[go: up one dir, main page]
More Web Proxy on the site http://driver.im/

CN108171078A - A kind of data security method and device towards third-party cloud platform evaluation system - Google Patents

A kind of data security method and device towards third-party cloud platform evaluation system Download PDF

Info

Publication number
CN108171078A
CN108171078A CN201711441199.1A CN201711441199A CN108171078A CN 108171078 A CN108171078 A CN 108171078A CN 201711441199 A CN201711441199 A CN 201711441199A CN 108171078 A CN108171078 A CN 108171078A
Authority
CN
China
Prior art keywords
log
instance
instances
generate
proof
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201711441199.1A
Other languages
Chinese (zh)
Other versions
CN108171078B (en
Inventor
梁露露
凌晨
杨天识
刘彦钊
姚轶崭
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
China Information Technology Security Evaluation Center
Original Assignee
China Information Technology Security Evaluation Center
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by China Information Technology Security Evaluation Center filed Critical China Information Technology Security Evaluation Center
Priority to CN201711441199.1A priority Critical patent/CN108171078B/en
Publication of CN108171078A publication Critical patent/CN108171078A/en
Application granted granted Critical
Publication of CN108171078B publication Critical patent/CN108171078B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/62Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/602Providing cryptographic facilities or services

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Computer Hardware Design (AREA)
  • Health & Medical Sciences (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Databases & Information Systems (AREA)
  • Storage Device Security (AREA)

Abstract

本申请公开了一种面向第三方的云平台测评系统的数据保全方法和装置。该方法对云服务平台提供的日志数据和日志证明信息进行加密处理,并以日志链的形式对日志数据进行存储。当第三方评测系统使用采集到的日志数据对一个云服务平台进行评测时,首先需要对日志数据进行日志证明信息的验证和日志链序列验证,防止日志数据在使用过程中遭到非法篡改,从而保证了对日志文件的原始性和完整性进行校验,同时采用加密的手段保护了用户隐私。

The present application discloses a data preservation method and device for a third-party cloud platform evaluation system. The method encrypts the log data and log certification information provided by the cloud service platform, and stores the log data in the form of a log chain. When a third-party evaluation system uses the collected log data to evaluate a cloud service platform, it first needs to verify the log certification information and log chain sequence verification of the log data to prevent the log data from being illegally tampered with during use, thereby The originality and integrity of the log files are guaranteed to be verified, and the privacy of users is protected by means of encryption.

Description

一种面向第三方的云平台测评系统的数据保全方法和装置A data preservation method and device for a third-party cloud platform evaluation system

技术领域technical field

本申请涉及云服务领域,更具体地说,涉及一种面向第三方的云平台测评系统的数据保全方法和装置。The present application relates to the field of cloud services, and more specifically, relates to a data preservation method and device for a third-party cloud platform evaluation system.

背景技术Background technique

云服务的快速发展为用户提供了极大便利,但同时也带来了一些安全性问题。虚拟化终端使用过程中,由于账户成为了控制资源是否允许使用的唯一控制方式,如果云平台安全和管理措施不当,会造成非授权使用、非法访问及数据泄露等安全隐患。对用户而言,通过第三方评测体系对云平台进行实时审计和评价是获知云服务商基础设施和云系统可信性的有效途径。但是在收集日志数据的过程中,同样会面临非法截获、篡改等安全隐患。另外,云服务提供商需要考虑用户的隐私保护,通常无法直接提供带有用户信息的数据。The rapid development of cloud services provides users with great convenience, but it also brings some security problems. During the use of virtualized terminals, because the account becomes the only control method to control whether resources are allowed to be used, if the security and management measures of the cloud platform are not appropriate, it will cause security risks such as unauthorized use, illegal access, and data leakage. For users, real-time auditing and evaluation of the cloud platform through a third-party evaluation system is an effective way to know the credibility of the cloud service provider's infrastructure and cloud system. However, in the process of collecting log data, there will also be security risks such as illegal interception and tampering. In addition, cloud service providers need to consider the privacy protection of users, and usually cannot directly provide data with user information.

发明内容Contents of the invention

有鉴于此,本申请提供一种面向第三方的云平台测评系统的数据保全方法和装置,既能保证第三方评测系统对日志文件的原始性和完整性进行校验,同时又从云服务提供商的角度保护了用户隐私。In view of this, this application provides a data preservation method and device for a third-party cloud platform evaluation system, which can not only ensure that the third-party evaluation system can verify the originality and integrity of log files, but also provide data from cloud services. From the perspective of merchants, user privacy is protected.

