CN107463848B - Application-oriented ciphertext search method, device, proxy server and system - Google Patents

Publication number
CN107463848B
Authority
CN
China
Prior art keywords
data
user
application
search
ciphertext
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201710586634.3A
Other languages
Chinese (zh)
Other versions
CN107463848A (en)
Inventor
刘川意
潘鹤中
王春露
王国峰
韩培义
林杰
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing University of Posts and Telecommunications
Original Assignee
Beijing University of Posts and Telecommunications
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing University of Posts and Telecommunications
Priority to CN201710586634.3A
Publication of CN107463848A
Application granted
Publication of CN107463848B
Active legal status
Anticipated expiration

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/602 Providing cryptographic facilities or services
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861 Generation of secret information including derivation or calculation of cryptographic keys or passwords

Abstract

The invention discloses an application-oriented ciphertext searching method, which comprises the following steps: receiving an application data uploading request sent by a user side; analyzing the application data uploading request to obtain user application data, determining and caching user sensitive data in the user application data; encrypting user sensitive data in user application data to obtain ciphertext data, and sending the ciphertext data to an application server; receiving response data returned by the application server, extracting first metadata information in the response data, and establishing a first search index according to the user sensitive data and the first metadata information; receiving a data search request sent by a user side; analyzing the data search request to obtain a keyword, and searching in the first search index by using the keyword to obtain a search result; and returning the search result to the user side. The method supports full-text retrieval of the ciphertext without configuring a special encryption client, realizes the transparentization of data encryption and ciphertext search, and ensures the functionality, efficiency and safety of ciphertext search.

Description

Application-oriented ciphertext search method, device, proxy server and system
Technical Field
The invention relates to the field of computer information security, in particular to an application-oriented ciphertext searching method, device, proxy server and system.
Background
With the growing volume of data and the spread of cloud computing, more and more organizations and enterprises deliver their data to specialized servers for unified data management, or directly use application services operated by those servers. In this mode, however, ownership of user data is separated from its management, which leads to frequent data privacy disclosure incidents, and the problem of user privacy protection urgently needs to be solved. Common cloud services such as mail applications, cloud storage applications, CRM applications and ERP applications all carry the risk of user data privacy disclosure.
At present, data encryption is generally adopted to deal with this risk, but the two existing encryption modes each have certain defects. The first method: data is encrypted at the user terminal. This method requires a specific client to be developed for each service and application and encryption to be performed at the client, which makes the user terminal software complex and consumes more terminal resources during user operation. The second method: the service provider provides user data encryption. However, the security measures provided by the service provider are not transparent to the user, the user also doubts the credibility of the service provider, and differentiated encryption cannot be provided for different application services.
Moreover, after the user privacy data is encrypted and uploaded to the server, the original search function of the server fails due to encryption, so that the retrieval of the encrypted data by the user becomes a very difficult task. Therefore, the user needs a retrieval technique applicable to ciphertext search.
Current ciphertext search techniques include homomorphic encryption, searchable symmetric encryption (SSE), and the like. For example, invention patent CN201310616577, disclosed on 26/2/2014, proposes a ciphertext search authentication method for cloud storage; invention patent CN201510698146, disclosed on 5/3/2017, proposes a method, a device and a system for creating a ciphertext index. These ciphertext search methods mainly have the following problems: (1) in order to realize data search on ciphertext, many ciphertext search technologies adopt a special encryption mode (the strength can be guaranteed, a universal encryption algorithm is not applicable any more), and the encryption security is weakened to a certain extent; and (2) current ciphertext search technology only realizes the most basic search function, while advanced search functions on ciphertext, such as multi-keyword search and fuzzy search, remain at the theoretical stage and cannot be put into practice. Moreover, academic research on ciphertext search at home and abroad generally suffers from loss of functionality, low search efficiency, poor security and similar problems, and may even require the application program and the user's habits to change, so it is difficult to implement in a real scenario.
Disclosure of Invention
In view of this, the present invention provides an application-oriented ciphertext search method, apparatus, proxy server, and system, which ensure the functionality, efficiency, and security of ciphertext data search while providing user privacy protection.
Based on the above purpose, the present invention provides an application-oriented ciphertext search method, which includes:
receiving an application data uploading request sent by a user side;
analyzing the application data uploading request to obtain user application data, determining and caching user sensitive data in the user application data;
encrypting the user sensitive data in the user application data to obtain ciphertext data, and sending the ciphertext data to an application server;
receiving response data returned by the application server, extracting first metadata information in the response data, and establishing a first search index according to the user sensitive data and the first metadata information;
receiving a data search request sent by the user side;
analyzing the data search request to obtain a keyword, and searching in the first search index by using the keyword to obtain a search result;
and returning the search result to the user side.
Further, the ciphertext search method for the application further comprises:
receiving an application data acquisition request sent by the user side;
sending the application data acquisition request to the application server;
receiving ciphertext data returned by the application server;
decrypting the ciphertext data to obtain the user application data, and sending the user application data to the user side; and judging whether the first search index exists or not, if not, determining the user sensitive data in the user application data, acquiring second metadata information in the ciphertext data, and establishing a second search index according to the user sensitive data and the second metadata information.
Further, after receiving the application data obtaining request sent by the user side, the method includes:
analyzing the application data acquisition request to obtain user identity information, and verifying whether the user side has an access right according to the user identity information;
and if the user side has the access right, sending the application data acquisition request to the application server side.
Further, after the searching in the first search index using the keyword to obtain the search result, the method further includes:
forwarding the data search request to the application server;
receiving search response data sent by the application server, and determining a communication protocol applied by the application server;
adding the search result to the search response data according to the communication protocol to obtain a second search result;
and returning the second search result to the user terminal.
The invention also provides an application-oriented ciphertext search device, which comprises:
the first receiving module is used for receiving an application data uploading request sent by a user side;
the analysis module is used for analyzing the application data uploading request to obtain user application data, determining user sensitive data in the user application data and caching the user sensitive data;
the encryption module is used for encrypting the user sensitive data in the user application data to obtain ciphertext data and sending the ciphertext data to an application server;
the first establishing module is used for receiving response data returned by the application server, extracting first metadata information in the response data, and establishing a first search index according to the user sensitive data and the first metadata information;
the second receiving module is used for receiving a data searching request sent by the user side;
the searching module is used for analyzing the data searching request to obtain a keyword, and searching in a searching index by using the keyword to obtain a searching result;
and the first returning module is used for returning the search result to the user side.
Further, the ciphertext search apparatus for an application further includes:
a third receiving module, configured to receive an application data acquisition request sent by the user side;
the sending module is used for sending the application data acquisition request to the application server;
the fourth receiving module is used for receiving ciphertext data returned by the application server;
the second establishing module is used for decrypting the ciphertext data to obtain the user application data and sending the user application data to the user side; and judging whether the first search index exists, if not, determining user sensitive data in the user application data, acquiring second metadata information in the ciphertext data, and establishing a second search index according to the user sensitive data and the second metadata information.
Further, the ciphertext search apparatus for an application further includes:
the verification module is used for analyzing the application data acquisition request to obtain user identity information and verifying whether the user side has access authority or not according to the user identity information;
and when the user side has the access right, the sending module sends the application data acquisition request to the application server side.
Further, the ciphertext search apparatus for an application further includes:
the forwarding module is used for forwarding the data search request to the application server;
a fifth receiving module, configured to receive search response data sent by the application server, and determine a communication protocol applied by the application server;
the adding module is used for adding the search result into the search response data according to the communication protocol to obtain a second search result;
and the second returning module is used for returning the second search result to the user side.
The invention also provides a proxy server comprising a memory, a processor and a computer program stored on the memory and executable on the processor, wherein the processor implements the method as described in any one of the above when executing the program.
The invention also provides an application-oriented ciphertext search system, which comprises a user side and an application server side, and further comprises: an application-oriented ciphertext search apparatus as claimed in any preceding claim; or a proxy server as described above.
From the above, the application-oriented ciphertext search method, the application-oriented ciphertext search device, the proxy server and the application-oriented ciphertext search system provided by the invention have the advantages that a special encryption client does not need to be configured at a user, so that the software and hardware requirements of the user side are reduced; service application does not need to be changed, service providers do not need to cooperate, and the transparentization of user data encryption and ciphertext search to users is realized; the original encryption algorithm is not required to be changed, and the data security is guaranteed. The method and the device ensure the functionality, efficiency and safety of ciphertext data search while providing user privacy protection.
Drawings
FIG. 1 is a flowchart of an application-oriented ciphertext search method according to an embodiment of the present invention;
FIG. 2 is another schematic flow chart of the ciphertext search method according to the embodiment of the present invention;
FIG. 3 is a schematic structural diagram of an application-oriented ciphertext search apparatus according to an embodiment of the present invention;
FIG. 4 is a schematic structural diagram of an application-oriented ciphertext search system according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the present invention is described in further detail below with reference to specific embodiments and the accompanying drawings.
It should be noted that all expressions using "first" and "second" in the embodiments of the present invention are used to distinguish two entities or parameters that share the same name but are not the same. "First" and "second" are used merely for convenience of description and should not be construed as limiting the embodiments of the present invention; this is not repeated in the following embodiments.
Referring to fig. 1, a flowchart of an application-oriented ciphertext search method according to an embodiment of the present invention is shown. In one embodiment of the present invention, the application-oriented ciphertext search method includes the following steps:
Step 101, receiving an application data uploading request sent by a user side.
In a specific embodiment, the application service may be a cloud storage service/application, a mail service, or the like, and the application data upload request may be the upload of a cloud storage file, the sending of a web mail, or the like. For example, the user may upload the application data through general-purpose software on the user terminal, such as a general-purpose browser, a cloud storage client or a mail client.
Step 102, analyzing the application data uploading request to obtain user application data, and determining and caching user sensitive data in the user application data.
After different types of application data uploading requests are analyzed to obtain user application data, according to a preset rule, user sensitive data in the user application data, such as user personal privacy data and user identity data, are confirmed, and the user sensitive data are cached.
Step 103, encrypting the user sensitive data in the user application data to obtain ciphertext data, and sending the ciphertext data to an application server.
An encryption key group corresponding to the user sensitive data is acquired according to an encryption rule preset for the application service; the encryption key group comprises one or more keys for encrypting one or more sensitive data segments of the user sensitive data. According to the encryption rule, one or more sensitive data segments in the user sensitive data are encrypted using the encryption key group to obtain the ciphertext data. The embodiment of the invention can directly use currently common general-purpose encryption algorithms, such as the internationally used AES and RSA and the Chinese national commercial cryptographic algorithms SM2, SM4 and SM9, to realize encrypted search without changing the encryption algorithm, thereby ensuring the encryption strength.
The embodiment of the invention provides different security services for different application services or according to user requirements, and sets different encryption rules, such as the encryption algorithm and the encrypted fields, for different application services in advance. After receiving an application data uploading request sent by a user side, the proxy server obtains a suitable encryption key group according to the application type and user requirements in the request, wherein the encryption key group comprises one or more keys used for encrypting one or more data segments in the user sensitive data. For example, in a mail service, if a user only needs the mail subject and body to be encrypted, while the recipient, sender and carbon-copy (CC) recipient do not need to be encrypted, a key group comprising only two keys is needed. In a cloud storage application, if a user only needs to upload one file, only one key is needed to encrypt the whole file. This embodiment mainly uses the proxy-gateway-based encryption and decryption technology provided by this patent. Technicians deploy the proxy gateway, and the user accesses the mail system through the proxy gateway, so that mail data is encrypted on upload and decrypted on download without installing a client locally or modifying the interface of the mail system.
Step 104, receiving response data returned by the application server, extracting first metadata information in the response data, and establishing a first search index according to the user sensitive data and the first metadata information.
The first metadata information includes ID information, a ciphertext data flag, and the like. And combining the first metadata information and the user sensitive data obtained in the step 102 into a complete metadata group, and establishing a first search index based on the metadata group.
Step 105, receiving a data search request sent by the user side.
Step 106, analyzing the data search request to obtain a keyword, and searching in the first search index by using the keyword to obtain a search result.
The data search request is analyzed to obtain user identity information, search keywords and other metadata information, and the keywords are queried in the first search index to obtain a search result.
This embodiment mainly uses a ciphertext search technique. The user accesses the mail system through the proxy gateway and submits the unencrypted keyword to the proxy gateway; the gateway performs the search to obtain the ID of the ciphertext data stored on the cloud platform, and thereby the ciphertext data. After the ciphertext data is obtained, the user can download the confidential data. The search supports full-text retrieval, multi-keyword search and fuzzy search of ciphertext, does not sacrifice the original search function, and even enhances it; the method is also suitable for encryption and search of files and binary data streams, and so has wide practicability.
And step 107, returning the search result to the user side.
Fig. 2 is another schematic flow chart of the ciphertext search method for application according to the embodiment of the present invention. In another embodiment of the present invention, the application-oriented ciphertext search method further includes:
Step 201, receiving an application data acquisition request sent by the user side.
As another embodiment of the present invention, after receiving the application data obtaining request sent by the user side in step 201, the method further includes:
analyzing the application data acquisition request to obtain user identity information, ciphertext data marks and other metadata information, and verifying whether the user side has the access right of ciphertext data according to the user identity information; and if the user side has the access right, sending the application data acquisition request to the application server side.
Step 202, sending the application data acquisition request to the application server.
Step 203, receiving the ciphertext data returned by the application server.
Step 204, decrypting the ciphertext data to obtain the user application data, and sending the user application data to the user side; and judging whether the first search index exists or not, if not, determining the user sensitive data in the user application data, acquiring second metadata information in the ciphertext data, and establishing a second search index according to the user sensitive data and the second metadata information.
After the ciphertext data is received, it is decrypted according to the set encryption rule, using the decryption key group corresponding to the ciphertext data, to obtain plaintext data; this plaintext data is the user application data. The proxy server then judges, according to the user identity information and other metadata information, whether a first search index exists locally; if so, the user application data is returned directly to the user side that requested the download. If the first search index does not exist, for example because the download is performed not at the user side that uploaded the data but at another side that downloads it, the search index needs to be re-established. That is, the user sensitive data in the user application data is determined, second metadata information in the ciphertext data is obtained, and a second search index is established according to the user sensitive data and the second metadata information, wherein the second search index is a local search index of the client. The second metadata information includes user identity information, a ciphertext data flag, other metadata information and the like. For the same application data, the contents of the first metadata information and the second metadata information are substantially the same; the difference is that the first metadata information is obtained from the response data in step 104, while the second metadata information is returned from the application server in step 203.
Step 106 and step 204 apply the key index-construction technique, which combines the cached data with the data returned by the application to construct a complete search index locally, i.e. on the proxy server, while still supporting encryption and search of files and binary data streams.
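The upload, search and download flows of steps 101 to 107 and 201 to 204, as an added Python example that is not code from the patent. `AppServer`, `ProxyGateway`, the field rule, the user list and the sample mails are constructed for illustration, and an HMAC-SHA256 encrypt-then-MAC construction stands in for AES or SM4 so that the block runs with the standard library only.

```python
import hashlib
import hmac
import os
import re

SENSITIVE_FIELDS = ("subject", "body")  # assumed encryption rule for a mail service

def _prf(key, msg):
    return hmac.new(key, msg, hashlib.sha256).digest()

def _xor_stream(key, nonce, data):
    blocks = range(len(data) // 32 + 1)
    stream = b"".join(_prf(key, nonce + i.to_bytes(4, "big")) for i in blocks)
    return bytes(a ^ b for a, b in zip(data, stream))

def seal(key, plaintext):
    """Encrypt-then-MAC over an HMAC-SHA256 keystream (stdlib stand-in for AES/SM4)."""
    nonce = os.urandom(16)
    body = nonce + _xor_stream(_prf(key, b"enc"), nonce, plaintext)
    return body + _prf(_prf(key, b"mac"), body)

def unseal(key, blob):
    body, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, _prf(_prf(key, b"mac"), body)):
        raise ValueError("ciphertext failed authentication")
    return _xor_stream(_prf(key, b"enc"), body[:16], body[16:])

def tokenize(text):
    return set(re.findall(r"\w+", text.lower()))

class AppServer:
    """Constructed stand-in for the unmodified application server."""
    def __init__(self):
        self.store = {}

    def upload(self, record):
        rid = "msg-%d" % (len(self.store) + 1)
        self.store[rid] = record  # only ever holds what the gateway sends
        return {"id": rid, "encrypted": True}  # response data carrying metadata

    def fetch(self, rid):
        return self.store[rid]

class ProxyGateway:
    def __init__(self, server, users, keys=None):
        self.server, self.users = server, set(users)
        self.keys = keys or {f: os.urandom(32) for f in SENSITIVE_FIELDS}  # key group
        self.index = {}       # token -> record IDs; derived from plaintext
        self.indexed = set()  # record IDs this gateway has already indexed

    def _authorize(self, user):
        if user not in self.users:
            raise PermissionError(user)

    def _index(self, rid, sensitive):
        for text in sensitive.values():
            for token in tokenize(text):
                self.index.setdefault(token, set()).add(rid)
        self.indexed.add(rid)

    def upload(self, user, data):  # steps 101-104
        self._authorize(user)
        cached = {f: data[f] for f in SENSITIVE_FIELDS if f in data}
        record = dict(data)
        for field, text in cached.items():
            record[field] = seal(self.keys[field], text.encode())
        response = self.server.upload(record)
        self._index(response["id"], cached)  # cached plaintext + returned ID
        return response["id"]

    def search(self, user, query):  # steps 105-107, multi-keyword AND
        self._authorize(user)
        hits = [self.index.get(t, set()) for t in tokenize(query)]
        return sorted(set.intersection(*hits)) if hits else []

    def download(self, user, rid):  # steps 201-204
        self._authorize(user)
        record = dict(self.server.fetch(rid))
        sensitive = {f: unseal(self.keys[f], record[f]).decode()
                     for f in SENSITIVE_FIELDS if f in record}
        record.update(sensitive)
        if rid not in self.indexed:  # no index here for this record: rebuild it
            self._index(rid, sensitive)
        return record

def demo():
    gw = ProxyGateway(AppServer(), users={"alice"})  # constructed sample data below
    a = gw.upload("alice", {"to": "bob@example.test", "subject": "Q3 payroll",
                            "body": "Salary table attached"})
    gw.upload("alice", {"to": "bob@example.test", "subject": "Lunch",
                        "body": "Payroll team lunch on Friday"})
    gw2 = ProxyGateway(gw.server, users={"alice"}, keys=gw.keys)  # same keys, no index
    before = gw2.search("alice", "salary")
    plain = gw2.download("alice", a)  # triggers the index rebuild at gw2
    return {"one": gw.search("alice", "payroll"),
            "both": gw.search("alice", "payroll salary"),
            "server_view": gw.server.store[a], "plain": plain,
            "rebuilt": (before, gw2.search("alice", "salary"))}
```

Because the index is built from cached plaintext, the gateway's index and key group carry the same sensitivity as the plaintext itself and need the same access control and storage protection as the data they describe.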
As another embodiment of the present invention, after the step 106 uses the keyword to search in the first search index to obtain the search result, the method further includes:
Step 601, forwarding the data search request to the application server.
Step 602, receiving the search response data sent by the application server, and determining the communication protocol applied by the application server.
Step 603, adding the search result to the search response data according to the communication protocol to obtain a second search result. That is, search results returned by the local index query, such as ciphertext data flags, are added to the application service response data in the format of the communication protocol to obtain the second search result.
Step 604, returning the second search result including the search result to the user side.
The application-oriented ciphertext search method is a method for protecting and searching user private data in a mode where data ownership and data management are separated. The method does not require a special encryption client to be configured at the user side, which reduces the software and hardware requirements of the user side. The original encryption algorithm does not need to be changed: encrypted search can be realized directly with currently common general-purpose encryption algorithms, such as the internationally used AES and RSA and the Chinese national commercial cryptographic algorithms SM2, SM4 and SM9, so the encryption strength and the data security are ensured. Full-text retrieval, multi-keyword search and fuzzy search of ciphertext are supported; the original search function is not sacrificed and is even enhanced. The method is also suitable for encryption and search of files and binary data streams, and so has wide practicability. It is independent of the application service: no cooperation from the service provider is needed and the original service application does not need to be changed, so user data encryption and ciphertext search are transparent to the user, and the user's doubts about encryption security are fundamentally eliminated. Finally, the functionality, efficiency and security of ciphertext data search are ensured while user privacy protection is provided.
The embodiment of the invention also discloses an application-oriented ciphertext searching device. Fig. 3 is a schematic structural diagram of an application-oriented ciphertext search apparatus according to an embodiment of the present invention.
The ciphertext search device for application in the embodiment of the invention comprises:
the first receiving module 301 is configured to receive an application data upload request sent by a user side.
The analyzing module 302 is configured to analyze the application data uploading request to obtain user application data, determine user sensitive data in the user application data, and cache the user sensitive data.
The encryption module 303 is configured to encrypt the user sensitive data in the user application data to obtain ciphertext data, and send the ciphertext data to an application server.
The first establishing module 304 is configured to receive response data returned by the application server, extract first metadata information in the response data, and establish a first search index according to the user sensitive data and the first metadata information.
A second receiving module 305, configured to receive a data search request sent by the user side.
The searching module 306 is configured to parse the data search request to obtain a keyword, and search in a search index by using the keyword to obtain a search result.
A first returning module 307, configured to return the search result to the user side.
In some embodiments, the application-oriented ciphertext search apparatus further comprises:
The third receiving module is used for receiving the application data acquisition request sent by the user side.
The sending module is used for sending the application data acquisition request to the application server.
The fourth receiving module is used for receiving the ciphertext data returned by the application server.
The second establishing module is used for decrypting the ciphertext data to obtain the user application data and sending the user application data to the user side; and judging whether the first search index exists, if not, determining user sensitive data in the user application data, acquiring second metadata information in the ciphertext data, and establishing a second search index according to the user sensitive data and the second metadata information.
In some embodiments, the application-oriented ciphertext search apparatus further comprises:
The verification module is used for analyzing the application data acquisition request to obtain user identity information and verifying whether the user side has the access right according to the user identity information.
When the user side has the access right, the sending module sends the application data acquisition request to the application server side.
In some embodiments, the application-oriented ciphertext search apparatus further comprises:
The forwarding module is used for forwarding the data search request to the application server.
The fifth receiving module is used for receiving the search response data sent by the application server and determining the communication protocol applied by the application server.
The adding module is used for adding the search result into the search response data according to the communication protocol to obtain a second search result.
The second returning module is used for returning the second search result to the user side.
The apparatus of the foregoing embodiment is used to implement the corresponding application-oriented ciphertext search method in the foregoing embodiment, and has the beneficial effects of the corresponding method embodiment, which are not described herein again.
In yet another aspect, an embodiment of the present invention further provides a proxy server, which includes a memory, a processor, and a computer program stored in the memory and executable on the processor, and when the processor executes the program, the processor implements the application-oriented ciphertext search method as described in the above method embodiment.
The proxy server of the foregoing embodiment is used to implement the corresponding application-oriented ciphertext search method in the foregoing embodiment, and has the beneficial effects of the corresponding method embodiment, which are not described herein again.
Finally, an embodiment of the present invention further provides an application-oriented ciphertext search system. Fig. 4 is a schematic structural diagram of an application-oriented ciphertext search system according to an embodiment of the present invention. The application-oriented ciphertext search system comprises: a client 401, an application server 403, and the proxy server 402 of the above embodiments.
Those of ordinary skill in the art will understand that the discussion of any embodiment above is exemplary only and is not intended to imply that the scope of the disclosure, including the claims, is limited to these examples; within the idea of the invention, features in the above embodiments or in different embodiments may also be combined, steps may be implemented in any order, and there are many other variations of the different aspects of the invention as described above, which are not provided in detail for the sake of brevity.
In addition, well known power/ground connections to Integrated Circuit (IC) chips and other components may or may not be shown within the provided figures for simplicity of illustration and discussion, and so as not to obscure the invention. Furthermore, devices may be shown in block diagram form in order to avoid obscuring the invention, and also in view of the fact that specifics with respect to implementation of such block diagram devices are highly dependent upon the platform within which the present invention is to be implemented (i.e., specifics should be well within purview of one skilled in the art). Where specific details (e.g., circuits) are set forth in order to describe example embodiments of the invention, it should be apparent to one skilled in the art that the invention can be practiced without, or with variation of, these specific details. Accordingly, the description is to be regarded as illustrative instead of restrictive.
While the present invention has been described in conjunction with specific embodiments thereof, many alternatives, modifications, and variations of these embodiments will be apparent to those of ordinary skill in the art in light of the foregoing description. For example, other memory architectures (e.g., dynamic RAM (DRAM)) may use the discussed embodiments.
The embodiments of the invention are intended to embrace all such alternatives, modifications and variances that fall within the broad scope of the appended claims. Therefore, any omissions, modifications, substitutions, improvements and the like that may be made without departing from the spirit and principles of the invention are intended to be included within the scope of the invention.

Claims (10)

1. An application-oriented ciphertext search method, comprising:
receiving an application data uploading request sent by a user side;
analyzing the application data uploading request to obtain user application data, determining and caching user sensitive data in the user application data;
encrypting the user sensitive data in the user application data to obtain ciphertext data, and sending the ciphertext data to an application server; acquiring an encryption key group corresponding to the user sensitive data according to an encryption rule preset by an application service; the encryption key set comprises one or more keys for encrypting one or more sensitive data segments of the user sensitive data; encrypting one or more sensitive data segments in the user sensitive data by using the encryption key group according to the encryption rule to obtain the ciphertext data;
receiving response data returned by the application server, extracting first metadata information in the response data, and establishing a first search index according to the user sensitive data and the first metadata information; the first metadata information comprises ID information and ciphertext data marks;
receiving a data search request sent by the user side;
analyzing the data search request to obtain a keyword, and searching in the first search index by using the keyword to obtain a search result;
and returning the search result to the user side.
2. The application-oriented ciphertext search method of claim 1, further comprising:
receiving an application data acquisition request sent by the user side;
sending the application data acquisition request to the application server;
receiving ciphertext data returned by the application server;
decrypting the ciphertext data to obtain the user application data, and sending the user application data to the user side; and judging whether the first search index exists or not, if not, determining the user sensitive data in the user application data, acquiring second metadata information in the ciphertext data, and establishing a second search index according to the user sensitive data and the second metadata information.
3. The ciphertext search method according to claim 2, wherein after receiving the application data obtaining request sent by the user side, the method includes:
analyzing the application data acquisition request to obtain user identity information, and verifying whether the user side has an access right according to the user identity information;
and if the user side has the access right, sending the application data acquisition request to the application server side.
4. The application-oriented ciphertext search method of claim 1, wherein after the searching in the first search index using the keyword to obtain the search result, further comprising:
forwarding the data search request to the application server;
receiving search response data sent by the application server, and determining a communication protocol applied by the application server;
adding the search result to the search response data according to the communication protocol to obtain a second search result;
and returning the second search result to the user terminal.
5. An application-oriented ciphertext search apparatus, comprising:
the first receiving module is used for receiving an application data uploading request sent by a user side;
the analysis module is used for analyzing the application data uploading request to obtain user application data, determining user sensitive data in the user application data and caching the user sensitive data;
the encryption module is used for encrypting the user sensitive data in the user application data to obtain ciphertext data and sending the ciphertext data to an application server; acquiring an encryption key group corresponding to the user sensitive data according to an encryption rule preset by an application service; the encryption key set comprises one or more keys for encrypting one or more sensitive data segments of the user sensitive data; encrypting one or more sensitive data segments in the user sensitive data by using the encryption key group according to the encryption rule to obtain the ciphertext data;
the first establishing module is used for receiving response data returned by the application server, extracting first metadata information in the response data, and establishing a first search index according to the user sensitive data and the first metadata information; the first metadata information comprises ID information and ciphertext data marks;
the second receiving module is used for receiving a data searching request sent by the user side;
the searching module is used for analyzing the data searching request to obtain a keyword, and searching in a searching index by using the keyword to obtain a searching result;
and the first returning module is used for returning the search result to the user side.
6. The application-oriented ciphertext search apparatus of claim 5, further comprising:
a third receiving module, configured to receive an application data acquisition request sent by the user side;
the sending module is used for sending the application data acquisition request to the application server;
the fourth receiving module is used for receiving ciphertext data returned by the application server;
the second establishing module is used for decrypting the ciphertext data to obtain the user application data and sending the user application data to the user side; and judging whether the first search index exists, if not, determining user sensitive data in the user application data, acquiring second metadata information in the ciphertext data, and establishing a second search index according to the user sensitive data and the second metadata information.
7. The application-oriented ciphertext search apparatus of claim 6, further comprising:
the verification module is used for analyzing the application data acquisition request to obtain user identity information and verifying whether the user side has access authority or not according to the user identity information;
and when the user side has the access right, the sending module sends the application data acquisition request to the application server side.
8. The application-oriented ciphertext search apparatus of claim 5, further comprising:
the forwarding module is used for forwarding the data search request to the application server;
a fifth receiving module, configured to receive search response data sent by the application server, and determine a communication protocol applied by the application server;
the adding module is used for adding the search result into the search response data according to the communication protocol to obtain a second search result;
and the second returning module is used for returning the second search result to the user side.
9. A proxy server comprising a memory, a processor and a computer program stored on the memory and executable on the processor, characterized in that the processor implements the method according to any one of claims 1 to 4 when executing the program.
10. An application-oriented ciphertext search system comprises a user side and an application server side, and is characterized by further comprising: an application-oriented ciphertext search apparatus as claimed in any one of claims 5 to 8; or, a proxy server as claimed in claim 9.
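The flow of claims 1 and 2, as an added sketch that is not taken from the patent: a proxy encrypts the fields named by an encryption rule with one key per field, indexes the cached plaintext under the ID the server returns, answers keyword searches from that index, and rebuilds the index on fetch when it is missing. The field names, the `enc:` mark, the in-memory `AppServer` and the HMAC-SHA256 stand-in cipher (chosen to stay standard-library only; an AEAD such as AES-GCM would take its place) are assumptions.

```python
import collections, hashlib, hmac, os, re

RULE = ("subject", "body")   # assumed encryption rule: fields treated as sensitive
MARK = "enc:"                # assumed form of the ciphertext data mark

def _mac(key, msg):
    return hmac.new(key, msg, hashlib.sha256).digest()

def _xor(key, nonce, data):
    # Stand-in cipher: XOR with an HMAC-SHA256 counter keystream (stdlib only).
    ks = b"".join(_mac(key, nonce + i.to_bytes(4, "big")) for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))

def seal(key, text):
    nonce = os.urandom(12)
    ct = _xor(_mac(key, b"enc"), nonce, text.encode())
    return MARK + (nonce + _mac(_mac(key, b"mac"), nonce + ct) + ct).hex()

def unseal(key, blob):
    raw = bytes.fromhex(blob[len(MARK):])
    nonce, tag, ct = raw[:12], raw[12:44], raw[44:]
    if not hmac.compare_digest(tag, _mac(_mac(key, b"mac"), nonce + ct)):
        raise ValueError("ciphertext failed authentication")
    return _xor(_mac(key, b"enc"), nonce, ct).decode()

class AppServer:                 # constructed in-memory stand-in for the application server
    def __init__(self):
        self.rows = {}
    def store(self, rec):
        rid = len(self.rows) + 1
        self.rows[rid] = rec
        return {"id": rid, "marked": [f for f, v in rec.items() if v.startswith(MARK)]}

class Proxy:
    def __init__(self, app):
        self.app, self.index = app, collections.defaultdict(set)
        self.keys = {f: os.urandom(32) for f in RULE}        # encryption key group
    def _add(self, rid, texts):
        for word in re.findall(r"\w+", " ".join(texts).lower()):
            self.index[word].add(rid)
    def upload(self, rec):
        cached = {f: rec[f] for f in RULE if f in rec}       # cache the sensitive data
        out = {**rec, **{f: seal(self.keys[f], v) for f, v in cached.items()}}
        resp = self.app.store(out)                            # server receives ciphertext only
        self._add(resp["id"], [cached[f] for f in resp["marked"] if f in cached])
        return resp["id"]
    def fetch(self, rid):
        row = self.app.rows[rid]
        plain = {f: unseal(self.keys[f], v) if f in self.keys else v for f, v in row.items()}
        if not any(rid in ids for ids in self.index.values()):   # no index entry: rebuild it
            self._add(rid, [plain[f] for f in RULE if f in plain])
        return plain
    def search(self, keyword):
        return sorted(self.index.get(keyword.lower(), ()))
```

The index maps plaintext keywords to record IDs, so the proxy's index store needs the same protection as the encryption key group.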
CN201710586634.3A 2017-07-18 2017-07-18 Application-oriented ciphertext search method, device, proxy server and system Active CN107463848B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710586634.3A CN107463848B (en) 2017-07-18 2017-07-18 Application-oriented ciphertext search method, device, proxy server and system

Publications (2)

Publication Number Publication Date
CN107463848A (en) 2017-12-12
CN107463848B (en) 2021-10-12

Family

ID=60546852

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201710586634.3A Active CN107463848B (en) 2017-07-18 2017-07-18 Application-oriented ciphertext search method, device, proxy server and system

Country Status (1)

Country Link
CN (1) CN107463848B (en)

Families Citing this family (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108304733B (en) * 2018-01-23 2020-06-02 深圳大普微电子科技有限公司 Encrypted data searching method and data storage system capable of encrypted searching
CN108900468A (en) * 2018-05-31 2018-11-27 中融万博网络科技有限公司 A kind of method of secure storage and transmitting user service data
CN110263570B (en) * 2019-05-10 2020-09-25 电子科技大学 Gene data desensitization method for realizing efficient similarity query and access control
CN112637199B (en) * 2020-12-22 2022-08-05 深圳壹账通智能科技有限公司 Method and device for automatically detecting encrypted data, computer equipment and medium
CN116095685B (en) * 2022-06-01 2023-11-14 荣耀终端有限公司 Protection method of key information and terminal equipment

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103049466A (en) * 2012-05-14 2013-04-17 深圳市朗科科技股份有限公司 Full-text search method and system based on distributed cipher-text storage
CN106610995A (en) * 2015-10-23 2017-05-03 华为技术有限公司 Ciphertext index creating method, device and system

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
A Cloud Access Security Broker Based Approach for Encrypted Data Search and Sharing;Chuanyi Liu等;《2017 International Conference on Computing,Networking and Communication(ICNC):Cloud Computing and Big Data》;20170313;第1-5页 *

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant