CN116545627A - Method, apparatus and computer readable storage medium for data encryption - Google Patents

Publication number: CN116545627A
Authority: CN (China)
Prior art keywords: data, encryption, key, processed, encrypting
Legal status: Pending
Application number: CN202310750796.1A
Other languages: Chinese (zh)
Inventors: 王崇磊, 胡金晖, 张奕枭, 魏晓慧, 赖波
Current Assignee: Smart City Research Institute Of China Electronics Technology Group Corp
Original Assignee: Smart City Research Institute Of China Electronics Technology Group Corp

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/045 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply hybrid encryption, i.e. combination of symmetric and asymmetric encryption
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0819 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • H04L9/0822 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) using key encryption key
    • H04L9/0861 Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/14 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols using a plurality of keys or algorithms
    • H04L9/40 Network security protocols

Abstract

The application provides a method, a device and a computer readable storage medium for data encryption. The data encryption method comprises the following steps: acquiring data to be processed; encrypting the user information according to a first encryption mode under the condition that the user information exists in the data to be processed; encrypting the key field according to a second encryption mode under the condition that the key field exists in the data to be processed; and encrypting the data to be transmitted according to a third encryption mode under the condition that the data to be transmitted exists in the data to be processed. The data encryption efficiency can be improved, and the data security is ensured.

Description

Method, apparatus and computer readable storage medium for data encryption
Technical Field
The present application relates to the field of electronic technologies, and in particular, to a method, an apparatus, and a computer readable storage medium for encrypting data.
Background
A security risk in current data storage is that data may be damaged, tampered with or leaked as a result of accidents or malicious attacks.
Most encryption processes resist conventional information security attacks but cannot effectively protect highly confidential data. Where data is shared after encryption, schemes that increase security by passing the data through more encryption and decryption units at each node make the encryption and decryption flow redundant, and the encryption and decryption operations must strictly follow a consecutive time sequence, which easily leads to poor data-sharing performance. That is, current data encryption suffers from either weak defensive performance or a redundant flow, and encryption and decryption efficiency is poor.
Disclosure of Invention
The application provides a data encryption method and device, which are used for guaranteeing data security.
In a first aspect, the present application provides a method for encrypting data, including: acquiring data to be processed; encrypting the user information according to a first encryption mode under the condition that the user information exists in the data to be processed; encrypting the key field according to a second encryption mode under the condition that the key field exists in the data to be processed; and encrypting the data to be transmitted according to a third encryption mode under the condition that the data to be transmitted exists in the data to be processed.
The method optimizes the encryption flow and improves encryption efficiency. Different encryption modes are applied to different parts of the data to be processed according to the requirements of each scenario, that is, each part of the data is handled in a targeted manner, which gives higher security than a single encryption mode. In addition, the encryption process is simpler than stacking multiple encryption steps: while data security is still ensured, encryption and decryption have no time-sequence requirement, the amount of computation is small, and the probability of error is reduced.
Optionally, the encrypting the data to be sent according to the third encryption mode includes: encrypting the data to be transmitted according to a symmetric encryption algorithm to obtain first encrypted data; the key of the symmetric encryption algorithm is used for completing encryption and decryption; and obtaining a public key sent by a receiver, and encrypting a key of a symmetric encryption algorithm according to the public key to obtain a first key.
In this embodiment, the data to be transmitted is encrypted with a symmetric encryption algorithm and a public key before transmission. Multiple encryptions do not have to be executed in time sequence, which reduces the complexity of the encryption process, eases the performance problems caused by multi-layer encryption and decryption, and reduces the amount of computation and the probability of error. The first or second encryption mode additionally protects the highly confidential data that needs particular attention, so the confidentiality of that data can be ensured.
Optionally, after encrypting the data to be sent according to the third encryption manner, the method further includes: and sending the encryption result of the third encryption mode to the receiver, wherein the first key is used for the receiver to acquire a key, the key is used for decrypting the first encrypted data, the decryption key of the first key is a private key stored by the receiver, and the private key and the public key are a key pair.
Multi-layer keys make the process cumbersome, for example by requiring decryption operations to strictly follow a consecutive time sequence. By comparison, this embodiment needs no multi-layer-key encryption and decryption, which reduces the ordering constraints between the individual encryption and decryption operations and improves encryption and decryption efficiency.
Optionally, after encrypting the key field according to the second encryption manner, the method further includes: storing the second encrypted data to a second storage space; the second encryption data is to-be-processed data of which the key field is encrypted by the second encryption mode; the access right requirement of the second storage space is lower than that of the first storage space, and the first storage space is the storage space where the data to be processed with the key field being unencrypted is located.
When this embodiment is applied to a smart city scenario, the data to be processed whose key fields have been processed is stored in the second storage space, which has a lower security level. This prevents the key fields from being leaked while still allowing ordinary users with lower privileges to view the content of the non-key fields, so that data can be shared within the smart city.
Optionally, the first encryption mode includes: SHA-256 secure hash algorithm.
This embodiment adopts SHA-256 (Secure Hash Algorithm). The encrypted data has high security, and leakage of highly confidential data to unrelated users can be effectively avoided while project file information is stored and shared.
Optionally, the key field includes at least one of the following parameters: military information, business confidentiality, custom sensitive data.
In the embodiment, various sensitive information is encrypted in a second encryption mode, including known sensitive information, custom sensitive information and the like, so that the sensitive information is prevented from being leaked in data storage or data transmission, the data security is ensured, and the loss caused by information leakage is reduced.
Optionally, the method further comprises: asynchronously storing the data to be processed that has been encrypted according to the first encryption mode, the second encryption mode and/or the third encryption mode.
In this embodiment, the encrypted data is stored asynchronously, that is, a multi-copy remote storage strategy is adopted for data disaster recovery, which further improves the security, stability and reliability of the data.
Optionally, the acquiring data to be processed includes: collecting multi-source heterogeneous data; the multi-source heterogeneous data are data acquired in the construction process of the smart city; and carrying out standardized processing on the multi-source heterogeneous data to obtain the data to be processed.
In this embodiment, the various types of data generated during smart city construction are processed. Their formats must be unified before they are fed into the big data platform, which reduces the complexity of big data processing, the amount of computation and the probability of error.
In a second aspect, there is provided an apparatus for data encryption comprising means for performing any of the methods of the first aspect. The device may be a terminal device or a server, or may be a chip in the terminal device. The apparatus may include an input unit and a processing unit.
When the apparatus is a terminal device, the processing unit may be a processor, and the input unit may be a touch screen, a camera, a microphone, an AI (Artificial Intelligence) robot, an AR (Augmented Reality)/VR (Virtual Reality) device, or other Internet of Things device; the terminal device may further comprise a memory for storing computer program code which, when executed by the processor, causes the terminal device to perform any of the methods of the first aspect.
When the device is a chip in a terminal device, the processing unit may be a processing unit inside the chip, and the input unit may be an input/output interface, a pin, a circuit, or the like; the chip may also include memory, which may be memory within the chip (e.g., registers, caches, etc.), or memory external to the chip (e.g., read-only memory, random access memory, etc.); the memory is for storing computer program code which, when executed by the processor, causes the chip to perform any of the methods of the first aspect.
In a third aspect, there is provided a computer readable storage medium storing computer program code which, when run by a data encryption apparatus, causes the apparatus to perform any one of the methods of the first aspect.
Drawings
FIG. 1 is a schematic illustration of an application scenario suitable for use in the present application;
FIG. 2 is a schematic construction diagram of an application scenario of the present application;
FIG. 3 is a technical schematic diagram of an application scenario of the present application;
FIG. 4 is a schematic diagram of a method of data encryption provided herein;
FIG. 5 is a first step schematic diagram of the method for encrypting data provided in the present application;
FIG. 6 is a second step schematic diagram of the method for encrypting data provided in the present application;
FIG. 7 is a third step schematic diagram of the method for encrypting data provided herein;
FIG. 8 is a fourth step schematic diagram of the method for encrypting data provided herein;
FIG. 9 is a schematic diagram of an apparatus for data encryption provided herein;
FIG. 10 is a schematic diagram of an electronic device for data encryption provided herein.
Detailed Description
The technical solutions in the present application will be described below with reference to the accompanying drawings.
The embodiments of the application are applied to a smart city. Data processing in the smart city is mainly carried out by a big data platform, which manages, stores, shares and exchanges the data collected during smart city construction. The processed data can be sent to other big data platforms or intelligent business systems, so that the other big data platforms can complete their data processing or the intelligent business systems can be optimized, as shown in FIG. 1.
In one example, the big data platform may be deployed using container cloud technology, for example as a service product that deploys the big data platform on a cluster server through container cloud technology. In essence, a container cloud lets processes share the host's CPU, memory, storage and network, so that hardware resources are fully utilized. Technologies such as Docker and Kubernetes (k8s for short) manage and run containerized applications across multiple hosts in the container cloud. The flow mainly comprises service packaging, service deployment and service running; the service deployment flow of a container cloud is shown in FIG. 2.
Service packaging includes building the service and uploading the service. Building the service means creating a front-end service, a back-end service and the corresponding middleware base services for the big data platform according to the business scenario, and building image packages of different versions. The build content includes configuring basic service information, the base image (such as jdk1.8, the software development kit for the Java language), the startup script, and so on. For example, when the front-end service is created: image name: front-end service; version number: 0.0.1; architecture: ARM64 (Advanced RISC Machine); status: normal; image size: 387.61MB; build time: and x. When the back-end service is created: image name: back-end service; version number: 0.0.1; architecture: ARM64; status: normal; image size: 387.61MB; build time: and x. When the middleware service is created: image name: middleware service; version number: 0.0.1; architecture: ARM64; status: normal; image size: 387.61MB; build time: and x.
Service deployment includes: after the front-end and back-end service image packages have been created successfully, executing the corresponding startup script so that the front-end service image package can be published and installed; if the startup script fails, checking the startup script command and then running the startup script again. Examples of startup commands to check: the back-end service may use the command java -jar service.jar, and the front-end service may use the command npm run dev.
Service running includes: starting or stopping the corresponding service according to the business scenario; after a service is stopped, it can be uninstalled or upgraded to a new version. If a service fails to run, return to the service deployment step, check the startup script command and run the script again.
After the big data platform is deployed, its data management capability supports data acquisition, storage, aggregation, governance, processing, services, security, sharing and exchange, and so on. The collected data can be organized into big data assets that provide efficient services for business applications, model training and data sharing. While the big data platform is running, the data assets and the data service packages are shared and exchanged with other systems after security processing. The key technical characteristics of the big data are shown in FIG. 3.
In addition, using the export function of the big data platform's sharing and exchange feature, the data assets and the data service packages (tar.gz format) can be exported according to the business scenario, and the exported information can be securely imported into another big data platform through that platform's import function, so that data assets and data services are shared between big data platforms.
Alternatively, the data that has been analyzed, classified and aggregated in the big data platform can be exported and imported into an intelligent business system (such as a lightweight BI intelligent management system) to help managers make management decisions. This breaks down data silos, builds the digital space required for smart city construction, and enriches comprehensive data sets and fine-grained scenario business data. It effectively improves the efficiency with which smart city managers control and handle services such as city operation, traffic, security and government affairs, and enables intelligent perception and decision-making in city management.
Data management on the big data platform requires certain data security measures.
To ensure data security through encryption, some related technologies use, for example, MD5 (Message-Digest Algorithm 5) to encrypt data before it is written to the blockchain (uplink). Such encryption can only resist conventional information security attacks and cannot provide strong confidentiality for highly confidential data.
In other technologies, in order to improve data security, a shared file is encrypted by a multi-layer key, and the encrypted shared file is uploaded to a distributed file system, so that secure sharing of the file based on a blockchain is realized. However, in the whole file sharing process, the nodes of the distributed file system have more encryption and decryption units and more encryption and decryption flows, and the operations need to strictly follow consecutive time sequence relationships, so that the problem of poor sharing performance among data is caused.
The method 400 of data encryption provided herein will be described in detail below in conjunction with fig. 4.
In this application, the terms "first", "second", and the like are used to distinguish different individuals in the same type of object, for example, the first encryption scheme and the second encryption scheme represent two different encryption schemes, and there is no limitation otherwise.
The method 400 may be performed by the apparatus for data encryption shown in fig. 9. As shown in fig. 4, method 400 includes the following.
S401, obtaining data to be processed.
The data to be processed is, for example, data collected during construction of a smart city, which needs to be processed or used for realizing a certain process of the smart city.
Optionally, the acquiring data to be processed includes: collecting multi-source heterogeneous data; the multi-source heterogeneous data are data acquired in the construction process of the smart city; and carrying out standardized processing on the multi-source heterogeneous data to obtain the data to be processed.
Specifically, multi-source heterogeneous data generated by a plurality of users in smart city construction activities is collected. The multi-source heterogeneous data comprises a plurality of data types, and each type of data is acquired through a plurality of channels. Smart city construction activities involve various Internet of Things devices, such as wearable devices, smart home devices, autonomous driving devices, retail devices, telemedicine devices, smart agriculture devices, industrial robots and monitoring cameras, which generate a large amount of multi-source heterogeneous data, for example audio/video data (avi, dat, mp, mov, vid), image data (png, jpeg, bmp), text data (txt, doc, docx, ppt, pdf, csv, xlsx), and the like. The multi-source heterogeneous data sources need to be connected to the big data platform; the devices involved in generating the multi-source heterogeneous data during smart city construction are shown in FIG. 5.
Standardized processing means that the big data platform cleans and converts the multi-source heterogeneous data into data in a unified format, that is, standardized data. For example, an access processor for multi-source heterogeneous data can be built. The data is collected through the access processor's data-aggregation pipeline, the standardization function of the big data platform references a standard model and standard formats/standard types, and the platform cleans and converts the multi-source heterogeneous data to form standardized data.
In addition, after the multi-source heterogeneous data has been standardized, blockchain technology is used to store the data in a distributed manner through the block structure, which, together with the subsequent data encryption, ensures the security of data storage. The decentralized nature of blockchain technology supports distributed data accounting and storage. The blockchain architecture has no centralized hardware, and the data is jointly maintained by the nodes with maintenance functions across the entire blockchain system, which greatly reduces the time needed to standardize and classify the data and to create data sets for analysis applications. The stored information cannot be tampered with: once data is verified and added to the block structure of the blockchain, it is stored permanently, and modifications to the database on a single node are invalid. The use of blockchain technology facilitates collecting data from trusted data sources (reducing the probability of acquiring unreliable data); the data owners have complete control over data operations, and any unauthorized third party is restricted from operating on the data. The security, stability and reliability of the data on the blockchain are greatly improved, and the high standard quality of the data flowing through the big data platform is ensured.
S402, encrypting the user information according to a first encryption mode when the user information exists in the data to be processed. The user information includes user passwords, user behavior, user IDs, and so on. In actual use, the first encryption mode can be applied when a user logs in and at system log tracking points.
Optionally, the first encryption mode includes: SHA-256 secure hash algorithm. That is, the SHA-256 secure hash algorithm is used when a user logs in and at system log tracking points, mainly to encrypt information such as user passwords, user behavior and user IDs. For example, a piece of received information is converted by the hash algorithm into a hash value (message digest) with a fixed length of 256 bits and stored. The processing flow of the SHA-256 algorithm is shown in FIG. 6.
Specifically, the SHA-256 secure hash algorithm first preprocesses the message, which includes appending padding bits and appending the length, and then computes the digest from the preprocessed message. The padding bits satisfy: (original length + 1 + k) mod 512 = 448, where 1 means appending a single "1" bit after the original data; k is the smallest integer for which the formula holds, and k "0" bits are appended after the previously appended "1"; mod denotes the modulo operation.
The appended length is the original length, written as a 64-bit binary number. Added to the preceding 448 bits, it makes the total length exactly an integer multiple of 512, so n 512-bit message blocks are obtained after padding. The number of padding bits is between 1 and 512, and the original length is at most (2^64 - 1) bits.
The formula for calculating the abstract is:
wherein the hash value H (i) is derived from the last calculated H (i-1); function C is SHA-256 compression function; + represents that each operation unit word (32 bits are taken as one word in SHA-256) is modulo and added; />: every 512 bits of a message block, which is denoted +.>
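The padding rule and the block-by-block digest update described above, worked through in Go as an added example (not code from the patent). It pads a message as the formula states, adds the output of the compression function C to the previous hash value word by word modulo 2^32, and compares the result with Go's crypto/sha256; the names pad, compress, digest and matchesStdlib are chosen for this illustration.

```go
package main

import (
	"crypto/sha256"
	"encoding/binary"
	"fmt"
	"math/bits"
)

// SHA-256 round constants and initial hash value H(0), as defined in FIPS 180-4.
var roundK = [64]uint32{
	0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5, 0x3956c25b, 0x59f111f1, 0x923f82a4, 0xab1c5ed5,
	0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3, 0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 0xc19bf174,
	0xe49b69c1, 0xefbe4786, 0x0fc19dc6, 0x240ca1cc, 0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da,
	0x983e5152, 0xa831c66d, 0xb00327c8, 0xbf597fc7, 0xc6e00bf3, 0xd5a79147, 0x06ca6351, 0x14292967,
	0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 0x53380d13, 0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85,
	0xa2bfe8a1, 0xa81a664b, 0xc24b8b70, 0xc76c51a3, 0xd192e819, 0xd6990624, 0xf40e3585, 0x106aa070,
	0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5, 0x391c0cb3, 0x4ed8aa4a, 0x5b9cca4f, 0x682e6ff3,
	0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208, 0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2,
}

var initH = [8]uint32{
	0x6a09e667, 0xbb67ae85, 0x3c6ef372, 0xa54ff53a, 0x510e527f, 0x9b05688c, 0x1f83d9ab, 0x5be0cd19,
}

func rotr(x uint32, n int) uint32 { return bits.RotateLeft32(x, -n) }

// pad appends one "1" bit, then k "0" bits with (length + 1 + k) mod 512 = 448,
// then the original bit length as a 64-bit big-endian number. It returns k as well.
func pad(msg []byte) (padded []byte, k int) {
	bitLen := uint64(len(msg)) * 8
	k = int((960 - (bitLen+1)%512) % 512)             // smallest k >= 0 satisfying the rule
	padded = append(append([]byte{}, msg...), 0x80)   // the "1" bit plus the first 7 zero bits
	padded = append(padded, make([]byte, (k-7)/8)...) // the remaining k-7 zero bits
	var length [8]byte
	binary.BigEndian.PutUint64(length[:], bitLen)
	return append(padded, length[:]...), k
}

// compress is the compression function C: it mixes one 512-bit block into the
// previous hash value and returns the eight working words.
func compress(h [8]uint32, block []byte) [8]uint32 {
	var w [64]uint32
	for t := 0; t < 16; t++ {
		w[t] = binary.BigEndian.Uint32(block[4*t:])
	}
	for t := 16; t < 64; t++ {
		s0 := rotr(w[t-15], 7) ^ rotr(w[t-15], 18) ^ (w[t-15] >> 3)
		s1 := rotr(w[t-2], 17) ^ rotr(w[t-2], 19) ^ (w[t-2] >> 10)
		w[t] = w[t-16] + s0 + w[t-7] + s1
	}
	a, b, c, d, e, f, g, hh := h[0], h[1], h[2], h[3], h[4], h[5], h[6], h[7]
	for t := 0; t < 64; t++ {
		t1 := hh + (rotr(e, 6) ^ rotr(e, 11) ^ rotr(e, 25)) + ((e & f) ^ (^e & g)) + roundK[t] + w[t]
		t2 := (rotr(a, 2) ^ rotr(a, 13) ^ rotr(a, 22)) + ((a & b) ^ (a & c) ^ (b & c))
		hh, g, f, e, d, c, b, a = g, f, e, d+t1, c, b, a, t1+t2
	}
	return [8]uint32{a, b, c, d, e, f, g, hh}
}

// digest pads the message and folds each 512-bit block into the running hash:
// the new value is the previous value plus C's output, each 32-bit word mod 2^32.
func digest(msg []byte) [32]byte {
	h := initH
	padded, _ := pad(msg)
	for i := 0; i < len(padded); i += 64 {
		c := compress(h, padded[i:i+64])
		for j := range h {
			h[j] += c[j]
		}
	}
	var out [32]byte
	for j, v := range h {
		binary.BigEndian.PutUint32(out[4*j:], v)
	}
	return out
}

// matchesStdlib reports whether the walkthrough agrees with crypto/sha256.
func matchesStdlib(msg []byte) bool { return digest(msg) == sha256.Sum256(msg) }

func main() {
	msg := []byte("abc") // constructed sample input
	_, k := pad(msg)
	fmt.Printf("k=%d digest=%x stdlib match=%v\n", k, digest(msg), matchesStdlib(msg))
}
```

The digest is one-way: nothing in this flow recovers the input from the 256-bit value, so stored user information is checked by hashing the candidate value and comparing digests.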
The related art encrypts data with MD5 before writing it to the blockchain (uplink); that technique can only resist conventional information security attacks and cannot provide strong confidentiality for highly confidential data. This embodiment adopts the SHA-256 secure hash algorithm, which can effectively avoid leakage of highly confidential data (such as user information) to unrelated users during user login.
S403, encrypting the key field according to a second encryption mode under the condition that the key field exists in the data to be processed.
Specifically, in this embodiment, the key field may be encrypted or desensitized by a built-in data security processing operator. The security rules that implement the second encryption mode can be managed and maintained according to actual conditions, including adding, modifying and deleting data encryption and data desensitization rules, and the security rules can be referenced when constructing a security processing task, which is the task that implements the second encryption mode. In addition, the data security processing operator in some examples has an advanced design page that displays the flow of the security processing task; through the drag-and-drop function on that page, a user can create or modify the workflow of the data encryption and data desensitization tasks within the security processing task.
It can be understood that this embodiment does not limit the specific manner in which the key field is encrypted: the user may choose according to actual conditions, or a fixed manner may be preset, and so on. Likewise, there is no hard restriction on whether a key field is encrypted or desensitized; the user may choose in real time, or the field may be processed according to a correspondence preset on the platform.
Optionally, the key field includes at least one of the following parameters: military information, business confidentiality, custom sensitive data.
That is, the second encryption mode is applied to all kinds of sensitive information, including known sensitive information and custom sensitive information, so that it is not leaked during data storage or data transmission; this ensures data security and reduces the loss caused by information leakage.
Optionally, after encrypting the key field according to the second encryption mode, the method further includes: storing the second encrypted data in a second storage space. The second encrypted data is the data to be processed whose key field has been encrypted by the second encryption mode. The access-permission requirement of the second storage space is lower than that of the first storage space, where the first storage space is the storage space holding the data to be processed whose key field is unencrypted.
When the method is applied to a smart city scenario, the data to be processed whose key fields have been processed is stored in the second storage space, which has the lower security level. This keeps the key fields from being disclosed while still letting ordinary users with lower permissions view the content of the non-key fields, which enables data sharing within the smart city.
In one example, the key fields are encrypted or desensitized by a built-in data security processing operator. The data processing platform provides a task management function for the data security processing operator, and supports adjusting the data encryption or data desensitization configuration and selecting the second storage space (data warehouse) that stores the data processed by the second encryption mode. The workflow of the second encryption algorithm is shown in Fig. 7.
S404, encrypting the data to be transmitted according to a third encryption mode when the data to be transmitted exists in the data to be processed.
In smart city data processing, a large amount of data has to be exchanged, sent either to different nodes or to the data processing system of the next stage, so encrypting data as it is sent and received is particularly important.
Optionally, encrypting the data to be transmitted according to the third encryption mode includes: encrypting the data to be transmitted with a symmetric encryption algorithm to obtain first encrypted data, where the key of the symmetric encryption algorithm is used for both encryption and decryption; and obtaining a public key sent by the receiver and encrypting the key of the symmetric encryption algorithm with that public key to obtain a first key.
That is, the data to be transmitted is protected by means of a public key and a private key: in this embodiment it is encrypted with a symmetric encryption algorithm and a public key before being transmitted. Multiple rounds of encryption do not have to be executed in a fixed time sequence, which reduces the complexity of the encryption process, eases the performance problems caused by multi-layer encryption and decryption, and lowers both the amount of computation and the probability of error. The first or second encryption mode is used in addition to protect highly confidential data that needs particular attention, so that the confidentiality of such data is ensured.
Optionally, after encrypting the data to be transmitted according to the third encryption mode, the method further includes: sending the encryption result of the third encryption mode to the receiver. The first key is used by the receiver to obtain the key of the symmetric encryption algorithm, and that key is used to decrypt the first encrypted data; the decryption key of the first key is a private key stored by the receiver, and the private key and the public key form a key pair.
Using multi-layer keys brings performance and complexity problems, such as a redundant encryption and decryption flow and operations that must strictly follow a fixed order. By contrast, the public key and private key approach of the present application does not have to pass through a multi-layer key encryption and decryption flow, so the ordering constraints on each encryption and decryption operation are reduced and encryption and decryption efficiency is improved.
Specifically, before the third class of data is shared or exchanged, the data file information is encrypted and decrypted using a public key and private key scheme, for example by combining the RSA algorithm with the AES (Advanced Encryption Standard) algorithm. Combining the RSA and AES algorithms on the big data platform balances security, efficiency and flexibility. The encryption and decryption flow is as follows: the sender encrypts the data to be transmitted with the symmetric algorithm to obtain the first encrypted data; the receiver generates a key pair (a public key and a private key) through a public key mechanism and sends the public key to the sender; the sender encrypts the key of the symmetric algorithm with the public key to obtain the first key and sends the first key to the receiver; the receiver decrypts the first key with the private key to obtain the key of the symmetric algorithm; the sender sends the encrypted data (the first encrypted data) to the receiver; and the receiver decrypts the encrypted data with the key of the symmetric algorithm. One implementation is shown in Fig. 8.
It can be understood that, in the encryption and decryption process shown in Fig. 8, the string plaintext may be converted into byte-stream plaintext before encryption, or it may not be converted at all, in which case encryption and decryption operate on the string type throughout. Where byte conversion is used, the transmitted data may be the first encrypted data in byte form together with the first key, or it may be the first encrypted data in byte form, the first encrypted data in string form, the first key, and the first key in byte form. In other words, the data to be transmitted undergoes type conversion and several types of data are sent to the receiving end. Because the receiving end then holds several data types representing the same data to be transmitted, it can still obtain the complete data and exclude the damaged data even if errors such as partial data corruption or packet loss occur in transit; it can also select whichever data type the decryption processing requires, which reduces the type-conversion work at the receiving end. In addition, after the string plaintext is encrypted, format conversion before transmission is supported, and first encrypted data and first keys of different types are transmitted to ensure the success rate of data transmission or to reduce the processing required for decryption.
In the encryption process of Fig. 8, string plaintext is converted to byte-stream plaintext through an Encoding step: different code pages can be designated, the string is converted into the codes of the designated code page, and the string plaintext is finally expressed in byte[] form. In the decryption process, byte-stream plaintext is converted back to string plaintext: the byte[] plaintext is converted into the proper string plaintext using the code page that Encoding used.
Optionally, the method further comprises: asynchronously storing the data to be processed that has been encrypted according to the first encryption mode, the second encryption mode and/or the third encryption mode.
Specifically, when the data encryption process is applied to a smart city scenario, the data processing of the smart city can be implemented with blockchain technology and distributed storage. The result of encrypting the data to be processed can be stored asynchronously on the storage nodes according to the service scenario. A multi-copy, off-site storage strategy is adopted for data disaster recovery, which further improves the security, stability and reliability of the data.
The different encryption modes can be combined according to the user's requirements, so the encrypted data to be stored asynchronously may be the result of several encryption modes applied in combination.
In some scenarios, when only user information exists in the data to be processed, the encrypted data is obtained through the first encryption mode alone and stored asynchronously; when only key field information exists in the data to be processed, the encrypted data is obtained through the second encryption mode alone and stored asynchronously; when only data to be transmitted exists in the data to be processed, the encrypted data is obtained through the third encryption mode alone and stored asynchronously.
In other scenarios, when the user information belongs to a custom sensitive field and needs to be sent, the user information may be processed with the first, second and third encryption modes together, which finally yields the encrypted data to be stored in a distributed manner. Alternatively, when a key field in the data to be processed needs to be sent, the data may be processed with the second and third encryption modes in combination; when user information exists in the data to be processed and belongs to the key field type, the data may be processed with the first and second encryption modes in combination; and when user information exists in the data to be processed and needs to be sent, the data may be processed with the first and third encryption modes in combination.
That is, different encryption modes can be combined for use, and adaptive adjustment is supported in the actual use process.
Examples of the method of data encryption provided herein are described above in detail. It is to be understood that the corresponding means, in order to carry out the functions described above, comprise corresponding hardware structures and/or software modules for carrying out the respective functions. Those of skill in the art will readily appreciate that the elements and algorithm steps of the examples described in connection with the embodiments disclosed herein may be implemented as hardware or combinations of hardware and computer software. Whether a function is implemented as hardware or computer software driven hardware depends upon the particular application and design constraints imposed on the solution. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present application.
The present application may divide functional units of a device for encrypting data according to the above-described method example, for example, each function may be divided into each functional unit, or two or more functions may be integrated in one unit. The integrated units may be implemented in hardware or in software functional units. It should be noted that the division of the units in the present application is illustrative, and is merely a logic function division, and other division manners may be implemented in practice.
Fig. 9 is a schematic structural diagram of a data encryption device provided in the present application. The apparatus 900 comprises a processing unit 910 and an input unit 920, wherein the input unit 920 is capable of performing the acquisition step under control of the processing unit 910.
The input unit 920 is configured to acquire data to be processed.
The processing unit 910 is configured to: encrypt the user information according to a first encryption mode when user information exists in the data to be processed; encrypt the key field according to a second encryption mode when a key field exists in the data to be processed; and encrypt the data to be transmitted according to a third encryption mode when data to be transmitted exists in the data to be processed.
Optionally, encrypting the data to be transmitted according to the third encryption mode includes: encrypting the data to be transmitted with a symmetric encryption algorithm to obtain first encrypted data, where the key of the symmetric encryption algorithm is used for both encryption and decryption; and obtaining a public key sent by the receiver and encrypting the key of the symmetric encryption algorithm with that public key to obtain a first key.
Optionally, after encrypting the data to be transmitted according to the third encryption mode, the method further includes: sending the encryption result of the third encryption mode to the receiver. The first key is used by the receiver to obtain the key of the symmetric encryption algorithm, and that key is used to decrypt the first encrypted data; the decryption key of the first key is a private key stored by the receiver, and the private key and the public key form a key pair.
Optionally, after encrypting the key field according to the second encryption mode, the method further includes: storing the second encrypted data in a second storage space. The second encrypted data is the data to be processed whose key field has been encrypted by the second encryption mode. The access-permission requirement of the second storage space is lower than that of the first storage space, where the first storage space is the storage space holding the data to be processed whose key field is unencrypted.
Optionally, the first encryption mode includes: SHA-256 secure hash algorithm.
Optionally, the key field includes at least one of the following parameters: military information, business confidentiality, custom sensitive data.
Optionally, the method further comprises: asynchronously storing the data to be processed that has been encrypted according to the first encryption mode, the second encryption mode and/or the third encryption mode.
Optionally, the acquiring data to be processed includes: collecting multi-source heterogeneous data; the multi-source heterogeneous data are data acquired in the construction process of the smart city; and carrying out standardized processing on the multi-source heterogeneous data to obtain the data to be processed.
The specific manner in which apparatus 900 performs the method of data encryption and the resulting benefits may be found in the relevant description of the method embodiments.
Fig. 10 shows a schematic structural diagram of an electronic device for data encryption provided in the present application. The dashed lines in fig. 10 indicate that the unit or the module is optional. The apparatus 1000 may be used to implement the methods described in the method embodiments above. The device 1000 may be a terminal device or a server or a chip.
The device 1000 includes one or more processors 1001, which one or more processors 1001 may support the device 1000 to implement the methods in the method embodiments. The processor 1001 may be a general purpose processor or a special purpose processor. For example, the processor 1001 may be a central processing unit (central processing unit, CPU), digital signal processor (digital signal processor, DSP), application specific integrated circuit (application specific integrated circuit, ASIC), field programmable gate array (field programmable gate array, FPGA), or other programmable logic device such as discrete gates, transistor logic, or discrete hardware components.
The processor 1001 may be used to control the device 1000, execute software programs, and process data of the software programs. The device 1000 may further comprise a communication unit 1005 for enabling input (reception) and output (transmission) of signals.
For example, the device 1000 may be a chip, the communication unit 1005 may be an input and/or output circuit of the chip, or the communication unit 1005 may be a communication interface of the chip, which may be an integral part of a terminal device or a server or other electronic device.
For another example, the device 1000 may be a terminal device or a server, the communication unit 1005 may be a transceiver of the terminal device or the server, or the communication unit 1005 may be a transceiver circuit of the terminal device or the server.
The device 1000 may include one or more memories 1002 having a program 1004 stored thereon, the program 1004 being executable by the processor 1001 to generate instructions 1003 such that the processor 1001 performs the methods described in the method embodiments above in accordance with the instructions 1003. Optionally, the memory 1002 may also have data stored therein. Alternatively, the processor 1001 may also read data stored in the memory 1002, which may be stored at the same memory address as the program 1004, or which may be stored at a different memory address than the program 1004.
The processor 1001 and the memory 1002 may be provided separately or may be integrated together, for example, on a System On Chip (SOC) of the terminal device.
The present application also provides a computer program product which, when executed by the processor 1001, implements the method described in any of the method embodiments of the present application.
The computer program product may be stored in the memory 1002, for example, the program 1004, and the program 1004 is finally converted into an executable object file capable of being executed by the processor 1001 through preprocessing, compiling, assembling, and linking.
The present application also provides a computer readable storage medium having stored thereon a computer program which, when executed by a computer, implements a method according to any of the method embodiments of the present application. The computer program may be a high-level language program or an executable object program.
The computer-readable storage medium is, for example, the memory 1002. The memory 1002 may be a volatile memory or a nonvolatile memory, or the memory 1002 may include both a volatile memory and a nonvolatile memory. The nonvolatile memory may be a read-only memory (ROM), a programmable ROM (PROM), an erasable PROM (EPROM), an electrically erasable PROM (EEPROM), or a flash memory. The volatile memory may be a random access memory (RAM), which acts as an external cache. By way of example, and not limitation, many forms of RAM are available, such as static RAM (SRAM), dynamic RAM (DRAM), synchronous DRAM (SDRAM), double data rate SDRAM (DDR SDRAM), enhanced SDRAM (ESDRAM), synchlink DRAM (SLDRAM), and direct rambus RAM (DR RAM).
It will be clearly understood by those skilled in the art that, for convenience and brevity of description, specific working processes and technical effects of the apparatus and device described above may refer to corresponding processes and technical effects in the foregoing method embodiments, which are not described in detail herein.
In the several embodiments provided in the present application, the disclosed systems, apparatuses, and methods may be implemented in other manners. For example, some features of the method embodiments described above may be omitted or not performed. The above-described apparatus embodiments are merely illustrative; the division of units is merely a logical function division, there may be other divisions in actual implementation, and multiple units or components may be combined or integrated into another system. In addition, the coupling between units or between components may be direct or indirect, including electrical, mechanical, or other forms of connection.
It should be understood that, in the various embodiments of the present application, the size of the sequence number of each process does not imply its execution order; the execution order of each process should be determined by its function and internal logic, and the sequence numbers should not constitute any limitation on the implementation of the embodiments of the present application.
In addition, the terms "system" and "network" are often used interchangeably herein. The term "and/or" herein merely describes an association between associated objects and means that three relationships may exist; for example, A and/or B may represent: A exists alone, A and B exist together, or B exists alone. In addition, the character "/" herein generally indicates that the objects before and after it are in an "or" relationship.
In summary, the foregoing description is only a preferred embodiment of the technical solution of the present application, and is not intended to limit the scope of the present application. Any modification, equivalent replacement, improvement, etc. made within the spirit and principles of the present application should be included in the protection scope of the present application.

Claims (10)

1. A method of encrypting data, comprising:
acquiring data to be processed;
encrypting the user information according to a first encryption mode under the condition that the user information exists in the data to be processed;
encrypting the key field according to a second encryption mode under the condition that the key field exists in the data to be processed;
and encrypting the data to be transmitted according to a third encryption mode under the condition that the data to be transmitted exists in the data to be processed.
2. The method according to claim 1, wherein encrypting the data to be transmitted according to a third encryption scheme comprises:
encrypting the data to be transmitted according to a symmetric encryption algorithm to obtain first encrypted data; the key of the symmetric encryption algorithm is used for completing encryption and decryption;
and obtaining a public key sent by a receiver, and encrypting a key of a symmetric encryption algorithm according to the public key to obtain a first key.
3. The method according to claim 2, wherein after encrypting the data to be transmitted according to a third encryption scheme, the method further comprises:
and sending the encryption result of the third encryption mode to the receiver, wherein the first key is used for the receiver to acquire a key, the key is used for decrypting the first encrypted data, the decryption key of the first key is a private key stored by the receiver, and the private key and the public key are a key pair.
4. A method according to any one of claims 1 to 3, wherein after encrypting the key field according to the second encryption scheme, the method further comprises:
storing the second encrypted data to a second storage space;
the second encryption data is to-be-processed data of which the key field is encrypted by the second encryption mode; the access right requirement of the second storage space is lower than that of the first storage space, and the first storage space is the storage space where the data to be processed with the key field being unencrypted is located.
5. The method of claim 1, wherein the first encryption scheme comprises:
SHA-256 secure hash algorithm.
6. The method of claim 1, wherein the key field comprises at least one of the following parameters: military information, business confidentiality, custom sensitive data.
7. The method of claim 1, 2, 3, 5 or 6, further comprising:
and asynchronously storing the data to be processed encrypted according to the first encryption mode, the second encryption mode or/and the third encryption mode.
8. The method of claim 1, 2, 3, 5 or 6, wherein the acquiring the data to be processed comprises:
collecting multi-source heterogeneous data; the multi-source heterogeneous data are data acquired in the construction process of the smart city;
and carrying out standardized processing on the multi-source heterogeneous data to obtain the data to be processed.
9. An apparatus for encrypting data, comprising a processor and a memory, the processor and the memory being coupled, the memory being for storing a computer program which, when executed by the processor, causes the apparatus to perform the method of any one of claims 1 to 8.
10. A computer readable storage medium, characterized in that the computer readable storage medium stores a computer program, which when executed by a processor causes the processor to perform the method of any of claims 1 to 8.
CN202310750796.1A 2023-06-25 2023-06-25 Method, apparatus and computer readable storage medium for data encryption Pending CN116545627A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310750796.1A CN116545627A (en) 2023-06-25 2023-06-25 Method, apparatus and computer readable storage medium for data encryption

Publications (1)

Publication Number Publication Date
CN116545627A true CN116545627A (en) 2023-08-04

Family

ID=87449021

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination