CN105678189B - Data file encryption storage and retrieval system and method - Google Patents
- Publication number
- CN105678189B (CN201610025930.1A)
- Authority
- CN
- China
- Prior art keywords
- data file
- storage system
- cloud storage
- content metadata
- file
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Expired - Fee Related
Classifications
-
- G—PHYSICS
- G06—COMPUTING OR CALCULATING; COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/62—Protecting access to data via a platform, e.g. using keys or access control rules
- G06F21/6209—Protecting access to data via a platform, e.g. using keys or access control rules to a single file or object, e.g. in a secure envelope, encrypted and accessed using a key, or with access control rules appended to the object itself
-
- G—PHYSICS
- G06—COMPUTING OR CALCULATING; COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F16/00—Information retrieval; Database structures therefor; File system structures therefor
- G06F16/10—File systems; File servers
- G06F16/13—File access structures, e.g. distributed indices
- G06F16/134—Distributed indices
-
- G—PHYSICS
- G06—COMPUTING OR CALCULATING; COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F2221/00—Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/21—Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/2141—Access rights, e.g. capability lists, access control lists, access tables, access matrices
Landscapes
- Engineering & Computer Science (AREA)
- Theoretical Computer Science (AREA)
- General Physics & Mathematics (AREA)
- Physics & Mathematics (AREA)
- General Engineering & Computer Science (AREA)
- General Health & Medical Sciences (AREA)
- Computer Hardware Design (AREA)
- Computer Security & Cryptography (AREA)
- Software Systems (AREA)
- Health & Medical Sciences (AREA)
- Bioethics (AREA)
- Data Mining & Analysis (AREA)
- Databases & Information Systems (AREA)
- Storage Device Security (AREA)
Abstract
The invention discloses a method for storing and retrieving encrypted data files, comprising: extracting content metadata from a data file, then encrypting the file to generate an encrypted data file that is stored on a storage device of a cloud storage system; adding to the content metadata the file global identifier of the data file in its encrypted state, and storing the content metadata in the content metadata database of the cloud storage system; and, when retrieving encrypted data files stored in the cloud storage system, searching the content metadata database with an inverted index method to obtain the file global identifiers that match the search keywords, and listing the attribute information and content information of the encrypted data files corresponding to those file global identifiers as the retrieval result. The invention extracts content metadata before the data file is encrypted, adds to the content metadata the file global identifier of the file in its encrypted state, and retrieves encrypted data files stored in the cloud storage system through the file global identifier, ensuring the security and privacy of data files in a cloud storage environment while keeping data file retrieval convenient.
Description
Technical field
The invention relates to the technical field of information security, and in particular to a system and method for storing and retrieving encrypted data files based on a cloud storage system.
Background
Compared with traditional data file storage, cloud storage technology has many advantages:
(1) Low cost. Traditionally, users have to buy large amounts of basic equipment such as servers and hard disks and upgrade it regularly. In a cloud storage environment users no longer need to buy this equipment, which saves the purchase cost on the one hand and reduces maintenance cost on the other;
(2) Good scalability. Small and medium-sized enterprises find it hard to estimate in advance how much storage capacity they will need. Cloud storage solves this well: capacity that meets current needs can be purchased up front, and when the business grows and the data volume increases, capacity can be added dynamically without affecting existing data;
(3) Automatic data backup. For data safety many users back up their data, but backup is often tedious and raises its own problems of securing the backup data and protecting its integrity. Cloud storage providers generally keep two or more copies of each data file, which fully ensures high availability of the data files and frees users from the trouble of backing up data;
(4) Automatic failover. When a traditional storage system is upgraded, data has to be migrated from the old storage to another storage server and migrated back once the new storage server is online. This interrupts service on the one hand and brings a risk of data loss on the other. In a cloud storage environment these problems no longer exist: when the system detects an abnormality it automatically switches the service to an available redundant storage cluster, without affecting normal service and without losing data.
Although cloud storage has many advantages, it also has shortcomings. The most prominent is that more and more users worry that their data, stored in a cloud storage environment managed and controlled by others, may have its content leaked, causing losses to individuals and companies. The current way to address this is to store data in the cloud storage system in encrypted form.
Storing data files encrypted protects their privacy and security, but it also introduces a problem: in many scenarios users need to retrieve data files by specific content, and once the data files are encrypted, retrieval becomes impossible or slow.
Summary of the invention
The invention provides a system and method for storing and retrieving encrypted data files that solves the problems of difficult and slow retrieval of encrypted data files, and can quickly retrieve the required encrypted data file information while the data files remain encrypted.
To achieve the above object, the invention provides an encrypted data file storage and retrieval system, characterized in that the system comprises:
a cloud storage system comprising a server side and a storage device; the server side comprises a user identity authentication module, a content metadata extraction module, a metadata management system, a data file encryption module and an information retrieval module; the metadata management system connects to and manages a content metadata database, a system metadata database and a storage metadata database; the storage device stores data files, which include encrypted data files and plaintext data files;
a client comprising a content metadata extraction module and a data file encryption module.
An encrypted data file storage and retrieval method, characterized in that the method comprises:
the client or the cloud storage system server side extracts the content metadata of a data file and then encrypts the file to generate an encrypted data file; the encrypted data file and the corresponding content metadata are stored, respectively, on the storage device of the cloud storage system and in the server-side content metadata database; the content metadata includes the attribute information and content information of the data file, and the file global identifier of the data file in its encrypted state;
when encrypted data files stored in the cloud storage system are retrieved, the server-side encrypted data file retrieval module uses an inverted index method to search the server-side content metadata database for the file global identifiers, in the encrypted state, of the data files that match the search keywords, and lists the attribute information and content information of the encrypted data files corresponding to those file global identifiers, which is returned as the retrieval result.
The method by which the client extracts the content metadata of a data file and then encrypts it to generate an encrypted data file comprises:
the client extracts the content metadata of the data file;
the client encrypts the data file whose content metadata has been extracted, generating an encrypted data file;
the client uploads the encrypted data file and the corresponding content metadata to the cloud storage system server side.
The method by which the cloud storage system server side extracts the content metadata of a data file and then encrypts it to generate an encrypted data file comprises:
the client uploads the data file to the cloud storage system server side;
the cloud storage system server side extracts the content metadata of the data file;
the cloud storage system server side encrypts the data file whose content metadata has been extracted, generating an encrypted data file.
Extracting the content metadata of a data file comprises: the content metadata extraction module of the client or of the cloud storage system server side performs a preliminary analysis of the data file's content according to the characteristics of the data file, extracts the attribute information and content information that reflect those characteristics, and adds the file global identifier of the encrypted data file to the content metadata.
After the content metadata of the data file has been extracted, the client can modify the content metadata stored in the content metadata database on the cloud storage system server side.
The cloud storage system server side stores the encrypted data files in a distributed manner on the storage devices of the cloud storage system, and stores the content metadata in the content metadata database of the cloud storage system.
Retrieving the encrypted data files stored on the cloud storage system server side comprises:
the client sends a retrieval request containing search keywords, and the cloud storage system analyzes the retrieval request to determine the validity of the search keyword content in the request;
the information retrieval module of the cloud storage system runs a matching query against the content metadata database using the inverted index method, and obtains as the retrieval result the file global identifiers, in the encrypted state, of the data files that match the search keywords, together with the attribute information and content information of the data files corresponding to those file global identifiers;
the information retrieval module sorts the retrieval results and sends them to the client.
Based on the retrieval results, the client can choose to download the encrypted data file corresponding to a file global identifier listed in the results;
if the encrypted data file was encrypted on the client, the cloud storage system transmits the encrypted data file directly to the user's client, which decrypts it;
if the encrypted data file was encrypted on the cloud storage system server side, the cloud storage system server side decrypts the encrypted data file and then transmits it to the client.
The retrieval method for encrypted data files further includes an optimization of the inverted index method, which comprises:
by vertical partitioning and horizontal shifting, moving the zero elements of the inverted index matrix of the data file content metadata to the bottom and right of the matrix;
then, by block clustering, transforming the original high-dimensional sparse matrix into several low-dimensional dense matrices;
when content metadata is searched, sending the several low-dimensional matrices of the optimized sparse matrix to different processing units in the cloud storage system for parallel processing.
Compared with prior-art techniques for storing and retrieving encrypted data files, the encrypted data file storage and retrieval system and method of the invention have the following advantages. The invention establishes a new content metadata structure that lets users search encrypted data files from multiple angles and in multiple respects, ensuring the security and privacy of data files in a cloud storage environment while keeping data file retrieval convenient;
in the invention all data files are kept in the cloud storage system in encrypted form, so even if an encrypted data file is obtained, it is not disclosed without the decryption key;
the invention designs a new inverted index method suited to content metadata retrieval, which can quickly retrieve the corresponding encrypted data files in the cloud storage system from the keyword information the user provides on the client, ensuring the efficiency and precision of encrypted data file retrieval and solving the problem of difficult or slow retrieval of encrypted data files in big-data environments such as cloud storage;
the invention applies equally to the retrieval of encrypted data files and plaintext data files in the cloud storage system, and in both cases achieves fast retrieval and return of the retrieval results.
Description of the drawings
Figure 1 is a flow diagram of the encrypted data file storage and retrieval method of the invention;
Figure 2 is a diagram of the relationship between the three kinds of metadata;
Figure 3 is a diagram of the content metadata structure;
Figure 4 is a diagram of the storage metadata structure;
Figure 5 is a flow chart of an embodiment of the encrypted data file storage and retrieval method based on a cloud storage system;
Figure 6 is a diagram of the retrieval model for encrypted data files;
Figure 7 is a schematic diagram of the inverted index of content metadata;
Figure 8 is a schematic diagram of the matrix representation of the inverted index of content metadata;
Figure 9 is a schematic diagram of the partitioning of the inverted index matrix of content metadata and its parallel processing.
Detailed description
Specific embodiments of the invention are described further below with reference to the drawings.
The invention discloses an encrypted data file storage and retrieval system and method based on a cloud storage system, in which the attribute information and content information of the original data file, together with the file global identifier of the encrypted data file, are stored in a content metadata database, so that encrypted data files can be retrieved without decrypting the original data file.
Technical principle of the invention: (1) A special content metadata structure is designed for data files, and the content metadata includes the file global identifier (FGID) of the data file in its encrypted state. Before the client or the cloud storage system server side (i.e. the cloud storage system) encrypts a data file, the content metadata of the data file is extracted automatically and stored in the content metadata database on the cloud storage system server side, i.e. in the cloud storage system, to provide the basis for retrieving the encrypted data file; (2) a data file can be encrypted either on the client or on the server side of the cloud storage system, and is then stored in a distributed manner on the storage devices of the cloud storage system, ensuring the security, privacy, high availability and data integrity of the data file; (3) a new inverted index method ensures the retrieval speed over the massive content metadata in the cloud storage system, thereby achieving fast retrieval of encrypted data files. The invention overcomes the drawbacks of conventional approaches, in which encrypted data files are difficult to retrieve or retrieval after decryption is slow.
The encrypted data file storage and retrieval system based on a cloud storage system disclosed by the invention comprises a cloud storage system and a client.
The cloud storage system comprises a server side and a storage device. The server side comprises a user identity authentication module, a content metadata extraction module, a metadata management system, a data file encryption module and an information retrieval module; the metadata management system connects to and manages a content metadata database, a system metadata database and a storage metadata database; the storage device stores data files, which include encrypted data files and plaintext data files. The client comprises a content metadata extraction module and a data file encryption module.
As shown in Figure 1, an encrypted data file storage and retrieval method based on a cloud storage system is disclosed, comprising the following steps:
S100. The client authenticates the user through an identity authentication interface.
User authentication covers access control and the provision of user identity information. Access control restricts access by unauthorized users and is the first line of defense for data security in a cloud storage environment. Provision of user information: the user-related information and the data access permission settings needed in the later extraction of data file content metadata are both obtained from the user authentication information.
User identity authentication in the cloud storage system controls access by unauthorized users and rejects their operations. This ensures the security of the cloud storage system, protects it by keeping unauthorized users out, supplies the corresponding attributes for the later extraction or generation of the related metadata, and provides the information needed for access control on data files. It also establishes the identity of legitimate users and limits the scope of data they can access.
During identity authentication, it is determined whether the file storage flow or the file retrieval flow is to be performed: for the file storage flow, go to S200; for the file retrieval flow, go to S300.
S200. Perform the file storage flow on the user's data file: encrypt the user's data file and store it in the cloud storage system.
S300. Perform the file retrieval flow on encrypted data files: search the encrypted data files directly in the cloud storage system without decrypting them.
Data files include structured, semi-structured and unstructured data files. Structured data files are the various traditional database files; unstructured data files are document files, picture files, audio files, video files and the like; a semi-structured data file is an irregular database file, that is, a database file with unstructured data embedded in it.
As shown in Figure 2, the invention divides the metadata in the cloud storage environment into three classes: system metadata, storage metadata and content metadata. The three classes are kept in different metadata databases in the cloud, and the three classes of metadata for each encrypted data file are associated through that data file's FGID. The FGID is both the primary key and a foreign key of the tables holding the three classes of metadata. It uniquely identifies the encrypted data file and is determined by the content of the encrypted data file, so the FGID can be used to check the data integrity of the encrypted data file. Each FGID is 128 bits long, which means it can represent 2^128 files.
System metadata includes the directory information and directory path names of the cloud storage system, the data file names and the file global identifiers (FGIDs) of the encrypted data files under each directory, and the attributes of data files and directories. It is generated automatically by the system after the user's encrypted data file is stored.
As shown in Figure 3, content metadata is the key to data file retrieval and reflects the characteristics of the data file. It includes the attribute information and content information of the stored data file in its plaintext state, and the file global identifier (FGID) of the data file in its encrypted state. Attribute information includes the file name, creation time, file creator, modification time, modifier, version information, file type and so on; it gives an overall picture of the data file. Content information includes a summary of the data file's content, keywords, file aliases, file tags, remarks, purpose, content organization structure, compression method, encoding format, and content feature information of the data file. The FGID entry for the data file in its encrypted state is added automatically by the cloud storage system after the encrypted data file is stored.
As shown in Figure 4, storage metadata includes the basic information and storage information of the encrypted data file, and the file global identifier (FGID) of the encrypted data file. Basic information includes the data file size, user ID, permitted operation types, replication factor, security attributes and so on; storage information includes the list of content addresses corresponding to the block IDs of the encrypted data file, the list of block sizes, and the base address of the table mapping block physical addresses to content addresses. The user ID is the ID of the file's owner; the permitted operation types include read, write, modify and so on; the replication factor is the number of backup copies of the data file; and the content address is the hash function value of the data block. Storage metadata is generated automatically by the system after the user's encrypted data file is stored.
In the metadata management system on the cloud storage system server side, the three classes of metadata for a data file are linked together through its file global identifier (FGID). The content metadata is extracted automatically by the system, and authorized users can manually modify the content metadata in the content metadata database from the client over the network.
Encryption of data files: according to the physical location where the data file is encrypted, encryption is either client-side or server-side. The two modes suit different scenarios: for data files with higher security requirements, server-side encryption in the cloud storage system can be chosen; for data files with very high security requirements, client-side encryption can be chosen.
Storage and management of metadata: the three classes of metadata (system metadata, storage metadata and content metadata) are stored in three dedicated metadata databases in the cloud storage system. These databases support massive data storage and efficient retrieval, can serve concurrent requests from very large numbers of users, and provide automatic fault recovery and data backup, ensuring the security and high availability of the metadata;
Storage and management of encrypted data files: the cloud storage system uses distributed storage technology to store encrypted data files on the storage devices it allocates to the user's virtual machine. The cloud storage system is a distributed, highly available storage system whose total capacity can be scaled out horizontally by adding nodes; merging several physical data blocks into one larger logical storage space reduces data management overhead;
Retrieval of encrypted data files based on content metadata first requires a preliminary analysis of the user's input to narrow the search scope and determine which metadata files the search may involve, which speeds up retrieval in the massive content metadata database of the cloud storage system. The retrieval operation does not need to decrypt the encrypted data files, and the final retrieval result is an encrypted data file or a list of encrypted data files.
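The client-side store, search and download flow described above, written out as an added Python example that is not part of the patent text. It assumes the FGID is the first 128 bits of SHA-256 over the ciphertext (the text only says it is 128 bits and determined by the encrypted content), uses an HMAC-SHA256 keystream as a stand-in cipher so it runs with the standard library alone, and all class, function and sample file names are hypothetical.

```python
import hashlib
import hmac
import os
from collections import defaultdict


def stand_in_cipher(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR with an HMAC-SHA256 counter keystream (same call encrypts and decrypts).

    Assumption: stand-in so the example runs with the standard library only;
    a deployment would use an AEAD such as AES-GCM.
    """
    out = bytearray()
    for i in range(0, len(data), 32):
        counter = (i // 32).to_bytes(8, "big")
        block = hmac.new(key, nonce + counter, hashlib.sha256).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)


def fgid_of(ciphertext: bytes) -> str:
    """128-bit FGID derived from the encrypted content.

    Assumption: truncated SHA-256; the page only says the FGID is 128 bits
    and determined by the encrypted file's content.
    """
    return hashlib.sha256(ciphertext).hexdigest()[:32]


class CloudStore:
    """Server side: holds ciphertext, plaintext content metadata, and the index."""

    def __init__(self):
        self.blobs = {}                 # FGID -> ciphertext (storage device)
        self.content_metadata = {}      # FGID -> record (content metadata database)
        self.index = defaultdict(set)   # keyword -> {FGID} (inverted index)

    def put(self, ciphertext: bytes, metadata: dict) -> str:
        fgid = fgid_of(ciphertext)
        record = dict(metadata, fgid=fgid)   # FGID is added once the file is stored
        self.blobs[fgid] = ciphertext
        self.content_metadata[fgid] = record
        for keyword in record["keywords"]:
            self.index[keyword].add(fgid)
        return fgid

    def search(self, query: str) -> list:
        terms = query.lower().split()
        # Validity check on the request before it touches the index.
        if not terms or not all(t.isalnum() for t in terms):
            raise ValueError("invalid search keywords")
        hits = set.intersection(*(self.index.get(t, set()) for t in terms))
        # The result is metadata only; no ciphertext is decrypted to answer it.
        return sorted((self.content_metadata[f] for f in hits),
                      key=lambda r: r["file_name"])


def client_store(store, key, file_name, creator, plaintext, keywords) -> str:
    """Client-side path: extract metadata, encrypt, upload both."""
    metadata = {
        "file_name": file_name,
        "creator": creator,
        "file_type": file_name.rsplit(".", 1)[-1],
        "keywords": sorted({k.lower() for k in keywords}),
    }
    nonce = os.urandom(16)
    ciphertext = nonce + stand_in_cipher(key, nonce, plaintext)
    return store.put(ciphertext, metadata)


def client_fetch(store, key, fgid) -> bytes:
    """Download by FGID, check the ciphertext against it, then decrypt locally."""
    ciphertext = store.blobs[fgid]
    if not hmac.compare_digest(fgid_of(ciphertext), fgid):
        raise ValueError("stored ciphertext does not match its FGID")
    return stand_in_cipher(key, ciphertext[:16], ciphertext[16:])


if __name__ == "__main__":
    store, key = CloudStore(), os.urandom(32)
    # Constructed sample files.
    client_store(store, key, "q3-budget.xlsx", "alice",
                 b"constructed sample: budget figures", ["budget", "finance"])
    client_store(store, key, "audit-notes.txt", "bob",
                 b"constructed sample: audit notes", ["audit", "finance"])
    for record in store.search("finance budget"):
        print(record["fgid"], record["file_name"])
        print(client_fetch(store, key, record["fgid"]))
```

The file name, creator and keyword fields are held in plaintext in the server's metadata database, so whoever operates that database can read them even though the file bodies stay encrypted.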
Figure 5 shows an embodiment of the encrypted data file storage and retrieval method based on a cloud storage system, in which the file storage process (S200) comprises the following steps:
S201. After the client has authenticated the user, the client decides whether to encrypt the data file on the client. If yes, client-side encryption is performed and the flow jumps to S202; if no, server-side encryption (on the cloud storage system server) is performed and the flow jumps to S205.
S202. The client's content metadata extraction module automatically extracts the content metadata of the data file. Content metadata extraction comprises automatic extraction and manual modification.
Automatic extraction: the client's content metadata extraction module performs a preliminary analysis of the file content according to the file's characteristics and extracts the above-mentioned attribute information and content information that reflect the characteristics of the data file.
Manual modification: the user is the owner of the data file and has a fairly comprehensive understanding of its type, attributes, purpose and characteristics. For some special data files, the user can manually modify, from the client over the network, the content metadata that the system extracted automatically, so that it describes the data file's characteristics more accurately and improves retrieval accuracy and efficiency.
Here, the content metadata of the data file is extracted automatically by the client's content metadata extraction module before the data file is encrypted, and is sent to the content metadata database on the cloud storage system server for storage. Authorized users can edit the content metadata stored in the content metadata database so that it better matches their retrieval habits, which improves retrieval accuracy and efficiency.
S203. The client's encryption module encrypts the data file: after its content metadata has been extracted, the data file is encrypted with the user's private key, with symmetric-key encryption, or with another encryption algorithm, producing the encrypted data file.
S204. The client uploads the encrypted data file and the corresponding content metadata to the server side of the cloud storage system, then jumps to S208.
S205. The client uploads the data file in plaintext to the server side of the cloud storage system.
S206. The content metadata extraction module on the server side of the cloud storage system automatically extracts the content metadata of the data file. Content metadata extraction comprises automatic extraction and manual modification.
Automatic extraction: the client's content metadata extraction module performs a preliminary analysis of the file content according to the file's characteristics and extracts the attribute information and content information that reflect the characteristics of the data file.
Manual modification: the user is the owner of the data file and has a fairly comprehensive understanding of its type, attributes, purpose and characteristics. For some special data files, the user can manually modify, from the client over the network, the content metadata that the system extracted automatically, so that it describes the data file's characteristics more accurately and improves retrieval accuracy and efficiency.
Here, the content metadata of the data file is extracted automatically by the content metadata extraction module on the cloud storage system server before the data file is encrypted, and is sent to the content metadata database on the cloud storage system server for storage. Authorized users can edit the content metadata stored in the content metadata database so that it better matches their retrieval habits, which improves retrieval accuracy and efficiency.
S207. The encryption module on the cloud storage system server encrypts the data file, after its content metadata has been extracted, with the user's private key, with symmetric-key encryption, or with another encryption algorithm, producing the encrypted data file. Encrypting the data file ensures its security. The flow jumps to S208.
S208. The server side of the cloud storage system stores the encrypted data file produced by client-side or server-side encryption on the corresponding storage device in the cloud storage system.
Once the server side of the cloud storage system has the user's encrypted data file, it stores the encrypted data file on the storage device that corresponds to the user's virtual machine.
Each cloud tenant (user) uses the cloud storage system in units of user virtual machines.
At the same time, the encryption module of the cloud storage system uses the MD5 algorithm to generate the file global identifier (FGID) of the encrypted data file and writes it into the content metadata of that data file. The FGID is the unique identifier of the encrypted data file, and it can also be used to check the data integrity of the encrypted data file.
After the encrypted data file has been stored, the cloud storage system generates system metadata and storage metadata: it automatically generates the encrypted data file's system metadata and storage metadata from the directory information under which the file is stored, its storage location information, and its file global identifier (FGID).
S209. The content metadata extracted before encryption is stored in the content metadata database of the cloud storage system.
Further, after the content metadata has been stored in the content metadata database of the cloud storage system, the content metadata database can be updated: authorized users can modify, from the client over the network, the content metadata in the content metadata database of the cloud storage system, which allows users to retrieve encrypted data files more precisely.
On the basis of the S200 encrypted data file storage process, retrieval of encrypted data files can be implemented. Figure 6 shows the encrypted data file retrieval model based on content metadata. Its general flow is:
① The client uploads the search content to the information retrieval module of the cloud storage system.
② The information retrieval module uses the inverted-index method to query the content metadata database managed by the metadata management system for information matching the search content.
③ The metadata management system sends the file global identifiers (FGIDs) and the corresponding content metadata of the encrypted data files found in ② to the information retrieval module.
④ The information retrieval module sorts the results returned by the metadata management system and sends the sorted result list to the client.
⑤ The user selects the file to download from the result list on the client, and the FGID of the selected file is sent to the information retrieval module.
⑥ The information retrieval module uses the file's FGID to look up the storage location information of the corresponding encrypted data file in the storage metadata database managed by the metadata management system.
⑦ The metadata management system sends the storage location information found in ⑥ to the distributed storage system.
⑧ The distributed storage system uses the storage location information to fetch the encrypted data file and passes it to the encryption/decryption module.
⑨ The encryption/decryption module decrypts the encrypted data file and passes it to the client, which completes the retrieval of the encrypted data file.
In Figure 6, if the encrypted data file was encrypted on the server side, the encryption/decryption module in the model is located on the server side of the cloud storage system; if the encrypted data file was encrypted on the client, the encryption/decryption module in the model is located on the client.
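The FGID handling in S208 and the FGID-based lookup in steps ⑥ to ⑧ of the retrieval model can be sketched as follows. This is an added example, not code from the patent: the class `CloudStore`, its field names, the location format and the sample ciphertext bytes are assumptions made for illustration, and the server works only on ciphertext.

```python
import hashlib
from dataclasses import dataclass, field


class IntegrityError(Exception):
    """Stored ciphertext no longer matches the FGID recorded at upload time."""


def fgid_of(ciphertext: bytes) -> str:
    """FGID as the page describes it: the MD5 digest of the encrypted file."""
    return hashlib.md5(ciphertext).hexdigest()


@dataclass
class CloudStore:
    """In-memory stand-in for the server side; all names here are hypothetical."""
    blobs: dict = field(default_factory=dict)         # storage location -> ciphertext
    content_meta: dict = field(default_factory=dict)  # FGID -> content metadata
    storage_meta: dict = field(default_factory=dict)  # FGID -> storage location
    system_meta: dict = field(default_factory=dict)   # FGID -> directory information

    def store(self, vm_id: str, directory: str, ciphertext: bytes, metadata: dict) -> str:
        """S208/S209: persist the ciphertext, derive the FGID, record the metadata."""
        fgid = fgid_of(ciphertext)
        location = f"{vm_id}/{fgid}"  # assumed layout: one area per user VM
        self.blobs[location] = ciphertext
        self.content_meta[fgid] = {**metadata, "fgid": fgid}
        self.storage_meta[fgid] = location
        self.system_meta[fgid] = {"vm": vm_id, "directory": directory}
        return fgid

    def fetch(self, fgid: str) -> bytes:
        """Steps 6 to 8: FGID -> storage location -> ciphertext, checked on the way out."""
        location = self.storage_meta.get(fgid)
        if location is None:
            raise KeyError(f"unknown FGID {fgid}")
        ciphertext = self.blobs[location]
        if fgid_of(ciphertext) != fgid:
            raise IntegrityError(f"ciphertext at {location} does not match FGID {fgid}")
        return ciphertext


def demo():
    """Store a constructed ciphertext, read it back, then corrupt it on 'disk'."""
    store = CloudStore()
    ciphertext = bytes(range(64))  # constructed stand-in for an encrypted file
    fgid = store.store("vm-01", "/reports", ciphertext, {"keywords": ["audit", "tax"]})
    intact = store.fetch(fgid) == ciphertext
    location = store.storage_meta[fgid]
    store.blobs[location] = ciphertext[:-1] + b"\xff"  # simulate a damaged block
    try:
        store.fetch(fgid)
        detected = False
    except IntegrityError:
        detected = True
    return fgid, intact, detected


if __name__ == "__main__":
    print(demo())
```

MD5 catches accidental corruption of the stored ciphertext, but it is not collision-resistant, so a deployment that must also resist deliberate substitution would pair the identifier with SHA-256 or a keyed MAC.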
Figure 5 shows an embodiment of the encrypted data file storage and retrieval method based on a cloud storage system, in which the file retrieval process (S300) comprises the following steps:
S301. The client receives a query request through the query interface; the query request contains search keywords. The client uploads the query request containing the search keywords to the cloud storage system.
The information retrieval module of the cloud storage system analyzes the query request submitted by the client and determines whether the content of the search keywords in the query request is valid.
S302. Data retrieval: the information retrieval module of the cloud storage system runs a matching query against the content metadata database using a new type of inverted index algorithm and returns the file global identifiers (FGIDs) and part of the content metadata of the encrypted data files that meet the requirements.
The new inverted index method is an improved inverted index method that is suited to fast retrieval of massive amounts of content metadata in the content metadata database of the cloud storage system.
Figure 7, together with Figure 8, shows the inverted index of data file content metadata disclosed by the present invention and its matrix representation. Keyword 1, keyword 2, ... denote content metadata items in the content metadata database; ID1, ID2, ..., IDn denote the file global identifiers (FGIDs) of encrypted data files; and the entry at the intersection of a row and a column in Figure 8 is the number of times a keyword appears in a data file. Figure 8 shows that the inverted index matrix of data file content metadata is a sparse matrix. To speed up keyword retrieval in the massive content metadata database of the cloud storage system, the inverted index matrix is optimized as follows: through vertical partitioning and horizontal shifting, the zero elements of the matrix are moved to the bottom and the right of the matrix; block clustering then transforms the original high-dimensional sparse matrix into a set of low-dimensional dense matrices. When content metadata is searched, the individual low-dimensional matrices of the optimized sparse matrix are sent to different processing units in the cloud storage system for parallel processing, which greatly increases keyword retrieval speed in the massive content metadata database. The principle is shown in Figure 9, where M1, M2, ..., Mn denote the low-dimensional dense matrices and P1, P2, ..., Pn denote the parallel processing units in the cloud storage system.
S303. The cloud storage system determines whether the retrieval succeeded. If yes, the flow jumps to step S304; if not, a message stating that no encrypted data file matches the search is sent to the client, and the flow jumps to S305.
S304. The cloud storage system locates the corresponding encrypted data file by its file global identifier (FGID).
At the same time, the information retrieval module of the cloud storage system sorts the results returned by the retrieval in S302 and sends the sorted results to the client.
S305. The client receives the search results and outputs them to the user. If the results contain the file global identifiers of encrypted data files that match the search content, there are matching results, and the user can obtain the required encrypted data file information from the results on the client.
In addition, based on the search results, the client can choose to download the encrypted data files corresponding to the file global identifiers listed in the results.
If the encrypted data file was originally encrypted on the client, the cloud storage system sends the encrypted data file directly to the user's client, which decrypts it. If the encrypted data file was originally encrypted on the cloud storage system server, the cloud storage system decrypts the encrypted data file and then sends it to the client.
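The inverted-index matrix and its block-wise parallel search described for S302 can be sketched as below. This is an added example, not the patent's algorithm: the page gives no detail on the "vertical partitioning, horizontal shifting and block clustering" step, so the sketch assumes one possible reading, grouping keywords that share files into blocks that store only their own rows and columns. The FGID placeholders, keyword counts and function names are constructed for illustration.

```python
from collections import defaultdict
from concurrent.futures import ThreadPoolExecutor

# Constructed content metadata: placeholder FGID -> keyword occurrence counts.
CONTENT_METADATA = {
    "fgid-01": {"invoice": 3, "tax": 1},
    "fgid-02": {"tax": 2, "audit": 1},
    "fgid-03": {"genome": 4, "sequence": 2},
    "fgid-04": {"sequence": 1},
    "fgid-05": {"firmware": 5},
}


def build_inverted_index(metadata):
    """Sparse keyword x FGID matrix: index[keyword][fgid] = occurrence count."""
    index = defaultdict(dict)
    for fgid, counts in metadata.items():
        for keyword, n in counts.items():
            index[keyword][fgid] = n
    return dict(index)


def partition_blocks(index):
    """Assumed clustering: keywords that share a file land in the same block."""
    parent = {kw: kw for kw in index}

    def find(kw):  # union-find root lookup with path halving
        while parent[kw] != kw:
            parent[kw] = parent[parent[kw]]
            kw = parent[kw]
        return kw

    first_keyword = {}  # fgid -> first keyword seen for that file
    for kw, postings in index.items():
        for fgid in postings:
            if fgid in first_keyword:
                parent[find(kw)] = find(first_keyword[fgid])
            else:
                first_keyword[fgid] = kw
    groups = defaultdict(list)
    for kw in index:
        groups[find(kw)].append(kw)
    blocks = []
    for keywords in groups.values():
        rows = sorted(keywords)
        cols = sorted({fgid for kw in rows for fgid in index[kw]})
        matrix = [[index[kw].get(fgid, 0) for fgid in cols] for kw in rows]
        blocks.append({"rows": rows, "cols": cols, "matrix": matrix})
    return blocks


def stored_cells(blocks):
    """Cells kept after partitioning, to compare with the full matrix size."""
    return sum(len(b["rows"]) * len(b["cols"]) for b in blocks)


def search_block(block, keywords):
    """One processing unit: sum the counts of the query keywords per FGID."""
    scores = defaultdict(int)
    for kw in keywords:
        if kw in block["rows"]:
            row = block["matrix"][block["rows"].index(kw)]
            for fgid, n in zip(block["cols"], row):
                if n:
                    scores[fgid] += n
    return dict(scores)


def search(blocks, keywords, workers=4):
    """Fan the query out to all blocks in parallel, merge, rank by score."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        partials = list(pool.map(lambda b: search_block(b, keywords), blocks))
    merged = defaultdict(int)
    for partial in partials:
        for fgid, score in partial.items():
            merged[fgid] += score
    return sorted(merged.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    blocks = partition_blocks(build_inverted_index(CONTENT_METADATA))
    print(stored_cells(blocks), search(blocks, ["tax", "audit"]))
```

The search returns ranked FGIDs only, so the encrypted files themselves are never read or decrypted during retrieval, matching S302 to S304.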
Although the present invention has been described in detail through the preferred embodiments above, the description should not be regarded as limiting the invention. Various modifications and alternatives will be apparent to those skilled in the art after reading the above. The scope of protection of the present invention is therefore defined by the appended claims.
Claims (10)
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201610025930.1A CN105678189B (en) | 2016-01-15 | 2016-01-15 | Data file encryption storage and retrieval system and method |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN105678189A CN105678189A (en) | 2016-06-15 |
| CN105678189B (en) | 2018-10-23 |
Family
ID=56300884
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201610025930.1A Expired - Fee Related CN105678189B (en) | 2016-01-15 | 2016-01-15 | Data file encryption storage and retrieval system and method |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN105678189B (en) |
Families Citing this family (32)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN106131013A (en) * | 2016-07-06 | 2016-11-16 | 杨炳 | A kind of protecting data encryption system |
| CN106302472B (en) * | 2016-08-09 | 2019-12-24 | 厦门乐享新网络科技有限公司 | Information hiding method and device |
| CN106302449B (en) * | 2016-08-15 | 2019-10-11 | 中国科学院信息工程研究所 | An open cloud service method and system for ciphertext storage and ciphertext retrieval |
| DE112017003740T5 (en) * | 2016-08-24 | 2019-05-09 | Robert Bosch Gmbh | Searchable-symmetric-encryption system and method for processing an inverted index |
| CN108268558B (en) * | 2017-01-03 | 2020-12-04 | 中移(苏州)软件技术有限公司 | A method and apparatus for data analysis |
| CN106649880B (en) * | 2017-01-09 | 2021-02-02 | 北京国电通网络技术有限公司 | Power statistics management system and method |
| CN107291851B (en) * | 2017-06-06 | 2020-11-06 | 南京搜文信息技术有限公司 | Ciphertext index construction method based on attribute encryption and query method thereof |
| GB201710013D0 (en) * | 2017-06-22 | 2017-08-09 | Scentrics Information Security Tech Ltd | Control Access to data |
| CN107704768A (en) * | 2017-09-14 | 2018-02-16 | 上海海事大学 | A kind of multiple key classification safety search method of ciphertext |
| US10713238B2 (en) * | 2017-11-14 | 2020-07-14 | Snowflake Inc. | Database metadata in immutable storage |
| CN108984627A (en) * | 2018-06-20 | 2018-12-11 | 顺丰科技有限公司 | Elasticsearch-based search method, system, device and storage medium for encrypted documents |
| CN108897859A (en) * | 2018-06-29 | 2018-11-27 | 郑州云海信息技术有限公司 | A kind of metadata retrieval method, apparatus, equipment and computer readable storage medium |
| CN109284290B (en) * | 2018-09-20 | 2022-04-26 | 佛山科学技术学院 | Data reading method based on distributed storage space |
| CN109542895B (en) * | 2018-10-25 | 2019-12-06 | 北京开普云信息科技有限公司 | resource management method and system based on metadata custom expansion |
| CN110929302B (en) * | 2019-10-31 | 2022-08-26 | 东南大学 | Data security encryption storage method and storage device |
| US11537727B2 (en) | 2020-05-08 | 2022-12-27 | Bold Limited | Systems and methods for creating enhanced documents for perfect automated parsing |
| CA3149615C (en) * | 2020-05-08 | 2023-11-28 | Bold Limited | Systems and methods for creating enhanced documents for perfect automated parsing |
| US11436377B2 (en) * | 2020-06-26 | 2022-09-06 | Ncr Corporation | Secure workload image distribution and management |
| CN112052219A (en) * | 2020-08-05 | 2020-12-08 | 中国建设银行股份有限公司 | File storage and retrieval method and device, electronic equipment and readable storage medium |
| CN112702379A (en) * | 2020-08-20 | 2021-04-23 | 纬领(青岛)网络安全研究院有限公司 | Full-secret search research for big data security |
| CN112233666A (en) * | 2020-10-22 | 2021-01-15 | 中国科学院信息工程研究所 | A method and system for storing and retrieving Chinese speech ciphertext in a cloud storage environment |
| CN112417473A (en) * | 2020-11-20 | 2021-02-26 | 季速漫 | Big data security management system |
| CN112733180A (en) * | 2021-04-06 | 2021-04-30 | 北京神州泰岳智能数据技术有限公司 | Data query method and device and electronic equipment |
| CN113434877B (en) * | 2021-06-23 | 2024-07-05 | 平安国际智慧城市科技股份有限公司 | Encryption and decryption methods, devices, equipment and storage medium for user input data |
| CN113254982B (en) * | 2021-07-13 | 2021-10-01 | 深圳市洞见智慧科技有限公司 | An anonymous tracking query method and system supporting keyword query |
| CN113642026A (en) * | 2021-08-31 | 2021-11-12 | 立信(重庆)数据科技股份有限公司 | Method and device for inquiring event processing data on block chain |
| CN114461574A (en) * | 2022-01-11 | 2022-05-10 | 广州龙建达电子股份有限公司 | High compatibility archive data storage method, system, device and storage medium |
| CN114840487B (en) * | 2022-03-25 | 2025-06-06 | 阿里巴巴(中国)有限公司 | Metadata management method and device for distributed file system |
| BR102022011624A2 (en) | 2022-06-13 | 2023-12-26 | Samsung Eletrônica da Amazônia Ltda. | METHODS FOR MANAGING FILE SYSTEM ELEMENTS AND FOR CONFIGURING USER ACCESS TO A NON-TRAINER COMPUTER READABLE STORAGE SYSTEM, SYSTEM, AND STORAGE MEDIUM |
| CN118227575A (en) * | 2024-03-14 | 2024-06-21 | 浪潮云信息技术股份公司 | File storage system and method based on national encryption and adapting to multi-source storage |
| CN119249462A (en) * | 2024-12-04 | 2025-01-03 | 浙江蚂蚁密算科技有限公司 | A method, device and storage medium for judging tampering of ciphertext data |
| CN121193671A (en) * | 2025-11-25 | 2025-12-23 | 上海芯力基半导体有限公司 | Port-driven communication method and system suitable for PCIe network architecture |
Citations (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101770462A (en) * | 2008-12-30 | 2010-07-07 | 日电(中国)有限公司 | Device for ciphertext index and search and method thereof |
| CN102024054A (en) * | 2010-12-10 | 2011-04-20 | 中国科学院软件研究所 | Ciphertext cloud-storage oriented document retrieval method and system |
| CN103442057A (en) * | 2013-08-27 | 2013-12-11 | 玉林师范学院 | Cloud storage system based on user collaboration cloud |
Family Cites Families (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US9678967B2 (en) * | 2003-05-22 | 2017-06-13 | Callahan Cellular L.L.C. | Information source agent systems and methods for distributed data storage and management using content signatures |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| | C06 | Publication | |
| | PB01 | Publication | |
| | C10 | Entry into substantive examination | |
| | SE01 | Entry into force of request for substantive examination | |
| | GR01 | Patent grant | |
| | CF01 | Termination of patent right due to non-payment of annual fee | Granted publication date: 20181023 |