CN110138749B - Data security protection method and related equipment - Google Patents


Info

Publication number: CN110138749B
Authority: CN (China)
Prior art keywords: terminal, password, server, data, key server
Legal status: Active
Application number: CN201910329967.7A
Other languages: Chinese (zh)
Other versions: CN110138749A (en)
Inventors: 刘红林, 李高峰
Current assignee: Huawei Device Co Ltd; Petal Cloud Technology Co Ltd
Original assignee: Huawei Technologies Co Ltd
Application filed by Huawei Technologies Co Ltd
Priority to CN201910329967.7A
Publication of CN110138749A
Application granted
Publication of CN110138749B

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L 63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L 63/0442 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply asymmetric encryption, i.e. different keys for encryption and decryption
    • H04L 63/0478 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload applying multiple layers of encryption, e.g. nested tunnels or encrypting the content with a first key and then with at least a second key
    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L 63/0815 Network architectures or network communication protocols for network security for authentication of entities providing single-sign-on or federations
    • H04L 63/083 Network architectures or network communication protocols for network security for authentication of entities using passwords
    • H04L 65/00 Network arrangements, protocols or services for supporting real-time applications in data packet communication
    • H04L 65/60 Network streaming of media packets
    • H04L 65/61 Network streaming of media packets for supporting one-way streaming services, e.g. Internet radio
    • H04L 67/00 Network arrangements or protocols for supporting network services or applications
    • H04L 67/01 Protocols
    • H04L 67/10 Protocols in which an application is distributed across nodes in the network
    • H04L 67/1097 Protocols in which an application is distributed across nodes in the network for distributed storage of data in networks, e.g. transport arrangements for network file system [NFS], storage area networks [SAN] or network attached storage [NAS]

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Multimedia (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Storage Device Security (AREA)

Abstract

The embodiment of the invention discloses a data security protection method and related equipment. The method comprises the following steps: the first terminal sends first ciphertext information to the key server; the first ciphertext information is obtained by encrypting a first password by the first terminal according to a public key from the key server; the first terminal receives second ciphertext information sent by the key server; the second ciphertext information is obtained by encrypting a second password of the key server according to the first password after the key server decrypts the first ciphertext information according to a private key corresponding to the public key to obtain the first password; the first terminal decrypts the second ciphertext information according to the first password to obtain a second password; and the first terminal sends the data encrypted by the second password to the storage server. By implementing the embodiment, the safety of the personal data of the user in the cloud backup process can be improved, and the risk of data leakage is avoided.

Description

Data security protection method and related equipment
Technical Field
The present invention relates to data transmission technologies in the field of communications, and in particular, to a data security protection method and related devices.
Background
Cloud backup means backing up a user's personal data, such as contacts, text messages, pictures and videos, to the network in a cloud storage manner. As cloud backup technology matures, more and more users prefer to back up the personal data on their mobile phones to the cloud. This not only frees up a large amount of storage space on the phone, but also lets the user download the personal data from the cloud whenever and wherever needed.
Since most of the personal data on a user's mobile phone involves personal privacy, stronger protection is required for it, so that the user's interests are not harmed by theft of that data. In the prior art, however, there is a risk of leakage both while the user transmits personal data to the cloud through a terminal and while the personal data is stored on a cloud server. How to ensure the security of a user's personal data while enjoying the convenience of cloud backup is a problem that urgently needs to be solved.
Disclosure of Invention
The embodiment of the invention provides a data security protection method and related equipment, which are used for improving the security of user personal data in a cloud backup process, avoiding data leakage risks and realizing better and safer protection of the user personal data.
In a first aspect, an embodiment of the present invention provides a data security protection method, where the method includes: the first terminal sends first ciphertext information to the key server; the first ciphertext information is obtained by encrypting a first password by the first terminal according to a public key from the key server; the first terminal receives the second ciphertext information sent by the key server; the second ciphertext information is obtained by encrypting a second password of the key server according to the first password after the key server decrypts the first ciphertext information according to a private key corresponding to the public key to obtain the first password; the first terminal decrypts the second ciphertext information according to the first password to obtain the second password; and the first terminal sends the data encrypted by the second password to a storage server.
The first terminal encrypts the first password with the public key of the key server to obtain the first ciphertext information. The first ciphertext information can be decrypted to recover the first password only with the private key corresponding to that public key, and only the key server is permitted to use the private key, so only the key server can recover the first password. After decrypting the first password, the key server encrypts its second password with the first password to obtain the second ciphertext information and sends it to the first terminal. The first terminal already holds the first password, so it can decrypt the second ciphertext information directly and obtain the second password. From then on, all data the first terminal sends to the storage server is encrypted with the second password. As this sequence shows, the second password negotiated between the first terminal and the key server for data encryption is protected in transit by layered encryption: the key server issues the second password to the first terminal encrypted under the first password, and the first terminal transmits the first password to the key server under asymmetric encryption (public-key/private-key encryption). At each of these steps, even if an attacker intercepts the data in transit between the terminal and the key server, the content cannot be obtained, because the data is encrypted and the attacker does not hold the corresponding decryption password.
By implementing the embodiment, the safety of the personal data of the user in the cloud backup process can be improved, the risk of data leakage is avoided, and the personal data of the user can be better and more safely protected.
In some implementations, the data is video data, and the video data encrypted by the second password is used for being sent to a second terminal through the storage server to be decrypted and played.
In some implementations, before the first terminal sends the video data encrypted with the second password to a storage server, the method further includes: the first terminal obtains a plurality of video block data according to the original video data; correspondingly, the sending, by the first terminal, the video data encrypted by the second password to the storage server specifically includes: and the first terminal sends the video block data encrypted by the second password to the storage server.
It should be noted that when video data is transmitted over the network in plaintext, online playback can be achieved with ordinary streaming media technology, that is, downloaded video content is played while the download continues. The video data addressed by the invention is encrypted and therefore travels over the network as ciphertext; a conventional scheme cannot stream-play such data and can only play it after the encrypted video data has been downloaded in full and decrypted. With the scheme provided by the invention, no change to the operating system's underlying streaming media code is needed: the original video data is segmented, each segment is encrypted separately, and the encrypted video block data is sent to the storage server, so the second terminal can download the encrypted video block data from the storage server and play each video block as soon as it has been decrypted. The method and device thus achieve both secure transmission of encrypted video data and online playback of that video data, efficiently and quickly, saving a large amount of development cost.
In some implementations, the video data encrypted with the second password is at least one video block of the original video data.
It should be noted that the at least one video block is selected from the plurality of video blocks according to an input instruction directed at that block or blocks. By implementing this embodiment, only part of the original video data is backed up, according to the user's needs, which improves user experience and saves storage space on the storage server.
In some implementations, the obtaining, by the first terminal, a plurality of video block data from original video data includes: the first terminal carries out segmentation processing on the original video data according to the blocking rule information from the storage server to obtain a plurality of video block data; the blocking rule information is determined according to a network bandwidth between the first terminal and the storage server.
In the embodiment, the original video data is segmented according to the segmentation rule determined by the network bandwidth, and each segmented video block data is sent to the storage server, so that network congestion caused by overlarge video block data can be avoided, and the speed of transmitting the video block data from the first terminal to the storage server is increased.
In some implementations, before the first terminal sends the first ciphertext information to the key server, the method further includes: the first terminal receives an access password sent by the authentication server, the access password being generated by the authentication server according to the login information of the first terminal; the first terminal sends a request for the public key to the key server, the request including the access password; and, when the key server has successfully verified the access password through the authentication server, the first terminal receives the public key sent by the key server.
In some implementations, the first terminal sends the access password to the key server together with the first ciphertext information; correspondingly, the first terminal receiving the second ciphertext information sent by the key server specifically includes: when the key server has successfully verified the access password through the authentication server, the first terminal receives the second ciphertext information sent by the key server.
In this embodiment, an authentication server is added in the cloud. Before the key server sends security-relevant data (such as the public key and the second ciphertext information) to a terminal, the authentication server verifies that the user logged in on that terminal is legitimate and grants an access password to a terminal that passes authentication. Verifying the legitimacy of the user's request in this way further improves the security of the user's private data (such as video data) in cloud backup.
In some implementations, the login information of the first terminal and the login information of the second terminal are the same. Through the embodiment, different terminals can be associated through login information (user accounts), and downloading or backup can be realized on different terminals.
In some implementations, the first password is a password generated by the first terminal from a random number. In the embodiment, the first password is randomly generated in the terminal, so that the difficulty of a hacker stealing the first password is increased, and the security is higher.
In a second aspect, an embodiment of the present invention provides a data security protection method, where the method includes: the second terminal sends the first ciphertext information to the secret key server; the first ciphertext information is obtained by encrypting a first password by the second terminal according to a public key from the secret key server; the second terminal receives the second ciphertext information sent by the key server; the second ciphertext information is obtained by encrypting a second password of the key server according to the first password after the key server decrypts the first ciphertext information according to a private key corresponding to the public key to obtain the first password; the second terminal decrypts the second ciphertext information according to the first password to obtain a second password of the key server; and the second terminal decrypts the encrypted data from the storage server according to the second password of the secret key server.
The second terminal encrypts the first password with the public key of the key server to obtain the first ciphertext information. The first ciphertext information can be decrypted to recover the first password only with the private key corresponding to that public key, and only the key server is permitted to use the private key, so only the key server can recover the first password. After decrypting the first password, the key server encrypts its second password with the first password to obtain the second ciphertext information and sends it to the second terminal. The second terminal already holds the first password, so it can decrypt the second ciphertext information directly and obtain the second password. The second terminal then decrypts the encrypted data it obtains from the storage server with the second password. As this sequence shows, the second password negotiated between the second terminal and the key server for data decryption is protected in transit by layered encryption: the key server issues the second password to the second terminal encrypted under the first password, and the second terminal transmits the first password to the key server under asymmetric encryption (public-key/private-key encryption). At each of these steps, even if an attacker intercepts the data in transit between the terminal and the key server, the content cannot be obtained, because the data is encrypted and the attacker does not hold the corresponding decryption password.
By implementing the embodiment, the safety of the personal data of the user in the cloud backup process can be improved, the risk of data leakage is avoided, and the personal data of the user can be better and more safely protected.
In some implementations, the encrypted data is encrypted by the first terminal according to the second password of the key server and sent to the storage server.
In some implementations, the encrypted data is video data encrypted by the first terminal according to a second password of the key server; after the second terminal decrypts the encrypted data from the storage server according to the second password of the key server, the method further includes: and the second terminal plays the decrypted video data.
In some implementation manners, the encrypted video data is obtained by the first terminal encrypting each video block data in the original video data according to the second password.
It should be noted that when video data is transmitted over the network in plaintext, online playback can be achieved with ordinary streaming media technology, that is, downloaded video content is played while the download continues. The video data addressed by the invention is encrypted and therefore travels over the network as ciphertext; a conventional scheme cannot stream-play such data and can only play it after the encrypted video data has been downloaded in full and decrypted. In the embodiment of the invention, the video data held on the storage server was segmented and encrypted block by block by the first terminal, so what the second terminal downloads from the storage server is likewise segmented and encrypted block by block, and the second terminal decrypts and plays each video block as soon as it has downloaded it from the storage server. The method and device thus achieve both secure transmission of encrypted video data and online playback of that video data, efficiently and quickly, saving a large amount of development cost.
In some implementations, the encrypted video data is obtained by encrypting, by the first terminal, at least one video block data in original video data according to the second password.
It should be noted that the at least one video block is selected by the second terminal from the original video data according to an input instruction received at the second terminal. By implementing this embodiment, only part of the original video data is downloaded, according to the user's needs, which improves user experience and saves network bandwidth.
In some implementations, before the second terminal decrypts the encrypted data from the storage server with the second password of the key server, the method further includes: the second terminal sends the storage server a request for one encrypted video block, that block being one of the encrypted video blocks and selected by the second terminal according to a user input instruction; and the second terminal receives that one encrypted video block from the storage server.
In the above embodiment, the second terminal sends the storage server a request for one encrypted video block selected on the basis of input instructions such as fast-forward, fast-rewind, or dragging the playback progress bar to an arbitrary position. By implementing this embodiment, fast-forward, fast-rewind and arbitrary seeking are achieved for encrypted video data, further improving user experience.
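The segmentation and per-block encryption described above for the first terminal, and the second terminal's block-by-block download with fast-forward and seeking, as an added example in Go; it is not code from the patent or from Huawei. Assumptions: the second password is a 32-byte AES-256-GCM key already obtained from the key server; the blocking rule is the hypothetical clamp in ChunkSizeFor, since the patent only says the rule is determined by the bandwidth between terminal and storage server; and the block index and block count are bound into the GCM additional authenticated data, a check the patent does not require but which stops a stored block from being served at the wrong position. The names ChunkSizeFor, Split, EncryptChunks and DecryptChunk are hypothetical, and the video and key in main are constructed stand-ins.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// ChunkSizeFor turns the measured bandwidth (bytes per second) into a block size, the "blocking rule
// information" the storage server sends back. Hypothetical rule: about one second of transfer per block.
func ChunkSizeFor(bytesPerSecond int) int {
	const minChunk, maxChunk = 64 << 10, 4 << 20
	if bytesPerSecond < minChunk {
		return minChunk
	}
	if bytesPerSecond > maxChunk {
		return maxChunk
	}
	return bytesPerSecond
}

// Split cuts the original video into consecutive blocks of chunkSize bytes; the last may be shorter.
func Split(video []byte, chunkSize int) [][]byte {
	if chunkSize <= 0 {
		chunkSize = len(video)
	}
	var chunks [][]byte
	for off := 0; off < len(video); off += chunkSize {
		end := off + chunkSize
		if end > len(video) {
			end = len(video)
		}
		chunks = append(chunks, video[off:end])
	}
	return chunks
}

// chunkAAD binds a block to its position: index and total are authenticated, not encrypted, so a
// block served at the wrong index fails to open. The patent does not call for this; it is the
// check a practitioner would add.
func chunkAAD(index, total int) []byte {
	aad := make([]byte, 16)
	binary.BigEndian.PutUint64(aad[:8], uint64(index))
	binary.BigEndian.PutUint64(aad[8:], uint64(total))
	return aad
}

func newGCM(k2 []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(k2)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptChunks seals every block separately under the second password k2 (AES-256-GCM, fresh
// nonce prefixed to each block); each sealed block is what the first terminal uploads.
func EncryptChunks(k2 []byte, chunks [][]byte) ([][]byte, error) {
	gcm, err := newGCM(k2)
	if err != nil {
		return nil, err
	}
	out := make([][]byte, len(chunks))
	for i, c := range chunks {
		nonce := make([]byte, gcm.NonceSize())
		if _, err := rand.Read(nonce); err != nil {
			return nil, err
		}
		out[i] = gcm.Seal(nonce, nonce, c, chunkAAD(i, len(chunks)))
	}
	return out, nil
}

// DecryptChunk opens the one block the second terminal fetched for a given index, so a seek or
// fast-forward needs only that block before playback, never the whole file.
func DecryptChunk(k2, sealed []byte, index, total int) ([]byte, error) {
	gcm, err := newGCM(k2)
	if err != nil {
		return nil, err
	}
	n := gcm.NonceSize()
	if len(sealed) < n {
		return nil, errors.New("sealed block shorter than nonce")
	}
	return gcm.Open(nil, sealed[:n], sealed[n:], chunkAAD(index, total))
}

func main() {
	k2 := bytes.Repeat([]byte{0x42}, 32)       // stand-in for the negotiated second password
	video := bytes.Repeat([]byte("frame"), 60) // constructed stand-in for a 300-byte video
	stored, err := EncryptChunks(k2, Split(video, 128))
	if err != nil {
		panic(err)
	}
	last, err := DecryptChunk(k2, stored[2], 2, len(stored)) // seek straight to the last block
	fmt.Println(len(stored), bytes.Equal(last, video[256:]), err)
}
```

Because every block carries its own nonce and authentication tag, DecryptChunk works on any single block in any order, which is what a seek to an arbitrary progress-bar position needs; the cost is 28 bytes of overhead per block (12-byte nonce plus 16-byte tag), negligible at the 64 KiB and larger block sizes ChunkSizeFor produces.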
In some implementations, before the second terminal sends the first ciphertext information to the key server, the method further includes: the second terminal receives an access password sent by the authentication server, the access password being generated by the authentication server according to the login information of the second terminal; the second terminal sends a request for the public key to the key server, the request including the access password; and, when the key server has successfully verified the access password through the authentication server, the second terminal receives the public key sent by the key server.
In some implementations, the second terminal sends the access password to the key server together with the first ciphertext information; correspondingly, the second terminal receiving the second ciphertext information sent by the key server specifically includes: when the key server has successfully verified the access password through the authentication server, the second terminal receives the second ciphertext information sent by the key server.
In this embodiment, an authentication server is added in the cloud. Before the key server sends security-relevant data (such as the public key and the second ciphertext information) to a terminal, the authentication server verifies that the user logged in on that terminal is legitimate and grants an access password to a terminal that passes authentication. Verifying the legitimacy of the user's request in this way further improves the security of the user's private data (such as video data) in cloud backup.
In some implementations, the login information of the second terminal is the same as the login information of the first terminal. Through the embodiment, different terminals can be associated through login information (user accounts), and downloading or backup can be realized on different terminals.
In a third aspect, an embodiment of the present invention provides a data security protection method, where the method includes: a secret key server receives first ciphertext information sent by a terminal, wherein the first ciphertext information is obtained by encrypting a first password of the terminal by the terminal according to a public key from the secret key server; the secret key server decrypts the first ciphertext information according to a private key corresponding to the public key to obtain the first password; and the key server sends second ciphertext information to the terminal, the second ciphertext information is obtained by encrypting a second password generated by the key server according to the first password, and the second password is used for performing security protection on data of the terminal.
The terminal encrypts the first password with the public key of the key server to obtain the first ciphertext information. The first ciphertext information can be decrypted to recover the first password only with the private key corresponding to that public key, and only the key server is permitted to use the private key, so only the key server can recover the first password. After decrypting the first password, the key server encrypts its second password with the first password to obtain the second ciphertext information and sends it to the terminal. The terminal already holds the first password, so it can decrypt the second ciphertext information directly and obtain the second password. From then on, all data the terminal sends to the storage server is encrypted with the second password. As this sequence shows, the second password negotiated between the terminal and the key server for data encryption is protected in transit by layered encryption: the key server issues the second password to the terminal encrypted under the first password, and the terminal transmits the first password to the key server under asymmetric encryption (public-key/private-key encryption). At each of these steps, even if an attacker intercepts the data in transit between the terminal and the key server, the content cannot be obtained, because the data is encrypted and the attacker does not hold the corresponding decryption password.
By implementing the embodiment, the safety of the personal data of the user in the cloud backup process can be improved, the risk of data leakage is avoided, and the personal data of the user can be better and more safely protected.
In some implementations, the data is video data, and the second password is used for the terminal to encrypt the video data and send the video data to a storage server.
In some implementations, the data is video data, and the second password is used for the terminal to decrypt the encrypted video data from the storage server.
In some implementations, before the key server receives the first ciphertext information sent by the terminal, the method further includes: the key server receives a request for the public key sent by the terminal, the request including an access password that the authentication server generated in advance according to the login information of the terminal and sent to the terminal; and, when the key server has successfully verified the access password through the authentication server, the key server sends the public key to the terminal.
In some implementations, the key server receives the access password together with the first ciphertext information sent by the terminal; correspondingly, the key server sending the second ciphertext information to the terminal specifically includes: when the key server has successfully verified the access password through the authentication server, the key server sends the second ciphertext information to the terminal.
In this embodiment, an authentication server is added in the cloud. Before the key server sends security-relevant data (such as the public key and the second ciphertext information) to a terminal, the authentication server verifies that the user logged in on that terminal is legitimate and grants an access password to a terminal that passes authentication. Verifying the legitimacy of the user's request in this way further improves the security of the user's private data (such as video data) in cloud backup.
In some implementations, the second password is a password generated by the key server from a random number. In this embodiment, since the second password is generated randomly inside the key server, it is harder for an attacker to steal, and security is higher.
In a fourth aspect, embodiments of the present invention provide a terminal, serving as a first terminal, including a display device, an input device, an output device, one or more memories, one or more processors; wherein the one or more memories store one or more programs; wherein the one or more processors, when executing the one or more programs, cause the terminal to perform the method of the first aspect.
In a fifth aspect, an embodiment of the present invention provides a terminal, serving as a second terminal, including a display device, an input device, an output device, one or more memories, one or more processors; wherein the one or more memories store one or more programs; wherein the one or more processors, when executing the one or more programs, cause the terminal to perform the method of the second aspect.
In a sixth aspect, an embodiment of the present invention provides a server, including an input device, an output device, one or more memories, one or more processors; wherein the one or more memories store one or more programs; wherein the one or more processors, when executing the one or more programs, cause the server to implement the method of the third aspect.
In a seventh aspect, an embodiment of the present invention provides a first terminal, where the first terminal includes an encryption and decryption module and a communication module; in a possible embodiment, the first terminal further includes a segmentation module. The modules are used for implementing the data security protection method described in the first aspect and any implementation manner thereof.
The communication module is used for sending first ciphertext information to the key server; the first ciphertext information is obtained by encrypting a first password by the first terminal according to a public key from the key server;
the communication module is used for receiving the second ciphertext information sent by the key server; the second ciphertext information is obtained by encrypting a second password of the key server according to the first password after the key server decrypts the first ciphertext information according to a private key corresponding to the public key to obtain the first password;
the encryption and decryption module is used for decrypting the second ciphertext information according to the first password to obtain the second password;
the communication module is used for sending the data encrypted by the second password to a storage server.
In a possible embodiment, the data is video data, and the video data encrypted by the second password is used for being sent to a second terminal through the storage server to be decrypted and played.
In a possible embodiment, the segmentation module is configured to obtain a plurality of video block data from the original video data before the communication module sends the video data encrypted by the second password to the storage server; correspondingly, the communication module is used for sending each of the video block data, encrypted separately by the second password, to the storage server.
In a possible embodiment, the video data encrypted by the second password is at least one video block data of the original video data.
In a possible embodiment, the segmentation module is configured to segment the original video data according to segmentation rule information from the storage server to obtain the plurality of video block data; the segmentation rule information is determined according to the network bandwidth between the first terminal and the storage server.
In a possible embodiment, the communication module is configured to receive an access password sent by the authentication server before the communication module sends the first ciphertext information to the key server, the access password being generated by the authentication server according to the login information of the first terminal; to send a request for obtaining the public key to the key server, where the request includes the access password; and to receive the public key sent by the key server when the key server successfully verifies the access password through the authentication server.
In a possible embodiment, the communication module is configured to send the access password to the key server together with the first ciphertext information; correspondingly, the communication module receives the second ciphertext information sent by the key server only when the key server has successfully verified the access password through the authentication server.
In a possible embodiment, the login information of the first terminal is the same as the login information of the second terminal.
In a possible embodiment, the first password is a password generated by the encryption and decryption module according to a random number.
In an eighth aspect, an embodiment of the present invention provides a second terminal, where the second terminal includes a communication module and an encryption and decryption module; in a possible embodiment, the second terminal further includes a playing module. The modules are used for implementing the data security protection method described in the second aspect and any implementation manner thereof.
The communication module is used for sending first ciphertext information to the key server; the first ciphertext information is obtained by encrypting a first password by the second terminal according to a public key from the key server;
the communication module is used for receiving the second ciphertext information sent by the key server; the second ciphertext information is obtained by encrypting a second password of the key server according to the first password after the key server decrypts the first ciphertext information according to a private key corresponding to the public key to obtain the first password;
the encryption and decryption module is used for decrypting the second ciphertext information according to the first password to obtain a second password of the key server;
and the encryption and decryption module decrypts the encrypted data from the storage server according to the second password of the key server.
In a possible embodiment, the encrypted data is encrypted by the first terminal according to the second password of the key server and sent to the storage server.
In a possible embodiment, the encrypted data is video data encrypted by the first terminal according to a second password of the key server; the playing module is used for playing the decrypted video data after the encryption and decryption module decrypts the encrypted data from the storage server according to the second password of the key server.
In a possible embodiment, the encrypted video data is obtained by the first terminal encrypting each video block data in the original video data according to the second password.
In a possible embodiment, the encrypted video data is obtained by encrypting, by the first terminal, at least one video block data in original video data according to the second password.
In a possible embodiment, before the encryption and decryption module decrypts the encrypted data from the storage server according to the second password of the key server, the communication module is configured to send a request for obtaining one encrypted video block data to the storage server, where the requested video block data is one of the encrypted video block data and is determined by the second terminal based on a user input instruction, and to receive that encrypted video block data from the storage server.
In a possible embodiment, the communication module is configured to receive an access password sent by the authentication server before the second terminal sends the first ciphertext information to the key server, the access password being generated by the authentication server according to the login information of the second terminal; to send a request for obtaining the public key to the key server, where the request includes the access password; and to receive the public key sent by the key server when the key server successfully verifies the access password through the authentication server.
In a possible embodiment, the communication module is configured to send the access password to the key server together with the first ciphertext information; correspondingly, the communication module receives the second ciphertext information sent by the key server only when the key server has successfully verified the access password through the authentication server.
In a possible embodiment, the login information of the second terminal is the same as the login information of the first terminal.
In a ninth aspect, an embodiment of the present invention provides a key server, including a communication module and an encryption and decryption module. The modules are used for implementing the data security protection method described in the third aspect and any implementation manner thereof.
The communication module is used for receiving first ciphertext information sent by a terminal, wherein the first ciphertext information is obtained by the terminal encrypting a first password of the terminal according to a public key from the key server;
the encryption and decryption module is used for decrypting the first ciphertext information according to a private key corresponding to the public key to obtain the first password;
the communication module is configured to send second ciphertext information to the terminal, where the second ciphertext information is obtained by encrypting, according to the first password, a second password generated by the key server, and the second password is used to perform security protection on data of the terminal.
In a possible embodiment, the data is video data, and the second password is used for the terminal to encrypt the video data and send the video data to the storage server.
In a possible embodiment, the data is video data, and the second password is used for the terminal to decrypt the encrypted video data from the storage server.
In a possible embodiment, before receiving the first ciphertext information sent by the terminal, the communication module is configured to receive a request sent by the terminal for obtaining the public key, where the request includes an access password; the access password is generated in advance by the authentication server according to the login information of the terminal and is sent to the terminal; and when the access password is successfully verified through the authentication server, the communication module sends the public key to the terminal.
In a possible embodiment, the communication module is configured to receive the access password together with the first ciphertext information sent by the terminal; correspondingly, the communication module sends the second ciphertext information to the terminal only when the authentication server has successfully verified the access password.
In a possible embodiment, the second password is a password generated by the encryption and decryption module according to a random number.
In a tenth aspect, an embodiment of the present invention provides a storage server, including: a communication module, a storage module, wherein:
the communication module is used for receiving data which is sent by the first terminal and encrypted by the second password;
the communication module is used for sending the data encrypted by the second password to the second terminal;
the storage module is used for storing the data which is sent by the first terminal and encrypted by the second password in a database.
In an eleventh aspect, embodiments of the present invention provide a non-volatile computer-readable storage medium; the computer readable storage medium is used for storing code for implementing the method of the first aspect. The program code, when executed by a computing device, is for use in the method of the first aspect.
In a twelfth aspect, embodiments of the present invention provide yet another non-transitory computer-readable storage medium; the computer readable storage medium is used for storing the implementation code of the method of the second aspect. The program code, when executed by a computing device, is for use by the user device in the method of the second aspect.
In a thirteenth aspect, embodiments of the invention provide yet another non-transitory computer-readable storage medium; the computer readable storage medium is used for storing the implementation code of the method of the third aspect. The program code, when executed by a computing device, is for use by the user equipment in the method of the third aspect.
In a fourteenth aspect, an embodiment of the present invention provides a computer program product; the computer program product comprising program instructions which, when executed by a computing device, cause the controller to perform the method of the first aspect as set forth above. The computer program product may be a software installation package, which, in case it is required to use the method provided by any of the possible designs of the first aspect described above, may be downloaded and executed on a controller to implement the method of the first aspect.
In a fifteenth aspect, an embodiment of the present invention provides yet another computer program product. The computer program product comprises program instructions which, when executed by a user device, cause the controller to perform the method provided by any of the possible designs of the second aspect described above. The computer program product may be a software installation package which, in case the method provided using any of the possible designs of the second aspect described above is required, may be downloaded and executed on a controller to implement the method of the second aspect.
In a sixteenth aspect, an embodiment of the present invention provides yet another computer program product. The computer program product comprises program instructions which, when executed by a user equipment, cause the controller to perform the method provided by any of the possible designs of the third aspect described above. The computer program product may be a software installation package, which, in case it is required to use the method provided by any of the possible designs of the third aspect described above, may be downloaded and executed on a controller to implement the method of the third aspect.
It can be seen that, in the embodiment of the present invention, the transmission over the network of the second password negotiated between the terminal and the key server for video data encryption or decryption is protected by layer-by-layer encryption: the key server issues the second password to the terminal encrypted by the first password, and the first password is itself encrypted and transmitted to the key server by the terminal in an asymmetric manner (public key and private key encryption). In addition, an authentication server is added at the cloud, and before the key server sends the relevant security data (for example, the public key and the second ciphertext information) to the terminal, the validity of the user logged in at the terminal is verified through the authentication server. Furthermore, the terminal segments the original video data and encrypts each segment separately before backing up the encrypted video data, thereby realizing both secure transmission of the encrypted video and online playing of the encrypted video. By implementing the embodiment of the invention, the security of user privacy data (such as video data) in cloud backup is improved, and the problem that the conventional scheme cannot play encrypted video data online is solved.
Drawings
In order to more clearly illustrate the technical solutions in the embodiments of the present invention, the drawings used in the description of the embodiments will be briefly introduced below.
Fig. 1 is a schematic diagram of a network architecture for data security protection according to an embodiment of the present invention;
Fig. 2 is a schematic diagram of another network architecture for data security protection according to an embodiment of the present invention;
Fig. 3 is a schematic diagram of an application scenario according to an embodiment of the present invention;
Fig. 4 is a schematic hardware architecture diagram of a terminal device according to an embodiment of the present invention;
Fig. 5 is a schematic hardware architecture diagram of a server according to an embodiment of the present invention;
Fig. 6 is a schematic flow chart of a data security protection method according to an embodiment of the present invention;
Fig. 7 is a schematic flow chart of another data security protection method according to an embodiment of the present invention;
Fig. 8 is a schematic diagram of the cooperative interaction of the components within the devices described in the embodiment of Fig. 6;
Fig. 9 is a schematic functional block diagram of a data security protection system and related devices according to an embodiment of the present invention;
Fig. 10 is a schematic functional block diagram of another data security protection system and related devices according to an embodiment of the present invention.
Detailed Description
The terminology used in the description of the embodiments of the invention herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the invention.
The following describes a conventional scheme in which a user backs up personal data to the cloud and downloads it again through a terminal.
The terminal encrypts the personal data of the user according to the secret key of the user, and then the terminal uploads the encrypted personal data of the user to the storage server for backup. The storage server does not have the secret key of the user, so that the encrypted personal data of the user cannot be accessed. The manufacturer providing the decryption service deploys an independent decryption server, and the decryption server is responsible for acquiring the secret key from the user terminal and storing the secret key in a secret key library. When a user needs to download the user personal data which is backed up at the cloud, the decryption server is responsible for acquiring the user personal data from the storage server, decrypting the user personal data according to the corresponding secret key in the secret key library, and sending the decrypted user personal data to the terminal.
However, in the above process, the decryption server issues the user personal data to the terminal in a plaintext form, and a hacker may intercept the downstream user personal data to directly obtain the user personal data. Therefore, the above scheme has a risk of privacy leakage of personal data.
The embodiment of the invention provides a new data security protection network architecture, which can effectively avoid the risk of user data leakage in the cloud backup process and realize safer protection of personal data of a user. Referring specifically to fig. 1, fig. 1 is a schematic diagram of a network architecture for data security protection provided by the present invention, where the architecture includes:
(1) Key cloud: the key cloud is formed by connecting a plurality of servers deployed at the cloud. A server providing the key service in the key cloud may be called a key server. The key server is responsible for negotiating passwords with the first terminal and the second terminal; the passwords are used by the first terminal to encrypt user personal data and send it to the storage server, and by the second terminal to decrypt the encrypted user personal data from the storage server.
(2) Authentication cloud: the authentication cloud is formed by connecting a plurality of servers deployed at the cloud. A server providing the authentication service in the authentication cloud may be called an authentication server. The authentication server is responsible for authenticating the account and password with which a user logs in through a terminal, and the authenticated user is granted an access password; only a user granted an access password can obtain the key corresponding to the account from the key cloud and store the personal data corresponding to the account in the cloud.
(3) Storage cloud: the storage cloud is formed by connecting a plurality of servers deployed at the cloud. A server providing the storage service in the storage cloud may be called a storage server. The storage server is responsible for storing the personal data uploaded by users after encryption. Since no server in the storage cloud can obtain the key of the user, the content of the encrypted personal data cannot be accessed directly in the storage cloud.
(4) First terminal and second terminal: the first terminal and the second terminal may each include, but are not limited to, portable devices such as mobile handsets, wearable devices, laptop computers, or tablet computers. The first terminal is responsible for encrypting the user personal data to be backed up to the storage cloud according to the password negotiated with the key cloud, and for sending the encrypted user personal data to the storage cloud for storage. The second terminal is responsible for decrypting the encrypted user personal data downloaded from the storage cloud according to the password negotiated with the key cloud.
In another embodiment, the network architecture for data security protection provided by the present invention may also be the network architecture shown in Fig. 2, that is, the key cloud, the authentication cloud, and the storage cloud described above may be combined into one cloud: one or more servers in the cloud may be used as the key server, another one or more servers in the cloud may be used as the authentication server, and yet another one or more servers in the cloud may be used as the storage server. The relevant functions of the key server, the authentication server, and the storage server may refer to the above description. The first terminal and the second terminal perform communication interaction with the servers in the cloud to implement security protection of data, and the relevant functions of the first terminal and the second terminal may refer to the above description.
In order to facilitate understanding of the embodiments of the present invention, the following describes application scenarios related to the embodiments of the present invention.
With the increasingly powerful camera functions of terminals (such as smart phones and tablet computers) and the development of mobile internet technologies, more and more users like to upload videos shot with their terminals to the cloud for storage, so that they can play the videos on other terminals (such as other smart phones or tablet computers). In this usage scenario, the video file data shot by the user with the terminal concerns the user's privacy, and therefore requires a higher level of security protection. In addition, because video file data is large and takes a long time to download, online playing of the video needs to be supported in order to improve the user experience; that is, the user can play the video content from any time point by dragging the playing progress bar without downloading the complete video file.
As shown in Fig. 3, Fig. 3 is a schematic view of a terminal video data backup and download application scenario provided by an embodiment of the present invention. In Fig. 3, a first terminal acquires original video data, where the original video data may be video data stored locally in the first terminal, for example, video data that is shot by the first terminal and stored locally, video data that is sent to the first terminal by other terminal devices, or video data that is downloaded by the first terminal from a network, which is not specifically limited in the present invention. Then the first terminal performs segmentation processing on the original video data to obtain N video block data, where N is a positive integer; the first terminal then encrypts each of the N video block data separately according to the password negotiated with the key server, and sends the encrypted N video block data to the storage server for backup storage. When a user needs to download the backed-up video data through another terminal, the second terminal acquires the corresponding encrypted video block data (which may be all N video block data or only a part of them) from the storage server, decrypts them according to the password negotiated with the key server, and plays each video block data as soon as it is decrypted, thereby realizing online playing of the video data.
In some application scenarios, the first terminal and the second terminal in fig. 3 are two different terminals, such as the following application scenarios: a user shoots a video through a terminal (such as a mobile phone, a tablet personal computer and the like), logs in a cloud through a user account, and uploads the video to the cloud for backup; the user can download and play the video online after other terminals (such as other mobile phones, tablet computers and the like) log in the cloud through the user account.
In other application scenarios, the first terminal and the second terminal in fig. 3 may be the same terminal, for example, the following application scenarios: a user shoots a video through a terminal, logs in a cloud through a user account, and uploads the video to the cloud for backup; due to the fact that the storage space of the terminal is limited, after the user uploads the video to the cloud, the video stored in the terminal is deleted, and the user can still download and play the video on line as long as the user logs in the cloud through the user account.
It is to be understood that the first terminal and the second terminal in the figures are only examples for facilitating understanding of the embodiments of the present invention, and may be multiple terminals.
Referring to fig. 4, fig. 4 is a schematic diagram of a hardware architecture of the terminal referred to in fig. 1-3, and the terminal 400 may include: a chip 410, a memory 411, a Radio Frequency (RF) module 412, a display device 413, an input device 414, and an image pickup device 415. These components may communicate over one or more communication buses 4104. The terminal 400 may be a first terminal or a second terminal.
The chip 410 may be integrated to include: one or more processors 4101, a clock module 4102, and a power management module 4103. The clock module 4102 integrated in the chip 410 is mainly used for generating clocks required for data transmission and timing control for the processor 4101. The power management module 4103 integrated in the chip 410 is mainly used for providing stable and high-precision voltage for the processor 410, the rf module 412 and peripheral systems. For example, when the terminal 400 is a first terminal, the processor 4101 of the first terminal is adapted to perform the steps related to the processor of the first terminal as referred to in the method embodiments of fig. 6 or fig. 7; when the terminal 400 is a second terminal, the processor 4101 of the second terminal is adapted to perform the steps related to the processor of the second terminal as referred to in the method embodiments of fig. 6 or fig. 7.
The memory 411 is coupled to the processor 4101 for storing various software programs and/or sets of instructions. In particular implementations, memory 411 may include high-speed random access memory and may also include non-volatile memory, such as one or more magnetic disk storage devices, flash memory devices, or other non-volatile solid-state storage devices. The memory 411 may store an operating system (hereinafter referred to simply as a system), such as an embedded operating system like ANDROID, IOS, WINDOWS, or LINUX. The memory 411 may also store network communication programs that may be used to communicate with one or more terminal devices. The memory 411 may further store a user interface program, which may vividly display the content of the application program through a graphical operation interface, and receive a control operation of the application program from a user through input controls such as menus, dialog boxes, and buttons. The memory 411 may also store data, e.g. when the terminal 400 is a first terminal, the memory 411 may be used to store the raw video data referred to in the method embodiment of fig. 7 later; when the terminal 400 is a second terminal, the memory 411 may be used to store video block data as referred to in the method embodiment of fig. 7 hereinafter.
A Radio Frequency (RF) module 412 for receiving and transmitting radio frequency signals mainly integrates a receiver and a transmitter of the terminal 400. The Radio Frequency (RF) module 412 communicates with a communication network and other communication devices via radio frequency signals. In particular implementations, the Radio Frequency (RF) module 412 may include, but is not limited to: an antenna system, an RF transceiver, one or more amplifiers, a tuner, one or more oscillators, a digital signal processor, a CODEC chip, a SIM card, a storage medium, and the like. In some embodiments, the Radio Frequency (RF) module 412 may be implemented on a separate chip.
For example, in the method embodiment of fig. 6 or fig. 7, when the terminal 400 is a first terminal or a second terminal, the transmitter may be configured to transmit first ciphertext information and data encrypted by a second cipher, and the receiver may be configured to receive the second ciphertext information.
The display device 413 may be used to display information input by a user or provided to the user by the terminal 400, as well as various graphical user interfaces of the terminal 400, which may be made up of graphics, text, icons, video, and any combination thereof. Specifically, the Display device 413 may include a Display panel and an audio circuit, and optionally, the Display panel may be configured in the form of a Liquid Crystal Display (LCD), an Organic Light-Emitting Diode (OLED), or the like. Although in FIG. 4 the touch sensitive surface and the display panel are shown as two separate components, in some embodiments the touch sensitive surface may be integrated with the display panel to perform input and output functions. For example, the touch-sensitive surface may overlie the display panel, and when a touch operation is detected on or near the touch-sensitive surface, the touch operation is passed to the processor 4101 to determine the type of touch event, and the processor 4101 then provides a corresponding visual output on the display panel in accordance with the type of touch event. For example, in the fig. 7 method embodiment of the present invention, when the terminal 400 is a first terminal, the display device 413 may be used to display and play the original video data; when the terminal 400 is a second terminal, the display device 413 may be used to display the playing video chunk data.
The input device 414 may be used to receive numeric or character information input by a user and to generate keyboard, mouse, joystick, optical or trackball signal inputs related to user settings and function control. In particular, the input device 414 may include a touch-sensitive surface as well as other input devices. The touch-sensitive surface, also called a touch display screen or a touch pad, can collect touch operations of a user on or near the touch-sensitive surface and drive the corresponding connecting device according to a preset program. In particular, other input devices may include, but are not limited to, one or more of a physical keyboard, function keys, a trackball, a mouse, a joystick, and the like. For example, in the method embodiment of fig. 7 of the present invention, when the terminal 400 is a first terminal or a second terminal, the input device 414 may be configured to detect a user operation to obtain an input instruction of the user, where the input instruction may be formed by sliding, touching, clicking, etc. on the touch-sensitive surface.
The camera 415 may be provided with a photosensitive element such as an image sensor for capturing images or videos of a photographed scene, and the camera 415 may be a monocular camera, a binocular camera, or a multi-view camera, for example. For example, in the embodiment of the method of fig. 7, when the terminal 400 is a first terminal, the camera 415 may be used to capture video data.
Referring to fig. 5, fig. 5 is a block diagram of a server structure provided by an embodiment of the present disclosure; the server, and in particular the key server, referred to in fig. 1 to 3 may have the server structure shown in fig. 5. The server includes a processor 501 and a memory for storing processor-executable instructions, wherein the processor is configured to execute the method steps performed by the key server in the method embodiments of fig. 6 or fig. 7.
In a possible embodiment, the server may further include: one or more input interfaces 502, one or more output interfaces 503, and memory 504.
The processor 501, the input interface 502, the output interface 503, and the memory 504 are connected by a bus 505. The memory 504 is configured to store instructions, the processor 501 is configured to execute the instructions stored in the memory 504, the input interface 502 is configured to receive data, such as the first ciphertext information in the method embodiment of fig. 6 or 7, and the output interface 503 is configured to output data, such as the public key and the second ciphertext information in the method embodiment of fig. 6 or 7.
The processor 501 is configured to call the program instructions to perform the method steps performed by the processor of the key server in the method embodiments of fig. 6 or 7.
It should be understood that in the embodiments of the present disclosure, the processor 501 may be a Central Processing Unit (CPU), and may also be another general-purpose processor, a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field Programmable Gate Array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, or the like. A general-purpose processor may be a microprocessor, or the processor may be any conventional processor or the like.
The memory 504 may include a read-only memory and a random access memory, and provides instructions and data to the processor 501. A portion of the memory 504 may also include non-volatile random access memory. For example, the memory 504 may also store information of the interface type.
In some implementations, the above-described components of the server described in embodiments of the present disclosure may be used to perform method steps involving a key server in the method embodiments of fig. 6 or 7 described below.
The following describes in detail a data security protection method provided by an embodiment of the present invention with reference to the accompanying drawings, which can implement more secure protection of user personal data in a cloud backup technology.
Referring to fig. 6, fig. 6 is a schematic flowchart of a data security protection method according to an embodiment of the present invention. In the embodiment of fig. 6, steps 601 to 609 describe a process in which the first terminal encrypts data according to a password negotiated with the key server and sends the encrypted data to the storage server; steps 701 to 710 describe a process in which the second terminal downloads the encrypted data from the storage server and decrypts it according to a password negotiated with the key server to obtain the decrypted data. The first terminal and the key server negotiate to obtain a password for data encryption, and the second terminal and the key server negotiate to obtain a password for data decryption, where both passwords can be transmitted securely over the network. The description proceeds as follows. First, the process in which the first terminal encrypts the data to be backed up and transmits the encrypted data to the storage server is described. This process includes, but is not limited to, the following steps:
601. The key server sends the public key to the first terminal, and correspondingly, the first terminal receives the public key sent by the key server.
602. The first terminal generates a first password, and encrypts the first password according to the public key to obtain first ciphertext information.
603. The first terminal sends the first ciphertext information to the key server, and correspondingly, the key server receives the first ciphertext information sent by the first terminal.
604. The key server decrypts the first ciphertext information using the private key corresponding to the public key to obtain the first password.
605. The key server generates a second password.
606. The key server encrypts the second password using the first password to obtain second ciphertext information.
607. The key server sends the second ciphertext information to the first terminal, and correspondingly, the first terminal receives the second ciphertext information sent by the key server.
608. The first terminal decrypts the second ciphertext information using the first password to obtain the second password.
609. The first terminal encrypts the data according to the second password and sends the data encrypted by the second password to the storage server, and correspondingly, the storage server receives the data encrypted by the second password and sent by the first terminal.
The process in which the first terminal negotiates the second password with the key server, described in steps 601 to 608 above, is now described in detail; the second password is used by the first terminal to encrypt data. The public key and private key described in this application may be a key pair (i.e., a public key and a private key) generated by the RSA asymmetric encryption algorithm, where the public key is the public part of the key pair and the private key is the non-public part. The public key is typically used to encrypt session keys, verify digital signatures, or encrypt data that can then be decrypted with the corresponding private key. The key pair generated by the RSA asymmetric encryption algorithm is guaranteed to be unique worldwide. When this key pair is used, data encrypted with one of the keys must be decrypted with the other: if data is encrypted with the public key, it must be decrypted with the private key corresponding to that public key, and if data is encrypted with the private key, it must be decrypted with the public key; otherwise the data cannot be successfully decrypted.
The first password in step 602 may be a dynamic random password generated by the processor inside the first terminal from a random number. In some embodiments, the first password may be updated after a preset time interval, or updated for different data batches, or dynamically updated according to other conditions, which the present invention does not specifically limit. Dynamically updating the first password helps improve its security and increases the difficulty for a hacker of stealing it.
In the embodiment of the present invention, after the processor inside the first terminal generates the first password, the processor encrypts the first password with the public key of the key server to obtain the first ciphertext information. The first ciphertext information can be decrypted to obtain the first password only with the private key corresponding to the public key of the key server. Even if the first ciphertext information is intercepted by a hacker while it is being transmitted from the first terminal to the key server, the hacker cannot obtain the private key corresponding to the public key and therefore cannot decrypt the first ciphertext information to obtain the first password. The private key corresponding to the public key can be stored in the key server, and only the key server is authorized to use it. After receiving the first ciphertext information sent by the first terminal through the input interface, the key server decrypts the first ciphertext information with the private key corresponding to the public key to obtain the first password. It can be seen that the first password is secure and trusted from the moment it is generated at the first terminal until it is delivered to the key server.
The second password in step 605 may be generated by a processor inside the key server, and may be a dynamic random password generated by that processor from a random number. In some embodiments, the second password may be updated after a preset time interval, or dynamically updated according to other conditions, which this embodiment does not limit. It should be explained that the second password is the password that the key server needs to send to the first terminal; the data that the first terminal sends to the storage server is encrypted with the second password, so the security of the second password directly determines the security of that data. The security of the second password is therefore critical.
From the above it is known that the process by which the first terminal informs the key server of the first password ensures that the first password is secure and trusted. Therefore, the process in which the key server encrypts the second password with the secure and trusted first password to obtain the second ciphertext information and sends the second ciphertext information to the first terminal is also secure and trusted. In this process, even if the second ciphertext information is intercepted by a hacker while it is being transmitted from the key server to the first terminal, the hacker cannot obtain the first password and thus cannot decrypt the second ciphertext information to obtain the second password. After receiving the second ciphertext information sent by the key server, the first terminal decrypts it with the first password it already holds to obtain the second password. It can be seen that the process of sending the second password from the key server to the first terminal is secure and trusted.
In step 609, as can be seen from the above, the second password used by the first terminal to encrypt the data is secure and trusted, so the process in which the first terminal encrypts the data with the second password and sends the encrypted data to the storage server is also secure and reliable. Even if the data encrypted with the second password is intercepted by a hacker during transmission from the first terminal to the storage server, it cannot be decrypted, because the hacker cannot obtain the second password. Therefore, this embodiment can ensure that data is secure and reliable while it is being backed up to the cloud through the terminal.
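The negotiation of steps 601 to 608 and the data protection of steps 609 and 710, as an added example that is not part of the patent: Go code on the standard library, using RSA-OAEP for the first ciphertext information, AES-256-GCM (an assumed choice, since the patent names no symmetric algorithm) for the second ciphertext information and for the backed-up data, and a per-account table on the key server (also an assumption) so that the second terminal obtains the same second password as the first terminal.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)

// KeyServer owns the RSA key pair (its private key never leaves the server, step 604) and keeps
// the second password per account so a second terminal gets the same one (an assumption here).
type KeyServer struct {
	priv      *rsa.PrivateKey
	passwords map[string][]byte // account -> second password
}

func NewKeyServer() (*KeyServer, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &KeyServer{priv: priv, passwords: map[string][]byte{}}, nil
}

// Negotiate is steps 604 to 606: decrypt the first password, fetch or make the second, wrap it.
func (s *KeyServer) Negotiate(account string, firstCiphertext []byte) ([]byte, error) {
	first, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, s.priv, firstCiphertext, nil)
	if err != nil {
		return nil, err
	}
	second, ok := s.passwords[account]
	if !ok {
		second = randomBytes(32) // step 605: a dynamic random second password
		s.passwords[account] = second
	}
	return seal(first, second) // step 606
}

// Terminal is either terminal; Negotiate is its side of steps 601 to 608 (701 to 708 alike).
type Terminal struct{ first, second []byte }

func (t *Terminal) Negotiate(s *KeyServer, account string) error {
	t.first = randomBytes(32) // step 602: a fresh dynamic random first password
	c1, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, &s.priv.PublicKey, t.first, nil) // 601, 602
	if err != nil {
		return err
	}
	c2, err := s.Negotiate(account, c1) // step 603 out, step 607 back
	if err != nil {
		return err
	}
	t.second, err = open(t.first, c2) // step 608
	return err
}

func (t *Terminal) Encrypt(data []byte) ([]byte, error) { return seal(t.second, data) } // step 609
func (t *Terminal) Decrypt(data []byte) ([]byte, error) { return open(t.second, data) } // step 710

// randomBytes draws from the system CSPRNG; a failure there is not recoverable.
func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// seal and open use AES-256-GCM with the nonce prepended. The patent names no symmetric
// algorithm, so AES-GCM is this example's choice; its tag makes tampered input fail in open.
func seal(key, plaintext []byte) ([]byte, error) {
	g, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := randomBytes(g.NonceSize())
	return g.Seal(nonce, nonce, plaintext, nil), nil
}

func open(key, data []byte) ([]byte, error) {
	g, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(data) < g.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return g.Open(nil, data[:g.NonceSize()], data[g.NonceSize():], nil)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}
```

Each terminal chooses its own first password, yet both end up holding the same second password, which is what lets the second terminal decrypt what the first one backed up.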
The following describes a process in which the second terminal downloads the backed-up encrypted data from the storage server and decrypts it. This process includes, but is not limited to, the following steps:
701. The key server sends the public key to the second terminal, and correspondingly, the second terminal receives the public key sent by the key server.
702. The second terminal generates a first password, and encrypts the first password with the public key to obtain first ciphertext information.
703. The second terminal sends the first ciphertext information to the key server, and correspondingly, the key server receives the first ciphertext information sent by the second terminal.
704. The key server decrypts the first ciphertext information using the private key corresponding to the public key to obtain the first password.
705. The key server generates a second password.
706. The key server encrypts the second password using the first password to obtain second ciphertext information.
707. The key server sends the second ciphertext information to the second terminal, and correspondingly, the second terminal receives the second ciphertext information sent by the key server.
708. The second terminal decrypts the second ciphertext information using the first password to obtain the second password.
709. The storage server sends the encrypted data to the second terminal, and correspondingly, the second terminal receives the encrypted data sent by the storage server. The encrypted data may be data encrypted by the first terminal using the second password and transmitted to the storage server; for example, it may be encrypted video data, picture data, text data, or the like.
710. The second terminal decrypts the encrypted data according to the second password.
Steps 701 to 708 are the process in which the second terminal and the key server negotiate the password for data decryption. This process is similar to the process in which the first terminal and the key server negotiate the password for data encryption in steps 601 to 608, and for brevity it is not described again here.
As described in steps 709 and 710, even if the encrypted data is intercepted by a hacker during transmission from the storage server to the second terminal, the hacker cannot obtain the second password and therefore cannot access the content of the encrypted data. After the second terminal receives the encrypted data sent by the storage server, it decrypts the encrypted data inside the terminal using the second password and obtains the decrypted data content. Therefore, by implementing this embodiment, the process in which the user downloads the backed-up data from the cloud through the terminal can be made secure and reliable.
In some embodiments, the data referred to in the embodiment of fig. 6 may be user personal data; that is, the data sent by the first terminal to the storage server and the data sent by the storage server to the second terminal may be user personal data. The user's personal data may be an address list, short messages, pictures, videos, and other data that can involve the user's privacy and therefore require stronger security protection. By implementing this embodiment of the data security protection method, the stronger security protection required for the user's personal data can be achieved.
In the method embodiment shown in fig. 6, after encrypting data according to a password negotiated with the key server, the first terminal sends the encrypted data to the storage server; after downloading the encrypted data from the storage server, the second terminal decrypts it according to the password obtained by negotiating with the key server to obtain the decrypted data. The first terminal and the key server negotiate to obtain the password for data encryption, and the second terminal and the key server negotiate to obtain the password for data decryption, where both passwords are transmitted securely over the network. By implementing this embodiment, the security of the user's private data in cloud backup is improved.
Fig. 7 shows another data security protection method provided by an embodiment of the present invention. The main difference between the embodiment of fig. 6 and the embodiment of fig. 7 is that in the embodiment of fig. 7 an authentication server is added in the cloud, and the authentication server is responsible for verifying the validity of the user logged in at the terminal before the key server sends the relevant security data (e.g. the public key and the second ciphertext information) to the terminal; in addition, the embodiment of fig. 7 applies security protection to video data, and the video data can be played online while being protected. The description proceeds as follows:
First, the process in which the first terminal divides and encrypts the video data to be backed up and then sends the video data to the storage server is described. This process includes, but is not limited to, the following steps:
801. The first terminal sends login information to the authentication server, and correspondingly, the authentication server receives the login information sent by the first terminal.
802. The authentication server sends an access password to the first terminal, and correspondingly, the first terminal receives the access password sent by the authentication server. Specifically, the access password is generated by the authentication server according to login information sent by the first terminal.
In some implementations, the first terminal sends login information to the authentication server through the radio frequency module to request the access password; accordingly, the authentication server receives the login information, generates the access password according to the login information, and sends the generated access password to the first terminal. The login information is a user account, the user account comprises a user name and a password, and the user account is used to identify a user. A user may log in to the authentication server from different terminals using the same user account to obtain an access password granted by the authentication server. The access password is a password granted by the authentication server to the first terminal for obtaining the related security data (e.g., the public key and the second ciphertext information described below), after the authentication server has verified that the user account of the first terminal is a valid user account.
803. The first terminal sends a public key obtaining request to the key server, where the public key obtaining request comprises the access password.
804 to 806. In the case where the key server successfully verifies the access password through the authentication server, the key server sends the public key to the first terminal, and correspondingly, the first terminal receives the public key sent by the key server.
In some implementations, after obtaining the access password from the public key obtaining request sent by the first terminal in step 803, the key server sends the access password to the authentication server to verify whether the user account that sent the public key obtaining request is legitimate. Correspondingly, the authentication server receives the access password, verifies according to the access password whether the user account that sent the public key obtaining request is legitimate, and returns the verification result to the input interface of the key server; if the verification result is that the account is legitimate, the key server sends the public key to the first terminal through its output interface, and correspondingly, the first terminal receives the public key sent by the key server through its radio frequency module.
807. The first terminal generates a first password, and encrypts the first password with the public key to obtain first ciphertext information. The first password is generated in the manner described in step 602 of the method embodiment shown in fig. 6.
808. The first terminal sends the first ciphertext information and the access password to the key server, and correspondingly, the key server receives the first ciphertext information and the access password sent by the first terminal.
809 to 811. In the case where the key server successfully verifies the access password through the authentication server, the key server decrypts the first ciphertext information using the private key corresponding to the public key to obtain the first password.
In some implementations, the output interface of the key server sends the access password to the authentication server to verify whether the user account that sent the first ciphertext information is legitimate. Correspondingly, the authentication server receives the access password, verifies according to the access password whether the user account that sent the first ciphertext information is legitimate, and returns the verification result to the input interface of the key server; if the verification result is that the account is legitimate, the processor of the key server decrypts the first ciphertext information using the private key corresponding to the public key to obtain the first password.
812. The key server generates a second password. The second password is generated in the manner described in step 605 of the method embodiment in fig. 6.
813. The key server encrypts the second password using the first password to obtain second ciphertext information.
814. The key server sends the second ciphertext information to the first terminal, and correspondingly, the first terminal receives the second ciphertext information sent by the key server.
815. The first terminal decrypts the second ciphertext information using the first password to obtain the second password.
816. The first terminal segments the original video data to obtain a plurality of video block data, and encrypts the plurality of video block data with the second password. The original video data may be video data stored locally in the first terminal; for example, it may be video data shot by the first terminal and stored locally, video data sent to the first terminal by other terminal devices, or video data downloaded from a network by the first terminal, which the present invention does not specifically limit.
817. The first terminal sends each video block data encrypted with the second password to the storage server, and correspondingly, the storage server receives each video block data encrypted with the second password sent by the first terminal.
Steps 816 and 817 are explained below.
It should be noted that if video data is transmitted over the network in plaintext, online playing of the video can be achieved with ordinary streaming media technology, that is, the downloaded video content is played while it is being downloaded. The video data addressed in the invention is encrypted, that is, it is transmitted over the network as ciphertext, and online playing of encrypted video data cannot be achieved with the conventional scheme: in the conventional scheme, the video can be played only after the encrypted video data has been completely downloaded and decrypted.
Since ordinary streaming media technology is a low-level basic technology of the operating system, such as the Android operating system (Android) or the Apple operating system (iOS), improving the code implementation of the streaming media technology, for example by integrating video encryption and decryption into it, would involve a large volume of modified code, complex technology, great development difficulty, and a long development cycle. In view of this, the scheme provided by the invention does not modify the code implementation of the operating system's low-level streaming media technology, yet can achieve online playing of encrypted video data; the implementation is efficient and quick, and a large amount of development cost can be saved. The description proceeds as follows:
In the embodiment of the invention, the first terminal divides the original video data to obtain a plurality of video block data, encrypts each of the plurality of video block data with the second password, and transmits each video block data encrypted with the second password to the storage server, so that the storage server stores a plurality of encrypted video block data instead of the encrypted original video data as a whole. When a user downloads the encrypted video data from the storage server through another terminal device, that terminal only needs to download one of the plurality of encrypted video block data; after decrypting that video block data, it can play the decrypted video block data through ordinary streaming media technology, and while playing it, it continues to download the subsequent encrypted video block data, so that online playing of the encrypted video data is achieved. By implementing this embodiment, the problem of online playing of encrypted video data is solved and user experience is improved; the embodiment is efficient and quick to implement, and a large amount of development cost can be saved.
In one implementation, the first terminal segments the original video data according to blocking rule information from the storage server, where the blocking rule information is determined by the storage server according to the network bandwidth between the first terminal and the storage server. In a specific implementation, the first terminal sends a video data storage request to the storage server through the radio frequency module; correspondingly, after receiving the video data storage request, the storage server determines the blocking rule information according to the network bandwidth between the first terminal and the storage server, where the blocking rule information includes the size of the video blocks obtained by splitting the original video data. For example, if the size of the original video data is 100M and the blocking rule information specifies that the original video data is divided in equal proportion into blocks of 4M, then 25 video block data are obtained after division. It should be noted that if the original video data is divided in equal proportion, the sizes of the resulting video blocks may be the same, but the present invention also supports dividing the original video data in unequal proportion, in which case the sizes of the resulting video blocks may differ. Specifically, the size of a video block is positively correlated with the network bandwidth, that is, the larger the network bandwidth, the larger the video block; for example, the size of a video block may be 4M, 8M, 16M, and the like.
Because the video data is generally large, the original video data is segmented according to the segmentation rule determined by the network bandwidth, and each segmented video block data is sent to the storage server, so that network congestion caused by overlarge video block data can be avoided, and the speed of transmitting the video block data from the first terminal to the storage server is increased.
In some implementations, the first terminal segments the original video data, encrypts each segmented video block data, and then numbers each encrypted video block data according to the playing order of the video block data; for example, video block data that comes earlier in the playing order of the original video data may be given a smaller number. Accordingly, the storage server may store the video block data in order of their numbers.
In some implementations, the first terminal may sequentially transmit the respective video block data encrypted with the second password to the storage server according to the number of the respective video block data encrypted with the second password, for example, the transmission order of the video block data with the smaller number is earlier.
In some implementations, steps 816 and 817 can also be implemented by: the first terminal divides the original video data to obtain a plurality of video block data, and encrypts at least one video block data in the original video data according to a second password; the first terminal sends the at least one video block data encrypted by the second password to the storage server, and correspondingly, the storage server receives the at least one video block data encrypted by the second password sent by the first terminal. In specific applications, there are application scenarios where, for example, a user only wants to backup a part of videos in videos captured by a camera device, such as a camera, of a terminal to a cloud, but does not want to backup the entire video to the cloud. The method comprises the steps that a first terminal divides original video data, determines at least one piece of video block data from the plurality of pieces of video block data based on an input instruction of a user after the plurality of pieces of video block data are obtained, wherein the at least one piece of video block data comprises a part of video which needs to be backed up to a cloud end and is determined by the user from the original video, then the first terminal encrypts the at least one piece of video block data according to a second password, and sends the at least one piece of video block data encrypted by the second password to a storage server. By implementing the embodiment, only part of the video data of the original video data can be backed up according to the requirements of the user, so that the user experience can be improved, and the storage space of the storage server can be saved.
In some implementations, determining at least one video block data from the plurality of video block data based on the user input instruction may be implemented by: a user clicks, touches and slides on a touch-sensitive surface (a mobile phone screen) to form a corresponding input instruction, specifically, the input instruction can be formed by triggering a video playing bar to slide on the touch-sensitive surface by the user, and after a video segment corresponding to the sliding range of the video playing bar is segmented, the at least one video block data can be obtained; or, the input instruction may be formed by a user clicking on the touch-sensitive surface to input a video playing start time and a video playing end time trigger, and the at least one piece of video block data may be obtained after the video segment determined by the video playing start time and the video playing end time is subjected to segmentation processing. The following describes a process in which the second terminal downloads the backed-up encrypted video data from the storage server, and decrypts and plays it. This process includes, but is not limited to, the following steps:
901. The second terminal sends login information to the authentication server, and correspondingly the authentication server receives the login information sent by the second terminal, where the login information is the account and password of the user.
902. The authentication server sends an access password to the second terminal, and correspondingly the second terminal receives the access password sent by the authentication server.
903. The second terminal sends a public key obtaining request to the key server, where the request includes the access password.
904-906. When the key server successfully verifies the access password through the authentication server, the key server sends the public key to the second terminal, and correspondingly the second terminal receives the public key sent by the key server.
907. The second terminal generates a first password and encrypts the first password according to the public key to obtain first ciphertext information.
908. The second terminal sends the first ciphertext information and the access password to the key server, and correspondingly the key server receives the first ciphertext information and the access password sent by the second terminal.
909-911. When the key server successfully verifies the access password through the authentication server, the key server decrypts the first ciphertext information according to the private key corresponding to the public key to obtain the first password.
912. The key server generates a second password.
913. The key server encrypts the second password according to the first password to obtain second ciphertext information.
914. The key server sends the second ciphertext information to the second terminal, and correspondingly the second terminal receives the second ciphertext information sent by the key server.
915. The second terminal decrypts the second ciphertext information according to the first password to obtain the second password.
Step 901-.
916 and subsequent steps. The second terminal sends a video block data download request to the storage server; the storage server sends the encrypted video block data to the second terminal according to the request; the second terminal receives the encrypted video block data sent by the storage server, decrypts it according to the second password, and plays the decrypted video block data.
In some implementations, the second terminal sends a video block data download request to the storage server through the radio frequency module, where the request asks for the encrypted video data, and the encrypted video data is obtained by the first terminal encrypting each video block data of the original video data according to the second password. Correspondingly, the storage server receives the request and, in response, sends each video block data encrypted by the second password to the second terminal. When the second terminal receives one of the video block data encrypted by the second password through the radio frequency module, it decrypts that video block data according to the second password already held in the terminal and plays the decrypted video block data. By implementing this embodiment, the user can download the complete backed-up original video data from the cloud (that is, the storage server) and play it online while the download is still in progress.
In some implementations, the second terminal sends a video block data download request to the storage server through the radio frequency module, where the request asks for the encrypted video data, and the encrypted video data is obtained by the first terminal encrypting at least one video block data of the original video data according to the second password. Correspondingly, the storage server receives the request and, in response, sends the at least one video block data encrypted by the second password to the second terminal. When the second terminal receives one of the at least one video block data encrypted by the second password through the radio frequency module, it decrypts that video block data according to the second password already held in the second terminal and plays the decrypted video block data. By implementing this embodiment, the user can download part of the backed-up original video data from the cloud (that is, the storage server) and play it online while the download is still in progress.
To realize fast-forward play, fast-reverse play and play from an arbitrarily dragged progress bar position for encrypted video data, the invention further provides the following implementation: the second terminal sends a request to the storage server for obtaining one encrypted video block data. This encrypted video block data is one of the encrypted video block data, and which one is determined by the second terminal based on a user input instruction. The user input instruction may be formed after the user clicks, touches or slides on a touch-sensitive surface (a mobile phone screen); specifically, the user slides the video playing bar on the touch-sensitive surface, or clicks or touches a fast-forward key or a fast-reverse key, and the processor detects the sliding, clicking or touching operation through the touch-sensitive surface and generates the user input instruction. Correspondingly, the storage server receives the request for obtaining the encrypted video block data and, in response, sends that encrypted video block data to the second terminal, which receives it through the radio frequency module. In a specific implementation, because the video data is file data conforming to a video coding format, the storage positions and playing time points of all key frames of the video data within the file are recorded at the initial position of the video data.
Therefore, before playing the video data, the second terminal always first downloads and decrypts the first video block data of the video data, and then, from the key-frame storage positions and playing time points in that first block, calculates the start position of the key frame corresponding to the time point to which the user fast-forwarded, fast-reversed or dragged the progress bar. The second terminal then adds the start position information of that key frame to the request for obtaining encrypted video block data and sends the request to the storage server; the storage server determines the target video block data according to the start position information, the target video block data being the block that contains the key frame, and sends it to the second terminal; and the processor of the second terminal decrypts the target video block data and plays it on the display panel (such as the mobile phone screen) of the second terminal. By implementing this embodiment, fast-forward play, fast-reverse play and play from an arbitrary progress bar position are realized for encrypted video data, further improving the user experience.
The following illustrates how the storage server determines the target video block data according to the start position information of the key frame in the video data. For example, if the start position of the key frame in the video data is byte 41000, and the size of each video block data obtained when the first terminal segmented the video data is 4 KB, that is, 4096 bytes, then the storage server computes 41000 ÷ 4096 = 10 remainder 40 and determines that the key frame lies in the 11th video block data (block index 10, at offset 40 within that block).
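The key exchange of steps 907-915 and the block lookup just described, written out as one runnable Go program using only the standard library. This is an added example, not code from the patent or from Huawei. Everything concrete in it is an assumption, since the page names no algorithms or sizes: the first and second passwords are 32 random bytes, the public-key step is RSA-OAEP with SHA-256, the symmetric steps (wrapping the second password under the first, and encrypting each video block under the second) use AES-256-GCM with a counter-derived nonce, the block size is 4096 bytes, and the stored blocks are an in-memory slice standing in for the storage server. The access-password check through the authentication server (steps 903-906 and 909-911) is left out, and the names KeyServer, FetchSecondPassword, SplitAndEncrypt, LocateBlock and DecryptBlock are this example's own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/binary"
)

// BlockSize is the assumed segmentation size; 4096 bytes matches the page's worked case.
const BlockSize = 4096

// gcmFor returns AES-256-GCM for a 32-byte key; Open rejects any modified ciphertext.
func gcmFor(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // a wrong key length is a programming error, not a runtime condition
	}
	g, _ := cipher.NewGCM(block) // cannot fail for an AES block cipher
	return g
}

// nonceFor derives the 12-byte GCM nonce from a counter. A (key, counter) pair must never repeat;
// key wrapping uses the first password and video blocks the second, so counter 0 is distinct under each.
func nonceFor(counter uint64) []byte {
	nonce := make([]byte, 12)
	binary.BigEndian.PutUint64(nonce[4:], counter)
	return nonce
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// KeyServer (assumed shape) holds the RSA key pair of steps 903-906 and the step-912 second password; the authentication-server check is omitted.
type KeyServer struct {
	priv           *rsa.PrivateKey
	secondPassword []byte
}

func NewKeyServer() *KeyServer {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return &KeyServer{priv: priv, secondPassword: randomBytes(32)}
}

// Exchange is steps 909-914: unwrap the first password, then seal the second password under it.
func (ks *KeyServer) Exchange(firstCiphertext []byte) ([]byte, error) {
	firstPassword, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, ks.priv, firstCiphertext, nil)
	if err != nil {
		return nil, err // a tampered or garbage first ciphertext yields no key at all
	}
	return gcmFor(firstPassword).Seal(nil, nonceFor(0), ks.secondPassword, nil), nil
}

// FetchSecondPassword is the terminal side of steps 907-915.
func FetchSecondPassword(ks *KeyServer) ([]byte, error) {
	firstPassword := randomBytes(32) // step 907: a fresh random first password per session
	firstCiphertext, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, &ks.priv.PublicKey, firstPassword, nil)
	if err != nil {
		return nil, err
	}
	secondCiphertext, err := ks.Exchange(firstCiphertext) // steps 908 and 914
	if err != nil {
		return nil, err
	}
	return gcmFor(firstPassword).Open(nil, nonceFor(0), secondCiphertext, nil) // step 915
}

// SplitAndEncrypt is the first terminal's segmentation plus per-block encryption; each block is sealed with its index as nonce counter, so a block served at another position fails to open.
func SplitAndEncrypt(secondPassword, video []byte) [][]byte {
	g := gcmFor(secondPassword)
	var blocks [][]byte
	for start := 0; start < len(video); start += BlockSize {
		end := start + BlockSize
		if end > len(video) {
			end = len(video)
		}
		blocks = append(blocks, g.Seal(nil, nonceFor(uint64(len(blocks))), video[start:end], nil))
	}
	return blocks
}

// LocateBlock maps a key-frame byte offset to its block index and offset inside that block (the page's case: 41000 / 4096 = 10 remainder 40).
func LocateBlock(keyFrameOffset int) (index, within int) {
	return keyFrameOffset / BlockSize, keyFrameOffset % BlockSize
}

// DecryptBlock is the second terminal's handling of one downloaded block; stored stands in for the storage server.
func DecryptBlock(secondPassword []byte, index int, stored [][]byte) ([]byte, error) {
	return gcmFor(secondPassword).Open(nil, nonceFor(uint64(index)), stored[index], nil)
}
```

The package has no main; FetchSecondPassword, SplitAndEncrypt, LocateBlock and DecryptBlock are meant to be driven from a test or a main of your own. Two points worth noticing: binding the block index into the nonce means a block the storage server serves at the wrong position is rejected rather than decrypted into garbage, and the key server in this design holds every account's second password in the clear, so RSA-OAEP plus AES-GCM protects the password only on its way to the terminal, not against the key server itself.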
In the embodiment of the present invention, the login information of the first terminal and the login information of the second terminal may be the same, but in some implementations, the login information of the first terminal and the login information of the second terminal may also be designed to be different, but both have an access right to a cloud (e.g., a key server and a storage server). The first terminal and the second terminal may be different terminals or the same terminal. The scheme that the first terminal and the second terminal are different terminals is used for realizing the following application scenarios: a user shoots a video through a camera of a terminal (such as a mobile phone), logs in a cloud through a user account, and uploads the video to the cloud for backup; the user can download and play the video online after other terminals (such as a tablet computer) log in the cloud through the user account. The scheme that the first terminal and the second terminal are the same terminal is used for realizing the following application scenarios: a user shoots a video through a camera of a terminal, logs in a cloud through a user account, and uploads the video to the cloud for backup; due to the fact that the storage space of the terminal is limited, after the user uploads the video to the cloud, the video stored in the terminal is deleted, and the user can still download and play the video on line as long as the user logs in the cloud through the user account.
Compared with the method embodiment of fig. 6, in the method embodiment of fig. 7, an authentication server is added in the cloud, and before the key server sends the relevant security data (e.g., the public key and the second ciphertext information) to the terminal, the validity of the login user of the terminal needs to be verified through the authentication server; in addition, the encrypted data in the embodiment of fig. 7 is encrypted video data, and the terminal performs segmentation to obtain a plurality of video block data before the terminal performs backup on the encrypted video data, so that online playing of the encrypted video is realized. By implementing the embodiment, the security of user privacy data (such as video data) in cloud backup is further improved, and the problem that the conventional scheme cannot play encrypted video data online is solved.
The related method of the embodiment of the present invention is described above, and the related apparatus of the embodiment of the present invention is described below based on the same inventive concept.
Referring to fig. 8, fig. 8 is a schematic diagram of functional modules of a data security protection system and related devices according to an embodiment of the present invention.
Fig. 8 shows a schematic structural diagram of an embodiment of a first terminal 1000, a second terminal 1100, a key server 1200 and a storage server 1300, and a communication system formed by the four according to an embodiment of the present invention. As shown in fig. 8, there may be a communication connection, for example, a wireless connection, between the first terminal 1000 and the key server 1200, between the first terminal 1000 and the storage server 1300, between the second terminal 1100 and the key server 1200, and between the second terminal 1100 and the storage server 1300, so that data communication between the above devices can be realized. The description is developed below.
As shown in fig. 8, the first terminal 1000 may include an encryption and decryption module 1002 and a communication module 1003, and in an embodiment may further include a segmentation module 1001. The encryption and decryption module 1002 may be executed by the processor 4101 described in the foregoing embodiment of fig. 4, the communication module 1003 may be implemented by the radio frequency module 412 described in fig. 4, and the segmentation module 1001 may be executed by the processor 4101 described in the embodiment of fig. 4, where:
the communication module 1003 may be configured to send the first ciphertext message to the key server; the first ciphertext information is obtained by encrypting a first password by the first terminal according to a public key from the key server;
the communication module 1003 may be configured to receive the second ciphertext message sent by the key server; the second ciphertext information is obtained by encrypting a second password of the key server according to the first password after the key server decrypts the first ciphertext information according to a private key corresponding to the public key to obtain the first password;
the encryption and decryption module 1002 may be configured to decrypt the second ciphertext information according to the first password to obtain the second password;
the communication module 1003 may be configured to send the data encrypted with the second password to the storage server.
In a possible embodiment, the data is video data, and the video data encrypted by the second password is sent through the storage server to a second terminal, which decrypts and plays it.
In a possible embodiment, the segmentation module 1001 may be configured to obtain a plurality of video block data from the original video data before the communication module 1003 sends the video data encrypted by the second password to the storage server; accordingly, the communication module 1003 may be configured to send each video block data encrypted by the second password to the storage server.
In a possible embodiment, the video data encrypted by the second password is at least one video block data of the original video data.
In a possible embodiment, the segmentation module 1001 may be configured to perform segmentation processing on the original video data according to the segmentation rule information from the storage server to obtain the plurality of video block data; the blocking rule information is determined according to a network bandwidth between the first terminal and the storage server.
In a possible embodiment, the communication module 1003 may be configured to receive an access password sent by the authentication server before the communication module 1003 sends the first ciphertext information to the key server, where the access password is generated by the authentication server according to the login information of the first terminal; to send a request for obtaining the public key to the key server, where the request includes the access password; and to receive the public key sent by the key server under the condition that the key server successfully verifies the access password through the authentication server.
In a possible embodiment, the communication module 1003 may be configured to send the first ciphertext information to the key server and also send the access password to the key server; correspondingly, the communication module 1003 being configured to receive the second ciphertext information sent by the key server specifically includes: the communication module 1003 may be configured to receive the second ciphertext information sent by the key server under the condition that the key server successfully verifies the access password through the authentication server.
In a possible embodiment, the login information of the first terminal is the same as the login information of the second terminal.
In a possible embodiment, the first password is a password generated by the encryption and decryption module 1002 according to a random number.
As shown in fig. 8, the second terminal 1100 may include a communication module 1101 and an encryption and decryption module 1102, and in an embodiment may further include a playing module 1103. The communication module 1101 may be implemented by the radio frequency module 412 described in fig. 4, the encryption and decryption module 1102 may run on the processor 4101 described in the embodiment of fig. 4, and the playing module 1103 may be implemented by the display device 413 described in fig. 4, where:
the communication module 1101 may be configured to send the first ciphertext information to the key server; the first ciphertext information is obtained by encrypting a first password by the second terminal according to a public key from the key server;
the communication module 1101 may be configured to receive the second ciphertext message sent by the key server; the second ciphertext information is obtained by encrypting a second password of the key server according to the first password after the key server decrypts the first ciphertext information according to a private key corresponding to the public key to obtain the first password;
the encryption and decryption module 1102 may be configured to decrypt the second ciphertext information according to the first password to obtain a second password of the key server;
the encryption/decryption module 1102 decrypts the encrypted data from the storage server according to the second password of the key server.
In a possible embodiment, the encrypted data is encrypted by the first terminal according to the second password of the key server and sent to the storage server.
In a possible embodiment, the encrypted data is video data encrypted by the first terminal according to a second password of the key server; the playing module 1103 may be configured to play the decrypted video data after the encryption/decryption module 1102 decrypts the encrypted data from the storage server according to the second password of the key server.
In a possible embodiment, the encrypted video data is obtained by the first terminal encrypting each video block data in the original video data according to the second password.
In a possible embodiment, the encrypted video data is obtained by encrypting, by the first terminal, at least one video block data in original video data according to the second password.
In a possible embodiment, the communication module 1101 may be configured to send a request to the storage server for obtaining an encrypted video block data before the encryption/decryption module 1102 decrypts the encrypted data from the storage server according to the second password of the key server; the encrypted video block data is one of the encrypted video block data, and the video block data is determined by the second terminal based on a user input instruction; receiving the encrypted video block data from the storage server.
In a possible embodiment, the communication module 1101 may be configured to receive an access password sent by the authentication server before the second terminal sends the first ciphertext information to the key server, where the access password is generated by the authentication server according to the login information of the second terminal; to send a request for obtaining the public key to the key server, where the request includes the access password; and to receive the public key sent by the key server under the condition that the key server successfully verifies the access password through the authentication server.
In a possible embodiment, the communication module 1101 may be configured to send the first ciphertext information to the key server and also send the access password to the key server; correspondingly, the communication module 1101 being configured to receive the second ciphertext information sent by the key server specifically includes: the communication module 1101 may be configured to receive the second ciphertext information sent by the key server under the condition that the key server successfully verifies the access password through the authentication server.
In a possible embodiment, the login information of the second terminal is the same as the login information of the first terminal.
As shown in fig. 8, the key server 1200 may include: a communication module 1201 and an encryption/decryption module 1202, wherein:
the communication module 1201 can be configured to receive first ciphertext information sent by a terminal, where the first ciphertext information is obtained by encrypting, by the terminal, a first password of the terminal according to a public key from the key server;
the encryption and decryption module 1202 may be configured to decrypt the first ciphertext information according to a private key corresponding to the public key to obtain the first password;
the communication module 1201 may be configured to send second ciphertext information to the terminal, where the second ciphertext information is obtained by encrypting, according to the first password, a second password generated by the key server, and the second password is used to perform security protection on data of the terminal.
In a possible embodiment, the data is video data, and the second password is used for the terminal to encrypt the video data and send the video data to the storage server.
In a possible embodiment, the data is video data, and the second password is used for the terminal to decrypt the encrypted video data from the storage server.
In a possible embodiment, the communication module 1201 may be configured to receive, before receiving the first ciphertext information sent by the terminal, a request sent by the terminal to obtain the public key, where the request includes an access password that the authentication server generated in advance according to the login information of the terminal and sent to the terminal; and to send the public key to the terminal under the condition that the access password is successfully verified through the authentication server.
In a possible embodiment, the communication module 1201 may be configured to receive the access password together with the first ciphertext information sent by the terminal; correspondingly, the communication module 1201 being configured to send the second ciphertext information to the terminal specifically is: the communication module 1201 may be configured to send the second ciphertext information to the terminal under the condition that the access password is successfully verified through the authentication server.
In a possible embodiment, the second password is a password generated by the encryption and decryption module 1202 according to a random number.
As shown in fig. 8, the storage server 1300 may include: a communication module 1301 and a storage module 1302, wherein:
the communication module 1301 may be configured to receive data encrypted by the second password sent by the first terminal;
the communication module 1301 may be configured to send the data encrypted with the second password to the second terminal;
the storage module 1302 may be configured to store the data sent by the first terminal encrypted by the second password in a database.
It should be noted that, please refer to the descriptions of the embodiments in fig. 6 and fig. 7 for details not mentioned in the embodiment in fig. 8 and specific implementations of various functional modules, for example, in fig. 6, for the first terminal 1000, the encryption/decryption module 1002 may be configured to perform steps 602 and 608, and the communication module 1003 may be configured to perform steps 601, 603, and 607; for the second terminal 1100, the communication module 1101 may be configured to perform steps 701, 703, 707, 709, and the encryption/decryption module 1102 may be configured to perform steps 702, 708, 710; for the key server 1200, the communication module 1201 may be configured to perform steps 601, 603, 607, 701, 703, 707, and the encryption/decryption module 1202 may be configured to perform steps 604, 605, 606, 704, 705, 706; for the storage server 1300, the communication module 1301 may be used to perform steps 609, 709, and the storage module 1302 may be used to store the encrypted data of step 609. For brevity, no further description is provided herein.
The following describes in detail the cooperation relationship between each module in the first terminal 1000 and each module in the key server 1200 in the embodiment of the present invention, and the cooperation relationship between each module in the second terminal 1100 and each module in the key server 1200 in the embodiment of the present invention, taking the embodiment of fig. 6 as an example, please refer to fig. 9 and fig. 10.
Referring to fig. 9, the following mainly describes an interaction process between each module inside the first terminal and each component inside the key server.
1401. The communication module 1003 sends a public key request to the communication module 1201.
1402. The communication module 1201 transmits the public key to the communication module 1003.
1403. The encryption and decryption module 1002 generates a first password, and encrypts the first password according to the public key acquired from the communication module 1003 to obtain first ciphertext information.
1404. The communication module 1003 transmits the first ciphertext information to the communication module 1201.
1405. The encryption and decryption module 1202 decrypts the first ciphertext information according to the private key corresponding to the public key to obtain the first password.
1406. The encryption and decryption module 1202 encrypts the second password according to the first password to obtain second ciphertext information.
1407. The communication module 1201 transmits the second ciphertext information to the communication module 1003.
1408. The encryption and decryption module 1002 decrypts the second ciphertext information according to the first password to obtain a second password.
1409. The encryption and decryption module 1002 sends the second password to the segmentation module 1001 inside the first terminal.
1410. The segmentation module 1001 segments the original video data to obtain a plurality of video block data and encrypts the plurality of video block data according to the second password.
1411. The communication module 1003 sends the video block data encrypted by the second password to the storage server.
1412. The storage server stores the encrypted video chunk data.
Referring to fig. 10, the following mainly describes an interaction process between each module inside the second terminal and each component inside the key server.
1501. The communication module 1101 sends a public key request to the communication module 1201.
1502. The communication module 1201 sends the public key to the communication module 1101.
1503. The encryption/decryption module 1102 generates a first password, and encrypts the first password according to the public key acquired from the communication module 1101 to obtain first ciphertext information.
1504. The communication module 1101 transmits the first ciphertext information to the communication module 1201.
1505. The encryption and decryption module 1202 decrypts the first ciphertext information according to the private key corresponding to the public key to obtain the first password.
1506. The encryption and decryption module 1202 encrypts the second password according to the first password to obtain second ciphertext information.
1507. The communication module 1201 transmits the second ciphertext information to the communication module 1101.
1508. The encryption and decryption module 1102 decrypts the second ciphertext information according to the first password to obtain a second password.
1509. The encryption/decryption module 1102 sends the second password to the playing module 1103 in the second terminal 1100.
1510. The playing module 1103 sends a video block data download request to the storage server through the communication module 1101.
1511. The storage server sends the encrypted video block data to the communication module 1101.
1512. The playing module 1103 decrypts the encrypted video block data according to the second password.
1513. The playing module 1103 plays the decrypted video block data.
It should be noted that fig. 9 is only one implementation manner of the embodiment of the present invention, and in practical applications, the first terminal 1000 or the key server 1200 may further include more or less components, which is not limited herein. Fig. 10 is merely an implementation manner of the embodiment of the present invention, and in practical applications, the second terminal 1100 or the key server 1200 may further include more or less components, which is not limited herein.
The above embodiments may be implemented in whole or in part by software, hardware, firmware, or any combination thereof. When implemented in software, they may be implemented in whole or in part in the form of a computer program product. The computer program product comprises one or more computer program instructions which, when loaded and executed on a computer, cause a process or function according to an embodiment of the invention to be performed in whole or in part. The computer may be a general purpose computer, a special purpose computer, a network of computers, or another programmable device. The computer instructions may be stored in a computer-readable storage medium or transmitted from one computer-readable storage medium to another; for example, the computer instructions may be transmitted from one network site, computer, server, or data center to another by wire (such as coaxial cable, optical fiber, or digital subscriber line) or wirelessly (such as infrared or microwave). The computer-readable storage medium may be any available medium that a computer can access, or a data storage device such as a server or data center that integrates one or more available media. The available media may be magnetic media (such as floppy disks, hard disks, or tapes), optical media (such as DVDs), or semiconductor media (such as solid state drives).
In the foregoing embodiments, the descriptions of the respective embodiments have respective emphasis, and for parts that are not described in detail in a certain embodiment, reference may be made to related descriptions of other embodiments.

Claims (27)

1. A data security protection method, comprising:
the first terminal sends first ciphertext information to the key server; the first ciphertext information is obtained by encrypting a first password by the first terminal according to a public key from the key server;
the first terminal receives second ciphertext information sent by the key server; the second ciphertext information is obtained by encrypting a second password of the key server according to the first password after the key server decrypts the first ciphertext information according to a private key corresponding to the public key to obtain the first password;
the first terminal decrypts the second ciphertext information according to the first password to obtain the second password;
and the first terminal sends the data encrypted by the second password to a storage server.
2. The method according to claim 1, wherein the data is video data, and the video data encrypted by the second password is used for decryption and playing by being sent to a second terminal through the storage server.
3. The method of claim 2, wherein before the first terminal sends the video data encrypted by the second password to a storage server, the method further comprises:
the first terminal obtains a plurality of video block data according to the original video data;
correspondingly, the sending, by the first terminal, the video data encrypted by the second password to the storage server specifically includes:
and the first terminal sends the video block data encrypted by the second password to the storage server.
4. The method of claim 2, wherein the video data encrypted by the second password is at least one video block data of original video data.
5. The method of claim 3, wherein the first terminal obtains a plurality of video block data from the original video data, comprising:
the first terminal carries out segmentation processing on the original video data according to the blocking rule information from the storage server to obtain a plurality of video block data; the blocking rule information is determined according to a network bandwidth between the first terminal and the storage server.
6. The method according to any one of claims 1-5, wherein before the first terminal sends the first ciphertext information to the key server, the method further comprises:
the first terminal receives an access password sent by an authentication server, the access password being generated by the authentication server according to the login information of the first terminal;
the first terminal sends a request for obtaining the public key to the key server, the request including the access password;
and when the key server has successfully verified the access password with the authentication server, the first terminal receives the public key sent by the key server.
7. The method of claim 6, wherein the first terminal sends the access password to the key server together with the first ciphertext information;
and correspondingly, the first terminal receiving the second ciphertext information sent by the key server specifically comprises:
when the key server has successfully verified the access password with the authentication server, the first terminal receiving the second ciphertext information sent by the key server.
8. The method according to any one of claims 2-5, wherein the login information of the first terminal and the login information of the second terminal are the same.
9. The method according to any one of claims 1-5, wherein the first password is generated by the first terminal from a random number.
10. A data security protection method, comprising:
a second terminal sends first ciphertext information to a key server, the first ciphertext information being obtained by the second terminal encrypting a first password with a public key from the key server;
the second terminal receives second ciphertext information sent by the key server, the second ciphertext information being obtained by the key server decrypting the first ciphertext information with a private key corresponding to the public key to obtain the first password and then encrypting a second password of the key server with the first password;
the second terminal decrypts the second ciphertext information with the first password to obtain the second password of the key server;
and the second terminal decrypts encrypted data from a storage server with the second password of the key server.
11. The method of claim 10, wherein the encrypted data is data encrypted by a first terminal with the second password of the key server and sent to the storage server.
12. The method according to claim 11, wherein the encrypted data is video data encrypted by the first terminal with the second password of the key server, and after the second terminal decrypts the encrypted data from the storage server with the second password of the key server, the method further comprises: the second terminal plays the decrypted video data.
13. The method according to claim 12, wherein the encrypted video data is obtained by the first terminal encrypting each video block of the original video data with the second password.
14. The method of claim 12, wherein the encrypted video data is obtained by the first terminal encrypting at least one video block of the original video data with the second password.
15. The method of claim 13, wherein before the second terminal decrypts the encrypted data from the storage server with the second password of the key server, the method further comprises:
the second terminal sends a request for one encrypted video block to the storage server, the requested block being one of the encrypted video blocks and being determined by the second terminal based on a user input instruction;
the second terminal receives that one encrypted video block from the storage server.
16. The method according to any one of claims 10-15, wherein before the second terminal sends the first ciphertext information to the key server, the method further comprises:
the second terminal receives an access password sent by an authentication server, the access password being generated by the authentication server according to the login information of the second terminal;
the second terminal sends a request for obtaining the public key to the key server, the request including the access password;
and when the key server has successfully verified the access password with the authentication server, the second terminal receives the public key sent by the key server.
17. The method of claim 16, wherein the second terminal sends the access password to the key server together with the first ciphertext information;
and correspondingly, the second terminal receiving the second ciphertext information sent by the key server specifically comprises:
when the key server has successfully verified the access password with the authentication server, the second terminal receiving the second ciphertext information sent by the key server.
18. The method according to any one of claims 11-15, wherein the login information of the second terminal is the same as the login information of the first terminal.
19. A data security protection method, comprising:
a key server receives first ciphertext information sent by a terminal, the first ciphertext information being obtained by the terminal encrypting a first password of the terminal with a public key from the key server;
the key server decrypts the first ciphertext information with a private key corresponding to the public key to obtain the first password;
and the key server sends second ciphertext information to the terminal, the second ciphertext information being obtained by encrypting a second password generated by the key server with the first password and being decrypted by the terminal with the first password to obtain the second password, the second password being used for the security protection of the terminal's data.
20. The method of claim 19, wherein the data is video data, and the second password is used by the terminal to encrypt the video data before sending it to a storage server.
21. The method of claim 19, wherein the data is video data, and the second password is used by the terminal to decrypt encrypted video data from a storage server.
22. The method according to any one of claims 19-21, wherein before the key server receives the first ciphertext information sent by the terminal, the method further comprises:
the key server receives a request for obtaining the public key sent by the terminal, the request including an access password that was generated in advance by an authentication server according to the login information of the terminal and sent to the terminal;
and when the key server has successfully verified the access password with the authentication server, the key server sends the public key to the terminal.
23. The method of claim 22, wherein the key server receives the access password together with the first ciphertext information sent by the terminal;
and correspondingly, the key server sending the second ciphertext information to the terminal specifically comprises:
when the key server has successfully verified the access password with the authentication server, the key server sending the second ciphertext information to the terminal.
24. The method according to any one of claims 19-21, wherein the second password is generated by the key server from a random number.
25. A terminal, functioning as a first terminal, comprising display means, input means, output means, one or more memories, one or more processors; wherein the one or more memories store one or more programs; wherein the one or more processors, when executing the one or more programs, cause the terminal to implement the method of any of claims 1-9.
26. A terminal, for use as a second terminal, comprising display means, input means, output means, one or more memories, one or more processors; wherein the one or more memories store one or more programs; wherein the one or more processors, when executing the one or more programs, cause the terminal to implement the method of any of claims 10 to 18.
27. A server comprising an input device, an output device, one or more memories, one or more processors; wherein the one or more memories store one or more programs; wherein the one or more processors, when executing the one or more programs, cause the server to implement the method of any of claims 19-24.
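The claims above describe one protocol seen from three sides: the uploading terminal (claims 1-9), the playing terminal (claims 10-18) and the key server (claims 19-24). The Go program below is an added example of that exchange, written for this page; it is not code from the patent or from Huawei. The claims name no algorithms, so the choices here are assumptions: RSA-2048 with OAEP carries the first password, AES-256-GCM is the "encryption with a password", and SHA-256 turns a 32-byte random password into the AES key. The authentication server is modeled as a map from issued access passwords to login information that the key server consults (claims 6, 16 and 22 are simplified: only the exchange step is gated, and the public key is handed out freely); the bandwidth-derived blocking rule of claim 5 is reduced to a fixed block size; the account name and the sample video bytes are constructed test data; all parties run in one process with no network. Every type and function name (AuthServer, KeyServer, Seal, Open, Exchange, FetchSecondPassword, Roundtrip) is this example's own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Assumed primitives (the claims name none): RSA-2048/OAEP carries the first
// password, AES-256-GCM is the "encryption with a password", and SHA-256 turns
// a random password into the AES key. All parties run in one process here.

func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // a failing CSPRNG is not recoverable
	}
	return b
}

func aead(pw []byte) cipher.AEAD {
	key := sha256.Sum256(pw)
	block, _ := aes.NewCipher(key[:]) // cannot fail for a 32-byte key
	gcm, _ := cipher.NewGCM(block)    // cannot fail for AES
	return gcm
}

// Seal prepends a fresh random nonce, so one password may protect many blocks.
func Seal(pw, plaintext []byte) []byte {
	gcm := aead(pw)
	nonce := randBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, nil)
}

// Open reverses Seal; the GCM tag makes any tampering fail closed.
func Open(pw, sealed []byte) ([]byte, error) {
	gcm := aead(pw)
	if len(sealed) < gcm.NonceSize() {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}

// AuthServer maps each access password it issued to the login information
// behind it; the key server consults it before answering (claims 6, 16, 22).
type AuthServer map[string]string

func (a AuthServer) Login(loginInfo string) string {
	ap := fmt.Sprintf("%x", randBytes(16))
	a[ap] = loginInfo
	return ap
}

// KeyServer holds the RSA key pair and one second password per account, so
// terminals sharing login information (claims 8, 18) obtain the same key.
type KeyServer struct {
	auth   AuthServer
	priv   *rsa.PrivateKey
	second map[string][]byte
}

func (k *KeyServer) PublicKey() *rsa.PublicKey { return &k.priv.PublicKey }

// Exchange is claims 19 and 23: verify the access password, recover the first
// password with the private key, return the second password sealed under it.
func (k *KeyServer) Exchange(ap string, c1 []byte) ([]byte, error) {
	account, ok := k.auth[ap]
	if !ok {
		return nil, fmt.Errorf("access password rejected")
	}
	p1, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, k.priv, c1, nil)
	if err != nil {
		return nil, err
	}
	if _, ok := k.second[account]; !ok {
		k.second[account] = randBytes(32) // from a random number (claim 24)
	}
	return Seal(p1, k.second[account]), nil
}

// FetchSecondPassword is the terminal side (claims 1, 7, 10, 17).
func FetchSecondPassword(ks *KeyServer, ap string) ([]byte, error) {
	p1 := randBytes(32) // first password from a random number (claim 9)
	c1, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, ks.PublicKey(), p1, nil)
	if err != nil {
		return nil, err
	}
	c2, err := ks.Exchange(ap, c1)
	if err != nil {
		return nil, err
	}
	return Open(p1, c2)
}

// Roundtrip runs the whole flow: the first terminal splits the video (the block
// size stands in for the storage server's bandwidth rule, claim 5) and uploads
// each block sealed separately; a second terminal on the same account, in its
// own session, fetches the key and opens just the block it wants (claim 15).
func Roundtrip(video []byte, blockSize, wanted int) ([]byte, error) {
	if blockSize <= 0 {
		return nil, fmt.Errorf("block size must be positive")
	}
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	auth := AuthServer{}
	ks := &KeyServer{auth: auth, priv: priv, second: map[string][]byte{}}
	p2, err := FetchSecondPassword(ks, auth.Login("alice@example.test")) // constructed account
	if err != nil {
		return nil, err
	}
	var storage [][]byte // the storage server only ever holds ciphertext
	for len(video) > blockSize {
		storage, video = append(storage, Seal(p2, video[:blockSize])), video[blockSize:]
	}
	storage = append(storage, Seal(p2, video))
	if wanted < 0 || wanted >= len(storage) {
		return nil, fmt.Errorf("no block %d", wanted)
	}
	p2b, err := FetchSecondPassword(ks, auth.Login("alice@example.test"))
	if err != nil {
		return nil, err
	}
	return Open(p2b, storage[wanted])
}

func main() {
	block, err := Roundtrip([]byte("constructed sample video bytes 0123456789abcdef"), 16, 1)
	fmt.Printf("block 1: %q err: %v\n", block, err)
}
```

Two properties of the claimed design are visible in this code and worth weighing before reusing it. The key server generates and keeps the second password (claim 24), so it can decrypt everything the terminals upload; this is key escrow, not end-to-end encryption. Nothing in the claims authenticates the public key to the terminal: if the channel from key server to terminal can be tampered with, a substituted public key yields the first password and with it the second, so a deployment has to deliver that key over an authenticated channel (TLS with a pinned server identity, for instance). Sealing every block separately under one key is safe only while nonces never repeat; with 96-bit random nonces the number of encryptions per second password should stay far below 2^32, which a single video never approaches but a long-lived account key might.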
CN201910329967.7A 2019-04-23 2019-04-23 Data security protection method and related equipment Active CN110138749B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910329967.7A CN110138749B (en) 2019-04-23 2019-04-23 Data security protection method and related equipment

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201910329967.7A CN110138749B (en) 2019-04-23 2019-04-23 Data security protection method and related equipment

Publications (2)

Publication Number Publication Date
CN110138749A CN110138749A (en) 2019-08-16
CN110138749B true CN110138749B (en) 2021-12-21

Family

ID=67570885

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910329967.7A Active CN110138749B (en) 2019-04-23 2019-04-23 Data security protection method and related equipment

Country Status (1)

Country Link
CN (1) CN110138749B (en)

Families Citing this family (14)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP7298392B2 (en) * 2019-08-28 2023-06-27 富士電機株式会社 Vending machine and service management method
CN110769306B (en) * 2019-10-12 2023-05-09 北京达佳互联信息技术有限公司 Subtitle decryption method and device, client and storage medium
CN110795745B (en) * 2019-10-14 2022-06-21 山东药品食品职业学院 Information storage and transmission system based on server and method thereof
CN111193659B (en) * 2019-12-30 2022-07-26 广东盈世计算机科技有限公司 File processing method and device based on instant chat tool
CN115174043A (en) * 2019-12-31 2022-10-11 华为技术有限公司 Method for sharing equipment and electronic equipment
CN111510745B (en) * 2020-03-27 2021-01-19 曹新 Internet video data encryption transmission method
CN112235299A (en) * 2020-10-14 2021-01-15 杭州海康威视数字技术股份有限公司 Data encryption and decryption method, device, equipment, system and medium
CN112528311B (en) * 2020-12-23 2024-02-20 杭州海康汽车软件有限公司 Data management method, device and terminal
CN113091224B (en) * 2021-04-07 2022-11-29 青岛海信日立空调系统有限公司 Air conditioning device and air conditioning control device
CN113591120A (en) * 2021-08-09 2021-11-02 北京达佳互联信息技术有限公司 Information issuing method and device, electronic equipment and storage medium
CN114244551B (en) * 2021-09-28 2024-01-30 自然资源部第三地形测量队 Data application protection method, equipment and wild external painting verification method
CN114422233B (en) * 2022-01-17 2023-01-13 中国科学院软件研究所 Login method and system for private equipment
CN114760500A (en) * 2022-03-24 2022-07-15 海南乾唐视联信息技术有限公司 Audio and video data encryption method and device
CN115189953B (en) * 2022-07-13 2024-02-06 深圳微言科技有限责任公司 Two-way communication device based on privacy protection

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103078841A (en) * 2012-12-03 2013-05-01 厦门市美亚柏科信息股份有限公司 Method and system for preventive electronic data security
CN103685162A (en) * 2012-09-05 2014-03-26 中国移动通信集团公司 File storing and sharing method
CN105898376A (en) * 2015-12-11 2016-08-24 乐视网信息技术(北京)股份有限公司 Online video stream play method, device and system
CN108259609A (en) * 2018-01-20 2018-07-06 福建省数字福建云计算运营有限公司 The management method and Cloud Server of a kind of family high in the clouds data
CN108471404A (en) * 2018-02-28 2018-08-31 深圳市达仁基因科技有限公司 File sharing method, device, computer equipment and storage medium
CN108737394A (en) * 2018-05-08 2018-11-02 腾讯科技(深圳)有限公司 Off-line verification system, barcode scanning equipment and server
CN108900869A (en) * 2018-05-04 2018-11-27 烽火通信科技股份有限公司 A kind of communication group information encryption and decryption method and system

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106611128A (en) * 2016-07-19 2017-05-03 四川用联信息技术有限公司 Secondary encryption-based data validation and data recovery algorithm in cloud storage
CN106534092B (en) * 2016-11-02 2019-07-02 西安电子科技大学 The privacy data encryption method of key is depended on based on message
TWI638561B (en) * 2016-12-23 2018-10-11 財團法人工業技術研究院 Control system and control method

Also Published As

Publication number Publication date
CN110138749A (en) 2019-08-16

Similar Documents

Publication Publication Date Title
CN110138749B (en) Data security protection method and related equipment
US10469469B1 (en) Device-based PIN authentication process to protect encrypted data
CN110492990B (en) Private key management method, device and system under block chain scene
EP3731551A1 (en) Identity authentication method and system, and computing device
CN106716914B (en) Secure key management for roaming protected content
EP3324572B1 (en) Information transmission method and mobile device
US11196553B2 (en) Command transmission method and apparatus, electronic device
CN108733986B (en) Method and apparatus for protecting digital content using device authentication
KR20200027500A (en) Generate key certificates that provide device anonymity
US10601590B1 (en) Secure secrets in hardware security module for use by protected function in trusted execution environment
CN107077567B (en) Identifying security boundaries on computing devices
US11159329B2 (en) Collaborative operating system
CN113343212B (en) Device registration method and apparatus, electronic device, and storage medium
CN105512576A (en) Method for secure storage of data and electronic equipment
CN111563251B (en) Encryption method and related device for private information in terminal equipment
US10027660B2 (en) Computer program, method, and system for secure data management
CN110611657A (en) File stream processing method, device and system based on block chain
JP6756056B2 (en) Cryptographic chip by identity verification
CN113259301A (en) Account data sharing method and electronic equipment
CN113821821B (en) Security architecture system, cryptographic operation method of security architecture system and computing device
CN113630412B (en) Resource downloading method, resource downloading device, electronic equipment and storage medium
CN104331672A (en) Method and device for performing confidential treatment on pictures upon bracelet
CN113032753A (en) Identity verification method and device
CN113282951A (en) Security verification method, device and equipment for application program
CN109600631B (en) Video file encryption and publishing method and device

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
TR01 Transfer of patent right
TR01 Transfer of patent right

Effective date of registration: 20220510

Address after: 523799 Room 101, building 4, No. 15, Huanhu Road, Songshanhu Park, Dongguan City, Guangdong Province

Patentee after: Petal cloud Technology Co.,Ltd.

Address before: 523808 Southern Factory Building (Phase I) Project B2 Production Plant-5, New Town Avenue, Songshan Lake High-tech Industrial Development Zone, Dongguan City, Guangdong Province

Patentee before: HUAWEI DEVICE Co.,Ltd.

Effective date of registration: 20220510

Address after: 523808 Southern Factory Building (Phase I) Project B2 Production Plant-5, New Town Avenue, Songshan Lake High-tech Industrial Development Zone, Dongguan City, Guangdong Province

Patentee after: HUAWEI DEVICE Co.,Ltd.

Address before: 518129 Bantian HUAWEI headquarters office building, Longgang District, Guangdong, Shenzhen

Patentee before: HUAWEI TECHNOLOGIES Co.,Ltd.