CN105491069A

CN105491069A - Integrity verification method based on active attack resistance in cloud storage

Info

Publication number: CN105491069A
Application number: CN201610024084.1A
Authority: CN
Inventors: 王保仓; 张云鹏; 庞婷; 胡予濮; 杨丹
Original assignee: Xidian University
Current assignee: Xidian University
Priority date: 2016-01-14
Filing date: 2016-01-14
Publication date: 2016-04-13
Anticipated expiration: 2036-01-14
Also published as: CN105491069B

Abstract

The invention discloses an integrity verification method for resisting active attacks, which mainly solves the problem that the prior art cannot resist active attacks. The scheme is: 1. The user evenly divides the file into blocks, generates primary tags and auxiliary tags, and selects a cryptographic hash function, pseudo-random function and pseudo-random permutation function; 2. The user sends the file block to the cloud service provider, and Delete the local file, and the user generates an inquiry message and sends it to the cloud service provider; 3. The cloud service provider generates proof information, and the user passes the proof information, and uses the one-way property of the hash function to resist active attacks; 4. The user passes the local Generate verification information to verify the certification information sent by the cloud service provider. If the verification is passed, the user data is considered complete; otherwise, the data is destroyed. The invention reduces the traffic, improves the ability to resist active attack, and can be used in cloud storage to support the client to verify the integrity of the data under the premise of losing the ownership of the data.

Description

Integrity verification method based on resisting active attacks in cloud storage

技术领域technical field

本发明属于通信安全领域，特别涉及一种数据完整性验证方法，可用于云存储中支持客户端在失去数据所有权的前提下完成数据完整性的验证。The invention belongs to the field of communication security, and in particular relates to a data integrity verification method, which can be used in cloud storage to support a client to complete data integrity verification under the premise of losing data ownership.

背景技术Background technique

云存储作为一种新型的存储模型，具有远程存储数据的能力，已经得到了广泛的应用。越来越多的公司，通过外包公司的数据到云端，以减小本地数据存储的压力。随着这些优势的出现，云存储的安全性也成为了人们所关注的焦点问题，尤其是在云存储中，当用户失去了对数据的所有权时，攻击者和不安全云服务商对用户数据造成的数据损坏成为一个主要的安全问题。因此，数据完整性验证成为了一个热门话题。As a new type of storage model, cloud storage has the ability to store data remotely and has been widely used. More and more companies are outsourcing their data to the cloud to reduce the pressure on local data storage. With the emergence of these advantages, the security of cloud storage has also become a focus of attention, especially in cloud storage, when users lose ownership of data, attackers and unsafe cloud service providers will not be able to control user data. The resulting data corruption becomes a major security concern. Therefore, data integrity verification has become a hot topic.

在由RashmiM.JogdandandR.H.Goudar撰写的”Enablingpublicverifiabilityandavailabilityforsecuredatastorageincloudcomputing”论文中首次提出了哈希树的概念，极大地提升了用户验证数据完整性的性能，但该文却没有考虑到不安全云所带来的重放攻击和本地用户在失去数据所有权时所带来的验证问题。In the paper "Enabling public verifiability and availability for secure data storage in cloud computing" written by Rashmi M. Jogdand and R. H. Goudar, the concept of hash tree was first proposed, which greatly improved the performance of user verification data integrity, but this paper did not take into account the problems brought by insecure clouds. Replay attacks and authentication problems caused by local users losing ownership of data.

针对上述安全问题MehdiSookhak，AbdullahGani，MuhammadKhurramKhanandRajkumarBuyya在论文”Dynamicremotedataauditingforsecuringbigdatastorageincloudcomputing”中提出了一种在失去数据所有权情况下的远程数据完整性验证的方法，并且此方法可以在云端动态地更新用户数据，并利用DCT模型(DivideandConquerTable)减少了数据更新带来的计算复杂度。但是该方法的缺陷在于，主动攻击者恶意地修改云端存储的用户数据后，并截获云服务商发送的完整性证明信息并加以修改，随后发送修改过的证明信息给用户，此证明信息可以欺骗用户，通过用户的验证，但实际上用户存放在云端的数据已经被恶意篡改，面对这样的主动攻击，该方法却无法抵抗。In response to the above security issues, Mehdi Sookhak, Abdullah Gani, Muhammad Khurram Khan and Rajkumar Buyya proposed a remote data integrity verification method in the case of loss of data ownership in the paper "Dynamicremoted data auditing for securing big data storage in cloud computing", and this method can dynamically update user data in the cloud and use the DCT model (DivideandConquerTable) reduces the computational complexity caused by data updates. However, the defect of this method is that after the active attacker maliciously modifies the user data stored in the cloud, and intercepts and modifies the integrity certification information sent by the cloud service provider, and then sends the modified certification information to the user, this certification information can deceive The user has passed the user's verification, but in fact the data stored in the cloud by the user has been maliciously tampered with. Faced with such an active attack, this method cannot resist.

发明内容Contents of the invention

本发明的目的在于针对上述现有技术存在的无法抵抗主动攻击的安全问题，提出一种抵抗主动攻击的数据完整性验证方法，以在完成数据完整性验证和动态更新数据的过程中避免对云端数据的恶意篡改，提高抵抗主动攻击的能力。The purpose of the present invention is to propose a data integrity verification method that resists active attacks in view of the security problems existing in the above-mentioned prior art that are unable to resist active attacks, so as to avoid data integrity verification and dynamic update of data on the cloud. Malicious tampering of data improves the ability to resist active attacks.

本发明的技术思想是：通过密码学哈希函数，如MD5，SHA-1保护云服务提供商CSP所生成的过于裸露的证明信息；利用哈希函数的单向性，使得主动攻击者在截获证明消息后，无法通过普通的计算来任意修改证明信息，从而无法通过后续用户端的验证阶段，制止恶意攻击者对用户到欺骗。The technical idea of the present invention is: protect the overly exposed certification information generated by the cloud service provider CSP through cryptographic hash functions, such as MD5 and SHA-1; After the message is certified, the proof information cannot be modified arbitrarily through ordinary calculations, so that the verification stage of the subsequent user end cannot be passed, preventing malicious attackers from deceiving the user.

根据以上思路，本发明的实现方案包括如下：According to above train of thought, the realization scheme of the present invention comprises as follows:

(1)用户初始化步骤：(1) User initialization steps:

用户将文件F分为n块，生成分块文件通过生成分块文件的主标签和辅助标签 The user divides the file F into n blocks to generate a block file pass Main tag for generating chunked files and auxiliary tags

用户选择密码学哈希函数H，伪随机函数f，伪随机置换函数π，并本地保存两个标签 The user selects a cryptographic hash function H, a pseudo-random function f, and a pseudo-random permutation function π, and saves two tags locally

(2)用户通信与询问步骤：(2) User communication and inquiry steps:

(2a)用户发送分块文件给云服务提供商CSP，随后本地删除以节省用户存储空间；(2a) The user sends the chunked file to the cloud service provider CSP, and then deleted locally To save user storage space;

(2b)用户为伪随机函数f选择第一安全参数k₁，为伪随机置换π选择第二安全参数k₂，并选择所要验证文件分块数量c，生成询问信息chal＝{c,k₁,k₂}发送给云服务提供商CSP；(2b) The user selects the first security parameter k ₁ for the pseudo-random function f, selects the second security parameter k ₂ for the pseudo-random permutation π, and selects the number of blocks of the file to be verified c, and generates query information chal={c,k ₁ ,k ₂ } to the cloud service provider CSP;

其中c不少于分块文件总数量n的10％，第一安全参数k₁的长度不少于512比特，第二的安全参数k₂的长度不少于512比特。Wherein c is not less than 10% of the total number n of block files, the length of the first security parameter k ₁ is not less than 512 bits, and the length of the second security parameter k ₂ is not less than 512 bits.

(3)抵抗主动攻击步骤：(3) Steps to resist active attack:

(3a)云服务提供商CSP接收询问信息后，通过用户所需验证的c个分块文件生成证明信息proof给用户，其中：(3a) After the cloud service provider CSP receives the query information, it passes the c block files that the user needs to verify Generate proof information proof to the user, where:

$p p r r o o o o f f = = H h (({S S}_{γ γ} (({Σ Σ}_{j j = = 11}^{c c} {a a}_{j j} \cdot &Center Dot; f f (({i i}_{j j}))))))$

其中，H(·)表示哈希函数，S_γ(·)表示代数签名函数，γ表示伽罗瓦域中的一个元素，a_j表示伪随机函数生成的第j个系数，f(i_j)表示第i_j个文件分块，i_j表示伪随机置换函数生成的第j个文件分块的序号，j表示用户所需验证的c个分块文件的序号，1≤j≤c，c表示用户选择验证文件分块数量。Among them, H( ) represents the hash function, S _γ ( ) represents the algebraic signature function, γ represents an element in the Galois field, a _j represents the jth coefficient generated by the pseudo-random function, f(i _j ) Indicates the i _j -th file block, i _j represents the serial number of the j-th file block generated by the pseudo-random permutation function, and j represents the c block files that the user needs to verify The serial number of , 1≤j≤c, c indicates the number of blocks of the verification file selected by the user.

(3b)用户通过哈希函数H的单向性特性，对主动攻击者修改证明信息proof的行为进行抵抗，使攻击者的攻击结果失败，保护证明信息proof无法任意修改；(3b) Through the one-way characteristic of the hash function H, the user resists the behavior of the active attacker to modify the proof information proof, so that the attacker's attack result fails, and the protection proof information proof cannot be modified arbitrarily;

(4)用户验证步骤：(4) User verification steps:

(4a)用户在抵抗了主动攻击的行为后，利用本地保存c个主标签和c个辅助标签生成本地用户的验证信息μ：(4a) After resisting the behavior of active attack, the user saves c primary tags locally and c auxiliary tags Generate authentication information μ for local users:

$μ μ = = {Σ Σ}_{j j = = 11}^{c c} {a a}_{j j} (({T T}_{{i i}_{j j}} &CirclePlus; &CirclePlus; {C C}_{{i i}_{j j}})),,$

其中，表示第i_j个主标签，表示第i_j个辅助标签；in, Indicates the i _jth primary label, Indicates the i _jth auxiliary label;

(4b)利用用户的验证信息μ的哈希值H(μ)对收到的证明信息proof再进行验证：(4b) Use the hash value H(μ) of the user’s verification information μ to verify the received proof information proof:

如果等式H(μ)＝proof成立，则用户认为保存在云服务提供商CSP的用户数据完整；If the equation H(μ)=proof is established, the user believes that the user data stored in the cloud service provider CSP is complete;

否则，用户认为数据被破坏。Otherwise, the user considers the data corrupted.

本发明与现有技术相比具有如下优点：Compared with the prior art, the present invention has the following advantages:

1.本发明中，用户通过本地保存的主标签和辅助标签所生成的证明信息对云服务提供商返回的证明信息进行验证，可完成对远程数据的完整性验证任务。1. In the present invention, the user verifies the certificate information returned by the cloud service provider through the certificate information generated by the locally saved main label and auxiliary label, and can complete the integrity verification task of the remote data.

2.本发明中，由于用户仅发送文件分块，而不发送用户自己生成的主标签与辅助标签，从而减少了数据的通信量。2. In the present invention, since the user only sends the file segments, instead of sending the main tag and the auxiliary tag generated by the user himself, the communication volume of data is reduced.

3.本发明中，由于云服务提供商在发送证明信息时，通过使用哈希函数保护证明信息，利用哈希函数的单向性特性，保护了证明信息不被破坏，从而抵抗了主动攻击的行为。3. In the present invention, since the cloud service provider protects the proof information by using the hash function when sending the proof information, and utilizes the one-way characteristic of the hash function, the proof information is protected from being destroyed, thereby resisting the possibility of active attack Behavior.

附图说明Description of drawings

图1为本发明的实现流程图。Fig. 1 is the realization flowchart of the present invention.

图2为本发明中抵抗主动攻击的子流程图。Fig. 2 is a subflow chart of resisting active attacks in the present invention.

具体实施方式detailed description

下面结合附图对本发明做进一步的描述。The present invention will be further described below in conjunction with the accompanying drawings.

参照图1，本发明的实现步骤如下：With reference to Fig. 1, the realization steps of the present invention are as follows:

步骤1，用户初始化。Step 1, user initialization.

(1a)对文件进行分块：(1a) Chunk the file:

当用户需要将本地文件F发送给云服务提供商CSP时，用户首先要进行文件的分块操作，文件的分块技术包括均匀分块技术，重叠分块技术，变长分块技术等，本实例选择均匀分块技术，即用户需将所要存储的文件F均匀等分成n块，设文件F长度为L，生成分块文件每个分块长度为当最后一个分块不能达到分块长度时，在其后面补0，使其长度达到 When the user needs to send the local file F to the cloud service provider CSP, the user first needs to perform the block operation of the file. The file block technology includes uniform block technology, overlapping block technology, and variable length block technology. The example selects the uniform block technology, that is, the user needs to divide the file F to be stored into n blocks evenly, and set the length of the file F to be L to generate a block file The length of each block is When the last block cannot reach the block length When , add 0 behind it to make its length reach

(1b)用户通过下式将分块文件生成分块文件的主标签和辅助标签 (1b) The user divides the block file by the following formula Main tag for generating chunked files and auxiliary tags

T_i＝S_γ(f(i)||(ID_F||i||L_i||V_i))T _i ＝S _γ (f(i)||(ID _F ||i||L _i ||V _i ))

C_i＝S_γ(ID_F||i||L_i||V_i)C _i ＝S _γ (ID _F ||i||L _i ||V _i )

其中，f(i)表示第i个分块文件，i表示分块文件f(i)在整体文件中的序号，1≤i≤n，n表示分块文件的块数，||符号表示参数的级联，ID_F表示文件的唯一身份信息，L_i表示分块文件f(i)在分治表DCT中序号，其中分治表DCT表示一种顺序存储数据的模型，该模型是由一般的顺序存储模型切割所得，并将切割所得到的存储空间进行标号即可，V_i表示分块文件f(i)在分治表DCT中的版本号，S_γ(·)表示代数签名函数，是一种具有代数性质的哈希函数，其主要代数性质满足γ表示伽罗瓦域中的一个元素；Among them, f(i) represents the i-th block file, i represents the serial number of the block file f(i) in the overall file, 1≤i≤n, n represents the number of blocks in the block file, and the || symbol represents the parameter The cascading, ID _F represents the unique identity information of the file, L _i represents the serial number of the block file f(i) in the divide-and-conquer table DCT, where the divide-and-conquer table DCT represents a model for sequentially storing data, which is composed of general The sequential storage model cutting results, and label the storage space obtained by cutting, V _i represents the version number of the block file f(i) in the partition table DCT, S _γ ( ) represents the algebraic signature function, is a hash function with algebraic properties, and its main algebraic properties satisfy γ represents an element in the Galois field;

(1c)用户选择密码学哈希函数H：(1c) The user selects a cryptographic hash function H:

在众多哈希函数算法中，数字签名算法SHA-1，信息-摘要算法5即MD5，最为常用，本实例用户选择信息-摘要算法5即MD5作为密码学哈希函数H；Among many hash function algorithms, the digital signature algorithm SHA-1 and the information-digest algorithm 5 (MD5) are the most commonly used. In this example, the user selects the information-digest algorithm 5 (MD5) as the cryptographic hash function H;

(1d)在众多伪随机函数中，基于随机表查找的伪随机函数和MonteCarlo伪随机函数最为普遍，本实例用户选择MonteCarlo伪随机函数其函数形式为：k₁表示伪随机函数的安全参数，x表示伪随机变换函数的输入长度，l表示伪随机函数输出的长度；(1d) Among the many pseudo-random functions, the pseudo-random function based on random table lookup and the MonteCarlo pseudo-random function are the most common. In this example, the user chooses the MonteCarlo pseudo-random function Its function form is: k ₁ means pseudorandom function The security parameters of , x represents the pseudo-random transformation function The input length of , l represents the pseudo-random function the length of the output;

(1e)同时，在众多伪随机置换函数中，基于循环移位置换的伪随机置换函数和Durstenfeld伪随机置换函数较为通用，本实例用户选择Durstenfeld伪随机置换函数函数形式为：k₂表示伪随机置换函数的安全参数，y表示伪随机置换函数输入和输出的长度。(1e) At the same time, among many pseudo-random permutation functions, the pseudo-random permutation function based on cyclic shift permutation and the Durstenfeld pseudo-random permutation function are more common. In this example, the user chooses the Durstenfeld pseudo-random permutation function The function form is: k ₂ represents the pseudorandom permutation function The security parameters of , y represents the pseudo-random permutation function The length of the input and output.

步骤2，用户通信与询问：Step 2, user communication and inquiry:

(2a)用户在不安全的信道上发送给云服务提供商CSP，随后本地删除分块文件以节省用户存储空间；(2a) The user sends on an insecure channel To the cloud service provider CSP, then locally delete the chunk file To save user storage space;

(2b)用户选择验证文件分块c，c的数量不少于总分块数量n的10％，本实例选择20％；(2b) The user selects the verification file block c, the number of c is not less than 10% of the total block number n, and 20% is selected in this example;

(2c)用户选择伪随机变换函数的安全参数k₁，该k₁的长度不少于512比特，本实例选择512比特；(2c) The user selects the pseudo-random transformation function The security parameter k ₁ of , the length of the k ₁ is not less than 512 bits, and 512 bits are selected in this example;

(2d)用户选择伪随机置换函数的安全参数k₂，该k₂的长度不少于512比特，本实例选择512比特；(2d) The user selects a pseudo-random permutation function The security parameter k ₂ , the length of the k ₂ is not less than 512 bits, and 512 bits are selected in this example;

(2e)用户根据所选到参数生成询问信息chal＝{c,k₁,k₂}，并将该询问信息发送给云服务提供商CSP。(2e) The user generates inquiry information chal={c,k ₁ ,k ₂ } according to the selected parameters, and sends the inquiry information to the cloud service provider CSP.

步骤3，抵抗主动攻击。Step 3, resist active attack.

参考图2，为步骤的具体实现如下：Referring to Figure 2, the specific implementation of the steps is as follows:

(3a)攻击者修改云服务提供商CSP中的用户信息；(3a) The attacker modifies the user information in the cloud service provider CSP;

(3b)云服务提供商CSP依据询问信息chal＝{c,k₁,k₂}，通过用户所需验证的c个分块文件生成如下证明信息proof发送给用户：(3b) According to the query information chal={c,k ₁ ,k ₂ }, the cloud service provider CSP passes the c block files that need to be verified by the user Generate the following proof information proof and send it to the user:

其中,表示变换后的文件分块，f(i_j)表示第i_j个文件分块，i_j表示在伪随机置换函数中j-bit串的集合即它是由k₂-bit串的集合与log₂j-bit串的集合叉乘得到；a_j表示伪随机函数生成的第j个系数，其在伪随机函数中由k₁-bit串的集合与log₂j-bit串的集合叉乘得到，j表示用户所需验证的c个分块文件的序号，1≤j≤c，c表示用户选择验证文件分块数量，H(·)表示哈希函数，S_γ(·)表示代数签名函数，它是一种具有代数性质的哈希函数，其代数性质满足 $S_{γ} (Σ_{i = 1}^{n} f (i)) = Σ_{i = 1}^{n} S_{γ} (f (i)),$ γ表示伽罗瓦域中的一个元素；in, express The transformed file is divided into blocks, f(i _j ) represents the i _jth file block, and i _j represents the pseudo-random permutation function The collection of j-bit strings in It is obtained by cross-producting the set of k ₂ -bit strings and the set of log ₂ j-bit strings; a _j represents the jth coefficient generated by the pseudo-random function, which in the pseudo-random function It is obtained by cross multiplying the set of k ₁ -bit strings and the set of log ₂ j-bit strings, and j represents the c block files that the user needs to verify The serial number of , 1≤j≤c, c indicates the number of blocks of the verification file selected by the user, H( ) indicates the hash function, S _γ ( ) indicates the algebraic signature function, which is a hash function with algebraic properties, Its algebraic properties satisfy $S_{γ} (Σ_{i = 1}^{no} f (i)) = Σ_{i = 1}^{no} S_{γ} (f (i)),$ γ represents an element in the Galois field;

(3c)攻击者截获云服务提供商CSP发送的证明信息proof，并对其进行修改；(3c) The attacker intercepts the proof information proof sent by the cloud service provider CSP and modifies it;

(3d)用户通过哈希函数H的单向性特性，对主动攻击者修改证明信息proof的行为进行抵抗，使攻击者的攻击结果失败，保护证明信息proof无法任意修改；(3d) The user uses the one-way characteristic of the hash function H to resist the behavior of the active attacker to modify the proof information, so that the attacker's attack result fails, and the protection proof information proof cannot be modified arbitrarily;

步骤4，用户验证步骤：Step 4, user verification steps:

(4a)用户在抵抗了主动攻击的行为后，利用本地保存c个主标签和c个辅助标签生成如下本地用户的验证信息μ：(4a) After resisting the behavior of active attack, the user saves c primary tags locally and c auxiliary tags Generate authentication information μ for the following local users:

$μ μ = = {Σ Σ}_{j j = = 11}^{c c} {a a}_{j j} (({T T}_{{i i}_{j j}} &CirclePlus; &CirclePlus; {C C}_{{i i}_{j j}}))$

其中，表示第i_j个主标签，表示第i_j个辅助标签，表示异或运算；in, Indicates the i _jth primary label, Indicates the i _jth auxiliary label, Indicates XOR operation;

(4b)用户将用户验证信息μ作为哈希函数H的输入，进行哈希计算得到用户验证信息的哈希值H(μ)，并利用H(μ)对证明信息proof进行验证：(4b) The user takes the user verification information μ as the input of the hash function H, performs hash calculation to obtain the hash value H(μ) of the user verification information, and uses H(μ) to verify the proof information proof:

如果等式H(μ)＝proof成立，则用户认为云服务提供商CSP存储的用户数据完整，否则，用户认为数据被破坏。If the equation H(μ)=proof holds true, the user believes that the user data stored by the cloud service provider CSP is complete; otherwise, the user believes that the data is damaged.

以上描述仅是本发明的一个具体实例，不构成对本发明的任何限制。显然，对于本领域的专业人员来说，在了解了本发明内容和原理后，都可能在不背离本发明原理、结果的情况下，进行形式和细节上的各种修正和改变，但是这些基于本发明思想的修正和改变仍在本发明的权利要求保护范围之内。The above description is only a specific example of the present invention, and does not constitute any limitation to the present invention. Obviously, for those skilled in the art, after understanding the content and principles of the present invention, it is possible to make various modifications and changes in form and details without departing from the principles and results of the present invention, but these are based on The modification and change of the idea of the present invention are still within the protection scope of the claims of the present invention.

Claims

1. A remote authentication method based on anti-active attack in cloud storage, including:

(1) User initialization steps:

The user divides the file F into n blocks to generate a block file pass Main tag for generating chunked files and auxiliary tags

The user selects a cryptographic hash function H, a pseudo-random function f, and a pseudo-random permutation function π, and saves two tags locally

{T_{i}}_{i = 1}^{no}, {C_{i}}_{i = 1}^{no};

(2) User communication and inquiry steps:

(2a) The user sends the chunked file to the cloud service provider CSP, and then deleted locally To save user storage space;

(2b) The user selects the first security parameter k ₁ for the pseudo-random function f, selects the second security parameter k ₂ for the pseudo-random permutation π, and selects the number of blocks of the file to be verified c, and generates query information chal={c,k ₁ ,k ₂ } to the cloud service provider CSP;

Wherein c is not less than 10% of the total number n of block files, the length of the first security parameter k ₁ is not less than 512 bits, and the length of the second security parameter k ₂ is not less than 512 bits.

(3) Steps to resist active attack:

(3a) After the cloud service provider CSP receives the query information, it passes the c block files that the user needs to verify Generate proof information proof to the user, where:

p p r r o o o o f f = = H h (({S S}_{γ γ} (({Σ Σ}_{j j = = 11}^{c c} {a a}_{j j} \cdot &Center Dot; f f (({i i}_{j j}))))))

Among them, H( ) represents the hash function, S _γ ( ) represents the algebraic signature function, γ represents an element in the Galois field, a _j represents the jth coefficient generated by the pseudo-random function, f(i _j ) Indicates the i _j -th file block, i _j represents the serial number of the j-th file block generated by the pseudo-random permutation function, and j represents the c block files that the user needs to verify The serial number of , 1≤j≤c, c indicates the number of blocks of the verification file selected by the user;

(3b) Through the one-way characteristic of the hash function H, the user resists the behavior of the active attacker to modify the proof information proof, so that the attacker's attack result fails, and the protection proof information proof cannot be modified arbitrarily;

(4) User verification steps:

(4a) After resisting the behavior of active attack, the user saves c primary tags locally and c auxiliary tags Generate authentication information μ for local users:

μ μ = = {Σ Σ}_{j j = = 11}^{c c} {a a}_{j j} (({T T}_{{i i}_{j j}} &CirclePlus; &CirclePlus; {C C}_{{i i}_{j j}})),,

in, Indicates the i _jth primary label, Indicates the i _jth auxiliary label;

(4b) Use the hash value H(μ) of the user’s verification information μ to verify the received proof information proof: if the equation H(μ)=proof holds true, the user believes that the proof information stored in the cloud service provider CSP The user data is intact; otherwise, the user considers the data corrupted.

2. The method according to claim 1, wherein in the step (1), the user divides the file F into blocks, and the file F to be stored is evenly divided into n blocks, that is, the length of the file F is L, and each block length is When the last block cannot reach the block length When , add 0 behind it to make its length reach

3. The method according to claim 1, wherein in step (1), the user passes the block file Main tag for generating chunked files and auxiliary tags is generated using the following formula:

T _i ＝S _γ (f(i)||(ID _F ||i||L _i ||V _i ))

C _i ＝S _γ (ID _F ||i||L _i ||V _i )

f(i) represents the i-th block file, 1≤i≤n, n represents the block number of the block file, the || symbol represents the concatenation of parameters, ID _F represents the unique identity information of the file, L _i represents the block File f(i) is serial numbered in the divide-and-conquer table DCT, and the divide-and-conquer table DCT represents a model for sequentially storing data, V _i represents the version number of the block file f(i) in the divide-and-conquer table DCT, S _γ ( ) represents the algebraic signature function, which is a hash function with algebraic properties, and its algebraic properties satisfy γ represents an element in the Galois field.

4. The method according to claim 1, wherein the cryptographic hash function H selected by the user in the step (1) adopts information-digest algorithm 5, namely MD5.

5. The method according to claim 1, wherein the pseudo-random function selected by the user in the step (1) adopts MonteCarlo pseudo-random function, and its functional form is: where k ₁ represents the pseudorandom function The security parameters of , x represents the pseudo-random transformation function The input length of , l represents the pseudo-random function output length.

6. The method according to claim 1, wherein the pseudo-random permutation function selected by the user in the step (1) adopts the Durstenfeld pseudo-random permutation function, and the function form is, where k ₂ represents the pseudorandom permutation function The security parameters of , y represents the pseudo-random permutation function The length of the input and output.