CN112887087B - Data management method and device, electronic equipment and readable storage medium - Google Patents
Data management method and device, electronic equipment and readable storage medium Download PDFInfo
- Publication number
- CN112887087B CN112887087B CN202110074980.XA CN202110074980A CN112887087B CN 112887087 B CN112887087 B CN 112887087B CN 202110074980 A CN202110074980 A CN 202110074980A CN 112887087 B CN112887087 B CN 112887087B
- Authority
- CN
- China
- Prior art keywords
- ciphertext
- key
- data
- merchant
- service provider
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0876—Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/602—Providing cryptographic facilities or services
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/04—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
- H04L63/0428—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0816—Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
- H04L9/085—Secret sharing or secret splitting, e.g. threshold schemes
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/30—Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3247—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
Abstract
The embodiment of the invention provides a data management method, a data management device, electronic equipment and a readable storage medium, and aims to improve data security. The data management method comprises the following steps: obtaining target data to be encrypted, and encrypting the target data by using a first secret key to obtain a first ciphertext; sending the first ciphertext to an encryption service provider; receiving a second ciphertext returned by the encryption service provider, wherein the second ciphertext is obtained by encrypting the first ciphertext by a second key; and persistently storing the second ciphertext, and deleting the target data and the first ciphertext. In the invention, only the second ciphertext is stored in the device, but the first ciphertext is not stored, so that even if an attacker cracks the first key and the encryption algorithm of the device, plaintext data cannot be decrypted according to the second ciphertext.
Description
Technical Field
The present invention relates to the field of information technologies, and in particular, to a data management method and apparatus, an electronic device, and a readable storage medium.
Background
In the related art, when managing some sensitive data, private data, or data with a higher security level, a device for managing data generally encrypts the data by using a key, then persistently stores a data ciphertext, and when needing to call a data plaintext, first decrypts the corresponding data ciphertext by using the key, thereby obtaining the corresponding data plaintext. However, when the key and the encryption algorithm in the device are cracked by an attacker, the attacker can decrypt the data ciphertext into corresponding data plaintext by using the cracked key and encryption algorithm, thereby causing sensitive data, private data or data with higher security level to be leaked. Therefore, the security of the data management mode in the related art is low, and data leakage is easily caused.
Disclosure of Invention
Embodiments of the present invention provide a data management method, an apparatus, an electronic device, and a readable storage medium, which aim to improve data security. The specific technical scheme is as follows:
in a first aspect of the embodiments of the present invention, a data management method is provided, where the method includes:
obtaining target data to be encrypted, and encrypting the target data by using a first secret key to obtain a first ciphertext;
sending the first ciphertext to an encryption service provider;
receiving a second ciphertext returned by the encryption service provider, wherein the second ciphertext is obtained by encrypting the first ciphertext by a second key;
and persistently storing the second ciphertext, and deleting the target data and the first ciphertext.
In a second aspect of embodiments of the present invention, there is provided a data management apparatus, including:
the data encryption module is used for obtaining target data to be encrypted and encrypting the target data by using a first secret key to obtain a first ciphertext;
the first ciphertext sending module is used for sending the first ciphertext to an encryption service provider;
a second ciphertext receiving module, configured to receive a second ciphertext returned by the encryption service provider, where the second ciphertext is obtained by encrypting the first ciphertext with a second key;
and the ciphertext processing module is used for persistently storing the second ciphertext and deleting the target data and the first ciphertext.
In a third aspect of the embodiments of the present invention, an electronic device is provided, which includes a processor, a communication interface, a memory, and a communication bus, where the processor, the communication interface, and the memory complete communication with each other through the communication bus;
the memory is used for storing a computer program;
the processor is configured to implement the data management method provided in any embodiment of the present invention when executing the program stored in the memory.
In a fourth aspect of the embodiments of the present invention, there is provided a computer-readable storage medium on which a computer program is stored, the program, when executed by a processor, implementing the data management method provided by any of the embodiments of the present invention.
In the invention, the device for managing data encrypts the target data by using the first key to obtain a first ciphertext. The device then sends the first ciphertext to the encryption service provider, which encrypts the first ciphertext with the second key into a second ciphertext. And the equipment receives a second ciphertext returned by the encryption service provider, persistently stores the second ciphertext, and deletes the target data and the first ciphertext. Because only the second ciphertext is stored in the device, but not the first ciphertext, even if an attacker cracks the first key and the encryption algorithm of the device, the target data cannot be decrypted according to the second ciphertext. And the data sent by the device to the encryption service provider is the first ciphertext of the target data, and the target data is not directly sent to the encryption service provider, so that the encryption service provider cannot acquire the target data, and an attacker cannot acquire the target data by intercepting communication information between the device and the encryption service provider. Therefore, the invention can effectively improve the data security.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below. It is obvious that the drawings in the following description are only some embodiments of the invention, and that for a person skilled in the art, other drawings can be derived from them without inventive effort.
Fig. 1 is a flowchart of a data management method according to an embodiment of the invention;
FIG. 2 is a flow chart of a data management method according to another embodiment of the present invention;
fig. 3 is a flowchart of a data key management method according to an embodiment of the present invention;
fig. 4 is a flowchart of a data key management method according to another embodiment of the invention;
FIG. 5 is a diagram of a data management apparatus according to an embodiment of the present invention;
fig. 6 is a schematic diagram of an electronic device according to an embodiment of the invention.
Detailed Description
The technical solution in the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings in the embodiments of the present invention. It should be apparent that the described embodiments are only some of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
In the related art, when managing some sensitive data, private data, or data with a higher security level, a device for managing data generally encrypts the data by using a key, then persistently stores a data ciphertext, and when needing to call a data plaintext, first decrypts the corresponding data ciphertext by using the key, thereby obtaining the corresponding data plaintext. However, when the key and the encryption algorithm in the device are cracked by an attacker, the attacker can decrypt the data ciphertext into corresponding data plaintext by using the cracked key and encryption algorithm, thereby causing sensitive data, private data or data with higher security level to be leaked. Therefore, the security of the data management mode in the related art is low, and data leakage is easily caused.
In view of this, the present invention provides a data management method, an apparatus, an electronic device and a readable storage medium through the following embodiments, which are intended to improve data security.
Referring to fig. 1, fig. 1 is a flowchart of a data management method according to an embodiment of the present invention, where the data management method is applied to a device that needs to manage data. For example, the device may be a terminal device, and since the terminal device may manage the data of the user, the terminal device may perform the data management method provided by the present invention. For example, the device may be a server, and the server may manage data of a plurality of users, so the server may execute the data management method provided by the present invention. It should be noted that the present invention is not limited to the type of device that performs the illustrated data management method. For simplicity of description, a device that executes the data management method provided by the present invention will be simply referred to as an execution device hereinafter.
As shown in fig. 1, the data management method includes the steps of:
step S11: and acquiring target data to be encrypted, and encrypting the target data by using a first secret key to obtain a first ciphertext.
The target data to be encrypted includes but is not limited to: user identity information, user representation, account information, merchant information, transaction records, key data, business operations, financial data, business secrets, or technical documents, etc.
The method for the execution device to obtain the target data to be encrypted includes, but is not limited to: the target data to be encrypted is obtained from the outside or is generated by itself.
Optionally, in some embodiments, the execution device obtains the target data to be encrypted from the outside. For example, the execution device obtains target data to be encrypted sent by other devices, or the execution device obtains target data to be encrypted directly input by a user. After the execution device obtains the target data to be encrypted from the outside, the execution device may load the target data into the memory and delete the target data stored outside the memory. Then, under the coordination of the memory, the Central Processing Unit (CPU) of the execution device encrypts the target data by using the first secret key to obtain a first ciphertext, and temporarily stores the first ciphertext into the memory.
Optionally, in some embodiments, the execution device itself generates the target data to be encrypted. After a Central Processing Unit (CPU) of the execution device generates target data to be encrypted, the target data can be encrypted by using a first secret key to obtain a first ciphertext, and then the first ciphertext is written into a memory.
Step S12: and sending the first ciphertext to an encryption service provider.
Step S13: and receiving a second ciphertext returned by the encryption service provider, wherein the second ciphertext is obtained by encrypting the first ciphertext by a second key.
In the invention, the execution device sends the first ciphertext to the encryption service provider, so that the encryption service provider encrypts the first ciphertext into the second ciphertext by using the second key.
Wherein the encryption service provider may be a third party that specifically provides the data encryption service. Because the encryption service provider has strong technical capability in the field of data encryption, the encryption service provider can usually resist most network attacks, and further ensure that the second ciphertext is not cracked.
Optionally, in some embodiments, the execution device may submit a registration request to the encryption service provider in advance, and the encryption service provider generates a second key for the execution device in response to the registration request of the execution device, and returns a second key ID of the second key to the execution device. When executing step S12, the executing device may invoke an encryption service interface provided by the encryption service provider, and send the first ciphertext, the registered identity information, and the second key ID to the encryption service provider, so that the encryption service provider executes the following steps: and after the identity authentication is passed, encrypting the first ciphertext by using a second key corresponding to the second key ID so as to obtain a second ciphertext, and returning the second ciphertext to the execution equipment.
Step S14: and persistently storing the second ciphertext, and deleting the target data and the first ciphertext.
Optionally, in a specific implementation continuing to use step S11 above, after the execution device receives the second ciphertext returned by the encryption service provider, the second ciphertext is persistently stored. And then the execution equipment deletes the target data and the first ciphertext of the target data in the memory.
Further alternatively, in a case where the number of the first keys is plural, the execution device may further establish a correspondence relationship between the first key used for encrypting the target data and the second ciphertext of the target data. In this way, when the target data is to be decrypted in the future, the first key which can be used for decrypting the target data can be inquired according to the corresponding relation.
For ease of understanding, it is exemplarily assumed that 100 first keys are included in the execution device, and it is further assumed that the execution device first encrypts the target data x by using the 56 th first key of the 100 first keys to obtain a first ciphertext x ″ when performing an encryption operation on the target data x. And then the execution equipment sends the first ciphertext x 'to the encryption service provider for encryption to obtain a second ciphertext x' returned by the encryption service provider. And then the execution equipment stores the second ciphertext x 'in a persistent mode and establishes a corresponding relation between the second ciphertext x' and the 56 th first key.
By executing the above steps S11 to S14, the execution device encrypts the target data with the first key to obtain a first ciphertext. The execution device then sends the first ciphertext to the encryption service provider, and the first ciphertext is encrypted by the encryption service provider into a second ciphertext using the second key. And the execution equipment receives a second ciphertext returned by the encryption service provider, persistently stores the second ciphertext, and deletes the target data and the first ciphertext. Because only the second ciphertext is stored in the execution device, but the first ciphertext is not stored, even if an attacker cracks the first key and the corresponding encryption algorithm of the execution device, the target data cannot be decrypted according to the second ciphertext and the first key.
And because the encryption service provider only receives the first ciphertext and the first key does not exist in the encryption service provider, an attacker cannot decrypt the target data according to the first ciphertext and the second key even if the second key and the corresponding encryption algorithm of the encryption service provider are cracked.
Also, since the execution device and the encryption service provider are usually located in different geographical locations, and a physical isolation is formed between the two, it is difficult for an attacker to simultaneously break the first key of the execution device and the second key of the encryption service provider, and thus it is difficult for the attacker to decrypt the target data. Therefore, the method and the device can effectively improve the data security.
In addition, since the data transmitted by the execution device to the encryption service provider is the first ciphertext of the target data and the target data is not directly transmitted to the encryption service provider, the encryption service provider cannot know the target data, and an attacker cannot acquire the target data by intercepting communication information between the execution device and the encryption service provider.
In the above, the present invention proposes a data encryption process during data management in conjunction with fig. 1. Hereinafter, the present invention proposes a data decryption process during data management.
