Search Images Maps Play YouTube News Gmail Drive More »
Sign in
Screen reader users: click this link for accessible mode. Accessible mode has the same essential features but works better with your reader.

Patents

  1. Advanced Patent Search
Publication numberCN101753539 A
Publication typeApplication
Application numberCN 200810227900
Publication dateJun 23, 2010
Filing dateDec 1, 2008
Priority dateDec 1, 2008
Also published asCN101753539B
Publication number200810227900.4, CN 101753539 A, CN 101753539A, CN 200810227900, CN-A-101753539, CN101753539 A, CN101753539A, CN200810227900, CN200810227900.4
Inventors刘伟晏, 杨汉强, 王凡, 王绪胜, 马淑桂
Applicant北京大学;北大方正集团有限公司;北京方正电子政务信息科技有限公司;国家档案局档案科学技术研究所;国家档案局
Export CitationBiBTeX, EndNote, RefMan
External Links: SIPO, Espacenet
Network data storage method and server
CN 101753539 A
Abstract
The invention discloses a network data storage method and a server. The disturbing network data storage method provided by the invention comprises the following steps: judging whether a data file needs to be encrypted and/or signed or not by the server according to configuration information of the storage region of the data file; encrypting a network data stream uploaded at a client when the data file needs to be encrypted but does not need to be signed according to the judgment, and writing the encrypted data stream into the data file; writing the network data stream uploaded at the client into the data file when the data file needs to be signed but does not need to be encrypted according to the judgment, and signing the data file; and encrypting the network data stream uploaded at the client when the data file needs to be encrypted and signed according to the judgment, writing the encrypted network data stream into the data file, and signing the data file. The invention improves the openness, the expansibility, the robustness and the reading/writing visit efficiency of the network storage server on the premise of ensuring the confidentiality and the completeness of the data storage.
Claims(10)  translated from Chinese
  1. 一种网络数据存储方法,其特征在于,包括:服务器根据数据文件所属存储区域的配置信息,判断所述数据文件是否需加密和/或是否需签名;当判断所述数据文件需加密不需签名时,对所述客户端上载的网络数据流进行加密,并将加密的所述网络数据流写入所述数据文件;当判断所述数据文件需签名不需加密时,将所述客户端上载的网络数据流写入所述数据文件,对所述数据文件进行签名;当判断所述数据文件需要加密和签名时,对所述客户端上载的网络数据流进行加密,将加密的网络数据流写入所述数据文件,对所述数据文件进行签名。 A network data storage method, characterized by comprising: a server according to the configuration data file storage area belongs, determines whether the data file for an encryption and / or signature is required; when it is determined that the data file for an encryption without signature When, on the client on the network traffic load is encrypted, and the encrypted data stream of the network writes the data file; when it is determined that the data file without the need to encrypt the signature will be contained on the client The network data is written to the data stream file, the data file to be signed; when it is determined that the data file needs to be encrypted and the signature of the client load on the network data stream is encrypted, the encrypted network traffic writing said data file, said data file is signed.
  2. 2. 如权利要求l所述的方法,其特征在于,还包括:对预先划分的多个存储区域,分别配置其存储的数据文件是否需要加密以及加密算法和/或是否需要签名以及签名算法的参数信息;所述对客户端上载网络数据流进行加密,包括:根据所述数据文件所属存储区域配置的加密算法,生成加密密钥; 根据所述加密算法和生成的加密密钥,对客户端上载的网络数据流进行加密; 所述对数据文件进行签名,包括:根据所述数据文件所属存储区域配置的签名算法,对所述数据文件进行签名。 2. The method according to claim l, characterized in that, further comprising: a plurality of storage areas pre-divided, respectively, whether its stored configuration data file needs to be encrypted and the encryption algorithms and / or the need for a signature and the signature algorithm parameter information; the carrier network for data traffic is encrypted on the client, comprising: an encryption algorithm in accordance with the data storage area configuration file belongs, to generate an encryption key; generated based on the encryption algorithm and encryption key on the client upload network data stream is encrypted; the data file is signed, including: the signature algorithm based on the data file belongs to a storage area configured for the data file to be signed.
  3. 3. 如权利要求2所述的方法,其特征在于,还包括: 对所述加密密钥进行加密;将所述加密算法、加密后的加密密钥和/或所述签名算法、签名结果生成密钥文件并存储;所述密钥文件与所述数据文件一一对应。 3. The method according to claim 2, characterized by further comprising: encrypting said encryption key; the encryption algorithm, the encrypted encryption key and / or the signature algorithm, signature result is generated key file and stored; said key file and the data file to-one correspondence.
  4. 4. 如权利要求3所述的方法,其特征在于,还包括:所述服务器根据客户端请求下载的数据文件对应的密钥文件,判断所述数据文件是否已加密和/或是否已签名;当判断所述数据文件已加密未签名时,对所述数据文件的数据流进行解密,并将解密的所述数据流输出到所述客户端;当判断所述数据文件已签名未加密时,对所述数据文件验证签名,并在验证通过后,将所述数据文件的数据流输出到所述客户端;当判断所述数据文件已签名且已加密时,对所述数据文件验证签名,并在验证通过后, 对所述数据文件的数据流进行解密,将解密的数据流输出到所述客户端。 4. The method according to claim 3, characterized by further comprising: the server based on client requests to download a data file corresponding to the key file, it is determined whether the data file has been encrypted and / or has a signature; When judging the unsigned data file is encrypted, the data stream to decrypt the data file, the data and the decrypted stream is output to the client; when it is determined that the data file signed unencrypted, verify the signature of the data file, and after the verification is passed, the data stream of the data file is output to the client; when it is determined that the data file has been signed and encrypted when the data file to verify the signature, and, after verification by the data flow of the data file is decrypted, the decrypted data stream output to the client.
  5. 5. 如权利要求4所述的方法,其特征在于,所述对数据文件验证签名,包括: 根据所述数据文件对应的密钥文件中包含的签名算法和签名结果,对读取的数据文件验证签名;所述对数据文件的数据流进行解密,包括:将所述密钥文件中加密后的加密密钥进行解密,得到解密密钥;使用所述解密密钥和所述密钥文件中的加密算法对所述数据文件的数据流进行解密。 5. The method according to claim 4, characterized in that the verification signature data files, comprising: a signature algorithm and the signature based on the results of the data file corresponding to the key file contains the data for the read files verify the signature; the data stream to decrypt the data file, comprising: the encrypted key file to decrypt the encryption key to obtain a decryption key; using the decryption key and the key file The encryption algorithm for data stream to decrypt the data file.
  6. 6. —种网络存储服务器,其特征在于,包括:判断模块、加密模块、签名模块和配置信息存储模块;所述判断模块,用于根据配置信息存储模块中存储的数据文件所属存储区域的配置信息,判断所述数据文件是否需加密和/或是否需签名;所述加密模块,用于当所述判断模块判断出所述数据文件需加密不需签名时,对所述客户端上载的网络数据流进行加密,并将加密的网络数据流写入所述数据文件;以及当所述判断模块判断出所述数据文件需加密和签名时,在对所述客户端上载的网络数据流进行加密并写入所述数据文件后,将所述数据文件传送至所述签名模块;所述签名模块,用于当所述判断模块判断出所述数据文件需签名不需加密时,将所述客户端上载的网络数据流写入所述数据文件,并对所述数据文件进行签名;以及接收加密模块传送的数据文件,对接收的所述数据文件进行签名;所述配置信息存储模块,用于存储各存储区域的配置信息。 6. - kind of network storage server, characterized by comprising: a judgment module, the encryption module, and a signature module configuration information storage module; the determination module for storing module configuration information stored in a data file storage area belongs configuration information, determines whether the data file for an encryption and / or signature is required; the encryption module, for, when said determination means determines that the data file for an encryption without signature, to the client on the carrier network the data stream is encrypted, and the encrypted network data stream is written the data file; and when the determination means determines that the data file for an encryption and signature, the load on the network of the client to encrypt the data stream and after writing the data file, the data file is transferred to the signature module; when the signature module for, when said determination means determines that the required data file does not need to encrypt the signature, the customers on the end of the network upload data stream is written the data file and the data file is signed; and a data transmission module receives the encrypted files, the data files received to be signed; the configuration information storing module, for storing configuration information of each storage area.
  7. 7. 如权利要求6所述的服务器,其特征在于,还包括:配置模块,用于对预先划分的多个存储区域分别配置其存储的数据文件是否需要加密以及加密算法和/或是否需要签名以及签名算法的参数信息,并将配置的所述参数信息存储于所述配置信息存储模块中;所述加密模块,还用于根据所述配置信息存储模块存储的所述数据文件所属存储区域配置的加密算法,生成加密密钥;根据所述加密算法和生成的加密密钥,对读取的网络数据流进行加密,生成加密的网络数据流;所述签名模块,还用于根据所述配置信息存储模块存储的所述数据文件所属存储区域配置的签名算法,对数据文件进行签名。 7. The server according to claim 6, characterized in that, further comprising: a configuration module, for storing a plurality of previously divided areas, respectively, configured for storing data files needs to be encrypted and the encryption algorithms and / or the need for a signature and a signature algorithm parameter information, and the configuration of the parameter information stored in the configuration information storing module; said encryption module is also used to configure the data file according to the configuration information stored in the storage module belongs storage area encryption algorithm, to generate an encryption key; generated based on the encryption algorithm and encryption key, the network data stream read is encrypted, the network generates the encrypted data stream; said signature module is further configured according to the configuration Signature Algorithm said data file storage module stores information belongs storage area configuration data file is signed.
  8. 8. 如权利要求7所述的服务器,其特征在于,还包括:密钥文件生成模块,用于对所述加密密钥进行加密;以及将所述加密算法、加密后的加密密钥和/或所述签名算法、签名结果生成密钥文件,并与所述数据文件一一对应; 密钥文件存储模块,用于存储所述密钥文件。 8. The server according to claim 7, characterized in that, further comprising: a key file generation module for encrypting said encryption key; and the encryption algorithm, the encrypted encryption key and / or the signature algorithm, signature result to generate the key file, and correspond with the data file; key file storing module for storing the key file.
  9. 9. 如权利要求8所述的服务器,其特征在于,还包括:验证模块和解密模块; 所述判断模块,还用于根据客户端请求下载的数据文件对应的密钥文件,判断请求下载的数据文件是否已加密和/或是否已签名;所述验证模块,用于当所述判断模块判断所述数据文件已签名未加密时,对所述数据文件验证签名,并在验证通过后,将所述数据文件的数据流输出到所述客户端;以及当所述判断模块判断数据文件已签名且已加密时,对所述数据文件验证签名,并在验证通过后,将所述数据文件发送至所述解密模块;所述解密模块,用于当所述判断模块判断所述数据文件已加密未签名时,对所述数据文件的数据流进行解密,并将解密的数据流输出到所述客户端;以及接收所述验证模块发送的数据文件,对接收的所述数据文件的数据流进行解密,将解密的数据流输出到所述客户端。 9. The server according to claim 8, characterized in that, further comprising: an authentication module and a decryption module; the determination module is also used in accordance with the client requests to download a data file corresponding to the key file, determines requested for download if the data file is encrypted and / or has a signature; the verification module for, when said determination means determines that the data file is not encrypted when signed, verifies the signature of the data file, and after the verification by the The data file data stream output to said client; and when the determination means determines the data file has been signed and encrypted when the data file to verify the signature, and after verification by sending the data file to the decryption module; the decryption module for, when said determination means determines the unsigned data file is encrypted, the data flow of the data file is decrypted, and the decrypted data stream is output to the client; and receiving the transmitted authentication data file module, the received data stream the data file is decrypted, the decrypted data stream is output to the client.
  10. 10. 如权利要求9所述的服务器,其特征在于,所述验证模块,还用于根据所述密钥文件中包含的签名算法和签名结果,对读取的数据文件验证签名;所述解密模块,还用于对所述密钥文件中的加密后的加密密钥进行解密,得到解密密钥;使用所述解密密钥和所述密钥文件中的加密算法对所述数据文件的数据流进行解密。 10. The server according to claim 9, characterized in that said verification module is also used in accordance with the results of the signature algorithm and signature key contained in the file, the data file is read to verify the signature; the decryption module is also used for the key file of the encrypted encryption key for decryption to obtain a decryption key; using the decryption key and the encryption algorithm key file data of the data file stream for decryption.
Description  translated from Chinese

一种网络数据存储方法及服务器 A network data storage method and server

技术领域 FIELD

[0001] 本发明涉及网络安全领域,尤其涉及一种网络数据存储方法及服务器。 [0001] The present invention relates to the field of network security, particularly to a data storage method and network server.

背景技术 BACKGROUND

[0002] 随着TCP/IP网络技术的发展,文件传输协议(File Transfer Protocol, FTP) 禾口万维网分布式创作禾口片反本控制(Web—based Distributed Authoring andVersioning, WEBDAV)协议得到了越来越广泛的应用,服务器端利用FTP和WEBDAV协议为客户端提供网络存储,形成了支持标准协议的网络存储,使用者可以使用支持FTP或WEBDAV的客户端通过网络进行服务器侧文件读访问(下载网络数据)和写访问(上载网络数据)等操作。 [0002] With the development of TCP / IP network technology, file transfer protocol (File Transfer Protocol, FTP) World Wide Web Distributed Authoring Wo Wo mouth mouth piece Fanben control (Web-based Distributed Authoring andVersioning, WEBDAV) protocol has been increasingly The more widely used, the server using FTP and WEBDAV protocol provides clients with network storage, forming a network storage support standard protocols, users can use FTP or WEBDAV support for server-side client read access files over a network (download network data) and write access (upload network data) and other operations. [0003] 为实现支持FTP和WEBDAV协议的网络存储,往往会在服务器侧安装部署相应的服务器系统(FTP服务器和WEBDAV服务器),现有的FTP服务器和WEBDAV服务器大多是基于服务器端的文件系统提供存储服务,而且文件采用明码存储,这种采用明码存储文件的方法无法保证数据的保密性和完整性。 [0003] To support FTP and WEBDAV protocol network storage, often deployed on the server side install the appropriate server system (FTP server and WEBDAV server), the existing FTP server and WEBDAV servers are mostly based on the server file system provides storage services, and files are stored in plaintext, which uses a method of storing files clearly can not guarantee the confidentiality and integrity of data.

[0004] 为了保证文件的保密性和完整性,现有的解决方案通常是在服务器端使用额外的专门的安全文件系统,安全文件系统将多个需要保密的文件加密后封装在底层文件系统的某个单一文件中,并在系统内部统一维护文件信息(如文件名、文件大小等)以及每个文件的密钥信息。 [0004] In order to ensure the confidentiality and integrity of the document, the existing solutions are usually extra special security file system on the server side, secure file system will need to post more than one secret file encryption package in the underlying file system a single file, and maintain unity within the system file information (such as file name, file size, etc.) as well as key information about each file. 采用安全文件系统作为FTP服务器和WEBDAV服务器的后台存储存在以下几个问题: The existence of the file system using security as an FTP server and WEBDAV server backend store the following questions:

[0005] 1、安全文件系统一般是私有系统,没有统一的接口,开放性不足; [0005] 1, the safety system in general is a private system, there is no unified interface, lack of openness;

[0006] 2、整个安全文件系统的加密算法是固定的统一的,扩展性不足; [0006] 2, the entire file system security encryption algorithm is fixed unified, scalable insufficient;

[0007] 3、由于安全文件系统内的所有文件都集中封装在底层文件系统的单一文件中,在 [0007] 3, due to all the files within the file system security are concentrated encapsulated in a single file in the underlying file system, in

读访问安全文件系统内的某个特定文件时,需要先从底层文件系统的单一文件中将该文件 When reading a particular file access security within the file system, you need to start with a single file in the underlying file system, the file

提取出来;在写访问安全文件系统内的某个特定文件时,需要将该文件写入底层文件系统 Extracted; when writing a particular file within a file system access security, the need for the underlying file system write to the file

的单一文件中,读/写访问效率较低。 Single file, read / write access efficiency is low.

[0008] 4、安全文件系统的加密算法相对固定,且安全文件系统将内部的文件信息和密钥集中管理,存储文件信息或密钥部分的区域(磁盘扇区)发生损坏,会导致整个安全文件系统发生无法访问,系统健壮性不足。 [0008] 4 encryption algorithms secure file system is relatively fixed, and secure file system inside the zone file information and key centralized management, storage, or a key part of the file information (disk sectors) is damaged, it will cause the entire security can not access the file system occurs, a lack of system robustness.

发明内容 SUMMARY

[0009] 本发明提供了一种网络数据存储方法及服务器,用以在保证数据存储的保密性和完整性的前提下,提高网络存储服务器的开放性、扩展性、健壮性和读/写访问效率。 [0009] The present invention provides a method of network data storage and servers, to ensure that the data is stored under the premise of confidentiality and integrity, and improve network storage server openness, scalability, robustness, and read / write access efficiency. [0010] 本发明实施例提供的一种网络数据上载方法,包括: [0010] The method as set on a network data provided by the embodiment of the present invention, comprising:

[0011] 服务器根据数据文件所属存储区域的配置信息,判断所述数据文件是否需加密和/或是否需签名; [0011] server according to the configuration data file storage area belongs, determines whether the data file for an encryption and / or whether such a signature;

[0012] 当判断所述数据文件需加密不需签名时,对所述客户端上载的网络数据流进行加密,并将加密的所述网络数据流写入所述数据文件; [0012] When it is determined that the data file for an encryption without signature, for the client to upload the data stream is encrypted network, the network and the encrypted data written to the data stream file;

4[0013] 当判断所述数据文件需签名不需加密时,将所述客户端上载的网络数据流写入所述数据文件,对所述数据文件进行签名; 4 [0013] When it is judged that the data file encryption without signature required when writing the data files uploaded to the client network data stream to the data file is signed;

[0014] 当判断所述数据文件需要加密和签名时,对所述客户端上载的网络数据流进行加 [0014] When it is determined that the data file needs to be encrypted and the signature of the client on the network carrier data stream applied

密,将加密的网络数据流写入所述数据文件,对所述数据文件进行签名。 Secret, encrypted network data stream is written the data file, the data file is signed on.

[0015] 对预先划分的多个存储区域,分别配置其存储的数据文件是否需要加密以及加密 If [0015] a plurality of storage areas divided in advance, are arranged for storing a data file needs to be encrypted and an encryption

算法和/或是否需要签名以及签名算法的参数信息; Algorithms and / or the need for a signature and the signature algorithm parameter information;

[0016] 所述对客户端上载网络数据流进行加密,包括: [0016] The carrier network data stream to the client is encrypted, including:

[0017] 根据所述数据文件所属存储区域配置的加密算法,生成加密密钥; [0017] According to the data file encryption algorithm belongs to a storage area configured to generate an encryption key;

[0018] 根据所述加密算法和生成的加密密钥,对客户端上载的网络数据流进行加密; [0018] According to the encryption algorithm and the generated encryption key, the network data streams uploaded from the client to encrypt;

[0019] 所述对数据文件进行签名,包括: [0019] The data file is signed, including:

[0020] 根据所述数据文件所属存储区域配置的签名算法,对所述数据文件进行签名。 [0020] According to the data file belongs Signature Algorithm storage area configured for the data file to be signed. [0021] 对所述加密密钥进行加密; [0021] for the encryption key;

[0022] 将所述加密算法、加密后的加密密钥和/或所述签名算法、签名结果生成密钥文件并存储;所述密钥文件与所述数据文件一一对应。 [0022] to the encryption algorithm, the encrypted encryption key and / or the signature algorithm, signature result to generate the key file and stored; said key file and the data file to-one correspondence.

[0023] 所述服务器根据客户端请求下载的数据文件对应的密钥文件,判断所述数据文件是否已加密和/或是否已签名; [0023] According to client requests the server to download the data files corresponding to the key file to determine whether the data file has been encrypted and / or if it is signed;

[0024] 当判断所述数据文件已加密未签名时,对所述数据文件的数据流进行解密,并将解密的所述数据流输出到所述客户端; [0024] When it is determined that the data file is not encrypted signature, the data stream of the data file is decrypted, the decrypted stream data and output to the client;

[0025] 当判断所述数据文件已签名未加密时,对所述数据文件验证签名,并在验证通过后,将所述数据文件的数据流输出到所述客户端; [0025] When it is determined that the data file is not encrypted when signed, verifies the signature of the data file, and after the verification is passed, the data stream of the data file is output to the client;

[0026] 当判断所述数据文件已签名且已加密时,对所述数据文件验证签名,并在验证通 [0026] When it is judged that the data file has been signed and encrypted when the data file for signature verification and validation through

过后,对所述数据文件的数据流进行解密,将解密的数据流输出到所述客户端。 After the data stream of the data file is decrypted, the decrypted data stream is output to the client.

[0027] 所述对数据文件验证签名,包括: [0027] The signature verification data files, including:

[0028] 根据所述数据文件对应的密钥文件中包含的签名算法和签名结果,对读取的数据文件验证签名; [0028] According to the results of the signature algorithm and signature key corresponding to the data file contained in the file, to read the data file to verify the signature;

[0029] 所述对数据文件的数据流进行解密,包括: [0029] The data stream to decrypt the data file, comprising:

[0030] 将所述密钥文件中加密后的加密密钥进行解密,得到解密密钥;使用所述解密密钥和所述密钥文件中的加密算法对所述数据文件的数据流进行解密。 [0030] The encrypted key file after the encryption key for decryption to obtain a decryption key; using the decryption key and the key file and the data file encryption algorithm to decrypt the data stream .

[0031] 本发明实施例提供的一种网络存储服务器,包括:判断模块、加密模块、签名模块和配置信息存储模块; [0031] An embodiment of the present invention to provide a network storage server embodiment, comprising: a judgment module, the encryption module, and a signature module configuration information storage module;

[0032] 所述判断模块,用于根据配置信息存储模块中存储的数据文件所属存储区域的配置信息,判断所述数据文件是否需加密和/或是否需签名; [0032] The judging module, according to the configuration information for the module configuration information is stored in a data file stored in the storage area belongs, determines whether the data file for an encryption and / or whether such a signature;

[0033] 所述加密模块,用于当所述判断模块判断出所述数据文件需加密不需签名时,对 [0033] The encryption module, when said determination means determines that the data file is not required for an encrypted signature, for

所述客户端上载的网络数据流进行加密,并将加密的网络数据流写入所述数据文件;以及 Upload the client encrypts network data stream, and the encrypted network data stream is written the data file; and

当所述判断模块判断出所述数据文件需加密和签名时,在对所述客户端上载的网络数据流 When the determination means determines that the data file for an encryption and signature, the network data to the client on the carrier stream

进行加密并写入所述数据文件后,将所述数据文件传送至所述签名模块; After the data is encrypted and written to a file, the data file is transferred to the signature module;

[0034] 所述签名模块,用于当所述判断模块判断出所述数据文件需签名不需加密时,将 [0034] The signature module, when the determination means determines that the data file is required for the signature without encryption, the

所述客户端上载的网络数据流写入所述数据文件,并对所述数据文件进行签名;以及接收 The client uploaded the network data stream is written data file and the data file is signed; and receiving

加密模块传送的数据文件,对接收的所述数文件进行签名;[0035] 所述配置信息存储模块,用于存储各存储区域的配置信息。 Data transfer file encryption module, the number of files to be received signature; [0035] the configuration information storing module, for storing configuration information of each storage area. [0036] 本发明实施例提供的网络存储服务器,还包括: [0036] The embodiment of the present invention to provide a network storage server, further comprising:

[0037] 配置模块,用于对预先划分的多个存储区域分别配置其存储的数据文件是否需要加密以及加密算法和/或是否需要签名以及签名算法的参数信息,并将配置的所述参数信息存储于所述配置信息存储模块中。 [0037] configuration module for multiple storage areas were divided in advance whether their configuration data stored in the file needs to be encrypted and the encryption algorithm and / or the need for a signature and the signature algorithm parameter information, and the configuration of the parameter information the configuration information stored in the storage module.

[0038] 所述加密模块,还用于根据所述配置信息存储模块存储的所述数据文件所属存储区域配置的加密算法,生成加密密钥;根据所述加密算法和生成的加密密钥,对读取的网络数据流进行加密,生成加密的网络数据流; [0038] The encryption module is further configured for the encryption algorithm according to the data stored in the file information storing module configuration of the storage area belongs, to generate an encryption key; generated based on the encryption algorithm and encryption key on the reading the network data stream is encrypted, the network generates the encrypted data stream;

[0039] 所述签名模块,还用于根据所述配置信息存储模块存储的所述数据文件所属存储 [0039] The signature module is also used to store the data belongs based on the configuration file information stored in the storage module

区域配置的签名算法,对数据文件进行签名。 Signature Algorithm zone configurations, the data file is signed.

[0040] 本发明实施例提供的网络存储服务器,还包括: [0040] The embodiment of the present invention to provide a network storage server, further comprising:

[0041] 密钥文件生成模块,用于对所述加密密钥进行加密;以及将所述加密算法、加密后的加密密钥和/或所述签名算法、签名结果生成密钥文件,并与所述数据文件一一对应; [0042] 密钥文件存储模块,用于存储所述密钥文件。 [0041] The key file generation module for encrypting said encryption key; and the encryption algorithm, the encrypted encryption key and / or the signature algorithm, signature result to generate the key file, and with correspond to the data file; [0042] key file storage module, for storing the key file.

[0043] 本发明实施例提供的网络存储服务器,还包括:验证模块和解密模块; Embodiment [0043] embodiment of the present invention to provide a network storage server, further comprising: an authentication module and a decryption module;

[0044] 所述判断模块,还用于根据客户端请求下载的数据文件对应的密钥文件,判断请 [0044] The judgment module is also used in accordance with the client's request to download data files corresponding to the key file, please judge

求下载的数据文件是否已加密和/或是否已签名; Whether seeking to download the data file is encrypted and / or has a signature;

[0045] 所述验证模块,用于当所述判断模块判断所述数据文件已签名未加密时,对所述数据文件验证签名,并在验证通过后,将所述数据文件的数据流输出到所述客户端;以及当所述判断模块判断数据文件已签名且已加密时,对所述数据文件验证签名,并在验证通过后,将所述数据文件发送至所述解密模块; [0045] The authentication module for, when said determination means determines that the data file is not encrypted when signed, verifies the signature of the data file, and authentication passed, the data of the data file to the output stream the client; and when said determination module determines when the data file has been signed and encrypted, verifies the signature of the data file, and, after authentication by sending the data file to the decryption module;

[0046] 所述解密模块,用于当所述判断模块判断所述数据文件已加密未签名时,对所述数据文件的数据流进行解密,并将解密的数据流输出到所述客户端;以及接收所述验证模块发送的数据文件,对接收的所述数据文件的数据流进行解密,将解密的数据流输出到所述客户端。 [0046] the decryption module for, when said determination means determines the unsigned data file is encrypted, the data flow of the data file is decrypted, and the decrypted data stream is output to the client; and receiving the authentication data sent by the module file, the data file for the received data stream to decrypt the decrypted data stream is output to the client.

[0047] 本发明实施例提供的网络存储服务器中的验证模块,还用于根据所述密钥文件中包含的签名算法和签名结果,对读取的数据文件验证签名; [0047] The examples provided by the network storage server validation module of the invention is also used in accordance with the result of the signature algorithm and signature key contained in the file, to read the data file to verify the signature;

[0048] 本发明实施例提供的网络存储服务器中的解密模块,还用于对所述密钥文件中的加密后的加密密钥进行解密,得到解密密钥;使用所述解密密钥和所述密钥文件中的加密算法对所述数据文件的数据流进行解密。 [0048] embodiment of the present invention to provide a network storage server embodiment of the decryption module is also used for the key file of the encrypted encryption key for decryption to obtain a decryption key; and the use of the decryption key said key file to the data stream encryption algorithm to decrypt the data file. [0049] 本发明有益效果如下: [0049] The present invention beneficial effects as follows:

[0050] 本发明实施例提供的一种网络数据存储方法及服务器,服务器接收客户端发起的数据上载请求,创建数据文件,根据数据文件所属存储区域的配置信息,对客户端上载的网络数据流进行加密,将加密后的网络数据流写入数据文件;或将上载的网络数据流写入数据文件后,对数据文件进行签名,或对客户端上载的网络数据流进行加密后,将加密后的网络数据流写入数据文件,并对数据文件进行签名。 Implementation [0050] The invention provides a network embodiment provides a data storage method and a server, the server receives the client initiates a data upload request, create a data file, according to the configuration data file belongs to the storage area network data on the client load flow encrypts, the network data stream encrypted data file is written; or uploaded after the network data stream after the data file is written, the data file is signed, or uploaded to the client network data traffic to be encrypted, the encrypted network data stream to write data files, and data files to be signed. 本发明实施例提供的网络存储方法及服务器,由于可以将数据文件分散存储于预先划分的多个存储区域中,避免了现有技术中的安全文件系统中所有加密的文件都存储于单一文件所带来的读/写访问的效率不高的问题;再者,由于不同存储区域的配置的加密和/或签名的参数信息可以不同,不仅提高了系 Embodiment of the present invention is a method and network storage server provided by the embodiment, since the data files are stored in a plurality of dispersed storage regions divided in advance, to avoid the prior art secure file system all encrypted files are stored in a single file bring the read / write efficiency is not high access; Furthermore, due to the configuration of the different storage areas encryption and / or signatures may be different parameter information, not only improves the system

6统的扩展性,还保证了网络存储数据的完整性和保密性。 6 system scalability, but also to ensure the integrity and confidentiality of stored data network.

[0051] 进一步地,本发明实施例提供的网络存储方法中,还将加密算法、加密后的加密密钥和/或签名算法、签名结果生成密钥文件,并与数据文件一一对应,某个数据文件的密钥文件被破解或损坏,不会对其他数据文件的安全造成影响,避免了现有网络存储服务器采用的安全文件系统将所有加密文件的密钥集中管理带来的弊端,进一步地提高了系统的健壮性。 [0051] Further, the present invention method provided by the network storage, and also the encryption algorithm, the encrypted encryption key and / or signature algorithm, the signature result to generate the key file, and the correspondence with the data file, a The key file data file is cracked or damaged, will not affect the safety of other data files, avoiding the use of the existing network storage server file system security keys encrypted files centrally manage all the evils, further improve the robustness of the system. 由于密钥文件的存在,使得数据文件的解密不依赖于所属存储区域的配置参数,因此随时可以根据需要修改存储区域的配置参数,进一步提高了系统的扩展性,还进一步保证了网络存储数据的完整性和保密性。 Because of the key file, so that decryption of the data file is not dependent on the configuration parameter belongs storage area, and therefore at any time as needed to modify the configuration parameter storage area, and further improve the system scalability, further ensuring the network stored data integrity and confidentiality.

[0052] 发明实施例提供的网络数据存储方法,通过采用现有网络服务器操作系统自身的文件系统即可实现,由于操作系统的文件系统对上层系统而言具有统一的接口,保证了网络存储服务器的开放性。 Network data storage method provided in the embodiment [0052] invention, by using existing network server operating system's file system can be realized, because the operating system's file system for the purposes of the upper system having a unified interface to ensure that the network storage server openness.

附图说明 Brief Description

[0053] 图1为本发明实施例提供的网络数据存储方法中数据上载流程图; [0054] 图2为本发明实施例提供的生成密钥文件的流程图; [0055] 图3为本发明实施例提供的网络数据存储方法中数据下载流程图; [0056] 图4为本发明实施例提供的网络存储服务器的结构示意图。 [0053] Figure 1 is a flowchart of the invention is contained in the data network data storage method provided in the embodiment; [0054] FIG. 2 is a schematic flow chart of generating a key file provided by the embodiment; [0055] Figure 3 of the present invention Network data storage method of downloading data flow diagram according to an embodiment; [0056] FIG. 4 is a block diagram representation of the invention to provide a network storage server implementation.

具体实施方式 DETAILED DESCRIPTION

[0057] 下面结合附图,以具体的实施例对本发明提供的一种网络数据存储方法及服务器进行详细的说明。 [0057] below with reference to the accompanying drawings, a data storage method and a network server to a specific embodiment of the present invention is provided in detail below.

[0058] 本发明实施例提供的网络数据存储方法,针对服务器侧进行了改进。 Network data storage method provided in the embodiment [0058] The present invention, for the server side has been improved. 本发明实施例提供的网络数据存储方法可以应用于常见的网络存储服务器如FTP或WEBDAV服务器等, 利用FTP或WEBDAV服务器现有操作系统提供的文件系统就可以实现,而不需要额外采用专门的安全文件系统作为网络数据的后台存储系统。 Network data storage method embodiment of the invention can be applied to provide a common network storage server, such as FTP servers, or WEBDAV, WEBDAV server using FTP or existing operating system file system can be achieved without the need for additional use of specialized security file system as a background network data storage system. 这样,由于操作系统的文件系统对外的接口是统一的接口(例如标准的FTP或WEBDAV接口),保证了网络存储服务器的开放性。 Thus, due to the external interface of the operating system file system is a unified interface (such as standard FTP or WEBDAV interface), to ensure the openness of the network storage server. 从读写访问的角度来说,直接访问服务器操作系统自身文件系统的效率,也优于通过服务 From the perspective of read and write access, the efficiency of direct access to the server file system of the operating system itself, but also better than by service

器操作系统访问另外的安全文件系统的效率。 Operating system access efficiency additional security file system.

[0059] 本发明实施例提供的网络数据存储方法,可以预先将服务器本地的存储空间中划分多个存储区域,每个存储区域例如可以对应文件系统的一个目录,如"Serverl/areal"、 "Serverl/area2"等等。 [0059] network data storage method according to an embodiment of the present invention, may be previously divided into a plurality of storage area server the local memory space, for example, each storage region corresponds to a directory of the file system, such as "Serverl / areal", " Serverl / area2 "and so on. 还可以实现对存储区域增加、删除和修改等操作。 May also be implemented to increase the storage area, delete, and modify operations. [0060] 并且,对于每个存储区域,需要预先对其中存储的数据文件是否需要加密以及加密算法和/或是否需要签名以及签名算法的参数信息分别进行配置,各个存储区域的配置信息是相互独立的,可以对不同的区域配置不同的加密算法和不同的签名算法,可以设置某一区域的数据文件仅加密不签名,而另外一个区域的数据文件不仅需要加密还需要进行签名,等等。 [0060] and, for each storage area, the need for which is stored in advance whether the data file needs to be encrypted and the encryption algorithms and / or the need for a signature and a signature algorithm parameter information separate configurations, the configuration information of each storage area is independent can be configured for different regions and different encryption algorithms different signature algorithm, you can set the data files of a given region is not only encrypted signature, while the other data files in a region not only need to encrypt also need to be signed, and so on. 在此不再枚举。 In this no longer enumeration. 在具体使用过程中,还可以根据需要,对存储区域的配置信息进行修改。 In the specific use, but also according to the needs of the configuration information storage area to be modified.

[0061] 下面结合客户端发起的网络数据上载流程,说明本发明实施例提供的网络数据存储方法。 [0061] The following combination of load on the network data flow initiated by the client, the network data storage method according to an embodiment of the present invention.

7[0062] 本发明实施例提供的网络数据存储方法,如图1所示,包括以下步骤: [0063] 步骤S101、服务器接收客户端发起的数据上载请求。 7 [0062] network data storage method provided by the present invention, shown in Figure 1, comprising the steps of: [0063] step S101, the load on the server receives a request initiated by the client data.

[0064] 对于客户端来说,可以根据需要,请求将上载的数据流以文件的形式存储于服务器侧的任何一个存储区域中。 Any storage area [0064] for the client, as needed, will be available on request in the form of a data stream files stored on the server side of the.

[0065] 步骤S102、服务器根据该数据上载请求中携带有数据文件的存储区域信息,在存储区域中创建数据文件。 [0065] Step S102, the server carries the information data file storage area of the carrier according to the data request, create a data file in the storage area.

[0066] 客户端发送的数据上载请求中可以通过携带存储区域的统一资源定位标识(Uniform Resource Locator, URL)来指示具体是哪个存储区域,例如"ftp:〃Server1/ areal ,,、 "http: //Server 1/area2 ,,等。 [0066] on the data contained in the request sent by the client can identify by carrying the uniform resource locator (Uniform Resource Locator, URL) storage area to indicate which specific storage area, such as "ftp: 〃Server1 / areal ,,," http: // Server 1 / area2 ,, and so on.

[0067] 步骤S103、根据数据文件所属存储区域的配置信息,判断数据文件是否需要加密; 若判断结果为否,执行步骤S104,若是,执行步骤S105 ; [0067] step S103, the data file is based on the configuration information storage area belongs, determines whether the data file needs to be encrypted; if the judging result is NO, step S104, and if so, executing step S105;

[0068] 步骤S104、将上载的网络数据流直接写入创建好的数据文件中,然后执行步骤S108。 [0068] Step S104, will be available on the network data stream to create a good data is written directly to the file, and then perform step S108.

[0069] 步骤S105、根据该数据文件所属存储区域配置的加密算法生成加密密钥。 [0069] step S105, the encryption key is generated based on the encryption algorithm to the data storage area configuration file belongs.

[0070] 本步骤S105中的加密密钥是随机实时生成的,在每次上载数据流的过程中生成 [0070] The step S105, the real-time encryption key is generated randomly, each generated in the process of uploading the data stream

的加密密钥都不相同。 The encryption key is not the same.

[0071] 步骤S106、根据该数据文件所属存储区域配置的加密算法和步骤S105生成的加密密钥,对上载的网络数据流进行加密。 [0071] Step S106, the encryption algorithm and the step of the data storage area configuration file belongs S105 generated encryption key for the network to upload data stream is encrypted.

[0072] 步骤S107、将加密的网络数据流写入创建好的数据文件中。 [0072] Step S107, the encrypted network data stream is written the created data file.

[0073] 步骤S108、根据数据文件所属存储区域的配置信息,判断数据文件是否需要签名; 若判断结果为是,执行步骤S109,若否,跳转至步骤S110。 [0073] step S108, the data file is based on the configuration information storage area belongs, determines whether the data file needs to be signed; if the judging result is YES, a step S109, and if not, go to step S110.