为了实现上述目的,现提出的方案如下:In order to achieve the above purpose, the proposed scheme is as follows:

一种面向云平台第三方测评系统的数据保全方法,所述方法面向第三方测评系统,包括:A data preservation method for a cloud platform third-party evaluation system, the method for a third-party evaluation system, comprising:

获取云平台的日志数据,并对所述日志数据进行解析以生成多个第一日志实例;Obtain log data of the cloud platform, and analyze the log data to generate multiple first log instances;

对所述多个第一日志实例进行加密,生成多个第二日志实例;Encrypting the multiple first log instances to generate multiple second log instances;

根据日志实例的最后一次修改时间,按照先后顺序对所述多个第二日志实例进行排列,生成日志链;According to the last modification time of the log instance, arrange the plurality of second log instances in sequence to generate a log chain;

获取云平台提供的所述第二日志实例的日志证明信息,生成日志证明信息实例;Obtaining the log certification information of the second log instance provided by the cloud platform, and generating a log certification information instance;

检索每一个虚拟IP的第二日志实例以及所述第二日志实例对应的日志证明实例;Retrieving a second log instance of each virtual IP and a log proof instance corresponding to the second log instance;

对所述第二日志实例以及所述第二日志实例对应的日志证明实例进行加密,生成包含有证明信息的第三日志实例。Encrypting the second log instance and the log proof instance corresponding to the second log instance to generate a third log instance including proof information.

优选的,所述对所述多个第一日志实例进行加密,生成多个第二日志实例,包括:Preferably, said encrypting said multiple first log instances to generate multiple second log instances includes:

采用第三方测评系统的公钥对所述多个第一日志实例进行加密,生成多个第二日志实例。The multiple first log instances are encrypted by using the public key of the third-party evaluation system to generate multiple second log instances.

优选的,所述对所述第二日志实例以及所述第二日志实例对应的日志证明实例进行加密,生成包含有证明信息的第三日志实例,包括:Preferably, the encrypting the second log instance and the log proof instance corresponding to the second log instance to generate a third log instance containing proof information includes:

采用云平台的私钥对所述第二日志实例以及所述第二日志实例对应的日志证明实例进行加密,生成包含有证明信息的第三日志实例。Encrypting the second log instance and the log proof instance corresponding to the second log instance by using the private key of the cloud platform to generate a third log instance including the proof information.

优选的,还包括:将所述第二日志实例和所述日志链存储至第三方测评系统的日志数据库。Preferably, the method further includes: storing the second log instance and the log chain in a log database of a third-party evaluation system.

优选的,还包括:将所述第三日志实例存储至所述第三方测评系统的日志证明数据库。Preferably, the method further includes: storing the third log instance in the log certification database of the third-party evaluation system.

一种面向云平台第三方测评系统的数据保全装置,所述装置面向第三方测评系统,包括:A data security device for a third-party evaluation system on a cloud platform, the device is oriented to a third-party evaluation system, comprising:

第一数据采集单元,用于获取云平台的日志数据,并对所述日志数据进行解析以生成多个第一日志实例;The first data acquisition unit is configured to acquire log data of the cloud platform, and analyze the log data to generate a plurality of first log instances;

第一加密单元,用于对所述多个第一日志实例进行加密,生成多个第二日志实例;a first encryption unit, configured to encrypt the multiple first log instances to generate multiple second log instances;

日志链生成单元,用于根据日志实例的最后一次修改时间,按照先后顺序对所述多个第二日志实例进行排列,生成日志链;A log chain generation unit, configured to arrange the plurality of second log instances in order according to the last modification time of the log instance, to generate a log chain;

第二数据采集单元,用于获取云平台提供的所述第二日志实例的日志证明信息,生成日志证明信息实例;The second data acquisition unit is configured to acquire log certification information of the second log instance provided by the cloud platform, and generate a log certification information instance;

检索单元,用于检索每一个虚拟IP的第二日志实例以及所述第二日志实例对应的日志证明实例;A retrieval unit, configured to retrieve a second log instance of each virtual IP and a log proof instance corresponding to the second log instance;

第二加密单元,用于对所述第二日志实例以及所述第二日志实例对应的日志证明实例进行加密,生成包含有证明信息的第三日志实例。The second encryption unit is configured to encrypt the second log instance and the log proof instance corresponding to the second log instance, to generate a third log instance containing proof information.

优选的,所述第一加密单元采用第三方测评系统的公钥对所述多个第一日志实例进行加密,生成多个第二日志实例。Preferably, the first encryption unit encrypts the multiple first log instances by using the public key of the third-party evaluation system to generate multiple second log instances.

优选的,所述第二加密单元采用云平台的私钥对所述第二日志实例以及所述第二日志实例对应的日志证明实例进行加密,生成包含有证明信息的第三日志实例。Preferably, the second encryption unit encrypts the second log instance and the log certification instance corresponding to the second log instance by using the private key of the cloud platform to generate a third log instance containing certification information.

优选的:所述日志链生成单元还用于将所述第二日志实例和所述日志链存储至第三方测评系统的日志数据库。Preferably: the log chain generating unit is further configured to store the second log instance and the log chain in a log database of a third-party evaluation system.

