en) Device and method for password generation in a user device
CN103607409A (en) Method for protecting cloud storage data and cloud server
CN103457995A (en) Data information storage method for terminal equipment, terminal equipment and cloud terminal server
JP2016212293A (en) Information processing apparatus, terminal apparatus, and storage method for storing data in cloud environment
CN104967591A (en) Cloud storage data read-write method and device, and read-write control method and device
CN104869103A (en) Method for searching multimedia file, terminal equipment and server
CN103236934A (en) Method for cloud storage security control
EP2942899A1 (en) Information processing method, trust server and cloud server
CN103475474A (en) Method for providing and acquiring shared enciphered data and identity authentication equipment
CN111181920A (en) Encryption and decryption method and device
US10417437B2 (en) Maintaining data security in a network device
CA2891610C (en) Agent for providing security cloud service and security token device for security cloud service

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20140514

RJ01 Rejection of invention patent application after publication