Referring to fig. 2, fig. 2 is a flowchart of a data management method according to another embodiment of the present invention, the data management method includes the steps of the flowchart shown in fig. 1, but the steps of the flowchart in fig. 1 are not shown in fig. 2 for simplifying the drawing.
As shown in fig. 2, the data management method includes the steps of:
step S21: and responding to a target data calling request, and sending the second ciphertext to the encryption service provider.
Step S22: and receiving a first ciphertext returned by the encryption service provider.
Wherein the target data call request may be obtained externally by the execution device. For example, when the owner of the target data needs to obtain the target data, the owner may send a target data call request to the execution device through the terminal device, so that the execution device obtains the target data call request. For another example, when the administrator of the execution device needs to view the target data, a target data call request may be input to the execution device, and thus, the execution device obtains the target data call request.
Alternatively, the target data call request may be automatically generated by the execution device. For example, the data key is used as a target data, and only the second ciphertext of the data key is stored in the execution device in a persistent mode. When the execution device needs to perform the signing operation, the execution device may automatically generate a data key call request aiming to decrypt the corresponding data key and perform the signing operation using the decrypted data key.
It should be noted that, the present invention is not limited to how the execution device obtains the target data call request.
Optionally, in some embodiments, the execution device may call a decryption service interface provided by the encryption service provider, and send the second ciphertext, the registered identity information, and the corresponding second key ID to the encryption service provider, so that the encryption service provider performs the following steps: and after the identity authentication is passed, decrypting the second ciphertext by using a second key corresponding to the second key ID to obtain a corresponding first ciphertext, and returning the first ciphertext to the execution equipment.
In the above specific embodiment, the executing device sends the identity information and the second key ID to the encryption service provider, so that the encryption service provider can perform authentication according to the identity information, and only if the authentication is passed, the corresponding second key is used to perform the decryption operation. Thus, even if the attacker steals the second ciphertext from the execution device, the attacker cannot continue the next cracking operation because the attacker cannot pass the authentication of the encryption service provider.
Step S23: and decrypting the first ciphertext by using the first key aiming at the first ciphertext returned by the encryption service provider to obtain the target data.
Optionally, in some specific embodiments, after receiving the first ciphertext returned by the encryption service provider, the execution device loads the first ciphertext to the memory. And the Central Processing Unit (CPU) of the execution equipment decrypts the first ciphertext by using the first secret key under the coordination of the internal memory, thereby obtaining the target data.
Optionally, in some specific embodiments, after decrypting the target data, the execution device may delete the first ciphertext from the memory, so as to reduce storage time of the first ciphertext and reduce possibility of stealing the first ciphertext by an attacker. In addition, after the execution device sends the target data to the data demand party or the execution device utilizes the target data, the target data can be deleted in the memory, so that the storage time of the target data is reduced, and the possibility that an attacker steals the target data is reduced.
Optionally, in some specific embodiments, as described above, in the case that the number of the first keys is multiple, the execution device may further establish a correspondence between the first key used for encrypting the target data and the second ciphertext of the target data in advance. In this way, when the execution device executes step S23, after receiving the first ciphertext, which is returned by the encryption service provider and is decrypted with respect to the second ciphertext, the execution device may determine the first key corresponding to the second ciphertext according to the corresponding relationship of the second ciphertext, and then decrypt the received first ciphertext with the first key, thereby obtaining the target data.
In the above, the present invention proposes a data decryption process during data management in conjunction with fig. 2. In the following, the present invention proposes a specific way to implement the data management method in some specific application scenarios based on these specific application scenarios. It should be noted that the following specific application scenario is not an existing application scenario.
As previously mentioned, the target data may be a data key. In other words, in the execution device, the data key, which is a kind of target data that needs to be encrypted, should not be stored persistently in the form of plaintext. Accordingly, the first key used to encrypt the data key is the master key of the enforcement device.
Optionally, in some specific application scenarios, the enforcement device of the present invention is used to manage data keys for merchants. In the execution device, each merchant corresponds to a plurality of data keys, and each data key of the merchant is distributed to one customer of the merchant. When a certain customer of a certain merchant needs to rely on the merchant to conduct business, the execution device can sign business data of the customer by using a data key of the customer.
For ease of understanding, a bank illustratively serves as a merchant, and a user having an account at the bank serves as a customer of the bank. Each customer of the bank (or each account opened by the customer) has a data key, and the enforcement device manages the data keys in a unified manner.
In the specific application scenario, the executing device implements encryption of the data key by using the method shown in fig. 3, and fig. 3 is a flowchart of a data key management method according to an embodiment of the present invention.
As shown in fig. 3, the method for managing a data key includes the following steps:
step S31: and responding to the merchant registration request, and generating a first secret key corresponding to the new merchant.
The merchant registration request may carry merchant information (e.g., a merchant ID or a merchant name) of the new merchant, and after the execution device generates the first key for the new merchant, the execution device may establish a corresponding relationship between the first key and the merchant information of the new merchant.
Optionally, in some specific embodiments, the merchant registration request carries a key seed set by a new merchant, and after receiving the merchant registration request, the execution device may input the key seed carried by the merchant registration request into a key generation algorithm, for example, a key derivation function (PBKDF), so as to obtain a first key generated by the key generation algorithm.
Or optionally, in some specific embodiments, after receiving the merchant registration request, the execution device automatically generates a random string as a key seed, and then inputs the key seed into a key generation algorithm, for example, a password-based key derivation function (PBKDF), so as to obtain the first key generated by the key generation algorithm.
Step S32: and generating a data key for the target merchant, and encrypting the data key by using a first key corresponding to the target merchant to obtain a first ciphertext of the data key.
As previously described, the data key is for distribution to the customer of the target merchant. The target merchant refers to any one of merchants registered in the execution device.