优选的,所述第二加密单元还用于将所述第三日志实例存储至所述第三方测评系统的日志证明数据库。Preferably, the second encryption unit is further configured to store the third log instance in the log certification database of the third-party evaluation system.

经由上述技术方案可知,本申请公开了一种面向第三方的云平台测评系统的数据保全方法和装置。该方法对云服务平台提供的日志数据和日志证明信息进行加密处理,并以日志链的形式对日志数据进行存储。当第三方评测系统使用采集到的日志数据对一个云服务平台进行评测时,首先需要对日志数据进行日志证明信息的验证和日志链序列验证,防止日志数据在使用过程中遭到非法篡改,从而保证了对日志文件的原始性和完整性进行校验,同时采用加密的手段保护了用户隐私。It can be seen from the above technical solutions that the present application discloses a data preservation method and device for a third-party cloud platform evaluation system. The method encrypts the log data and log certification information provided by the cloud service platform, and stores the log data in the form of a log chain. When a third-party evaluation system uses the collected log data to evaluate a cloud service platform, it first needs to verify the log certification information and log chain sequence verification of the log data to prevent the log data from being illegally tampered with during use, thereby The originality and integrity of the log files are verified, and the privacy of users is protected by means of encryption.

附图说明Description of drawings

为了更清楚地说明本发明实施例或现有技术中的技术方案,下面将对实施例或现有技术描述中所需要使用的附图作简单地介绍,显而易见地,下面描述中的附图仅仅是本发明的实施例,对于本领域普通技术人员来讲,在不付出创造性劳动的前提下,还可以根据提供的附图获得其他的附图。In order to more clearly illustrate the technical solutions in the embodiments of the present invention or the prior art, the following will briefly introduce the drawings that need to be used in the description of the embodiments or the prior art. Obviously, the accompanying drawings in the following description are only It is an embodiment of the present invention, and those skilled in the art can also obtain other drawings according to the provided drawings without creative work.

图1示出了本发明一个实施例公开的一一种面向第三方的云平台测评系统的数据保全方法流程示意图;Fig. 1 shows a schematic flow diagram of a data preservation method for a third-party cloud platform evaluation system disclosed by an embodiment of the present invention;

图2是证明信息验证流程;Figure 2 is the certification information verification process;

图3是日志链序列验证流程;Figure 3 is the log chain sequence verification process;

图4示出了本发明另一个实施例公开的一种面向第三方的云平台测评系统的数据保全装置的结构示意图。Fig. 4 shows a schematic structural diagram of a third-party-oriented cloud platform evaluation system data protection device disclosed in another embodiment of the present invention.

具体实施方式Detailed ways

下面将结合本发明实施例中的附图,对本发明实施例中的技术方案进行清楚、完整地描述,显然,所描述的实施例仅是本发明一部分实施例,而不是全部的实施例。基于本发明中的实施例,本领域普通技术人员在没有做出创造性劳动前提下所获得的所有其他实施例,都属于本发明保护的范围。The following will clearly and completely describe the technical solutions in the embodiments of the present invention with reference to the accompanying drawings in the embodiments of the present invention. Obviously, the described embodiments are only some of the embodiments of the present invention, not all of them. Based on the embodiments of the present invention, all other embodiments obtained by persons of ordinary skill in the art without making creative efforts belong to the protection scope of the present invention.

参见图1示出了本发明一个实施例公开的一种面向云平台第三方测评系统的数据保全方法的流程示意图。Referring to FIG. 1 , a schematic flowchart of a data preservation method for a third-party evaluation system on a cloud platform disclosed by an embodiment of the present invention is shown.

在本实施例中,该方法包括:In this embodiment, the method includes:

S101:获取云平台的日志数据,并对所述日志数据进行解析以生成多个第一日志实例。S101: Obtain log data of the cloud platform, and parse the log data to generate multiple first log instances.

首先与云平台建立通信,以收集不同类型的日志数据(包括网络日志、进程日志、操作系统日志),并对日志数据进行解析以生成第一日志实例,下面以网络日志进行说明。First establish communication with the cloud platform to collect different types of log data (including network logs, process logs, and operating system logs), and analyze the log data to generate a first log instance. The following uses network logs to illustrate.

一个网络日志实例定义如下:A weblog instance is defined as follows:

LE=<FromIP,ToIP,TL,Port,UserID,Content>LE=<FromIP,ToIP,TL,Port,UserID,Content>

其中,FromIP是源IP,ToIP是目的IP,TL是网络操作的UTC时间,Port为端口号,UserID为云平台用户的ID,Content为操作记录的其它内容。Among them, FromIP is the source IP, ToIP is the destination IP, TL is the UTC time of the network operation, Port is the port number, UserID is the ID of the cloud platform user, and Content is other content recorded in the operation.

S102:对所述多个第一日志实例进行加密,生成多个第二日志实例。S102: Encrypt the multiple first log instances to generate multiple second log instances.

为了保护数据安全,使用第三方评测系统的公钥PKA来对日志实例中的数据信息进行加密,生成加密之后的第二日志实例(Encrypted Log Entry,ELE),表示如下:In order to protect data security, the public key PKA of the third-party evaluation system is used to encrypt the data information in the log instance to generate the encrypted second log instance (Encrypted Log Entry, ELE), which is expressed as follows:

ELE=<EPKA(ToIP,Port,UserID,FromIP,TL,Content)>ELE=<EPKA(ToIP,Port,UserID,FromIP,TL,Content)>

S103:根据日志实例的最后一次修改时间,按照先后顺序对所述多个第二日志实例进行排列,生成日志链。S103: According to the last modification time of the log instance, arrange the plurality of second log instances in sequence to generate a log chain.

ELE产生之后,根据文件的最后一次修改时间(包含在文件的时间戳信息中),按照先后顺序将其排列为日志链(Log chain,LC),如果有非法篡改会造成日志链重排。日志链表示如下:After the ELE is generated, according to the last modification time of the file (included in the timestamp information of the file), it is arranged into a log chain (Log chain, LC) in sequence, and if there is illegal tampering, the log chain will be rearranged. The log chain is represented as follows:

LC=<ELE,LCprev>LC=<ELE,LCprev>

LCprev是当前日志实例的先序日志实例。LCprev is the preorder log instance of the current log instance.

进而,将第二日志实例和日志链存储至日志数据库,表示为DBLE,由ELE和LC组成:Furthermore, the second log instance and log chain are stored in the log database, expressed as DBLE, composed of ELE and LC:

DBLE=<ELE,LC>DBLE=<ELE,LC>

S104:获取云平台提供的所述第二日志实例的日志证明信息,生成日志证明信息实例。S104: Obtain log certification information of the second log instance provided by the cloud platform, and generate a log certification information instance.

获取云服务商提供的日志证明信息并生成日志证明信息实例,包括原始日志文件的校验值、各类时间戳信息,表示为pro:Obtain the log certification information provided by the cloud service provider and generate a log certification information instance, including the verification value of the original log file and various timestamp information, expressed as pro:

Pro=<H(LE),time-stamp 1,time-stamp 2,...>Pro=<H(LE),time-stamp 1,time-stamp 2,...>

将更新的日志证明实例发送到日志证明数据库进行存储。Send the updated log proof instance to the log proof database for storage.

S105:检索每一个虚拟IP的第二日志实例以及所述第二日志实例对应的日志证明实例。S105: Retrieve a second log instance of each virtual IP and a log proof instance corresponding to the second log instance.

在预设时间对日志数据库和日志证明数据库进行检索,获取每一个虚拟IP的第二日志实例以及第二日志实例对应的日志证明信息,表示为AED:Retrieve the log database and the log proof database at the preset time, obtain the second log instance of each virtual IP and the log proof information corresponding to the second log instance, expressed as AED:

AED=<ELE,Pro>AED=<ELE,Pro>

S106:对所述第二日志实例以及所述第二日志实例对应的日志证明实例进行加密,生成包含有证明信息的第三日志实例。S106: Encrypt the second log instance and the log proof instance corresponding to the second log instance, to generate a third log instance including proof information.

采用云平台的私钥对所述第二日志实例以及所述第二日志实例对应的日志证明实例进行加密,生成包含有证明信息的第三日志实例,表示如下:The private key of the cloud platform is used to encrypt the second log instance and the log proof instance corresponding to the second log instance, and generate a third log instance containing proof information, which is expressed as follows:

LogPro=<AED,Tp,SigSKC(AED,Tp)>LogPro=<AED,Tp,SigSKC(AED,Tp)>

Tp代表该文件的生成时间,SigSKC(AED,Tp)是使用云服务商的私钥SKC对(AED,TP)进行加密产生的数字签名。Tp represents the generation time of the file, and SigSKC(AED,Tp) is a digital signature generated by encrypting (AED,TP) with the private key SKC of the cloud service provider.

当第三方评测系统使用采集到的日志数据对一个云服务平台进行评测时,首先对日志数据进行证明信息的验证和日志链序列验证。图2是证明信息验证流程,先分别使用云平台公钥和第三方测评系统私钥将第三日志实例和第三日志实例对应的日志证明实例进行解密,如果能成功解密则再用解密的日志证明实例对第三日志实例进行验证,如果验证通过再进行日志链序列的验证,以验证日志文件的完整性。图3是日志链序列验证流程,假设有一个日志链:(ELE0,LC0)(ELE1,LC1)….When the third-party evaluation system uses the collected log data to evaluate a cloud service platform, the verification of the proof information and the sequence of the log chain are first performed on the log data. Figure 2 is the proof information verification process. First, use the public key of the cloud platform and the private key of the third-party evaluation system to decrypt the third log instance and the log proof instance corresponding to the third log instance. If the decryption is successful, then use the decrypted log The proof instance verifies the third log instance, and if the verification is passed, then the verification of the log chain sequence is performed to verify the integrity of the log file. Figure 3 is the log chain sequence verification process, assuming there is a log chain: (ELE0, LC0) (ELE1, LC1)….

