CN119026160A - A method for secure sharing of verifiable data based on network disk - Google Patents
- Publication number: CN119026160A (application CN202410374682.6A)
- Authority: CN (China)
- Prior art keywords: data, file, provider, shared, sharing
- Legal status: Pending (status as listed by Google Patents; not a legal conclusion)
Classifications
- G06F21/6218—Protecting access to data via a platform, e.g. using keys or access control rules, to a system of files or objects, e.g. local or distributed file system or database
- G06F21/6245—Protecting personal data, e.g. for financial or medical purposes
- G06F21/602—Providing cryptographic facilities or services
- G06F21/604—Tools and structures for managing or administering access control systems
- G06F21/64—Protecting data integrity, e.g. using checksums, certificates or signatures
- H04L63/0245—Network security: filtering policies, filtering by information in the payload
- H04L63/045—Network security: confidential data exchange in which the payload is protected and the sending and receiving entities apply hybrid encryption, i.e. a combination of symmetric and asymmetric encryption
- H04L63/062—Network security: key management in a packet data network, key distribution, e.g. centrally by a trusted party
- H04L63/08—Network security: authentication of entities
- H04L63/105—Network security: controlling access to devices or network resources, multiple levels of security
- H04L63/123—Network security: verification of received data contents, e.g. message integrity
- H04L9/0643—Hash functions, e.g. MD5, SHA, HMAC or f9 MAC
- H04L9/0822—Key transport or distribution using a key encryption key
- H04L9/0825—Key transport or distribution using asymmetric-key encryption or public key infrastructure [PKI], e.g. key signature or public key certificates
- H04L9/40—Network security protocols
- G06F2221/2101—Auditing as a secondary aspect
- G06F2221/2107—File encryption
- G06F2221/2113—Multi-level security, e.g. mandatory access control
- G06F2221/2141—Access rights, e.g. capability lists, access control lists, access tables, access matrices
- H04L2463/062—Additional details to H04L63/00: applying encryption of the keys
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- General Engineering & Computer Science (AREA)
- Theoretical Computer Science (AREA)
- Computing Systems (AREA)
- General Health & Medical Sciences (AREA)
- Bioethics (AREA)
- Health & Medical Sciences (AREA)
- Software Systems (AREA)
- Physics & Mathematics (AREA)
- General Physics & Mathematics (AREA)
- Power Engineering (AREA)
- Automation & Control Theory (AREA)
- Medical Informatics (AREA)
- Databases & Information Systems (AREA)
- Storage Device Security (AREA)
- Computer And Data Communications (AREA)
Abstract
The invention relates to a network-disk-based verifiable data sharing method for business systems and belongs to the technical field of data sharing. In the method, a data provider receives a data request from a data requester, processes and analyses the data according to the request, and forms a shareable data text file. The data provider encrypts the shared text file into a data file ciphertext and transmits the ciphertext to a shared folder. The data requester requests data across organizations and regions: it establishes communication with the data provider in advance to transmit the data request, and when it needs the data it accesses the shared folder stored on the cloud server, downloads the required data files, and decrypts them with the information it holds to obtain the text file plaintext. Finally, the data provider traces and verifies the uploaded shared text file. Compared with the prior art, the method improves data security, confidentiality, sharing efficiency, operational convenience and data integrity.
Description
Technical Field
The invention relates to a data sharing method for a service system, in particular to a network-disk-based verifiable data sharing method for a service system in which shared data can be traced, and belongs to the technical field of data sharing.
Background
In the current age of diverse, cross-domain data demand, the data sharing requirements of business systems have far outgrown traditional modes. Not only are a high degree of configurability, traceability, confidentiality and verifiability required, but ever-increasing data diversity and geographic spread must also be accommodated. As the geographic scope of data providers keeps expanding, the transmission of large volumes of data must support remote access, batch processing and frequent long-distance transfer. Progress in data sharing greatly increases the speed and efficiency of information circulation and accelerates the spread of knowledge and resources. However, traditional sharing methods, such as file servers, e-mail attachments, physical media exchange, file transfer protocols, virtual private networks and local area network shares, no longer meet such complex and extensive modern requirements.
The rise of cloud technology offers a solution. As a centralized and easily accessible platform, the cloud has made data sharing across regions and organizations unprecedentedly convenient, and it largely removes the limitations of physical media and LAN sharing by providing efficient data synchronization and fast access.
In particular, the network disk has become an important tool in modern enterprises because it is easy to use, offers flexible permission management and supports multiple users. It supports remote access, batch file processing and frequent remote data transfer while keeping maintenance costs low. More importantly, it supports the security and compliance of data sharing through fine-grained access permission settings, logging and audit trails, which matters most when protecting sensitive data and complying with legal regulations.
As data sharing demands continue to evolve and expand, the network disk has therefore become a natural choice for modern enterprises that need efficient, secure and convenient data sharing and management.
Disclosure of Invention
The invention aims to achieve efficient data synchronization and fast access for cross-region and cross-organization data sharing, and provides a network-disk-based verifiable data sharing method for a service system, used for data sharing between a data provider and a data requester within that system.
In the method, the data provider uploads data files under a user account that it creates. The data requester, which downloads data files from the shared folder, also creates a user account and has its identity information recorded, so that the download of a data file can be traced. The user account carries the security and access control settings for the data and gives users of different levels appropriate access rights. Through multi-level permission control, data can be managed precisely: each user accesses the data that matches its identity and needs. Whenever the data provider updates the data, the update is reflected in real time in the view of every relevant user, so that all users see the latest data. This flexibility and immediacy greatly improve the efficiency and convenience of data sharing.
In the method, the service system uploads only part of the data; data that does not meet the filtering rules is not uploaded. This protects the data and keeps the enterprise's data protection policy consistent. The data provider sets strict filtering rules that act as a screen, so that only files that meet the filtering rules and satisfy specified criteria can be uploaded to the cloud server. Notably, all data providers follow the same set of filtering rules, which keeps the whole system uniform and standardized and improves processing efficiency and data reliability. The filtering mechanism effectively limits the risk that sensitive data spreads or leaks, providing enterprises with a secure and reliable sharing environment that meets modern requirements for data security.
In order to achieve the above purpose, the present invention is realized by adopting the following technical scheme.
A network disk-based verifiable data security sharing method comprises the following steps:
Step 1: the data provider receives the data request from the data requester, processes and analyses the data according to the request, and forms a shareable data text file. The data provider encrypts the shared text file into a data file ciphertext and transmits the ciphertext to the shared folder.
Specifically, step 1 includes the steps of:
Step 1.1: the data of each data provider originates from a plurality of users. The data provider is responsible for processing and analyzing the data submitted by the users, and the data conforming to the filtering rules form a data file which can be shared. In the above process, different data providers need to keep data independent, and cannot access or share data files with each other.
Step 1.2: the data provider creates a session key to encrypt the shared content every time the text file is generated, and generates a data ciphertext file.
For the generation of the session key, an HMAC (Hash-based Message Authentication Code) algorithm may be used, and the generated Hash value is used as the session key. The use of the hash function is selected based on the key length, the key employing a seed key that is generated locally by the data provider.
The specific manner of encrypting the text file by the session key can adopt a Twofish method. The method is a symmetrical encryption mode, has the characteristics of high encryption speed and high safety, and effectively guarantees the safety of the data file.
Step 1.3: the data provider encrypts the session key by using the public key transmitted by the data requester to generate a session key ciphertext file, thereby ensuring security.
Step 1.4: and compressing the results of the two encryption in the same file, generating a shared data file ciphertext, and uploading the shared data file ciphertext to a cloud server hosted in a network disk. These data files are stored in a special shared folder, thereby facilitating ready access by the data requesting party. After the data provider uploads the file, corresponding data information is recorded in a local user form, so that subsequent tracing and verification are facilitated.
In this step, the data provider will obtain the data request requirements from different data requesters. As data requests are diversified, there is a difference in the data contents of the requests. Thus, the data provider needs to record and back up the content for each data request. The file names of the local backup files are consistent with those of the data files, and the file suffixes are different. The backup mechanism not only provides additional guarantee for data security, but also provides important support for traceability and verification of data.
Further, to facilitate the management of the data requesting user by the data provider and the traceability of the data file, the data provider may create a user form locally, where the form record includes information such as user identity information, local backup text file, public key, seed key, and time, each of which implements data sharing therewith. The creation of the user form is convenient for the data provider to trace the shared data, and whether the uploaded data accords with the filtering rule is checked, so that the safety of the data is ensured.
In addition, there are multiple shared folders in the server hosted by the web disk, each creation of which requests data sharing on behalf of the presence of one data requestor. Each data provider only has access rights to the shared folder created by the data provider through rights setting, and the data providers do not share data with each other. Each time the data provider establishes data sharing with the data requester, the data provider establishes a special shared folder in the cloud server and sets corresponding rights through a third party program. The establishment and authority setting of the special shared folder provide diversified data sharing and ensure the safety of data.
Step 2: the data requestor requests data across organizations, across regions. The data requesting party and the data providing party establish communication transmission data request in advance, and when the data requesting party needs to acquire data, the data requesting party accesses the shared folder stored on the cloud server to download the required data file, and decrypts the data file according to the held information to acquire the text file plaintext.
Specifically, step 2 includes the steps of:
step 2.1: the data requesting party establishes communication with the data providing party to transmit data request content, a public key and request downloading permission of files in a shared folder in the cloud server.
The data requesting party can download all the data files in the shared folder of the data provider, and the data requesting party only has the authority of downloading the data files and cannot upload the files to the shared folder.
Step 2.2: the data requesting party uses the held private key to decrypt the session key ciphertext file and obtain the session key.
Step 2.3: and the data requesting party decrypts the text file according to the ciphertext file by using the decrypted session key Wen Duishu to obtain the plaintext of the text file.
In step 2, the shared data file is stored in the cloud, so that the data requester can easily access and download the shared data even in a cross-organization or cross-region environment. By the method, an efficient and safe data request and downloading flow is realized, confidentiality of information in the transmission process is ensured, and meanwhile, flexibility and reliability of data processing are improved. The structure not only provides a necessary data access mode for a data requester, but also strengthens the safety and reliability of the whole system.
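The exchange of steps 1.2 to 2.3, written out end to end as an added example that is not part of the patent. Only Go's standard library is used; because it has no Twofish (that cipher lives in golang.org/x/crypto/twofish), AES-256-GCM stands in for the symmetric step, and RSA-OAEP with SHA-256 is assumed for wrapping the session key since the page does not name the public-key scheme. The sample text file, the seed key and the SharedPackage container are constructed for the example. Two things are worth seeing in code: the session key is the HMAC-SHA256 of the file under the provider's seed key, so it is deterministic and only as secret as the seed; and an authenticated mode such as GCM makes a modified ciphertext fail at decryption, which the scheme as described does not provide itself and instead leaves to the backup comparison of step 3.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Constructed sample input (not from the patent): a filtered, shareable text file.
var sampleSharedText = []byte("region=east;period=2024Q1;metric=orders;value=1532\n")

// SharedPackage holds the two encryption results of step 1.4. The page packs
// them into one compressed file for upload; serialising this struct is that file.
type SharedPackage struct {
	DataCiphertext []byte // text file under the session key
	KeyCiphertext  []byte // session key under the requester's public key
}

// DeriveSessionKey is step 1.2 as the page describes it:
// session key = HMAC-SHA256(seed key, shared text), 256 bits. HMAC is deterministic:
// the same seed and file always give the same key, so the seed must stay secret.
func DeriveSessionKey(seedKey, sharedText []byte) []byte {
	mac := hmac.New(sha256.New, seedKey)
	mac.Write(sharedText)
	return mac.Sum(nil)
}

// newGCM builds the symmetric cipher. The page names Twofish, which Go's standard
// library lacks (golang.org/x/crypto/twofish), so AES-256-GCM stands in. GCM also
// authenticates the ciphertext; the described scheme relies on step 3 backups instead.
func newGCM(sessionKey []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(sessionKey)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptShared returns nonce || ciphertext || tag under the session key.
func EncryptShared(sessionKey, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(sessionKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// DecryptShared reverses EncryptShared; a modified blob fails the tag check.
func DecryptShared(sessionKey, blob []byte) ([]byte, error) {
	gcm, err := newGCM(sessionKey)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], nil)
}

// ProviderShare runs steps 1.2 to 1.4: derive the session key, encrypt the file, wrap
// the key with the requester's public key (RSA-OAEP/SHA-256 assumed; the page does not
// name the scheme) and return the package plus the session key recorded in the user form.
func ProviderShare(requesterPub *rsa.PublicKey, seedKey, sharedText []byte) (SharedPackage, []byte, error) {
	sessionKey := DeriveSessionKey(seedKey, sharedText)
	dataCT, err := EncryptShared(sessionKey, sharedText)
	if err != nil {
		return SharedPackage{}, nil, err
	}
	keyCT, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, requesterPub, sessionKey, nil)
	if err != nil {
		return SharedPackage{}, nil, err
	}
	return SharedPackage{DataCiphertext: dataCT, KeyCiphertext: keyCT}, sessionKey, nil
}

// RequesterRecover runs steps 2.2 and 2.3 on the downloaded package.
func RequesterRecover(priv *rsa.PrivateKey, pkg SharedPackage) ([]byte, error) {
	sessionKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, pkg.KeyCiphertext, nil)
	if err != nil {
		return nil, err
	}
	return DecryptShared(sessionKey, pkg.DataCiphertext)
}

func main() {
	requester, _ := rsa.GenerateKey(rand.Reader, 2048) // step 2.1: requester's key pair
	pkg, _, err := ProviderShare(&requester.PublicKey, []byte("constructed seed key"), sampleSharedText)
	if err != nil {
		panic(err)
	}
	plain, err := RequesterRecover(requester, pkg)
	fmt.Println("round trip ok:", err == nil && string(plain) == string(sampleSharedText))
}
```

The requester's private key never leaves the requester, and the provider keeps the seed key and session key only in its local user form; anyone who can read that form can re-derive every session key, which is why the form needs at least the protection given to the shared data.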
Step 3: the data provider performs tracing and verification on the uploaded shared text file.
Specifically, step 3 includes the steps of:
Step 3.1: the data provider performs tracing and verification on the data file, downloads the data file from the network disk, and obtains the matched local backup file by inquiring the record information of the local user form.
Step 3.2: and checking the content of the local backup file, and checking whether the content of the data file is matched with the content of the backup text file or not, and whether the uploading file of the data provider accords with the filtering rule or not, so as to judge whether sensitive data exists or not.
By this step, intentional or unintentional leakage of sensitive information can be prevented when processing large amounts of data. The data provider is also given more autonomous checking capability to download all files from the shared folder at any time, or to restore all previously uploaded files from the backup space. This enables the data provider to actively check and confirm whether the file content they share meets the filtering rules. The setting of the automatic backup and traceability functions greatly enhances the safety and reliability in the data sharing process, not only provides additional safety guarantee for data providers, but also brings stronger data management and control capability for the whole network disk system.
Advantageous effects
Compared with the prior art, the invention has outstanding substantive characteristics and obvious technical progress in the aspects of data security, confidentiality, sharing efficiency, operation convenience, data integrity and the like.
1. Enhanced data security
By encrypting each file under a session key and then encrypting that session key under the data requester's public key (hybrid encryption), the method significantly improves the security of the data file. This two-layer encryption protects the data content even over an untrusted network.
2. Improved privacy protection
Each file is encrypted with its own session key, so shares remain independent and confidential. The session key is produced by an HMAC; because the hash is one-way, an attacker cannot recover the text file that was input to the algorithm from the session key it produced. Different text files yield different session keys, which further improves security: even if one key is compromised, only that single file is affected and the rest of the data set is not exposed.
3. Improved data sharing efficiency
Using the network disk cloud service, the method offers fast and convenient data access, especially across organizations or regions. The data requester can quickly download the desired encrypted data file without a complicated exchange process.
4. Flexible data management and control
Each data provider can set specific permissions on its own shared folder, achieving precise data management. The method also supports different access rights according to user roles, improving both the efficiency of use and the security of the data.
5. Simplified operational flow
The data requester obtains the data by decrypting with its private key, which reduces repeated identity verification and authentication. This simplifies data access, especially where data is accessed frequently. Over the whole sharing process, the data provider and the data requester exchange the public key, identity authentication and data request only once, greatly simplifying the sharing flow; the use of the public key both replaces more complex security measures and reduces the communication and coordination burden on both parties.
6. Data integrity and traceability
Through local backups and the user form, the data provider can track and verify the shared data, strengthening its integrity and reliability. The data provider can detect whether the data has been tampered with by comparing the final plaintext, obtained with the session key, against its backup, which matters for adhering to data protection policies and preventing tampering.
7. Filtering and protection mechanism
The filtering rules ensure that only data meeting specific criteria is uploaded, effectively preventing improper spread and leakage of sensitive data.
8. High adaptability
The method suits a wide range of business scenarios, especially environments with high data security and privacy requirements such as finance and healthcare.
Drawings
FIG. 1 is a schematic diagram of a system architecture according to the present invention;
FIG. 2 is a schematic diagram of a structure of a data upload shared folder according to the present invention;
FIG. 3 is a schematic diagram of a session key generation structure according to the present invention;
FIG. 4 is a schematic diagram of a data download structure according to the present invention;
FIG. 5 is a schematic diagram of a data sharing structure according to the present invention.
Detailed description of the preferred embodiments
The invention is described in further detail below with reference to the accompanying drawings.
A network-disk-based verifiable data sharing method for a service system.
As shown in FIG. 1, the system architecture for the method includes a data provider, a cloud server and a data requester.
FIG. 1 depicts how data moves between the data requester, the data provider and the shared folder. The data provider has upload and download rights for the files stored on the cloud server; the data requester can download files and establishes a connection with the data provider to deliver its public key. Once the data provider has established sharing with the data requester, it creates a dedicated shared folder on the cloud server and adds the related information to the user form.
The data provider is responsible for analysing and processing the data files shared by the business system. A separate user account is created for each participant (including every data provider and the cloud service). Each account is given its own specific access rights, precisely matched to the role and needs of that user. In particular, the data provider, as owner of the files or folders, holds the highest level of rights: it can freely view, edit, upload and delete files, and it also carries deeper management responsibility, such as granting or modifying the management rights of others. These settings keep the sharing system efficient and tightly controlled while giving key personnel the flexibility and control needed for different business scenarios.
After the account has been created, the data provider establishes sharing with each data requester, which requires creating a dedicated shared folder on the network disk. The shared folder is stored on the cloud server as shown in FIG. 1, and its permissions are customized and assigned according to the account settings. The shared folder is designed for efficient sharing while offering flexible external-link access rights such as downloading, previewing and saving files to a network disk. To enhance security and control, these external links are configured with a validity period so that a link automatically expires; an option also lets a link visitor see the latest update of a file immediately, keeping the information timely and accurate. The shared folder isolates and secures the data and greatly simplifies file management and tracking. Together, the filtering rules, file backups and shared folders give the data provider a secure and efficient environment for processing and sharing data.
With respect to sharing permissions, permission administrators can share specific folders with a designated team or department, which further strengthens the file management policy. By establishing collaboration groups, project teams can share and manage files in a centralized and controlled environment, improving collaboration efficiency while protecting the security and integrity of project information. This management strategy aims to give enterprises a secure and efficient platform for data sharing and collaboration.
As shown in fig. 2, a schematic structure diagram of a data provider for implementing data uploading and sharing folders is provided in the present invention, and the structure diagram is composed of four modules, and specific contents of each module are as follows:
the first module is data information, containing the original data information owned by the data provider.
The second module is the filtering rule. From the original data information the system identifies and screens out data containing sensitive information, producing a text file that satisfies the filtering rule; a local backup of this text file is created and recorded in the user form. Filtering rules are defined on criteria such as file type, size and content keywords, so that only files meeting the specified requirements can be uploaded and sensitive data is never transmitted to the cloud server.
The third module is the encryption unit. A text file that satisfies the filtering rule is encrypted into ciphertext. First, the data provider generates a session key: in the invention the HMAC algorithm is used, with SHA-256 as the hash function and a seed key generated locally by the data provider as the HMAC key, and the resulting hash value serves as the session key. Because HMAC-SHA256 outputs 256 bits, the session key is 256 bits long, which matches the requirements. The text file is then encrypted with the session key using the Twofish symmetric cipher, producing the data ciphertext file.
The fourth module is a transmission unit, and the encrypted file is safely uploaded to a special shared folder.
As shown in fig. 3, the data provider provides a seed key and a text file to generate a session key, comprising the following processes:
step 1: calculating the internal key value using an XOR operation, xoring the seed key with 0x36, producing an internal key value (also referred to as ipad);
step 2: calculating the external key value uses an XOR operation, xoring the seed key with 0x5C, yielding another internal key value (also referred to as opad);
Step 3: constructing an internal hash to connect the ipad with the text file, and inputting the result into the step 4;
Step 4: the external hash is constructed by performing a calculation, concatenating opad with the internal hash value, and inputting the result into the selected hash function for calculation, the final HMAC value being the output of the external hash, which is a fixed-length hash value, i.e., the session key.
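The four steps of fig. 3 carried out literally, as an added example in Go that is not code from the patent. The only assumption beyond the text is the one HMAC (RFC 2104) imposes and the figure leaves implicit: the seed key is zero-padded to the 64-byte SHA-256 block (or hashed first if longer) before the 0x36/0x5C XORs. The step-by-step construction is checked against crypto/hmac and against RFC 4231 test case 2; the seed key and text are those test-vector inputs, not data from the page.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// sha256BlockSize is the input block size of SHA-256 in bytes (B in RFC 2104).
const sha256BlockSize = 64

// normalizeSeedKey brings the seed key to exactly one hash block: a key longer
// than the block is hashed first, a shorter one is zero-padded on the right.
// Fig. 3 XORs "the seed key" directly with 0x36/0x5C; without this step the
// construction is only HMAC for seed keys of exactly 64 bytes.
func normalizeSeedKey(seed []byte) []byte {
	if len(seed) > sha256BlockSize {
		sum := sha256.Sum256(seed)
		seed = sum[:]
	}
	padded := make([]byte, sha256BlockSize)
	copy(padded, seed)
	return padded
}

// xorPad returns k with every byte XORed against pad (ipad = 0x36, opad = 0x5C).
func xorPad(k []byte, pad byte) []byte {
	out := make([]byte, len(k))
	for i := range k {
		out[i] = k[i] ^ pad
	}
	return out
}

// SessionKey follows the four steps of Fig. 3:
//   step 1: ipadKey = K XOR 0x36
//   step 2: opadKey = K XOR 0x5C
//   step 3: inner   = SHA-256(ipadKey || text file)
//   step 4: outer   = SHA-256(opadKey || inner)  -> 256-bit session key
func SessionKey(seed, text []byte) []byte {
	k := normalizeSeedKey(seed)
	inner := sha256.New()
	inner.Write(xorPad(k, 0x36))
	inner.Write(text)
	outer := sha256.New()
	outer.Write(xorPad(k, 0x5C))
	outer.Write(inner.Sum(nil))
	return outer.Sum(nil)
}

// SessionKeyHex is SessionKey as a lowercase hex string.
func SessionKeyHex(seed, text []byte) string { return hex.EncodeToString(SessionKey(seed, text)) }

// MatchesStdlib reports whether the step-by-step construction agrees with
// crypto/hmac for the given inputs, i.e. whether it really is HMAC-SHA256.
func MatchesStdlib(seed, text []byte) bool {
	m := hmac.New(sha256.New, seed)
	m.Write(text)
	return hmac.Equal(m.Sum(nil), SessionKey(seed, text))
}

func main() {
	// RFC 4231 test case 2: key "Jefe", data "what do ya want for nothing?".
	seed, text := []byte("Jefe"), []byte("what do ya want for nothing?")
	fmt.Println("session key:", SessionKeyHex(seed, text))
	fmt.Println("agrees with crypto/hmac:", MatchesStdlib(seed, text))
}
```

The derived key is a deterministic function of the seed key and the text file, which is exactly what lets the provider regenerate it in step 3 of the method; it also means the seed key must be kept as confidential as the session key itself.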
As shown in fig. 4, a schematic structure diagram of a data requesting party requesting a cloud service to download a data file is provided in the present invention, and the structure diagram is composed of four modules, and the specific contents of each module are as follows:
the first module is the transmission unit: the data requester and the data provider establish communication and exchange the requester's public key, identity authentication and the data request. When this communication is finished, the data provider grants the data requester download authority for the shared folder.
The second module is the ciphertext files: the data requester asks the cloud service to download the compressed file from the shared folder and decompresses it, obtaining the session key ciphertext file (the session key encrypted under the requester's public key) and the data ciphertext file (the text file encrypted under the session key).
The third module is the decryption unit: the data requester decrypts the session key ciphertext file with its own private key to obtain the session key, and then decrypts the data ciphertext file with the session key to obtain the text file.
The fourth module is the plaintext file: the decrypted text file plaintext is the data requested by the data requester; it has already been filtered by the data provider and contains no sensitive data.
As shown in fig. 5, an overall architecture diagram of service system data sharing is provided for the present invention, which includes a data provider, a session key for encrypting text files, a seed key for generating the session key, a data requester, and the central shared folder. The diagram shows the complete data sharing flow: the data provider encrypts the text file with the session key, encrypts the session key with the requester's public key, compresses the two ciphertext files together and uploads the compressed file to the shared folder. The data requester then downloads the compressed file from the shared folder, decompresses it, recovers the session key with its own private key and decrypts the data ciphertext with that session key, finally obtaining the required text file.
According to the illustration of fig. 5, a complete process of data sharing, data file tracing and checking is described for a data provider with a data requester, comprising the following processes:
Step 1: the data request sends a data sharing request to the data provider, and the data provider analyzes and processes the shared data and uploads the shared data to the shared folder after receiving the data request of the data requester.
The method comprises the following steps:
step 1.1: the data requesting party and the data provider establish data sharing, the data requesting party can locally generate a public-private key pair, and the data requesting party and the data provider establish a communication transmission public key, perform identity authentication and data request to obtain the downloading authority of the shared folder;
Step 1.2: the data provider locally generates a seed key and obtains related information such as a public key, identity information, data request content and the like, and the data provider stores the seed key and the related information into a user form;
Step 1.3: the data provider filters data according to the filtering rules to generate text files which are also shared files, and simultaneously generates backup files locally and records the backup files in a user form so as to be convenient for tracing and verification;
step 1.4: and filtering and screening the data according to the data request of the data requesting party, converting the shared data conforming to the filtering rule into a text file, and carrying out local backup and recording in a user form.
Step 1.5: the data provider generates a session key according to the HMAC algorithm using the saved seed key and the generated text file, and since the session key is generated by the message digest algorithm, the data provider can determine the integrity of the data according to the plaintext and the session key. ;
step 1.6: the text file is encrypted by using a session key in a symmetrical encryption mode Twoflish, and the encryption result outputs a data ciphertext file;
Step 1.7: the public key is used for encrypting the session key in an asymmetric encryption mode, and the encryption result outputs a session key ciphertext file;
step 1.8: and compressing the data ciphertext file and the session key ciphertext file in the same file to generate a compressed file and uploading the compressed file to the shared folder.
Step 2: the data requesting party requests the cloud service to download the shared data, and decrypts the downloaded ciphertext to obtain the plaintext of the shared data.
The method comprises the following steps:
step 2.1: the data requesting party downloads the compressed file through the authority and decompresses the compressed file to obtain a data ciphertext file and a session key ciphertext file;
step 2.2: the data requesting party obtains the session key by decrypting the session key ciphertext file through the private key held by the data requesting party;
Step 2.3: the data ciphertext file is decrypted by the session key plaintext, and the result is a text file plaintext which is also the requested shared data.
In the network disk system, when a data requester asks the cloud service to access a shared file, the system not only provides the requested data access but also automatically performs a backup of the file once the data requester has downloaded it. This step is critical because it allows the system to trace the source and content of the file and to confirm that no sensitive information was misdelivered or leaked during sharing. Step 2 thus ensures the security of the data during transmission while giving the data requester a compact and efficient way to access and use the data.
Step 3: because the data provider's filtering rules are updated over time and the criteria for sensitive data change, the data provider traces and checks the shared data files that have already been uploaded.
The method comprises the following steps:
step 3.1: the data provider performs tracing and checking according to the local user form inquiry and the shared data corresponds to the compressed file in the shared folder and downloads the compressed file;
Step 3.2: generating a session key through an HMAC algorithm by using the local backup file and the seed key;
Step 3.3: decompressing the downloaded compressed file to obtain a ciphertext file, and decrypting to obtain a corresponding text file plaintext;
Step 3.4: and the text file plaintext is matched with the backup file to judge whether the filtering rule is correctly executed, namely whether sensitive data exist.
The method integrates high configurability, traceability, confidentiality and verifiability, and aims to create a safe and efficient data sharing environment that conforms to data protection standards. By using the network disk system, rights management is strengthened, the user experience is improved and sensitive data is protected. Through the combination of precise rights settings and carefully implemented strategies, the network disk system not only provides a secure and efficient data sharing platform but also ensures the integrity and traceability of data, meeting the individual and specialized requirements of enterprises. Applying the method secures the data and gives enterprises a smoother and more efficient working experience.
Claims (7)
1. The network disk-based verifiable data security sharing method is characterized by comprising the following steps of:
Step 1: the data provider receives the data request of the data requester, processes and analyzes the data according to the data request to form a data text file which can be shared; the data provider encrypts the shared text file to form a data file ciphertext and transmits the data file ciphertext to the shared folder;
Step 2: the data requesting party requests data of cross organization and cross region;
The method comprises the steps that a data request party and a data provider establish communication transmission data requests in advance, and when the data request party needs to acquire data, the data request party accesses a shared folder stored on a cloud server to download a required data file, and decrypts the data file according to held information to acquire a text file plaintext;
step 3: the data provider performs tracing and verification on the uploaded shared text file.
2. The network disk-based verifiable data security sharing method as claimed in claim 1, wherein the step 1 comprises the steps of:
Step 1.1: the data of each data provider originates from a plurality of users; the data provider is responsible for processing and analyzing the data submitted by the users, and the data conforming to the filtering rules form a data file which can be shared; in the process, different data providers need to keep data independence, and cannot access or share data files mutually;
Step 1.2: when the data provider generates a text file each time, a session key is re-created to encrypt shared content, and a data ciphertext file is generated;
step 1.3: the data provider encrypts a session key by using a public key transmitted by the data requester to generate a session key ciphertext file;
step 1.4: compressing the result of the two encryption in the same file, generating a shared data file ciphertext, and uploading the shared data file ciphertext to a cloud server hosted in a network disk; these data files are stored in a special shared folder; after the data provider uploads the file, corresponding data information is recorded in a local user form;
Wherein the data provider will obtain data request requirements from different data requesters; the data provider records and backs up the content of each data request; the local backup files and the data files have the same file names and different file suffixes;
The data provider creates a user form locally, the form record comprising: each user identity information with which data sharing is implemented, a local backup text file, a public key, a seed key, and time.
3. The method for securely sharing verifiable data based on network disk as claimed in claim 2, wherein in step 1.2 the session key is generated with the HMAC algorithm and the generated hash value is used as the session key; the hash function is chosen according to the required key length, and the HMAC key is a seed key generated locally by the data provider.
4. The method for securely sharing verifiable data based on network disk as claimed in claim 2, wherein in step 1.2 the text file is encrypted with the session key using the Twofish cipher.
5. The method of claim 2, wherein in step 1.4 there are a plurality of shared folders in the server hosted by the network disk, each shared folder being created for one data requester's sharing request; through rights settings each data provider has access only to the shared folders it created, and data providers do not share data with each other; each time the data provider establishes data sharing with a data requester, the data provider creates a dedicated shared folder in the cloud server and sets the corresponding rights through a third-party program.
6. The network disk-based verifiable data security sharing method as claimed in claim 1, wherein the step 2 comprises the steps of:
Step 2.1: the data requesting party and the data providing party establish communication to transmit data request content and public key, and request downloading authority of files in a shared folder in the cloud server;
the data requesting party can download all data files in the shared folder of the data provider; the data requesting party only has the authority of downloading the data file and can not upload the file to the shared folder;
Step 2.2: the data requesting party uses the held private key to decrypt the session key ciphertext file to obtain the session key;
Step 2.3: the data requesting party decrypts the text file according to the ciphertext file by using the decrypted session key Wen Duishu to obtain a text file plaintext;
In step 2, the shared data file is stored in the cloud.
7. The network disk-based verifiable data security sharing method of claim 1, wherein step 3 comprises the steps of:
Step 3.1: the data provider performs tracing and verification on the data file, downloads the data file from the network disk, and obtains a local backup file matched with the local user form by inquiring the record information of the local user form;
step 3.2: and checking the content of the local backup file, and checking whether the content of the data file is matched with the content of the backup text file or not, and whether the uploading file of the data provider accords with the filtering rule or not, so as to judge whether sensitive data exists or not.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202410374682.6A CN119026160A (en) | 2024-03-29 | 2024-03-29 | A method for secure sharing of verifiable data based on network disk |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN119026160A true CN119026160A (en) | 2024-11-26 |
Family
ID=93532986
- 2024-03-29: CN application CN202410374682.6A filed; published as CN119026160A; status Pending
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||