CN102413313A - Data integrity authentication information generation method and device as well as data integrity authentication method and device - Google Patents
Data integrity authentication information generation method and device as well as data integrity authentication method and device Download PDFInfo
- Publication number
- CN102413313A CN102413313A CN2010102953121A CN201010295312A CN102413313A CN 102413313 A CN102413313 A CN 102413313A CN 2010102953121 A CN2010102953121 A CN 2010102953121A CN 201010295312 A CN201010295312 A CN 201010295312A CN 102413313 A CN102413313 A CN 102413313A
- Authority
- CN
- China
- Prior art keywords
- data
- hash
- integrity verification
- verification information
- information
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
Images
Landscapes
- Storage Device Security (AREA)
Abstract
一种生成数据的完整性验证信息的装置和方法,该装置包括:哈希结构生成单元,通过多个数据源在特定的时间段内各自包括的数据分段的哈希值生成与该特定时间段相对应的哈希结构,使所有数据分段的哈希值分别代表哈希结构的最底层的子节点以便计算其根哈希值;公共验证信息获取单元,获取针对根哈希值的公共验证信息;完整性验证信息生成单元,为多个数据源生成在特定的时间段内各自包括的数据分段的完整性验证信息,每一个数据分段的完整性验证信息包括公共验证信息、哈希结构中的、从代表最低层的叶子节点的该数据分段的哈希值到根结点的路径信息、以及在该路径中包括的、该子节点相关的节点的哈希值。还提供对数据的完整性进行验证的装置和方法。
A device and method for generating data integrity verification information, the device comprising: a hash structure generating unit, through the generation of hash values of data segments included in a plurality of data sources within a specific time period and the specific time The hash structure corresponding to the segment, so that the hash values of all data segments represent the bottom child nodes of the hash structure so as to calculate its root hash value; the public verification information acquisition unit obtains the public verification information for the root hash value Verification information; the integrity verification information generation unit generates the integrity verification information of the data segments included in a specific time period for multiple data sources, and the integrity verification information of each data segment includes public verification information, hash Path information from the hash value of the data segment representing the leaf node of the lowest layer to the root node in the hash structure, and hash values of nodes related to the child node included in the path. Apparatus and methods for verifying the integrity of data are also provided.
Description
技术领域 technical field
本发明总体上涉及数据处理的技术领域,更具体而言,涉及用于生成数据完整性验证信息的方法和装置,以及对数据的完整性进行验证的方法和装置。 The present invention generally relates to the technical field of data processing, and more specifically, to a method and device for generating data integrity verification information, and a method and device for verifying data integrity. the
背景技术 Background technique
视频监控在社会治安、防止犯罪、案件取证等方面正在发挥越来越重要的作用,许多企事业单位、交通道路、公共场所,甚至个人住宅都安装了监控摄像头。根据《中华人民共和国刑事诉讼法》第42条的规定,视听资料经过查证属实,可作为定案的根据。但是由于视频数据容易伪造和篡改,现实中视频及录音(以下简称视频)能否作为法庭的有效证据一直存在争议。换言之,视频作为法庭证据的一个必要条件是保证视频在录制后没有经过任何篡改(例如屏蔽、删节、修改内容等)即保证完整性。 Video surveillance is playing an increasingly important role in social security, crime prevention, case evidence collection, etc. Many enterprises, institutions, traffic roads, public places, and even individual residences have installed surveillance cameras. According to Article 42 of the "Criminal Procedure Law of the People's Republic of China", audio-visual materials can be used as the basis for a verdict after verification. However, because video data is easy to forge and tamper, whether video and audio recording (hereinafter referred to as video) can be used as effective evidence in court has been controversial in reality. In other words, a necessary condition for a video to be used as court evidence is to ensure that the video has not undergone any tampering (such as shielding, abridgement, modification of content, etc.) after recording, that is, to ensure integrity. the
保证完整性在编码理论和密码学领域有很多方法,根据完整性需求的强度不同可以采用不同的方法。一种可证明安全有效防止或检测视频被篡改的方法是使用时间戳对所录制视频的完整性加以实时保护,即由监控摄像头在线实时向时间戳授权机构(TSA,Time Stamp Authority)申请时间戳,使得加盖时间戳的视频不可篡改(或可检测篡改),时间真实有效,从而保证视频的完整性可以被任意人验证或权威机构证明。因而加盖时间戳的监控视频在完整性上具有法律效力。目前国内外有许多TSA可以提供在线的时间戳服务(例如可访问http://www.faqs.org/rfcs/rfc3161.html获得相关信息),可以对任何数据加以完整性、时效性保护,并且具有法律效力(例如通过时间戳服务中心,参见http://www.tsa.cn/)。监控摄像头将 视频按照时间分成若干分段,为每个分段获取时间戳,并将视频分段和对应时间戳同时保存。任何人可以根据时间戳验证对应分段的完整性、时效性。 There are many methods to ensure integrity in the field of coding theory and cryptography, and different methods can be adopted according to the strength of integrity requirements. A method that can prove safe and effective to prevent or detect video tampering is to use time stamps to protect the integrity of the recorded video in real time, that is, the surveillance camera applies to the Time Stamp Authority (TSA, Time Stamp Authority) for time stamps online in real time , so that the time-stamped video cannot be tampered (or tamper-detectable), and the time is real and valid, so that the integrity of the video can be verified by any person or proven by an authority. Thus, time-stamped surveillance video has legal validity in terms of integrity. At present, there are many TSAs at home and abroad that can provide online timestamp services (for example, you can visit http://www.faqs.org/rfcs/rfc3161.html to obtain relevant information), which can protect the integrity and timeliness of any data, and Have legal effect (for example, through the time stamp service center, see http://www.tsa.cn/). The surveillance camera divides the video into several segments according to time, obtains a time stamp for each segment, and saves the video segment and the corresponding time stamp at the same time. Anyone can verify the integrity and timeliness of the corresponding segment based on the timestamp. the
但是在线时间戳成本较高,其涉及网络带宽成本以及单次服务费用。尤其对于安装了多个摄像头的单位其成本问题就尤为突出。例如,图1给出了通过在线时间戳对来自多个摄像头的数据进行保护的例子。如图所示,如果一个单位的视频监控系统100安装了若干个视频摄像头102-110,每个摄像头均需要单独在线向TSA申请时间戳服务,要求较宽的网络带宽,而且来自每个摄像头的视频数据量较大,所需的时间戳服务次数很多,而TSA通常是按照时间戳服务次数进行收费。所以,如果每个摄像头单独申请时间戳(验证信息),网络带宽成本以及时间戳服务费用跟摄像头的个数成正比。
However, the cost of online time stamping is relatively high, which involves network bandwidth costs and single service fees. Especially its cost problem is just particularly outstanding for the unit that multiple cameras are installed. For example, Figure 1 gives an example of securing data from multiple cameras via online timestamping. As shown in the figure, if several video cameras 102-110 are installed in the
为了节约多个摄像头所需的带宽和时间戳服务费用,应该减少时间戳的申请次数,同时使验证信息的大小不至于过大。 In order to save the bandwidth and time stamp service fees required by multiple cameras, the number of time stamp applications should be reduced, and the size of the verification information should not be too large. the
图2给出了现有技术中的一种整体哈希方法。如图2所示,整体哈希是指将某一时间段内来自若干摄像头(图2中为摄像头A-E)的视频数据分段整体进行哈希,在图2中例如是对于摄像头A-E中各自的视频数据分段A2-E2的整体进行哈希,即求取这些视频数据分段的整体的哈希值HAE2,然后将该哈希值向TSA申请一个公共时间戳Timestamp(HAE2)。这个公共时间戳可以作为所有摄像头A-E在该时间段内对应的视频数据的验证信息。这种方法的优点是大大减少了申请时间戳的次数和存储验证信息(即时间戳)的空间。但这种方法使得来自一个摄像头的视频数据不能单独存放和被验证,而需要保证所有摄像头的视频数据同时存在,才能验证其完整性。这样给视频保存、剪辑和验证均带来麻烦。 Fig. 2 shows an overall hashing method in the prior art. As shown in Figure 2, overall hashing refers to hashing video data segments from several cameras (cameras AE in Figure 2) in a certain period of time. The entire video data segment A2-E2 is hashed, that is, the overall hash value H AE2 of these video data segments is obtained, and then a public timestamp Timestamp(H AE2 ) is applied for the hash value to the TSA. This public time stamp can be used as the verification information of the corresponding video data of all cameras AE within the time period. The advantage of this method is that it greatly reduces the number of times to apply for time stamps and the space for storing verification information (that is, time stamps). However, this method prevents the video data from one camera from being stored and verified separately, and it is necessary to ensure that the video data of all cameras exist at the same time in order to verify its integrity. This brings troubles to video preservation, clipping and verification.
发明内容 Contents of the invention
鉴于上述情况,需要提供一种能够高效和便捷地完成对来自多个数据源的数据的完整性单独进行保护以及验证的装置和 方法。此外,这种装置和方法最好是成本有效的。 In view of the foregoing, it is necessary to provide a device and method capable of independently protecting and verifying the integrity of data from multiple data sources efficiently and conveniently. Furthermore, such devices and methods are preferably cost effective. the
根据本发明的实施例提供了一种用于生成数据的完整性验证信息的装置,包括: According to an embodiment of the present invention, a device for generating data integrity verification information is provided, including:
哈希结构生成单元,其被配置成通过多个数据源在特定的时间段内各自包括的数据分段的哈希值生成与该特定时间段相对应的哈希结构,使所有数据分段的哈希值分别代表该哈希结构的最底层的子节点以便计算该哈希结构的根节点的根哈希值; A hash structure generating unit configured to generate a hash structure corresponding to the specific time period through the hash values of the data segments included in each of the multiple data sources within a specific time period, so that all data segments The hash values respectively represent the bottommost sub-nodes of the hash structure in order to calculate the root hash value of the root node of the hash structure;
公共验证信息获取单元,其被配置成获取针对根哈希值的公共验证信息; A public verification information acquisition unit configured to obtain public verification information for the root hash value;
完整性验证信息生成单元,其被配置成为多个数据源生成在上述特定的时间段内各自包括的数据分段的完整性验证信息,其中每一个数据分段的完整性验证信息包括公共验证信息、哈希结构中的、从代表最低层的子节点的该数据分段的哈希值到根结点的路径信息、以及在该路径中包括的、与该子节点相关的节点的哈希值。 an integrity verification information generation unit configured to generate integrity verification information for the data segments included in each of the above-mentioned specific time periods for a plurality of data sources, wherein the integrity verification information for each data segment includes common verification information , the path information from the hash value of the data segment representing the lowest-level child node to the root node in the hash structure, and the hash values of the nodes related to the child node included in the path . the
根据本发明的实施例还提供了一种为数据提供完整性保护的系统,包括: According to an embodiment of the present invention, a system for providing integrity protection for data is also provided, including:
多个数据源,该多个数据源被划分到第一至Z级哈希区域中,其中,第一至Z级哈希区域中第L级哈希区域包括ML个哈希结构,L=1,......,Z,且其中每一个哈希结构都包括一个管理数据源,每一个管理数据源都具有如上所述根据本发明实施例的生成数据的完整性验证信息的装置,其中Z是大于等于2的整数,ML是大于等于1的整数; A plurality of data sources, the plurality of data sources are divided into the first to Z level hash areas, wherein, the Lth level hash area in the first to Z level hash areas includes M L hash structures, L= 1, ..., Z, and wherein each hash structure includes a management data source, and each management data source has the device for generating data integrity verification information according to an embodiment of the present invention as described above , where Z is an integer greater than or equal to 2, M L is an integer greater than or equal to 1;
对于第K级哈希区域中的每一个哈希结构而言,该哈希结构的管理数据源被配置成将其自身及其所管理的数据源在特定时间段中包括的数据分段的哈希值分别作为最底层的子节点来生成该哈希结构,或者,该哈希结构的管理数据源被配置成将其自身在特定时间段中包括的数据分段的哈希值以及第K-1级哈希区域中对应的至少一个哈希结构的根结点值分别作 为最底层的子节点来生成该哈希结构,其中K是大于等于1且小于等于Z的整数; For each hash structure in the K-th level hash area, the management data source of the hash structure is configured as the hash of the data segment included in itself and the data source it manages in a specific time period The hash value is used as the bottommost child node to generate the hash structure, or the management data source of the hash structure is configured to include the hash value of the data segment and the K-th The root node value of at least one hash structure corresponding to the level 1 hash area is used as the bottom child node to generate the hash structure, where K is an integer greater than or equal to 1 and less than or equal to Z;
基于第Z级哈希区域中各个哈希结构的根结点值来生成最终的根哈希值,以及,第Z级哈希区域中包括的管理数据源中预先指定的最高级管理数据源被配置成获取针对最终的根哈希值的公共验证信息;以及 The final root hash value is generated based on the root node values of each hash structure in the Z-level hash area, and the pre-specified highest-level management data source among the management data sources included in the Z-level hash area is selected configured to obtain public verification information for the final root hash; and
最高级管理数据源被配置成为第Z级哈希区域的每一个哈希结构中的、与数据源对应的最底层的子节点生成完整性验证信息,该完整性验证信息包括上述公共验证信息、在第Z级哈希区域中的、从该子节点到所述最终的根结点的路径信息、以及在该路径中包括的与该子节点相关的节点的哈希值;以及 The highest-level management data source is configured to generate integrity verification information for the lowest-level subnode corresponding to the data source in each hash structure of the Z-level hash area. The integrity verification information includes the above-mentioned public verification information, Path information from the child node to the final root node in the Z-level hash area, and hash values of nodes related to the child node included in the path; and
对于从第一级到第Z-1级哈希区域之中的第Q级哈希区域中的每一个哈希结构,该哈希结构中的管理数据源被配置成为该哈希结构中的、与数据源对应的其他底层的子节点生成完整性验证信息,该完整性验证信息包括该哈希结构的根结点的完整性验证信息、在所述第Q级哈希区域中从该子节点到根结点的路径信息、以及在该路径上与该子节点相关的节点的哈希值,其中,该哈希结构的根结点作为第Q+1级哈希区域中相应哈希结构的最低层的子节点,其完整性验证信息是通过第Q+1级哈希区域中相应哈希结构的管理数据源来生成的,其中Q是大于等于1且小于等于Z-1的整数。 For each hash structure in the Qth level hash area from the first level to the Z-1 level hash area, the management data source in the hash structure is configured as, Other underlying sub-nodes corresponding to the data source generate integrity verification information, the integrity verification information includes the integrity verification information of the root node of the hash structure, and from the sub-node in the Qth level hash area The path information to the root node and the hash value of the node related to the child node on the path, wherein the root node of the hash structure is used as the hash value of the corresponding hash structure in the Q+1 level hash area The integrity verification information of the lowest layer child node is generated through the management data source of the corresponding hash structure in the Q+1 level hash area, where Q is an integer greater than or equal to 1 and less than or equal to Z-1. the
根据本发明的实施例还提供了一种生成数据的完整性验证信息的方法,包括: According to an embodiment of the present invention, a method for generating data integrity verification information is also provided, including:
哈希结构生成步骤,其将多个数据源在特定的时间段内各自包括的数据分段的哈希值作为最底层的子节点来生成与该特定时间段相对应的哈希结构,通过该哈希结构的最低层的子节点来计算该哈希结构的根节点的根哈希值; Hash structure generation step, which uses the hash values of the data segments included in each of the multiple data sources in a specific time period as the bottom child node to generate a hash structure corresponding to the specific time period, through which The child node of the lowest level of the hash structure is used to calculate the root hash value of the root node of the hash structure;
公共验证信息获取步骤,其获取针对根哈希值的公共验证信息;和 a public verification information acquisition step that obtains public verification information for the root hash value; and
完整性验证信息生成步骤,其针对上述多个数据源在该特 定的时间段内各自包括的数据分段中的每一个数据分段,基于下列的信息来生成该数据分段的完整性验证信息:上述公共验证信息、哈希结构中的、从代表最低层的子节点的该数据分段的哈希值到根结点的路径信息、以及在该路径中包括的、与该子节点相关的节点的哈希值。 Integrity verification information generating step, which generates the integrity verification of the data segment based on the following information for each of the data segments included in the above-mentioned multiple data sources within the specific time period Information: the above public verification information, path information from the hash value of the data segment representing the lowest level child node to the root node in the hash structure, and information related to the child node included in the path The hash value of the node. the
根据本发明的实施例还提供了一种对数据的完整性进行验证的装置,包括: According to an embodiment of the present invention, a device for verifying data integrity is also provided, including:
公共验证信息验证单元,其被配置成对多个数据源的相应的数据源在特定时间段内的数据分段所具有的完整性验证信息中包括的公共验证信息进行验证;以及 A public verification information verification unit configured to verify the public verification information included in the integrity verification information of the data segments of the corresponding data sources of the plurality of data sources within a specific time period; and
完整性验证单元,其被配置成将根据上述相应的数据源的数据分段所具有的完整性验证信息以及该数据分段的哈希值计算得到的根哈希值与完整性验证信息中包含的根哈希值进行比较,并且在比较结果以及公共验证信息验证单元的验证结果两者都为正面的情况下,确定所述数据分段是完整的; An integrity verification unit configured to include in the root hash value and the integrity verification information calculated according to the integrity verification information of the data segment of the corresponding data source and the hash value of the data segment The root hash value is compared, and in the case that both the comparison result and the verification result of the public verification information verification unit are positive, it is determined that the data segment is complete;
其中,所述数据分段的完整性验证信息包括上述公共验证信息、与上述特定时间段相对应的哈希结构中的、从该数据分段的哈希值代表的最低层的子节点到根结点的路径信息、以及在该路径中包括的、与该子节点相关的节点的哈希值,其中与特定时间段相对应的哈希结构通过使上述多个数据源在特定时间段内各自包括的数据分段的哈希值代表最低层的子节点来生成,根哈希值是哈希结构的根结点的哈希值。 Wherein, the integrity verification information of the data segment includes the above-mentioned public verification information, and in the hash structure corresponding to the above-mentioned specific time period, from the lowest-level child node represented by the hash value of the data segment to the root The path information of the node, and the hash value of the node related to the child node included in the path, wherein the hash structure corresponding to the specific time period is obtained by making the above-mentioned multiple data sources each in the specific time period The hash value of the included data segment is generated on behalf of the lowest-level child nodes, and the root hash value is the hash value of the root node of the hash structure. the
根据本发明的实施例还提供了一种对数据的完整性进行验证的方法,包括: According to an embodiment of the present invention, a method for verifying the integrity of data is also provided, including:
公共验证信息验证步骤,对多个数据源的相应的数据源在特定时间段内的数据分段所具有的完整性验证信息中包括的公共验证信息进行验证; The public verification information verification step is to verify the public verification information included in the integrity verification information of the data segments of the corresponding data sources within a specific time period of the multiple data sources;
比较步骤,将根据上述相应的数据源的数据分段所具有的 完整性验证信息以及该数据分段的哈希值计算得到的根哈希值与完整性验证信息中包含的根哈希值进行比较;以及 In the comparison step, the root hash value calculated according to the integrity verification information of the data segment of the corresponding data source and the hash value of the data segment is compared with the root hash value contained in the integrity verification information compare; and
完整性确定步骤,如果比较步骤的比较结果表明所计算的根哈希值与完整性验证信息中包含的根哈希值一致,并且公共验证信息验证步骤的验证结果为正面的,则确定数据分段是完整的, In an integrity determination step, if the comparison result of the comparison step shows that the calculated root hash value is consistent with the root hash value contained in the integrity verification information, and the verification result of the public verification information verification step is positive, then determine the data score segment is complete,
其中,数据分段的完整性验证信息包括上述公共验证信息、与上述特定时间段相对应的哈希结构中的、从该数据分段的哈希值代表的最低层的子节点到根结点的路径信息、以及在该路径中包括的、与该子节点相关的节点的哈希值,其中与特定时间段相对应的哈希结构通过使上述多个数据源在特定时间段内各自包括的数据分段的哈希值代表最低层的子节点来生成,根哈希值通过该哈希结构来计算。 Wherein, the integrity verification information of the data segment includes the above-mentioned public verification information, and in the hash structure corresponding to the above-mentioned specific time period, from the lowest-level child node represented by the hash value of the data segment to the root node The path information of the path, and the hash value of the node related to the child node included in the path, wherein the hash structure corresponding to the specific time period is obtained by making the above-mentioned multiple data sources each include in the specific time period The hash value of the data segment is generated on behalf of the lowest-level child nodes, and the root hash value is calculated through the hash structure. the
根据本发明的各实施例的生成数据的完整性验证信息的方法和装置使得可以通过基于哈希结构的简单手段为来自多个数据源的数据单独进行有效的完整性保护。相应地,根据本发明的各实施例的对数据的完整性进行验证的方法和装置能够快速准确地对来自多个数据源的数据单独进行完整性验证。由此,根据本发明的各实施例的数据完整性保护和验证装置和方法能够高效、可靠地实现对来自多个数据源的数据的完整性的单独保护和验证。此外,由于采用了简单的结构配置和实现手段,实现了成本的有效降低。 The method and device for generating data integrity verification information according to various embodiments of the present invention enable independent and effective integrity protection for data from multiple data sources through a simple means based on a hash structure. Correspondingly, the method and device for verifying data integrity according to various embodiments of the present invention can quickly and accurately perform integrity verification on data from multiple data sources individually. Thus, the data integrity protection and verification apparatus and method according to the various embodiments of the present invention can efficiently and reliably realize independent protection and verification of the integrity of data from multiple data sources. In addition, due to the adoption of simple structural configuration and implementation means, effective cost reduction is realized. the
本发明的其他实施例还提供了一种视频摄像设备,该视频摄像设备包括如上所述的根据本发明的实施例的生成数据的完整性验证信息的装置。 Other embodiments of the present invention also provide a video camera device, which includes the above-mentioned apparatus for generating data integrity verification information according to the embodiments of the present invention. the
本发明的另外的实施例还提供了一种存储有机器可读取的指令代码的程序产品,该指令代码由机器读取并执行时,可执行如上所述的根据本发明的实施例的生成数据的完整性验证信息的方法和/或对数据的完整性进行验证的方法。 Another embodiment of the present invention also provides a program product storing machine-readable instruction codes. When the instruction codes are read and executed by a machine, the above-mentioned generation of Integrity of data A method of verifying information and/or a method of verifying the integrity of data. the
本发明的另外的实施例还提供了一种承载有上述的程序产 品的存储介质。 Another embodiment of the present invention also provides a storage medium carrying the above-mentioned program product. the
附图说明 Description of drawings
通过结合附图对本发明的具体实施方式的描述,本发明的以上的和其它目的、特点和优点将变得清楚。在各附图中,相同或类似的附图标记表示相同或者类似的功能部件或步骤。在附图中: The above and other objects, features and advantages of the present invention will become clear by describing specific embodiments of the present invention in conjunction with the accompanying drawings. In each drawing, the same or similar reference numerals denote the same or similar functional components or steps. In the attached picture:
图1是示出了现有技术的对多个视频摄像头的视频数据分别进行时间戳保护的配置的简化框图; Fig. 1 is the simplified block diagram of the configuration that shows the video data of a plurality of video cameras respectively carrying out timestamp protection in the prior art;
图2是示出了现有技术的对多个视频摄像头的视频数据进行的整体时间戳保护的配置的简化框图; FIG. 2 is a simplified block diagram illustrating a prior art configuration for holistic timestamp protection of video data from multiple video cameras;
图3是示出了根据本发明实施例的生成数据的完整性验证信息的装置的结构简化框图; Fig. 3 is a simplified block diagram showing the structure of a device for generating data integrity verification information according to an embodiment of the present invention;
图4是示出了图3中的生成数据的完整性验证信息的装置的操作的一种具体实例的示意简图; Fig. 4 is a schematic diagram showing a specific example of the operation of the device for generating data integrity verification information in Fig. 3;
图5是示出了图3中的生成数据的完整性验证信息的装置的操作的另一种具体实例的示意简图; Fig. 5 is a schematic diagram illustrating another specific example of the operation of the device for generating data integrity verification information in Fig. 3;
图6是示出了具有通过根据本发明的实施例的生成数据的完整性验证信息的装置所生成的完整性验证信息的封装数据的示意图; FIG. 6 is a schematic diagram showing packaged data with integrity verification information generated by an apparatus for generating data integrity verification information according to an embodiment of the present invention;
图7是示出了通过利用图3中的生成数据的完整性验证信息的装置,对于某个数据源的数据子分段通过内部子哈希链来进行完整性保护的实例的示意图; Figure 7 is a schematic diagram showing an example of integrity protection for a data sub-segment of a certain data source through an internal sub-hash chain by utilizing the device for generating data integrity verification information in Figure 3;
图8是示出了通过利用图3中的生成数据的完整性验证信息的装置,对于某个数据源的数据子分段通过内部子哈希树来进行完整性保护的实例的示意图; Fig. 8 is a schematic diagram showing an example of integrity protection for a data sub-segment of a certain data source through an internal sub-hash tree by utilizing the device for generating data integrity verification information in Fig. 3;
图9A-9B是示出了常见的可能的哈希树结构示意图; 9A-9B are schematic diagrams showing common possible hash tree structures;
图10A-10D是示出了利用根据本发明的实施例的生成完整性验证数据的装置来生成高效哈希二叉树的过程的简化框图; 10A-10D are simplified block diagrams illustrating the process of generating an efficient hash binary tree using an apparatus for generating integrity verification data according to an embodiment of the present invention;
图11是示出了配备有根据本发明的实施例的用于生成数据的完整性验证信息的装置的摄像设备的简化结构框图; FIG. 11 is a simplified structural block diagram showing an imaging device equipped with an apparatus for generating data integrity verification information according to an embodiment of the present invention;
图12A是示出了根据本发明的实施例的生成数据的完整性验证信息的系统的简化结构框图,其中多个数据源划分为多级哈希区域,每一级哈希区域中包含的哈希结构都配备一个具有如图3所示的生成数据的完整性验证信息的装置的管理数据源; Fig. 12A is a simplified structural block diagram showing a system for generating data integrity verification information according to an embodiment of the present invention, wherein multiple data sources are divided into multi-level hash areas, and the hashes contained in each level of hash areas The Greek structure is equipped with a management data source with a device for generating data integrity verification information as shown in Figure 3;
图12B是示出了作为图12A的系统的一种变形形式的生成数据的完整性验证信息的系统的简化结构框图; Figure 12B is a simplified structural block diagram illustrating a system for generating data integrity verification information as a variant of the system of Figure 12A;
图13是示出了根据本发明的实施例的用于生成数据的完整性验证信息的方法的流程简图; Fig. 13 is a schematic flow diagram illustrating a method for generating data integrity verification information according to an embodiment of the present invention;
图14是示出了根据本发明的实施例的对数据的完整性验证信息进行验证的装置的简化结构框图; Fig. 14 is a simplified structural block diagram showing a device for verifying data integrity verification information according to an embodiment of the present invention;
图15是示出了图14所示的方法的一种具体实现方式的简图; Fig. 15 is a diagram showing a specific implementation of the method shown in Fig. 14;
图16是示出了根据本发明的实施例的对数据的完整性验证信息进行验证的方法的流程简图;以及 Fig. 16 is a simplified flowchart showing a method for verifying data integrity verification information according to an embodiment of the present invention; and
图17是示出可用于实施根据本发明实施例的方法和装置的计算机系统的示意性框图。 Fig. 17 is a schematic block diagram showing a computer system that can be used to implement the method and apparatus according to the embodiments of the present invention. the
具体实施方式 Detailed ways
下面参照附图来说明本发明的实施例。应当注意,为了避免因不必要的细节而模糊了本发明,在附图中仅仅示出了与根据本发明的方案密切相关的设备结构和/或处理步骤,而省略了与本发明关系不大的其他细节。在各附图中相同或者相似的构成元素或部分利用相同或者类似的附图标记来表示。 Embodiments of the present invention will be described below with reference to the drawings. It should be noted that in order to avoid obscuring the present invention due to unnecessary details, only the device structure and/or processing steps closely related to the solution according to the present invention are shown in the accompanying drawings, while the components having little relation to the present invention are omitted. other details. In each drawing, the same or similar constituent elements or parts are denoted by the same or similar reference numerals. the
图3是示出了根据本发明实施例的生成数据的完整性验证信息的装置300的结构简化框图。如图所示,该装置300包括哈希结构生成单元310、公共验证信息获取单元320和完整性验证信息生成单元330。哈希结构生成单元310通过多个数据源在 特定的时间段内各自包括的数据分段的哈希值生成与该特定时间段相对应的哈希结构,使所有数据分段的哈希值分别代表该哈希结构的最低层的子节点以便计算该哈希结构的根哈希值。公共验证信息获取单元320获取针对该根哈希值的公共验证信息。完整性验证信息生成单元330为多个数据源生成在该特定的时间段内各自包括的数据分段的完整性验证信息。其中每一个数据分段的完整性验证信息包括该公共验证信息、该哈希结构中的、从代表该最低层的子节点的该数据分段的哈希值到该根结点的路径信息、以及在该路径中包括的、与该最底层的子节点相关的节点的哈希值。
Fig. 3 is a simplified block diagram showing the structure of an
需要说明,在此所说的“最低层的子节点”指的是在哈希结构中没有自己的下级子节点的节点。容易理解,在哈希结构为哈希树时,这种“最低层的子节点”就是叶子节点。 It should be noted that the "lowest-level child node" mentioned here refers to a node without its own lower-level child nodes in the hash structure. It is easy to understand that when the hash structure is a hash tree, this "lowest-level child node" is a leaf node. the
图4是示出了图3中的装置300的操作的一种具体实例的示意简图。
FIG. 4 is a schematic diagram illustrating a specific example of the operation of the
如图所示,在该实例中,时间戳代理410作为如图3所示的装置300的一种具体实现形式来操作。该时间戳代理410为来自多个数据源,即摄像设备A-E的视频数据生成完整性验证信息。该实例通过构造哈希链的方式来生成完整性验证信息。时间戳代理410中的哈希结构生成单元通过将某一特定时间段内来自摄像设备A-E的数据分段的哈希值照链状方式构造哈希链,然后时间戳代理410中的公共验证信息获取单元将哈希链的末节点(即根结点)值通过时间戳授权机构TSA 420加盖公共时间戳,由此得到公共验证信息Timestamp(HAE2)。例如,图中示意性地示出了每一个摄像设备在三个时间段中各自的数据分段A1-A3至E1-E3。假设对于在某个特定时间段摄像设备A-E产生的数据分段A2-E2而言,这些数据分段各自的哈希值为HA2-HE2。哈希值HA2和HB2连接后进行哈希而得到哈希值HAB2,哈希值HAB2和HC2连接后进行哈希而得到哈希值HAC2,哈希值HAC2和HD2连接后进行哈希而得到哈希值HAD2,哈希值HAD2和HE2连接后进行哈希而得到哈希值HAE2。如图所示,基于多 个数据源(即摄像设备A-E)在该特定时间段中的数据分段的哈希值构造了一个哈希链,其中可以将这些数据分段的哈希值HA2-HE2看作为代表最低层的子节点(即,没有自己的下级子节点的节点),哈希值HAB2,HAC2和HAD2分别是上一级的父节点,哈希链的最终的端点值HAE2表示该哈希链的根哈希值。哈希值的基本概念及其获得方法是本领域公知的技术,对此不再赘述。时间戳代理410中的完整性验证信息生成单元数据分段A2-E2的完整性验证信息。例如,摄像设备D在该特定时间段中的数据分段D2的完整性验证信息包括公共验证信息Timestamp(HAE2)、从该数据分段D2的哈希值HD2到根哈希值HAE2的路径信息、以及哈希链上沿着该路径的某些节点的哈希值。在哈希链中从最低层的子节点HD2到根节点HAE2的路径中包括节点HD2和HAD2,与这些节点相关的节点的哈希值HAC2和HE2就构成了数据分段D2的完整性验证信息的一部分。
As shown, in this example, the timestamp proxy 410 operates as a specific implementation of the
图5是示出了图3中的生成数据的完整性验证信息的装置300的操作的另一种具体实例的示意简图。如图所示,在该实例中,时间戳代理510作为如图3所示的装置300的另一种具体实现形式来操作。
FIG. 5 is a schematic diagram showing another specific example of the operation of the
在该实例中,时间戳代理510为来自多个数据源,即摄像设备A-E的视频数据生成完整性验证信息。该实例通过构造哈希树的方式来生成完整性验证信息。时间戳代理510主要负责哈希树的计算、时间戳申请、完整性验证信息的生成等。时间戳代理510例如可以通过连接因特网的计算机来实施,各个摄像设备A-E例如可通过局域网络与其连接,并且其具有访问在线时间戳授权机构TSA 520的凭证(例如用户名和密码)以及表征监控单位(即,多个数据源所属单位)身份的信息。
In this example,
时间戳代理510中的哈希结构生成单元通过将某一特定时间段内来自摄像设备A-E的数据分段的哈希值照树状方式构造哈希树,然后时间戳代理510中的公共验证信息获取单元将哈希树的根节点的哈希值通过时间戳授权机构TSA520加盖公共时间戳,由此得到公共验证信息Timestamp(HAE2)。例如,图 中示意性地示出了每一个摄像设备在三个时间段中各自的数据分段A1-A3至E1-E3。假设对于在某个特定时间段摄像设备A-E产生的数据分段A2-E2而言,这些数据分段各自的哈希值为HA2-HE2。哈希值HA2和HB2合并后进行哈希得到哈希值HAB2,哈希值HC2和HD2合并后进行哈希得到哈希值HCD2,哈希值HAB2和HCD2合并后进行哈希得到哈希值HAD2,哈希值HAD2和HE2合并后进行哈希得到哈希值HAE2。如图所示,基于多个数据源(即摄像设备A-E)在该特定时间段中的数据分段的哈希值构造了一个哈希树,其中可以将这些数据分段的哈希值HA2-HE2看作为该哈希树的最低层的子节点,即叶子节点,哈希值HAB2,HCD2和HAD2分别是各上级的父节点,哈希树的最终的端点值HAE2表示该哈希树的根哈希值。时间戳代理510接收来自各个摄像设备的在该特定时间段中视频数据分段的哈希值,并且例如此外还可记录各个摄像设备的编号(可用于在随后的验证过程中对摄像设备进行标识)。如上所述,时间戳代理510将这些哈希值作为二叉哈希树的叶子节点,从叶子节点出发,逐级计算哈希树的上级节点,上级节点是下级的两个子节点连接后的哈希值。值得注意的是,摄像设备的个数可能不是2的指数倍(即该二叉哈希树可能不是满二叉树),因此部分来自摄像设备的哈希值可能并不是位于哈希树的最底层(例如图5所示,摄像设备E的哈希值直到计算根节点时才用到)。按照这种两两合一的方法最终计算出根节点的哈希值。这棵由时间戳代理510计算的哈希树的所有节点值和节点位置信息例如可以暂时保存在时间戳代理510的存储器中。时间戳代理510将哈希树的根节点的值以及身份等信息按照时间戳标准(例如可参见http://www.faqs.org/rfcs/rfc3161.html获得相关信息)的需求封装后,发送给时间戳授权机构TSA 520。TSA 520返回对应的时间戳(即公共验证信Timestamp(HAE2))。在接收到该时间戳信息后,时间戳代理510中的完整性验证信息生成单元为多个摄像设备A-E在该特定时间段中的数据分段分别生成完整性验证信息。每个摄像设备的完整性验证信息均不相同,根据摄像设备对应的叶子节点在哈希树中位置而各异。一个摄像设备 的验证信息包括两部分:一部分是公共验证信息(即时间戳),另一部分是哈希树上的部分节点值及路径信息。完整性验证信息中的哈希树的路径信息获取以及该路径上部分节点的选取方法为:找到哈希树上该摄像设备在该特定时间段内的数据分段所对应的叶子节点,然后获得以此为起点到达根节点的路径(在图中用带箭头的粗虚线示出),并且依次取得该路径上的节点的兄弟节点的哈希值。路径信息包含每个所选取节点相对于路径的位置,如节点在哈希树中的层次、以及相对于该路径的左右关系。例如在图5中,摄像设备D在上述特定时间段中的数据分段的D2的完整性验证信息是([l,HC2],[l,HAB2],[r,HE2],Timestamp(HAE2)),其中节点的排列顺序表达了从叶子节点到达根节点的顺序,即路径信息,r、l表示兄弟节点相对于该路径是右节点还是左节点。对于路径信息中包含的相对于该路径的左右关系,可首先预先约定哈希树的摆放方法。例如,如果将根节点放在上方,则相关节点的哈希值HC2,HAB2,HE2的左右关系为r,r,l(即,右,右,左),而图5示出的完整性验证信息中的左右关系是在将根节点放在下方的情况下得到的结果。这种与相关节点在路径中的左右关系的l,r信息对于哈希树是必需的。但是如果哈希结构是哈希链,则可以不存储l,r信息,因为这种l,r信息暗含在完整性验证信息中哈希值的排列规则中。在下面的描述中,为了简明起见,在完整性验证信息时没有表示出l,r信息,但是这种信息实际上是存在于路径信息中的。
The hash structure generation unit in the