因为LC1是第二个日志实例的先序,也就是(ELE0,LC0),所以如果日志链经过了非法篡改,序列会发生变化(因为是按照最后一次修改时间戳排列的),如果(ELE0,LC0)和LC1相同说明没有被非法篡改。该验证方法能够验证日志文件的原始性,防止使用过程中存在非法篡改。Because LC1 is the sequence of the second log instance, that is (ELE0, LC0), if the log chain has been illegally tampered with, the sequence will change (because it is arranged according to the last modification timestamp), if (ELE0, LC0) is the same as LC1, indicating that it has not been illegally tampered with. This verification method can verify the originality of log files and prevent illegal tampering during use.

与现有技术相比,本发明由云服务商提供日志证明信息,并使用云服务商的私钥生成数字签名,保护云平台用户隐私;日志文件以日志链的形式存储,通过序列验证防止使用过程中遭到非法篡改。Compared with the prior art, the present invention provides log certification information by the cloud service provider, and uses the private key of the cloud service provider to generate a digital signature to protect the privacy of the cloud platform user; log files are stored in the form of log chains, and are prevented from being used through sequence verification Illegally tampered with in the process.

参见图4示出了本发明另一个实施例公开的一种面向第三方的云平台测评系统的数据保全装置的结构示意图。Referring to FIG. 4 , it shows a schematic structural diagram of a third-party-oriented cloud platform evaluation system data protection device disclosed in another embodiment of the present invention.

由图4可知,该装置包括:第一数据采集单元1、第一加密单元2、日志链生成单元3、第二数据采集单元4、检索单元5、第二加密单元6。As can be seen from FIG. 4 , the device includes: a first data collection unit 1 , a first encryption unit 2 , a log chain generation unit 3 , a second data collection unit 4 , a retrieval unit 5 , and a second encryption unit 6 .

第一数据采集单元1用于获取云平台的日志数据,并对所述日志数据进行解析以生成多个第一日志实例。The first data acquisition unit 1 is configured to acquire log data of the cloud platform, and analyze the log data to generate multiple first log instances.

对于网络实例而言,该网络实例可表示为For a network instance, the network instance can be expressed as

LE=<FromIP,ToIP,TL,Port,UserID,Content>LE=<FromIP,ToIP,TL,Port,UserID,Content>

其中,FromIP是源IP,ToIP是目的IP,TL是网络操作的UTC时间,Port为端口号,UserID为云平台用户的ID,Content为操作记录的其它内容。Among them, FromIP is the source IP, ToIP is the destination IP, TL is the UTC time of the network operation, Port is the port number, UserID is the ID of the cloud platform user, and Content is other content recorded in the operation.

进而,第一加密单元2采用第三方评测系统的公钥PKA来对第一日志实例中的数据信息进行加密,生成加密之后的第二日志实例(EncryptedLog Entry,ELE),表示如下:Furthermore, the first encryption unit 2 uses the public key PKA of the third-party evaluation system to encrypt the data information in the first log instance to generate an encrypted second log instance (EncryptedLog Entry, ELE), which is expressed as follows:

ELE=<EPKA(ToIP,Port,UserID,FromIP,TL,Content)>ELE=<EPKA(ToIP,Port,UserID,FromIP,TL,Content)>

日志链生成单元3用于根据日志实例的最后一次修改时间,按照先后顺序对第二日志实例进行排列,生成日志链。其中,该日志链表示如下:The log chain generation unit 3 is configured to arrange the second log instances in sequence according to the last modification time of the log instances to generate a log chain. Among them, the log chain is expressed as follows:

LC=<ELE,LCprev>LC=<ELE,LCprev>

LCprev是当前日志实例的先序日志实例。LCprev is the preorder log instance of the current log instance.

进而,将第二日志实例和日志链存储至日志数据库,表示为DBLE,由ELE和LC组成。Furthermore, the second log instance and log chain are stored in the log database, denoted as DBLE, composed of ELE and LC.

第二数据采集单元4用于获取云平台提供的所述第二日志实例的日志证明信息,生成日志证明信息实例,进而将更新的日志证明信息实例存储在第三方测评系统的日志证明数据库中。The second data acquisition unit 4 is used to obtain the log certification information of the second log instance provided by the cloud platform, generate a log certification information instance, and store the updated log certification information instance in the log certification database of the third-party evaluation system.

在每天固定的时间点,检索单元5在日志数据库和日志证明数据库中检索每一个虚拟IP的第二日志实例以及所述第二日志实例对应的日志证明实例,表示为AED:At a fixed time point every day, the retrieval unit 5 retrieves the second log instance of each virtual IP in the log database and the log proof database and the log proof instance corresponding to the second log instance, expressed as AED:

AED=<ELE,Pro>AED=<ELE,Pro>

其中,ELE为第二日志实例,Pro为第二日志实例对应的日志证明信。Wherein, ELE is the second log instance, and Pro is the log certification letter corresponding to the second log instance.

第二加密单元6对采用云平台的私钥所述第二日志实例以及所述第二日志实例对应的日志证明实例进行加密,生成包含有证明信息的第三日志实例,并将第三日志实例发送至第三方测评系统的日志证明数据库中存储,其中第三日志实例表示如下:The second encryption unit 6 encrypts the second log instance using the private key of the cloud platform and the log proof instance corresponding to the second log instance, generates a third log instance that includes proof information, and converts the third log instance The logs sent to the third-party evaluation system prove to be stored in the database, and the third log instance is expressed as follows:

LogPro=<AED,Tp,SigSKC(AED,Tp)>LogPro=<AED,Tp,SigSKC(AED,Tp)>

Tp代表该文件的生成时间,SigSKC(AED,Tp)是使用云服务商的私钥SKC对(AED,TP)进行加密产生的数字签名。Tp represents the generation time of the file, and SigSKC(AED,Tp) is a digital signature generated by encrypting (AED,TP) with the private key SKC of the cloud service provider.

需要说明的是该系统实施例与方法实施例相对应,其执行过程和执行原理相同,在此不作赘述。It should be noted that the system embodiment corresponds to the method embodiment, and its execution process and execution principle are the same, which will not be repeated here.

最后,还需要说明的是,在本文中,诸如第一和第二等之类的关系术语仅仅用来将一个实体或者操作与另一个实体或操作区分开来,而不一定要求或者暗示这些实体或操作之间存在任何这种实际的关系或者顺序。而且,术语“包括”、“包含”或者其任何其他变体意在涵盖非排他性的包含,从而使得包括一系列要素的过程、方法、物品或者设备不仅包括那些要素,而且还包括没有明确列出的其他要素,或者是还包括为这种过程、方法、物品或者设备所固有的要素。在没有更多限制的情况下,由语句“包括一个……”限定的要素,并不排除在包括所述要素的过程、方法、物品或者设备中还存在另外的相同要素。Finally, it should also be noted that in this text, relational terms such as first and second etc. are only used to distinguish one entity or operation from another, and do not necessarily require or imply that these entities or operations, any such actual relationship or order exists. Furthermore, the term "comprises", "comprises" or any other variation thereof is intended to cover a non-exclusive inclusion such that a process, method, article or apparatus comprising a set of elements includes not only those elements, but also includes elements not expressly listed. other elements of or also include elements inherent in such a process, method, article, or apparatus. Without further limitations, an element defined by the phrase "comprising a ..." does not exclude the presence of additional identical elements in the process, method, article or apparatus comprising said element.

本说明书中各个实施例采用递进的方式描述,每个实施例重点说明的都是与其他实施例的不同之处,各个实施例之间相同相似部分互相参见即可。Each embodiment in this specification is described in a progressive manner, each embodiment focuses on the difference from other embodiments, and the same and similar parts of each embodiment can be referred to each other.

对所公开的实施例的上述说明,使本领域专业技术人员能够实现或使用本发明。对这些实施例的多种修改对本领域的专业技术人员来说将是显而易见的,本文中所定义的一般原理可以在不脱离本发明的精神或范围的情况下,在其它实施例中实现。因此,本发明将不会被限制于本文所示的这些实施例,而是要符合与本文所公开的原理和新颖特点相一致的最宽的范围。The above description of the disclosed embodiments is provided to enable any person skilled in the art to make or use the invention. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the general principles defined herein may be implemented in other embodiments without departing from the spirit or scope of the invention. Therefore, the present invention will not be limited to the embodiments shown herein, but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.

Claims (10)

1.一种面向云平台第三方测评系统的数据保全方法,其特征在于,包括:1. A data preservation method for a cloud platform third-party evaluation system, characterized in that it comprises: 获取云平台的日志数据,并对所述日志数据进行解析以生成多个第一日志实例;Obtain log data of the cloud platform, and analyze the log data to generate multiple first log instances; 对所述多个第一日志实例进行加密,生成多个第二日志实例;Encrypting the multiple first log instances to generate multiple second log instances; 根据日志实例的最后一次修改时间,按照先后顺序对所述多个第二日志实例进行排列,生成日志链;According to the last modification time of the log instance, arrange the plurality of second log instances in sequence to generate a log chain; 获取云平台提供的所述第二日志实例的日志证明信息,生成日志证明信息实例;Obtaining the log certification information of the second log instance provided by the cloud platform, and generating a log certification information instance; 检索每一个虚拟IP的第二日志实例以及所述第二日志实例对应的日志证明实例;Retrieving a second log instance of each virtual IP and a log proof instance corresponding to the second log instance; 对所述第二日志实例以及所述第二日志实例对应的日志证明实例进行加密,生成包含有证明信息的第三日志实例。Encrypting the second log instance and the log proof instance corresponding to the second log instance to generate a third log instance including proof information. 2.根据权利要求1所述的方法,其特征在于,所述对所述多个第一日志实例进行加密,生成多个第二日志实例,包括:2. The method according to claim 1, wherein said encrypting said multiple first log instances to generate multiple second log instances comprises: 采用第三方测评系统的公钥对所述多个第一日志实例进行加密,生成多个第二日志实例。The multiple first log instances are encrypted by using the public key of the third-party evaluation system to generate multiple second log instances. 3.根据权利要求1所述的方法,其特征在于,所述对所述第二日志实例以及所述第二日志实例对应的日志证明实例进行加密,生成包含有证明信息的第三日志实例,包括:3. The method according to claim 1, wherein the second log instance and the log proof instance corresponding to the second log instance are encrypted to generate a third log instance containing proof information, include: 采用云平台的私钥对所述第二日志实例以及所述第二日志实例对应的日志证明实例进行加密,生成包含有证明信息的第三日志实例。Encrypting the second log instance and the log proof instance corresponding to the second log instance by using the private key of the cloud platform to generate a third log instance including the proof information. 4.根据权利要求1所述的方法,其特征在于,还包括:将所述第二日志实例和所述日志链存储至第三方测评系统的日志数据库。4. The method according to claim 1, further comprising: storing the second log instance and the log chain in a log database of a third-party evaluation system. 5.根据权利要求1所述的方法,其特征在于,还包括:将所述第三日志实例存储至所述第三方测评系统的日志证明数据库。5. The method according to claim 1, further comprising: storing the third log instance in a log proof database of the third-party evaluation system. 6.一种面向云平台第三方测评系统的数据保全装置,所述装置面向第三方测评系统,其特征在于,包括:6. A data security device for a cloud platform third-party evaluation system, said device is oriented to a third-party evaluation system, characterized in that it includes: 第一数据采集单元,用于获取云平台的日志数据,并对所述日志数据进行解析以生成多个第一日志实例;The first data acquisition unit is configured to acquire log data of the cloud platform, and analyze the log data to generate a plurality of first log instances; 第一加密单元,用于对所述多个第一日志实例进行加密,生成多个第二日志实例;a first encryption unit, configured to encrypt the multiple first log instances to generate multiple second log instances; 日志链生成单元,用于根据日志实例的最后一次修改时间,按照先后顺序对所述多个第二日志实例进行排列,生成日志链;A log chain generation unit, configured to arrange the plurality of second log instances in order according to the last modification time of the log instance, to generate a log chain; 第二数据采集单元,用于获取云平台提供的所述第二日志实例的日志证明信息,生成日志证明信息实例;The second data acquisition unit is configured to acquire log certification information of the second log instance provided by the cloud platform, and generate a log certification information instance; 检索单元,用于检索每一个虚拟IP的第二日志实例以及所述第二日志实例对应的日志证明实例;A retrieval unit, configured to retrieve a second log instance of each virtual IP and a log proof instance corresponding to the second log instance; 第二加密单元,用于对所述第二日志实例以及所述第二日志实例对应的日志证明实例进行加密,生成包含有证明信息的第三日志实例。The second encryption unit is configured to encrypt the second log instance and the log proof instance corresponding to the second log instance, to generate a third log instance containing proof information. 7.根据权利要求6所述的装置,其特征在于,所述第一加密单元采用第三方测评系统的公钥对所述多个第一日志实例进行加密,生成多个第二日志实例。7. The device according to claim 6, wherein the first encryption unit encrypts the multiple first log instances using a public key of a third-party evaluation system to generate multiple second log instances. 8.根据权利要求6所述的装置,其特征在于,所述第二加密单元采用云平台的私钥对所述第二日志实例以及所述第二日志实例对应的日志证明实例进行加密,生成包含有证明信息的第三日志实例。8. The device according to claim 6, wherein the second encryption unit encrypts the second log instance and the log proof instance corresponding to the second log instance using a private key of the cloud platform to generate A third log instance containing proof information. 9.根据权利要求6所述的装置,其特征在于,所述日志链生成单元还用于将所述第二日志实例和所述日志链存储至第三方测评系统的日志数据库。9. The device according to claim 6, wherein the log chain generating unit is further configured to store the second log instance and the log chain in a log database of a third-party evaluation system. 10.根据权利要求6所述装置,其特征在于,所述第二加密单元还用于将所述第三日志实例存储至所述第三方测评系统的日志证明数据库。10. The device according to claim 6, wherein the second encryption unit is further configured to store the third log instance in a log certification database of the third-party evaluation system.
CN201711441199.1A 2017-12-27 2017-12-27 A data preservation method and device for a third-party cloud platform evaluation system Active CN108171078B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201711441199.1A CN108171078B (en) 2017-12-27 2017-12-27 A data preservation method and device for a third-party cloud platform evaluation system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201711441199.1A CN108171078B (en) 2017-12-27 2017-12-27 A data preservation method and device for a third-party cloud platform evaluation system

