CN111339558A - Data encryption method, data decryption method, computer device and medium - Google Patents


Publication number
CN111339558A
Authority
CN
China
Prior art keywords
data
encryption
decryption
function
encrypted
Legal status
Pending
Application number
CN202010106955.0A
Other languages
Chinese (zh)
Inventor
严月强
Current Assignee
OneConnect Smart Technology Co Ltd
OneConnect Financial Technology Co Ltd Shanghai
Original Assignee
OneConnect Financial Technology Co Ltd Shanghai
Application filed by OneConnect Financial Technology Co Ltd Shanghai
Priority to CN202010106955.0A
Publication of CN111339558A
Priority to PCT/CN2021/071173 (WO2021164462A1)

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules, to a system of files or objects, e.g. local or distributed file system or database
    • G06F21/6245 Protecting personal data, e.g. for financial or medical purposes

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Software Systems (AREA)
  • Computer Security & Cryptography (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Computer Hardware Design (AREA)
  • Medical Informatics (AREA)
  • Databases & Information Systems (AREA)
  • Storage Device Security (AREA)

Abstract

The invention discloses a data encryption method, which comprises the following steps: responding to the data encryption signal, and acquiring data to be encrypted; judging whether an encryption annotation corresponding to the data to be encrypted exists; if yes, acquiring an encryption algorithm name and an encryption key in the encryption annotation; acquiring an encapsulation packet of the encrypted annotation from a database, and analyzing an encryption code generation template corresponding to the encryption algorithm name from the encapsulation packet, wherein the encryption code generation template comprises an encryption algorithm corresponding to the encryption algorithm name; populating the encryption key to the encryption code generation template to generate an encryption code; and encrypting the data to be encrypted by utilizing the encryption code. The invention also discloses a data decryption method, a computer device and a computer readable storage medium.

Description

Data encryption method, data decryption method, computer device and medium
Technical Field
The present invention relates to the field of computer technologies, and in particular, to a data encryption method, a data decryption method, a computer device, and a computer-readable storage medium.
Background
At present, the national security control on data is more and more strict, and the privacy protection policy on customers is also more and more strict, and enterprises are generally required to encrypt and store sensitive data of customers into a storage engine.
However, the inventor finds that the prior art has at least the following defects in the process of researching the invention: when a project is developed or iterative development is performed once, as long as sensitive data is involved, an encryption and decryption scheme of the sensitive data needs to be constructed independently, so that a large amount of redundant codes exist in a code base, memory resources are seriously occupied, and a processor is influenced by excessive memory resources in the process of executing tasks.
Disclosure of Invention
It is an object of the present invention to provide a data encryption method, a data decryption method, a computer device and a computer-readable storage medium, which are capable of solving the above-mentioned drawbacks of the prior art.
One aspect of the present invention provides a data encryption method, including: responding to the data encryption signal, and acquiring data to be encrypted; judging whether an encryption annotation corresponding to the data to be encrypted exists; if yes, acquiring an encryption algorithm name and an encryption key in the encryption annotation; acquiring an encapsulation packet of the encrypted annotation from a database, and analyzing an encryption code generation template corresponding to the encryption algorithm name from the encapsulation packet, wherein the encryption code generation template comprises an encryption algorithm corresponding to the encryption algorithm name; populating the encryption key to the encryption code generation template to generate an encryption code; and encrypting the data to be encrypted by utilizing the encryption code.
Optionally, the step of obtaining the data to be encrypted includes: acquiring a function name of a first target function to be executed; judging whether the first objective function is used for storing data or not according to the function name of the first objective function; if the first target function is judged to be used for storing data, acquiring the access parameter carried by the first target function, and taking the access parameter as the data to be encrypted; after the step of implementing encryption of the data to be encrypted using the encryption code, the method further comprises: and executing the first target function to store the encrypted data obtained by encrypting the data to be encrypted by using the encryption code.
Optionally, the step of obtaining the entry parameter carried by the first objective function and taking the entry parameter as the data to be encrypted includes: judging whether an encryption function library contains a function name of the first target function or not, wherein the access parameters carried by the function corresponding to the function name contained in the encryption function library need to be encrypted; and when the encryption function library is judged to contain the function name of the first target function, acquiring the access parameter carried by the first target function, and taking the access parameter as the data to be encrypted.
Optionally, the step of populating the encryption key to the encryption code generation template to generate an encryption code comprises: determining whether the encrypted annotation includes a salt value; if the salt value is included and the salt value is not 0, decrypting the encryption key by using the salt value to obtain an original encryption key, and filling the original encryption key into the encryption code generation template to generate the encryption code; and if the salt value is not included or is 0, directly filling the encryption key into the encryption code generation template to generate the encryption code.
Another aspect of the present invention provides a data decryption method, including: responding to the data decryption signal, and acquiring data to be decrypted; judging whether a decryption annotation corresponding to the data to be decrypted exists; if yes, acquiring a decryption algorithm name and a decryption key in the decryption annotation; acquiring an encapsulation packet of the decryption annotation from a database, and analyzing a decryption code generation template corresponding to the decryption algorithm name from the encapsulation packet, wherein the decryption code generation template comprises a decryption algorithm corresponding to the decryption algorithm name; filling the decryption key into the decryption code generation template to generate a decryption code; and decrypting the data to be decrypted by using the decryption code.
Optionally, the step of obtaining the data to be decrypted includes: acquiring a function name of a second target function to be executed; judging whether the second objective function is used for reading data or not according to the function name of the second objective function; and if the second objective function is judged to be used for reading data, executing the second objective function, and taking the data read by the second objective function as the data to be decrypted.
Optionally, the step of executing the second objective function and taking the data read by the second objective function as the data to be decrypted includes: judging whether a decryption function library contains the function name of the second target function or not, wherein the data read by the function corresponding to the function name contained in the decryption function library needs to be decrypted; and when the decryption function library is judged to contain the function name of the second objective function, executing the second objective function, and taking the data read by the second objective function as the data to be decrypted.
Optionally, the step of populating the decryption key to the decryption code generation template to generate a decryption code comprises: judging whether the decrypted annotation contains a salt value; if the salt value is included and the salt value is not 0, decrypting the decryption key by using the salt value to obtain an original decryption key, and filling the original decryption key into the decryption code generation template to generate the decryption code; and if the salt value is not included or is 0, directly filling the decryption key into the decryption code generation template to generate the decryption code.
Yet another aspect of the present invention provides a data encryption apparatus, comprising: the first acquisition module is used for responding to the data encryption signal and acquiring data to be encrypted; the first judgment module is used for judging whether an encryption note corresponding to the data to be encrypted exists or not; the second acquisition module is used for acquiring the encryption algorithm name and the encryption key in the encrypted annotation when the encrypted annotation exists; the first processing module is used for acquiring an encapsulation packet of the encrypted annotation from a database and analyzing an encryption code generation template corresponding to the encryption algorithm name from the encapsulation packet, wherein the encryption code generation template comprises an encryption algorithm corresponding to the encryption algorithm name; a first padding module for padding the encryption key into the encryption code generation template to generate an encryption code; and the encryption module is used for encrypting the data to be encrypted by utilizing the encryption code.
Yet another aspect of the present invention provides a data decryption apparatus, the apparatus comprising: the third acquisition module is used for responding to the data decryption signal and acquiring the data to be decrypted; the second judgment module is used for judging whether a decryption annotation corresponding to the data to be decrypted exists or not; the fourth obtaining module is used for obtaining the decryption algorithm name and the decryption key in the decryption annotation when the decryption annotation exists; the second processing module is used for acquiring the encapsulation packet of the decryption annotation from a database and analyzing a decryption code generation template corresponding to the decryption algorithm name from the encapsulation packet, wherein the decryption code generation template comprises a decryption algorithm corresponding to the decryption algorithm name; the second filling module is used for filling the decryption key into the decryption code generation template so as to generate a decryption code; and the decryption module is used for decrypting the data to be decrypted by utilizing the decryption code.
Yet another aspect of the present invention provides a computer apparatus, comprising: a memory, a processor and a computer program stored in the memory and executable on the processor, wherein the processor implements the data encryption method and/or the data decryption method according to any of the embodiments when executing the computer program.
A further aspect of the present invention provides a computer-readable storage medium on which a computer program is stored, the computer program, when executed by a processor, implementing the data encryption method and/or the data decryption method of any of the above embodiments.
The data encryption method and the data decryption method provided by the invention have the advantages that the notes are set for the data to be encrypted and decrypted in advance, sensitive data encryption and decryption codes do not need to be repeatedly developed for new projects or new requirements, but when the data needs to be encrypted and decrypted, only the annotated packaging packet needs to be called from an external database, the encryption and decryption code generation template is analyzed from the packaging packet, then the encryption and decryption key is filled into the encryption and decryption code generation template to generate the encryption and decryption codes, and the encryption and decryption of the data to be encrypted and decrypted are realized by utilizing the encryption and decryption codes. The invention sets standard, generalized, simple and easy-to-use notes, does not need to pay attention to any implementation details, has very small code amount, is clean and simple, is easy to maintain, and solves the defects that a code base in the prior art has a large amount of redundant codes, seriously occupies hardware resources, and a processor is also influenced by excessive memory resources in the process of executing tasks.
Drawings
Various other advantages and benefits will become apparent to those of ordinary skill in the art upon reading the following detailed description of the preferred embodiments. The drawings are only for purposes of illustrating the preferred embodiments and are not to be construed as limiting the invention. Also, like reference numerals are used to refer to like parts throughout the drawings. In the drawings:
FIG. 1 schematically illustrates a flow diagram of a method of data encryption according to an embodiment of the present invention;
FIG. 2 schematically shows a flow diagram of a data decryption method according to an embodiment of the invention;
FIG. 3 schematically illustrates a schematic diagram of a data encryption/decryption scheme according to an embodiment of the invention;
FIG. 4 schematically shows a block diagram of a data encryption apparatus according to an embodiment of the present invention;
FIG. 5 schematically shows a block diagram of a data decryption device according to an embodiment of the present invention;
fig. 6 schematically shows a block diagram of a computer device adapted to implement a data encryption method and/or a data decryption method according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the present invention is described in further detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit the invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
It should be noted that, in this document, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises the element.
The embodiment of the invention provides a data encryption method, which can be applied to the following service scenes: before a user stores sensitive data, the sensitive data is encrypted and then stored in order to prevent the sensitive data from being leaked, at the moment, the sensitive data can be automatically encrypted according to preset encryption annotations, and then the encrypted data is stored. In particular, fig. 1 schematically shows a flow chart of a data encryption method according to an embodiment of the present invention. As shown in fig. 1, the data encryption method may include steps S1 to S6, in which:
in step S1, in response to the data encryption signal, data to be encrypted is acquired.
The data to be encrypted may be sensitive data.
Alternatively, the step S1 may include steps S11 to S13, wherein:
step S11, acquiring a function name of a first target function to be executed;
step S12, judging whether the first objective function is used for storing data according to the function name of the first objective function;
step S13, if it is determined that the first objective function is used for storing data, acquiring an entry carried by the first objective function, and using the entry as the data to be encrypted.
Specifically, within the overall code logic, each time a function is executed its purpose is determined from its function name, and the step that realizes that purpose is then carried out by the code the function contains. The first target function in this embodiment is not limited to any particular function.
When the function name shows that the first target function is used for storing data, the entry parameter it carries may need to be encrypted before being stored; in that case the entry parameter carried by the first target function is obtained and used as the data to be encrypted.
For example, the first objective function is as follows:
[Figure BDA0002388457930000061: code listing of the first target function, shown on the original page as an image]
The function name of the first target function is setIdNo; it is a set function, and set functions are used for storing data, so the purpose of the first target function is determined to be storing data and idNo can be taken as the data to be encrypted.
Alternatively, step S13 may include step S131 and step S132, wherein:
step S131, judging whether an encryption function library contains a function name of the first target function, wherein the access parameter carried by a function corresponding to the function name contained in the encryption function library needs to be encrypted;
step S132, when it is determined that the encryption function library contains the function name of the first target function, acquiring an entry parameter carried by the first target function, and taking the entry parameter as the data to be encrypted.
It should be noted that in this embodiment not every entry parameter of a first target function with a storage function is encrypted; only when the function name of the first target function is preset in the encryption function library are the entry parameters it carries encrypted.
The encryption function library is preset with a number of preset encryption function names, each corresponding to the type of entry parameter carried by that preset encryption function, and the types of entry parameter corresponding to those names are sensitive-data types, such as identity card number, mobile phone number, wage or other confidential data. For example, if the preset encryption function name is setage, the preset encryption function setage() stores an age-type argument.
Correspondingly, if the first target function has a storage function, its function name also corresponds to the type of its entry parameter. Thus, if the entry parameter carried by the first target function is sensitive data, its function name is necessarily stored in the encryption function library, and the entry parameter of the first target function can then be determined as the data to be encrypted.
For example, continuing the example above, the function name of the first target function is setIdNo and the encryption function library contains setage, setphone and setIdNo. Since the library includes the function name of the first target function, idNo can be determined as the data to be encrypted.
Step S2, determining whether there is an encrypted annotation corresponding to the data to be encrypted.
If data encryption is to be implemented with the encryption annotation in the business program code, the annotation is written into that code, specifically into the program code located before the first target function. Since in this embodiment the data to be encrypted is obtained by the first target function, and the program code before the first target function is executed first, an encryption annotation recognized while executing that code can be taken as the annotation of the first target function. Note that annotations all have a specific format, such as @PrivacyProcessor, so recognizing that format counts as recognizing an annotation.
And step S3, if the encryption annotation exists, acquiring the encryption algorithm name and the encryption key in the encryption annotation.
In this embodiment, the encryption algorithm may be the Triple Data Encryption Algorithm (TDEA), the Advanced Encryption Standard (AES), RSA (Rivest-Shamir-Adleman), the Message-Digest Algorithm 5 (MD5) or the like, and the encryption algorithm name is the name corresponding to the encryption algorithm.
For example, for the encryption annotation @PrivacyProcessor(encryptType = AES, key = abcdefge), the encryption algorithm name is AES and the encryption key is abcdefgabcdefge.
Step S4, obtaining the encapsulation packet of the encrypted annotation from the database, and analyzing the encryption code generation template corresponding to the encryption algorithm name from the encapsulation packet, wherein the encryption code generation template comprises the encryption algorithm corresponding to the encryption algorithm name.
In this embodiment, the specific logic code of the encryption annotation is packaged in advance into an encapsulation packet, for example a map. When data needs to be encrypted while being stored, the encryption annotation only needs to be written into the overall code logic; while that logic runs, once it is determined that the entry parameter carried by the first target function needs to be encrypted, the encapsulation packet is called according to the annotation. Because different encryption annotations can carry different encryption algorithm names, the encapsulation packet can contain several encryption code generation templates, and after the packet is parsed the template corresponding to the algorithm name in the annotation has to be selected. Each encryption code generation template has vacant parameter positions, which can include the position where the encryption key is to be added, the position where the data to be encrypted is to be added, and so on.
Step S5, the encryption key is filled into the encryption code generation template to generate an encryption code.
Filling the encryption key into the encryption code generation template fills the vacant parameter position for the key and generates the encryption code that realizes the encryption.
However, the encryption annotation may also carry a salt value, which is used to encrypt the original encryption key so that the original key is not leaked. When the salt value is 0, no salt is added: the original encryption key is not encrypted and the key in the annotation is the original key. When the salt value is not 0, salt is added: the original encryption key is encrypted, and the key in the annotation is the original key encrypted with the salt value. For example, the salt is a random number used to generate a new random number that is placed in the encryption annotation as the encryption key, so that the original encryption key is not leaked.
For example, the encryption annotation @PrivacyProcessor(encryptType = AES, key = abcdefge) denotes the encryption algorithm name AES and the encryption key abcdefgabcdefge, without salting.
Optionally, step S5 may specifically be:
determining whether the encrypted annotation includes a salt value;
if the salt value is included and the salt value is not 0, decrypting the encryption key by using the salt value to obtain an original encryption key, and filling the original encryption key into the encryption code generation template to generate the encryption code;
and if the salt value is not included or is 0, directly filling the encryption key into the encryption code generation template to generate the encryption code.
In this embodiment, when a salt value exists in the encryption annotation and is not 0, the encryption key carried in the annotation is the key encrypted with the salt value; the salt value is then used to decrypt the encryption key to obtain the original encryption key, which is filled into the corresponding parameter position of the encryption code generation template to generate the encryption code. When no salt value exists in the annotation, or the salt value is 0, the encryption key carried in the annotation is the original encryption key and can be filled directly into the corresponding parameter position of the template to generate the encryption code.
And step S6, encrypting the data to be encrypted by using the encryption code.
In this embodiment, the data to be encrypted is likewise filled into its parameter position in the encryption code to obtain the completed encryption code; executing that code encrypts the data to be encrypted and yields the encrypted data.
Optionally, after step S3, the method further comprises: and executing the first target function to store the encrypted data obtained by encrypting the data to be encrypted by using the encryption code.
For example, in connection with the above example, before executing the first target function, idNo may be encrypted by using the AES algorithm and abcdefgabcdefge to obtain encrypted data, and then the first target function is executed to store the encrypted data in the database.
The embodiment of the invention provides a data decryption method, which can be applied to the following service scenario: a user encrypts sensitive data to obtain encrypted data (also called data to be decrypted) and stores it in a database; when the user needs to read the encrypted data, the executing entity of the data decryption method, such as a client, can automatically decrypt it according to preset decryption annotations and then return the decrypted data to the user. In particular, fig. 2 schematically shows a flow chart of a data decryption method according to an embodiment of the present invention. As shown in fig. 2, the data decryption method may include steps M1 to M6, wherein:
step M1, in response to the data decryption signal, obtains the data to be decrypted.
The data to be decrypted may be obtained by encrypting the data to be encrypted by using a plurality of parameters in the encryption annotation, or may be obtained by encrypting the data to be encrypted by using other encryption methods.
Alternatively, the step M1 may include steps M11 to M13, wherein:
step M11, acquiring a function name of a second target function to be executed;
step M12, judging whether the second objective function is used for reading data according to the function name of the second objective function;
step M13, if it is determined that the second objective function is used for reading data, executing the second objective function, and taking the data read by the second objective function as the data to be decrypted.
Specifically, within the overall code logic, each time a function is executed its purpose is determined from its function name, and the step that realizes that purpose is then carried out by the code the function contains. The second target function in this embodiment is not limited to any particular function.
When the function name shows that the second target function is used for reading data, the second target function is executed to read data out of the database; the data it reads is then considered likely to need decryption, and the read data is used as the data to be decrypted.
For example, the second objective function is as follows:
[Figure BDA0002388457930000091: code listing of the second target function, shown on the original page as an image]
The function name of the second target function is getIdNo; it is a get function, and get functions are used for reading data, so the purpose of the second target function is determined to be reading data. The second target function is executed, the data corresponding to idNo is read from the database, and that read data is used as the data to be decrypted.
Alternatively, step M13 may include step M131 and step M132, wherein:
step M131, judging whether a decryption function library contains a function name of the second target function, wherein data read by a function corresponding to the function name contained in the decryption function library needs to be decrypted;
step M132, when it is determined that the decryption function library includes the function name of the second objective function, executing the second objective function, and taking the data read by the second objective function as the data to be decrypted.
It should be noted that, in this embodiment, not all data read out by a second objective function that has a reading function is decrypted; only when the function name of the second objective function is preset in the decryption function library is the data read out by the second objective function decrypted.
The decryption function library is preset with a plurality of preset decryption function names. Each preset decryption function name corresponds to the type of data read by that function, and the types of data read by the functions named in the library are sensitive data types, such as identity card numbers, mobile phone numbers, salaries or other confidential data. For example, if a preset decryption function name is getage, the preset decryption function getage() reads data of the age type, and age data is data to be decrypted.
Accordingly, if the second objective function has a reading function, its function name also corresponds to the type of data it reads. Thus, if the data to be read by the second objective function is sensitive data, its function name is necessarily stored in the decryption function library, and the data read by the second objective function may then be determined to be the data to be decrypted.
For example, continuing the above example, the function name of the second objective function is getIdNo, and the decryption function library includes getage, getphone and getIdNo. The decryption function library therefore includes the function name of the second objective function, and the data corresponding to idNo read from the database can be determined to be the data to be decrypted.
And step M2, judging whether a decryption annotation corresponding to the data to be decrypted exists.
In the whole business program code, if data decryption is to be implemented with the decryption annotation, the decryption annotation is written into the program code; specifically, it may be written in the program code located in front of the second objective function. Since in the present embodiment the data to be decrypted is obtained by the second target function, and the program code located before the first target function is executed first, if a decryption annotation is encountered while that program code is executed, it may be taken as the annotation of the first target function.
And step M3, if yes, acquiring the decryption algorithm name and the decryption key in the decryption annotation.
In this embodiment, the decryption algorithm may be a TDEA algorithm, an AES algorithm, an RSA algorithm, or an MD5 algorithm; the decryption algorithm corresponds to the encryption algorithm that was used, and the decryption algorithm name is the name of that decryption algorithm.
For example, for the decryption annotation @PrivacyProcessor(encryptType = AES, key = abcdefge), the decryption algorithm name is AES and the decryption key is abcdefgabcdefge.
Step M4, obtaining the encapsulation packet of the decryption annotation from the database, and analyzing the decryption code generation template corresponding to the decryption algorithm name from the encapsulation packet, wherein the decryption code generation template comprises the decryption algorithm corresponding to the decryption algorithm name.
In this embodiment, the specific logic code of the decryption annotation is pre-packaged in an encapsulation package, for example in a map. When data needs to be decrypted while it is being read, only the decryption annotation needs to be written into the overall code logic. While the overall code logic runs and it is determined that the data read by the second target function needs to be decrypted, the encapsulation package of the decryption annotation can be called according to the decryption annotation. Because different decryption annotations may carry different decryption algorithm names, the encapsulation package may include several decryption code generation templates, and after the package is parsed the template corresponding to the decryption algorithm name carried in the decryption annotation must be determined. Each decryption code generation template has vacant parameter positions, which may include a position where the decryption key is to be added, a position where the data to be decrypted is to be added, and the like.
And step M5, filling the decryption key into the decryption code generation template to generate the decryption code.
Filling the decryption key into the decryption code generation template fills the corresponding vacant parameter position and produces the decryption code used to perform decryption.
However, the decryption annotation may also contain a salt value. The salt value is used to encrypt the original decryption key so that the original decryption key is not leaked. A salt value of 0 indicates that no salt is added, that is, the original decryption key is not encrypted, and the decryption key in the decryption annotation is the original decryption key. A salt value other than 0 indicates that salt is added, that is, the original decryption key is encrypted, and the decryption key in the decryption annotation is the result of encrypting it with the salt value. For example, the salt is a random number that is combined with the original decryption key to generate a new random number, which is encapsulated in the decryption annotation as the decryption key, so that the original decryption key is not leaked.
For example, the decryption annotation @PrivacyProcessor(encryptType = AES, key = abcdefgejfge) indicates that the decryption algorithm is AES, the decryption key is abcdefgabcdefge, and no salt is added.
Optionally, step M5 may specifically be:
judging whether the decrypted annotation contains a salt value;
if the salt value is included and the salt value is not 0, decrypting the decryption key by using the salt value to obtain an original decryption key, and filling the original decryption key into the decryption code generation template to generate the decryption code;
and if the salt value is not included or is 0, directly filling the decryption key into the decryption code generation template to generate the decryption code.
In this embodiment, when the decrypted annotation has a salt value and the salt value is not 0, it indicates that the decryption key carried in the decrypted annotation is a key encrypted by using the salt value, at this time, the decryption key may be decrypted by using the salt value to obtain an original decryption key, and then the original decryption key is filled to a corresponding parameter position of the decryption code generation template to generate the decryption code. When the salt value does not exist in the decryption annotation or the existing salt value is 0, the decryption key carried in the decryption annotation is the original decryption key, and at the moment, the decryption key can be directly filled to the corresponding parameter position of the decryption code generation template to generate the decryption code.
And step M6, decrypting the data to be decrypted by using the decryption code.
In this embodiment, the data to be decrypted may also be filled to the corresponding parameter position in the decryption code, so as to obtain the completed decryption code, and the decryption of the data to be decrypted may be implemented by executing the decryption code, so as to obtain the decrypted data.
For example, continuing the above example, before the first objective function is executed, the read data corresponding to idNo may be decrypted using the AES algorithm and the key abcdef to obtain the original data, which may then be returned to the user.
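The following is an added example, not the patent's code, showing steps M2 to M6 as a runtime Java annotation: the annotation carries encryptType, key and an optional salt (0 meaning no salt, as above); the "encapsulation package" is a map from algorithm name to a decryption template whose two vacant positions are the key and the data; and the salt branch of step M5 recovers the original key before the template runs. Everything not on the page is an assumption: the annotation member names, the Base64 key constant and salt 42 (constructed samples), the stored-value layout (12-byte IV, ciphertext, 16-byte GCM tag), and the way the salt transforms the key (the page does not define it; here it is a reversible XOR with a salt-seeded keystream). Only AES is registered in the map, because MD5 is a one-way hash and has nothing to decrypt; AES-GCM is used so that a stored value that has been altered is rejected rather than decrypted to garbage.

```java
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import java.lang.reflect.Method;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Map;
import java.util.Random;
import javax.crypto.Cipher;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

// Added example (not the patent's code): steps M2 to M6 with a runtime Java annotation.
public class AnnotationDecryptDemo {

    // Steps M2/M3: the decryption annotation carries the algorithm name, the key and an
    // optional salt (0 = no salt, as on the page). Annotation members must be compile-time
    // constants, so the key is held as a Base64 string constant.
    @Retention(RetentionPolicy.RUNTIME)
    @Target(ElementType.METHOD)
    @interface PrivacyProcessor {
        String encryptType();
        String key();
        long salt() default 0;
    }

    // Constructed sample: the salted 16-byte key (bytes 0x00..0x0F) and the salt value.
    static final String SALTED_KEY_B64 = "AAECAwQFBgcICQoLDA0ODw==";
    static final long SALT = 42L;

    // Step M4: a "decryption code generation template" is modelled as a function with two
    // vacant parameter positions (key, data); the "encapsulation package" is a map keyed by
    // algorithm name. Only AES is registered: MD5 is a hash and has no decryption.
    interface DecryptTemplate {
        byte[] decrypt(byte[] key, byte[] data) throws GeneralSecurityException;
    }
    static final Map<String, DecryptTemplate> ENCAPSULATION_PACKAGE =
            Map.of("AES", (DecryptTemplate) AnnotationDecryptDemo::aesGcmDecrypt);

    // Stored-value layout chosen here: 12-byte IV || ciphertext || 16-byte GCM tag.
    // GCM authenticates the value, so a modified database field is rejected, not decrypted to garbage.
    static byte[] aesGcmDecrypt(byte[] key, byte[] blob) throws GeneralSecurityException {
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.DECRYPT_MODE, new SecretKeySpec(key, "AES"),
                new GCMParameterSpec(128, blob, 0, 12));
        return cipher.doFinal(blob, 12, blob.length - 12);
    }

    static byte[] aesGcmEncrypt(byte[] key, byte[] plaintext) throws GeneralSecurityException {
        byte[] iv = new byte[12];
        new SecureRandom().nextBytes(iv);
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(key, "AES"), new GCMParameterSpec(128, iv));
        byte[] ct = cipher.doFinal(plaintext);
        byte[] blob = new byte[iv.length + ct.length];
        System.arraycopy(iv, 0, blob, 0, iv.length);
        System.arraycopy(ct, 0, blob, iv.length, ct.length);
        return blob;
    }

    // Step M5, salt branch. The page does not define how the salt transforms the key; this
    // ASSUMES a reversible XOR with a keystream seeded by the salt (XOR is its own inverse).
    static byte[] unsalt(byte[] storedKey, long salt) {
        byte[] stream = new byte[storedKey.length];
        new Random(salt).nextBytes(stream);
        byte[] original = new byte[storedKey.length];
        for (int i = 0; i < original.length; i++) original[i] = (byte) (storedKey[i] ^ stream[i]);
        return original;
    }

    // Steps M2 to M6 for the data read by one annotated reader method.
    static byte[] decryptForReader(Method reader, byte[] dataToDecrypt) throws GeneralSecurityException {
        PrivacyProcessor ann = reader.getAnnotation(PrivacyProcessor.class);            // M2
        if (ann == null) throw new IllegalStateException("no decryption annotation on " + reader.getName());
        DecryptTemplate template = ENCAPSULATION_PACKAGE.get(ann.encryptType());        // M3/M4
        if (template == null) throw new IllegalArgumentException("no template for " + ann.encryptType());
        byte[] key = Base64.getDecoder().decode(ann.key());
        if (ann.salt() != 0) key = unsalt(key, ann.salt());    // M5: recover the original key
        return template.decrypt(key, dataToDecrypt);            // M6: fill both positions and run
    }

    // Constructed entity whose reader getIdNo carries the decryption annotation.
    static class User {
        @PrivacyProcessor(encryptType = "AES", key = SALTED_KEY_B64, salt = SALT)
        public byte[] getIdNo() { return null; }
    }

    public static void main(String[] args) throws Exception {
        byte[] originalKey = unsalt(Base64.getDecoder().decode(SALTED_KEY_B64), SALT);
        byte[] stored = aesGcmEncrypt(originalKey, "ID-SAMPLE-000001".getBytes(StandardCharsets.UTF_8));
        Method reader = User.class.getMethod("getIdNo");
        System.out.println("decrypted idNo = " + new String(decryptForReader(reader, stored), StandardCharsets.UTF_8));
        stored[stored.length - 1] ^= 1;   // flip a tag bit: the authenticated decryption must fail
        try { decryptForReader(reader, stored); }
        catch (GeneralSecurityException e) { System.out.println("tampered value rejected: " + e.getClass().getSimpleName()); }
    }
}
```

Running the class prints the recovered sample idNo and then the rejection of the altered value (an AEADBadTagException). Note that with this design the annotation value is a key that ships inside the compiled class, so the salt only prevents the original key from appearing literally in source; it does not hide it from anyone who can read the annotation and the salt.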
Fig. 3 schematically shows a schematic diagram of a data encryption and decryption scheme according to an embodiment of the present invention.
As shown in fig. 3, the whole encryption and decryption process may proceed as follows. It is judged whether the function name (that is, the method name) of the target function to be executed starts with get. If not, it is judged whether it starts with set; if so, the original input parameter value of the target function is encrypted through the encryption annotation to obtain a new input parameter value, and the target function is then called to store the new input parameter value in the database. If the function name starts with get, the get prefix can be removed and the first remaining letter converted to lower case to obtain the name of the class member variable.
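The name-based routing of steps M11 to M13 and M131 to M132, together with the member-name derivation of fig. 3, as an added example that is not part of the patent. It classifies each method of a constructed entity by its prefix, checks a hypothetical decryption function library (the page's getage, getphone and getIdNo), and derives the member variable name from a getter name. The class and method names other than those three are assumptions.

```java
import java.lang.reflect.Method;
import java.util.Set;

// Added example (not the patent's code): classifying a target function by its name, as
// steps M11 to M13 / M131 and M132 and the fig. 3 flow describe.
public class AccessorClassifier {

    enum Role { READ, STORE, OTHER }

    // Hypothetical decryption function library taken from the page's example: only these
    // readers return sensitive fields whose values must be decrypted.
    static final Set<String> DECRYPTION_FUNCTION_LIBRARY = Set.of("getage", "getphone", "getIdNo");

    // Step M12 / fig. 3: a get prefix means "reads data", a set prefix means "stores data".
    static Role roleOf(String functionName) {
        if (functionName.startsWith("get")) return Role.READ;
        if (functionName.startsWith("set")) return Role.STORE;
        return Role.OTHER;
    }

    // Steps M131/M132: a reader's result is treated as data to be decrypted only when its name
    // is preset in the library, so an unlisted getter such as getName passes through untouched.
    static boolean needsDecryption(String functionName) {
        return roleOf(functionName) == Role.READ && DECRYPTION_FUNCTION_LIBRARY.contains(functionName);
    }

    // Fig. 3: strip the prefix and lower-case the first remaining letter: getIdNo -> idNo.
    static String memberNameOf(String functionName) {
        String rest = functionName.substring(3);
        return rest.isEmpty() ? rest : Character.toLowerCase(rest.charAt(0)) + rest.substring(1);
    }

    // Constructed entity whose methods are classified via reflection.
    static class Employee {
        private String idNo, name; private int age;
        public String getIdNo() { return idNo; }
        public void setIdNo(String v) { idNo = v; }
        public String getName() { return name; }
        public void setName(String v) { name = v; }
        public int getage() { return age; }   // spelled as in the page's library entry
        public boolean validate() { return true; }
    }

    public static void main(String[] args) {
        for (Method m : Employee.class.getDeclaredMethods()) {
            String n = m.getName();
            Role role = roleOf(n);
            System.out.printf("%-9s role=%-5s member=%-5s decrypt=%b%n",
                    n, role, role == Role.OTHER ? "-" : memberNameOf(n), needsDecryption(n));
        }
    }
}
```

The output lists getIdNo and getage as readers whose data needs decryption, getName as a reader that does not (it is not in the library), the setters as store functions whose input parameter would be the data to be encrypted, and validate as neither. Because the routing rests entirely on naming, a sensitive field reached through a method that does not follow the get/set convention is not covered, which is the check to keep in mind when adopting this scheme.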
The embodiment of the present invention further provides a data encryption apparatus, which corresponds to the data encryption method provided in the above embodiment, and corresponding technical features and technical effects are not described in detail in this embodiment, and reference may be made to the above embodiment for relevant points. In particular, fig. 4 schematically shows a block diagram of a data encryption apparatus according to an embodiment of the present invention. As shown in fig. 4, the data encryption apparatus 400 may include a first obtaining module 401, a first judging module 402, a second obtaining module 403, a first processing module 404, a first padding module 405, and an encryption module 406, wherein:
a first obtaining module 401, configured to obtain data to be encrypted in response to a data encryption signal;
a first judging module 402, configured to judge whether there is an encryption comment corresponding to the data to be encrypted;
a second obtaining module 403, configured to obtain, when the encrypted annotation exists, an encryption algorithm name and an encryption key in the encrypted annotation;
a first processing module 404, configured to obtain an encapsulation packet of the encrypted annotation from a database, and parse an encryption code generation template corresponding to the encryption algorithm name from the encapsulation packet, where the encryption code generation template includes an encryption algorithm corresponding to the encryption algorithm name;
a first padding module 405, configured to pad the encryption key into the encryption code generation template to generate an encryption code;
and the encryption module 406 is configured to implement encryption on the data to be encrypted by using the encryption code.
Optionally, the first obtaining module is further configured to: acquiring a function name of a first target function to be executed; judging whether the first objective function is used for storing data or not according to the function name of the first objective function; if the first target function is judged to be used for storing data, acquiring the input parameter carried by the target function, and taking the input parameter as the data to be encrypted; the system may further include: and the storage module is used for executing the first target function after the step of encrypting the data to be encrypted by using the encryption code so as to store the encrypted data obtained after the data to be encrypted is encrypted by using the encryption code.
Optionally, the first obtaining module is further configured to, when obtaining the entry parameter carried by the target function and taking the entry parameter as the data to be encrypted: judging whether an encryption function library contains a function name of the first target function or not, wherein the entry parameters carried by the function corresponding to the function name contained in the encryption function library can be encrypted by the encryption comment; and when the encryption function library is judged to contain the function name of the first target function, acquiring the input parameter carried by the target function, and taking the input parameter as the data to be encrypted.
Optionally, the first filling module is further configured to: determining whether the encrypted annotation includes a salt value; if the salt value is included and the salt value is not 0, decrypting the encryption key by using the salt value to obtain an original encryption key, and filling the original encryption key into the encryption code generation template to generate the encryption code; and if the salt value is not included or is 0, directly filling the encryption key into the encryption code generation template to generate the encryption code.
The embodiment of the present invention further provides a data decryption apparatus, which corresponds to the data decryption method provided in the foregoing embodiment, and corresponding technical features and technical effects are not described in detail in this embodiment, and reference may be made to the foregoing embodiment for relevant points. In particular, fig. 5 schematically shows a block diagram of a data decryption apparatus according to an embodiment of the present invention. As shown in fig. 5, the data decryption apparatus 500 may include a third obtaining module 501, a second judging module 502, a fourth obtaining module 503, a second processing module 504, a second padding module 505, and a decryption module 506, wherein:
a third obtaining module 501, configured to obtain data to be decrypted in response to the data decryption signal;
a second determining module 502, configured to determine whether a decryption annotation corresponding to the data to be decrypted exists;
a fourth obtaining module 503, configured to obtain, when the decryption annotation exists, a decryption algorithm name and a decryption key in the decryption annotation;
a second processing module 504, configured to obtain an encapsulation packet of the decryption annotation from a database, and parse a decryption code generation template corresponding to the decryption algorithm name from the encapsulation packet, where the decryption code generation template includes a decryption algorithm corresponding to the decryption algorithm name;
a second padding module 505, configured to pad the decryption key in the decryption code generation template to generate a decryption code;
and a decryption module 506, configured to implement decryption on the data to be decrypted by using the decryption code.
Optionally, the third obtaining module is further configured to: acquiring a function name of a second target function to be executed; judging whether the second objective function is used for reading data or not according to the function name of the second objective function; and if the second objective function is judged to be used for reading data, executing the second objective function, and taking the data read by the second objective function as the data to be decrypted.
Optionally, when the third obtaining module executes the second objective function and takes the data read by the second objective function as the data to be decrypted, the third obtaining module is further configured to: judging whether a decryption function library contains the function name of the second target function or not, wherein the data read by the function corresponding to the function name contained in the decryption function library can be decrypted by the decryption annotation; and when the decryption function library is judged to contain the function name of the second objective function, executing the second objective function, and taking the data read by the second objective function as the data to be decrypted.
Optionally, the second filling module is further configured to: judging whether the decrypted annotation contains a salt value; if the salt value is included and the salt value is not 0, decrypting the decryption key by using the salt value to obtain an original decryption key, and filling the original decryption key into the decryption code generation template to generate the decryption code; and if the salt value is not included or is 0, directly filling the decryption key into the decryption code generation template to generate the decryption code.
Fig. 6 schematically shows a block diagram of a computer device adapted to implement a data encryption method and/or a data decryption method according to an embodiment of the present invention. In this embodiment, the computer device 600 may be a smart phone, a tablet computer, a notebook computer, a desktop computer, a rack server, a blade server, a tower server, or a rack server (including an independent server or a server cluster composed of a plurality of servers), and the like, that executes programs. As shown in fig. 6, the computer device 600 of the present embodiment includes at least, but is not limited to: a memory 601, a processor 602 and a network interface 603, which may be communicatively coupled to each other via a system bus. It is noted that fig. 6 only shows the computer device 600 having components 601 to 603, but it is to be understood that not all of the shown components are required and that more or fewer components may alternatively be implemented.
In this embodiment, the memory 601 includes at least one type of computer-readable storage medium, which includes flash memory, a hard disk, a multimedia card, a card-type memory (e.g., SD or DX memory, etc.), a Random Access Memory (RAM), a Static Random Access Memory (SRAM), a Read Only Memory (ROM), an Electrically Erasable Programmable Read Only Memory (EEPROM), a Programmable Read Only Memory (PROM), a magnetic memory, a magnetic disk, an optical disk, and the like. In some embodiments, the memory 601 may be an internal storage unit of the computer device 600, such as a hard disk or a memory of the computer device 600. In other embodiments, the memory 601 may also be an external storage device of the computer device 600, such as a plug-in hard disk, a Smart Media Card (SMC), a Secure Digital (SD) Card, a Flash memory Card (Flash Card), etc. provided on the computer device 600. Of course, the memory 601 may also include both internal and external storage devices of the computer device 600. In the present embodiment, the memory 601 is generally used for storing an operating system and various types of application software installed in the computer device 600, such as the program code of a data encryption method and/or the program code of a data decryption method. In addition, the memory 601 can also be used to temporarily store various types of data that have been output or are to be output.
The processor 602 may be a Central Processing Unit (CPU), controller, microcontroller, microprocessor, or other data processing chip in some embodiments. The processor 602 is typically used to control the overall operation of the computer device 600; for example, it executes the program code of the data encryption method and/or the program code of the data decryption method, and controls and processes data interaction or communication with the computer device 600.
In this embodiment, the data encryption method and/or the data decryption method stored in the memory 601 may be further divided into one or more program modules and executed by one or more processors (in this embodiment, the processor 602) to implement the present invention.
The network interface 603 may comprise a wireless network interface or a wired network interface, and the network interface 603 is typically used to establish communication links between the computer device 600 and other computer devices. For example, the network interface 603 is used to connect the computer apparatus 600 to an external terminal via a network, establish a data transmission channel and a communication link between the computer apparatus 600 and the external terminal, and the like. The network may be a wireless or wired network such as an Intranet (Intranet), the Internet (Internet), a Global System of Mobile communication (GSM), Wideband Code Division Multiple Access (WCDMA), 4G network, 5G network, Bluetooth (Bluetooth), Wi-Fi, etc.
The present embodiment also provides a computer-readable storage medium including a flash memory, a hard disk, a multimedia card, a card-type memory (e.g., SD or DX memory, etc.), a Random Access Memory (RAM), a Static Random Access Memory (SRAM), a Read Only Memory (ROM), an Electrically Erasable Programmable Read Only Memory (EEPROM), a Programmable Read Only Memory (PROM), a magnetic memory, a magnetic disk, an optical disk, a server, an App application mall, etc., on which a computer program is stored, which implements a data encryption method and/or a data decryption method when executed by a processor.
It will be apparent to those skilled in the art that the modules or steps of the embodiments of the invention described above may be implemented by a general-purpose computing device; they may be centralized on a single computing device or distributed across a network of multiple computing devices. Alternatively, they may be implemented as program code executable by a computing device, so that they may be stored in a storage device and executed by a computing device; in some cases the steps shown or described may be performed in an order different from that described herein. They may also be separately fabricated as individual integrated circuit modules, or multiple ones of them may be fabricated as a single integrated circuit module. Thus, embodiments of the invention are not limited to any specific combination of hardware and software.
Through the above description of the embodiments, those skilled in the art will clearly understand that the method of the above embodiments can be implemented by software plus a necessary general hardware platform, and certainly can also be implemented by hardware, but in many cases, the former is a better implementation manner.
The above description is only a preferred embodiment of the present invention, and not intended to limit the scope of the present invention, and all modifications of equivalent structures and equivalent processes, which are made by using the contents of the present specification and the accompanying drawings, or directly or indirectly applied to other related technical fields, are included in the scope of the present invention.

Claims (10)

1. A method for data encryption, the method comprising:
responding to the data encryption signal, and acquiring data to be encrypted;
judging whether an encryption annotation corresponding to the data to be encrypted exists;
if yes, acquiring an encryption algorithm name and an encryption key in the encryption annotation;
acquiring an encapsulation packet of the encrypted annotation from a database, and analyzing an encryption code generation template corresponding to the encryption algorithm name from the encapsulation packet, wherein the encryption code generation template comprises an encryption algorithm corresponding to the encryption algorithm name;
populating the encryption key to the encryption code generation template to generate an encryption code;
and encrypting the data to be encrypted by utilizing the encryption code.
2. The method of claim 1, wherein the step of obtaining data to be encrypted comprises:
acquiring a function name of a first target function to be executed;
judging whether the first objective function is used for storing data or not according to the function name of the first objective function;
if the first target function is judged to be used for storing data, acquiring the access parameter carried by the first target function, and taking the access parameter as the data to be encrypted;
after the step of implementing encryption of the data to be encrypted using the encryption code, the method further comprises:
and executing the first target function to store the encrypted data obtained by encrypting the data to be encrypted by using the encryption code.
3. The method according to claim 2, wherein the step of obtaining the entry carried by the first objective function and taking the entry as the data to be encrypted comprises:
judging whether an encryption function library contains a function name of the first target function or not, wherein the access parameters carried by the function corresponding to the function name contained in the encryption function library need to be encrypted;
and when the encryption function library is judged to contain the function name of the first target function, acquiring the access parameter carried by the first target function, and taking the access parameter as the data to be encrypted.
4. The method of any one of claims 1 to 3, wherein the step of populating the encryption key to the encryption code generation template to generate an encryption code comprises:
determining whether the encrypted annotation includes a salt value;
if the salt value is included and the salt value is not 0, decrypting the encryption key by using the salt value to obtain an original encryption key, and filling the original encryption key into the encryption code generation template to generate the encryption code;
and if the salt value is not included or is 0, directly filling the encryption key into the encryption code generation template to generate the encryption code.
5. A method for data decryption, the method comprising:
responding to the data decryption signal, and acquiring data to be decrypted;
judging whether a decryption annotation corresponding to the data to be decrypted exists;
if yes, acquiring a decryption algorithm name and a decryption key in the decryption annotation;
acquiring an encapsulation packet of the decryption annotation from a database, and analyzing a decryption code generation template corresponding to the decryption algorithm name from the encapsulation packet, wherein the decryption code generation template comprises a decryption algorithm corresponding to the decryption algorithm name;
filling the decryption key into the decryption code generation template to generate a decryption code;
and decrypting the data to be decrypted by using the decryption code.
6. The method of claim 5, wherein the step of obtaining data to be decrypted comprises:
acquiring a function name of a second target function to be executed;
judging whether the second objective function is used for reading data or not according to the function name of the second objective function;
and if the second objective function is judged to be used for reading data, executing the second objective function, and taking the data read by the second objective function as the data to be decrypted.
7. The method according to claim 6, wherein the step of executing the second objective function and using the data read by the second objective function as the data to be decrypted comprises:
judging whether a decryption function library contains the function name of the second target function or not, wherein the data read by the function corresponding to the function name contained in the decryption function library needs to be decrypted;
and when the decryption function library is judged to contain the function name of the second objective function, executing the second objective function, and taking the data read by the second objective function as the data to be decrypted.
8. The method according to any one of claims 5 to 7, wherein the step of populating the decryption key into the decryption code generation template to generate a decryption code comprises:
judging whether the decrypted annotation contains a salt value;
if the salt value is included and the salt value is not 0, decrypting the decryption key by using the salt value to obtain an original decryption key, and filling the original decryption key into the decryption code generation template to generate the decryption code;
and if the salt value is not included or is 0, directly filling the decryption key into the decryption code generation template to generate the decryption code.
9. A computer device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, the processor being configured to implement the method of any one of claims 1 to 4 and/or the method of any one of claims 5 to 8 when the computer program is executed by the processor.
10. A computer-readable storage medium, on which a computer program is stored which, when being executed by a processor, carries out the method of any one of claims 1 to 4 and/or the method of any one of claims 5 to 8.

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN202010106955.0A CN111339558A (en) 2020-02-21 2020-02-21 Data encryption method, data decryption method, computer device and medium
PCT/CN2021/071173 WO2021164462A1 (en) 2020-02-21 2021-01-12 Data encryption method, data decryption method, computer device, and medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202010106955.0A CN111339558A (en) 2020-02-21 2020-02-21 Data encryption method, data decryption method, computer device and medium

Publications (1)

Publication Number Publication Date
CN111339558A true CN111339558A (en) 2020-06-26

Family

ID=71183957

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010106955.0A Pending CN111339558A (en) 2020-02-21 2020-02-21 Data encryption method, data decryption method, computer device and medium

Country Status (2)

Country Link
CN (1) CN111339558A (en)
WO (1) WO2021164462A1 (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2021164462A1 (en) * 2020-02-21 2021-08-26 深圳壹账通智能科技有限公司 Data encryption method, data decryption method, computer device, and medium
CN113709188A (en) * 2021-10-27 2021-11-26 北京蓝莓时节科技有限公司 Session control information processing method, device, system and storage medium

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113722733A (en) * 2021-08-27 2021-11-30 北京航天云路有限公司 Data access authority control method based on Java annotation

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101282212A (en) * 2008-05-20 2008-10-08 北京方正国际软件系统有限公司 System and method for encipherment and decipherment based on template
US20140020111A1 (en) * 2012-07-13 2014-01-16 Futurewei Technologies, Inc. Signaling and Handling Content Encryption and Rights Management in Content Transport and Delivery
CN110427779A (en) * 2019-08-13 2019-11-08 威富通科技有限公司 A kind of the Encrypt and Decrypt method and data server of database table field
CN110708273A (en) * 2018-07-10 2020-01-17 杭州海康威视数字技术股份有限公司 Data encryption and decryption method and data encryption and decryption system

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109361717A (en) * 2018-12-20 2019-02-19 中科鼎富(北京)科技发展有限公司 Encrypted content file method, apparatus and electronic equipment
CN111339558A (en) * 2020-02-21 2020-06-26 深圳壹账通智能科技有限公司 Data encryption method, data decryption method, computer device and medium

Also Published As

Publication number Publication date
WO2021164462A1 (en) 2021-08-26

Similar Documents

Publication Publication Date Title
CN110391906B (en) Data processing method based on block chain, electronic device and readable storage medium
CN111339558A (en) Data encryption method, data decryption method, computer device and medium
CN111552931A (en) Method and system for adding shell of java code
CN109522270A (en) File storing and reading method, electronic device and readable storage medium storing program for executing based on block chain
CN111314306A (en) Interface access method and device, electronic equipment and storage medium
US20120226823A1 (en) Document distribution system and method
CN111915019A (en) Federal learning method, system, computer device, and storage medium
CN112738004B (en) Communication method and system based on QUIC transmission protocol
WO2019062015A1 (en) Source code protection method, application server, and computer-readable storage medium
CN114041134A (en) System and method for block chain based secure storage
US10536276B2 (en) Associating identical fields encrypted with different keys
CN109787768A (en) A kind of authentication configuration method, device and computer readable storage medium
CN111382201A (en) Heterogeneous database synchronization method and device, computer equipment and storage medium
CN111984988A (en) Method, system, computer device and storage medium for generating encrypted code
CN102799815A (en) Method and device for safely loading program library
CN115758399A (en) Intelligent medical information management method, device, equipment and medium based on medical networking
CN113127915A (en) Data encryption desensitization method and device, electronic equipment and storage medium
CN112783847B (en) Data sharing method and device
CN114239029A (en) System log safety processing method, device, equipment and storage medium
CN111628863B (en) Data signature method and device, electronic equipment and storage medium
CN111818087A (en) Block chain node access method, device, equipment and readable storage medium
CN110880965A (en) Outgoing electronic document encryption method, system, terminal and storage medium
CN109871698A (en) Data processing method, device, computer equipment and storage medium
CN111949996A (en) Generation method, encryption method, system, device and medium of security private key
CN107026841B (en) Method and device for publishing works in network

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination