[go: up one dir, main page]

CN105516117A - A method for safe storage of electric power data based on cloud computing - Google Patents

A method for safe storage of electric power data based on cloud computing Download PDF

Info

Publication number
CN105516117A
CN105516117A CN201510874603.9A CN201510874603A CN105516117A CN 105516117 A CN105516117 A CN 105516117A CN 201510874603 A CN201510874603 A CN 201510874603A CN 105516117 A CN105516117 A CN 105516117A
Authority
CN
China
Prior art keywords
data
user
key
storage
storage space
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201510874603.9A
Other languages
Chinese (zh)
Inventor
关泽武
蒋屹新
郭晓斌
许爱东
陈华军
蒙家晓
陈富汉
陈立明
黄建理
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
China South Power Grid International Co ltd
Power Grid Technology Research Center of China Southern Power Grid Co Ltd
Original Assignee
China South Power Grid International Co ltd
Power Grid Technology Research Center of China Southern Power Grid Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by China South Power Grid International Co ltd, Power Grid Technology Research Center of China Southern Power Grid Co Ltd filed Critical China South Power Grid International Co ltd
Priority to CN201510874603.9A priority Critical patent/CN105516117A/en
Publication of CN105516117A publication Critical patent/CN105516117A/en
Pending legal-status Critical Current

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/083Network architectures or network communication protocols for network security for authentication of entities using passwords
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/04Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00Network arrangements or protocols for supporting network services or applications
    • H04L67/01Protocols
    • H04L67/10Protocols in which an application is distributed across nodes in the network
    • H04L67/1097Protocols in which an application is distributed across nodes in the network for distributed storage of data in networks, e.g. transport arrangements for network file system [NFS], storage area networks [SAN] or network attached storage [NAS]

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Storage Device Security (AREA)

Abstract

The invention discloses a cloud computing-based electric power data safe storage method, which comprises the following steps: (1) a user applies for a cloud storage space through a service interface, accesses the cloud storage space into a cloud computing architecture to access data, and simultaneously selects whether the data needs to be encrypted; (2) distributing a cloud storage space to a user, if data needs to be encrypted, distributing a key according to an algorithm, and storing a mapping relation between the storage space and the key; (3) after the cloud storage space is distributed, informing a user to start the cloud storage resources; (4) the user accesses the cloud storage according to the applied service mode, and encrypted ciphertext data are landed in the storage system through encryption processing when the user writes data; (5) and when a legal user allowed by the service reads the cloud storage space data, the encrypted data block is decrypted and restored to be a plaintext and returned to the user interface.

Description

一种基于云计算的电力数据安全存储方法A method for safe storage of electric power data based on cloud computing

技术领域technical field

本发明涉及电力系统的数据处理,更具体地说,涉及一种基于云计算的电力数据安全存储方法。The invention relates to data processing of a power system, and more specifically, to a method for safely storing power data based on cloud computing.

背景技术Background technique

云计算是一种大规模分布式计算模式,继承了现有分布式安全问题和技术。然而,由于云计算应用模式具有的虚拟化环境、数据高度聚合与流动性、数据控制存储与使用分离等特点,使得电力云计算环境下数据安全产生了大量新的问题,对现有信息安全技术和管理模式提出挑战。Cloud computing is a large-scale distributed computing model that inherits existing distributed security issues and technologies. However, due to the characteristics of virtualized environment, high data aggregation and mobility, and separation of data control storage and use in the cloud computing application mode, a large number of new problems have arisen in data security in the power cloud computing environment. and management challenges.

电网无论是基础架构的共享还是资源和服务的交互使用,都符合云的本质和内涵,电力云计算的建设要最大限度的对电力资源进行统筹规划和配置,努力提高资源利用效率,力争使企业运维成本最小。Whether it is the sharing of infrastructure or the interactive use of resources and services in the power grid, it is in line with the essence and connotation of the cloud. The construction of power cloud computing should maximize the overall planning and allocation of power resources, strive to improve resource utilization efficiency, and strive to make enterprises The operation and maintenance cost is minimal.

在基于电力云计算的存储平台上,用户从各个业务系统通过特定的应用程序或者现有的存储服务接口层(比如samba)接入到云计算架构中访问数据。存储服务接口层提供多接口支持,同时处理接入服务的负载均衡逻辑,接口层之后,系统又可以大致划分为四块逻辑结构:(1)系统配置管理模块,提供友好的管理交互入口,控制管理整体系统的行为;(2)存储数据加解密模块,负责处理存储平台上数据内容的安全性;(3)存储池管理模块,管理整体集群节点的运作(节点状态,存储空间,集群状态,用户配额等);(4)系统监控管理模块,负责监控审计平台整体的业务状态和行为。在这种存储环境下,数据传输运行在自建网络上,传输路径不再是安全威胁,反而数据的存储,共享的安全性要求更高,On the storage platform based on power cloud computing, users access data from various business systems to the cloud computing architecture through specific application programs or existing storage service interface layers (such as samba). The storage service interface layer provides multi-interface support and handles the load balancing logic of the access service at the same time. After the interface layer, the system can be roughly divided into four logical structures: (1) The system configuration management module provides a friendly management interaction entry, controls Manage the behavior of the overall system; (2) storage data encryption and decryption module, responsible for processing the security of data content on the storage platform; (3) storage pool management module, manage the operation of the overall cluster nodes (node status, storage space, cluster status, (4) The system monitoring and management module is responsible for monitoring the overall business status and behavior of the audit platform. In this storage environment, data transmission runs on a self-built network, and the transmission path is no longer a security threat. Instead, data storage and sharing have higher security requirements.

发明内容Contents of the invention

本发明的目的在于:提供基于云计算的电力数据安全存储方法,在云计算环境下从架构上将数据安全和控制策略分离,从而保障数据的安全。The purpose of the present invention is to provide a secure storage method for electric power data based on cloud computing, which separates data security and control strategies from the architecture in the cloud computing environment, thereby ensuring data security.

为了实现上述目的,本发明提供了基于云计算的电力数据安全存储方法,它包括如下步骤:(1)用户通过服务接口申请云存储空间并接入到云计算架构中访问数据,同时选择数据是否需要加密;(2)向用户分配云存储空间,若数据需要加密,则按照算法分配密钥,并存放该存储空间和密钥的映射关系;(3)云存储空间分配完成以后,通知用户启用云存储资源;(4)用户按照申请的业务方式接入云存储,在用户写入数据时,将通过加密处理把加密后的密文数据落地在存储系统中;(5)业务允许的合法用户读取所述云存储空间数据时,加密的数据块被解密还原成明文返回给用户接口。In order to achieve the above object, the present invention provides a method for safely storing power data based on cloud computing, which includes the following steps: (1) The user applies for cloud storage space through the service interface and accesses the data in the cloud computing architecture, and at the same time selects whether the data Encryption is required; (2) Allocate cloud storage space to users. If the data needs to be encrypted, the key is allocated according to the algorithm, and the mapping relationship between the storage space and the key is stored; (3) After the cloud storage space is allocated, the user is notified to enable Cloud storage resources; (4) The user accesses the cloud storage according to the business method applied for. When the user writes data, the encrypted ciphertext data will be landed in the storage system through encryption processing; (5) Legal users allowed by the business When reading the data in the cloud storage space, the encrypted data block is decrypted and restored to plain text and returned to the user interface.

作为本发明的一种改进,步骤(4)中的加密和步骤(5)中的解密是基于存储空间和内容做的安全加解密,并在数据的写入读出时完成,同时将安全与服务接口做解耦。As an improvement of the present invention, the encryption in step (4) and the decryption in step (5) are based on the security encryption and decryption of storage space and content, and are completed when the data is written and read. The service interface is decoupled.

作为本发明的一种改进,在步骤(1)中,还包括:(101)每个服务接口都通过自身的访问控制机制控制用户的接入,为每个用户分配访问空间,并作读写权限控制;(102)用户通过服务接口访问对应路径时,如果是合法用户,则会通过安全云储存的文件系统接口访问到正确的内容;如果是非法用户,则在访问控制层认证失败,则该用户浏览的云存储路径下是加密内容,无法获得真正的业务数据。As an improvement of the present invention, in step (1), it also includes: (101) each service interface controls the user's access through its own access control mechanism, allocates access space for each user, and reads and writes Authority control; (102) When the user accesses the corresponding path through the service interface, if it is a legal user, it will access the correct content through the file system interface of the secure cloud storage; if it is an illegal user, the authentication fails at the access control layer, then The cloud storage path browsed by the user contains encrypted content, and real business data cannot be obtained.

作为本发明的一种改进,在步骤(2)中,还包括密钥的管理步骤:(201)提供密钥管理入口,支持密钥的产生和修改;(202)当密钥生成或者修改时,执行备份操作,将密钥加密备份在安全区域,和数据存储分离;(203)通过安全通道定期同步存储空间对应的密钥,完成密钥分发;(204)当用户写入数据时,加密模块通过对应的路径密钥将数据加密处理后写入存储介质;(205)当用户读取数据时,解密模块通过对应路径将数据解密处理后,返回给用户。As a kind of improvement of the present invention, in step (2), also comprise the management step of key: (201) provide key management entry, support the generation and modification of key; (202) when key generation or modification , perform a backup operation, encrypt and back up the key in a secure area, and separate it from the data storage; (203) regularly synchronize the key corresponding to the storage space through a secure channel, and complete the key distribution; (204) when the user writes data, encrypt The module encrypts the data through the corresponding path key and writes it to the storage medium; (205) when the user reads the data, the decryption module decrypts the data through the corresponding path and returns it to the user.

作为本发明的一种改进,还包括:将存储路径的初始拥有者设定为密钥拥有者,密钥拥有者具备对密钥的管理权限;其他对存储空间路径的共享者,仅能使用密钥做加解密数据。As an improvement of the present invention, it also includes: setting the initial owner of the storage path as the key owner, and the key owner has management authority over the key; other sharers of the storage path can only use The key is used to encrypt and decrypt data.

作为本发明的一种改进,所述服务接口为samba业务数据访问接口,一数据安全加解密模块将samba业务数据访问接口传输的数据做加解密后写入存储或者解密后返回给应用层。As an improvement of the present invention, the service interface is a samba service data access interface, and a data security encryption and decryption module encrypts and decrypts the data transmitted by the samba service data access interface and writes it into storage or returns it to the application layer after decryption.

与现有技术相比,本发明能够在电力云计算的存储平台上从架构上将数据安全和控制策略分离,从而保障数据的安全。Compared with the prior art, the present invention can separate data security and control strategy from the architecture on the storage platform of electric power cloud computing, thereby ensuring the security of data.

附图说明Description of drawings

下面结合附图和具体实施方式,对本发明的结构及其有益技术效果进行详细说明。The structure and beneficial technical effects of the present invention will be described in detail below in conjunction with the accompanying drawings and specific embodiments.

图1为本发明基于访问接口的安全策略示意图。FIG. 1 is a schematic diagram of a security policy based on an access interface in the present invention.

图2为本发明基于云存储密钥管理体系结构图。FIG. 2 is a structural diagram of the present invention based on cloud storage key management architecture.

图3为本发明的云存储密钥与存储空间关系图。FIG. 3 is a diagram of the relationship between cloud storage keys and storage space in the present invention.

图4为本发明基于samba的VFS安全加解密流程图。Fig. 4 is the flow chart of VFS security encryption and decryption based on samba in the present invention.

具体实施方式detailed description

为了使本发明的发明目的、技术方案及其有益技术效果更加清晰,以下结合附图和具体实施方式,对本发明进行进一步详细说明。应当理解的是,本说明书中描述的具体实施方式仅仅是为了解释本发明,并非为了限定本发明。In order to make the purpose of the invention, technical solution and beneficial technical effects of the present invention clearer, the present invention will be further described in detail below in conjunction with the accompanying drawings and specific implementation methods. It should be understood that the specific implementations described in this specification are only for explaining the present invention, not for limiting the present invention.

本发明基于云计算的电力数据安全存储方法在基于电力云计算的存储平台上实施,它包括如下步骤:(1)接入用户/业务向管理员(存储平台系统)申请存储空间,访问方式(samba,nfs,ftp,S3等)及数据是否需要加密(视安全等级决定);(2)管理员分配云存储空间,若数据需要加密,则勾选配置需要加密存储,系统按照算法分配密钥,并存放该存储空间和密钥的映射关系;(3)管理员分配完成以后,通知用户/业务系统启用云存储资源;(4)用户按照自己申请的业务方式接入云存储,在用户写入数据时,平台IO层将通过加密处理,把加密后的密文数据落地在本平台的存储系统中;(5)业务允许的合法用户读取该存储空间数据时,系统将加密数据块再解密还原成明文返回给用户/业务接口。The electric power data safe storage method based on cloud computing of the present invention is implemented on the storage platform based on electric power cloud computing, and it comprises the following steps: (1) access user/business apply storage space to administrator (storage platform system), access mode ( samba, nfs, ftp, S3, etc.) and whether the data needs to be encrypted (determined by the security level); (2) The administrator allocates cloud storage space, if the data needs to be encrypted, check the configuration that requires encrypted storage, and the system assigns keys according to the algorithm , and store the mapping relationship between the storage space and the key; (3) After the administrator allocates, notify the user/business system to enable cloud storage resources; When entering data, the IO layer of the platform will encrypt the encrypted ciphertext data in the storage system of the platform; (5) when a legitimate user allowed by the business reads the data in the storage space, the system will encrypt the encrypted data block and then Decryption is restored to plain text and returned to the user/business interface.

请参阅图1,核心的数据加解密是在数据的写入读出时完成的,是基于存储空间和内容做的安全加解密,并自动将安全与接口层做了解耦。在业务接口层,只需要保持现状,对接入用户做好认证,同时控制好用户对给定空间的读写权限(每个现有接口对用户的访问控制机制都有不同的支持,比如samba,S3就有不同的访问控制机制),数据的安全访问就得到了有效保证。用户的接入访问控制还原给各个接入业务接口自身的用户安全访问控制机制,如果业务系统授权了某用户具备当前路径的读写权限,那么该用户就能正确的读写数据,否则用户只能访问到加密的数据。每个业务都通过自身的访问控制机制控制用户的接入,samba、NFS、FTP、S3和其他服务为每个用户分配访问空间,并作读写权限控制;用户通过amba、NFS、FTP、S3和其他服务接口访问对应路径时,如果是合法用户,就会通过安全云储存的文件系统接口,访问到正确的内容;如果是一个非法用户,在访问控制层认证失败,则该用户浏览的云存储路径下也都是加密内容,无法获得真正的业务数据。Please refer to Figure 1. The core data encryption and decryption is completed when the data is written and read. It is based on the security encryption and decryption of the storage space and content, and automatically decouples the security from the interface layer. At the business interface layer, it is only necessary to maintain the status quo, authenticate access users, and control the read and write permissions of users to a given space (each existing interface has different support for user access control mechanisms, such as samba , S3 has a different access control mechanism), and the safe access of data is effectively guaranteed. The user's access control is restored to the user security access control mechanism of each access service interface. If the business system authorizes a user to have the read and write permissions of the current path, the user can read and write data correctly, otherwise the user can only Can access encrypted data. Each business controls user access through its own access control mechanism. Samba, NFS, FTP, S3 and other services allocate access space for each user and control read and write permissions; users use amba, NFS, FTP, S3 When accessing the corresponding path with other service interfaces, if it is a legitimate user, it will access the correct content through the file system interface of the secure cloud storage; if it is an illegal user, the authentication fails at the access control layer, and the cloud The storage path is also encrypted, and real business data cannot be obtained.

请参阅图2,数据加解密在数据存储层上实现,对上层应用和用户加解密功能是透明的,因此加解密中最重要的密钥也是和对应的存储空间位置相关。每个存储位置将对应一个密钥。对于存储系统的应用或者用户来说,每个存储路径一定是被某个应用或者用户使用,因此密钥管理系统可以直观的将存储空间的初始用户,作为该空间的密钥的拥有者,通过密钥拥有者,存储空间,密钥将整个加解密体系的密钥管理功能闭环起来。管理平台提供密钥管理入口,支持密钥的产生和修改;当密钥生成或者修改时,系统同时执行备份操作,将密钥加密备份在安全区域,和数据存储分离;在安全云存储集群中,通过安全通道定期同步存储空间对应的密钥,完成密钥分发;当用户或者应用系统通过存储集群写入数据时,加密模块通过对应的路径密钥将数据加密处理后写入存储介质;当用户或者应用系统通过存储集群读取数据时,解密模块通过对应路径将数据解密处理后,返回给用户或者应用系统。Please refer to Figure 2. Data encryption and decryption are implemented on the data storage layer, which is transparent to upper-layer applications and user encryption and decryption functions. Therefore, the most important key in encryption and decryption is also related to the corresponding storage space location. Each storage location will correspond to a key. For the application or user of the storage system, each storage path must be used by a certain application or user, so the key management system can intuitively use the initial user of the storage space as the owner of the key of the space, through The key owner, storage space, and key close the key management function of the entire encryption and decryption system. The management platform provides a key management portal, which supports the generation and modification of keys; when a key is generated or modified, the system simultaneously performs a backup operation, encrypting and backing up the key in a secure area, and separates it from data storage; in a secure cloud storage cluster , regularly synchronize the key corresponding to the storage space through the secure channel to complete the key distribution; when the user or application system writes data through the storage cluster, the encryption module encrypts the data through the corresponding path key and writes it to the storage medium; when When a user or application system reads data through the storage cluster, the decryption module decrypts the data through the corresponding path and returns it to the user or application system.

请参阅图3,在本发明的方法中,密钥和传统的基于用户的密钥管理不同,提出的加解密发生在数据存储层,对上层应用或者用户来说,加解密数据是透明的,因此密钥的属主是基于存储空间路径的。将存储路径的初始拥有者设定为密钥拥有者,密钥拥有者具备对密钥的管理权限,使得在密钥管理上便于和传统的基于用户的体系对接;其他对存储空间路径的共享者,仅支持对密钥的使用(使用密钥做加解密数据)。Please refer to Fig. 3. In the method of the present invention, the key is different from the traditional user-based key management. The proposed encryption and decryption occurs at the data storage layer. For upper-level applications or users, the encrypted and decrypted data is transparent. Therefore, the owner of the key is based on the storage space path. The initial owner of the storage path is set as the key owner, and the key owner has the management authority over the key, which makes it easy to interface with the traditional user-based system in key management; other sharing of storage space paths Or, only support the use of the key (use the key to encrypt and decrypt data).

请参阅图4,本发明的方法是基于ceph的存储,提供了samba业务数据访问接口。但是常规的samba服务是并不支持存储数据的安全加解密。本验证平台在分析samba通信协议后,基于samba的VFS模块开发了数据的安全加解密模块。该VFS模块将samba应用接口传输的数据做加解密后写入存储或者解密后返回给应用层。samba数据读写时,通过VFS模块改写中间数据,并通过编写VFS模块来实现对数据的加解密操作(Samba的vfs源码一般在源码路径moudes下面存放,VFS模块的代码命名格式如:vfs_<module_name>.c,其中module_name为模块的名字,也是模块功能的简写;一个VFS模块的代码功能结构主要包括VFS模块的初始化、VFS函数指针结构定义、需要包含的头文件、VFS实现特定功能的函数);基于上面的VFS代码结构和加解密函数的改进,vfs加解密模块核心函数主要如表1所示:Referring to Fig. 4, the method of the present invention is based on ceph storage, and provides a samba service data access interface. However, conventional samba services do not support secure encryption and decryption of stored data. After analyzing the samba communication protocol, this verification platform develops a data security encryption and decryption module based on the samba VFS module. The VFS module encrypts and decrypts the data transmitted by the samba application interface and then writes it into storage or decrypts it and returns it to the application layer. When reading and writing samba data, rewrite the intermediate data through the VFS module, and realize the encryption and decryption of the data by writing the VFS module (Samba’s vfs source code is generally stored under the source path moudes, and the code naming format of the VFS module is as follows: vfs_<module_name >.c, where module_name is the name of the module, which is also the abbreviation of the module function; the code function structure of a VFS module mainly includes the initialization of the VFS module, the definition of the VFS function pointer structure, the header files that need to be included, and the functions that VFS implements specific functions) ;Based on the improvement of the above VFS code structure and encryption and decryption functions, the core functions of the vfs encryption and decryption module are mainly shown in Table 1:

表1核心加密函数表Table 1 Core encryption function table

该代码编译后生成VFS动态链接库my_encrypt.so并存放在VFS模块所在的位置,重启samba服务后,即可加载生效。After the code is compiled, the VFS dynamic link library my_encrypt.so is generated and stored in the location of the VFS module. After restarting the samba service, it can be loaded to take effect.

根据上述说明书的揭示和教导,本发明所属领域的技术人员还可以对上述实施方式进行适当的变更和修改。因此,本发明并不局限于上面揭示和描述的具体实施方式,对本发明的一些修改和变更也应当落入本发明的权利要求的保护范围内。此外,尽管本说明书中使用了一些特定的术语,但这些术语只是为了方便说明,并不对本发明构成任何限制。According to the disclosure and teaching of the above specification, those skilled in the art to which the present invention pertains can also make appropriate changes and modifications to the above embodiment. Therefore, the present invention is not limited to the specific embodiments disclosed and described above, and some modifications and changes to the present invention should also fall within the protection scope of the claims of the present invention. In addition, although some specific terms are used in this specification, these terms are only for convenience of description and do not constitute any limitation to the present invention.

Claims (6)

1.一种基于云计算的电力数据安全存储方法,其特征在于,它包括如下步骤:1. A method for safely storing power data based on cloud computing, characterized in that it comprises the steps: (1)用户通过服务接口申请云存储空间并接入到云计算架构中访问数据,同时选择数据是否需要加密;(1) The user applies for cloud storage space through the service interface and accesses the data in the cloud computing architecture, and at the same time chooses whether the data needs to be encrypted; (2)向用户分配云存储空间,若数据需要加密,则按照算法分配密钥,并存放该存储空间和密钥的映射关系;(2) Allocate cloud storage space to users, and if the data needs to be encrypted, then distribute the key according to the algorithm, and store the mapping relationship between the storage space and the key; (3)云存储空间分配完成以后,通知用户启用云存储资源;(3) After the cloud storage space allocation is completed, notify the user to enable cloud storage resources; (4)用户按照申请的业务方式接入云存储,在用户写入数据时,将通过加密处理把加密后的密文数据落地在存储系统中;(4) The user accesses the cloud storage according to the business method applied for, and when the user writes data, the encrypted ciphertext data will be landed in the storage system through encryption processing; (5)业务允许的合法用户读取所述云存储空间数据时,加密的数据块被解密还原成明文返回给用户接口。(5) When a legitimate user permitted by the service reads the cloud storage space data, the encrypted data block is decrypted and restored to plain text and returned to the user interface. 2.根据权利要求1基于云计算的电力数据安全存储方法,其特征在于,步骤(4)中的加密和步骤(5)中的解密是基于存储空间和内容做的安全加解密,并在数据的写入读出时完成,同时将安全与服务接口做解耦。2. according to claim 1, based on cloud computing power data security storage method, it is characterized in that, the encryption in step (4) and the decryption in step (5) are based on the security encryption and decryption of storage space and content, and in the data The writing and reading are completed, and at the same time, the security and service interfaces are decoupled. 3.根据权利要求1基于云计算的电力数据安全存储方法,其特征在于,在步骤(1)中,还包括:3. According to claim 1, the method for safely storing electric power data based on cloud computing is characterized in that, in step (1), further comprising: (101)每个服务接口都通过自身的访问控制机制控制用户的接入,为每个用户分配访问空间,并作读写权限控制;(101) Each service interface controls user access through its own access control mechanism, allocates access space for each user, and controls read and write permissions; (102)用户通过服务接口访问对应路径时,如果是合法用户,则会通过安全云储存的文件系统接口访问到正确的内容;如果是非法用户,则在访问控制层认证失败,则该用户浏览的云存储路径下是加密内容,无法获得真正的业务数据。(102) When a user accesses the corresponding path through the service interface, if it is a legal user, it will access the correct content through the file system interface of the secure cloud storage; if it is an illegal user, the authentication fails at the access control layer, and the user browses The encrypted content under the cloud storage path cannot obtain real business data. 4.根据权利要求1基于云计算的电力数据安全存储方法,其特征在于,在步骤(2)中,还包括密钥的管理步骤:4. according to claim 1, based on cloud computing power data safe storage method, it is characterized in that, in step (2), also comprises the management step of key: (201)提供密钥管理入口,支持密钥的产生和修改;(201) Provide a key management entry to support key generation and modification; (202)当密钥生成或者修改时,执行备份操作,将密钥加密备份在安全区域,和数据存储分离;(202) When the key is generated or modified, a backup operation is performed, and the key is encrypted and backed up in a secure area, which is separated from the data storage; (203)通过安全通道定期同步存储空间对应的密钥,完成密钥分发;(203) periodically synchronizing the key corresponding to the storage space through the secure channel to complete the key distribution; (204)当用户写入数据时,加密模块通过对应的路径密钥将数据加密处理后写入存储介质;(204) When the user writes data, the encryption module encrypts the data and writes it into the storage medium through the corresponding path key; (205)当用户读取数据时,解密模块通过对应路径将数据解密处理后,返回给用户。(205) When the user reads the data, the decryption module decrypts the data through the corresponding path and returns it to the user. 5.根据权利要求4基于云计算的电力数据安全存储方法,其特征在于,还包括:将存储路径的初始拥有者设定为密钥拥有者,密钥拥有者具备对密钥的管理权限;其他对存储空间路径的共享者,仅能使用密钥做加解密数据。5. According to claim 4, the method for safely storing power data based on cloud computing, further comprising: setting the initial owner of the storage path as the key owner, and the key owner has management authority over the key; Other sharers of the storage path can only use the key to encrypt and decrypt data. 6.根据权利要求1基于云计算的电力数据安全存储方法,其特征在于,所述服务接口为samba业务数据访问接口,一数据安全加解密模块将samba业务数据访问接口传输的数据做加解密后写入存储或者解密后返回给应用层。6. according to claim 1 based on the power data safe storage method of cloud computing, it is characterized in that, described service interface is samba business data access interface, after a data security encryption and decryption module encrypts and decrypts the data that samba business data access interface transmits Write to storage or return to the application layer after decryption.
CN201510874603.9A 2015-12-02 2015-12-02 A method for safe storage of electric power data based on cloud computing Pending CN105516117A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201510874603.9A CN105516117A (en) 2015-12-02 2015-12-02 A method for safe storage of electric power data based on cloud computing

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201510874603.9A CN105516117A (en) 2015-12-02 2015-12-02 A method for safe storage of electric power data based on cloud computing

Publications (1)

Publication Number Publication Date
CN105516117A true CN105516117A (en) 2016-04-20

Family

ID=55723754

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201510874603.9A Pending CN105516117A (en) 2015-12-02 2015-12-02 A method for safe storage of electric power data based on cloud computing

Country Status (1)

Country Link
CN (1) CN105516117A (en)

Cited By (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106330869A (en) * 2016-08-15 2017-01-11 江苏敏捷科技股份有限公司 Data security protection system and method based on cloud application
CN106385454A (en) * 2016-09-18 2017-02-08 安徽爱她有果电子商务有限公司 Network computing storage system based on cloud storage
CN107682329A (en) * 2017-09-26 2018-02-09 国网上海市电力公司 Method and device for power data transmission and storage
CN108322451A (en) * 2018-01-12 2018-07-24 深圳壹账通智能科技有限公司 Data processing method, device, computer equipment and storage medium
CN109543415A (en) * 2018-11-20 2019-03-29 南方电网科学研究院有限责任公司 A secure operating system architecture
CN109586924A (en) * 2019-01-02 2019-04-05 大连理工大学 A kind of intelligent distribution network data safe transmission method based on cloud computing
CN109784079A (en) * 2019-01-28 2019-05-21 广州供电局有限公司 A kind of user data protection method for power industry
CN110880986A (en) * 2019-10-30 2020-03-13 烽火通信科技股份有限公司 High-availability NAS storage system based on Ceph
CN112134943A (en) * 2020-09-21 2020-12-25 李波 Internet of things cloud storage system and method
CN112579549A (en) * 2020-12-14 2021-03-30 浪潮云信息技术股份公司 CephFS file protocol sharing system, construction method and implementation method
CN114257606A (en) * 2021-12-13 2022-03-29 阿里巴巴(中国)有限公司 Data processing method, file management system, storage medium, and program product
CN115171279A (en) * 2022-07-07 2022-10-11 杭州正华电子科技有限公司 Remote electricity meter card payment management method, system and readable medium

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102611711A (en) * 2012-04-09 2012-07-25 中山爱科数字科技股份有限公司 A cloud data security storage method
CN103107995A (en) * 2013-02-06 2013-05-15 中电长城网际系统应用有限公司 Cloud computing environmental data secure storage system and method
CN104767745A (en) * 2015-03-26 2015-07-08 浪潮集团有限公司 A cloud data security protection method
CN105100248A (en) * 2015-07-30 2015-11-25 国家电网公司 Cloud storage security realization method based on data encryption and access control

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102611711A (en) * 2012-04-09 2012-07-25 中山爱科数字科技股份有限公司 A cloud data security storage method
CN103107995A (en) * 2013-02-06 2013-05-15 中电长城网际系统应用有限公司 Cloud computing environmental data secure storage system and method
CN104767745A (en) * 2015-03-26 2015-07-08 浪潮集团有限公司 A cloud data security protection method
CN105100248A (en) * 2015-07-30 2015-11-25 国家电网公司 Cloud storage security realization method based on data encryption and access control

Cited By (15)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106330869A (en) * 2016-08-15 2017-01-11 江苏敏捷科技股份有限公司 Data security protection system and method based on cloud application
CN106385454A (en) * 2016-09-18 2017-02-08 安徽爱她有果电子商务有限公司 Network computing storage system based on cloud storage
CN107682329A (en) * 2017-09-26 2018-02-09 国网上海市电力公司 Method and device for power data transmission and storage
CN108322451B (en) * 2018-01-12 2020-09-22 深圳壹账通智能科技有限公司 Data processing method, data processing device, computer equipment and storage medium
CN108322451A (en) * 2018-01-12 2018-07-24 深圳壹账通智能科技有限公司 Data processing method, device, computer equipment and storage medium
CN109543415A (en) * 2018-11-20 2019-03-29 南方电网科学研究院有限责任公司 A secure operating system architecture
CN109586924A (en) * 2019-01-02 2019-04-05 大连理工大学 A kind of intelligent distribution network data safe transmission method based on cloud computing
CN109784079A (en) * 2019-01-28 2019-05-21 广州供电局有限公司 A kind of user data protection method for power industry
CN110880986A (en) * 2019-10-30 2020-03-13 烽火通信科技股份有限公司 High-availability NAS storage system based on Ceph
CN112134943A (en) * 2020-09-21 2020-12-25 李波 Internet of things cloud storage system and method
CN112134943B (en) * 2020-09-21 2023-08-22 李波 Internet of things cloud storage system and method
CN112579549A (en) * 2020-12-14 2021-03-30 浪潮云信息技术股份公司 CephFS file protocol sharing system, construction method and implementation method
CN114257606A (en) * 2021-12-13 2022-03-29 阿里巴巴(中国)有限公司 Data processing method, file management system, storage medium, and program product
CN114257606B (en) * 2021-12-13 2024-03-29 阿里巴巴(中国)有限公司 Data processing method, file management system, storage medium, and program product
CN115171279A (en) * 2022-07-07 2022-10-11 杭州正华电子科技有限公司 Remote electricity meter card payment management method, system and readable medium

Similar Documents

Publication Publication Date Title
CN105516117A (en) A method for safe storage of electric power data based on cloud computing
US11108753B2 (en) Securing files using per-file key encryption
US11240024B2 (en) Cryptographic key management using key proxies and generational indexes
US10691817B2 (en) Encryption for distributed storage and processing
CN102170440B (en) Method suitable for safely migrating data between storage clouds
US9516016B2 (en) Storage array password management
CN108900483B (en) Cloud storage fine-grained access control method, data uploading method and data access method
CN102394894B (en) A method for secure management of network virtual disk files based on cloud computing
JP6414863B2 (en) Encryption and decryption method and apparatus and system in virtualization system
US20120216052A1 (en) Efficient volume encryption
CN104104692B (en) A kind of virtual machine encryption method, decryption method and encryption and decryption control system
US8719923B1 (en) Method and system for managing security operations of a storage server using an authenticated storage module
US9576144B2 (en) Secured file system management
CN104023085A (en) Security cloud storage system based on increment synchronization
US11068606B2 (en) Secured encrypted shared cloud storage
Shetty et al. Data security in Hadoop distributed file system
US9514325B2 (en) Secured file system management
AU2016203740A1 (en) Simultaneous state-based cryptographic splitting in a secure storage appliance
US11418331B1 (en) Importing cryptographic keys into key vaults
CN112199431B (en) Metadata-based data sharing method and data sharing system
AU2016210698A1 (en) Storage security using cryptographic splitting
CN110633125A (en) Integrated management platform and management method based on cloud platform storage
CN106161654A (en) A kind of cloud educational system
CN117234427B (en) Data reading and writing method, device, equipment, system, storage medium and storage system
Jogdand et al. CSaaS-a multi-cloud framework for secure file storage technology using open ZFS

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication
RJ01 Rejection of invention patent application after publication

Application publication date: 20160420