CN101753539B - Network data storage method and server - Google Patents

Network data storage method and server Download PDF

Info

Publication number
CN101753539B
CN101753539B CN2008102279004A CN200810227900A CN101753539B CN 101753539 B CN101753539 B CN 101753539B CN 2008102279004 A CN2008102279004 A CN 2008102279004A CN 200810227900 A CN200810227900 A CN 200810227900A CN 101753539 B CN101753539 B CN 101753539B
Authority
CN
China
Prior art keywords
data file
file
data
key
encrypted
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Expired - Fee Related
Application number
CN2008102279004A
Other languages
Chinese (zh)
Other versions
CN101753539A (en
Inventor
王绪胜
王凡
杨汉强
马淑桂
刘伟晏
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Archives Science & Tech Inst
BEIJING FOUNDER E-GOVERNMENT INFORMATION TECHNOLOGY Co Ltd
State Archives Bureau
Peking University
Peking University Founder Group Co Ltd
Original Assignee
Archives Science & Tech Inst
BEIJING FOUNDER E-GOVERNMENT INFORMATION TECHNOLOGY Co Ltd
State Archives Bureau
Peking University
Peking University Founder Group Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Archives Science & Tech Inst, BEIJING FOUNDER E-GOVERNMENT INFORMATION TECHNOLOGY Co Ltd, State Archives Bureau, Peking University, Peking University Founder Group Co Ltd filed Critical Archives Science & Tech Inst
Priority to CN2008102279004A priority Critical patent/CN101753539B/en
Publication of CN101753539A publication Critical patent/CN101753539A/en
Application granted granted Critical
Publication of CN101753539B publication Critical patent/CN101753539B/en
Expired - Fee Related legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Abstract

The invention discloses a network data storage method and a server. The disturbing network data storage method provided by the invention comprises the following steps: judging whether a data file needs to be encrypted and/or signed or not by the server according to configuration information of the storage region of the data file; encrypting a network data stream uploaded at a client when the data file needs to be encrypted but does not need to be signed according to the judgment, and writing the encrypted data stream into the data file; writing the network data stream uploaded at the client into the data file when the data file needs to be signed but does not need to be encrypted according to the judgment, and signing the data file; and encrypting the network data stream uploaded at the client when the data file needs to be encrypted and signed according to the judgment, writing the encrypted network data stream into the data file, and signing the data file. The invention improves the openness, the expansibility, the robustness and the reading/writing visit efficiency of the network storage server on the premise of ensuring the confidentiality and the completeness of the data storage.

Description

A kind of network data storage method and server
Technical field
The present invention relates to network safety filed, relate in particular to a kind of network data storage method and server.
Background technology
Along with the TCP/IP development of internet technology; FTP (File Transfer Protocol; FTP) and distributed creation in World Wide Web (WWW) and Version Control (Web-based Distributed Authoring and Versioning; WEBDAV) agreement has obtained application more and more widely; Server end utilizes FTP and WEBDAV agreement for client the network storage to be provided, and has formed the network storage of supporting standard agreement, and the user can use the client of supporting FTP or WEBDAV to carry out the visit of server side file read (download of network data) and write access operations such as (uploading network data) through network.
For realizing supporting the network storage of FTP and WEBDAV agreement; Tend to deployment corresponding server system (ftp server and WEBDAV server) is installed at server side; The file system that existing ftp server and WEBDAV server are based on server end mostly provides stores service; And the storage of file employing plain code, the method for this employing plain code storage file can't guarantee the confidentiality and the integrality of data.
For confidentiality and the integrality that guarantees file; Existing solution is normally used extra special secure file system at server end; Be encapsulated in behind the file encryption of secure file system with a plurality of needs to be keep secret in certain single file of bottom document system, and at the key information of internal system uniform maintenance fileinfo (like filename, file size etc.) and each file.Adopt secure file system to have following problem as the backstage of ftp server and WEBDAV server:
1, secure file system generally is a private system, does not have unified interface, and is open not enough;
2, the AES of whole secure file system is the unification fixed, and autgmentability is not enough;
3, because the All Files in the secure file system is all concentrated in the single file that is encapsulated in the bottom document system, during certain specific file in the read access secure file system, need from the single file of bottom document system, this document is extracted earlier; During certain specific file in the write access secure file system, need this document be write in the single file of bottom document system, read efficient is lower.
4, the AES relative fixed of secure file system; And secure file system is with the fileinfo and the key centralized management of inside; The zone (disk sector) of storage file information or key part is damaged, and can cause whole secure file system to take place and can't visit, and system robustness is not enough.
Summary of the invention
The invention provides a kind of network data storage method and server,, improve opening, autgmentability, robustness and the read efficient of network storage server in order under the prerequisite of confidentiality that guarantees storage and integrality.
A kind of network data upload method that the embodiment of the invention provides comprises:
Server is according to the configuration information of storage area under the data file, judges whether said data file need encrypt and/or whether need sign;
When judging that said data file need encrypt need not sign the time, the network data flow that client is uploaded is encrypted, and the said network data flow that will encrypt writes said data file;
When judging that said data file need sign need not encrypt the time, the network data flow that said client is uploaded writes said data file, and said data file is signed;
When judging that said data file need be encrypted and sign, the network data flow that said client is uploaded is encrypted, the network data flow of encrypting is write said data file, said data file is signed.
To a plurality of storage areas of dividing in advance, whether whether the data file that disposes its storage respectively need encryption and AES and/or need be signed and the parameter information of signature algorithm;
Saidly client uploaded network data flow encrypt, comprising:
AES according to storage area configuration under the said data file generates encryption key;
According to the encryption key of said AES and generation, the network data flow that client is uploaded is encrypted;
Said the data file is signed, comprising:
According to the signature algorithm of storage area configuration under the said data file, said data file is signed.
Said encryption key is encrypted;
Encryption key with said AES, after encrypting and/or said signature algorithm, signature result generate key file and storage; Said key file is corresponding one by one with said data file.
The key file that said server is corresponding according to client-requested data downloaded file judges whether said data file has been encrypted and/or whether signed;
When judging that said data file encrypted when unsigning, the data flow of said data file is deciphered, and the said data flow that will decipher outputs to said client;
When judging that said data file has been signed unencryption, to said data file certifying signature, and after checking is passed through, the data flow of said data file is outputed to said client;
When the said data file of judgement has been signed and has been encrypted, to said data file certifying signature, and after checking is passed through, the data flow of said data file is deciphered, decrypted data stream is outputed to said client.
Said to data file verification signature, comprising:
According to signature algorithm that comprises in the corresponding key file of said data file and signature result, to the data file certifying signature that reads;
Said data flow to the data file is deciphered, and comprising:
Encryption key after encrypting in the said key file is deciphered, obtained decruption key; Use the AES in said decruption key and the said key file that the data flow of said data file is deciphered.
A kind of network storage server that the embodiment of the invention provides comprises: judge module, encrypting module, signature blocks and configuration information memory module;
Said judge module, the configuration information of storage area under the data file that is used for storing according to the configuration information memory module judges whether said data file need encrypt and/or whether need sign;
Said encrypting module is used for judging said data file when said judge module and need encrypts need not sign the time, the network data flow that client is uploaded is encrypted, and the network data flow of encrypting is write said data file; And when said judge module is judged said data file and need encrypted and sign, after said data file is encrypted and write to the network data flow that said client is uploaded, said data file is sent to said signature blocks;
Said signature blocks is used for judging said data file when said judge module and need signs need not encrypt the time, and the network data flow that said client is uploaded writes said data file, and said data file is signed; And receive the data file that encrypting module transmits, the said data file that receives is signed;
Said configuration information memory module is used to store the configuration information of each storage area.
The network storage server that the embodiment of the invention provides also comprises:
Configuration module; Whether whether the data file that is used for a plurality of storage areas of dividing are in advance disposed its storage respectively need encryption and AES and/or need be signed and the parameter information of signature algorithm, and the said parameter information that will dispose is stored in the said configuration information memory module.
Said encrypting module also is used for the AES according to storage area configuration under the said data file of said configuration information memory module storage, generates encryption key; According to the encryption key of said AES and generation, the network data flow that reads is encrypted, generate the network data flow of encrypting;
Said signature blocks also is used for the signature algorithm according to storage area configuration under the said data file of said configuration information memory module storage, and the data file is signed.
The network storage server that the embodiment of the invention provides also comprises:
The key file generation module is used for said encryption key is encrypted; And the encryption key with said AES, after encrypting and/or said signature algorithm, signature result generate key file, and corresponding one by one with said data file;
The key file memory module is used to store said key file.
The network storage server that the embodiment of the invention provides also comprises: authentication module and deciphering module;
Said judge module also is used for the key file corresponding according to client-requested data downloaded file, and whether whether judgement request data downloaded file encrypted and/or signed;
Said authentication module is used for when said judge module judges that said data file has been signed unencryption, to said data file certifying signature, and after checking is passed through, the data flow of said data file is outputed to said client; And when said judge module judgment data file has been signed and encrypted,, and after checking is passed through, said data file is sent to said deciphering module to said data file certifying signature;
Said deciphering module is used for judging said data file when said judge module and has encrypted when unsigning, and the data flow of said data file is deciphered, and decrypted data stream is outputed to said client; And receive the data file that said authentication module sends, and the data flow of the said data file that receives is deciphered, decrypted data stream is outputed to said client.
Authentication module in the network storage server that the embodiment of the invention provides also is used for the signature algorithm that comprises according to said key file and the result that signs, to the data file certifying signature that reads;
Deciphering module in the network storage server that the embodiment of the invention provides also is used for the encryption key after the encryption of said key file is deciphered, and obtains decruption key; Use the AES in said decruption key and the said key file that the data flow of said data file is deciphered.
Beneficial effect of the present invention is following:
A kind of network data storage method and server that the embodiment of the invention provides; Server receives the data upload request that client is initiated; Create data file; According to the configuration information of storage area under the data file, the network data flow that client is uploaded is encrypted, the network data flow after encrypting is write data file; After maybe the network data flow of uploading being write data file, the data file is signed, or after the network data flow that client is uploaded encrypted, the network data flow after encrypting is write data file, and the data file is signed.Network storage method that the embodiment of the invention provides and server; Owing to can data file be disperseed to be stored in a plurality of storage areas of dividing in advance, the not high problem of efficient of the read of having avoided the file of all encryptions in the secure file system of the prior art all to be stored in single file being brought; Moreover, because the parameter information of the encryption of the configuration of different storage zone and/or signature can be different, not only improved the autgmentability of system, also guaranteed the integrality and the confidentiality of network stored data.
Further; In the network storage method that the embodiment of the invention provides; Also encryption key with AES, after encrypting and/or signature algorithm, signature result generate key file; And corresponding one by one with data file, the key file of certain data files is cracked or damages, and can the safety of other data files not impacted; The secure file system of having avoided the existing network storage server to adopt is managed the key of all encrypt files concentratedly bring drawback, has improved the robustness of system further.Because the existence of key file; Make the deciphering of data file not rely on the configuration parameter of affiliated storage area; Therefore can revise the configuration parameter of storage area at any time as required; Further improve the autgmentability of system, also further guaranteed the integrality and the confidentiality of network stored data.
The network data storage method that inventive embodiments provides; File system through adopting existing network server OS self can realize; Because the file system of operating system has unified interface to upper system, has guaranteed the opening of network storage server.
Description of drawings
Data upload flow chart in the network data storage method that Fig. 1 provides for the embodiment of the invention;
The flow chart of the generation key file that Fig. 2 provides for the embodiment of the invention;
Data are downloaded flow chart in the network data storage method that Fig. 3 provides for the embodiment of the invention;
The structural representation of the network storage server that Fig. 4 provides for the embodiment of the invention.
Embodiment
Below in conjunction with accompanying drawing, a kind of network data storage method provided by the invention and server are carried out detailed explanation with concrete embodiment.
The network data storage method that the embodiment of the invention provides improves to server side.The network data storage method that the embodiment of the invention provides can be applied to common network storage server such as FTP or WEBDAV server etc.; The file system of utilizing the existing operating system of FTP or WEBDAV server to provide just can realize, and do not need the backstage storage system of the special secure file system of extra employing as network data.Like this, because the external interface of file system of operating system is unified interface (the for example FTP of standard or WEBDAV interface), guaranteed the opening of network storage server.From the angle of read and write access, directly the efficient of access server operating system self file system also is superior to the efficient through the other secure file system of server OS visit.
The network data storage method that the embodiment of the invention provides; Can divide a plurality of storage areas in advance that server is the local memory space; Each storage area for example can the respective file system a catalogue, like " Server1/area1 ", " Server1/area2 " or the like.Can also realize operations such as storage area increase, deletion and modifications.
And; For each storage area; Whether whether need in advance need encryption and AES and/or need sign and the parameter information of signature algorithm is configured respectively to the data file of wherein storage; The configuration information of each storage area is separate, can be to different area configurations different encrypted algorithm and different signature algorithms, and the data file encipher only that a certain zone can be set is not signed; And the data file in another one zone not only need be encrypted and also need be signed, or the like.No longer enumerate at this.In concrete use, can also as required the configuration information of storage area be made amendment.
Network data below in conjunction with client is initiated is uploaded flow process, and the network data storage method that the embodiment of the invention provides is described.
The network data storage method that the embodiment of the invention provides, as shown in Figure 1, may further comprise the steps:
Step S101, server receive the data upload request that client is initiated.
For client, can be as required, request with uploaded data stream with the stored in form of file in any one storage area of server side.
Step S102, server create data file in storage area according to the storage area information that carries data file in this data upload request.
Can be in the data upload request that client is sent through unified resource positioning mark (the Uniform Resource Locator that carries storage area; URL) which storage area is indicated specifically is, for example " ftp: //Server1/area1 ", " http://Server1/area2 " etc.
Step S103, according to the configuration information of storage area under the data file, whether the judgment data file needs to encrypt; If judged result is not, execution in step S104, if, execution in step S105;
Step S104, the network data flow of uploading write direct create in the good data file, then execution in step S108.
Step S105, the AES that disposes according to storage area under this data file generate encryption key.
Encryption key among this step S105 is to generate in real time at random, and the encryption key that in the process of stream that at every turn uploads data, generates is all inequality.
Step S106, according to the encryption key that the AES and the step S105 of storage area configuration under this data file generates, the network data flow of uploading is encrypted.
Step S107, the network data flow of encrypting write create in the good data file.
Step S108, according to the configuration information of storage area under the data file, whether the judgment data file needs signature; If judged result is for being that execution in step S109 if not, jumps to step S110.
Step S109, according to the signature algorithm of storage area configuration under this data file, this data file is signed.Signature is carried out following step S110 after accomplishing.
Step S110, return the affirmation message of uploading success to client.
In the embodiment of the invention; Can also be on the basis of above-mentioned flow process; Increase the flow process that generates key file; Generating the flow process of key file can be independently and outside the flow process shown in Figure 1, also can be included among the flow process shown in Figure 1, closes as a whole flow process with above-mentioned steps S101 to step S110.Clear for explanatorily, use and illustrate with the flow chart of Fig. 2.
As shown in Figure 2, the flow process of generation key file in the embodiment of the invention may further comprise the steps:
Step S201, according to the configuration information of storage area under the data file, whether the judgment data file need be encrypted and whether need signature, when arbitrary judged result when being, execution in step S202; If not, judge that promptly this data file neither need encrypt in the time of also need not signing, directly jump to step S208 and finish current flow process.
This step S201 can be after step S104 shown in Figure 1 or step S107, carries out before the step S108.
Step S202, according to the data file of setting and the rule of correspondence of key file, create key file.
The embodiment of the invention does not limit key file and adopts which kind of particular type, for example text file type or relational database record etc.
Step S203, according to the configuration information of storage area under the data file, whether the judgment data file needs signature, if, carry out following step S204, if not, jump to step S206.
This step S203 can be same step with the step S108 among Fig. 1.
Step S204, with signature algorithm, the signature result write key file.
This step S204 can carry out after step S109 shown in Figure 1.
Step S205, according to the configuration information of storage area under the data file, whether the judgment data file needs to encrypt, if, execution in step S206, if not, directly execution in step S208.
Step S206, use public-key encryption key is encrypted.
Server is can pre-configured public and private key right, in this step, uses the PKI of configuration that encryption key is encrypted.
Step S207, the encryption key with AES, after encrypting write key file.
Step S208, process ends.
This flow process can be carried out last step S110 shown in Figure 1 after finishing.
In the embodiment of the invention, when creating key file, can adopt the predefined rule of correspondence,, and can be stored in the same storage area corresponding one by one between the key file of creating and the data file.For instance, the rule of correspondence of key file and data file can be following:
The filename of key file can adopt the filename of data file to add distinctive suffix composition.As shown in the table:
Table 1
File name Size Type
5-421.txt 3KB Text document
5-421.txt.cipher 1KB The CIPHER file
5-422.GIF 129KB The TIF image
5-422.GIF.cipher 1KB The CIPHER file
In the last table 1, file 5_421.txt by name and 5_422.GIF are data files, and 5_421.txt.cipher and 5_422.GIF.cipher are respectively the corresponding key files of above-mentioned two data files.
Obviously, in the embodiment of the invention, the rule of correspondence of key file and data file is not limited to above-mentioned corresponded manner.
In the file system of embodiment of the invention server side, the file attribute of above-mentioned key file can be set to hide, and when the server side locating file, server side can not show corresponding key file through network in domestic consumer.
There is the user of authority that the data file of server side is made amendment or when deleting, need revises or delete its corresponding key file simultaneously.
To upload flow process corresponding with the network data in the network storage method that the embodiment of the invention provides; When client was initiated the network data download request, the network data storage method that the embodiment of the invention provides was in the server side handling process; As shown in Figure 3, may further comprise the steps:
Step S301, server receive the network data download request that client is initiated.
Step S302, according to the URL and the file identification information of this data file of carrying in this request, in the field of storage of correspondence, read this data file.
Step S303, the key file corresponding according to this data file judge whether this data file signs, if, execution in step S304; If not, execution in step S308.
Among this step S303; Can be through the rule of correspondence between data file and the key file; Find the corresponding key file of this data file, judge whether this data file signs (if the encryption key after only having comprised AES in this key file and having encrypted can be judged so that this data file has been encrypted to unsign according to the particular content that comprises in the key file; If only comprised signature algorithm and signature result in this key file; Can judge this data file unencryption of having signed so,, can judge that so this data file encrypts and sign) if comprise above-mentioned two category informations in this key file simultaneously.
Step S304, according to the signature algorithm that comprises in this key file and the signature result, to the data file certifying signature that reads.
Whether step S305, judgement checking are passed through; During authentication failed, execution in step S306.When checking is passed through, execution in step S307.
Step S306, return to client and wrong affirmation message to occur.
Step S307, the key file corresponding according to this data file judge whether this data file encrypts, if execution in step S308 if not, jumps to step S310.
The private key of step S308, use configuration is deciphered the encryption key after the encryption in this key file, obtains decruption key.
Decruption key that step S309, use step S308 obtain and the AES in this key file are deciphered the network data flow after obtaining deciphering to the data flow of data file.
Step S310, with the data flow transmission of data file to client.
Step S311, return and download successful affirmation message.
According to the network data storage method that the embodiment of the invention provides, the embodiment of the invention also provides a kind of network storage server, and is as shown in Figure 4, comprising: judge module 401, encrypting module 402, signature blocks 403 and configuration information memory module 404; Wherein:
Judge module 401 is used for the configuration information according to storage area under this data file of configuration information memory module 404 storage, judges whether this data file need encrypt and/or whether need sign;
Encrypting module 402 is used for judging data file when judge module 401 and need encrypts need not sign the time, the network data flow that client is uploaded is encrypted, and the network data flow of encrypting is write this data file; And when judge module 401 is judged this data file and need encrypted and sign, after this data file is encrypted and write to the network data flow that reads, this data file is sent to signature blocks 403;
Signature blocks 403 is used for judging this data file when judge module 401 and need signs need not encrypt the time, and the network data flow that client is uploaded writes this data file, and this data file is signed; And receive the data file that encrypting module 402 transmits, the data file that receives is signed;
Configuration information memory module 404 is used to store the configuration information of each storage area.
The network storage server that the embodiment of the invention provides; As shown in Figure 4; Can also comprise: configuration module 405; Whether whether the data file that is used for a plurality of storage areas of dividing are in advance disposed its storage respectively need encryption and AES and/or need be signed and the parameter information of signature algorithm, and the parameter information of configuration is stored in the configuration information memory module 404.
Encrypting module 402 also is used for the AES according to storage area configuration under this data file of configuration information memory module 404 storages, generates encryption key; According to the encryption key of this AES and generation, the network data flow that reads is encrypted, generate the network data flow of encrypting;
Signature blocks 403 also is used for the signature algorithm according to storage area configuration under this data file of configuration information memory module 404 storages, and the data file is signed.
The network storage server that the embodiment of the invention provides, as shown in Figure 4, can also comprise: key file generation module 406 and key file memory module 407;
Key file generation module 406 is used to use public-key encryption key is encrypted; And the encryption key with AES, after encrypting and/or said signature algorithm, signature result generate key file, and corresponding one by one with this data file;
Key file memory module 407 is used for the storage key file.
Network data in a kind of network data storage method that provides according to the embodiment of the invention is downloaded flow process, and the network storage server that the embodiment of the invention provides is as shown in Figure 4, can also comprise following two modules: authentication module 408 and deciphering module 409;
Judge module 401 also is used for the key file corresponding according to client-requested data downloaded file, and whether whether judgement request data downloaded file encrypted and/or signed;
Authentication module 408 is used for when judge module 401 judges that these data files have been signed unencryption, to this data file certifying signature, and after checking is passed through, the data flow of this data file is outputed to client; And when judge module 401 these data files of judgement have been signed and encrypted,, and after checking is passed through, this data file is sent to deciphering module 409 to this data file certifying signature;
Deciphering module 409 is used for judging these data files when judge module 401 and has encrypted when unsigning, and the data flow of this data file is deciphered, and decrypted data stream is outputed to client; And Receipt Validation module 408 data file of sending, the data flow of the data file that receives is deciphered, decrypted data stream is outputed to client.
Authentication module 408 in the network storage server that the embodiment of the invention provides also is used for the signature algorithm that comprises according to the corresponding key file of this data file and the result that signs, to the data file certifying signature that reads.
Deciphering module 409 also is used for the AES that uses private key and key file to comprise, and the encryption key after the encryption in the key file is deciphered, and obtains decruption key; Use decruption key that the data flow of this data file is deciphered.
A kind of network data storage method and server that the embodiment of the invention provides; Server receives the data upload request that client is initiated; Create data file; According to the configuration information of storage area under the data file, the network data flow that client is uploaded is encrypted, the network data flow after encrypting is write data file; After maybe the network data flow of uploading being write data file, the data file is signed, or after the network data flow that client is uploaded encrypted, the network data flow after encrypting is write data file, and the data file is encrypted.When client-requested is carried out network data when downloading, correspondingly, according to the configuration information of storage area under the data file, the operation that the data file is verified and/or deciphered, with checking through and/or deciphering after document data flow send client to.
Network storage method that the embodiment of the invention provides and server; Owing to can data file be disperseed to be stored in a plurality of storage areas of dividing in advance, the not high problem of efficient of the read of having avoided the file of all encryptions in the secure file system of the prior art all to be stored in same file being brought; Moreover, because the parameter information of the encryption of the configuration of different storage zone and/or signature can be different, not only improved the autgmentability of system, also further guaranteed the integrality and the confidentiality of network stored data.
Further; In the network storage method that the embodiment of the invention provides; Also encryption key with AES, after encrypting and/or signature algorithm, signature result generate key file and corresponding one by one with data file; The key file of certain data files is cracked or damages; Can the safety of other data files not impacted, the secure file system of having avoided the existing network storage server to adopt is managed the key of all encrypt files concentratedly bring drawback, has improved the robustness of system further.Because the existence of key file; Make the deciphering of data file not rely on the configuration parameter of affiliated storage area; Therefore can revise the configuration parameter of storage area at any time as required; Further improve the autgmentability of system, also further guaranteed the integrality and the confidentiality of network stored data.
In addition; The network data storage method that inventive embodiments provides; Can directly adopt the file system of existing network server OS self to carry out the operation of uploading and downloading of data; Because the file system of operating system has unified interface (the for example FTP of standard or WEBDAV interface) to upper system, has guaranteed the opening of network storage server.From the angle of read and write access, directly the efficient of access server operating system self file system also is superior to the efficient through the other secure file system of server OS visit.
Obviously, those skilled in the art can carry out various changes and modification to the present invention and not break away from the spirit and scope of the present invention.Like this, belong within the scope of claim of the present invention and equivalent technologies thereof if of the present invention these are revised with modification, then the present invention also is intended to comprise these changes and modification interior.

Claims (10)

1. a network data storage method is characterized in that, comprising:
Server is according to the configuration information of storage area under the data file, judges whether said data file need encrypt and/or whether need sign;
When judging that said data file need encrypt need not sign the time, the network data flow that client is uploaded is encrypted, and the said network data flow that will encrypt writes said data file;
When judging that said data file need sign need not encrypt the time, the network data flow that said client is uploaded writes said data file, and said data file is signed;
When judging that said data file need be encrypted and sign, the network data flow that said client is uploaded is encrypted, the network data flow of encrypting is write said data file, said data file is signed.
2. the method for claim 1 is characterized in that, also comprises:
To a plurality of storage areas of dividing in advance, whether whether the data file that disposes its storage respectively need encryption and AES and/or need be signed and the parameter information of signature algorithm;
Saidly client uploaded network data flow encrypt, comprising:
AES according to storage area configuration under the said data file generates encryption key;
According to the encryption key of said AES and generation, the network data flow that client is uploaded is encrypted;
Said the data file is signed, comprising:
According to the signature algorithm of storage area configuration under the said data file, said data file is signed.
3. method as claimed in claim 2 is characterized in that, also comprises:
Said encryption key is encrypted;
Encryption key with said AES, after encrypting and/or said signature algorithm, signature result generate key file and storage; Said key file is corresponding one by one with said data file.
4. method as claimed in claim 3 is characterized in that, also comprises:
The key file that said server is corresponding according to client-requested data downloaded file judges whether said data file has been encrypted and/or whether signed;
When judging that said data file encrypted when unsigning, the data flow of said data file is deciphered, and the said data flow that will decipher outputs to said client;
When judging that said data file has been signed unencryption, to said data file certifying signature, and after checking is passed through, the data flow of said data file is outputed to said client;
When the said data file of judgement has been signed and has been encrypted, to said data file certifying signature, and after checking is passed through, the data flow of said data file is deciphered, decrypted data stream is outputed to said client.
5. method as claimed in claim 4 is characterized in that, and is said to data file verification signature, comprising:
According to signature algorithm that comprises in the corresponding key file of said data file and signature result, to the data file certifying signature that reads;
Said data flow to the data file is deciphered, and comprising:
Encryption key after encrypting in the said key file is deciphered, obtained decruption key; Use the AES in said decruption key and the said key file that the data flow of said data file is deciphered.
6. a network storage server is characterized in that, comprising: judge module, encrypting module, signature blocks and configuration information memory module;
Said judge module, the configuration information of storage area under the data file that is used for storing according to the configuration information memory module judges whether said data file need encrypt and/or whether need sign;
Said encrypting module is used for judging said data file when said judge module and need encrypts need not sign the time, the network data flow that client is uploaded is encrypted, and the network data flow of encrypting is write said data file; And when said judge module is judged said data file and need encrypted and sign, after said data file is encrypted and write to the network data flow that said client is uploaded, said data file is sent to said signature blocks;
Said signature blocks is used for judging said data file when said judge module and need signs need not encrypt the time, and the network data flow that said client is uploaded writes said data file, and said data file is signed; And receive the data file that encrypting module transmits, the said data file that receives is signed;
Said configuration information memory module is used to store the configuration information of each storage area.
7. server as claimed in claim 6; It is characterized in that; Also comprise: configuration module; Whether whether the data file that is used for a plurality of storage areas of dividing are in advance disposed its storage respectively need encryption and AES and/or need be signed and the parameter information of signature algorithm, and the said parameter information that will dispose is stored in the said configuration information memory module;
Said encrypting module also is used for the AES according to storage area configuration under the said data file of said configuration information memory module storage, generates encryption key; According to the encryption key of said AES and generation, the network data flow that reads is encrypted, generate the network data flow of encrypting;
Said signature blocks also is used for the signature algorithm according to storage area configuration under the said data file of said configuration information memory module storage, and the data file is signed.
8. server as claimed in claim 7 is characterized in that, also comprises:
The key file generation module is used for said encryption key is encrypted; And the encryption key with said AES, after encrypting and/or said signature algorithm, signature result generate key file, and corresponding one by one with said data file;
The key file memory module is used to store said key file.
9. server as claimed in claim 8 is characterized in that, also comprises: authentication module and deciphering module;
Said judge module also is used for the key file corresponding according to client-requested data downloaded file, and whether whether judgement request data downloaded file encrypted and/or signed;
Said authentication module is used for when said judge module judges that said data file has been signed unencryption, to said data file certifying signature, and after checking is passed through, the data flow of said data file is outputed to said client; And when said judge module judgment data file has been signed and encrypted,, and after checking is passed through, said data file is sent to said deciphering module to said data file certifying signature;
Said deciphering module is used for judging said data file when said judge module and has encrypted when unsigning, and the data flow of said data file is deciphered, and decrypted data stream is outputed to said client; And receive the data file that said authentication module sends, and the data flow of the said data file that receives is deciphered, decrypted data stream is outputed to said client.
10. server as claimed in claim 9 is characterized in that, said authentication module also is used for the signature algorithm that comprises according to said key file and the result that signs, to the data file certifying signature that reads;
Said deciphering module also is used for the encryption key after the encryption of said key file is deciphered, and obtains decruption key; Use the AES in said decruption key and the said key file that the data flow of said data file is deciphered.
CN2008102279004A 2008-12-01 2008-12-01 Network data storage method and server Expired - Fee Related CN101753539B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN2008102279004A CN101753539B (en) 2008-12-01 2008-12-01 Network data storage method and server

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN2008102279004A CN101753539B (en) 2008-12-01 2008-12-01 Network data storage method and server

Publications (2)

Publication Number Publication Date
CN101753539A CN101753539A (en) 2010-06-23
CN101753539B true CN101753539B (en) 2012-06-06

Family

ID=42479949

Family Applications (1)

Application Number Title Priority Date Filing Date
CN2008102279004A Expired - Fee Related CN101753539B (en) 2008-12-01 2008-12-01 Network data storage method and server

Country Status (1)

Country Link
CN (1) CN101753539B (en)

Families Citing this family (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103078866B (en) * 2013-01-14 2015-11-04 成都西可科技有限公司 Mobile platform transparent encryption method
CN103973715B (en) * 2014-05-29 2017-03-22 广东轩辕网络科技股份有限公司 Cloud computing security system and method
CN105656866B (en) * 2014-12-02 2019-10-22 华为技术有限公司 Data ciphering method and system
CN104751072A (en) * 2015-03-17 2015-07-01 山东维固信息科技股份有限公司 Secrete-related control system providing completely transparent user experience based on real-time encryption and decryption technology
CN106209754B (en) * 2015-05-08 2019-01-22 中标软件有限公司 To the method and system of software package automatic signature in version control system
CN105100087A (en) * 2015-07-08 2015-11-25 上海迈外迪网络科技有限公司 Management method, management server and system for SQL (Structured Query Language) database
WO2017206134A1 (en) * 2016-06-02 2017-12-07 Beijing Yi Zhang Yun Feng Technology Co., Ltd. Dynamic communication of capability using headers
CN108011857B (en) * 2016-11-01 2021-02-26 北京京东尚科信息技术有限公司 Data dynamic encryption transmission configuration method and device
CN107277141B (en) * 2017-06-21 2020-03-31 京东方科技集团股份有限公司 Data judgment method applied to distributed storage system and distributed storage system
CN108880811B (en) * 2018-09-30 2021-11-23 北京集创北方科技股份有限公司 Biometric identification system and communication method thereof
CN114095175A (en) * 2021-10-19 2022-02-25 网络通信与安全紫金山实验室 Data security method and device capable of gray level check and storage medium

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1567255A (en) * 2003-09-02 2005-01-19 四川大学 Method for controlling storage and access of security file system
CN101247232A (en) * 2008-03-27 2008-08-20 上海金鑫计算机系统工程有限公司 Encryption technique method based on digital signature in data communication transmission

Patent Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1567255A (en) * 2003-09-02 2005-01-19 四川大学 Method for controlling storage and access of security file system
CN101247232A (en) * 2008-03-27 2008-08-20 上海金鑫计算机系统工程有限公司 Encryption technique method based on digital signature in data communication transmission

Also Published As

Publication number Publication date
CN101753539A (en) 2010-06-23

Similar Documents

Publication Publication Date Title
CN101753539B (en) Network data storage method and server
CN107846282B (en) Block chain technology-based electronic data distributed storage method and system
US11076290B2 (en) Assigning an agent device from a first device registry to a second device registry
CN110535662B (en) Method and system for realizing user operation record based on block chain data certificate storage service
US9819494B2 (en) Digital signature service system based on hash function and method thereof
CN105847228A (en) Access control framework for information centric networking
US20210328767A1 (en) Hash updating methods and apparatuses of blockchain integrated station
US20100005318A1 (en) Process for securing data in a storage unit
CN101651714B (en) Downloading method and related system and equipment
KR101285281B1 (en) Security system and its security method for self-organization storage
JP2007028014A (en) Digital signature program, digital signature system, digital signature method and signature verification method
JP2012521155A (en) Method for manufacturing a product including a certificate and a key
CN101176102A (en) System and method for managing encrypted content using logical partitions
CN112995784B (en) Video data slice encryption method, device and system
CN109064596B (en) Password management method and device and electronic equipment
JP2004110197A (en) Information processing method and method of managing access authority for use at center system
CN104901968A (en) Method for managing and distributing secret keys in secure cloud storage system
CN104753870A (en) Data transmission method and system
CN107094075A (en) A kind of data block dynamic operation method based on convergent encryption
CN107368749B (en) File processing method, device, equipment and computer storage medium
CN112149184A (en) Block chain external storage system and method based on time-limited access
CN102694796A (en) Method, device and server for encrypted file management
CN115766270A (en) File decryption method, file encryption method, key management method, device and equipment
KR102282788B1 (en) Blockchain system for supporting change of plain text data included in transaction
JP3810966B2 (en) Cryptographic communication center apparatus, cryptographic communication system, and recording medium

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20120606