CN112583809B - Data encryption and decryption method of non-immersion multiple encryption algorithms - Google Patents

Abstract

The invention discloses a data encryption and decryption method of non-immersion multiple encryption algorithms, which adopts a secondary key system to enhance the management of key use, distributes the key of a client user according to the request of the user, confirms and distributes the key by an administrator, and records when the client uses the key; encrypting and decrypting the sensitive data by adopting an asymmetric encryption algorithm; mapping the content of the field to be encrypted to a hash value based on a hash function to realize equivalent query and range query of the encrypted field; the encryption and decryption of the application data are completed by configuring a dependent injection mode; the invention has the advantages that: the security protection of sensitive data in electronic government affairs is realized, the management of the whole process from the generation of the secret key to the use is realized, the fuzzy and accurate query of encrypted data is supported, the existing application systems are integrated in a non-immersion mode, the good portability is embodied, and the encryption and decryption application of the sensitive data is effectively supported.

Description

Data encryption and decryption method of non-immersion multiple encryption algorithms

Technical Field

The invention relates to a data encryption and decryption method, in particular to a non-immersion data encryption and decryption method based on multiple encryption algorithms, and belongs to the field of data encryption and decryption methods.

Background

In e-government, a large amount of data is stored in a relational database to provide data services for system users, and especially, sensitive data security in e-government applications is important. On one hand, data in a database needs to be encrypted and protected to enhance the safety of data transmission and access, and on the other hand, under the condition that the code does not need to be modified for the existing application, the data encryption and decryption service is completed through configuration management. However, most of the current processes for encrypting and decrypting sensitive data have the following three problems:

(1) the key management has the problems that in the normal condition, data encryption and decryption basically adopt a symmetric encryption algorithm for encryption and decryption, and the key management is basically not recorded, so that the use condition of the key cannot be tracked.

(2) The problem of ciphertext query is that the field ciphertext exists, so that the query efficiency is reduced or condition matching query cannot be performed.

(3) The encryption and decryption service generally adopts the logic of modifying application core codes to integrate the encryption and decryption service into a system, so that the development work of the system is changed.

Disclosure of Invention

The invention aims to design a data encryption and decryption method of non-immersive multiple encryption algorithms, which can enable encryption and decryption services to be freely used in different application environments through relevant configuration without modifying codes for realizing core functions in an application system.

The technical scheme of the invention is as follows:

the data encryption and decryption method of non-immersion multiple encryption algorithms mainly comprises the following steps:

(1) the management of key use is enhanced by adopting a secondary key system, the key of a client user is distributed according to user request, an administrator confirms and distributes the key, meanwhile, the record is carried out when the client uses the key, and the key of the client is also distributed according to the data record; encrypting and decrypting the sensitive data by adopting an asymmetric encryption algorithm;

(2) the method comprises the steps of solving the problem of ciphertext query in a database encryption system by adopting a ciphertext field index table method, mapping the content of a field to be encrypted to a HASH value based on a HASH function by adopting a HASH algorithm, and realizing equivalent query and range query of the encrypted field based on the HASH value after the mapping of the record of the content of the field to be encrypted;

(3) the method adopts non-immersion to provide encryption and decryption services, completes application data encryption and decryption by configuring a dependent injection mode, and does not need to modify codes of an original application system.

The invention supports the encryption and decryption of newly-built application and established application data, realizes the security requirement of data transmission access by using different key methods, simultaneously supports the query and retrieval of encrypted data, and is integrated into an application system framework by configuring a dependent injection mode, thereby providing final data encryption and decryption service.

The method specifically comprises the following steps:

step S100: the administrator creates an asymmetric encrypted key pair, simultaneously stores a private key, sends a public key to the client, generates a symmetric encrypted key by the administrator, and secondarily encrypts and stores the asymmetric encrypted private key and the public key pair in the database by using the key;

step S200: the method comprises the steps that an encryption and decryption service is configured by an application, an interface which needs to encrypt and decrypt sensitive data is injected into an application program package in a front-mounted mode, the sensitive data is encrypted or decrypted firstly, then a service operation interface service is executed, and log information called by encryption and decryption is injected into a rear-mounted mode;

step S300: the client encrypts plaintext data to be uploaded by using the public key, the server records the use condition of the public key, and stores the ciphertext into a database data table;

step S400: establishing a ciphertext index table based on the encrypted field, wherein the ciphertext index table records fields and unique identification field IDs which establish a one-to-one correspondence relationship with the encrypted field records; mapping the unique identification ID of the record of the field to be encrypted to the encrypted unique identification ID by using a Hash function, and storing the ID and the Hash value of the field content into an index table;

step S500: based on the mapped hash value, realizing equivalent query and range query of the encrypted field; and calling the private key or the public key to decrypt the encrypted data and display the decrypted data.

Further, the step S100 includes the following sub-steps:

(1) an administrator generates an SM2 secret key, and a public key and a private key are generated by adopting an asymmetric encryption SM2 algorithm;

(2) the administrator generates an SM4 key and generates the key by adopting a symmetric encryption algorithm SM 4;

(3) encrypting and storing the generated public key and private key, encrypting the generated asymmetric encrypted private key and public key by using an SM4 key by an administrator, and simultaneously storing the encrypted public key and private key in a database;

(4) the user applies for the key, the administrator approves, registers and issues records, and provides a cipher plaintext to the client, the client forms a cipher text for opening the public key through the symmetrically encrypted key, and opens the asymmetrically encrypted public key;

(5) the administrator records the key application, records the key application condition of the user and stores the key application condition in the database.

Further, the step S200 includes the following sub-steps:

(1) configuring a preposed encryption and decryption function depending on the injection function;

(2) and configuring a post-encryption and decryption log recording function depending on the injection function.

Further, the step S300 includes the following sub-steps:

(1) the user decrypts the public key by using the symmetric key, uploads or checks the encrypted sensitive data, and decrypts the public key by using the symmetric key; calling a public key to encrypt and decrypt data;

(2) the server side records the use condition of the client side public key to form a client side public key use log, analyzes the log record and checks abnormal conditions;

(3) and (4) ciphertext data storage, wherein the ciphertext form of the encrypted data uploaded by the client is stored in a database.

Further, the step S400 includes the following sub-steps:

(1) establishing an index table corresponding to the encryption field;

(2) defining an index field in an index table, wherein the content of the index field consists of a division value and a characteristic value of character string data;

(3) defining an index field partition function, and mapping the value range Di of the attribute R.ai to partitions { p1, p2, …, pk }, wherein the following conditions are satisfied: (1) all partitioned and can cover the entire domain; (2) any two divisions do not overlap; formally, the function partition is defined as follows: partition (r, Ai) = { p1, p2, …, pk }; the dividing method of the numerical field value domain usually adopts the method of equal width or equal depth division; for the character type field, dividing the value range of the attribute according to the probability distribution of the attribute value, so that the number of elements contained in each division is approximately equal;

(4) defining an index field identification function, and assigning an identifier identRAi (Pi) to each partition Pi of the attribute Ai;

(5) defining an index field mapping function, and mapping a value v in the attribute Ai domain to an identifier of v-membership division; formally, mapr. Ai (v) = identR. (Ai), wherein a direction is a subdivision comprising a possible.

(6) Defining an index field feature function: mapping the character string C1C 2 … Cn to a binary bit string b0b1 … bm-1 by using a HASH function;

(7) for any character string needing to be encrypted, the division value and the characteristic value of the character string are obtained through a mapping function and a characteristic function; in order to facilitate the translation of the query conditions, the first h bits of the specified index field represent the division values of the character string data, the second m bits represent the characteristic values of the character string data, and the length of the whole index field is h + m bits;

(8) establishing a one-to-one corresponding relation between the encrypted fields and the field records of the index table; for each relationship R (a1, …, Ar, …, An), Ar is the string field to be encrypted, and the encrypted relationship pattern is RE (a1, …, ArE, …, An., Ars); where ArE is the encryption string field corresponding to Ar, i.e., ArE = e (Ar); ars is an auxiliary index field corresponding to Ar, and is obtained by combining the division value and the eigenvalue of Ar.

Further, the step S500 includes the following sub-steps:

(1) searching ciphertext data, converting and querying a conditional statement in SQL by using rules in metadata such as a mapping function, a characteristic function and the like according to a storage mode of an encryption relationship, and converting a query of a character string field into a query of a corresponding index field; however, there are some records that satisfy the query condition of the index field but do not satisfy the query condition of the string field, resulting in the generation of "pseudo records";

(2) the ciphertext data is queried for the second time, the record after query filtering is decrypted by calling a private key or a public key, and then the decrypted data is queried for the first time accurately;

(3) the ciphertext data is decrypted and displayed, and the ciphertext in the inquired data is decrypted and displayed by using the public key;

(4) and uploading the log record used by the user for encrypting and decrypting the public key, such as the public key use time, the user name, the decryption field, the use client condition and the like.

The invention has the beneficial effects that: the security protection of sensitive data in electronic government affairs is realized, the management of the whole process from the generation of the secret key to the use is realized, the fuzzy and accurate query of encrypted data is supported, the existing application systems are integrated in a non-immersion mode, the good portability is embodied, and the encryption and decryption application of the sensitive data is effectively supported.

The invention is further illustrated by the following figures and examples.

Drawings

FIG. 1: the invention provides a flow chart of a non-immersion basic data encryption method based on a Hash algorithm and an asymmetric encryption algorithm.

Detailed Description

The following description of the preferred embodiments of the present invention is provided for the purpose of illustration and description, and is in no way intended to limit the invention.

Example 1

As shown in fig. 1, a method for encrypting and decrypting data by non-immersion multiple encryption algorithms mainly includes the following steps:

(1) the management of key use is enhanced by adopting a secondary key system, the key of a client user is distributed according to user request, an administrator confirms and distributes the key, meanwhile, the record is carried out when the client uses the key, and the key of the client is also distributed according to the data record; encrypting and decrypting the sensitive data by adopting an asymmetric encryption algorithm (SM 2);

(2) the method comprises the steps of solving the problem of ciphertext query in a database encryption system by adopting a ciphertext field index table method, mapping the content of a field to be encrypted to a HASH value based on a HASH function by adopting a HASH algorithm, and realizing equivalent query and range query of the encrypted field based on the HASH value after the mapping of the record of the content of the field to be encrypted;

(3) the method adopts non-immersion to provide encryption and decryption services, completes application data encryption and decryption by configuring a dependent injection mode, and does not need to modify codes of an original application system.

The invention supports the encryption and decryption of newly-built application and established application data, realizes the security requirement of data transmission access by using different key methods, simultaneously supports the query and retrieval of encrypted data, and is integrated into an application system framework by configuring a dependent injection mode to provide final data encryption and decryption service.

The method specifically comprises the following steps:

step S100: the method comprises the following steps that an administrator creates an asymmetric encryption key pair, simultaneously stores a private key, sends a public key to a client, generates a symmetric encryption key by the administrator, and secondarily encrypts and stores the asymmetric encryption private key and the public key pair to a database by using the key;

the step S100 includes the following substeps:

(1) the administrator generates an SM2 secret key, and generates a public key and a private key by adopting an asymmetric encryption SM2 algorithm;

(2) the administrator generates an SM4 key and generates the key by adopting a symmetric encryption algorithm SM 4;

(3) the generated public key and the private key are stored in an encrypted manner, an administrator encrypts the generated asymmetric encrypted private key and the public key by using an SM4 secret key, and simultaneously stores the encrypted public key and the encrypted private key in a database;

(4) the user applies for the key, the administrator approves, registers and issues records, and provides a cipher plaintext to the client, the client forms a cipher text for opening the public key through the symmetrically encrypted key, and opens the asymmetrically encrypted public key;

(5) the administrator records the key application, and the administrator records the key application condition of the user and stores the key application condition in the database.

Step S200: configuring encryption and decryption services by an application, pre-injecting an interface which needs to encrypt and decrypt sensitive data in an application program package, encrypting or decrypting the sensitive data, then executing service operation interface services, and post-injecting log information called by encryption and decryption;

the step S200 includes the following substeps:

(1) configuring a preposed encryption and decryption function depending on the injection function;

(2) and configuring a post-encryption and decryption log recording function depending on the injection function.

Step S300: the client encrypts plaintext data to be uploaded by using the public key, the server records the use condition of the public key, and stores the ciphertext into a database data table;

the step S300 includes the following substeps:

(1) the user decrypts the public key by using the symmetric key, uploads or checks the encrypted sensitive data, and decrypts the public key by using the symmetric key; calling a public key to encrypt and decrypt data;

(2) the server side records the use condition of the client side public key to form a client side public key use log, analyzes the log record and checks abnormal conditions;

(3) and (4) ciphertext data storage, wherein the ciphertext form of the encrypted data uploaded by the client is stored in a database.

Step S400: establishing a ciphertext index table based on the encrypted field, wherein the ciphertext index table records fields and unique identification field IDs which establish a one-to-one correspondence relationship with the encrypted field records; mapping the unique identification ID of the record of the field to be encrypted to the encrypted unique identification ID by using a Hash function, and storing the ID and the Hash value of the field content into an index table;

the step S400 comprises the following substeps:

(1) establishing an index table corresponding to the encryption field;

(2) defining an index field in an index table, wherein the content of the index field consists of a division value and a characteristic value of character string data;

(3) defining an index field partition function, and mapping the value range Di of the attribute R.ai to partitions { p1, p2, …, pk }, wherein the following conditions are satisfied: (1) all partitioned and can cover the entire domain; (2) any two partitions are not overlapped; formally, the function partition is defined as follows: partition (r, Ai) = { p1, p2, …, pk }; the dividing method of the numerical field value domain usually adopts the method of equal width or equal depth division; for the character type field, dividing the value range of the attribute according to the probability distribution of the attribute value, so that the number of elements contained in each division is approximately equal;

(4) defining an index field identification function, and assigning an identifier identrai (Pi) to each partition Pi of the attribute Ai;

(5) defining an index field mapping function, and mapping a value v in the attribute Ai domain to an identifier of v-membership division; formally, mapr. Ai (v) = identR. (Ai), wherein a direction is a subdivision comprising a possible.

(6) Defining an index field feature function: mapping the character string C1C 2 … Cn to the binary bit string b0b1 … bm-1 using a HASH function;

(7) for any character string needing to be encrypted, the division value and the characteristic value of the character string are obtained through a mapping function and a characteristic function; in order to facilitate the translation of the query conditions, the first h bits of the specified index field represent the division values of the character string data, the second m bits represent the characteristic values of the character string data, and the length of the whole index field is h + m bits;

(8) establishing a one-to-one corresponding relation between the encrypted fields and the field records of the index table; for each relationship R (a1, …, Ar, …, An), Ar is the string field to be encrypted, and the encrypted relationship pattern is RE (a1, …, ArE, …, An., Ars); where ArE is the encryption string field corresponding to Ar, i.e., ArE = e (Ar); ars is an auxiliary index field corresponding to Ar, and is obtained by combining the division value and the eigenvalue of Ar.

Step S500: based on the mapped hash value, realizing equivalent query and range query of the encrypted field; and calling the private key or the public key to decrypt the encrypted data and display the decrypted data.

The step S500 comprises the following substeps:

(1) searching ciphertext data, converting and querying a conditional statement in SQL by using rules in metadata (such as a mapping function, a characteristic function and the like) according to a storage mode of an encryption relationship, and converting a query of a character string field into a query of a corresponding index field; however, there are some records that satisfy the query condition of the index field but do not satisfy the query condition of the string field, resulting in the generation of "pseudo records";

(2) the ciphertext data is queried for the second time, the private key or the public key is called for decryption on the record after query filtering, and then accurate query is carried out on the decrypted data for the first time;

(3) the ciphertext data is decrypted and displayed, and the ciphertext in the inquired data is decrypted and displayed by using the public key;

(4) and (4) encrypting and decrypting the log record by using the public key, and uploading the conditions of encrypting and decrypting the log record by using the public key by the user, such as the using time of the public key, the user name, the decryption field, the condition of using the client and the like.

Claims (5)

1. The data encryption and decryption method of the non-immersion type multiple encryption algorithms is characterized in that:

(1) the method comprises the following steps that a secondary key system is adopted to enhance the management of key use, the key of a client user is distributed according to a user request, an administrator confirms and distributes the key, meanwhile, the key is recorded when the client uses the key, and the key of the client is also distributed according to data records; encrypting and decrypting the sensitive data by adopting an asymmetric encryption algorithm;

(2) the method comprises the steps of solving the problem of ciphertext query in a database encryption system by adopting a ciphertext field index table method, mapping the content of a field to be encrypted to a HASH value based on a HASH function by adopting a HASH algorithm, encrypting the content of the field to be encrypted based on the encryption function, and recording the mapped HASH value to realize equivalent query and range query of the encrypted field;

(3) the method adopts non-immersion to provide encryption and decryption services, completes encryption and decryption of application data by configuring a dependent injection mode, and does not need to modify codes of an original application system;

the method specifically comprises the following steps:

step S100: the administrator creates an asymmetric encrypted key pair, simultaneously stores a private key, sends a public key to the client, generates a symmetric encrypted key by the administrator, and secondarily encrypts and stores the asymmetric encrypted private key and the public key pair in the database by using the key;

step S200: the method comprises the steps that an encryption and decryption service is configured by an application, an interface which needs to encrypt and decrypt sensitive data is injected into an application program package in a front-mounted mode, the sensitive data is encrypted or decrypted firstly, then a service operation interface service is executed, and log information called by encryption and decryption is injected into a rear-mounted mode;

step S300: the client encrypts plaintext data to be uploaded by using the public key, the server records the use condition of the public key, and stores the ciphertext into a database data table;

step S400: establishing a ciphertext index table based on the encrypted fields, wherein fields and unique identification field IDs which establish one-to-one correspondence with the encrypted fields are recorded in the ciphertext index table; mapping the unique identification ID of the record of the field to be encrypted to the encrypted unique identification ID by using a Hash function, and storing the ID and the Hash value of the field content into an index table;

step S500: based on the mapped hash value, realizing equivalent query and range query of the encrypted field; the private key or the public key is called to decrypt the encrypted data, and the encrypted data is displayed;

the step S400 comprises the following substeps:

(1) establishing an index table corresponding to the encryption field;

(2) defining an index field in an index table, wherein the content of the index field consists of a division value and a characteristic value of character string data;

(3) defining an index field partition function, and mapping the value range Di of the attribute R.ai to partitions { P1, P2, … and Pk }, wherein the following conditions are satisfied: (1) all partitioned union sets may cover the entire domain; (2) any two divisions do not overlap; formally, the function partition is defined as follows: partition (r, Ai) = { P1, P2, …, Pk }; the dividing method of the numerical field value domain usually adopts the method of equal width or equal depth division; for the character type field, dividing the value range of the attribute according to the probability distribution of the attribute value, so that the number of elements contained in each division is approximately equal;

(4) defining an index field identification function, and assigning an identifier identrai (Pi) to each partition Pi of the attribute Ai;

(5) defining an index field mapping function, and mapping a value v in the attribute Ai domain to an identifier of v-membership division; formally, mapr. Ai (v) = identR. (Ai), where vector v is a partition of an identification function;

(6) defining an index field feature function: mapping the character string C1C 2 … Cn to the binary bit string b0b1 … bm-1 using a HASH function;

(7) for any character string needing to be encrypted, the division value and the characteristic value of the character string are obtained through a mapping function and a characteristic function; in order to facilitate the translation of the query conditions, the first h bits of the specified index field represent the division values of the character string data, the second m bits represent the characteristic values of the character string data, and the length of the whole index field is h + m bits;

(8) establishing a one-to-one corresponding relation between the encrypted fields and the field records of the index table; for each relationship R (a1, …, Ar, …, An), Ar is the string field to be encrypted, and the encrypted relationship pattern is RE (a1, …, ArE, …, An., Ars); where ArE is the encryption string field corresponding to Ar, i.e., ArE = e (Ar); ars is an auxiliary index field corresponding to Ar, and is obtained by combining the division value and the feature value of Ar.

2. The method for data encryption and decryption without immersion in various encryption algorithms according to claim 1, wherein the step S100 comprises the sub-steps of:

(1) an administrator generates an SM2 secret key, and a public key and a private key are generated by adopting an asymmetric encryption SM2 algorithm;

(2) the administrator generates an SM4 key and generates the key by adopting a symmetric encryption algorithm SM 4;

(3) encrypting and storing the generated public key and private key, encrypting the generated asymmetric encrypted private key and public key by using an SM4 key by an administrator, and simultaneously storing the encrypted public key and private key in a database;

(4) the user applies for the key, the administrator approves, registers and issues records, and provides a cipher plaintext to the client, the client forms a cipher text for opening the public key through the symmetrically encrypted key, and opens the asymmetrically encrypted public key;

(5) the administrator records the key application, and the administrator records the key application condition of the user and stores the key application condition in the database.

3. The method for data encryption and decryption without adopting multiple encryption algorithms according to claim 1, wherein the step S200 comprises the following sub-steps:

(1) configuring a preposed encryption and decryption function depending on an injection function;

(2) and configuring a post-encryption and decryption log recording function depending on the injection function.

4. The method for data encryption and decryption without immersion in various encryption algorithms according to claim 1, wherein the step S300 comprises the sub-steps of:

(1) the user decrypts the public key by using the symmetric key, and uploads or checks the encrypted sensitive data; calling a public key to encrypt and decrypt data;

(2) the server side records the use condition of the client side public key to form a client side public key use log, analyzes the log record and checks abnormal conditions;

(3) and (4) ciphertext data storage, namely storing the ciphertext form of the encrypted data uploaded by the client into a database.

5. The method for data encryption and decryption without immersion in various encryption algorithms according to claim 1, wherein the step S500 comprises the following sub-steps:

(1) searching ciphertext data, converting and querying conditional statements in SQL by using rules in metadata according to a storage mode of an encryption relationship, and converting the query of a character string field into the query of a corresponding index field; however, there are some records that satisfy the query condition of the index field but do not satisfy the query condition of the string field, resulting in the generation of "pseudo records";

(2) the ciphertext data is queried for the second time, the private key or the public key is called for decryption on the record after query filtering, and then accurate query is carried out on the decrypted data for the first time;

(3) the ciphertext data is decrypted and displayed, and the ciphertext in the inquired data is decrypted and displayed by using the public key;

(4) and the log record is used by encrypting and decrypting the public key, and the log condition of the encryption and decryption of the public key used by the user is uploaded.

Images