上述的层次信息可以单独地表示,也可以按照某种格式预先约定,比如约定排在第一个的是最低层次的相关节点的节点值,以此类推。在图5给出的实例中是按照完整性验证信息里各节点的排列顺序来推定节点的层次。 The above-mentioned level information can be represented separately, or can be pre-agreed according to a certain format, for example, it is agreed that the node value of the lowest level related node is the first one, and so on. In the example given in Fig. 5, the hierarchy of nodes is estimated according to the arrangement order of each node in the integrity verification information. the
根据上述结合图4和5的详细描述可看出,根据本发明的实施例的用于为多个数据源生成完整性验证信息的方式的益处在于:各个数据源的数据可以分开存放并具有各自单独的完整性验证信息,使得在后续验证过程(后面将详细描述)中可以 单独验证各个数据源的数据的完整性,由此提高了对数据的完整性保护的效率和准确性。此外,对于来自多个数据源的某一特定时间段内的数据,只需要申请一次时间戳,因此大大减少了时间戳的申请次数,缩减数据通信开销,由此降低了成本。 According to the above detailed description in conjunction with FIGS. 4 and 5, it can be seen that the benefit of the method for generating integrity verification information for multiple data sources according to the embodiment of the present invention is that the data of each data source can be stored separately and have their own The separate integrity verification information enables the data integrity of each data source to be independently verified in the subsequent verification process (described in detail later), thereby improving the efficiency and accuracy of data integrity protection. In addition, for data from multiple data sources within a certain period of time, only one time stamp needs to be applied for, thus greatly reducing the number of time stamp applications, reducing data communication overhead, and thus reducing costs. the
作为一种具体实现方案,时间戳代理410或510可将所生成的多个摄像设备在特定时间段中的数据分段的完整性验证信息发送给对应的摄像设备,以供随后对摄像设备的数据分段的完整性进行验证时使用。可替选地,时间戳代理410或510也可以将所生成的完整性验证信息连同该完整性信息所对应的数据分段的识别信息(例如该完整性验证信息是属于哪一个摄像设备的、在哪一个特定时间段中的数据分段的完整性验证信息)进行存储,以便在后续的验证过程中使用。此外,在将完整性验证信息分发给相应的摄像设备的情况下,当确认各个摄像设备均收到对应的完整性验证信息后,时间戳代理410或510可以将此次暂时缓存的哈希树删除,接着进行对应于下一个特定时间段的下次完整性验证信息生成处理。这种方式可以节约时间戳代理的存储空间。
As a specific implementation solution, the
在一种具体实例中,如图3所示的根据本发明实施例的生成数据的完整性验证信息的装置300还可包括数据封装单元。例如,可以将该装置300设置在数据源中,则在装置300中的完整性验证信息生成单元生成了相应数据分段的完整性验证信息之后,该数据封装单元可将该完整性验证信息设置在该相应的数据分段之后。以便形成该数据分段所属的数据源的封装数据。图6示出了这种封装数据的一种可能形式。如图所示,给出了某个数据源的封装数据,其中C1和C2表示在不同的特定时间段中的数据分段,跟随在C1之后的信息VC1即是通过根据本发明实施例的生成数据的完整性验证信息的装置300所生成的完整性验证信息。类似地,完整性验证信息VC2跟随在数据分段C2之后。如此,在后续的验证过程中,在获取需要进行完整性验证的数据分段时可容易地同时读取出与之对应的完整性验证信息。通过这样的方式,可增强待进行完整性验证的数 据分段和与之对应的完整性验证信息之间的联系,这进而便利了后续的数据完整性验证过程(下面将详细描述)的进行。
In a specific example, the
例如,上述这种结合了数据分段及其完整性验证信息的封装数据可以保存在相应的数据源内部的存储设备上,或者通过网络发送给监控中心服务器用以监视或存档。 For example, the above-mentioned encapsulated data combined with the data segment and its integrity verification information can be stored on the internal storage device of the corresponding data source, or sent to the monitoring center server through the network for monitoring or archiving. the
在另一种具体实例中,如图3所示的根据本发明实施例的生成数据的完整性验证信息的装置300还可包括对应关系创建单元,其可将完整性验证信息生成单元为多个数据源在特定的时间段内各自包括的数据分段生成的完整性验证信息集中存储,并创建完整性验证信息与相应的数据分段之间的对应关系。在后续的完整性验证过程中,可通过这种对应关系获得与待进行完整性验证的数据分段对应的完整性验证信息,以供进行完整性验证。通过将完整性验证信息集中存储,可更好地防止这些信息遭到破坏。另外,由于建立了数据分段与完整性验证信息之间的对应关系,因此保证了后续验证过程的准确性。
In another specific example, the
在上面给出的实例中,各个摄像设备将某特定时间段内的数据分段进行哈希,然后将哈希值发送给根据本发明的实施例的生成数据的完整性验证信息的装置(例如时间戳代理)以进行完整性验证信息的生成。这种情况下特定时间段的(即数据分段的)长度例如为分钟的数量级,例如1分钟。然而,在有些应用中,可能需要更加精确地定位数据源中的数据分段,即需要更短的时间分段或者数据分段长度。为了满足这种需求,图7-8给出了相应的解决方案。 In the example given above, each imaging device hashes the data segments within a certain period of time, and then sends the hash value to the device for generating data integrity verification information according to an embodiment of the present invention (such as Timestamp agent) for the generation of integrity verification information. In this case the length of the specific time period (ie the data segment) is for example on the order of minutes, for example 1 minute. However, in some applications, it may be necessary to locate data segments in the data source more precisely, that is, shorter time segments or data segment lengths are required. In order to meet this requirement, Figure 7-8 shows the corresponding solution. the
图7是示出了通过利用如图3中的生成数据的完整性验证信息的装置300,对于某个数据源的数据子分段通过内部子哈希链来进行完整性保护的实例的示意图。在该实例中仍以摄像设备作为数据源的例子来说明。如图7所示,装置300使得在多个摄像设备A-D中的一个摄像设备A中,将某个特定的时间段中的数据分段再细划分为4个数据子分段A1-A4,这些数据子分段各自的哈希值为H1-H4。通过以这些哈希值作为最低层的子节点,在摄像设备A内部构造子哈希链(与摄像设备A-D 的在特定时间段内的数据分段的哈希值构成的外部哈希树相对而言),并计算该子哈希链的子根哈希值H14(与外部哈希树的根哈希值相对而言)。将内部哈希链的根哈希值H14作为摄像头A的哈希值,通过外部哈希树(即,由摄像设备A-D在该特定的时间段中的数据分段的哈希值HA-HD作为叶子节点构造的外部的哈希树)的处理向时间戳代理(例如通过装置300实现)申请时间戳(例如可采用图5中示出的方式来进行),时间戳代理返回公共验证信息后,摄像设备A内重新进行一次验证信息的分配。即,通过在外部哈希树处理中摄像头A获得的其自身的完整性验证信息、内部哈希链的路径信息和该路径上相关节点的哈希值来形成摄像头A内部的各个数据子分段A1-A4的完整性验证信息。在一种优选实施方式中,如果数据子分段的验证是相对独立的,则为了节约存储空间,每个数据子分段仅需要存储数据子分段的哈希值,例如A1数据子分段的验证信息仅需存储H(A1),然后在四个数据子分段的后面存储A1~A4的验证信息V14,即从时间戳代理返回的用于摄像设备A的验证信息。在后续的验证时,根据其它分段的哈希值重新生成内部哈希链,使用V14内的验证信息验证内部哈希链的根节点的哈希值。当大分段内的某些数据子分段缺失,但缺失数据子分段的哈希值存在的情况下,仍可以单独验证每个剩余数据子分段的完整性,从而提高了验证的精度和颗粒度。
FIG. 7 is a schematic diagram showing an example of performing integrity protection on data sub-segments of a certain data source through internal sub-hash chains by using the
容易理解,虽然在图7中示出的是通过对一个摄像设备A构建内部子哈希链来进行完整性保护的配置,但是本领域技术人员理解,取决于实际需要以及系统实际处理能力,可以对所有摄像设备A-D或者其中任意选择的若干摄像设备执行这种配置。 It is easy to understand that although what is shown in FIG. 7 is a configuration for integrity protection by constructing an internal sub-hash chain for a camera device A, those skilled in the art understand that depending on actual needs and actual processing capabilities of the system, it can be This configuration is performed for all image pickup devices A-D or arbitrarily selected several image pickup devices among them. the
图8是示出了通过利用如图3中的生成数据的完整性验证信息的装置300,对于某个数据源的数据子分段通过内部子哈希树来进行完整性保护的实例的示意图。如图8所示,在多个摄像设备A-D中的一个摄像设备A中,装置300使得某个特定的时间段中的数据分段被再细划分为4个数据子分段A1-A4,这 些数据子分段各自的哈希值为H1-H4。通过以这些哈希值作为叶子节点,在摄像设备A内部构造子哈希树,并计算该子哈希树的子根哈希值H14。将内部哈希树的根哈希值H14作为摄像头A的哈希值,通过外部哈希树(即,由摄像设备A-D在该特定的时间段中的数据分段的哈希值HA-HD作为叶子节点构造的外部的哈希树)的处理向时间戳代理(例如通过装置300实现)申请时间戳(例如可采用图5中示出的方式来进行),时间戳代理返回公共验证信息后,摄像设备A内重新进行一次验证信息的分配。即,通过在外部哈希树处理中摄像头A获得的其自身的完整性验证信息、内部哈希树的路径信息和该路径上相关节点的哈希值来形成摄像头A内部的各个数据子分段A1-A4的完整性验证信息。与图7示出的实例类似,在一种优选实施方式中,如果数据子分段的验证是相对独立的,则为了节约存储空间,例如可以使每个数据子分段后仅需要存储数据子分段的哈希值,例如A1数据子分段的验证信息仅需存储H1,然后在四个数据子分段的后面存储A1~A4的验证信息V14,即从时间戳代理返回的验证信息。在后续的验证过程中,根据其它分段的哈希值重新生成内部哈希树,使用V14内的验证信息验证内部哈希树的根节点。当大的数据分段内的某些数据子分段缺失,但缺失数据子分段的哈希值仍存在的情况下,仍然可以单独验证每个剩余数据子分段的完整性,从而提高了后续的完整性验证的精度和颗粒度。
FIG. 8 is a schematic diagram showing an example of performing integrity protection on data sub-segments of a certain data source through an internal sub-hash tree by using the
同样地,容易理解,虽然在图8中示出的是通过对一个摄像设备A构建内部子哈希树来进行完整性保护的配置,但是本领域技术人员理解,取决于实际需要以及系统实际处理能力,可以对所有摄像设备A-D或者其中任意选择的若干摄像设备执行这种配置。 Similarly, it is easy to understand that although the configuration shown in FIG. 8 is to implement integrity protection by constructing an internal sub-hash tree for an imaging device A, those skilled in the art understand that it depends on the actual needs and the actual processing of the system. Capability, this configuration can be performed on all imaging devices A-D or arbitrarily selected several imaging devices among them. the
上述图7和图8所示的两种解决方案中,根据本发明实施例的生成数据的完整性验证信息的装置300通过在相应的数据源的内部运用链状或树状哈希结构的技术来生成数据源中更小的数据分段的完整性验证信息,从而可进一步提高验证的精度 和颗粒度。此外还可以节省存储空间,因为整个大的数据分段的验证信息只需存储一次。
In the above two solutions shown in FIG. 7 and FIG. 8, the
需要注意,上述两种解决方案可以根据不同的应用场景进行选用,以便获得更佳的技术益处。具体而言,如果大的数据分段内部的小的数据子分段的验证是相对独立的,即,一个数据子分段的验证依赖于其它数据子分段的哈希值的存在,但其它数据子分段的原始内容可以缺失。在这种情况下,每个数据子分段后仅需存储其自身的哈希值,这样链状哈希结构更容易实现,而计算哈希树需要更大的存储空间,因此使用哈希链更具有优势。如果要求大的数据分段内的各个数据子分段的验证依然绝对独立,也就是每个数据子分段分别存储验证信息而不依赖其它数据子分段的原始内容和哈希值的存在,也就是说即使其它数据子分段及其哈希值缺失,剩余的数据子分段仍可独立被验证,因为每个数据子分段的验证信息保存了验证路径及其该路径上相关节点的信息。在这种数据子分段的验证是绝对独立的情况下,则链状哈希方法需要为每个数据子分段存储更大体积的验证信息,数据子分段后的验证信息的长度跟子分段的数目成正比,而树状哈希方法使得子分段后的验证信息的长度跟子分段的数目成对数关系,因此树状哈希更具有优势。当然,容易理解,如果系统的处理能力许可,图7和8中示出的内部哈希链和哈希树的配置方式可以任意应用于数据子分段的验证是相对独立或绝对独立的各种场景。 It should be noted that the above two solutions can be selected according to different application scenarios in order to obtain better technical benefits. Specifically, if the verification of small data sub-segments inside a large data segment is relatively independent, that is, the verification of one data sub-segment depends on the existence of hash values of other data sub-segments, but other data sub-segments The original content of the data sub-segment may be missing. In this case, each data sub-segment only needs to store its own hash value, so that the chain hash structure is easier to implement, and the calculation of the hash tree requires a larger storage space, so the hash chain is used more advantageous. If it is required that the verification of each data sub-segment in a large data segment is still absolutely independent, that is, each data sub-segment stores verification information separately without relying on the existence of the original content and hash value of other data sub-segments, That is to say, even if other data sub-segments and their hash values are missing, the remaining data sub-segments can still be verified independently, because the verification information of each data sub-segment saves the verification path and its associated nodes on the path. information. In the case where the verification of such data sub-segments is absolutely independent, the chain hash method needs to store a larger volume of verification information for each data sub-segment, and the length of the verification information after the data sub-segment is the same as that of the sub-segment. The number of segments is proportional, and the tree hash method makes the length of the verification information after the sub-segment logarithmically related to the number of sub-segments, so the tree hash has more advantages. Of course, it is easy to understand that if the processing capability of the system permits, the internal hash chain and hash tree configurations shown in Figures 7 and 8 can be arbitrarily applied to various types of data sub-segments whose verification is relatively independent or absolutely independent. Scenes. the
此外,在上述图7和图8的解决方案中,内部哈希结构和外部哈希结构可以任意组合。也就是说,内部哈希结构和外部哈希结构可以都是哈希树或者哈希链;或者内部哈希结构是哈希树,外部哈希结构是哈希链;或者内部哈希结构是哈希链,外部哈希结构是哈希树。 In addition, in the above-mentioned solutions of FIG. 7 and FIG. 8 , the internal hash structure and the external hash structure can be combined arbitrarily. That is to say, both the internal hash structure and the external hash structure can be hash trees or hash chains; or the internal hash structure is a hash tree and the external hash structure is a hash chain; or the internal hash structure is a hash Greek chain, the external hash structure is a hash tree. the
虽然在图7和图8中示出只有多个数据源中的一个数据源采用了内部哈希结构的解决方案,但是本领域技术人员容易理解,根据实际需要,可以对多个数据源中的一部分乃至全部来采取上述解决方案。 Although Fig. 7 and Fig. 8 show the solution that only one of the multiple data sources adopts the internal hash structure, those skilled in the art can easily understand that according to actual needs, the hash structure of multiple data sources can be Some or even all of the above solutions can be adopted. the
在通常情况下,需要对其数据完整性进行保护和验证的多个数据源(例如监控系统内的摄像设备)的数目可能比较固定,因此通过根据本发明的实施例的生成数据的完整性验证信的装置(例如实现为时间戳代理)构造的哈希树的形状是固定的,由此可以预先指定构造一棵合适的高效的哈希树。但是,现实中存在有的些情形会使得摄像设备的数目发生动态变化,例如:新摄像设备的增加,摄像设备被撤销,设像设备因为故障不工作,各个摄像设备的保护等级不一样(例如数据分段对应的特定时间段的长度不一样)等,这使得在不同的时间段内,时间戳代理接收到的哈希值的个数是动态变化的。从而需要一种适合时间戳代理使用的动态构造高效哈希树的解决方案。 Under normal circumstances, the number of multiple data sources (such as camera equipment in the monitoring system) that needs to be protected and verified for its data integrity may be relatively fixed, so the integrity verification of the generated data according to the embodiment of the present invention The shape of the hash tree constructed by a new device (for example, implemented as a timestamp agent) is fixed, so a suitable and efficient hash tree can be constructed in advance. However, there are some situations in reality that will cause the number of camera devices to change dynamically, for example: the increase of new camera devices, the removal of camera devices, the failure of image devices due to faults, and the different protection levels of each camera device (such as The length of the specific time period corresponding to the data segment is different), etc., which makes the number of hash values received by the timestamp proxy change dynamically in different time periods. Therefore, a solution for dynamically constructing an efficient hash tree suitable for use by a timestamp proxy is required. the
当摄像设备的数目可以构成满二叉哈希树时,也即摄像设备的数目是2的指数倍时,具有最小体积的验证信息。当摄像装置的数目不是2的指数倍时,存在多种构造哈希树的方法。例如图9A和9B示出了在具有7个摄像设备的情况下构造的哈希树。如图9B中的哈希树层数较少,层数较少的哈希树具有平均最小的验证信息体积。因此构造高效的哈希树就是构造最少层数的哈希树。 When the number of camera devices can form a full binary hash tree, that is, when the number of camera devices is an exponential multiple of 2, there is minimum volume of verification information. When the number of cameras is not an exponential multiple of 2, there are various methods of constructing a hash tree. For example, FIGS. 9A and 9B show a hash tree constructed in the case of having 7 imaging devices. As shown in FIG. 9B , the hash tree has fewer layers, and the hash tree with fewer layers has the smallest verification information volume on average. Therefore, constructing an efficient hash tree is to construct a hash tree with the least number of layers. the
在根据本发明实施例的用于生成数据的完整性验证信息的装置的一个具体实例中,可以包括哈希树高度计算子单元和哈希树构造子单元,用于构造高效的哈希树。假设摄像设备的数目为N(N为大于1的自然数),且这些摄像设备在某特定时间段中产生的数据分段的数目为N,则哈希树高度计算子单元计算哈希树的高度h=ceil(log2N),ceil表示取不小于log2N的最小整数。哈希树构造子单元通过如下方式完成高效哈希树的构造:如果log2N是整数,则直接构造高度为h的满二叉树。如果log2N不是整数,例如可先以该N个数据分段的哈希值作为叶子节点来虚拟构造一棵高度为h的满二叉树,然后将N个节点,按照虚拟满二叉树的叶子节点从左到右的顺序依次确定N个节点在该虚拟满二叉树中的位置,然后去掉多余的节点,最后紧缩为一棵目标高效哈希二叉树。图10A-10D给出了叶子节 点的个数N=13的情况下构造高效二叉树的过程。哈希树高度计算子单元计算哈希树的高度h=ceil(log213)=4。由于log213不为整数,哈希树构造子单元构造如图9A所示的高度为4的虚拟满二叉树。然后,将该13个节点,按照该虚拟满二叉树的叶子节点从左到右的顺序依次确定该13个节点在该虚拟满二叉树中的位置,去掉多余的节点,如图10B-10C所示。最后得到如图10D所示的高效哈希二叉树。 In a specific example of the device for generating data integrity verification information according to an embodiment of the present invention, it may include a hash tree height calculation subunit and a hash tree construction subunit for constructing an efficient hash tree. Assuming that the number of imaging devices is N (N is a natural number greater than 1), and the number of data segments generated by these imaging devices in a certain period of time is N, the hash tree height calculation subunit calculates the height of the hash tree h=ceil(log 2 N), ceil represents the smallest integer not less than log 2 N. The hash tree construction subunit completes the construction of an efficient hash tree in the following manner: if log 2 N is an integer, directly construct a full binary tree with a height of h. If log 2 N is not an integer, for example, the hash values of the N data segments can be used as leaf nodes to virtually construct a full binary tree with a height of h, and then N nodes can be divided according to the leaf nodes of the virtual full binary tree. The order from left to right determines the position of N nodes in the virtual full binary tree in turn, then removes redundant nodes, and finally compresses it into a target efficient hash binary tree. Figures 10A-10D show the process of constructing an efficient binary tree when the number of leaf nodes is N=13. The hash tree height calculation subunit calculates the height h=ceil(log 2 13)=4 of the hash tree. Since log 2 13 is not an integer, the hash tree construction subunit constructs a virtual full binary tree with a height of 4 as shown in FIG. 9A . Then, for the 13 nodes, the positions of the 13 nodes in the virtual full binary tree are sequentially determined according to the order of the leaf nodes of the virtual full binary tree from left to right, and redundant nodes are removed, as shown in Figures 10B-10C. Finally, an efficient hash binary tree as shown in FIG. 10D is obtained.
在上面给出的各实例中,如图3中所示的生成数据的完整性验证信息的装置300中的公共验证信息获取单元通过为哈希结构的根哈希值获取时间戳来实现对各数据源在特定时间段中的数据分段的完整性的保护。根据可替选的实施方式,对数据的完整性保护手段还可以是加密或签名等。
In each example given above, the public verification information acquisition unit in the
在通过加密手段实现数据的完整性保护的情形下,通过预定的加密密钥对哈希结构的根哈希值和校验信息进行加密。例如,可以对根哈希值附加一个作为校验信息的校验码(例如长度为10比特的校验码),将这样得到的数据利用该加密密钥进行加密,将加密了的根哈希值与校验码作为公共验证信息,并且使篡改者无法获得该加密密钥,从而使得经过加密的根哈希值和校验码仅可以被拥有加密密钥的人或机构验证,进而验证相应数据的完整性。而不知道加密密钥的任何人不能对受到加密保护的数据进行任何修改,即使修改也可以被验证者发现。在对公共验证信息进行验证时,通过该预定的加密密钥来对加密的根哈希值和校验码进行解密,根据解密得到的根哈希值计算校验码。如果验证通过,即,计算得到的校验码与解密得到的校验码一致,则可确定公共验证信息的验证通过,即,验证结果是正面的。同时还可以恢复公共验证信息中包含的根哈希值,以供在后续的验证过程中使用(后面将详细描述)。根据另一个例子,还可以对根哈希值进行一次哈希计算,得到另一个哈希值(以下称为“验证哈希值”)作为校验信息,利用预定的加密密钥对根哈希值与验证哈希值的组合进行加密,将加密了的数据作为公共验证信息,并且使篡改者无法获得该加密密钥, 从而使得经过加密的根哈希值和验证哈希值仅可以被拥有加密密钥的人或机构验证,进而验证相应数据的完整性。而不知道加密密钥的任何人不能对受到加密保护的数据进行任何修改,即使修改也可以被验证者发现。在对公共验证信息进行验证时,通过该预定的加密密钥来对加密的根哈希值和验证哈希值进行解密,对解密得到的根哈希值进行一次哈希计算。如果验证通过,即,该哈希计算得到的哈希值与解密得到的验证哈希值一致,则可确定公共验证信息的验证通过,即,验证结果是正面的。类似地,该验证处理还可以恢复公共验证信息中包含的根哈希值,以供在后续的验证过程中使用。如上所述,由于在对根哈希值的加密过程中附加了校验信息(例如上述例子中的校验码和验证哈希值),因此在对公共验证信息进行验证的处理中可以借助于该校验信息而确定解密得到的根哈希值是否为原来的哈希值,也即,可以恢复公共验证信息中包含的根哈希值,以供在后续的验证过程中使用。 In the case of implementing data integrity protection by means of encryption, the root hash value and verification information of the hash structure are encrypted with a predetermined encryption key. For example, a check code (for example, a check code with a length of 10 bits) can be added to the root hash value as check information, the data obtained in this way can be encrypted with the encryption key, and the encrypted root hash can be encrypted. The value and check code are used as public verification information, and tamperers cannot obtain the encryption key, so that the encrypted root hash value and check code can only be verified by the person or organization that owns the encryption key, and then verify the corresponding Data Integrity. Anyone who does not know the encryption key cannot make any modifications to the encrypted data, even if the modification can be discovered by the verifier. When verifying the public verification information, the encrypted root hash value and check code are decrypted by the predetermined encryption key, and the check code is calculated according to the decrypted root hash value. If the verification passes, that is, the calculated check code is consistent with the decrypted check code, it can be determined that the verification of the public verification information passes, that is, the verification result is positive. At the same time, the root hash value contained in the public verification information can also be restored for use in subsequent verification processes (details will be described later). According to another example, a hash calculation can also be performed on the root hash value to obtain another hash value (hereinafter referred to as "verification hash value") as verification information, and the root hash value can be encrypted using a predetermined encryption key. Value and verification hash value are encrypted, the encrypted data is used as public verification information, and tamperers cannot obtain the encryption key, so that the encrypted root hash value and verification hash value can only be owned The person or organization verifies the encryption key, which in turn verifies the integrity of the corresponding data. Anyone who does not know the encryption key cannot make any modifications to the encrypted data, even if the modification can be discovered by the verifier. When verifying the public verification information, the encrypted root hash value and the verification hash value are decrypted by the predetermined encryption key, and a hash calculation is performed on the decrypted root hash value. If the verification passes, that is, the hash value obtained by the hash calculation is consistent with the verification hash value obtained by decryption, it can be determined that the verification of the public verification information passes, that is, the verification result is positive. Similarly, the verification process can also recover the root hash value contained in the public verification information for use in subsequent verification processes. As mentioned above, since the verification information (such as the verification code and the verification hash value in the above example) is added during the encryption process of the root hash value, in the process of verifying the public verification information, it is possible to use The verification information determines whether the decrypted root hash value is the original hash value, that is, the root hash value contained in the public verification information can be restored for use in a subsequent verification process. the
在通过数字签名手段实现数据的完整性保护的情形下,用预定的秘密私钥对哈希结构的根哈希值签名后,产生的数据分段的完整性验证信息可以由任何持有与上述预定的秘密私钥对应的公钥证书的人或机构验证,并且还可确认对数据进行签名者的身份信息。篡改者在不知道秘密私钥的情况下,无法对数据进行任何修改,即使修改也可以被验证者发现。由此可实现对数据的完整性的保护。在对公共验证信息进行验证时,通过与该秘密私钥对应的公钥证书来对经过签名的根哈希值验证,如果验证通过,则可确定公共验证信息的验证通过,即,验证结果是正面的。与上述通过对根哈希值进行加密来生成公共验证信息的情况类似,在确认验证通过的同时还可以恢复公共验证信息中包含的根哈希值,以供在后续的验证过程中使用。 In the case of implementing data integrity protection by means of digital signatures, after signing the root hash value of the hash structure with a predetermined secret private key, the integrity verification information of the generated data segments can be verified by anyone who holds the above-mentioned The person or organization verifies the public key certificate corresponding to the predetermined secret private key, and can also confirm the identity information of the person who signed the data. The tamperer cannot make any modification to the data without knowing the secret private key, and even the modification can be discovered by the verifier. As a result, protection of the integrity of the data can be achieved. When verifying the public verification information, use the public key certificate corresponding to the secret private key to verify the signed root hash value. If the verification is passed, it can be determined that the verification of the public verification information is passed, that is, the verification result is Front. Similar to the above case where the public verification information is generated by encrypting the root hash value, the root hash value contained in the public verification information can also be recovered while confirming that the verification is passed, for use in a subsequent verification process. the
此外,也可以通过上述的加密、签名、时间戳方式的任意组合来获取公共验证信息,使得经过完整性保护的数据可具有多种保护属性,以便满足用户的不同需求。 In addition, the public verification information can also be obtained through any combination of the above-mentioned encryption, signature, and time stamp methods, so that the integrity-protected data can have various protection attributes to meet different needs of users. the
在上面给出的实例中,多个数据源是视频摄像设备,待生 成完整性验证信息的数据是来自多个视频摄像设备的视频数据。但是本领域技术人员理解,根据本发明实施例的生成数据的完整性验证信息的装置还可以对来自多个任意类型的数据源的任意种类的数据,例如音频、文字、图片、任意实时数据以及这些种类的数据的组合等来生成完整性验证信息,进而实现对这些数据的完整性保护。具体生成过程与上述的视频数据的类似,在此不再赘述。 In the example given above, multiple data sources are video camera devices, and the data to be generated for integrity verification information is video data from multiple video camera devices. However, those skilled in the art understand that the device for generating data integrity verification information according to the embodiment of the present invention can also perform any type of data from multiple data sources of any type, such as audio, text, pictures, any real-time data, and Integrity verification information is generated by a combination of these types of data, and then the integrity protection of these data is realized. The specific generation process is similar to that of the above-mentioned video data, and will not be repeated here. the
如图3所示的生成数据的完整性验证信息的装置300可以作为独立的功能装置来实现,例如图4-5,7-8中所描述的那样,但是其也可以结合在待进行完整性保护的数据源中。例如,在一种可替选实施方式中,可将装置300(例如时间戳代理)与数据源(例如摄像设备)集成为一体,因而可使得这种数据源本身具有生成数据的完整性验证信息的功能。
The
图11示出了具有这种功能的摄像设备1100的一个示例的结构简化框图。如图11所示,摄像设备1100包括视频采集单元1102,如图3示出的装置300以及通信接口1104。视频采集单元1102将采集到的视频数据提供给装置300中包括的哈希结构生成单元310,该哈希结构生成单元310通过与特定的时间分段对应的各个数据分段哈希值作为最低层的子节点来形成哈希结构(例如哈希树或哈希链)。装置300中包括的公共验证信息获取单元320为从哈希结构生成单元310得到的哈希结构的根哈希值获取公共验证信息,例如可通过上述的时间戳、加密和数字签名等技术手段来实现。以时间戳方式为例,公共验证信息获取单元320经由通信接口1104从TSA(图中未示出)获得时间戳信息,该时间戳信息可经由通信接口1104传送给装置300中的完整性验证信息生成单元330,其利用该公共验证信息以及从哈希结构生成单元310得到的哈希结构信息,为相应的数据分段生成完整性验证信息。此外,所生成的完整性验证信息例如可以通过通信接口1104传送给对应的数据源。
FIG. 11 shows a simplified block diagram of an example of an imaging device 1100 having such a function. As shown in FIG. 11 , the camera device 1100 includes a
需要注意,只要使得最终获得的摄像设备能够实现对数据生成完整性验证信息的功能,如图11所示的摄像设备中各个组 成单元之间的配置方式并不限于图11给出的具体方式。例如,也可将装置300中的哈希结构生成单元310与视频采集单元结合在一起,或者将装置300中的公共验证信息获取单元320和完整性验证信息生成单元330与通信接口1104结合在一起,等等。
It should be noted that as long as the finally obtained imaging equipment can realize the function of generating integrity verification information for data, the configuration of each component unit in the imaging equipment shown in Figure 11 is not limited to the specific way shown in Figure 11 . For example, the hash
容易理解,这种集成有用于生成数据的完整性验证信息的摄像设备使得可省去单独的装置300(例如时间戳代理)来生成相应数据分段的完整性验证信息,从而有利于降低数据的完整性保护系统的结构复杂性,此外还可降低成本。 It is easy to understand that such an imaging device integrated with the integrity verification information for generating data can save a separate device 300 (such as a time stamp agent) to generate the integrity verification information of the corresponding data segment, thereby helping to reduce data integrity. Integrity protection of the structural complexity of the system, in addition to reducing costs. the
在上面描述的实例中,通过根据本发明实施的生成数据的完整性验证信息的装置300(例如实现为时间戳代理)来实现完整性验证信息的生成。但是,根据本发明另外的实施例,例如,也可以由多个数据源中的一个或者多个数据源完成时间戳代理的功能而不用设置单独的时间戳代理。
In the example described above, the generation of integrity verification information is realized by the
仍以摄像设备作为数据源的例子进行描述。事实上,时间戳代理的计算量和所需存储空间比较小,完全可以实现在某一个或多个摄像设备内,由此可降低设备维护的困难。因此,部署作为多个数据源的多个摄像设备时,例如可由用户选定或随机确定一个主摄像设备,其它摄像设备通过局域网络与该主摄像设备连接。主摄像设备连接外部网络负责哈希树的生成、时间戳申请、完整性验证信息的生成。这种主摄像设备例如可以通过上述图11中示出的摄像设备来实现。 Still taking the camera device as an example of the data source for description. In fact, the calculation amount and the required storage space of the time stamp agent are relatively small, and it can be completely implemented in one or more camera devices, thereby reducing the difficulty of device maintenance. Therefore, when deploying multiple cameras serving as multiple data sources, for example, a master camera may be selected or randomly determined by the user, and other camera devices may be connected to the master camera through a local area network. The main camera device connected to the external network is responsible for the generation of the hash tree, the application of time stamps, and the generation of integrity verification information. Such a main imaging device can be realized, for example, by the imaging device shown in FIG. 11 described above. the
在摄像设备较多的情况下,例如可以将摄像设备组成如图12A-12B所示结构。图12A是示出了根据本发明的实施例的生成数据的完整性验证信息的系统的简化结构框图,其中多个数据源划分为多级哈希区域,图12B是示出了作为图12A的系统的一种变形形式的生成数据的完整性验证信息的系统的简化结构框图。 In the case of a large number of imaging devices, for example, the imaging devices may be organized into a structure as shown in FIGS. 12A-12B . Fig. 12A is a simplified structural block diagram showing a system for generating data integrity verification information according to an embodiment of the present invention, wherein multiple data sources are divided into multi-level hash areas, and Fig. 12B is a diagram showing A simplified structural block diagram of a system for generating data integrity verification information of a variant of the system. the
在图12A-12B示出的配置中,将所有摄像设备分成多个哈希区域,即,图12A中的第一级哈希区域和第二级哈希区域,以及图12B中的第一级至第三级哈希区域。如图12A所示,第 一级哈希区域中包括四个哈希结构,在此为哈希树,可分别用a-e来表示。每一颗哈希树包括5个数据源,即,摄像设备,并且每一颗哈希树中包括一个管理摄像设备,用于负责其所管理的哈希树的生成,完整性验证信息的分配等。如图12A所示,例如,在第一级哈希区域中,摄像设备A作为摄像设备组A1~A5的管理摄像设备,摄像设备B作为摄像设备组B1~B4的管理摄像设备,摄像设备C作为摄像设备组C1~C5的管理摄像设备,摄像设备D作为摄像设备组D1~D5的管理摄像设备。在第二级哈希区域中,由摄像设备E作为管理摄像设备。如图12B所示,在第一级哈希区域中包括三个哈希结构,即哈希树a-c。每一颗哈希树包括4个数据源,即,摄像设备,并且每一颗哈希树中包括一个管理摄像设备,用于负责其所管理的哈希树的生成,完整性验证信息的分配等。如图12B所示,摄像设备A,B,C分别作为摄像设备组(A1~A3,A),(B1~B3,B),(C1~C3,C)的管理摄像设备。类似地,在第二级哈希区域中包括两颗哈希树d和e,分别由摄像设备D和E作为管理摄像设备。容易理解,多个数据源所能够划分成的哈希区域的级数、每一级哈希区域中包括的哈希结构(例如,哈希树或哈希链)的数量、以及每一个哈希结构中包括的摄像设备的个数可以根据实际需要相应地调整而不限于图12A-12B中所示出的具体配置例子。 In the configuration shown in Figures 12A-12B, all camera devices are divided into multiple hash areas, namely, the first-level hash area and the second-level hash area in Figure 12A, and the first-level hash area in Figure 12B to the third-level hash area. As shown in Figure 12A, the first-level hash area includes four hash structures, which are hash trees here, which can be represented by a-e respectively. Each hash tree includes 5 data sources, that is, camera equipment, and each hash tree includes a management camera device, which is responsible for the generation of the hash tree it manages and the distribution of integrity verification information wait. As shown in FIG. 12A , for example, in the first-level hash area, imaging device A is the management imaging device of imaging device groups A1-A5, imaging device B is the management imaging device of imaging device groups B1-B4, and imaging device C As the management imaging device of the imaging device groups C1 to C5, the imaging device D serves as the management imaging device of the imaging device groups D1 to D5. In the second-level hash area, the camera device E is used as the management camera device. As shown in FIG. 12B, the first-level hash area includes three hash structures, namely hash trees a-c. Each hash tree includes 4 data sources, that is, camera equipment, and each hash tree includes a management camera device, which is responsible for the generation of the hash tree it manages and the distribution of integrity verification information wait. As shown in FIG. 12B , imaging devices A, B, and C are respectively used as management imaging devices of the imaging device groups (A1-A3, A), (B1-B3, B), and (C1-C3, C). Similarly, two hash trees d and e are included in the second-level hash area, and camera devices D and E are respectively used as management camera devices. It is easy to understand, the number of levels of hash areas that multiple data sources can be divided into, the number of hash structures (for example, hash trees or hash chains) included in each level of hash area, and the number of each hash area The number of imaging devices included in the structure can be adjusted accordingly according to actual needs and is not limited to the specific configuration examples shown in FIGS. 12A-12B . the
上述的管理摄像设备例如也可以通过上述图11中示出的摄像设备来实现。下面简要描述每一个管理摄像设备如何生成其所管理的哈希树。先以图12A为例,例如管理摄像设备A将其自身及其所管理的摄像设备A1-A4在特定时间段中包括的数据分段的哈希值分别作为最底层的子节点来生成哈希树a,而管理摄像设备E通过将其自身在特定时间段中包括的数据分段的哈希值以及前一级,即第一级哈希区域中对应的哈希树a-d的根结点值分别作为最底层的子节点来生成哈希树e。再参见图12B,例如,第二级哈希区域中的一个管理摄像设备D可以将其自身及其所管理的摄像设备D1-D3在特定时间段中包括的数据分段的哈希值分别作为最底层的子节点来生成哈希树d。第二级哈希区域中的另一个管理摄像设备E可以将其自身在特定 时间段中包括的数据分段的哈希值以及前一级,即第一级哈希区域中对应的哈希树a-c的根结点值分别作为最底层的子节点来生成哈希树e。图12A-12B中其他管理摄像设备生成其所管理的哈希树的过程与上述是类似的,不再逐一赘述。 The above-mentioned management camera equipment can also be realized by the above-mentioned camera equipment shown in FIG. 11 , for example. The following briefly describes how each management camera device generates the hash tree it manages. First take Figure 12A as an example, for example, the management camera device A uses the hash values of the data segments included in itself and the camera devices A1-A4 it manages in a specific period of time as the bottom-level child nodes to generate hash values. tree a, and manage the camera device E by the hash value of its own data segment included in a specific time period and the root node value of the corresponding hash tree a-d in the previous level, that is, the first level hash area The hash tree e is generated as the bottommost child node respectively. Referring again to FIG. 12B , for example, a management camera device D in the second-level hash area can use the hash values of the data segments included in itself and the camera devices D1-D3 it manages in a specific time period as The lowest child node to generate the hash tree d. Another management camera device E in the second-level hash area can combine the hash value of the data segment it includes in a specific time period with the previous level, that is, the corresponding hash tree in the first-level hash area The root node values of a-c are respectively used as the bottom child nodes to generate the hash tree e. The process of generating the hash tree managed by other management camera devices in FIGS. 12A-12B is similar to the above, and will not be repeated one by one. the
接着,对各级哈希区域中管理摄像设备生成验证信息的过程进行概述。 Next, the process of managing the verification information generated by the camera equipment in the hash areas at all levels is outlined. the
在图12A和12B的配置中,管理摄像设备E和F分别位于最高级哈希区域中的哈希树中,其可被称为是“最高级管理摄像设备”(即,前述的主摄像设备)。这种最高级管理摄像设备用于根据在最高级哈希区域中各个哈希结构的根结点值来生成最终的根哈希值,并且,该最高级管理摄像设备获取针对该最终的根哈希值进行了保护的(例如通过时间戳方式,加密方式或者数字签名方式等)信息作为公共验证信息。需要注意,虽然在图12A和12B中,最高级哈希区域中只包括一个哈希结构,但是这并不是限定性的,根据实际需要,最高级哈希区域中同样可以包括多个哈希结构。在这种情况下,可预先指定由这些哈希结构中哪一个的管理摄像设备作为最高级管理摄像设备。 In the configurations of FIGS. 12A and 12B , the management camera devices E and F are respectively located in the hash tree in the highest-level hash area, which can be referred to as "the highest-level management camera device" (that is, the aforementioned main camera device ). This highest-level management camera is used to generate the final root hash value according to the root node value of each hash structure in the highest-level hash area, and the highest-level management camera obtains the final root hash The information protected by the hash value (for example, by means of time stamp, encryption or digital signature, etc.) is used as public verification information. It should be noted that although in Figures 12A and 12B, only one hash structure is included in the highest-level hash area, this is not limiting. According to actual needs, multiple hash structures can also be included in the highest-level hash area . In this case, it may be specified in advance which of these hash structures manages the imaging device as the highest-level management imaging device. the
在最高级的哈希区域中,最高级管理数据源为该最高级哈希区域的每一个哈希结构中的、与数据源对应的最底层的子节点生成完整性验证信息,该完整性验证信息包括上述的公共验证信息、在该最高级哈希区域中的、从该子节点到最终的根结点的路径信息、以及在该路径中包括的与该子节点相关的节点的哈希值。 In the highest-level hash area, the highest-level management data source generates integrity verification information for the lowest-level sub-node corresponding to the data source in each hash structure of the highest-level hash area. The information includes the above-mentioned public verification information, path information from the child node to the final root node in the highest-level hash area, and hash values of nodes related to the child node included in the path . the
对于除了最高级哈希区域以外的其他级哈希区域中的某个哈希结构,该哈希结构中的管理摄像设备为该哈希结构中的、与摄像设备对应的其他底层的子节点生成完整性验证信息。该完整性验证信息包括该哈希结构的根结点的完整性验证信息、在该级哈希区域中从该子节点到根结点的路径信息、以及在该路径上与该子节点相关的节点的哈希值。如上所述,该哈希结构的根结点由于作为上一级哈希区域中相应哈希结构的最低层的子节点,其完整性验证信息可以通过该上一级哈希区域中相 应哈希结构的管理摄像设备来生成。 For a hash structure in a hash area other than the highest-level hash area, the management camera equipment in the hash structure generates for other bottom-level child nodes corresponding to the camera equipment in the hash structure Integrity verification information. The integrity verification information includes the integrity verification information of the root node of the hash structure, the path information from the child node to the root node in the hash area of this level, and the information related to the child node on the path The hash value of the node. As mentioned above, since the root node of the hash structure is the child node of the lowest layer of the corresponding hash structure in the upper-level hash area, its integrity verification information can be passed through the corresponding hash in the upper-level hash area. It is generated by the management camera equipment of the Greek structure. the
参见图12A和12B,例如,在图12A中,由摄像设备A1-A4在该特定时间段中数据分段的哈希值所代表的叶子节点经两次结合得到节点A’,然后由管理摄像设备A在该特定时间段中包括的数据分段的哈希值与节点A’的哈希值结合得到节点A”的哈希值。从图中可看出,通过管理摄像设备A所管理的摄像设备组中所有的摄像设备在特定时间段中包括的数据分段的哈希值作为叶子节点来构建哈希树a。类似地,通过管理摄像设备B-D得到各哈希树b-d的根节点B”,C”,D”的哈希值。节点A”-D”的哈希值经两次结合得到节点E’的哈希值。通过由最高级摄像设备E在特定的时间段中包括的数据分段的哈希值以及各个根节点B”,C”,D”和E”的哈希值形成哈希树e。由最高级摄像设备E来负责哈希树e的生成,计算得到哈希树e的根节点E”的哈希值,并最终由最高级摄像设备E负责时间戳的申请。摄像设备A-E中的每一个例如都可以具有图11中示出的结构和配置。通过例如基于时间戳的公共验证信息、哈希树路径信息和路径上的相应节点的哈希值所构成的完整性验证信息来生成用于各摄像设备的完整性验证信息。例如,可以通过最高级摄像设备E将所生成的完整性验证信息分发到各个摄像设备。例如,可通过上述结合图5描述的操作来生成各摄像设备的完整性验证信息,细节在此不再赘述。 Referring to Figures 12A and 12B, for example, in Figure 12A, the leaf nodes represented by the hash values of the data segments of the camera equipment A1-A4 in the specific time period are combined twice to obtain node A', and then the management camera The hash value of the data segment included in device A in the specific time period is combined with the hash value of node A' to obtain the hash value of node A". It can be seen from the figure that through the management of camera device A managed The hash values of the data segments included in the camera equipment group in a specific time period are used as leaf nodes to construct the hash tree a. Similarly, the root node B of each hash tree b-d is obtained by managing the camera equipment B-D ", C", D" hash value. The hash value of node A"-D" is combined twice to obtain the hash value of node E'. A hash tree e is formed by hash values of data segments included in a specific period of time by the highest-level imaging device E and hash values of the respective root nodes B", C", D", and E". The highest-level camera device E is responsible for the generation of the hash tree e, and calculates the hash value of the root node E" of the hash tree e, and finally the highest-level camera device E is responsible for the application of the time stamp. The camera devices A-E Each, for example, can have the structure and configuration shown in Figure 11. For example, the integrity verification information composed of public verification information based on time stamp, hash tree path information and the hash value of the corresponding node on the path is generated Integrity verification information for each imaging device. For example, the generated integrity verification information can be distributed to each imaging device by the highest-level imaging device E. For example, each imaging device can be generated by the operation described above in conjunction with Fig. 5 The integrity verification information of , the details will not be repeated here.
如图12B所示,各级管理摄像设备A,B,C,D,E,F分别负责第一级至第三级哈希区域中哈希树a,b,c,d,e,f的生成。管理摄像设备A,B,C将哈希树a,b,c的根节点a3,b3和c3发送给管理摄像设备E。管理摄像设备D和E将哈希树d,e的根节点d3和e3发送给最高级管理摄像设备F,由其负责哈希树f的生成,并针对根结点f2申请时间戳。相应地,最高级管理摄像设备F获得加盖了时间戳的根节点作为公共验证信息,并将该公共验证信息和哈希树f各个叶子节点e3,d3和F对应的验证信息(路径信息和某些相关节点的哈希值)发送给管理摄像设备E和D及F自身。由管理摄像设备E和D 分别负责哈希树e,d中与各摄像设备相关的验证信息的生成和分发。 As shown in Figure 12B, the management cameras at all levels A, B, C, D, E, and F are respectively responsible for the hash trees a, b, c, d, e, and f in the first-level to third-level hash areas. generate. The management camera devices A, B and C send the root nodes a3, b3 and c3 of the hash trees a, b and c to the management camera device E. The management camera devices D and E send the hash tree d, the root nodes d3 and e3 of e to the highest management camera device F, which is responsible for the generation of the hash tree f, and applies for a time stamp for the root node f2. Correspondingly, the highest-level management camera device F obtains the root node stamped with the time stamp as public verification information, and combines the public verification information with the verification information corresponding to each leaf node e3, d3 and F of the hash tree f (path information and Hash value of some related nodes) is sent to the management camera devices E and D and F itself. The management camera devices E and D are respectively responsible for the generation and distribution of verification information related to each camera device in the hash tree e and d. the
根据本发明的图12A-12B中所示的实施例的系统,负责计算哈希树的摄像设备(即各级管理摄像设备)分别仅需要负责少部分的哈希树生成,有效地进行了负载均匀分配,提高了系统的效率,避免造成系统瓶颈。 According to the system of the embodiment shown in FIGS. 12A-12B of the present invention, the imaging devices responsible for calculating the hash tree (that is, the management imaging devices at all levels) only need to be responsible for a small part of the hash tree generation, effectively reducing the load. Uniform distribution improves system efficiency and avoids system bottlenecks. the
容易理解,对于上述图12A-12B示出的系统的配置还可以进行各种变化。例如,各级哈希区域中包含的哈希树也可以采取其他哈希结构,例如哈希链,或者部分为哈希树,部分为哈希链,等等。而且,根据实际需要,可以配置任意级数的哈希区域,而不限于图12A-12B中示出的具体级数。 It is easy to understand that various changes can be made to the configuration of the system shown in FIGS. 12A-12B above. For example, the hash trees included in the hash areas at all levels may also adopt other hash structures, such as hash chains, or partly hash trees and partly hash chains, and so on. Moreover, according to actual needs, hash regions of any number of stages can be configured, not limited to the specific number of stages shown in FIGS. 12A-12B . the
本发明的实施例还提供了一种生成数据的完整性验证信息的方法。图13给出了这种方法的流程简图。如图13所示,方法1300开始于步骤S1310,包括哈希结构生成步骤S1320、公共验证信息获取步骤1330和完整性验证信息生成步骤S1340,并在步骤S1350结束。在哈希结构生成步骤S1320,将多个数据源在特定的时间段内各自包括的数据分段的哈希值作为最低层的子节点来生成与所述特定时间段相对应的哈希结构,并通过该哈希结构的最低层的子节点来计算该哈希结构的根哈希值。在公共验证信息获取步骤S1330,获取针对该根哈希值的公共验证信息。在完整性验证信息生成步骤S1340,针对多个数据源在该特定的时间段内各自包括的数据分段中的每一个数据分段,基于下列的信息来生成该数据分段的完整性验证信息:公共验证信息、哈希结构中的、从代表最低层的子节点的该数据分段的哈希值到根结点的路径信息、以及在该路径中包括的、与该子节点相关的节点的哈希值。
The embodiment of the present invention also provides a method for generating data integrity verification information. Figure 13 shows a simplified flowchart of this method. As shown in FIG. 13 , the
在根据上述方法1300的一种具体实例中,可以为待进行数据完整性保护的多个数据源中的至少一个数据源生成与特定时间段相对应的哈希子结构,以便对该至少一个数据源中更小的数据分段提供完整性验证信息。从而提高了后续的完整性验证的精度和颗粒度。例如,可以通过上述图7和8中示出的配置 来实现这种实例。具体细节可参见上面针对图7-8的描述,在此不再赘述。与图7-8中的情形类似,所生成的哈希子结构可以是哈希树或者哈希链,或者,为某些数据源生成子哈希树,为某些数据源生成子哈希链。
In a specific example according to the
在根据上述方法1300的另一种具体实例中,可以对针对具有上述图12A-12B所示的配置的系统来生成的完整性验证信息。具体处理细节例如可参见上述针对图12A-12B的描述,不再逐一详述。
In another specific example according to the above-mentioned
在根据上述方法1300的又一种具体实例中,可以在哈希结构(例如哈希树和哈希链)中叶子节点动态改变的情况下,构造高效的哈希树,即最少层数的哈希树。具体细节可参见上面针对图9A-9B,10A-10D的描述,在此不再赘述。
In yet another specific example according to the above-mentioned
在根据上述方法1300的又一种具体实例中,还可包括数据封装步骤,在生成了相应数据分段的完整性验证信息之后,该数据封装步骤可将该完整性验证信息设置在该相应的数据分段之后,以便形成该数据分段所属的数据源的封装数据。具体细节可参见上面结合图6进行的描述,在此不再赘述。
In yet another specific example according to the
在根据上述方法1300的另一种具体实例中,还可包括对应关系创建步骤,其可将完整性验证信息生成步骤为多个数据源在特定的时间段内各自包括的数据分段生成的完整性验证信息集中存储,并创建完整性验证信息与相应的数据分段之间的对应关系。在后续的完整性验证过程中,可通过这种对应关系获得与待进行完整性验证的数据分段对应的完整性验证信息,以供进行完整性验证。通过将完整性验证信息集中存储,可更好地防止这些信息遭到破坏。另外,由于建立了数据分段与完整性验证信息之间的对应关系,因此保证了后续验证过程的准确性。
In another specific example according to the above-mentioned
容易理解,与上述结合图3对根据本发明的实施例的生成数据的完整性验证信息的装置300类似,在根据本发明的实施例的上述方法1300中,公共验证信息获取步骤S1330通过为哈希结构的根哈希值获取时间戳来实现对各数据源在特定时间段 中的数据分段的完整性的保护。然而,根据可替选的实施方式,对数据的完整性保护手段还可以是加密或签名等,或者也可以通过上述的加密、签名、时间戳的任意组合来获取公共验证信息,使得经过保护的数据可具有多种保护属性,以便满足用户的不同需求。
It is easy to understand that, similar to the above-mentioned
根据本发明该实施例的方法1300以及其中各步骤的处理例如可以通过具有上述图3-12等中所示的配置的用于生成完整性验证信息的装置或系统来实现。具体细节可参见对上述各图的描述,在此不再赘述。
The
生成数据的完整性验证信息,是为了在后续的验证处理中根据该完整性验证信息来对该数据的完整性进行验证。为此,根据本发明的实施例,还提供一种对数据的完整性进行验证的装置。图14示出了这种装置1400的结构简图。该装置1400包括公共验证信息验证单元1410和完整性验证单元1420。公共验证信息验证单元1410对多个数据源的相应的数据源在特定时间段内的数据分段所具有的完整性验证信息中包括的公共验证信息进行验证。完整性验证单元1420将根据相应的数据源的数据分段所具有的完整性验证信息以及该数据分段的哈希值计算得到的根哈希值与完整性验证信息中包含的根哈希值进行比较,并且在比较结果以及上述公共验证信息验证单元的验证结果两者都为正面的情况下,确定所述数据分段是完整的。其中,数据分段的完整性验证信息包括公共验证信息、与特定时间段相对应的哈希结构中的、从该数据分段的哈希值代表的最低层的子节点到根结点的路径信息、以及在该路径中包括的与该最低层的子节点相关的节点的哈希值。与特定时间段相对应的哈希结构通过使多个数据源在该特定时间段内各自包括的数据分段的哈希值代表最低层的子节点来生成,并且根哈希值是所述哈希结构的根结点的哈希值。 The purpose of generating the integrity verification information of the data is to verify the integrity of the data according to the integrity verification information in subsequent verification processing. Therefore, according to an embodiment of the present invention, a device for verifying data integrity is also provided. FIG. 14 shows a schematic diagram of the structure of such a device 1400 . The apparatus 1400 includes a public verification information verification unit 1410 and an integrity verification unit 1420 . The common verification information verification unit 1410 verifies the common verification information included in the integrity verification information of the data segments of the corresponding data sources within a specific time period of the plurality of data sources. The integrity verification unit 1420 combines the root hash value calculated according to the integrity verification information of the data segment of the corresponding data source and the hash value of the data segment with the root hash value contained in the integrity verification information A comparison is made, and in a case where both the comparison result and the verification result of the above public verification information verification unit are positive, it is determined that the data segment is complete. Wherein, the integrity verification information of the data segment includes public verification information, the path from the lowest-level child node represented by the hash value of the data segment to the root node in the hash structure corresponding to a specific time period information, and the hash values of the nodes involved in the path that are related to the child nodes of the lowest level. The hash structure corresponding to the specific time period is generated by making the hash values of the data segments included in each of the plurality of data sources within the specific time period represent the child nodes of the lowest layer, and the root hash value is the hash value The hash value of the root node of the Greek structure. the
图15给出了图14中所示的完整性验证装置1400实现验证操作的一个例子的具体操作的流程。通过利用根据本发明上述实施例的方法为每一个数据源,例如摄像设备,在特定的时间 段中的数据分段所生成的完整性验证信息,可以例如通过任何个人验证或可信第三方利用根据本发明的实施例的完整性验证装置1400来验证这些数据分段的完整性以及录制的准确时间段。如图15所示,假设需要对图5中示出的摄像设备C在某特定时间段中的数据分段C2的完整性进行验证。根据该数据分段的完整性验证信息(HD2,HAB2,HE2,Timestamp(HAE2))来进行验证。如上面在针对图5的描述中所指出的,为了叙述简明起见,在该例子中给出的完整性验证信息以及本说明书中其他地方给出的完整性验证信息中没有表示出l,r等表路径信息中各相关节点的左右关系的信息元素,但是这种信息元素实际上是存在于路径信息中的。此外,路径信息中的层次信息例如可通过预先约定的规则,由完整性验证信息中各节点的哈希值的排列顺序等等来表达。在图15所示出的验证过程中,首先验证公共验证信息(即公共时间戳),可以从时间戳内获取TSA在视频录制时加盖时间戳的可信的准确时间。时间戳的验证需要使用TSA所提供的根证书(该根证书例如包括哈希结构的根哈希值以及为该根哈希值分配时间戳信息等),在1510,按照相关标准(例如可参考http://www.faqs.org/rfcs/rfc3161.html获得相关信息),基于公共验证信息Timestamp(HAE2)提取出时间信息和根哈希值,并验证这些数据的完整性。如果该处理中完整性验证不通过,则直接得到验证失败的结果。如果该处理中完整性验证通过,则利用该数据分段的完整性验证信息(HAB2,HD2,HE2,Timestamp(HAE2))来计算得到待验证数据分段的根哈希值。具体而言,提取出完整性验证信息中包括的兄弟节点值及路径信息,按照两两合一逐级计算的方式,恢复出哈希树的根节点值HAE2,。然后,在1520,将从完整性验证信息中提取出的根哈希值HAE2与1520中计算出的根节点值HAE2,进行比较。如果这两个值相同,则表明该数据分段的完整性验证通过,否则验证不通过。 FIG. 15 shows a specific operation flow of an example of the verification operation implemented by the integrity verification apparatus 1400 shown in FIG. 14 . By using the method according to the above-mentioned embodiments of the present invention for each data source, such as a camera device, the integrity verification information generated by the data segment in a specific time period can be used, for example, by any personal verification or trusted third party The integrity verification apparatus 1400 according to the embodiment of the present invention verifies the integrity of these data segments and the accurate time period of recording. As shown in FIG. 15 , it is assumed that the integrity of the data segment C2 of the imaging device C shown in FIG. 5 for a certain period of time needs to be verified. The verification is performed according to the integrity verification information (H D2 , H AB2 , H E2 , Timestamp(H AE2 )) of the data segment. As pointed out above in the description of FIG. 5, for the sake of brevity, l, r, etc. An information element that represents the left-right relationship of each relevant node in the path information, but this information element actually exists in the path information. In addition, the hierarchical information in the path information can be expressed by, for example, a pre-agreed rule, an arrangement order of the hash values of each node in the integrity verification information, and the like. In the verification process shown in FIG. 15 , the public verification information (namely, the public time stamp) is firstly verified, and the credible and accurate time stamped by the TSA during video recording can be obtained from the time stamp. The verification of the time stamp needs to use the root certificate provided by TSA (the root certificate includes, for example, the root hash value of the hash structure and the time stamp information assigned to the root hash value, etc.), at 1510, according to relevant standards (for example, refer to http://www.faqs.org/rfcs/rfc3161.html for relevant information), extract time information and root hash value based on the public verification information Timestamp (H AE2 ), and verify the integrity of these data. If the integrity verification fails in this process, the verification failure result is directly obtained. If the integrity verification is passed in this process, the root hash value of the data segment to be verified is calculated by using the integrity verification information (H AB2 , HD2 , H E2 , Timestamp(H AE2 )) of the data segment. Specifically, the brother node values and path information included in the integrity verification information are extracted, and the root node value H AE2 of the hash tree is recovered in a two-in-one step-by-step calculation manner. Then, at 1520 , compare the root hash value H AE2 extracted from the integrity verification information with the root node value H AE2 calculated at 1520 . If the two values are the same, it indicates that the integrity verification of the data segment is passed, otherwise the verification fails.
在上述处理中,例如,根据完整性验证信息(HAB2,HD2,HE2,Timestamp(HAE2))来计算根结点的哈希值HAE2,也可以与1510中公共时间戳的验证的处理同步进行,而不是在1510的验 证结果为正面的前提下才进行。 In the above processing, for example, the hash value H AE2 of the root node is calculated according to the integrity verification information (H AB2 , HD2 , H E2 , Timestamp(H AE2 )), which can also be combined with the verification of the public timestamp in 1510 The processing is performed synchronously, rather than on the premise that the verification result at 1510 is positive.
在其他可替选的实施方式中,完整性验证单元1420不必在公共验证信息验证单元1410的验证结果为正面的情况下才根据待验证完整性的数据分段的完整性验证信息来计算根哈希值并将其与完整性验证信息中包含的根哈希值进行比较,而是可以与公共验证信息验证单元1410所进行的验证处理并列地或甚至在前地进行根哈希值的计算和比较。最后在比较结果和公共验证信息验证单元1410的验证结果两者都为正面的情况下才确定数据是完整的;换言之,如果两者中任意之一为负面的,则表明数据的完整性遭到破坏。 In other alternative implementations, the integrity verification unit 1420 does not need to calculate the root hash based on the integrity verification information of the data segment whose integrity is to be verified when the verification result of the public verification information verification unit 1410 is positive. hash value and compare it with the root hash value contained in the integrity verification information, but the calculation and calculation of the root hash value may be performed in parallel with or even prior to the verification process performed by the public verification information verification unit 1410. Compare. Finally, when both the comparison result and the verification result of the public verification information verification unit 1410 are positive, it is determined that the data is complete; destroy. the
在如上述图7-8所示的配置中为至少一个数据源在某个特定时间段内再细分的若干个数据子分段生成完整性验证信息的情况下,根据本发明实施例的装置1400的一个具体实例,可以对这种数据子分段的完整性进行验证。 In the case of generating integrity verification information for several sub-segments of data subdivided by at least one data source within a specific period of time in the configuration shown in FIGS. 7-8 above, the device according to an embodiment of the present invention A specific example of 1400 can verify the integrity of such sub-segments of data. the
以图8中示出的配置为例。假设摄像设备A中在某个特定时间段内的数据分段被划分成4个数据子分段A1-A4,通过这些数据子分段的哈希值形成子哈希树。该子哈希树的子根结点的子根哈希值H14作为摄像设备A在该特定时间段的数据分段的哈希值。通过摄像设备A-D在该特定时间段中的数据分段的哈希值来形成哈希树,并且该哈希树的根哈希值为HABCD。通过时间戳代理为该根哈希值获得公共验证信息。由此,可获得摄像设备A中各数据子分段的完整性验证信息,在此可将这种针对数据子分段的完整性验证信息称为次级完整性验证信息,以便与针对摄像设备B-D的特定时间段中的时间分段的完整性验证信息相区别。对于每一个数据子分段而言,这种次级完整性验证信息包括该数据子分段所属的数据分段的完整性验证信息(例如可通过上述结合图5描述的方式来获得)、哈希子结构中的、从与该数据子分段的哈希值所代表的叶子节点到与该哈希子结构的子根结点的路径信息、以及该路径中与该叶子节点相关的节点(即,兄弟节点)的哈希值。例如,假设摄像设备A-D在该特定时间段中数据分段的哈希值分别为HA-HD,且 时间戳代理为根哈希值HABCD获得的公共验证信息是Timestamp(HABCD),则摄像设备A的完整性验证信息为(HB,HCD,Timestamp(HABCD))。例如数据子分段A1的次级完整性验证信息为(H2,H34,HB,HCD,Timestamp(HABCD))。根据本发明实施例的验证数据的完整性的装置1400中的完整性验证单元1420通过如下方式对该数据子分段的次级完整性验证信息进行验证。根据数据子分段A1的次级完整性验证信息以及该数据子分段的哈希值H1来计算子根哈希值。计算方式与参照图15描述的方式类似,即,根据次级完整性验证信息中包括的路径信息以及该路径上相关兄弟节点的哈希值来得到子根哈希值H14。然后,以该子根哈希值作为该数据子分段所属的数据分段的哈希值,根据该哈希值以及该数据分段的完整性验证信息(HB,HCD,Timestamp(HABCD))来计算外部哈希树的根哈希值,并且将计算得到的根哈希值与完整性验证信息中包含的根哈希值进行比较。如果上述比较结果表明两者一致,并且同时公共验证信息验证单元1410的验证结果为正面的,则确定数据子分段A1是完整的。如果上述比较结果和公共验证信息验证单元1410的验证结果任意之一为负面的,则确定数据子分段A1的完整性被破坏。 Take the configuration shown in Figure 8 as an example. Assume that the data segments in the camera device A within a certain period of time are divided into four data sub-segments A1-A4, and the hash values of these data sub-segments form a sub-hash tree. The sub-root hash value H 14 of the sub-root node of the sub-hash tree is used as the hash value of the data segment of the imaging device A in the specific time period. A hash tree is formed by the hash values of the data segments of the imaging device AD in the specific time period, and the root hash value of the hash tree is H ABCD . Obtain public verification information for this root hash through a timestamp proxy. Thus, the integrity verification information of each data sub-segment in the imaging device A can be obtained, and this integrity verification information for the data sub-segment can be referred to as secondary integrity verification information, so as to be consistent with the integrity verification information for the imaging device A The integrity verification information of the time segment in the specific time segment of the BD is distinguished. For each data sub-segment, this secondary integrity verification information includes the integrity verification information of the data segment to which the data sub-segment belongs (for example, it can be obtained in the manner described above in conjunction with FIG. 5 ), hash In the substructure, the path information from the leaf node represented by the hash value of the data subsection to the subroot node of the hash substructure, and the nodes related to the leaf node in the path (that is, sibling node) hash value. For example, assuming that the hash values of the data segments of the camera device AD in the specific time period are respectively H A -H D , and the public verification information obtained by the timestamp agent for the root hash value H ABCD is Timestamp(H ABCD ), Then the integrity verification information of the imaging device A is (H B , H CD , Timestamp(H ABCD )). For example, the secondary integrity verification information of the data sub-segment A1 is (H 2 , H 34 , H B , H CD , Timestamp(H ABCD )). The integrity verification unit 1420 in the apparatus 1400 for verifying data integrity according to the embodiment of the present invention verifies the secondary integrity verification information of the data sub-segment in the following manner. The sub-root hash value is calculated according to the secondary integrity verification information of the data sub-segment A1 and the hash value H1 of the data sub-segment. The calculation method is similar to that described with reference to FIG. 15 , that is, the child root hash value H 14 is obtained according to the path information included in the secondary integrity verification information and the hash values of related sibling nodes on the path. Then, use the sub-root hash value as the hash value of the data segment to which the data sub-segment belongs, and verify the integrity information (H B , H CD , Timestamp(H ABCD )) to calculate the root hash value of the external hash tree, and compare the calculated root hash value with the root hash value contained in the integrity verification information. If the above comparison result shows that the two are consistent, and at the same time, the verification result of the public verification information verification unit 1410 is positive, then it is determined that the data sub-segment A1 is complete. If any one of the above comparison result and the verification result of the public verification information verification unit 1410 is negative, it is determined that the integrity of the data sub-segment A1 is destroyed.
对于图7中示出的在某个摄像设备中形成子哈希链的情形,其对于数据子分段的完整性验证的处理与上述图8中的情形类似,在此不再逐一赘述。 For the situation in which a sub-hash chain is formed in a camera device shown in FIG. 7 , the processing of the integrity verification of the data sub-segment is similar to the above-mentioned situation in FIG. 8 , and will not be repeated here. the
如上述结合图12A-12B的系统配置中,在数据源(例如摄像设备)较多的情况下,可以将摄像设备划分为若干个哈希区域,每一个哈希区域中包含的哈希结构由一个管理摄像设备负责该哈希结构的生成,并由最终由最高级的管理摄像设备来负责生成完整性验证信息。在对每一个数据源(例如摄像设备)在特定的时间段内各自包括的数据分段进行完整性验证时,利用公共验证信息验证单元来验证与该数据分段对应的完整性验证信息中包含的公共验证信息。完整性验证单元将根据该数据分段所具有的完整性验证信息以及该数据分段的哈希值而计算 得到的根哈希值与完整性验证信息中包含的最终的根哈希值进行比较,在这种比较的结果以及公共验证信息验证单元的验证结果两者都为正面的情况下,相应的数据分段是完整的。其中,根据该数据分段的完整性验证信息中包括的与该数据分段的哈希值代表的最低层的子节点相关的路径信息、以及在该路径中包括的相关的兄弟节点的哈希值,来计算要与该数据分段的完整性验证信息中包含的最终的根哈希值进行比较的根哈希值。 As mentioned above in conjunction with the system configuration of Figures 12A-12B, in the case of many data sources (such as camera equipment), the camera equipment can be divided into several hash areas, and the hash structure contained in each hash area is determined by A management camera is responsible for generating the hash structure, and finally the highest management camera is responsible for generating integrity verification information. When performing integrity verification on the data segments included in each data source (such as camera equipment) within a specific time period, the public verification information verification unit is used to verify that the integrity verification information corresponding to the data segment contains public authentication information for . The integrity verification unit compares the root hash value calculated according to the integrity verification information of the data segment and the hash value of the data segment with the final root hash value contained in the integrity verification information , in case that the result of this comparison and the verification result of the public verification information verification unit are both positive, the corresponding data segment is complete. Among them, according to the path information related to the child node of the lowest layer represented by the hash value of the data segment included in the integrity verification information of the data segment, and the hash value of the related sibling nodes included in the path value to calculate the root hash value to be compared with the final root hash value contained in the data segment's integrity verification information. the
如果待进行完整性验证的数据是如图6中示出的封装数据,则装置1400中的公共验证信息验证单元1410和完整性验证信息验证单元1420从相应的封装数据中直接获得待验证的数据分段以及该数据分段的完整性验证信息,以便例如按照图15中示出的过程进行完整性验证。对于将图7-8中的数据子分段按照图6所示的方式来进行封装的情形,装置1400类似地直接获得相应的子分段的完整性验证信息以便进行完整性验证。 If the data to be verified by integrity is packaged data as shown in Figure 6, the public verification information verification unit 1410 and the integrity verification information verification unit 1420 in the device 1400 directly obtain the data to be verified from the corresponding packaged data segment and the integrity verification information of the data segment, so as to perform integrity verification according to the process shown in FIG. 15 , for example. For the case of encapsulating the data sub-segments in FIGS. 7-8 in the manner shown in FIG. 6 , similarly, the apparatus 1400 directly obtains the integrity verification information of the corresponding sub-segments for integrity verification. the
如果数据分段的完整性验证信息不直接设置在相应的数据分段之后而是另行存储,但是构建数据分段与完整性验证信息之间的对应关系。则装置1400中的公共验证信息验证单元1410和完整性验证信息验证单元1420从对应关系中获得相应的数据分段的完整性验证信息,以便按照图15中示出的过程进行完整性验证。对于将图7-8中的数据子分段按照图6所示的方式来进行封装的情形,装置1400类似地通过对应关系获得相应的子分段的完整性验证信息以便进行完整性验证。 If the integrity verification information of the data segment is not directly set behind the corresponding data segment but is stored separately, a corresponding relationship between the data segment and the integrity verification information is constructed. Then the public verification information verification unit 1410 and the integrity verification information verification unit 1420 in the apparatus 1400 obtain the integrity verification information of the corresponding data segment from the corresponding relationship, so as to perform integrity verification according to the process shown in FIG. 15 . For the case of encapsulating the data sub-segments in FIGS. 7-8 in the manner shown in FIG. 6 , the apparatus 1400 similarly obtains the integrity verification information of the corresponding sub-segments through the corresponding relationship for integrity verification. the
如上所述,除了通过为哈希结构的根哈希值获取时间戳来实现对各数据源在特定时间段中的数据分段的完整性的保护以外,根据可替选的实施方式,对数据的完整性保护手段还可以是加密或签名等。在通过加密手段实现数据的完整性保护的情形下,在对数据的完整性进行验证时,根据本发明实施例的装置1400通过使用预定的加密密钥来对加密了的公共验证信息进行解密并且利用公共验证信息中包含的校验信息(例如前述的校验码和验证哈希值等)来实现验证,如果验证通过,还可以恢复出公共验证信息中包含的根哈希值,以供在后续的验证过 程中使用。以此方式,可避免不知道加密密钥的任何一方能对受到加密保护的数据进行任何修改,或者即使修改也可以被验证方发现。在通过数字签名手段实现数据的完整性保护的情形下,用预定的秘密私钥对哈希结构的根哈希值签名后,根据本发明实施例的装置1400通过使用与该预定的秘密私钥对应的公钥证书来对经过签名的根哈希值验证,如果验证通过,则可确定公共验证信息的验证通过,同时还可以恢复公共验证信息中包含的根哈希值,以供在后续的验证过程中使用。以此方式,可以避免篡改者在不知道秘密私钥的情况下对数据进行任何修改,或者即使修改也可以被验证方发现。 As mentioned above, in addition to achieving the protection of the integrity of the data segments of each data source in a specific time period by obtaining a timestamp for the root hash value of the hash structure, according to an alternative embodiment, the data The means of integrity protection can also be encryption or signature. In the case where the integrity protection of data is realized by means of encryption, when verifying the integrity of the data, the device 1400 according to the embodiment of the present invention decrypts the encrypted public verification information by using a predetermined encryption key and The verification information contained in the public verification information (such as the aforementioned verification code and verification hash value, etc.) is used to achieve verification. If the verification is passed, the root hash value contained in the public verification information can also be recovered for future use. It will be used in the subsequent verification process. In this way, it is avoided that any modification to the encrypted data can be made by any party who does not know the encryption key, or even the modification can be discovered by the authenticating party. In the case of implementing data integrity protection by means of digital signatures, after signing the root hash value of the hash structure with a predetermined secret private key, the device 1400 according to the embodiment of the present invention uses the predetermined secret private key to The corresponding public key certificate is used to verify the signed root hash value. If the verification is passed, it can be determined that the verification of the public verification information has passed. At the same time, the root hash value contained in the public verification information can also be restored for subsequent use. used during verification. In this way, any modification of the data by a tamperer without knowledge of the secret private key can be avoided, or even the modification can be discovered by the verifier. the
相应地,根据本发明的实施例还提供了一种对数据的完整性进行验证的方法。图16示出了这种方法1600的流程简图。如图所示,方法1600开始于步骤S1610,包括公共验证信息验证步骤S1620,比较步骤S1630和完整性确定步骤S1640,并在步骤S1650结束。在公共验证信息验证步骤S1620,对多个数据源的相应的数据源在特定时间段内的数据分段所具有的完整性验证信息中包括的公共验证信息进行验证。在比较步骤S1630,将根据相应的数据源的数据分段所具有的完整性验证信息以及该数据分段的哈希值计算得到的根哈希值与完整性验证信息中包含的根哈希值进行比较。在完整性确定步骤S1640,如果比较步骤S1630的比较结果表明所计算的根哈希值与完整性验证信息中包含的根哈希值一致,并且公共验证信息验证步骤S1620的验证结果为正面的,则确定该数据分段是完整的。其中,数据分段的完整性验证信息包括公共验证信息、与特定时间段相对应的哈希结构中的、从该数据分段的哈希值代表的最低层的子节点到根结点的路径信息、以及在该路径中包括的、与该子节点相关的节点的哈希值。与特定时间段相对应的哈希结构通过使多个数据源在特定时间段内各自包括的数据分段的哈希值代表最低层的子节点来生成,并且根哈希值通过该哈希结构来计算。
Correspondingly, an embodiment of the present invention also provides a method for verifying data integrity. FIG. 16 shows a simplified flowchart of such a
在如上述图7-8所示的配置中为至少一个数据源在某个 特定时间段内再细分的若干个数据子分段完整性验证信息的情况下,根据本发明实施例的方法1600的一个具体实例,对这种数据子分段的完整性进行验证。例如可通过上述图14中示出的装置1400来实现这种完整性验证,具体验证方法的处理细节可参见上述参照图7,8,15对装置1400的操作的描述,在此不再逐一赘述。
In the configuration shown in Figures 7-8 above, in the case of the integrity verification information of several data sub-segments subdivided by at least one data source within a certain period of time, the
根据本发明该实施例的方法1600还能够针对在具有图12A-12B中示出的系统配置的情况下得到的完整性验证信息进行验证。具体验证过程例如可参见上面参照图12A-12B对装置1400的操作的描述,在此不再赘述。
The
如果待进行完整性验证的数据是如图6中示出的封装数据,则根据本实施例的方法1600从相应的封装数据中直接获得待验证的数据分段以及该数据分段的完整性验证信息,以便按照图15中示出的过程进行完整性验证。对于将图7-8中的数据子分段按照图6所示的方式来进行封装的情形,方法1600类似地直接获得相应的子分段的次级完整性验证信息以便进行完整性验证。
If the data to be verified for integrity is encapsulated data as shown in FIG. 6, the
如果数据分段的完整性验证信息不直接设置在相应的数据分段之后而是另行存储,但是构建数据分段与完整性验证信息之间的对应关系。则根据本实施例的进行完整性验证的方法1600从对应关系中获得相应的数据分段的完整性验证信息,以便按照图15中示出的过程进行完整性验证。对于将图7-8中的数据子分段按照图6所示的方式来进行封装的情形,方法1600类似地通过对应关系获得相应的子分段的次级完整性验证信息以便进行完整性验证。
If the integrity verification information of the data segment is not directly set behind the corresponding data segment but is stored separately, a corresponding relationship between the data segment and the integrity verification information is constructed. Then, according to the
如上所述,在通过加密手段实现数据的完整性保护的情形下,根据本发明的实施例的方法1600通过利用对哈希结构的根哈希值进行加密的预定的加密密钥以及公共验证信息中包含的校验信息(例如前述的校验码和验证哈希值等)来实现公共验证信息的验证。此外,在通过数字签名手段实现数据的完整性保护的情形下,根据本发明实施例的方法1600通过使用与对数 据进行数字签名时使用的预定的秘密私钥相对应的公钥证书来实现公共验证信息的验证。具体实现细节例如可参加上面针对用于验证数据的完整性的装置1400的描述,在此不再赘述。
As mentioned above, in the case of implementing data integrity protection by means of encryption, the
根据本发明各实施例的生成数据的完整性验证信息的装置、方法以及用于对数据的完整性进行验证的装置和方法,为存在多个摄像设备(数据源的一种示例)的视频监控系统提供了一种高效的完整性保护方案,使得对所有摄像设备的不同视频数据分段,仅需要申请一次时间戳,跟摄像设备的个数无关。从而可以高效地实现对各个摄像设备的特定时间段内的数据分段的单独的完整性保护。此外,也大大节约了网络带宽和时间戳费用。而各个摄像设备所存储的验证信息的长度与摄像设备的个数成对数关系,有效地防止了验证信息的膨胀。在利用加密手段或者数字签名手段来实现对根节点值的完整性进行保护的情况下,同样也可以提供高效、精确的数据完整性保护。此外还可以简化系统配置,降低成本。 The device and method for generating data integrity verification information and the device and method for verifying data integrity according to various embodiments of the present invention are video surveillance systems with multiple camera equipment (an example of a data source) The system provides an efficient integrity protection scheme, so that for different video data segments of all camera devices, only one time stamp needs to be applied, regardless of the number of camera devices. Thus, individual integrity protection of data segments within a specific time period of each camera device can be efficiently implemented. In addition, network bandwidth and time stamp costs are greatly saved. The length of the verification information stored in each camera device is in a logarithmic relationship with the number of the camera devices, which effectively prevents the expansion of the verification information. In the case of using encryption means or digital signature means to protect the integrity of the root node value, efficient and accurate data integrity protection can also be provided. In addition, the system configuration can be simplified and the cost can be reduced. the
假设摄像设备的个数为N,且在某特定时间段产生的数据分段的数目也是N,则所构造高效二叉树的高度为h=ceil(log2N),ceil表示取不小于log2N的最小整数。从每个叶子节点到达根节点的路径长度为h,因而验证信息里存储路径上兄弟节点的个数为路径的长度h,而h与摄像设备的个数成近似对数关系。例如当一个监控系统有1000个摄像设备,构造的哈希树的高度是10,因此每个分段的验证信息需要存储10个哈希值。 Assuming that the number of camera equipment is N, and the number of data segments generated in a certain period of time is also N, then the height of the constructed efficient binary tree is h=ceil(log 2 N), and ceil means that it is not less than log 2 N The smallest integer of . The length of the path from each leaf node to the root node is h, so the number of sibling nodes on the path stored in the verification information is the length h of the path, and h has an approximate logarithmic relationship with the number of camera devices. For example, when a monitoring system has 1000 camera devices, the height of the constructed hash tree is 10, so the verification information of each segment needs to store 10 hash values.
下面通过一个具体的应用例子来说明相关的有益效果。假设一个系统中有100个摄像设备,设监控摄像设备的视频码率为2Mbps,每30秒申请一次时间戳。首先二叉树的高度为7,则每个摄像设备的30秒视频数据需要存储的验证信息为7个哈希值和一个公共时间戳,假设使用SHA256,哈希值的长度为256bits,时间戳的大小假设为3000bits,因此每个30秒分段的验证信息长度为7*256+3000=4792bits=600bytes。而30秒的视频数据长度为2M*30bits=7.5Mbytes,因此验证信息占整 个视频数据的600/7.5M=0.01%。因此因为验证信息的加入而引起的码率膨胀可以忽略。时间戳代理需要构造一棵层数为7的二叉树,需要哈希最多256个哈希值,即需要的计算量是对256*256/8=8Kbytes的数据进行哈希运算。现在的普通计算机或微控制器或嵌入式设备例如摄像设备完全能够胜任此计算量。时间戳代理需要存储空间为256个哈希值和时间戳,约需要存储空间为(256*256+3000)/8=9Kbytes,这样的存储空间对于普通计算机或微控制器或嵌入式设备均不是太高的要求。 A specific application example is used below to illustrate related beneficial effects. Suppose there are 100 camera devices in a system, and the video bit rate of the monitoring camera devices is set to 2Mbps, and a time stamp is applied for every 30 seconds. First, the height of the binary tree is 7, and the verification information that needs to be stored for the 30-second video data of each camera device is 7 hash values and a public timestamp. Assuming that SHA256 is used, the length of the hash value is 256bits, and the size of the timestamp It is assumed to be 3000 bits, so the length of verification information of each 30-second segment is 7*256+3000=4792 bits=600 bytes. And the video data length of 30 seconds is 2M*30bits=7.5Mbytes, so verification information accounts for 600/7.5M=0.01% of the whole video data. Therefore, the code rate expansion caused by the addition of verification information can be ignored. The timestamp proxy needs to construct a binary tree with 7 layers, and needs to hash up to 256 hash values, that is, the amount of calculation required is to perform hash operations on 256*256/8=8Kbytes of data. Today's ordinary computers or microcontrollers or embedded devices such as camera equipment are fully capable of this calculation. The time stamp proxy requires storage space for 256 hash values and time stamps, approximately (256*256+3000)/8=9Kbytes, such storage space is not suitable for ordinary computers, microcontrollers or embedded devices Too much to ask. the
根据本发明的实施例的生成完整性验证信息的装置和方法,以及用于对数据的完整性进行验证的装置和方法所提供的完整保护的安全等级与各个摄像设备分别申请时间戳的方法相同,其安全等级均基于哈希函数的抗第二原象能力。可见,根据本发明的上述解决方案显著提高了完整性保护的效率和精确性。 The device and method for generating integrity verification information according to the embodiment of the present invention, and the device and method for verifying the integrity of data provide the same security level of integrity protection as the method of applying for time stamps for each imaging device , the security level of which is based on the anti-second preimage ability of the hash function. It can be seen that the above solution according to the present invention significantly improves the efficiency and accuracy of integrity protection. the
在此需要说明,篇幅所限,上面列举的各实施例和具体应用示例都是示意性的而非穷举性的,也不是意在要对本发明构成限制。例如,上面各实施例中示出的各种具体的实例和具体实现方式可以分别根据需要进行任意的组合,而不是仅仅限于上面具体实例和实现方式给出的组合模式。此外,在上面对各实施例和具体实例的描述中,与数字有关的表述“1”,“2”,“一”,“二”,“第一”,“第二”等等仅仅是为了区别由这些数字修饰的部件或者元素,而不是为了表明这些部件或者元素之间的顺序或者重要性程度等等。 It should be noted here that, due to space limitations, the embodiments and specific application examples listed above are illustrative rather than exhaustive, and are not intended to limit the present invention. For example, the various specific examples and specific implementations shown in the above embodiments can be combined arbitrarily according to needs, and are not limited to the combination modes given in the above specific examples and implementations. In addition, in the above descriptions of the various embodiments and specific examples, expressions "1", "2", "one", "two", "first", "second" etc. related to numerals are merely The purpose is to distinguish the parts or elements decorated by these numbers, not to indicate the order or importance among these parts or elements. the
此外,上述图3-5,7-8,11,12,14中示出的生成完整性验证信息的装置以及对数据的完整性进行验证的装置或系统中的各个组成单元、子单元以及部件可以通过软件、固件、硬件或其组合的方式进行配置。配置可使用的具体手段或方式为本领域技术人员所熟知,在此不再赘述。在通过软件或固件实现的情况下,可从存储介质或网络向具有专用硬件结构的计算机(例如图17所示的通用计算机1700)安装构成该软件的程序,该计算机在安装有各种程序时,能够执行各种功能等。
In addition, each component unit, subunit and component in the device for generating integrity verification information and the device or system for verifying data integrity shown in Figures 3-5, 7-8, 11, 12, and 14 above It can be configured by means of software, firmware, hardware or a combination thereof. Specific means or manners that can be used for configuration are well known to those skilled in the art, and will not be repeated here. In the case of realization by software or firmware, the program constituting the software can be installed from a storage medium or a network to a computer having a dedicated hardware configuration (for example, a general-
如图17所示,中央处理单元(CPU)1701根据只读存储器 (ROM)1702中存储的程序或从存储部分1708加载到随机存取存储器(RAM)1703的程序执行各种处理。在RAM 1703中,还根据需要存储当CPU 1701执行各种处理等等时所需的数据。CPU 1701、ROM 1702和RAM 1703经由总线1704彼此连接。输入/输出接口1705也连接到总线1704。
As shown in FIG. 17 , a central processing unit (CPU) 1701 executes various processes according to programs stored in a read only memory (ROM) 1702 or loaded from a
下述部件连接到输入/输出接口1705:输入部分1706(包括键盘、鼠标等等)、输出部分1707(包括显示器,比如阴极射线管(CRT)、液晶显示器(LCD)等,和扬声器等)、存储部分1708(包括硬盘等)、通信部分1709(包括网络接口卡比如LAN卡、调制解调器等)。通信部分1709经由网络比如因特网执行通信处理。根据需要,驱动器1710也可连接到输入/输出接口1705。可拆卸介质1711比如磁盘、光盘、磁光盘、半导体存储器等等可以根据需要被安装在驱动器1710上,使得从中读出的计算机程序根据需要被安装到存储部分1708中。
The following components are connected to the input/output interface 1705: an input section 1706 (including a keyboard, a mouse, etc.), an output section 1707 (including a display such as a cathode ray tube (CRT), a liquid crystal display (LCD), etc., and a speaker, etc.), Storage section 1708 (including hard disk, etc.), communication section 1709 (including network interface card such as LAN card, modem, etc.). The
在通过软件实现上述系列处理的情况下,从网络例如因特网或存储介质例如可拆卸介质1711安装构成软件的程序。
In the case of realizing the above-described series of processing by software, the programs constituting the software are installed from a network such as the Internet or a storage medium such as the
本领域的技术人员应当理解,这种存储介质不局限于图17所示的其中存储有程序、与设备相分离地分发以向用户提供程序的可拆卸介质17011。可拆卸介质1711的例子包含磁盘(包含软盘(注册商标))、光盘(包含光盘只读存储器(CD-ROM)和数字通用盘(DVD))、磁光盘(包含迷你盘(MD)(注册商标))和半导体存储器。或者,存储介质可以是ROM 1702、存储部分1708中包含的硬盘等等,其中存有程序,并且与包含它们的设备一起被分发给用户。
Those skilled in the art should understand that such a storage medium is not limited to the removable medium 17011 shown in FIG. 17 in which the program is stored and distributed separately from the device to provide the program to the user. Examples of the
本发明还提出一种存储有机器可读取的指令代码的程序产品。所述指令代码由机器读取并执行时,可执行上述根据本发明实施例的生成数据的完整性验证信息的方法,或者用于对数据的完整性进行验证的方法。 The invention also proposes a program product storing machine-readable instruction codes. When the instruction code is read and executed by a machine, the above-mentioned method for generating data integrity verification information according to the embodiment of the present invention, or the method for verifying data integrity may be executed. the
相应地,用于承载上述存储有机器可读取的指令代码的程序产品的存储介质也包括在本发明的公开中。所述存储介质包括但不限于软盘、光盘、磁光盘、存储卡、存储棒等等。 Correspondingly, a storage medium for carrying the program product storing the above-mentioned machine-readable instruction codes is also included in the disclosure of the present invention. The storage medium includes, but is not limited to, a floppy disk, an optical disk, a magneto-optical disk, a memory card, a memory stick, and the like. the
在上面对本发明具体实施例的描述中,针对一种实施方式 描述和/或示出的特征可以以相同或类似的方式在一个或更多个其它实施方式中使用,与其它实施方式中的特征相组合,或替代其它实施方式中的特征。 In the above description of specific embodiments of the present invention, features described and/or illustrated for one embodiment can be used in one or more other embodiments in the same or similar manner, and features in other embodiments Combination or replacement of features in other embodiments. the
应该强调,术语“包括/包含”在本文使用时指特征、要素、步骤或组件的存在,但并不排除一个或更多个其它特征、要素、步骤或组件的存在或附加。 It should be emphasized that the term "comprising/comprising" when used herein refers to the presence of a feature, element, step or component, but does not exclude the presence or addition of one or more other features, elements, steps or components. the
此外,根据本发明的各实施例的方法和处理不限于按照说明书中描述的时间顺序来执行,也可以按照其他的时间顺序地、并行地或独立地执行。因此,本说明书中描述的各种方法和处理的执行顺序不对本发明的技术范围构成限制。 In addition, the methods and processes according to the various embodiments of the present invention are not limited to being executed in the chronological order described in the specification, and may also be executed in other chronological order, in parallel, or independently. Therefore, the execution order of various methods and processes described in this specification does not limit the technical scope of the present invention. the
尽管上面已经通过对本发明的具体实施例的描述对本发明进行了披露,但是应该理解,上述的所有实施例和示例均是示例性的,而非限制性的。本领域的技术人员可在所附权利要求的精神和范围内设计对本发明的各种修改、改进或者等同物。这些修改、改进或者等同物也应当被认为包括在本发明的保护范围内。 Although the present invention has been disclosed above by describing specific embodiments of the present invention, it should be understood that all the above-mentioned embodiments and examples are illustrative rather than restrictive. Those skilled in the art can devise various modifications, improvements or equivalents to the present invention within the spirit and scope of the appended claims. These modifications, improvements or equivalents should also be considered to be included in the protection scope of the present invention. the
Claims (33)
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN2010102953121A CN102413313A (en) | 2010-09-26 | 2010-09-26 | Data integrity authentication information generation method and device as well as data integrity authentication method and device |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN2010102953121A CN102413313A (en) | 2010-09-26 | 2010-09-26 | Data integrity authentication information generation method and device as well as data integrity authentication method and device |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN102413313A true CN102413313A (en) | 2012-04-11 |
Family
ID=45915124
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN2010102953121A Pending CN102413313A (en) | 2010-09-26 | 2010-09-26 | Data integrity authentication information generation method and device as well as data integrity authentication method and device |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN102413313A (en) |
Cited By (39)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN102664893A (en) * | 2012-04-23 | 2012-09-12 | 重庆理工大学 | Adaptive retransmission and signature segmented embedding data transmission method |
| CN104429091A (en) * | 2012-09-26 | 2015-03-18 | 尼尔森(美国)有限公司 | Methods and apparatus for identifying media |
| CN104486614A (en) * | 2014-12-10 | 2015-04-01 | 央视国际网络无锡有限公司 | MP4 (Mobile Pentium 4) video format corruption detection method |
| CN104579556A (en) * | 2014-12-05 | 2015-04-29 | 苏州沃斯麦机电科技有限公司 | Inter-multiple-node data integral transmission system |
| CN104579557A (en) * | 2014-12-05 | 2015-04-29 | 苏州沃斯麦机电科技有限公司 | Data integrity transmission method among multiple nodes |
| CN104579558A (en) * | 2014-12-05 | 2015-04-29 | 苏州沃斯麦机电科技有限公司 | Method for detecting integrity in data transmission process |
| CN103067363B (en) * | 2012-12-20 | 2015-06-17 | 华中科技大学 | Index conversion method for public data integrity checking |
| CN104735160A (en) * | 2015-04-08 | 2015-06-24 | 鹰潭嘉坤云计算科技有限公司 | Method and system for monitoring fire water supply information |
| CN105187218A (en) * | 2015-09-30 | 2015-12-23 | 谈建 | Digital record signature method for multicore infrastructure and verification method |
| CN105227680A (en) * | 2015-10-26 | 2016-01-06 | 广东佳学信息科技有限公司 | A kind of smart machine file download Validity control method |
| CN105608530A (en) * | 2015-12-18 | 2016-05-25 | 北京四方继保自动化股份有限公司 | Operation, distribution and dispatching data integrity verification method for power distribution network |
| CN106230880A (en) * | 2016-07-12 | 2016-12-14 | 何晓行 | A kind of storage method of data and application server |
| WO2017008658A1 (en) * | 2015-07-14 | 2017-01-19 | 阿里巴巴集团控股有限公司 | Storage checking method and system for text data |
| CN106454385A (en) * | 2015-08-04 | 2017-02-22 | 中国科学院深圳先进技术研究院 | Video frame tampering detection method |
| CN106686333A (en) * | 2016-11-02 | 2017-05-17 | 四川秘无痕信息安全技术有限责任公司 | Method for producing video added watermarks for Android equipment |
| CN107452207A (en) * | 2016-06-01 | 2017-12-08 | 高德软件有限公司 | Floating car data source evaluation method, apparatus and system |
| CN107480535A (en) * | 2017-08-18 | 2017-12-15 | 郑州云海信息技术有限公司 | The reliable hardware layer design method and device of a kind of two-way server |
| CN107612988A (en) * | 2017-09-12 | 2018-01-19 | 北京泛融科技有限公司 | A kind of account book synchronization system and method based on Internet of Things |
| CN107707395A (en) * | 2017-09-28 | 2018-02-16 | 浙江大华技术股份有限公司 | A kind of data transmission method, device and system |
| CN108337479A (en) * | 2018-02-05 | 2018-07-27 | 深圳华博高科光电技术有限公司 | Video monitoring system and video frequency monitoring method |
| CN108809467A (en) * | 2018-05-22 | 2018-11-13 | 深圳华博高科光电技术有限公司 | Monitor the method, apparatus and computer readable storage medium of picture certification |
| CN109154971A (en) * | 2016-03-30 | 2019-01-04 | 艾升集团有限公司 | The verifying of the integrality of data |
| CN109194483A (en) * | 2018-08-10 | 2019-01-11 | 北京首汽智行科技有限公司 | Data verification method based on block chain |
| US10303887B2 (en) | 2015-09-14 | 2019-05-28 | T0.Com, Inc. | Data verification methods and systems using a hash tree, such as a time-centric merkle hash tree |
| CN111373388A (en) * | 2017-12-28 | 2020-07-03 | 卓普网盘股份有限公司 | Efficiently propagating differentiated values |
| CN111565331A (en) * | 2020-04-10 | 2020-08-21 | 苏州鑫竹智能建筑科技有限公司 | Optimization method for wireless transmission of video image data |
| CN112131609A (en) * | 2020-08-27 | 2020-12-25 | 国网湖北省电力有限公司电力科学研究院 | Merkle tree-based power quality data exchange format file integrity verification method and system |
| US10937083B2 (en) | 2017-07-03 | 2021-03-02 | Medici Ventures, Inc. | Decentralized trading system for fair ordering and matching of trades received at multiple network nodes and matched by multiple network nodes within decentralized trading system |
| CN112559547A (en) * | 2020-12-24 | 2021-03-26 | 北京百度网讯科技有限公司 | Method and device for determining consistency among multiple storage object copies |
| KR20210047666A (en) * | 2019-10-22 | 2021-04-30 | 한국전자기술연구원 | Device for generating Hash chain and Method for generating Hash chain to have integrity based on continuous data |
| WO2021114918A1 (en) * | 2019-12-13 | 2021-06-17 | 华为技术有限公司 | Integrity checking method and apparatus, terminal device and verification server |
| CN113190863A (en) * | 2019-03-29 | 2021-07-30 | 神讯电脑(昆山)有限公司 | Verification code generation method, data verification method and electronic device |
| US20210272108A1 (en) * | 2020-07-22 | 2021-09-02 | Baidu Online Network Technology (Beijing ) Co., Ltd. | Method and apparatus of processing deposit, and storage medium |
| CN113536956A (en) * | 2021-06-23 | 2021-10-22 | 华南理工大学 | A method for detecting tampering of multimedia data |
| CN113632418A (en) * | 2019-04-03 | 2021-11-09 | 特里布泰克解决方案有限公司 | Device and method for integrity checking of sensor data streams |
| WO2021243594A1 (en) * | 2020-06-03 | 2021-12-09 | 铨鸿资讯有限公司 | Collective verification-based method for verifying partial data |
| CN114169014A (en) * | 2021-12-13 | 2022-03-11 | 中国人民解放军战略支援部队信息工程大学 | Integrity checking method and related device |
| US12149634B2 (en) | 2021-12-28 | 2024-11-19 | Axis Ab | Methods and devices for compressing signed media data |
| CN119691791A (en) * | 2024-11-18 | 2025-03-25 | 珠海正北科技开发有限公司 | Data verification method, device, storage medium and electronic device |
Citations (6)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN1741010A (en) * | 2004-08-24 | 2006-03-01 | 侯方勇 | Method and apparatus for optimizing test of Hasche tree integrity |
| CN1841255A (en) * | 2005-03-30 | 2006-10-04 | 侯方勇 | Method and apparatus for protecting confidentiality and integrity of data storage |
| JP2006313964A (en) * | 2005-05-06 | 2006-11-16 | Ricoh Co Ltd | Data processing apparatus, data processing system, image forming apparatus, and image processing system |
| CN101278298A (en) * | 2005-10-05 | 2008-10-01 | 国际商业机器公司 | Systems and methods for performing trust-preserving migration of data objects from source to target |
| US20100088522A1 (en) * | 2008-10-02 | 2010-04-08 | John Barrus | Method and Apparatus for Tamper Proof Camera Logs |
| CN101741845A (en) * | 2009-12-08 | 2010-06-16 | 中国科学院声学研究所 | A Fragment-Based Content Authentication Method |
-
2010
- 2010-09-26 CN CN2010102953121A patent/CN102413313A/en active Pending
Patent Citations (6)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN1741010A (en) * | 2004-08-24 | 2006-03-01 | 侯方勇 | Method and apparatus for optimizing test of Hasche tree integrity |
| CN1841255A (en) * | 2005-03-30 | 2006-10-04 | 侯方勇 | Method and apparatus for protecting confidentiality and integrity of data storage |
| JP2006313964A (en) * | 2005-05-06 | 2006-11-16 | Ricoh Co Ltd | Data processing apparatus, data processing system, image forming apparatus, and image processing system |
| CN101278298A (en) * | 2005-10-05 | 2008-10-01 | 国际商业机器公司 | Systems and methods for performing trust-preserving migration of data objects from source to target |
| US20100088522A1 (en) * | 2008-10-02 | 2010-04-08 | John Barrus | Method and Apparatus for Tamper Proof Camera Logs |
| CN101741845A (en) * | 2009-12-08 | 2010-06-16 | 中国科学院声学研究所 | A Fragment-Based Content Authentication Method |
Cited By (64)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN102664893A (en) * | 2012-04-23 | 2012-09-12 | 重庆理工大学 | Adaptive retransmission and signature segmented embedding data transmission method |
| CN104429091A (en) * | 2012-09-26 | 2015-03-18 | 尼尔森(美国)有限公司 | Methods and apparatus for identifying media |
| CN104429091B (en) * | 2012-09-26 | 2018-02-02 | 尼尔森(美国)有限公司 | Method and apparatus for identifying media |
| CN103067363B (en) * | 2012-12-20 | 2015-06-17 | 华中科技大学 | Index conversion method for public data integrity checking |
| CN104579558A (en) * | 2014-12-05 | 2015-04-29 | 苏州沃斯麦机电科技有限公司 | Method for detecting integrity in data transmission process |
| CN104579556A (en) * | 2014-12-05 | 2015-04-29 | 苏州沃斯麦机电科技有限公司 | Inter-multiple-node data integral transmission system |
| CN104579557A (en) * | 2014-12-05 | 2015-04-29 | 苏州沃斯麦机电科技有限公司 | Data integrity transmission method among multiple nodes |
| CN104486614A (en) * | 2014-12-10 | 2015-04-01 | 央视国际网络无锡有限公司 | MP4 (Mobile Pentium 4) video format corruption detection method |
| CN104735160A (en) * | 2015-04-08 | 2015-06-24 | 鹰潭嘉坤云计算科技有限公司 | Method and system for monitoring fire water supply information |
| WO2017008658A1 (en) * | 2015-07-14 | 2017-01-19 | 阿里巴巴集团控股有限公司 | Storage checking method and system for text data |
| CN106454385A (en) * | 2015-08-04 | 2017-02-22 | 中国科学院深圳先进技术研究院 | Video frame tampering detection method |
| CN106454385B (en) * | 2015-08-04 | 2019-06-25 | 中国科学院深圳先进技术研究院 | Video frame altering detecting method |
| US10303887B2 (en) | 2015-09-14 | 2019-05-28 | T0.Com, Inc. | Data verification methods and systems using a hash tree, such as a time-centric merkle hash tree |
| US10831902B2 (en) | 2015-09-14 | 2020-11-10 | tZERO Group, Inc. | Data verification methods and systems using a hash tree, such as a time-centric Merkle hash tree |
| CN105187218A (en) * | 2015-09-30 | 2015-12-23 | 谈建 | Digital record signature method for multicore infrastructure and verification method |
| CN105187218B (en) * | 2015-09-30 | 2018-11-23 | 谈建 | A kind of digitized record signature, the verification method of multi-core infrastructure |
| CN105227680A (en) * | 2015-10-26 | 2016-01-06 | 广东佳学信息科技有限公司 | A kind of smart machine file download Validity control method |
| CN105608530B (en) * | 2015-12-18 | 2020-01-14 | 北京四方继保自动化股份有限公司 | Power distribution network operation, distribution and dispatching data integrity checking method |
| CN105608530A (en) * | 2015-12-18 | 2016-05-25 | 北京四方继保自动化股份有限公司 | Operation, distribution and dispatching data integrity verification method for power distribution network |
| US11658831B2 (en) | 2016-03-30 | 2023-05-23 | The Ascent Group Ltd | Validation of the integrity of data |
| CN109154971B (en) * | 2016-03-30 | 2022-12-06 | 艾升集团有限公司 | Verification of Data Integrity |
| CN109154971A (en) * | 2016-03-30 | 2019-01-04 | 艾升集团有限公司 | The verifying of the integrality of data |
| CN107452207A (en) * | 2016-06-01 | 2017-12-08 | 高德软件有限公司 | Floating car data source evaluation method, apparatus and system |
| CN106230880A (en) * | 2016-07-12 | 2016-12-14 | 何晓行 | A kind of storage method of data and application server |
| CN106686333A (en) * | 2016-11-02 | 2017-05-17 | 四川秘无痕信息安全技术有限责任公司 | Method for producing video added watermarks for Android equipment |
| US11948182B2 (en) | 2017-07-03 | 2024-04-02 | Tzero Ip, Llc | Decentralized trading system for fair ordering and matching of trades received at multiple network nodes and matched by multiple network nodes within decentralized trading system |
| US10937083B2 (en) | 2017-07-03 | 2021-03-02 | Medici Ventures, Inc. | Decentralized trading system for fair ordering and matching of trades received at multiple network nodes and matched by multiple network nodes within decentralized trading system |
| CN107480535A (en) * | 2017-08-18 | 2017-12-15 | 郑州云海信息技术有限公司 | The reliable hardware layer design method and device of a kind of two-way server |
| CN107612988B (en) * | 2017-09-12 | 2024-02-02 | 北京泛融科技有限公司 | Account book synchronization system and method based on Internet of things |
| CN107612988A (en) * | 2017-09-12 | 2018-01-19 | 北京泛融科技有限公司 | A kind of account book synchronization system and method based on Internet of Things |
| CN107707395A (en) * | 2017-09-28 | 2018-02-16 | 浙江大华技术股份有限公司 | A kind of data transmission method, device and system |
| US11704336B2 (en) | 2017-12-28 | 2023-07-18 | Dropbox, Inc. | Efficient filename storage and retrieval |
| CN111373388B (en) * | 2017-12-28 | 2024-03-15 | 卓普网盘股份有限公司 | Methods and devices for effectively communicating differentiated values |
| US12169505B2 (en) | 2017-12-28 | 2024-12-17 | Dropbox, Inc. | Updating a local tree for a client synchronization service |
| US12135733B2 (en) | 2017-12-28 | 2024-11-05 | Dropbox, Inc. | File journal interface for synchronizing content |
| US12061623B2 (en) | 2017-12-28 | 2024-08-13 | Dropbox, Inc. | Selective synchronization of content items in a content management system |
| CN111373388A (en) * | 2017-12-28 | 2020-07-03 | 卓普网盘股份有限公司 | Efficiently propagating differentiated values |
| US11669544B2 (en) | 2017-12-28 | 2023-06-06 | Dropbox, Inc. | Allocation and reassignment of unique identifiers for synchronization of content items |
| US11657067B2 (en) | 2017-12-28 | 2023-05-23 | Dropbox Inc. | Updating a remote tree for a client synchronization service |
| US11836151B2 (en) | 2017-12-28 | 2023-12-05 | Dropbox, Inc. | Synchronizing symbolic links |
| CN108337479A (en) * | 2018-02-05 | 2018-07-27 | 深圳华博高科光电技术有限公司 | Video monitoring system and video frequency monitoring method |
| CN108809467A (en) * | 2018-05-22 | 2018-11-13 | 深圳华博高科光电技术有限公司 | Monitor the method, apparatus and computer readable storage medium of picture certification |
| CN109194483A (en) * | 2018-08-10 | 2019-01-11 | 北京首汽智行科技有限公司 | Data verification method based on block chain |
| CN113190863B (en) * | 2019-03-29 | 2024-01-30 | 神讯电脑(昆山)有限公司 | Verification code generation method, data verification method and electronic device |
| CN113190863A (en) * | 2019-03-29 | 2021-07-30 | 神讯电脑(昆山)有限公司 | Verification code generation method, data verification method and electronic device |
| CN113632418A (en) * | 2019-04-03 | 2021-11-09 | 特里布泰克解决方案有限公司 | Device and method for integrity checking of sensor data streams |
| CN113632418B (en) * | 2019-04-03 | 2025-07-04 | 特里布泰克解决方案有限公司 | Apparatus and method for integrity checking of sensor data stream |
| KR102408728B1 (en) * | 2019-10-22 | 2022-06-14 | 한국전자기술연구원 | Device for generating Hash chain and Method for generating Hash chain to have integrity based on continuous data |
| KR20210047666A (en) * | 2019-10-22 | 2021-04-30 | 한국전자기술연구원 | Device for generating Hash chain and Method for generating Hash chain to have integrity based on continuous data |
| CN112989430B (en) * | 2019-12-13 | 2025-04-04 | 华为技术有限公司 | Integrity verification method, device, terminal equipment and verification server |
| WO2021114918A1 (en) * | 2019-12-13 | 2021-06-17 | 华为技术有限公司 | Integrity checking method and apparatus, terminal device and verification server |
| CN112989430A (en) * | 2019-12-13 | 2021-06-18 | 华为技术有限公司 | Integrity verification method and device, terminal equipment and verification server |
| CN111565331A (en) * | 2020-04-10 | 2020-08-21 | 苏州鑫竹智能建筑科技有限公司 | Optimization method for wireless transmission of video image data |
| WO2021243594A1 (en) * | 2020-06-03 | 2021-12-09 | 铨鸿资讯有限公司 | Collective verification-based method for verifying partial data |
| US20210272108A1 (en) * | 2020-07-22 | 2021-09-02 | Baidu Online Network Technology (Beijing ) Co., Ltd. | Method and apparatus of processing deposit, and storage medium |
| CN112131609A (en) * | 2020-08-27 | 2020-12-25 | 国网湖北省电力有限公司电力科学研究院 | Merkle tree-based power quality data exchange format file integrity verification method and system |
| CN112559547B (en) * | 2020-12-24 | 2023-09-19 | 北京百度网讯科技有限公司 | Method and device for determining consistency among multiple storage object copies |
| CN112559547A (en) * | 2020-12-24 | 2021-03-26 | 北京百度网讯科技有限公司 | Method and device for determining consistency among multiple storage object copies |
| CN113536956A (en) * | 2021-06-23 | 2021-10-22 | 华南理工大学 | A method for detecting tampering of multimedia data |
| CN113536956B (en) * | 2021-06-23 | 2023-06-27 | 华南理工大学 | Method for detecting multimedia data tampering |
| CN114169014B (en) * | 2021-12-13 | 2024-09-17 | 中国人民解放军战略支援部队信息工程大学 | Integrity checking method and related device |
| CN114169014A (en) * | 2021-12-13 | 2022-03-11 | 中国人民解放军战略支援部队信息工程大学 | Integrity checking method and related device |
| US12149634B2 (en) | 2021-12-28 | 2024-11-19 | Axis Ab | Methods and devices for compressing signed media data |
| CN119691791A (en) * | 2024-11-18 | 2025-03-25 | 珠海正北科技开发有限公司 | Data verification method, device, storage medium and electronic device |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN102413313A (en) | Data integrity authentication information generation method and device as well as data integrity authentication method and device | |
| CN111130757B (en) | Multi-cloud CP-ABE access control method based on block chain | |
| CN108322306B (en) | A privacy protection-oriented cloud platform trusted log audit method based on a trusted third party | |
| CN110300112B (en) | Block chain key hierarchical management method | |
| CN107196934B (en) | A blockchain-based cloud data management method | |
| CN108664770B (en) | High-reliability existence proving method based on block chain technology | |
| CN103414690B (en) | One can openly be verified the high in the clouds data property held method of calibration | |
| CN115811412B (en) | Communication method and device, SIM card, electronic equipment and terminal equipment | |
| Muthurajkumar et al. | Secured temporal log management techniques for cloud | |
| WO2012071728A1 (en) | Data encryption method, apparatus and system for cloud storage | |
| CN114372296A (en) | Block chain-based user behavior data auditing method and system | |
| CN110278462A (en) | A kind of mobile film projection authorization management method based on block chain | |
| CN112906056A (en) | Cloud storage key security management method based on block chain | |
| WO2024088082A1 (en) | Method and device for auditing data integrity, and storage medium | |
| CN110866265A (en) | Data storage method, device and storage medium based on block chain | |
| CN117454442A (en) | Anonymous, secure and traceable distributed digital forensics methods and systems | |
| CN118690396A (en) | A data storage method and system based on blockchain | |
| CN120415825A (en) | Electronic data evidence verification method and system based on layered hashing and smart contracts | |
| CN116170801B (en) | A 5G message-based application method for depositing and solidifying certificates | |
| CN113938496B (en) | Block chain network method and system based on Internet of things equipment | |
| CN115834035A (en) | Multimedia data storage method, computer equipment and storage device | |
| CN113591103A (en) | Identity authentication method and system between intelligent terminals of power internet of things | |
| Armknecht et al. | Sharing proofs of retrievability across tenants | |
| Ren et al. | Analysis of delegable and proxy provable data possession for cloud storage | |
| Ren et al. | Security analysis of delegable and proxy provable data possession in public cloud storage |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| C06 | Publication | ||
| PB01 | Publication | ||
| C10 | Entry into substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| C02 | Deemed withdrawal of patent application after publication (patent law 2001) | ||
| WD01 | Invention patent application deemed withdrawn after publication |
Application publication date: 20120411 |