Optionally, in some embodiments, after the merchant develops into a new customer, an account registration request may be sent to the execution device, where the account registration request carries merchant information of the merchant. The execution device responds to the account registration request, generates a data key and temporarily stores the data key into the memory. And the execution equipment calls a first key corresponding to the merchant information according to the merchant information carried by the account registration request, and then encrypts a data key in the memory by using the first key to obtain a first ciphertext of the data key. Thereafter, as previously described, the execution device sends a first ciphertext of the data key to the encryption service provider, which is encrypted by the encryption service provider with a second key into a second ciphertext. And after receiving the second ciphertext returned by the encryption service provider, the execution equipment distributes the second ciphertext to the new client of the merchant and persistently stores the second ciphertext. In addition, the execution device deletes the data key and the first ciphertext thereof from the memory.
The step of distributing the second ciphertext to the new customer of the merchant by the execution device specifically includes: the execution device returns the second cryptogram to the registration requestor (e.g., the merchant). Optionally, the second ciphertext may include a private key ciphertext, a public key, and an address. The executing device specifically uses the public key and the address in the second ciphertext as an account public key and an account address, respectively, and returns the public key and the address to the registration requester (e.g., the merchant). The private key ciphertext is obtained by encrypting the private key by the first key of the execution device and the second key of the encryption service provider in sequence.
Or optionally, in other specific embodiments, after the execution device executes the merchant registration request and generates the first key for the new merchant, in order to improve account registration efficiency, the execution device may generate a plurality of data keys for the new merchant in advance, then encrypt the data keys with the first key corresponding to the target merchant to obtain first ciphertexts of the data keys, and then encrypt the first ciphertexts by using the encryption service provider to obtain second ciphertexts of the data keys. The execution device persists second ciphertext of the data keys. When an account needs to be registered for a new customer of a new merchant, a second ciphertext is quickly allocated for the new customer directly from a plurality of second ciphertexts stored in a persistent mode. For specific description of the specific embodiment, refer to the following, which is not described herein.
In the invention, by executing the step S31 and the step S32, the execution device implements merchant registration and performs encryption management on the data key corresponding to the merchant, thereby providing a centralized data key management service for a plurality of merchants, and being beneficial to reducing the cost of carrying and developing business by the merchants. In addition, special business scenarios are facilitated. For example, in some business scenarios, a merchant sends a service message to message middleware, which parses the service message into transactions. The message middleware then invokes the execution device, causing the execution device to sign the transaction with the corresponding data key. And the message middleware submits the signed transaction to a block chain network for execution. Therefore, the merchant does not need to construct transactions in person, and the technical difficulty of using the block chain network to carry out business by the merchant is reduced.
Alternatively, in some embodiments, given that a merchant's first key is used to encrypt the data keys for each customer of the merchant, if the merchant's first key is broken and the encryption service provider is compromised, it may result in the data keys for all customers of the merchant being exposed. In order to minimize the data key exposure range, in the present invention, the execution device may generate a plurality of first keys for the merchant, and encrypt a plurality of data keys corresponding to the merchant by using the plurality of first keys. The present invention proposes a specific implementation of this embodiment:
in specific implementation, the execution device responds to the merchant registration request, and generates a group of first keys corresponding to the new merchant, where the group of first keys includes multiple mutually different first keys.
To facilitate understanding, the performing device illustratively generates 50 first keys for the new merchant in response to the merchant registration request. The execution device uses the 50 first keys as a group of first keys, and establishes a corresponding relationship between the group of first keys and the merchant information of the new merchant. It should be noted that the numeral "50" in the examples is merely illustrative and should not be construed as limiting the present invention.
In specific implementation, after the execution device generates a data key for a target merchant, a first key is randomly or in a polling manner selected from a group of first keys corresponding to the target merchant, and the data key is encrypted by using the first key to obtain a first ciphertext of the data key.
For understanding, the execution device generates a data key in response to the account registration request, and temporarily stores the data key in the memory. Then, the execution device randomly or in a polling manner selects a first key from a group of first keys corresponding to the merchant information according to the merchant information carried by the account registration request, and then encrypts a data key in the memory by using the first key to obtain a first ciphertext of the data key.
In the above specific embodiment, by using the plurality of first keys of the merchant to encrypt the plurality of data keys corresponding to the merchant, the data key exposure range can be narrowed under the extreme condition that the first keys of the merchant are cracked and the encryption service provider is also broken.
Optionally, in some embodiments, as described above, in order to improve the account registration efficiency, the execution device may generate a plurality of data keys for the new merchant in advance, and then encrypt the data keys by using the first key corresponding to the target merchant, so as to obtain the first ciphertext of the data keys. The present invention proposes a specific implementation of this embodiment:
during specific implementation, the execution device generates a plurality of data keys for the target merchant, and encrypts the data keys by using a first key corresponding to the target merchant for each data key in the plurality of data keys to obtain a first ciphertext of the data key.
For convenience of understanding, for example, after the execution device processes the merchant registration request and generates a set of first keys for the new merchant, the execution device may immediately generate 5000 data keys for the new merchant, and temporarily store the 5000 data keys in the memory. The execution device then randomly or round-robin selects a first key from a set of first keys of the new merchant for each of the 5000 data keys, encrypts the data key with the first key to obtain a first ciphertext of the data key, and deletes the data key from memory to shorten the data key persistence time. And after the execution equipment executes encryption operation on 5000 data keys, 5000 first ciphertexts are obtained. It should be noted that the numeral "5000" in the examples is merely illustrative and should not be construed as limiting the present invention.
During specific implementation, the execution device sends the first ciphertext of each data key to the encryption service provider, and receives a plurality of second ciphertexts returned by the encryption service provider, wherein each second ciphertext is obtained by encrypting the first ciphertext of one data key by a second key. And the execution equipment persistently stores the plurality of second ciphertexts, establishes the corresponding relation between the plurality of second ciphertexts and the target merchant, and deletes the plurality of data keys and the plurality of first ciphertexts thereof.
For understanding, the execution device illustratively encrypts each data key, obtains a first ciphertext of the data key, and sends the first ciphertext to the encryption service provider for encryption. After receiving the second ciphertext returned by the encryption service provider, the execution equipment persistently stores the second ciphertext through a corresponding data table in a key database, and then deletes the first ciphertext from the memory, so that the retention time of the first ciphertext is shortened. The corresponding data table and the merchant information have a corresponding relationship, for example, the merchant information may be used as a key of the data table, and each second ciphertext is used as a value of the data table.
Or for example, after the execution device completes encryption of all 5000 data keys to obtain 5000 first ciphertexts, the execution device sends the 5000 first keys to the encryption service provider in batch for batch encryption. And after receiving the 5000 second ciphertexts returned by the encryption service provider, the execution equipment records the 5000 second ciphertexts into a newly-created data table in the key database. The data table and the merchant information have a corresponding relationship, for example, the merchant information may be used as a key of the data table, and 5000 second ciphertexts are recorded in the data table as values.
In specific implementation, the execution device responds to the account registration request, and allocates a second ciphertext to the new customer from a plurality of second ciphertexts corresponding to corresponding merchants according to merchant information carried in the account registration request.
For convenience of understanding, for example, the executing device, in response to an account registration request sent by a merchant, reads out merchant information from the account registration request, and queries a data table corresponding to the merchant information by using the merchant information as an index. Then, the execution device allocates a second ciphertext to the new client from a plurality of second ciphertexts with the state of 'unallocated' in the data table, and updates the state of the second ciphertext to 'allocated'. As described above, the second ciphertext of the data key may include the private ciphertext, the public key, and the address. When the execution device allocates the second ciphertext to the new client, the public key and the address in the second ciphertext may be sent to the registration requester (e.g., the merchant terminal) as the account public key and the account address, respectively. The private key ciphertext is obtained by encrypting the private key by the first key of the execution device and the second key of the encryption service provider in sequence.
In the above embodiment, a plurality of data keys are generated in advance, and are encrypted to obtain a plurality of second ciphertexts, and the plurality of second ciphertexts are persistently stored. When an account registration request is received, a second ciphertext is allocated to the new client from the plurality of second ciphertexts stored in a persistent mode in response to the account registration request. In the invention, when the account registration request is received, the execution equipment does not need to execute the data key generation step and the data key encryption step, and can directly distribute a second ciphertext to the new client from a plurality of second ciphertexts which are generated in advance and stored persistently, thereby improving the account registration efficiency.
In addition, in the foregoing specific application scenario, the execution device implements decryption of the second ciphertext of the data key and signing with the data key in a manner shown in fig. 4, where fig. 4 is a flowchart of a data key management method according to another embodiment of the present invention.
As shown in fig. 4, the method for managing a data key includes the following steps:
step S41: in response to the signing request, sending a corresponding second ciphertext to the encryption service provider.
When the execution equipment obtains the signing request, the second ciphertext of the data key required to be utilized in signing is sent to the encryption server.
Optionally, in some embodiments, as described above, the second ciphertext may include the private key ciphertext, the public key, and the address. When the execution device allocates the second ciphertext to the new client, the public key and the address in the second ciphertext are specifically used as the account public key and the account address, respectively, and are sent to the registration requester (for example, the merchant terminal). And then, the executing device queries a second secret key comprising a corresponding address according to the account address carried in the signature request during responding to the signature request, and then sends a private key ciphertext of the second secret key to the encryption service provider for decryption.
In specific implementation, the execution device may invoke a decryption service interface provided by the encryption service provider, and send the private key ciphertext, the registered identity information, and the corresponding second key ID to the encryption service provider, so that the encryption service provider performs the following steps: firstly, identity authentication is carried out according to identity information, after the identity authentication is passed, a second secret key corresponding to a second secret key ID is used for decrypting a private key ciphertext so as to obtain a corresponding first ciphertext, and then the first ciphertext is returned to the execution equipment.
Step S42: and for the first ciphertext returned by the encryption service provider, decrypting the first ciphertext by using the corresponding first key to obtain the corresponding data key.
Optionally, in some specific embodiments, after the execution device receives the first ciphertext returned by the encryption service provider, the first ciphertext is loaded to the memory. Then, under the coordination of the memory, the central processing unit CPU of the execution device calls the corresponding first secret key to decrypt the first ciphertext in the memory to obtain the corresponding data secret key, and temporarily stores the decrypted data secret key in the memory.
Optionally, in some specific embodiments, as described above, in the case that the execution device has a plurality of first keys, the execution device may further establish a correspondence between the first key used for encrypting the target data and the second ciphertext of the target data in advance. The second ciphertext comprises a private key ciphertext, a public key and an address. In this way, when the executing device executes the step S42, after receiving the first ciphertext, which is returned by the encryption service provider and is decrypted by referring to the private key ciphertext, the executing device may determine the first key corresponding to the private key ciphertext according to the corresponding relationship of the private key ciphertext, and then decrypt the first ciphertext returned by the encryption service provider by using the first key, so as to obtain the private key plaintext.
Step S43: and signing the data to be signed carried by the signing request by using the decrypted data key, and deleting the first ciphertext returned by the encryption service provider and the decrypted data key.
Optionally, in some specific embodiments, the central processing unit CPU of the execution device signs the data to be signed carried in the signing request by using a data key (also called a private key plaintext) temporarily stored in the memory to obtain signed data, and then the execution device deletes the first ciphertext and the data key in the memory.
It should be noted that, in some equivalent technical solutions, the execution device may delete the first ciphertext in the memory immediately after decrypting the data key, so as to shorten the existence time of the first ciphertext. And the executing equipment deletes the data key in the memory immediately after executing the signing operation by using the data key.
Based on the same inventive concept, the embodiment of the invention also provides a data management device. Referring to fig. 5, fig. 5 is a schematic diagram of a data management apparatus according to an embodiment of the present invention. As shown in fig. 5, the data management apparatus includes:
the data encryption module 51 is configured to obtain target data to be encrypted, and encrypt the target data by using a first key to obtain a first ciphertext;
a first ciphertext sending module 52, configured to send the first ciphertext to an encryption service provider;
a second ciphertext receiving module 53, configured to receive a second ciphertext returned by the encryption service provider, where the second ciphertext is obtained by encrypting the first ciphertext with a second key;
and the ciphertext processing module 54 is configured to persistently store the second ciphertext, and delete the target data and the first ciphertext.
