Detailed Description
In order to make those skilled in the art better understand the technical solutions in the embodiments of the present specification, the technical solutions in the embodiments of the present specification will be described in detail below with reference to the drawings in the embodiments of the present specification, and it is obvious that the described embodiments are only a part of the embodiments of the present specification, and not all the embodiments. All other embodiments derived by one of ordinary skill in the art from the embodiments given herein are intended to fall within the scope of the disclosure.
Currently, public and private key pairs in cryptography have wide application in network security, where users can digitally sign based on their own private keys.
When a user stores data in the trusted ledger database, the user needs to digitally sign the stored data with the user's private key, so that the user cannot later repudiate the data. After receiving the data to be stored sent by the user, the trusted ledger database can verify the digital signature using the user's public key. If the verification passes, the data to be stored can be stored in the trusted ledger database.
In theory, the private key is held only by the user, so the digital signature can be used to prove the identity of the user and to prevent repudiation by the user. If the private key is lost, network security problems can arise. For example, it is difficult for a user to digitally sign after losing a private key; or a lawbreaker can use the private key lost by the user to digitally sign illegal data, so that the illegal data is stored in the trusted ledger database, and it is difficult to tell that the operation was not performed by the user.
In general, the private key of the user is stored locally and is easily lost.
In order to avoid the loss of the public and private key pair of the user, the specification provides a data storage method, wherein data storage refers to storing data in a trusted ledger database.
A trusted ledger database is a technique that ensures, at the technical level, that stored data is not modified. The trusted ledger database is explained below.
The trusted ledger database may be maintained by a trusted storage side. The trusted ledger database may be a centralized database. Data storage based on the trusted ledger database therefore has higher storage efficiency and lower storage cost than decentralized or distributed data storage schemes.
The structure of the trusted ledger database may be the same as that of a general database or the same as a blockchain structure. In an alternative embodiment, the trusted ledger in the trusted ledger database may be a blockchain ledger. This specification does not limit this. If the structure of the trusted ledger database is the same as the blockchain structure, it is difficult to modify the stored information, because a modification would require every subsequent block to be modified and recalculated.
The trustworthiness of the trusted ledger database is reflected in the following 3 aspects.
1. Global Merkle tree.
Each piece of information in the trusted ledger database corresponds to one leaf node of the global Merkle tree.
In an alternative embodiment, for each piece of information in the trusted ledger database, a hash value of the information may be calculated as a leaf node and added to the global Merkle tree.
In the global Merkle tree, a new hash value may be calculated from the hash values corresponding to two child nodes (specifically, the two hash values may be added and the hash value of the sum calculated, or the two hash values may be concatenated and the hash value of the concatenation result calculated) and used as the parent node of the two child nodes. By continuing to calculate parent nodes in this way, the hash value corresponding to the root node of the global Merkle tree is determined.
To facilitate understanding of the global Merkle tree, Fig. 1 is a schematic structural diagram of a global Merkle tree provided in this specification.
Two global Merkle tree structures are included. In one structure, the leaf nodes are grouped in pairs and a parent node is calculated for each pair; the calculated nodes are then grouped in pairs again to calculate their parent nodes. If a group is missing one child node, the hash value corresponding to the single child node can be copied, so that there are two child nodes from which to calculate the parent node. By continuing to calculate parent nodes, the hash value corresponding to the root node (i.e., the root hash) is finally determined.
In the other structure, each newly added leaf node and the current root node are used together as two child nodes, a parent node is calculated from them, and the calculated parent node becomes the new root node.
It is understood that, in an alternative embodiment, for each piece of information added to the trusted ledger database, a corresponding hash value may be calculated to obtain a leaf node, and the updated root hash is then calculated either by the pairwise grouping described above or from the leaf node and the current root node.
In an alternative embodiment, at preset time points (i.e., periodically or aperiodically), the root hash corresponding to the time point may be returned to the client. Because the client retains the historical root hashes, the client is able to verify whether the trusted storage side has modified the information, and can thereby discover a modification.
It should be noted that the global Merkle tree need not be updated continuously. That is, instead of updating the global Merkle tree and the root hash every time a piece of information is stored, the global Merkle tree and the root hash may be updated from all stored information at the moment a root hash needs to be generated and returned to the client, which improves the utilization of computing resources and reduces the delay of storage.
The global Merkle tree associates all the information in the trusted ledger database. If any piece of information is subsequently modified, the whole global Merkle tree has to be modified and the parent nodes and the root hash recalculated. This increases the difficulty of subsequently modifying information, so that it is difficult for the trusted storage side to modify the information stored in the trusted ledger database. Trusted storage is thus achieved at the technical level, without relying on trust at the business level.
2. Multi-party signatures.
In an alternative embodiment, the information in the trusted ledger database may be digitally signed by the device that sends the information, which prevents repudiation by that device and prevents subsequent modification of the information by the trusted storage side. If the trusted storage side subsequently modifies the information, the modified information no longer matches the digital signature, that is, signature verification fails.
In another alternative embodiment, in order to establish the time at which information was stored in the trusted ledger database, and also to prevent the trusted storage side from colluding with the information sender, a timestamp may be added to the information. To ensure the credibility of the timestamp, the trusted storage side may send the information (or a unique identifier of the information, such as a hash value of the information) to a trusted time service mechanism, which digitally signs the received information together with the current time point and returns the result to the trusted storage side. The trusted time service mechanism only signs based on the current time point. If the trusted storage side and the information sender collude and modify the stored information, the trusted time service mechanism cannot sign the information at a past time point and only signs based on the current time point, so a subsequent modification made at a different time point can be detected.
Because performing a trusted time service signature on every piece of information increases the storage delay, and because subsequent modification usually occurs a long time after the information is stored, the trusted time service signature can instead be performed at intervals, over all the information stored during the interval, or once every time a preset number of pieces of information have been stored. Either approach reduces the storage delay.
In addition, in an optional embodiment, after the trusted storage side stores a piece of information, it may return its own signature over the information to the information sender. The signature establishes that the trusted storage side has stored the information and makes it difficult for the trusted storage side to repudiate this.
3. Public network ledger.
In an alternative embodiment, the historical root hashes of the global Merkle tree may be stored in a public network ledger. The public network ledger can be read by any device on the public network, and the trusted storage side cannot determine which devices have obtained the historical root hashes from it. This public visibility deters the trusted storage side from subsequently modifying the historical root hashes and increases the degree of trustworthiness.
As the above analysis shows, the trusted ledger database achieves trusted storage at the technical level, without relying on trust at the business level.
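The two global Merkle tree structures and the retained-root check described above can be sketched as follows. This is an added example, not code from the specification; it assumes SHA-256 and concatenation of the child hashes, and the function and field names are illustrative.

```python
import hashlib


def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def pairwise_root(records):
    """First structure: hash nodes two by two, level by level, up to the root."""
    if not records:
        raise ValueError("no records")
    level = [h(r) for r in records]              # one leaf per stored record
    while len(level) > 1:
        if len(level) % 2:                       # lone child: copy its hash
            level.append(level[-1])
        level = [h(level[i] + level[i + 1]) for i in range(0, len(level), 2)]
    return level[0]


def chained_root(records, root=None):
    """Second structure: each new leaf and the current root form the new root."""
    for r in records:
        leaf = h(r)
        root = leaf if root is None else h(root + leaf)
    return root


def checkpoint(records):
    """What the storage side returns or publishes at one time point.
    The record count is included because copying a lone child makes
    [a, b, c] and [a, b, c, c] produce the same pairwise root."""
    return {"count": len(records),
            "pairwise": pairwise_root(records),
            "chained": chained_root(records)}


def audit(ledger, retained):
    """Client side: recompute every retained checkpoint from the ledger as it
    is now and return the counts of the checkpoints that no longer match."""
    failed = []
    for cp in retained:
        prefix = ledger[:cp["count"]]
        if len(prefix) < cp["count"] or checkpoint(prefix) != cp:
            failed.append(cp["count"])
    return failed


def demo():
    # Constructed sample records, with checkpoints retained after 2, 3 and 5.
    ledger = [b"record-1", b"record-2", b"record-3", b"record-4", b"record-5"]
    retained = [checkpoint(ledger[:n]) for n in (2, 3, 5)]
    tampered = list(ledger)
    tampered[2] = b"record-3 (modified after the fact)"
    return audit(ledger, retained), audit(tampered, retained)


if __name__ == "__main__":
    print(demo())
```

A modification to the third record invalidates every checkpoint taken at or after it and leaves the earlier one intact, which bounds when the modified record entered the ledger.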
Therefore, for the trusted ledger database, the user is required to digitally sign the data to be stored using the user's private key.
In order to protect the private key of the user from being leaked, the method provided by the specification further comprises a key server.
The key server may be a device providing key-related services; the specific services may include a key generation service, a key protection service, and the like.
In this specification, the key server may store at least one key generation algorithm, which may be used to generate a public-private key pair, and the key server may store the generated public-private key pair, so that only the user and an object authorized by the user can access the public-private key pair corresponding to the user, thereby improving the security of the public-private key pair.
A data storage method provided in the present specification is explained in detail below with reference to the drawings.
First, the devices involved in the method are explained. Fig. 2 is a structural diagram of a system to which the data storage method provided in this specification is applied. The system comprises a user side, a key server and a trusted storage side.
The user side may be a user device that needs to store data into the trusted ledger database, and the trusted storage side may be a device that maintains the trusted ledger database.
Fig. 3 is a schematic flow chart of a data storage method provided in this specification. The key server can generate and store a public-private key pair in advance according to a request of the user side, and can return to the user side the unique identifier that the public-private key pair has locally at the key server. Thus, the key server stores a public-private key pair generated in advance according to the request of the user side, and the user side stores the unique identifier that the public-private key pair has locally at the key server.
The key server is explained below.
In an alternative embodiment, the key server may store at least two key generation algorithms.
The request of the user side can specify one of the at least two key generation algorithms stored in the key server, so that the key server generates and stores a corresponding public-private key pair. That is, the key server can generate and store the corresponding public-private key pair in advance according to the key generation algorithm that the request of the user side specifies among the at least two key generation algorithms.
In another alternative embodiment, the key server may generate and store a public-private key pair in advance according to key parameters in the request of the user side; or the key server may, in advance and according to the request of the user side, generate and store a public-private key pair using a locally generated random number as the key parameter.
In order to further improve the security of the public-private key pair, especially the security of the private key, and prevent the private key from being revealed to the key server, in an alternative embodiment, the key server may be deployed with a trusted execution environment; the trusted execution environment is completely isolated from the normal execution environment, and the key server cannot normally acquire data in the trusted execution environment. Therefore, the generation process of the public-private key pair can be executed in the trusted execution environment, so that it is difficult for the key server to determine the specific generation process and the generated public-private key pair, and the generated public-private key pair can also be stored in the trusted execution environment.
Specifically, according to a request of the user side, the key server generates the public-private key pair in the trusted execution environment and stores it in the trusted execution environment.
Of course, in order to prevent the generated public-private key pair from being lost, in an alternative embodiment, the key server may include a plurality of devices, and the public-private key pair generated by the key server is stored on each device through distributed storage. The backups on the plurality of devices prevent the public-private key pair from being lost. Specifically, the key server may include a main device and at least one standby device, where the main device stores the generated public-private key pair and the standby devices store backups of it.
The specific data storage method is explained below; it may include at least the following steps.
S101: The user side sends a signature request to the key server, where the request includes a hash value of the data to be stored and the unique identifier of a designated public-private key pair.
S102: The key server determines the corresponding designated public-private key pair according to the unique identifier, encrypts the hash value of the data to be stored using the private key in the designated public-private key pair to obtain a digital signature, and returns the digital signature to the user side.
Corresponding to the above-mentioned embodiments related to the trusted execution environment, in an alternative embodiment, since the public-private key pair is stored in the trusted execution environment of the key server, the process of obtaining the digital signature may also be executed in the trusted execution environment.
Specifically: among the public-private key pairs stored in the trusted execution environment, the corresponding designated public-private key pair is determined according to the unique identifier; then, in the trusted execution environment, the hash value of the data to be stored is encrypted using the private key in the designated public-private key pair to obtain the digital signature.
S103: The user side sends the data to be stored and the digital signature to the trusted storage side; the trusted storage side maintains a trusted ledger database.
S104: The trusted storage side verifies the digital signature based on the public key in the designated public-private key pair provided by the key server; if the verification passes, the data to be stored is stored into the trusted ledger database.
The following explains how the key server provides the public key to the trusted storage side.
In an alternative embodiment, the key server determines, according to authorization from the user side, that the public key can be provided to the trusted storage side. That is, the key server may receive an authorization request sent by the user side, where the authorization request may include an identifier of the trusted storage side and the unique identifier of a designated public-private key pair.
The identifier of the trusted storage side can be used for sending data to the trusted storage side; the unique identifier of the designated public-private key pair can be used to determine the single designated public-private key pair that the user side authorizes the trusted storage side to obtain.
Based on the authorization request, the key server can directly send the public key to the trusted storage side, so that the trusted storage side can store the public key; or the trusted storage side can request the public key from the key server when it needs to verify a digital signature, and the key server determines the corresponding authorized public key (namely, the public key that the trusted storage side is allowed to obtain) according to the identifier of the trusted storage side.
Specifically, in an alternative embodiment, the key server may determine the designated public-private key pair according to the unique identifier in the authorization request, and send the public key in the designated public-private key pair to the trusted storage side based on the identifier of the trusted storage side.
In another alternative embodiment, based on the authorization request, the key server allows the trusted storage side to obtain, from the key server, the public key in the designated public-private key pair.
Because the trusted storage side may be authorized for a plurality of public-private key pairs, that is, it may be allowed to obtain the public keys of a plurality of public-private key pairs at the key server, when the trusted storage side obtains the public key in the designated public-private key pair from the key server, the corresponding at least one public-private key pair may be determined among the plurality of public-private key pairs based on the user identifier or the unique identifier of the designated public-private key pair.
Of course, because the security requirement of the public key is not high, the trusted storage side can also directly obtain the public keys in all the public-private key pairs it is authorized for, which makes subsequent signature verification easier because the public keys do not need to be obtained from the key server again.
Through the above method flow, the public-private key pair is generated and stored at the key server, and the key server must participate whenever the private key is used for signing or the public key is obtained: for example, the key server digitally signs the data to be stored, and the trusted storage side obtains the public key from the key server in order to verify the digital signature. The public-private key pair is not stored locally at the user side, and the key server only allows the user and an object authorized by the user to obtain the public key, so that the security of the public-private key pair is improved and the public-private key pair is difficult to lose or to leak from the key server.
In addition, the security of the public and private key pair can be further improved by means of a trusted execution environment and distributed storage backup, and the public and private key pair is prevented from being lost or leaked.
For further understanding, fig. 4 is an interaction diagram of a data storage method provided in this specification.
The interaction involves a user side, a key server and a trusted storage side.
A specific interaction flow may include the following two phases, a key generation phase and a data storage phase.
The key generation phase may include the following steps.
The user side sends a key generation request to the key server; the request may be used to determine, among at least two key generation algorithms stored at the key server, the key generation algorithm with which to generate a public-private key pair for the user.
The key server generates the public-private key pair of the user based on the determined key generation algorithm, stores it locally, and returns the unique identifier corresponding to the public-private key pair to the user side, so that the user side can use the unique identifier to designate the public-private key pair for digital signature.
The user side sends an authorization request to the key server; the request may be used to cause the key server to allow the trusted storage side to use the public key of a designated public-private key pair. For details, reference may be made to the above explanation of the method flow.
The key generation phase is now complete.
The data storage phase may include the following steps.
The user side sends a signature request to the key server; the request may include a hash value of the data to be stored and the unique identifier of a designated public-private key pair.
The key server determines, among the stored public-private key pairs, the corresponding designated public-private key pair according to the unique identifier, encrypts the hash value of the data to be stored using the private key in the designated public-private key pair to obtain a digital signature, and returns the digital signature to the user side.
The user side sends the data to be stored and the digital signature to the trusted storage side.
The trusted storage side sends a public key acquisition request to the key server, and the key server can return to the trusted storage side all public keys that the trusted storage side is allowed to obtain.
The trusted storage side verifies the received digital signature based on the public key in the designated public-private key pair; after confirming that the verification passes, it stores the data to be stored into the trusted ledger database.
At this point, the data storage phase is complete.
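The key generation phase and steps S101 to S104 can be traced in code. The following is an added example, not code from the specification. It assumes unpadded RSA over a SHA-256 hash as the key generation algorithm (demonstration only; a deployment would use a padded signature scheme), an `owner` string standing in for an authenticated user, and illustrative class and method names.

```python
import hashlib
import secrets
import uuid

E = 65537  # RSA public exponent


def sha256_digest(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def _is_probable_prime(n: int, rounds: int = 20) -> bool:  # Miller-Rabin
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _prime(bits: int) -> int:
    while True:
        c = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if c % E != 1 and _is_probable_prime(c):  # c % E != 1 keeps E invertible
            return c


class KeyServer:
    """Private exponents stay inside this object; `owner` is an assumed login."""
    def __init__(self):
        self._pairs = {}      # key_id -> (owner, n, d)
        self._grants = set()  # (key_id, storage_id) pairs the owner authorized

    def _owned(self, owner, key_id):
        pair = self._pairs.get(key_id)
        if pair is None or pair[0] != owner:
            raise PermissionError("unknown key id or caller is not the owner")
        return pair

    def generate(self, owner):                 # key generation phase
        p, q = _prime(384), _prime(384)
        key_id = uuid.uuid4().hex
        self._pairs[key_id] = (owner, p * q, pow(E, -1, (p - 1) * (q - 1)))
        return key_id                          # only the identifier is returned

    def authorize(self, owner, key_id, storage_id):
        self._owned(owner, key_id)
        self._grants.add((key_id, storage_id))

    def sign(self, owner, key_id, digest: bytes) -> int:      # S101 / S102
        _, n, d = self._owned(owner, key_id)
        return pow(int.from_bytes(digest, "big"), d, n)  # unpadded: demo only

    def public_key(self, storage_id, key_id):
        if (key_id, storage_id) not in self._grants:
            raise PermissionError("storage side not authorized for this key")
        return self._pairs[key_id][1], E


class TrustedStorage:
    def __init__(self, storage_id, key_server):
        self.storage_id, self.key_server, self.ledger = storage_id, key_server, []

    def store(self, key_id, data: bytes, signature: int) -> bool:  # S103 / S104
        n, e = self.key_server.public_key(self.storage_id, key_id)
        if pow(signature, e, n) != int.from_bytes(sha256_digest(data), "big"):
            return False
        self.ledger.append((key_id, data, signature))
        return True
```

The storage side recomputes the hash from the data it actually received instead of accepting a hash from the sender, so altered data fails verification under the same signature.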
The present specification also provides a system embodiment. Fig. 5 is a schematic structural diagram of a data storage system provided in this specification. The system may include: a user side 201, a key server 202 and a trusted storage side 203.
The key server 202 may store a public-private key pair generated in advance according to a request of the user side, and the user side 201 stores the unique identifier that the public-private key pair has locally at the key server 202.
The user side 201 may be configured to: send a signature request to the key server 202, where the request includes a hash value of the data to be stored and the unique identifier of a designated public-private key pair.
The key server 202 may be configured to: determine the corresponding designated public-private key pair according to the unique identifier, encrypt the hash value of the data to be stored using the private key in the designated public-private key pair to obtain a digital signature, and return the digital signature to the user side 201.
The user side 201 may be configured to: send the data to be stored and the digital signature to the trusted storage side 203; the trusted storage side 203 may maintain a trusted ledger database.
The trusted storage side 203 may be configured to: verify the digital signature based on the public key in the designated public-private key pair provided by the key server 202; and, if the verification passes, store the data to be stored into the trusted ledger database.
The key server 202 may store at least two key generation algorithms, and may be specifically configured to: generate and store a corresponding public-private key pair in advance according to the key generation algorithm that the request of the user side specifies among the at least two key generation algorithms.
The key server 202 may be specifically configured to: generate and store a public-private key pair in advance according to key parameters in the request of the user side; or, in advance and according to the request of the user side, generate and store a public-private key pair using a locally generated random number as the key parameter.
The key server 202 may be deployed with a trusted execution environment; correspondingly, the key server 202 may be specifically configured to: in advance and according to a request of the user side, generate the public-private key pair in the trusted execution environment and store it in the trusted execution environment.
The key server 202 may be specifically configured to: determine, among the public-private key pairs stored in the trusted execution environment, the corresponding designated public-private key pair according to the unique identifier; and, in the trusted execution environment, encrypt the hash value of the data to be stored using the private key in the designated public-private key pair to obtain the digital signature.
The key server 202 may also be configured to: receive an authorization request sent by the user side, where the authorization request includes an identifier of the trusted storage side and the unique identifier of a designated public-private key pair; and, based on the authorization request, allow the trusted storage side to use the public key in the designated public-private key pair.
For a related explanation of the system embodiments reference may be made to the method embodiments described above.
The foregoing is only a detailed description of the embodiments of the present disclosure. It should be noted that those skilled in the art can make a number of improvements and refinements without departing from the principle of the embodiments of the present disclosure, and these improvements and refinements should also be regarded as falling within the scope of protection of the embodiments of the present disclosure.