[0074] 步骤S109、根据该数据文件所属存储区域配置的签名算法,对该数据文件进行签 [0074] step S109, the signature algorithm based on the data storage area belongs to the configuration file, the data file is checked

名。 Name. 签名完成后,执行下述步骤SllO。 After the signature is complete, perform the following steps SllO.

[0075] 步骤S110、向客户端返回上载成功的确认消息。 [0075] Step S110, returned to the client the upload was successful confirmation message.

[0076] 本发明实施例中,还可以在上述流程的基础上,增加生成密钥文件的流程,生成密钥文件的流程可以独立与图1所示的流程之外,也可以包含在图1所示的流程之中,与上述步骤S101至步骤S110合为一个整体的流程。 [0076] embodiment of the invention, it is also possible on the basis of the above-described process, the flow increases to generate the key file, the key file is generated outside the process can be independently associated with the flow shown in FIG. 1, can also be included in Figure 1 the flow shown among the above-described steps S101 to step S110 into one whole process. 为了说明地清楚,使用用图2的流程图进行示意。 In order to clearly illustrate, by using a schematic flow diagram of Figure 2.

[0077] 如图2所示,本发明实施例中生成密钥文件的流程,包括以下步骤: [0078] 步骤S201、根据数据文件所属存储区域的配置信息,判断数据文件是否需要加密和是否需要签名,当任一判断结果为是时,执行步骤S202 ;若否,即判断该数据文件既不需要加密也并不需要签名时,直接跳转至步骤S208结束当前流程。 [0077] shown in Figure 2, for example, the key file generated in the process of the present embodiment of the invention, comprising the steps of: [0078] step S201, the data file is based on the configuration information storage area belongs, determines whether the data file needs to be encrypted and the need signature, when either the judgment result is YES, the step S202; if not, that judgment does not require encryption of the data file does not need to be signed, jump directly to step S208 to end the current process.

[0079] 本步骤S201可以在图1所示的步骤S104或步骤S107之后,步骤S108之前执行。 Step can be shown in Fig. 1 [0079] The step S201 S104 or step S107, before executing step S108.

[0080] 步骤S202、按照设定的数据文件和密钥文件的对应规则,创建密钥文件。 [0080] Step S202, in accordance with the rules set by the corresponding data files and key files, create a key file.

[0081] 本发明实施例并不限定密钥文件采用何种具体类型,例如文本文件类型或关系数 [0081] Text file type or several relations such as the embodiment of the present invention is not limited to what specific type of use of the key file,

据库记录等。 According to library records.

[0082] 步骤S203、根据数据文件所属存储区域的配置信息,判断数据文件是否需要签名, [0082] Step S203, based on the configuration information storage area of the data file belongs, to judge whether a signature data file,

若是,执行下述步骤S204、若否,跳转至步骤S206。 If so, perform the following steps S204, if not, skip to step S206.

[0083] 本步骤S203可以与图1中的步骤S108为同一个步骤。 [0083] The step S203 may be a step for the same step S108 in FIG.

8[0084] 步骤S204、将签名算法、签名结果写入密钥文件。 8 [0084] Step S204, the signature algorithm, the signature result is written in the key file. [0085] 本步骤S204可以在图1所示的步骤S109之后执行。 [0085] The step S204 may be performed after the step shown in FIG. 1 S109.

[0086] 步骤S205、根据数据文件所属存储区域的配置信息,判断数据文件是否需要加密, 若是,执行步骤S206 、若否,直接执行步骤S208 。 [0086] Step S205, the data file is based on the configuration information storage area belongs, determines whether the data file needs to be encrypted, and if so, step S206, and if not, go to Step S208. [0087] 步骤S206、使用公钥对加密密钥进行加密。 [0087] Step S206, using the public key encryption key.

[0088] 服务器可以预先配置公私密钥对,在此步骤中使用配置的公钥对加密密钥进行加密。 [0088] server can be preconfigured public and private key pairs using the configuration of the public in this step of the encryption key.

[0089] 步骤S207、将加密算法、加密后的加密密钥写入密钥文件。 [0089] Step S207, the encryption algorithm, the encryption key writing the encrypted key file. [0090] 步骤S208、结束流程。 [0090] step S208, the process flow is finished.

[0091] 本流程结束后,可以执行图1所示的最后一个步骤SllO。 After [0091] The present process ends, the last step may be performed as shown in FIG SllO.

[0092] 本发明实施例中,在创建密钥文件时,可以采用预先设定的对应规则,将创建的密钥文件与数据文件之间一一对应,并且可以存储在同一个存储区域中。 [0092] In embodiments of the invention, when you create a key file, you can use the corresponding pre-set rules, correspondence between the key file and the data file will be created and can be stored in the same storage area. 举例来说,密钥文件和数据文件的对应规则可以如下: For example, the corresponding rule key files and data files can be as follows:

[0093] 密钥文件的文件名可以采用数据文件的文件名加上特有的后缀组成。 Filename [0093] key file can use the data file name plus a unique suffix. 如下表所示: Following table:

[0094] 表1 [0095] [0094] Table 1 [0095]

文件名称 大小 类型 File Name Size Type

5-421. txt 3KB 文本文档 5-421. Txt 3KB text document

5-421. txt. cipher 1KB CIPHER文件 5-421. Txt. Cipher 1KB CIPHER file

5-422. TIF 129KB TIF图像 5-422. TIF 129KB TIF image

5-422. TIF. cipher 1KB CIPHER文件 5-422. TIF. Cipher 1KB CIPHER file

[0096] 上表1中,文件名为5_421. txt和5_422. TIF是数据文件,5_421. txt. cipher和5_422. TIF. cipher分别是上述两个数据文件对应的密钥文件。 [0096] Table 1, the file is named 5_421. Txt and 5_422. TIF is a data file, 5_421. Txt. Cipher and 5_422. TIF. Cipher are the two data files corresponding key file.

[0097] 显而易见,本发明实施例中,密钥文件和数据文件的对应规则并不局限于上述对应方式。 [0097] Obviously, the present embodiment of the invention, the correspondence rule key files and data files are not limited to the above-described manner corresponding.

[0098] 在本发明实施例服务器侧的文件系统中,上述密钥文件的文件属性可以设置为隐藏,普通用户通过网络在服务器侧查找文件时,服务器侧不会显示相应的密钥文件。 [0098] In the embodiment of the invention the file system on the server side, the file attribute of the key file may be set to hide, when the general user to find a file on the server side through the network, the server side does not display the appropriate key file. [0099] 有权限的用户对服务器侧的数据文件进行修改或删除时,需要同时修改或删除其对应的密钥文件。 When the [0099] privileged user to the server-side data file is modified or deleted, you need to modify or delete the corresponding key file.

[0100] 与本发明实施例提供的网络存储方法中的网络数据上载流程相对应,当客户端发起网络数据下载请求时,本发明实施例提供的网络数据存储方法,在服务器侧处理流程,如图3所示,包括以下步骤: [0100] on the network storage method embodiment of the invention provides the network data load process corresponds, when the client initiates network data download request, the network data storage method provided by the present invention, in the server-side processing, e.g. Figure 3, comprising the steps of:

[0101] 步骤S301、服务器接收客户端发起的网络数据下载请求。 [0101] step S301, the network data server receives a request initiated by the client download.

[0102] 步骤S302、根据该请求中携带的该数据文件的URL和文件标识信息,在对应的存储领域中读取该数据文件。 [0102] Step S302, according to the request carried in the data file URL and the file identification information, read the data file in the corresponding memory areas.

[0103] 步骤S303、根据该数据文件对应的密钥文件,判断该数据文件是否已签名,若是, 执行步骤S304 ;若否,执行步骤S308。 [0103] Step S303, based on the data file corresponding to the key file, determines whether the data file has a signature, and if so, executing step S304; if not, to step S308.

[0104] 本步骤S303中,可以通过数据文件和密钥文件之间的对应规则,找到该数据文件对应的密钥文件,根据密钥文件中包含的具体内容来判断该数据文件是否签名(如果该密钥文件中仅包含了加密算法和加密后的加密密钥,那么可以判断该数据文件已加密未签名,如果该密钥文件中仅包含了签名算法和签名结果,那么可以判断该数据文件已签名未加密,如果该密钥文件中同时包含上述两类信息,那么可以判断该数据文件已加密并且已签名)。 [0104] In this step S303, by correspondence rules between data and key files, locate the data file corresponding to the key file, depending on the content key file contains the data file to determine whether the signature (if The key file contains only the encryption algorithm and the encrypted encryption key, you can determine if the data file is encrypted unsigned, if the key file that contains only the signature algorithm and signature result, you can determine the data file Signed unencrypted, if the key file contains both types of information, you can determine whether the data file has been encrypted and signed).

[0105] 步骤S304、根据该密钥文件中包含的签名算法和签名结果,对读取的数据文件验证签名。 [0105] Step S304, based on the results of the signature algorithm and signature key contained in the file, read the data file to verify the signature.

[0106] 步骤S305、判断验证是否通过;验证失败时,执行步骤S306。 [0106] step S305, the judge verify through; when the validation fails, the step S306. 验证通过时,执行步骤S307。 When validated, step S307.

[0107] 步骤S306、向客户端返回出现错误的确认消息。 [0107] Step S306, an error is returned to the client confirmation message.

[0108] 步骤S307、根据该数据文件对应的密钥文件,判断该数据文件是否已加密,若是, 执行步骤S308,若否,跳转至步骤S310。 [0108] step S307, according to the data file corresponding to the key file to determine whether the data file is encrypted, and if so, step S308, and if not, skip to step S310.

[0109] 步骤S308、使用配置的私钥,对该密钥文件中的加密后的加密密钥进行解密,得到解密密钥。 [0109] Step S308, using the configuration of the private key, the encrypted key file to decrypt the encryption key to obtain the decryption key.

[0110] 步骤S309、使用步骤S308得到的解密密钥和该密钥文件中的加密算法,对数据文 [0110] Step S309, in step S308 using the obtained decryption key and the key file and the encryption algorithm, the data packet

件的数据流进行解密,得到解密后的网络数据流。 Decrypting a data stream, obtain network traffic decrypted.

[0111] 步骤S310、将数据文件的数据流传输至客户端。 [0111] Step S310, the data of the streaming data files to the client.

[0112] 步骤S311 、返回下载成功的确认消息。 [0112] Step S311, returns a successful download confirmation message.

[0113] 根据本发明实施例提供的网络数据存储方法,本发明实施例还提供了一种网络存储服务器,如图4所示,包括:判断模块401、加密模块402、签名模块403和配置信息存储模 [0113] The network data storage method provided in the embodiment of the present invention, embodiments of the present invention further provides a network storage server, shown in Figure 4, comprising: a determining module 401, encryption module 402, the signature module 403 and configuration information memory modules

块404 ;其中: Block 404; where:

[0114] 判断模块401,用于根据配置信息存储模块404中存储的该数据文件所属存储区域的配置信息,判断该数据文件是否需加密和/或是否需签名; [0114] judgment module 401, according to the configuration information for the configuration information stored in the storage module 404 belongs to the data file storage area, to determine whether the need to encrypt the data file, and / or whether the signature is required;

[0115] 加密模块402,用于当判断模块401判断出数据文件需加密不需签名时,对客户端上载的网络数据流进行加密,并将加密的网络数据流写入该数据文件;以及当判断模块401判断出该数据文件需加密和签名时,在对读取的网络数据流进行加密并写入该数据文件后,将该数据文件传送至签名模块403 ; [0115] encryption module 402 is used when determining module 401 determines that the data file encryption without the need for signing, uploaded to the client to encrypt network data stream and writes encrypted network data stream of the data file; and when determining module 401 determines that the data file encryption and signature required, after the network data stream is encrypted read and write to the data file, the data file is transferred to the signature module 403;

[0116] 签名模块403,用于当判断模块401判断出该数据文件需签名不需加密时,将客户端上载的网络数据流写入该数据文件,并对该数据文件进行签名;以及接收加密模块402 传送的数据文件,对接收的数据文件进行签名; [0117] 配置信息存储模块404,用于存储各存储区域的配置信息。 [0116] signature module 403, when the determination module 401 determines that the signature of the data file without the need for encryption, will be located on a network client upload data stream the data file and the data file is signed; and receiving encrypted 402 block transfer data files, data files received for signing; [0117] configuration information storage module 404 stores configuration information for each storage area.

[0118] 本发明实施例提供的网络存储服务器,如图4所示,还可以包括:配置模块405,用于对预先划分的多个存储区域分别配置其存储的数据文件是否需要加密以及加密算法和/ 或是否需要签名以及签名算法的参数信息,并将配置的参数信息存储于配置信息存储模块404中。 [0118] embodiment of the present invention to provide a network storage server embodiment, shown in Figure 4, may further include: a configuration module 405, for storing a plurality of previously divided areas are disposed for storing the data file needs to be encrypted and the encryption algorithm is and / or the need for a signature and the signature algorithm parameter information and configuration parameter information stored in the configuration information storage module 404. [0119] 加密模块402,还用于根据配置信息存储模块404中存储的该数据文件所属存储区域配置的加密算法,生成加密密钥;根据该加密算法和生成的加密密钥,对读取的网络数据流进行加密,生成加密的网络数据流; [0119] encryption module 402, also in accordance with the encryption algorithm for the data storage area configuration information file belongs to 404 stored in the storage module configured to generate an encryption key; based on the encryption algorithm and encryption key generated on the read network data stream encryption, encrypted network traffic generated;

[0120] 签名模块403,还用于根据配置信息存储模块404存储的该数据文件所属存储区域配置的签名算法,对数据文件进行签名。 [0120] signature module 403, also for the signature algorithm based on the data file storage module 404 stores configuration information storage area belongs configuration data file is signed.

[0121] 本发明实施例提供的网络存储服务器,如图4所示,还可以包括:密钥文件生成模块406和密钥文件存储模块407 ; Embodiment [0121] The present invention provides a network storage server embodiment, shown in Figure 4, may further include: a key generation module 406 and the file key file storing module 407;

[0122] 密钥文件生成模块406,用于使用公钥对加密密钥进行加密;以及将加密算法、加密后的加密密钥和/或所述签名算法、签名结果生成密钥文件,并与该数据文件一一对应; [0123] 密钥文件存储模块407,用于存储密钥文件。 [0122] key file generation module 406 for using a public key encryption key; and the encryption algorithm, the encrypted encryption key and / or the signature algorithm, signature result to generate the key file, and with This data file correspondence; [0123] key file storage module 407 for storing the key file.

[0124] 根据本发明实施例提供的一种网络数据存储方法中的网络数据下载流程,本发明实施例提供的网络存储服务器,如图4所示,还可以包括下面两个模块:验证模块408和解密模块409 ; [0124] According to one embodiment the network data storage method provided in the network data download process embodiment of the invention, the present invention provides a network storage server embodiment, shown in Figure 4, may also include the following two modules: an authentication module 408 and decryption module 409;

[0125] 判断模块401,还用于根据客户端请求下载的数据文件对应的密钥文件,判断请求下载的数据文件是否已加密和/或是否已签名; [0125] judgment module 401, also according to client requests for the downloaded data files corresponding to the key file to determine whether the request to download the data file is encrypted, and / or if it is signed;

[0126] 验证模块408,用于当判断模块401判断该数据文件已签名未加密时,对该数据文件验证签名,并在验证通过后,将该数据文件的数据流输出到客户端;以及当判断模块401 判断该数据文件已签名且已加密时,对该数据文件验证签名,并在验证通过后,将该数据文件发送至解密模块409 ; [0126] Authentication module 408 is used when the determination module 401 determines whether the encrypted data file is not signed, the signature verification of the data file, and after the verification is passed, the data stream output the data file to the client; and when determining module 401 determines whether the data file has been signed and encrypted when the data file to verify the signature, and after verification by, the data file is sent to the decryption module 409;

[0127] 解密模块409,用于当判断模块401判断该数据文件已加密未签名时,对该数据文 When the [0127] decryption module 409 is used when determining module 401 determines that the data file is encrypted unsigned, the data files

件的数据流进行解密,并将解密的数据流输出到客户端;以及接收验证模块408发送的数 Decrypting a data stream, and the decrypted data stream output to the client; authentication module 408 and the number of receiving transmitted

据文件,对接收的数据文件的数据流进行解密,将解密的数据流输出到客户端。 According to the document, the received data stream to decrypt the data file, the decrypted data stream output to the client.

[0128] 本发明实施例提供的网络存储服务器中的验证模块408,还用于根据该数据文件 [0128] Network Storage Server embodiment of the present invention is provided in the authentication module 408, based on the data file is also used for

对应的密钥文件中包含的签名算法和签名结果,对读取的数据文件验证签名。 Signature algorithm and signature key corresponding to the results contained in the file, the data file is read to verify the signature.

[0129] 解密模块409,还用于使用私钥和密钥文件中包含的加密算法,对密钥文件中的加 [0129] decryption module 409, also for the private use of the encryption algorithm and key files contained on the plus key file

密后的加密密钥进行解密,得到解密密钥;使用解密密钥对该数据文件的数据流进行解密。 After the secret encryption key for decryption to obtain the decryption key; data stream using the decryption key to decrypt the data files.

[0130] 本发明实施例提供的一种网络数据存储方法及服务器,服务器接收客户端发起的 [0130] The present invention is a method of network data storage and server example provided, the server receives a client-initiated

数据上载请求,创建数据文件,根据数据文件所属存储区域的配置信息,对客户端上载的网 Data upload request, create a data file, data file belongs based on the configuration information storage area, to the client's network upload

络数据流进行加密,将加密后的网络数据流写入数据文件;或将上载的网络数据流写入数 Network data stream encryption, the network data stream encrypted data file is written; or write the number of network data streams will be available on the

据文件后,对数据文件进行签名,或对客户端上载的网络数据流进行加密后,将加密后的网 According to the file later, the data file is signed, or uploaded to the client to encrypt network data flow, the net encrypted

络数据流写入数据文件,并对数据文件进行加密。 Network data stream to write data files, and data files are encrypted. 当客户端请求进行网络数据下载时,相应 When a client requests a network data download, the corresponding

地,根据数据文件所属存储区域的配置信息,对数据文件进行验证和/或解密的操作,将验 , According to the configuration information storage area of the data file belongs, to validate data files and / or decryption operation, the test

证通过和/或解密后的文件数据流传送给客户端。 Card through the file data and / or the decrypted stream to the client.

[0131] 本发明实施例提供的网络存储方法及服务器,由于可以将数据文件分散存储于预先划分的多个存储区域中,避免了现有技术中的安全文件系统中所有加密的文件都存储于同一个文件所带来的读/写访问的效率不高的问题;再者,由于不同存储区域的配置的加密和/或签名的参数信息可以不同,不仅提高了系统的扩展性,还进一步保证了网络存储数据的完整性和保密性。 [0131] embodiment of the present invention is a method and network storage server provided by the embodiment, since the data files are stored in a plurality of dispersed storage regions divided in advance, to avoid the prior art all encrypted secure file system files are stored in the arising from the same file read / write efficiency is not high access; Furthermore, due to the configuration of the different storage areas encryption and / or signatures may be different parameter information, not only improves the scalability of the system, but also to further ensure network integrity and confidentiality of stored data.

[0132] 进一步地,本发明实施例提供的网络存储方法中,还将加密算法、加密后的加密密钥和/或签名算法、签名结果生成密钥文件并与数据文件一一对应,某个数据文件的密钥文件被破解或损坏,不会对其他数据文件的安全造成影响,避免了现有网络存储服务器采用的安全文件系统将所有加密文件的密钥集中管理带来的弊端,进一步地提高了系统的健壮性。 [0132] Further, the present invention method provided by the network storage, and also the encryption algorithm, the encrypted encryption key and / or signature algorithm, the signature result to generate the key file and the data file correspondence, a key file data files to be cracked or damaged, will not affect the safety of other data files, avoiding the use of the existing network storage server file system security keys encrypted files centrally manage all the evils, further improve the robustness of the system. 由于密钥文件的存在,使得数据文件的解密不依赖于所属存储区域的配置参数,因此随时可以根据需要修改存储区域的配置参数,进一步提高了系统的扩展性,还进一步保证了网络存储数据的完整性和保密性。 Because of the key file, so that decryption of the data file is not dependent on the configuration parameter belongs storage area, and therefore at any time as needed to modify the configuration parameter storage area, and further improve the system scalability, further ensuring the network stored data integrity and confidentiality.

[0133] 另外,发明实施例提供的网络数据存储方法,可以直接采用现有网络服务器操作系统自身的文件系统进行数据的上载和下载的操作,由于操作系统的文件系统对上层系统而言具有统一的接口(例如标准的FTP或WEBDAV接口),保证了网络存储服务器的开放性。 Uploading and downloading operations [0133] In addition, the network data storage method according to an embodiment the invention, can be directly used existing network server operating system's own file system data, since the operating system's file system on top in terms of a unified system interface (such as standard FTP or WEBDAV interface), to ensure the openness of the network storage server. 从读写访问的角度来说,直接访问服务器操作系统自身文件系统的效率,也优于通过服务 From the perspective of read and write access, the efficiency of direct access to the server file system of the operating system itself, but also better than by service

器操作系统访问另外的安全文件系统的效率。 Operating system access efficiency additional security file system.

[0134] 显然,本领域的技术人员可以对本发明进行各种改动和变型而不脱离本发明的精神和范围。 [0134] Obviously, those skilled in the art may make various modifications of the present invention and modifications without departing from the spirit and scope of the invention. 这样,倘若本发明的这些修改和变型属于本发明权利要求及其等同技术的范围之内,则本发明也意图包含这些改动和变型在内。 Thus, if such modifications and variations of the present invention and the claims of the invention belongs to the technical scope of equivalents, the present invention is also intended to include these changes and modifications included.

Referenced by
Citing PatentFiling datePublication dateApplicantTitle
CN103078866A *Jan 14, 2013May 1, 2013成都西可科技有限公司Transparent encryption method for mobile platform
CN103078866B *Jan 14, 2013Nov 4, 2015成都西可科技有限公司移动平台透明加密方法
CN103973715A *May 29, 2014Aug 6, 2014广东轩辕网络科技股份有限公司Cloud computing security system and method
CN103973715B *May 29, 2014Mar 22, 2017广东轩辕网络科技股份有限公司一种云计算安全系统和方法
CN104751072A *Mar 17, 2015Jul 1, 2015山东维固信息科技股份有限公司Secrete-related control system providing completely transparent user experience based on real-time encryption and decryption technology
CN105100087A *Jul 8, 2015Nov 25, 2015上海迈外迪网络科技有限公司Management method, management server and system for SQL (Structured Query Language) database
Classifications
International ClassificationH04L12/933, H04L9/32, H04L29/06
Legal Events
DateCodeEventDescription
Jun 23, 2010C06Publication
Aug 18, 2010C10Request of examination as to substance
Jun 6, 2012C14Granted