Publications (2)

Publication Number Publication Date
CN108171078A true CN108171078A (en) 2018-06-15
CN108171078B CN108171078B (en) 2021-08-31

Family

ID=62521695

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201711441199.1A Active CN108171078B (en) 2017-12-27 2017-12-27 A data preservation method and device for a third-party cloud platform evaluation system

Country Status (1)

Country Link
CN (1) CN108171078B (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109697605A (en) * 2019-01-11 2019-04-30 深圳讼融通网络科技有限公司 Generation method, system and the readable storage medium storing program for executing of property preservation data record
CN111444519A (en) * 2019-01-16 2020-07-24 西门子股份公司 Protect log data integrity

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6339828B1 (en) * 1997-05-28 2002-01-15 Symantec Corporation System for supporting secured log-in of multiple users into a plurality of computers using combined presentation of memorized password and transportable passport record
CN101039186A (en) * 2007-05-08 2007-09-19 中国科学院软件研究所 Method for auditing safely system log
US20110150221A1 (en) * 2009-12-18 2011-06-23 Kabushiki Kaisha Toshiba Account aggregation system, information processing apparatus and encryption key management method of the account aggregation system
CN107104804A (en) * 2017-05-10 2017-08-29 成都麟成科技有限公司 A kind of platform integrity verification method and device
CN107395355A (en) * 2017-06-12 2017-11-24 广东工业大学 A kind of cloud storage data integrity verification method based on implicit trusted third party

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6339828B1 (en) * 1997-05-28 2002-01-15 Symantec Corporation System for supporting secured log-in of multiple users into a plurality of computers using combined presentation of memorized password and transportable passport record
CN101039186A (en) * 2007-05-08 2007-09-19 中国科学院软件研究所 Method for auditing safely system log
US20110150221A1 (en) * 2009-12-18 2011-06-23 Kabushiki Kaisha Toshiba Account aggregation system, information processing apparatus and encryption key management method of the account aggregation system
CN107104804A (en) * 2017-05-10 2017-08-29 成都麟成科技有限公司 A kind of platform integrity verification method and device
CN107395355A (en) * 2017-06-12 2017-11-24 广东工业大学 A kind of cloud storage data integrity verification method based on implicit trusted third party

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109697605A (en) * 2019-01-11 2019-04-30 深圳讼融通网络科技有限公司 Generation method, system and the readable storage medium storing program for executing of property preservation data record
CN111444519A (en) * 2019-01-16 2020-07-24 西门子股份公司 Protect log data integrity
CN111444519B (en) * 2019-01-16 2023-08-22 西门子股份公司 Protecting the integrity of log data

Also Published As

Publication number Publication date
CN108171078B (en) 2021-08-31

Similar Documents

Publication Publication Date Title
JP7295068B2 (en) Federated key management
KR102055116B1 (en) Data security service
Sundareswaran et al. Promoting distributed accountability in the cloud
JP6678457B2 (en) Data security services
US20120317414A1 (en) Method and system for securing documents on a remote shared storage resource
CN108737374A (en) The method for secret protection that data store in a kind of block chain
CN107528865B (en) File downloading method and system
CN109254734B (en) Data storage method, device and equipment and computer readable storage medium
WO2017063465A1 (en) Innovation and creativity data processing method, device and system and certificate storage device
US20160134495A1 (en) Logging device and log aggregation device
US10536276B2 (en) Associating identical fields encrypted with different keys
CN107995147B (en) Metadata encryption and decryption method and system based on distributed file system
CN108171078B (en) A data preservation method and device for a third-party cloud platform evaluation system
CN113792346B (en) Trusted data processing method, device and equipment
CN110493011B (en) Block chain-based certificate issuing management method and device
Varghese et al. Integrity verification in multi cloud storage
CN112383504A (en) Electric power thing networking block chain data management system
CN112699085B (en) Audit log management method and device
Nasreen et al. Cloud forensics: A centralized cloud provenance investigation system using MECC
Sarddar et al. Safety as a Service (SFaaS) Model-The New Invention in Cloud computing to establish a Secure Logical Communication Channel between Data Owner and the Cloud Service Provider before Storing, Retrieving or Accessing any Data in the Cloud
CN118245984B (en) CAD software use authority verification method, device, equipment and storage medium
CN117473553B (en) Privacy compliance detection method, device, equipment and readable storage medium
CN113542194B (en) User behavior tracing method, device, equipment and storage medium
CN108304729A (en) Method for reporting log by client and electronic equipment
Rao et al. Design of Security Technique through Secure Logging for Cloud Forensics

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant