Disclosure of Invention
The invention aims to overcome at least one defect of the prior art and provides a storage method and electronic equipment based on a multi-cloud architecture. It addresses the problem that a single service provider can obtain the data a user uploads to a cloud service platform, which exposes the user data to the risk of being transferred and illegally used by that service provider.
The technical scheme adopted by the invention is as follows:
A storage method based on a multi-cloud architecture comprises the following steps:
classifying a cloud service platform into a plurality of sub-level clouds, the sub-level clouds belonging to different service providers;
receiving user data and verifying it;
partitioning the user data that passes verification to obtain a plurality of data modules;
distributing the data modules to the sub-level clouds of at least two service providers for storage;
and encrypting the data of the data modules stored on the sub-level clouds.
As a further aspect of the present invention, receiving user data and verifying it includes:
receiving user data, the user data including identity information and information to be stored;
identifying the identity information to determine the identity of the user;
if the identification fails, re-identifying the identity information;
if the identification passes, performing scanning and a security check on the information to be stored;
if the scanning or the security check fails, receiving the information to be stored again;
and if the scanning and the security check pass, compressing the information to be stored.
As a further aspect of the present invention, the data partitioning is performed on the user data passing the verification to obtain a plurality of data modules, including:
splitting the compressed information to be stored to obtain a plurality of data modules;
acquiring authority information; and the permission information is used for setting the permission of the sublevel cloud.
As a further aspect of the present invention, distributing the plurality of data modules to the sub-level clouds of at least two service providers for storage includes:
performing a first encoding encryption on the plurality of data modules;
distributing the data modules that have undergone the first encoding encryption to the sub-level clouds of the corresponding service providers for storage;
setting the permissions of the corresponding sub-level cloud according to the permission information;
and generating a key according to the address of the sub-level cloud and the permission information, and feeding the key back to the user.
As a further aspect of the present invention, encrypting the data of the data modules stored on the sub-level clouds includes:
performing a second encoding encryption on the data module stored on each sub-level cloud, the data module of each sub-level cloud being encrypted with a different algorithm.
As a further aspect of the present invention, the encryption algorithm of the second encoding encryption includes: symmetric encryption algorithms, asymmetric encryption algorithms, and hash algorithms.
As a further aspect of the present invention, the symmetric encryption algorithm includes: electronic codebook mode (ECB), cipher block chaining mode (CBC), cipher feedback mode (CFB), output feedback mode (OFB) and counter mode (CTR).
As a further aspect of the invention, the classification is implemented by a subnet mask.
As a further aspect of the present invention, the scanning includes: format name confirmation, information filtering, information deduplication and information arrangement.
A multi-cloud architecture based storage system comprising:
the classification module is used for classifying the cloud service platform into a plurality of sub-level cloud ends; the plurality of sub-level cloud ends belong to different service providers;
the verification module is used for receiving user data and verifying the user data;
the partition module is used for carrying out data partition on the user data passing the verification to obtain a plurality of data modules;
the dividing module is used for dividing the data modules into the sub-level cloud ends of at least two service providers for storage;
and the encryption module is used for encrypting the data of the data module stored on the sublevel cloud.
Compared with the prior art, the invention has the following beneficial effects. The user data is divided into data modules that are stored separately on sub-level clouds belonging to different service providers, which effectively prevents the data from being transferred and illegally used by the cloud service providers. On this basis, by applying the first encoding encryption and the second encoding encryption to the data modules, the scheme not only enjoys the protection of the cloud service platform but also prevents the service providers of the cloud servers from exchanging user data with one another, further improving the security of user data. In addition, the scheme ensures data consistency by scanning the data modules and re-examining and verifying their data. The scanning can check whether the data conforms to the specification according to the reasonable value range of each variable and the relationships between variables, and can find data that is outside the normal range, logically unreasonable or contradictory. The scheme also performs a security check on the user data, which effectively prevents intrusion by cloud viruses.
Detailed Description
The drawings are only for purposes of illustration and are not to be construed as limiting the invention. For a better understanding of the following embodiments, certain features of the drawings may be omitted, enlarged or reduced, and do not represent the size of an actual product; it will be understood by those skilled in the art that certain well-known structures in the drawings and descriptions thereof may be omitted.
Examples
The embodiment provides a storage method based on a multi-cloud architecture, as shown in fig. 1, including:
S10, classifying the cloud service platform into a plurality of sub-level clouds; the sub-level clouds belong to different service providers;
The cloud service platform effectively overcomes the high management difficulty and weak business scalability of traditional physical renting and VPS services. It can be configured according to the needs of users, adjusted flexibly, supplied and deployed quickly, and scaled elastically within a cluster.
The sub-level clouds into which the cloud service platform is classified belong to different service providers, so that data is stored independently; this avoids storing all the data on the cloud server of a single service provider, where it could easily be stolen in its entirety. The cloud service platform is also protected by a data partition unit and a data encryption unit. The data partition unit comprises a data partition module; the data encryption unit comprises an encryption device, and the encryption device comprises a firewall, digital encryption and instruction encryption. The partition module splits a complete piece of data into a plurality of sub-data, and the split data is protected by the encryption unit, thereby effectively preventing the danger of data theft.
As a further aspect of step S10, the classification is implemented by a subnet mask. The subnet mask is a virtual IP technique introduced to solve IP address allocation against the background of a shortage of IPv4 address resources. The cloud service platform is divided into a plurality of subnets through the subnet mask. On the one hand, this markedly improves the efficiency of IP address allocation and effectively relieves the shortage of IP address resources; on the other hand, a larger internal network is divided into a plurality of small-scale subnets that are interconnected using the routing function of a layer-3 switch, so that the network is better managed.
S20, receiving user data and verifying it;
In a preferred embodiment, step S20 includes:
receiving user data; the user data includes: identity information and information to be stored;
Before the user terminal uses the cloud service platform, identity information must be entered. The cloud service platform compares the entered identity information with the information in its database to determine the identity of the user. This avoids theft of cloud information to a certain extent and prevents the user data from being illegally used.
Identifying the identity information to determine the identity of the user. The following can be used as identity information: user ID, login password, certificate number, preset questions, sign information and the like. Identity verification can also be based on a shared key, in which the server side and the user share one password or a group of passwords. When identity information needs to be identified, the user submits it by typing it in or through a device that holds the password. After receiving the submitted identity information, the cloud service platform checks whether it is consistent with the identity information the platform has stored: if so, the user is judged to be a legitimate user; if not, the identification is judged to have failed and the user is required to submit new identity information.
If the identification fails, re-identifying the identity information;
if the identification passes, performing scanning and a security check on the information to be stored;
if the scanning or the security check fails, receiving the information to be stored again;
and if the scanning and the security check pass, compressing the information to be stored.
The scanning includes: format name confirmation, information filtering, information deduplication and information arrangement.
Scanning the information to be stored re-examines and verifies it. Format name confirmation ensures the validity of the file; information filtering screens out illegal content; information deduplication deletes repeated content in the information to be stored, saving storage space; information arrangement corrects existing errors and processes invalid values, missing values and the like.
The security check mainly compares virus codes with the information to be stored uploaded by the user: it selects keywords from the data and compares them with the binary program codes of viruses, and as soon as a defect is found it stops the upload and removes the virus, preventing the virus from invading the database and causing data leakage or collapse. Because the uploaded data is segmented, the data received before the defect was found can be stored by the cloud and is not lost.
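A sketch of the segmented signature comparison described above, as an added example that is not part of the patent text: it scans an upload segment by segment and keeps a short overlap so that a signature split across two segments is still found, and it reports which already-stored segment the match starts in. The signature patterns, function names and sample upload are constructed for illustration.

```python
# Constructed byte patterns standing in for a virus-code database.
# They are illustrative only and match no real malware.
SIGNATURES = {
    "demo-sig-1": b"\xde\xad\xbe\xefDEMO",
    "demo-sig-2": b"CONSTRUCTED-TEST-PATTERN",
}


def scan_segments(segments):
    """Scan upload segments in order and stop at the first signature hit.

    Returns a dict with:
      clean            True if no signature was found
      stored_segments  number of segments accepted before scanning stopped
      signature/offset name and absolute byte offset of the hit (if any)
      rollback_from    index of the segment where the match starts; it may
                       already be stored when the match straddles a boundary
    """
    longest = max(len(sig) for sig in SIGNATURES.values())
    tail = b""    # last (longest - 1) bytes already seen
    offset = 0    # absolute offset of the current segment
    starts = []   # absolute start offset of every segment seen so far
    for index, segment in enumerate(segments):
        starts.append(offset)
        window = tail + segment
        base = offset - len(tail)  # absolute offset of window[0]
        hits = [
            (window.find(sig), name)
            for name, sig in SIGNATURES.items()
            if sig in window
        ]
        if hits:
            pos, name = min(hits)  # earliest match wins
            match_at = base + pos
            first = max(i for i, s in enumerate(starts) if s <= match_at)
            return {
                "clean": False,
                "stored_segments": index,
                "signature": name,
                "offset": match_at,
                "rollback_from": first,
            }
        tail = window[-(longest - 1):] if longest > 1 else b""
        offset += len(segment)
    return {"clean": True, "stored_segments": len(segments)}


def naive_scan(segments):
    """Per-segment comparison without overlap; misses split signatures."""
    return any(sig in seg for seg in segments for sig in SIGNATURES.values())


# Constructed upload: demo-sig-1 is split across segments 1 and 2.
SAMPLE_UPLOAD = [b"hello ", b"world\xde\xad", b"\xbe\xefDEMO tail", b"more"]

if __name__ == "__main__":
    print("naive per-segment scan found a hit:", naive_scan(SAMPLE_UPLOAD))
    print("overlap scan result:", scan_segments(SAMPLE_UPLOAD))
```

In the sample, two segments have been stored when the hit is reported, but the match begins inside segment 1, so that segment has to be discarded as well rather than kept as clean data.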
S30, carrying out data partitioning on the user data passing the verification to obtain a plurality of data modules;
in a preferred embodiment, step S30 includes:
splitting the compressed information to be stored to obtain a plurality of data modules;
acquiring authority information; and the permission information is used for setting the permission of the sublevel cloud.
The data partition is used for dividing the information to be stored uploaded by the user so as to separate the information to be stored into a plurality of data modules; the information to be stored comprises files in various formats.
S40, distributing the plurality of data modules to the sub-level clouds of at least two service providers for storage;
The data modules are completely independent and are stored by different sub-level clouds, so that no relationship exists among them. The user data is stored separately on the sub-level clouds of two or more service providers, so even if a single sub-level cloud is breached, the data that leaks cannot cause great damage. In addition, because the data modules are distributed to different service providers for storage, a single service provider is prevented from obtaining all the data a user uploads to the cloud.
In a preferred embodiment, step S40 includes:
performing a first encoding encryption on the plurality of data modules;
distributing the data modules that have undergone the first encoding encryption to the sub-level clouds of the corresponding service providers for storage;
To deal with the risk of leakage of data stored in the cloud, encrypting the data is an effective solution. To ensure security, the encryption must be independent of the cloud service platform; that is, the encryption mechanism cannot be provided entirely by the cloud service platform unless the key can be proved to be invisible to the cloud platform. The first encoding encryption is as follows: a database or database engine with an encryption function encrypts the data of a data module when it is written to the sub-level cloud database. When the user later needs to read the data of the sub-level cloud, the data module is decrypted by the database or database engine. The database or database engine is selected by the user according to where the encryption takes place and the applicable scenario. This scheme adopts a Cloud Database Security Broker (CDSB): plaintext data can be obtained by accessing a sub-level cloud through the gateway, while accessing the sub-level cloud directly yields only ciphertext. This encryption mode is highly general and is suitable for both SaaS-type and IaaS-type databases.
In a SaaS-type database, the cloud service provider offers the user a packaged database; the user purchases a database service to obtain the right to use a database instance and can store and use their own data in it. Most cloud services currently provide such database services. In this scenario the cloud service provider holds root privileges on the OS hosting the database and therefore holds the highest database privileges, so it can operate directly on all of the user's data without difficulty.
In an IaaS-type database (a tenant's self-built database), the cloud service provider offers the user computing infrastructure, and the user installs the operating system and database after purchasing the service. Mainstream cloud service providers currently offer cloud hosts for purchase. Because the user installs the database, the cloud service provider cannot directly obtain the database contents. However, the data files of the database reside on storage provided by the cloud provider, and the provider can copy the user's data files directly to obtain the data.
The first encoding encryption encrypts each separated data module before it is written to the sub-level cloud database, so the sub-level cloud cannot open the data. This provides protection: once a data module is encrypted, user data cannot be stolen by copying it directly.
setting the permissions of the corresponding sub-level cloud according to the permission information;
and generating a key according to the address of the sub-level cloud and the permission information, and feeding the key back to the user.
The sub-level clouds are independent of one another; each sub-level cloud can only view the information it stores itself, and each sub-level cloud corresponds to a single key. If the user needs to obtain all the data uploaded to the cloud, the corresponding key must be supplied to each sub-level cloud. A connection with the corresponding sub-level cloud is established through the key; the sub-level cloud receives the key and identifies it, and after the key is successfully identified, the information stored by the user is transmitted. The key comprises: the address of the sub-level cloud, the service provider to which the sub-level cloud belongs, and the permission information. The address of the sub-level cloud is distributed to the cloud service platform, and the service provider and the permission information of the sub-level cloud are set for the user. The permission information includes: visitor ID, access password and access rights. Because the complete set of keys is held only by the user, each service provider has access rights only to its own sub-level cloud, cannot obtain all the data modules uploaded by the user, and cannot know the relationships among the data modules, which guards against the service providers behind the clouds exchanging data with one another.
The cloud service platform takes the initial user of a sub-level cloud as the owner of that sub-level cloud's key. In this scheme, the key management function of the whole encryption and decryption system forms a closed loop through the key, and the cloud service platform provides a key management entry point that supports generating and modifying keys. When a key is generated or modified, the sub-level cloud performs a backup operation at the same time: the key is encrypted and backed up in the corresponding area, separate from user data. The cloud service platform sets the corresponding key from the permission information entered by the user and completes key distribution through communication software, e-mail and similar means. When the cloud service platform has verified that the permission information entered by the user is correct, the sub-level cloud writes the permission information to the storage medium through the corresponding path.
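The subnet-mask classification of S10 and the split, encrypt-before-upload and per-sub-level-cloud key steps of S30 and S40, put together as an added example that is not code from the patent. It assumes a user-held master secret (the text only says the key is generated from the sub-level cloud address and the permission information), hypothetical provider names and a constructed address range, and it uses an HMAC-SHA256 keystream with a MAC as a standard-library stand-in for the vetted authenticated cipher a deployment would use.

```python
import hashlib
import hmac
import ipaddress
import secrets
import zlib

# Constructed platform range, split by subnet mask into sub-level clouds (S10).
PLATFORM_NET = ipaddress.ip_network("10.20.0.0/22")
PROVIDERS = ["provider-a", "provider-b", "provider-c"]  # hypothetical names
SUB_CLOUDS = list(zip(PROVIDERS, PLATFORM_NET.subnets(new_prefix=24)))


def derive_key(master, address, permission):
    """Per-sub-cloud key bound to the sub-cloud address and permission info.

    `master` is a user-held secret (an assumption of this example), so a
    provider that knows its own address and permissions cannot rebuild the key.
    """
    info = f"{address}|{permission}".encode()
    return hmac.new(master, b"sub-cloud-key|" + info, hashlib.sha256).digest()


def _subkey(key, label):
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(key, nonce, length):
    # Stand-in stream cipher (HMAC-SHA256 in counter mode) so the example needs
    # only the standard library; a deployment would use a vetted AEAD.
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(8, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal_module(key, index, total, chunk):
    """First encoding encryption of one data module, done before upload."""
    nonce = secrets.token_bytes(16)
    header = index.to_bytes(4, "big") + total.to_bytes(4, "big") + nonce
    stream = _keystream(_subkey(key, b"enc"), nonce, len(chunk))
    body = bytes(a ^ b for a, b in zip(chunk, stream))
    tag = hmac.new(_subkey(key, b"mac"), header + body, hashlib.sha256).digest()
    return header + body + tag


def open_module(key, blob):
    """Verify and decrypt one stored module; raises ValueError if tampered."""
    header, body, tag = blob[:24], blob[24:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), header + body, hashlib.sha256).digest()
    if len(blob) < 56 or not hmac.compare_digest(tag, expected):
        raise ValueError("data module failed integrity check")
    index = int.from_bytes(header[:4], "big")
    total = int.from_bytes(header[4:8], "big")
    stream = _keystream(_subkey(key, b"enc"), header[8:], len(body))
    return index, total, bytes(a ^ b for a, b in zip(body, stream))


def store(data, master, permission, module_size=16):
    """Compress, split, encrypt and spread modules over >= 2 providers."""
    packed = zlib.compress(data)
    # Cap the module size so there are always at least two modules.
    size = max(1, min(module_size, (len(packed) + 1) // 2))
    chunks = [packed[i:i + size] for i in range(0, len(packed), size)]
    clouds = {provider: [] for provider, _ in SUB_CLOUDS}
    for i, chunk in enumerate(chunks):
        provider, subnet = SUB_CLOUDS[i % len(SUB_CLOUDS)]
        key = derive_key(master, str(subnet), permission)
        clouds[provider].append(seal_module(key, i, len(chunks), chunk))
    return clouds


def retrieve(clouds, master, permission):
    """Collect modules from every sub-level cloud and rebuild the data."""
    modules, total = {}, None
    for provider, subnet in SUB_CLOUDS:
        key = derive_key(master, str(subnet), permission)
        for blob in clouds.get(provider, []):
            index, total, chunk = open_module(key, blob)
            modules[index] = chunk
    if total is None or sorted(modules) != list(range(total)):
        raise ValueError("missing data module")
    return zlib.decompress(b"".join(modules[i] for i in range(total)))


if __name__ == "__main__":
    secret = secrets.token_bytes(32)
    record = b"account=0001;owner=alice;note=constructed sample\n" * 4
    stored = store(record, secret, "visitor=alice;rights=read")
    print({p: len(b) for p, b in stored.items()})
    print(retrieve(stored, secret, "visitor=alice;rights=read") == record)
```

Because every module is sealed before it leaves the user side, a provider holding one sub-level cloud sees only ciphertext for its own modules, and reassembly fails loudly if any provider's share is missing or altered.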
S50, encrypting the data of the data modules stored on the sub-level clouds.
By encrypting the plurality of separated data modules, the data stored by different sub-level clouds cannot be associated, and at the same time the content cannot be obtained by the sub-level clouds, which further strengthens the encryption protection.
In a preferred embodiment, step S50 includes:
performing a second encoding encryption on the data module stored on each sub-level cloud; the data module of each sub-level cloud is encrypted with a different algorithm.
The encryption algorithms of the sub-level clouds all differ, so the data modules cannot all be decrypted in the same way.
As a further aspect of step S50, the encryption algorithm of the second encoding encryption includes: symmetric encryption algorithms, asymmetric encryption algorithms, and hash algorithms.
As a further aspect of step S50, the symmetric encryption algorithm includes: electronic codebook mode (ECB), cipher block chaining mode (CBC), cipher feedback mode (CFB), output feedback mode (OFB) and counter mode (CTR).
The sub-level cloud uses a shared encryption algorithm together with a firewall to store data securely. The shared encryption algorithm comprises: symmetric encryption algorithms, asymmetric encryption algorithms, and hash algorithms.
Specifically, the cloud servers of a plurality of service providers are combined to form a cloud service platform that is automated and intelligent. All storage resources are integrated, which improves storage efficiency; virtualization technology eliminates wasted storage space, and data can be redistributed automatically, improving the utilization of storage space while providing load balancing and fault redundancy. Cloud storage also achieves economies of scale and elastic expansion, which reduces operating cost and avoids wasting resources.
In this scheme a plurality of sub-level clouds are established and the user data is split before being stored, so that no sub-level cloud can obtain the complete user data. This effectively prevents the situation in which, once a user has uploaded and stored data on a cloud server, the cloud service provider can own and control the data stored by the user. The sub-level clouds are independent of one another and the data is protected by encryption, so the data on each sub-level cloud not only enjoys the protection of the cloud service platform but also has an independent protection mechanism.
According to the scheme, the data module is scanned, and the data of the data module is rechecked and checked, so that the data consistency is guaranteed. Because data generally has data errors and data collisions, scanning can filter out unsatisfactory data. The scanning adopted by the scheme can check whether the data is in accordance with the specification or not according to the reasonable value range and the mutual relation of each variable, and find whether the data exceeds the normal range or not and whether the data is logically unreasonable or contradictory.
According to the scheme, the user data is subjected to security check, and the invasion of cloud viruses is effectively prevented. The security check is used for virus killing of all files in the cloud, and comprises the following steps: monitoring and identifying, virus scanning and clearing, automatic upgrading, active defense, data recovery, hacker intrusion prevention, network flow control and the like.
By applying the first encoding encryption and the second encoding encryption to the data modules, the scheme effectively prevents the danger of data theft. Each sub-level's data is protected with a shared encryption algorithm, and data encryption is used together with a firewall for the secure storage of data, which improves the security and confidentiality of the information system and the data. On the one hand, user data is protected from being deciphered by outside parties; on the other hand, the service providers of the cloud servers are prevented from exchanging user data with one another and from transferring and illegally using it.
A multi-cloud architecture based storage system, as shown in fig. 2, comprising:
the classification module is used for classifying the cloud service platform into a plurality of sub-level cloud ends; the plurality of sub-level cloud ends belong to different service providers;
the classification is implemented by a subnet mask.
A verification module for receiving user data and performing verification;
as a further aspect of the verification module, the verification module includes:
a receiving unit for receiving user data; the user data includes: identity information and information to be stored;
the identification unit is used for identifying the identity information and determining the identity of the user;
if the identification fails, re-identifying the identity information;
if the identification passes, performing scanning and a security check on the information to be stored;
if the scanning or the security check fails, receiving the information to be stored again;
and if the scanning and the security check pass, compressing the information to be stored.
As a further aspect of the identification unit, the identification unit includes:
an identity recognizer, a scanner, a security checker, and a compressor.
As a further aspect of the scanner, the scanner includes:
a format name confirmation mechanism, an information filtering mechanism, an information deduplication mechanism and an information arrangement mechanism.
The partition module is used for carrying out data partition on the user data passing the verification to obtain a plurality of data modules;
as a further aspect of the partitioning module, the partitioning module includes:
the splitting unit is used for splitting the compressed information to be stored to obtain a plurality of data modules;
an acquisition unit configured to acquire authority information; and the permission information is used for setting the permission of the sublevel cloud.
The dividing module is used for dividing the data modules into the sub-level cloud ends of at least two service providers for storage;
as a further aspect of the dividing module, the dividing module includes:
the first coding unit is used for carrying out first coding encryption on the data modules;
the storage unit is used for distributing the data modules that have undergone the first encoding encryption to the sub-level clouds of the corresponding service providers for storage;
the authority unit is used for setting the corresponding authority of the sub-level cloud according to the authority information;
and the key unit is used for generating a key according to the address of the sublevel cloud and the authority information and feeding the key back to the user.
And the encryption module is used for encrypting the data of the data module stored on the sublevel cloud.
As a further aspect of the encryption module, the encryption module includes:
the second coding unit is used for carrying out second coding encryption on the data module stored on the sublevel cloud; and the data module of each sub-level cloud terminal adopts different algorithms to carry out second coding encryption.
As a further aspect of the second encoding unit, the second encoding unit includes:
a symmetric encryptor, an asymmetric encryptor, and a hasher.
As a further aspect of the symmetric encryptor, the symmetric encryptor includes:
an electronic codebook mechanism, a cipher block chaining mechanism, a cipher feedback mechanism, an output feedback mechanism and a counter mechanism.
The working principle of the storage system based on a multi-cloud architecture is as follows. Before logging in to the storage system, a user must enter identity information, which is verified by the identity recognizer to determine the identity of the user; this avoids information theft to a certain extent. Identity can be verified in a number of ways, for example question verification and identity information verification. The server and the user share one password or a group of passwords. When the user needs to be authenticated, the user submits the shared password by typing it in or through a device in which the password is stored. After receiving the submitted password, the identity recognizer checks whether it is consistent with the password stored by the server: if so, the user is judged to be a legitimate user; if not, the authentication is judged to have failed. This provides a preliminary safeguard against information theft.
After logging in successfully, the user uploads the information to be stored. First, the information to be stored is transmitted to the scanner over a wireless network, and the scanner manages the uploaded information. The security checker performs a virus check while the data is being uploaded, which effectively prevents intrusion by cloud viruses; it can check and remove viruses from all files in the cloud and integrates monitoring and identification, virus scanning and clearing, automatic upgrading, active defense and other functions. The data in the database is a collection of data oriented to a particular subject, extracted from a plurality of business systems or consisting of historical data, so the data is varied, and data errors and data conflicts cannot be avoided. In this embodiment, the uploaded data is examined and verified by the format name confirmation mechanism, the information filtering mechanism, the information deduplication mechanism and the information arrangement mechanism of the scanner, so as to delete duplicate information, correct existing errors, ensure data consistency, and process invalid values and missing values. After the data has been examined and verified, it is split by the partition module: the splitting unit in the partition module splits a complete piece of data into a plurality of data modules, and the data modules are encrypted and protected by the encryption module. Data encryption and decryption are implemented at the data storage layer of the cloud server and are transparent to upper-layer applications and users, so the key, the most important element in encryption and decryption, is also tied to the corresponding storage space location, and each sub-level cloud corresponds to one key.
Since each storage path is necessarily used by an application or a user of the storage system, the storage system takes the initial user of a storage space as the owner of the key of that space, and the key management function of the whole encryption and decryption system forms a closed loop through the key owner, the storage space and the key. The storage system is provided with a key unit which supports the generation and modification of keys; when the user generates or modifies a key, the storage system performs a backup operation at the same time, encrypting and backing up the key in a safe area, separate from data storage.
The storage system periodically synchronizes the keys corresponding to the sub-level clouds over a secure channel to complete key distribution. When a user writes data, the encryption module encrypts the data using the corresponding path and key and writes the encrypted data to the storage medium. When the user needs to read the data, the encryption module decrypts the data using the corresponding path and key and returns it to the user side. The encryption module effectively prevents data theft, and each sub-level cloud protects its data with a shared data encryption algorithm, so that data is stored securely in cooperation with a firewall.
In this embodiment, measures are taken in both software and hardware. According to function, data encryption technology can be divided into data transmission encryption, data storage encryption, data integrity authentication and key management. Data transmission encryption encrypts the data stream in transit and takes two forms, line encryption and end-to-end encryption. Line encryption focuses on the line without regard to the information source and the information sink, and protects secret information by using a different key on each line. End-to-end encryption means that information is automatically encrypted by the sending end, encapsulated in TCP/IP packets, and then carried across the internet as unreadable and unrecognizable data; when the data reaches its destination, it is automatically reassembled and decrypted into readable data. Data storage encryption aims to prevent data in the storage stage from being decrypted, and can be divided into ciphertext storage and access control. The former is generally implemented by encryption algorithm conversion, additional encryption codes, an encryption module and similar methods; the latter examines and restricts user qualifications and permissions to prevent illegal users from accessing data and legitimate users from accessing data beyond their authorization. Data integrity authentication aims to verify the identity of the persons involved in the transfer, access and processing of information and the content of the associated data, and typically includes the authentication of passwords, keys, identities, data and the like.
The system protects data by comparing and verifying whether the characteristic value input by the object conforms to the preset parameters. Key management covers the confidentiality measures in every stage of key generation, distribution, storage, replacement and destruction, and a cloud database security broker independent of the storage cloud platform is provided.
By establishing the plurality of sub-level clouds, the data is split and then stored separately, so that no sub-level cloud storing the data can obtain the complete information. This effectively prevents the situation in which, once a user has uploaded and stored data on a cloud server, the cloud service provider can own and control the data stored by the user.
It should be understood that the above-mentioned embodiments of the present invention are only examples for clearly illustrating the technical solutions of the present invention, and are not intended to limit the specific embodiments of the present invention. Any modification, equivalent replacement, and improvement made within the spirit and principle of the present invention claims should be included in the protection scope of the present invention claims.