Optionally, in some embodiments, the apparatus further comprises:
the second ciphertext sending module is used for responding to the target data calling request and sending the second ciphertext to the encryption service provider;
the first ciphertext receiving module is used for receiving a first ciphertext returned by the encryption service provider;
and the data decryption module is used for decrypting the first ciphertext returned by the encryption service provider by using the first key to obtain the target data.
Optionally, in some embodiments, the target data is a data key.
Optionally, in some embodiments, the apparatus further comprises:
the first key generation module is used for responding to the merchant registration request and generating a first key corresponding to a new merchant;
the data encryption module is specifically configured to: generating a data key for a target merchant, and encrypting the data key by using a first key corresponding to the target merchant to obtain a first ciphertext of the data key; wherein the data key is for distribution to customers of the target merchant.
Optionally, in some specific embodiments, the first key generation module is specifically configured to: responding to a merchant registration request, and generating a group of first keys corresponding to a new merchant, wherein the group of first keys comprise a plurality of mutually different first keys;
the data encryption module is specifically configured to: generating a data key for a target merchant, randomly or in a polling way, selecting a first key from a group of first keys corresponding to the target merchant, and encrypting the data key by using the first key to obtain a first ciphertext of the data key.
Optionally, in some specific embodiments, the data encryption module is specifically configured to: generating a plurality of data keys for a target merchant, and encrypting the data keys by using a first key corresponding to the target merchant aiming at each data key in the plurality of data keys to obtain a first ciphertext of the data key;
the first ciphertext sending module is specifically configured to: sending the first ciphertext of each data key to the encryption service provider;
the second ciphertext receiving module is specifically configured to: receiving a plurality of second ciphertexts returned by the encryption service provider, wherein each second cipher text is obtained by encrypting the first cipher text of one data key by a second key;
the ciphertext processing module is specifically configured to: persistently storing the plurality of second ciphertexts, establishing a corresponding relation between the plurality of second ciphertexts and the target merchant, and deleting the plurality of data keys and the plurality of first ciphertexts thereof;
the device further comprises:
and the account registration module is used for responding to the account registration request, and distributing a second ciphertext to the new customer from a plurality of second ciphertexts corresponding to the corresponding merchants according to the merchant information carried by the account registration request.
Optionally, in some specific embodiments, the second ciphertext sending module is specifically configured to: in response to the signing request, sending a corresponding second ciphertext to the encryption service provider;
the data decryption module is specifically configured to: for the first ciphertext returned by the encryption service provider, decrypting the first ciphertext by using the corresponding first key to obtain a corresponding data key;
the device further comprises:
and the signature module is used for signing the data to be signed carried by the signature request by using the decrypted data key and deleting the first ciphertext returned by the encryption service provider and the decrypted data key.
For the device embodiment, since it is basically similar to the method embodiment, the description is simple, and for the relevant points, refer to the partial description of the method embodiment.
Based on the same inventive concept, an embodiment of the present invention further provides an electronic device, as shown in fig. 6, including a processor 601, a communication interface 602, a memory 603, and a communication bus 604, where the processor 601, the communication interface 602, and the memory 603 complete communication with each other through the communication bus 604.
The memory 603 is used for storing computer programs;
the processor 601 is configured to implement the following steps when executing the program stored in the memory 603:
obtaining target data to be encrypted, and encrypting the target data by using a first secret key to obtain a first ciphertext;
sending the first ciphertext to an encryption service provider;
receiving a second ciphertext returned by the encryption service provider, wherein the second ciphertext is obtained by encrypting the first ciphertext by a second key;
and persistently storing the second ciphertext, and deleting the target data and the first ciphertext.
Alternatively, the processor 601 is configured to implement the steps of the data management method provided by the above other method embodiments of the present invention when executing the program stored in the memory 603.
The communication bus mentioned in the electronic device may be a Peripheral Component Interconnect (PCI) bus, an Extended Industry Standard Architecture (EISA) bus, or the like. The communication bus may be divided into an address bus, a data bus, a control bus, etc. For ease of illustration, only one thick line is shown, but this does not mean that there is only one bus or one type of bus.
The communication interface is used for communication between the electronic equipment and other equipment.
The Memory may include a Random Access Memory (RAM), and may also include a non-volatile Memory (non-volatile Memory), such as at least one disk Memory. Optionally, the memory may also be at least one memory device located remotely from the processor.
The Processor may be a general-purpose Processor, and includes a Central Processing Unit (CPU), a Network Processor (NP), and the like; the Integrated Circuit may also be a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field Programmable Gate Array (FPGA) or other Programmable logic device, discrete Gate or transistor logic device, or discrete hardware components.
In yet another embodiment of the present invention, a computer-readable storage medium is further provided, which has instructions stored therein, and when the computer-readable storage medium runs on a computer, the computer is caused to execute the data management method in any one of the above embodiments.
In the above embodiments, the implementation may be wholly or partially realized by software, hardware, firmware, or any combination thereof. When implemented in software, may be implemented in whole or in part in the form of a computer program product. The computer program product includes one or more computer instructions. When loaded and executed on a computer, cause the processes or functions described in accordance with the embodiments of the invention to occur, in whole or in part. The computer may be a general purpose computer, a special purpose computer, a network of computers, or other programmable device. The computer instructions may be stored in a computer readable storage medium or transmitted from one computer readable storage medium to another, for example, from one website site, computer, server, or data center to another website site, computer, server, or data center via wired (e.g., coaxial cable, fiber optic, digital Subscriber Line (DSL)) or wireless (e.g., infrared, wireless, microwave, etc.). The computer-readable storage medium can be any available medium that can be accessed by a computer or a data storage device, such as a server, a data center, etc., that includes one or more available media. The usable medium may be a magnetic medium (e.g., floppy Disk, hard Disk, magnetic tape), an optical medium (e.g., DVD), or a semiconductor medium (e.g., solid State Disk (SSD)), among others.
It should be noted that, in this document, relational terms such as first and second, and the like are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising a … …" does not exclude the presence of another identical element in a process, method, article, or apparatus that comprises the element.
All the embodiments in the present specification are described in a related manner, and the same and similar parts among the embodiments may be referred to each other, and each embodiment focuses on differences from other embodiments. In particular, as for the system embodiment, since it is substantially similar to the method embodiment, the description is relatively simple, and reference may be made to the partial description of the method embodiment for relevant points.
The above description is only for the preferred embodiment of the present invention, and is not intended to limit the scope of the present invention. Any modification, equivalent replacement, or improvement made within the spirit and principle of the present invention shall fall within the protection scope of the present invention.
Claims (10)
1. A method for managing data, the method comprising:
obtaining target data to be encrypted, and encrypting the target data by using a first secret key to obtain a first ciphertext;
sending the first ciphertext to an encryption service provider;
receiving a second ciphertext returned by the encryption service provider, and establishing a corresponding relationship between the first key and the second ciphertext, wherein the corresponding relationship is used for decrypting the first key corresponding to the target data subsequently according to the second ciphertext, and the second ciphertext is obtained by encrypting the first ciphertext by using a second key;
persistently storing the second ciphertext, and deleting the target data and the first ciphertext;
the first key is one of a group of keys corresponding to a new merchant generated in response to a merchant registration request.
2. The method of claim 1, further comprising:
sending the second ciphertext to the encryption service provider in response to a target data invocation request;
receiving a first ciphertext returned by the encryption service provider;
and for the first ciphertext returned by the encryption service provider, decrypting the first ciphertext by using the first key to obtain the target data.
3. The method of claim 2, wherein the target data is a data key.
4. The method of claim 3, further comprising:
responding to the merchant registration request, and generating a first secret key corresponding to the new merchant;
the obtaining target data to be encrypted and encrypting the target data by using a first key to obtain a first ciphertext comprises:
generating a data key for a target merchant, and encrypting the data key by using a first key corresponding to the target merchant to obtain a first ciphertext of the data key; wherein the data key is for distribution to a customer of the target merchant.
5. The method of claim 4, wherein generating the first key corresponding to the new merchant in response to the merchant registration request comprises:
responding to a merchant registration request, and generating a group of first keys corresponding to a new merchant, wherein the group of first keys comprise a plurality of mutually different first keys;
the generating a data key for the target merchant, and encrypting the data key by using a first key corresponding to the target merchant to obtain a first ciphertext of the data key includes:
generating a data key for a target merchant, randomly or in a polling way, selecting a first key from a group of first keys corresponding to the target merchant, and encrypting the data key by using the first key to obtain a first ciphertext of the data key.
6. The method of claim 4, wherein generating the data key for the target merchant and encrypting the data key using the first key corresponding to the target merchant to obtain the first ciphertext of the data key comprises:
generating a plurality of data keys for a target merchant, and encrypting the data keys by using a first key corresponding to the target merchant aiming at each data key in the plurality of data keys to obtain a first ciphertext of the data key;
the sending the first ciphertext to an encryption service provider, comprising:
sending a first ciphertext for each data key to the encryption service provider;
the receiving a second ciphertext returned by the encryption service provider, where the second ciphertext is obtained by encrypting the first ciphertext with a second key, includes:
receiving a plurality of second ciphertexts returned by the encryption service provider, wherein each second cipher text is obtained by encrypting the first cipher text of one data key by a second key;
the persistently storing the second ciphertext and deleting the target data and the first ciphertext comprises:
persistently storing the plurality of second ciphertexts, establishing a corresponding relation between the plurality of second ciphertexts and the target merchant, and deleting the plurality of data keys and the plurality of first ciphertexts thereof;
the method further comprises the following steps:
and responding to the account registration request, and distributing a second ciphertext to the new customer from a plurality of second ciphertexts corresponding to corresponding merchants according to the merchant information carried by the account registration request.
7. The method of claim 3, wherein sending the second ciphertext to the cryptographic service provider in response to the target data invocation request comprises:
in response to the signing request, sending a corresponding second ciphertext to the encryption service provider;
the decrypting the first ciphertext returned by the encryption service provider by using the first key to obtain the target data includes:
for the first ciphertext returned by the encryption service provider, decrypting the first ciphertext by using the corresponding first key to obtain a corresponding data key;
the method further comprises the following steps:
and signing the data to be signed carried by the signing request by using the decrypted data key, and deleting the first ciphertext returned by the encryption service provider and the decrypted data key.
8. A data management apparatus, characterized in that the apparatus comprises:
the data encryption module is used for obtaining target data to be encrypted and encrypting the target data by using a first secret key to obtain a first ciphertext;
the first ciphertext sending module is used for sending the first ciphertext to an encryption service provider;
a second ciphertext receiving module, configured to receive a second ciphertext returned by the encryption service provider, and establish a correspondence between the first key and the second ciphertext, where the correspondence is used to subsequently decrypt the first key corresponding to the target data according to the second ciphertext, and the second ciphertext is obtained by encrypting the first ciphertext with the second key;
the ciphertext processing module is used for persistently storing the second ciphertext and deleting the target data and the first ciphertext;
the first key is one of a group of keys corresponding to a new merchant generated in response to a merchant registration request.
9. An electronic device is characterized by comprising a processor, a communication interface, a memory and a communication bus, wherein the processor and the communication interface are used for realizing mutual communication by the memory through the communication bus;
the memory is used for storing a computer program;
the processor, when executing a program stored in the memory, is adapted to perform the method steps of any of claims 1-7.
10. A computer-readable storage medium, on which a computer program is stored which, when being executed by a processor, carries out the method steps of any one of claims 1 to 7.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202110074980.XA CN112887087B (en) | 2021-01-20 | 2021-01-20 | Data management method and device, electronic equipment and readable storage medium |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202110074980.XA CN112887087B (en) | 2021-01-20 | 2021-01-20 | Data management method and device, electronic equipment and readable storage medium |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN112887087A CN112887087A (en) | 2021-06-01 |
| CN112887087B true CN112887087B (en) | 2023-04-18 |
Family
ID=76050433
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202110074980.XA Active CN112887087B (en) | 2021-01-20 | 2021-01-20 | Data management method and device, electronic equipment and readable storage medium |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN112887087B (en) |
Families Citing this family (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN114239065A (en) * | 2021-12-20 | 2022-03-25 | 北京深思数盾科技股份有限公司 | Data processing method based on secret key, electronic equipment and storage medium |
| CN114430343B (en) * | 2022-01-21 | 2023-12-01 | 北京数字认证股份有限公司 | Data synchronization method and device, electronic equipment and readable storage medium |
Citations (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN109474423A (en) * | 2018-12-10 | 2019-03-15 | 平安科技(深圳)有限公司 | Data encryption/decryption method, server and storage medium |
| CN109728902A (en) * | 2018-06-01 | 2019-05-07 | 平安科技(深圳)有限公司 | Key management method, equipment, storage medium and device |
| CN111510288A (en) * | 2020-04-09 | 2020-08-07 | 北京奇艺世纪科技有限公司 | Key management method, electronic device and storage medium |
Family Cites Families (9)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20130028419A1 (en) * | 2011-07-26 | 2013-01-31 | Debabrata Das | System and a method for use in a symmetric key cryptographic communications |
| CN108632021A (en) * | 2017-03-15 | 2018-10-09 | 阿里巴巴集团控股有限公司 | A kind of key encryption method, device and system |
| US10439804B2 (en) * | 2017-10-27 | 2019-10-08 | EMC IP Holding Company LLC | Data encrypting system with encryption service module and supporting infrastructure for transparently providing encryption services to encryption service consumer processes across encryption service state changes |
| CN108038128B (en) * | 2017-11-08 | 2020-02-14 | 平安科技(深圳)有限公司 | Retrieval method, system, terminal equipment and storage medium of encrypted file |
| CN111414628B (en) * | 2019-01-08 | 2024-01-02 | 阿里巴巴集团控股有限公司 | Data storage method and device and computing equipment |
| CN109933995B (en) * | 2019-01-31 | 2023-04-07 | 广州中国科学院软件应用技术研究所 | User sensitive data protection and system based on cloud service and block chain |
| CN111723384B (en) * | 2019-03-22 | 2024-04-02 | 阿里巴巴集团控股有限公司 | Data processing method, system and equipment |
| CN110099048B (en) * | 2019-04-19 | 2021-08-24 | 中共中央办公厅电子科技学院(北京电子科技学院) | Cloud storage method and equipment |
| CN110290102A (en) * | 2019-04-26 | 2019-09-27 | 武汉众邦银行股份有限公司 | Service security system and method based on application |
-
2021
- 2021-01-20 CN CN202110074980.XA patent/CN112887087B/en active Active
Patent Citations (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN109728902A (en) * | 2018-06-01 | 2019-05-07 | 平安科技(深圳)有限公司 | Key management method, equipment, storage medium and device |
| CN109474423A (en) * | 2018-12-10 | 2019-03-15 | 平安科技(深圳)有限公司 | Data encryption/decryption method, server and storage medium |
| CN111510288A (en) * | 2020-04-09 | 2020-08-07 | 北京奇艺世纪科技有限公司 | Key management method, electronic device and storage medium |
Non-Patent Citations (1)
| Title |
|---|
| Mayur N. Ghuge et al..Collaborative Key Management in Ciphertext Policy Attribute Based Encryption for Cloud.2018 Second International Conference on Inventive Communication and Computational Technologies (ICICCT).2018,全文. * |
Also Published As
| Publication number | Publication date |
|---|---|
| CN112887087A (en) | 2021-06-01 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN112131316B (en) | Data processing method and device applied to block chain system | |
| US11831753B2 (en) | Secure distributed key management system | |
| CN109981287B (en) | Code signing method and storage medium thereof | |
| CN109660534B (en) | Multi-merchant-based security authentication method and device, electronic equipment and storage medium | |
| CN112887087B (en) | Data management method and device, electronic equipment and readable storage medium | |
| CN112733121A (en) | Data acquisition method, device, equipment and storage medium | |
| CN111259448A (en) | Data sharing method and device | |
| CN112632574A (en) | Multi-mechanism data processing method and device based on alliance chain and related equipment | |
| CN111400728A (en) | Data encryption and decryption method and device applied to block chain | |
| CN112287364A (en) | Data sharing method, device, system, medium and electronic equipment | |
| KR102271201B1 (en) | Method for maintaining private information on blockchain network and device thereof | |
| CN115409511B (en) | Personal information protection system based on block chain | |
| JP5678150B2 (en) | User terminal, key management system, and program | |
| CN112733130B (en) | Account registration method and device, electronic equipment and readable storage medium | |
| KR20190099984A (en) | System for managing private key | |
| CN115048672A (en) | Data auditing method and device based on block chain, processor and electronic equipment | |
| Abdulhamid et al. | Development of blowfish encryption scheme for secure data storage in public and commercial cloud computing environment | |
| CN113946864B (en) | Confidential information acquisition method, device, equipment and storage medium | |
| CN112769846B (en) | Key management method and device, electronic equipment and readable storage medium | |
| US11804969B2 (en) | Establishing trust between two devices for secure peer-to-peer communication | |
| CN114826616B (en) | Data processing method, device, electronic equipment and medium | |
| CN115062063B (en) | Data query method and device based on block chain | |
| CN114666119B (en) | Data processing method, device, electronic equipment and medium | |
| CN115208630B (en) | Block chain-based data acquisition method and system and block chain system | |
| KR102382314B1 (en) | Secure join method of distributed data set |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |