CN116707783A - Data security management and control method, device, system and storage medium - Google Patents

Data security management and control method, device, system and storage medium Download PDF

Info

Publication number
CN116707783A
CN116707783A CN202310676168.3A CN202310676168A CN116707783A CN 116707783 A CN116707783 A CN 116707783A CN 202310676168 A CN202310676168 A CN 202310676168A CN 116707783 A CN116707783 A CN 116707783A
Authority
CN
China
Prior art keywords
calculation result
server
random number
sub
message
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202310676168.3A
Other languages
Chinese (zh)
Inventor
尤贺
王宇
李京
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
China United Network Communications Group Co Ltd
Original Assignee
China United Network Communications Group Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by China United Network Communications Group Co Ltd filed Critical China United Network Communications Group Co Ltd
Priority to CN202310676168.3A priority Critical patent/CN116707783A/en
Publication of CN116707783A publication Critical patent/CN116707783A/en
Pending legal-status Critical Current

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/0863Generation of secret information including derivation or calculation of cryptographic keys or passwords involving passwords or one-time passwords
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00Network arrangements or protocols for supporting network services or applications
    • H04L67/01Protocols
    • H04L67/10Protocols in which an application is distributed across nodes in the network
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/0869Generation of secret information including derivation or calculation of cryptographic keys or passwords involving random numbers or seeds

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Storage Device Security (AREA)

Abstract

The application provides a data security management and control method, equipment, a system and a storage medium, and relates to the technical field of cloud computing. The method comprises the following steps: the method comprises the steps of sending a splitting task and the generation time of the splitting task to a sub-server, and obtaining a first message sent by the sub-server, wherein the first message is a random number or encryption information obtained by encrypting the random number; after the sub-server executes the splitting task to obtain a calculation result, an encryption calculation result and an attribute value sent by the sub-server are obtained; the attribute value comprises characteristic information of a calculation result, and the encryption calculation result is obtained by encrypting the calculation result by the sub-server according to the secret key; the secret key is obtained by the sub-server according to the generation time, the random number and the characteristic information; and obtaining a secret key according to the generation time, the first message and the attribute value, and decrypting the encryption calculation result according to the secret key to obtain a calculation result. The application can ensure that each server only provides the calculation result of the distributed task, and excessively leak private data.

Description

Data security management and control method, device, system and storage medium
Technical Field
The present application relates to the field of cloud computing technologies, and in particular, to a data security management and control method, device, system, and storage medium.
Background
In the distributed computing process, each server distributed in the network 'cloud' performs computing with respective resources, and the computing result is private data of each server. But each calculation needs to be combined to be the final result of the distributed task, which involves the aggregation of multiple private data.
In the data summarizing process, how to conduct data security control further ensures that each server only provides the calculation result of the distributed task, and how to leak private data of the servers is a problem which is solved in a great effort.
Based on the above-mentioned drawbacks, a method, device, system and storage medium for data security management and control are needed, which not only ensure that each server only provides the calculation result of the distributed task, but also leak the private data too much.
Disclosure of Invention
The application provides a data security management and control method, equipment, a system and a storage medium, which not only ensure that each server only provides the calculation result of the distributed task, but also leak private data excessively.
In a first aspect, the present application provides a data security management and control method, for a total server, including:
sending the splitting task and the generation time of the splitting task to a sub-server, and acquiring a first message sent by the sub-server, wherein the first message is a random number or encryption information obtained by encrypting the random number;
after the sub-server executes the splitting task to obtain a calculation result, acquiring an encryption calculation result and an attribute value sent by the sub-server; the attribute value comprises characteristic information of a calculation result, and the encryption calculation result is obtained by encrypting the calculation result by a sub-server according to a secret key; the secret key is obtained by the sub-server according to the generation time, the random number and the characteristic information;
and obtaining the secret key according to the generation time, the first message and the attribute value, and decrypting the encryption calculation result according to the secret key to obtain the calculation result.
In one possible design, the feature information includes a data size of the calculation result and a completion time when the calculation result is obtained, and the attribute value is obtained by encrypting the feature information by the sub-server according to a first public key/a first private key; the obtaining the key according to the generation time, the first message and the attribute value includes:
decrypting the attribute value through the first private key/the first public key to obtain the data size and the completion time;
acquiring the calculation time of the splitting task according to the generation time and the completion time;
and acquiring the secret key according to the first message, the data size and the calculation time.
In one possible design, the obtaining the key according to the first message, the data size, and the calculation time includes:
obtaining a random number according to the first message, and carrying out hash operation on the random number to obtain a first hash value;
obtaining the product of the random number and the data size, and carrying out hash operation on the ratio of the product to the calculation time to obtain a second hash value;
and performing exclusive OR operation on the first hash value and the second hash value to acquire the secret key.
In one possible design, the first message is information obtained by encrypting the random number by the sub-server according to a second public key/a second private key, and the obtaining the random number according to the first message includes:
and decrypting the first message through the second private key/the second public key to obtain the random number.
In one possible design, the encryption calculation result is obtained by symmetrically encrypting the calculation result by the sub-server through the secret key; the step of decrypting the encrypted calculation result according to the secret key to obtain the calculation result comprises the following steps:
and symmetrically decrypting the encryption calculation result through the secret key to obtain the calculation result.
In one possible design, after each of the calculation results is obtained, the method further includes:
and after the calculation result of each split task is obtained, summarizing each calculation result to obtain the calculation result of the complete task.
In a second aspect, the present application provides a data security management and control method, for a sub-server, including:
receiving a split task distributed by a total server and the generation time of the split task, generating a random number, and sending a first message to the total server according to the random number;
executing the splitting task, acquiring a calculation result, the data size of the calculation result and the completion time when the calculation result is acquired;
obtaining a secret key according to the random number, the generation time, the completion time and the data size; encrypting the calculation result according to a secret key to obtain an encryption calculation result;
encrypting the completion time and the data size to obtain an attribute value; and sending the encryption calculation result and the attribute value to a total server.
In one possible design, the sending the first message to the total server according to the random number and the random number includes:
and taking the random number as the first message, or encrypting the random number according to a second public key/a second private key to obtain the first message, and sending the first message to the total server.
In one possible design, the obtaining a key according to the random number, the generation time, the completion time, and the data size includes:
performing hash operation on the random number to obtain a first hash value;
acquiring the calculation time of the splitting task according to the generation time and the completion time; obtaining the product of the random number and the data size, and carrying out hash operation on the ratio of the product to the calculation time to obtain a second hash value;
and performing exclusive OR operation on the first hash value and the second hash value to acquire the secret key.
In one possible design, the encrypting the calculation result according to the key to obtain an encrypted calculation result includes:
and symmetrically encrypting the calculation result through the secret key to obtain the encryption calculation result.
In one possible design, the encrypting the completion time and the data size to obtain the attribute value includes:
and encrypting the completion time and the data size according to the first public key/the first private key to obtain the attribute value.
In a third aspect, the present application provides a data security management and control apparatus for a total server, including:
the first acquisition module is used for transmitting the splitting task and the generation time of the splitting task to the sub-server, and acquiring a first message transmitted by the sub-server, wherein the first message is a random number or encryption information obtained by encrypting the random number;
the first processing module is used for acquiring an encryption calculation result and an attribute value sent by the sub-server after the sub-server executes the splitting task to obtain the calculation result, wherein the attribute value comprises characteristic information of the calculation result, and the encryption calculation result is obtained by the sub-server according to encryption of the calculation result by a secret key; the secret key is obtained by the sub-server according to the generation time, the random number and the characteristic information;
and the second processing module is used for acquiring the secret key according to the generation time, the first message and the attribute value, and decrypting the encryption calculation result according to the secret key to acquire the calculation result.
In a fourth aspect, the present application provides a data security management and control apparatus for a sub-server, the apparatus comprising:
the first sending module is used for receiving a splitting task distributed by the total server and the generation time of the splitting task, generating a random number and sending a first message to the total server according to the random number;
the second acquisition module is used for executing the splitting task, acquiring a calculation result, the data size of the calculation result and the completion time when the calculation result is acquired;
the third processing module is used for obtaining a secret key according to the random number, the generation time, the completion time and the data size; encrypting the calculation result according to a secret key to obtain an encryption calculation result;
the second sending module is used for encrypting the completion time and the data size to obtain an attribute value; and sending the encryption calculation result and the attribute value to a total server.
In a fifth aspect, the present application provides a data security management and control system, including a total server and at least two sub servers, where the total server executes a data security management and control method for the total server, and the sub servers are configured to execute a data security management and control method for the sub servers.
In a sixth aspect, the present application provides an electronic device, comprising: a processor, and a memory communicatively coupled to the processor;
the memory stores computer-executable instructions;
the processor executes the computer-executable instructions stored in the memory to implement a data security management method for the overall server or a data security management method for the sub-servers.
In a seventh aspect, the present application provides a computer-readable storage medium having stored therein computer-executable instructions for implementing a data security management method when executed by a processor.
According to the data security management and control method, the device, the system and the storage medium, the first message, the attribute value and the encryption calculation result are obtained, and the encryption calculation result is decrypted through the key according to the key of the encryption calculation result of the first message and the attribute value to obtain the calculation result. The following technical effects are realized:
the sub-server acquires a secret key according to the generation time, the random number and the characteristic information, wherein the secret key is a secret key only aiming at the calculation result, so that the privacy of other data in the sub-server is protected, and the privacy of the sub-server is improved;
the total server receives the first message and the attribute value twice, wherein the first message is a message encrypted by a random number, the characteristic value is a message encrypted by characteristic information, and the key is obtained by combining the generation time of the splitting task and decrypting the encrypted calculation result, so that the security of the key and the calculation result is improved.
Drawings
In order to more clearly illustrate the embodiments of the present application or the technical solutions of the prior art, the following description will briefly explain the drawings used in the embodiments or the description of the prior art, and it is obvious that the drawings in the following description are some embodiments of the present application, and other drawings can be obtained according to these drawings without inventive effort for a person skilled in the art.
Fig. 1 is an application scenario diagram of a data security management and control method provided by an embodiment of the present application;
FIG. 2 is a flowchart illustrating a method for data security management and control according to an embodiment of the present application;
FIG. 3 is a second flowchart of a data security management and control method according to an embodiment of the present application;
fig. 4 is a flowchart illustrating a data security management and control method according to an embodiment of the present application;
fig. 5 is a schematic structural diagram of a data security management and control device according to an embodiment of the present application;
fig. 6 is a schematic structural diagram II of a data security management and control device according to an embodiment of the present application;
fig. 7 is a schematic diagram of a hardware structure of an electronic device according to an embodiment of the present application.
Detailed Description
Reference will now be made in detail to exemplary embodiments, examples of which are illustrated in the accompanying drawings. When the following description refers to the accompanying drawings, the same numbers in different drawings refer to the same or similar elements, unless otherwise indicated. The implementations described in the following exemplary examples do not represent all implementations consistent with the application. Rather, they are merely examples of apparatus and methods consistent with some aspects of the application, as detailed in the accompanying claims, rather than all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the application without making any inventive effort, are intended to be within the scope of the application.
It should be noted that, in the embodiments of the present application, words such as "exemplary" or "such as" are used to denote examples, illustrations, or descriptions. Any embodiment or design described herein as "exemplary" or "for example" should not be construed as preferred or advantageous over other embodiments or designs. Rather, the use of words such as "exemplary" or "such as" is intended to present related concepts in a concrete fashion.
The data security control method provided by the embodiment of the application is described in detail below with reference to the accompanying drawings. The "at … …" in the embodiment of the present application may be an instant when a certain situation occurs, or may be a period of time after a certain situation occurs, which is not particularly limited.
Fig. 1 is a schematic diagram of a scenario of a data security management and control method according to an embodiment of the present application. As shown in fig. 1, the method is used for split cloud computing tasks, when the split cloud computing tasks are executed, the total server 110 splits the total task into a plurality of split tasks and sends the split tasks to the sub-servers 120 (at least two), after the split tasks are completed, the sub-servers 120 send the computing results to the total server 110, and after the total server 110 sums all the computing results, the computing results of the total task are obtained.
Fig. 2 is a schematic flow chart of a data security management and control method according to an embodiment of the present application. As shown in fig. 2, for a total server, the method includes:
s201, sending the splitting task and the generation time of the splitting task to a sub-server, and acquiring a first message sent by the sub-server, wherein the first message is a random number or encryption information obtained by encrypting the random number;
specifically, for a total task, the total server splits the total task, sends each split task to each sub-server, sends the split task to the sub-servers and acquires a first message, wherein a random number in the first message is a part of information of an acquisition key.
S202, after a sub-server executes a splitting task to obtain a calculation result, acquiring an encryption calculation result and an attribute value sent by the sub-server; the attribute value comprises characteristic information of a calculation result, and the encryption calculation result is obtained by encrypting the calculation result by the sub-server according to the secret key; the secret key is obtained by the sub-server according to the generation time, the random number and the characteristic information;
specifically, the attribute value, the calculation result and the first message are all acquired by the sub-server, and the feature information of the calculation result included in the attribute value is another part of information of the acquisition key.
S203, obtaining a secret key according to the generation time, the first message and the attribute value, and decrypting the encryption calculation result according to the secret key to obtain a calculation result.
Specifically, the generation time is the time for the total server to acquire the splitting task, and the first message and the attribute value are respectively acquired by the total server when the total server transmits the splitting task and receives the encryption calculation result;
according to the method provided by the embodiment, the first message, the attribute value and the encryption calculation result are obtained, and the encryption calculation result is decrypted through the key according to the key of the encryption calculation result by the first message and the attribute value. The following technical effects are realized:
the sub-server acquires a secret key according to the generation time, the random number and the characteristic information, wherein the secret key is a secret key only aiming at the calculation result, so that the privacy of other data in the sub-server is protected, and the privacy of the sub-server is improved;
the total server receives the first message and the attribute value twice, wherein the first message is a message encrypted by a random number, the characteristic value is a message encrypted by characteristic information, and the key is obtained by combining the generation time of the splitting task and decrypting the encrypted calculation result, so that the security of the key and the calculation result is improved.
The following describes the technical scheme of the present application and how the technical scheme of the present application solves the above technical problems in detail with specific embodiments. The following embodiments may be implemented independently or combined with each other, and the same or similar concepts or processes may not be described in detail in some embodiments.
Fig. 3 is a schematic flow chart of a data security control method according to an embodiment of the present application. As shown in fig. 3, the method includes:
s301, sending a splitting task and the generation time of the splitting task to a sub-server, and acquiring a first message sent by the sub-server, wherein the first message is information obtained by encrypting the random number by the sub-server according to a second public key/a second private key;
specifically, the first message may be sent after the sub-server performs the splitting task to obtain the calculation result. And obtaining the data size of the calculation result after obtaining the calculation result, and generating a random number.
Taking a total server and a certain sub-server as an example, the total server sends a splitting task and a generation time T0 of the splitting task to the sub-server, and sends a second public key, wherein the second public key has a corresponding second private key;
in response, the sub-server receives the split task, a generation time T0 of the split task, and the second public key; the sub-server executes the splitting task, obtains a calculation result Ri and a data size ni of the calculation result Ri, generates a random number xi, wherein 0< xi < ni, encrypts ni through a second public key to obtain a first message, and sends the first message to a total server; in response, the overall server obtains the first message.
S302, after a sub-server executes a splitting task to obtain a calculation result, acquiring an encryption calculation result and an attribute value sent by the sub-server;
specifically, the attribute value includes the data size and the completion time of the calculation result, and the encryption calculation result is obtained by encrypting the calculation result by the sub-server according to the secret key; the secret key is obtained by the sub-server according to the generation time, the random number, the data size and the completion time;
for example, when the sub-server obtains the calculation result Ri, the sub-server also obtains the completion time Ti of the calculation result Ri, where the value of Ti-T0 is the calculation time T, and takes the exclusive or operation result of the hash value of xi (Ti-T0)/ni and the hash value of the random number xi as the key for this cloud calculation task;
for the calculation result Ri, symmetrically encrypting by a key pair to obtain an encryption calculation result Ri;
encrypting the completion time Ti and the data size ni according to the first public key to obtain an attribute value; the first public key is sent by the total server, and the first private key corresponding to the first public key is also stored in the total server;
the sub-server sends the encryption calculation result ri and the attribute value to the total server;
in response, the total server acquires the encryption calculation result ri and the attribute value.
S303, acquiring a random number according to the first message, decrypting the attribute value, and acquiring the data size and the completion time; acquiring the calculation time of the splitting task according to the generation time and the completion time;
specifically, the first message is decrypted by the second private key/the second public key to obtain the random number.
Specifically, the attribute value comprises the data size and the completion time of the calculation result, the data size and the completion time are obtained by encrypting the data size and the completion time according to the first public key/the first private key by the sub-server, and the total server needs to decrypt the attribute value through the first private key/the first public key to obtain the data size and the completion time; the difference between the completion time and the generation time is the calculation time of the splitting task.
Illustratively, S303 includes the steps of:
decrypting the first message by adopting a second private key to obtain a random number xi;
decrypting the attribute value by adopting a first private key to obtain the completion time Ti and the data size ni;
taking the difference value between the completion time Ti and the generation time T0 as the calculation time T of the splitting task.
S304, obtaining a secret key according to the random number, the data size and the calculation time;
specifically, performing hash operation on the random number to obtain a first hash value; obtaining the product of the random number and the data size, and carrying out hash operation on the ratio of the product to the calculation time to obtain a second hash value; and performing exclusive OR operation on the first hash value and the second hash value to obtain a secret key.
Illustratively, the hash value of the random number xi is taken as the first hash value; taking the hash value of xi Ti/ni as a second hash value; and performing exclusive OR operation on the first hash value and the second hash value to obtain a secret key.
S305, decrypting the encryption calculation result through the secret key to obtain the calculation result.
Specifically, in this embodiment, the sub-server encrypts the calculation result according to the key in a symmetric encryption manner to obtain an encrypted calculation result, and correspondingly, the total server decrypts the encrypted calculation result according to the key in a symmetric decryption manner to obtain a calculation result.
S306, after the calculation result of each split task is obtained, summarizing each calculation result to obtain the calculation result of the complete task.
Specifically, after the total server obtains the calculation results of all the split tasks through the steps, summarizing all the calculation results to obtain the calculation results of the total task.
By adopting the method provided by the embodiment, the following technical effects can be realized:
the sub-server acquires a secret key according to the generation time, the random number and the characteristic information, wherein the secret key is a secret key only aiming at the calculation result, so that the privacy of other data in the sub-server is protected, and the privacy of the sub-server is improved;
the total server receives the first message and the attribute value twice, acquires the random number according to the first message, acquires the data size and the completion time according to the attribute value,
when a key is acquired, carrying out hash operation on the random number to acquire a first hash value; obtaining the product of the random number and the data size, and carrying out hash operation on the ratio of the product to the calculation time to obtain a second hash value; and performing exclusive or operation on the first hash value and the second hash value to obtain a secret key, and decrypting the encryption calculation result according to the secret key, thereby improving the safety.
FIG. 4 is a flowchart of a data security management and control method; as shown in fig. 4, the method of the present embodiment is used for a sub-server, and includes:
s401, receiving a splitting task and the generation time of the splitting task distributed by a total server, generating a random number, and sending a first message to the total server according to the random number;
specifically, the random number is used as a first message, or the random number is encrypted according to the second public key/the second private key to obtain the first message, and the first message is sent to the total server.
S402, executing a splitting task, acquiring a calculation result, the data size of the calculation result and the completion time when the calculation result is acquired;
specifically, the conventional operation of executing the splitting task to obtain the calculation result as the sub-server is not described herein, and the data size and the completion time when the calculation result is obtained are used for generating the key.
S403, obtaining a secret key according to the random number, the generation time, the completion time and the data size; encrypting the calculation result according to the secret key to obtain an encrypted calculation result;
specifically, performing hash operation on the random number to obtain a first hash value; acquiring the calculation time of the splitting task according to the generation time and the completion time; obtaining the product of the random number and the data size, and carrying out hash operation on the ratio of the product to the calculation time to obtain a second hash value; and performing exclusive OR operation on the first hash value and the second hash value to obtain a secret key.
S404, encrypting the completion time and the data size to obtain an attribute value; and sending the encryption calculation result and the attribute value to the total server.
Specifically, the calculation result is symmetrically encrypted by the secret key to obtain an encrypted calculation result. And encrypting the completion time and the data size according to the first public key/the first private key to obtain an attribute value.
The implementation principle and technical effects of the present embodiment are similar to those of the above embodiment, and the present embodiment is not repeated here.
The embodiment of the application can divide the functional modules of the electronic device or the main control device according to the method example, for example, each functional module can be divided corresponding to each function, and two or more functions can be integrated in one processing unit. The integrated units may be implemented in hardware or in software functional modules. It should be noted that, in the embodiment of the present application, the division of the modules is schematic, which is merely a logic function division, and other division manners may be implemented in actual implementation.
Fig. 5 is a schematic structural diagram of a data security management and control device according to an embodiment of the present application; the device is a total server device 50, the total server device 50 being one embodiment of a total server, the total server device 50 comprising:
the first obtaining module 501 is configured to send the splitting task and the generation time of the splitting task to the sub-server, obtain a first message sent by the sub-server, where the first message is a random number or encrypted information obtained by encrypting the random number;
the first processing module 502 is configured to obtain, after the sub-server performs the splitting task to obtain a calculation result, an encrypted calculation result and an attribute value sent by the sub-server, where the attribute value includes feature information of the calculation result, and the encrypted calculation result is obtained by encrypting, by the sub-server, the calculation result according to a secret key; the secret key is obtained by the sub-server according to the generation time, the random number and the characteristic information;
the second processing module 503 is configured to obtain a key according to the generation time, the first message, and the attribute value, and decrypt the encrypted calculation result according to the key to obtain a calculation result.
Further, the feature information comprises the data size of the calculation result and the completion time when the calculation result is obtained, and the attribute value is obtained by encrypting the feature information according to the first public key/the first private key by the sub-server; the second processing module 503 is specifically configured to:
decrypting the attribute value through the first private key/the first public key to obtain the data size and the completion time;
acquiring the calculation time of the splitting task according to the generation time and the completion time;
further, the second processing module 503 is specifically configured to:
obtaining a random number according to the first message, and carrying out hash operation on the random number to obtain a first hash value;
obtaining the product of the random number and the data size, and carrying out hash operation on the ratio of the product to the calculation time to obtain a second hash value;
and performing exclusive OR operation on the first hash value and the second hash value to obtain a secret key.
Further, the first message is information obtained by encrypting the random number by the sub-server according to the second public key/the second private key, and the second processing module 503 is specifically further configured to:
and decrypting the first message through the second private key/the second public key to obtain the random number.
Further, the encryption calculation result is obtained by the sub-server performing symmetric encryption on the calculation result through a secret key, and the second processing module 503 is specifically further configured to:
and symmetrically decrypting the encryption calculation result through the secret key to obtain the calculation result.
Further, the second processing module 503 is specifically configured to:
after each calculation result is obtained, after the calculation result of each split task is obtained, each calculation result is summarized to obtain the calculation result of the complete task.
The data security management and control device provided in this embodiment may perform the data security management and control method as shown in the embodiment of fig. 2 or fig. 3, and its implementation principle and technical effects are similar, which is not described herein again.
Fig. 6 is a schematic structural diagram II of a data security management and control device according to an embodiment of the present application; the device is a sub-server device 60, the sub-server device 60 is an embodiment of the sub-server described above, and the sub-server device 60 comprises:
a first sending module 601, configured to receive a splitting task and a splitting task generation time allocated by a total server, generate a random number, and send a first message to the total server according to the random number;
a second obtaining module 602, configured to perform a splitting task and obtain a calculation result, a data size of the calculation result, and a completion time when the calculation result is obtained;
a third processing module 603, configured to obtain a secret key according to the random number, the generation time, the completion time, and the data size; encrypting the calculation result according to the secret key to obtain an encrypted calculation result;
a second sending module 604, configured to encrypt the completion time and the data size to obtain an attribute value; and sending the encryption calculation result and the attribute value to the total server.
Further, the first sending module 601 is specifically configured to:
and taking the random number as a first message, or encrypting the random number according to the second public key/the second private key to obtain the first message, and sending the first message to the total server.
Further, the third processing module 603 is specifically configured to:
performing hash operation on the random number to obtain a first hash value; acquiring the calculation time of the splitting task according to the generation time and the completion time; obtaining the product of the random number and the data size, and carrying out hash operation on the ratio of the product to the calculation time to obtain a second hash value; and performing exclusive OR operation on the first hash value and the second hash value to obtain a secret key.
Further, the third processing module 603 is specifically configured to:
and symmetrically encrypting the calculation result through the secret key to obtain an encryption calculation result.
Further, the second sending module 604 is specifically configured to:
and encrypting the completion time and the data size according to the first public key/the first private key to obtain an attribute value.
The data security control device provided in this embodiment may perform the method as shown in the embodiment of fig. 4, and the data security control method has similar implementation principles and technical effects, which are not described herein.
The embodiment of the application also provides a data security management and control system, which comprises a total server and at least two sub-servers, wherein the total server executes a data security management and control method for the total server, and the sub-servers are used for executing a data security management and control method for the sub-servers.
The implementation principle and technical effect of this embodiment are similar to those of the above embodiment, and the description of this embodiment is omitted here.
In the specific implementation of the foregoing data security management and control method device and system, each module may be implemented as a processor, and the processor may execute computer-executable instructions stored in the memory, so that the processor executes the foregoing data security management and control method.
Fig. 7 is a schematic structural diagram of an electronic device according to an embodiment of the present application. As shown in fig. 7, the electronic device 70 includes: at least one processor 701 and a memory 702. The electronic device 70 further comprises communication means 703. Wherein the processor 701, the memory 702 and the communication means 703 are connected by a bus 704.
In a specific implementation, the at least one processor 701 executes computer-executable instructions stored in the memory 702, so that the at least one processor 701 executes the data security management method executed on the electronic device side as described above.
The specific implementation process of the processor 701 can be referred to the above method embodiment, and its implementation principle and technical effects are similar, and this embodiment will not be described herein again.
In the above embodiment, it should be understood that the processor may be a central processing unit (english: central Processing Unit, abbreviated as CPU), or may be other general purpose processors, digital signal processors (english: digital Signal Processor, abbreviated as DSP), application specific integrated circuits (english: application Specific Integrated Circuit, abbreviated as ASIC), or the like. A general purpose processor may be a microprocessor or the processor may be any conventional processor or the like. The steps of a method disclosed in connection with the present application may be embodied directly in a hardware processor for execution, or in a combination of hardware and software modules in a processor for execution.
The memory may comprise high speed RAM memory or may further comprise non-volatile storage NVM, such as at least one disk memory.
The bus may be an industry standard architecture (Industry Standard Architecture, ISA) bus, an external device interconnect (Peripheral Component, PCI) bus, or an extended industry standard architecture (Extended Industry Standard Architecture, EISA) bus, among others. The buses may be divided into address buses, data buses, control buses, etc. For ease of illustration, the buses in the drawings of the present application are not limited to only one bus or to one type of bus.
The scheme provided by the embodiment of the application is introduced aiming at the functions realized by the electronic equipment and the main control equipment. It will be appreciated that the electronic device or the master device, in order to implement the above-described functions, includes corresponding hardware structures and/or software modules that perform the respective functions. The present embodiments can be implemented in hardware or a combination of hardware and computer software in combination with the various exemplary elements and algorithm steps described in connection with the embodiments disclosed in the embodiments of the present application. Whether a function is implemented as hardware or computer software driven hardware depends upon the particular application and design constraints imposed on the solution. Those skilled in the art may implement the described functionality using different approaches for each particular application, but such implementation is not to be considered as beyond the scope of the embodiments of the present application.
The application also provides a computer readable storage medium, wherein the computer readable storage medium stores computer execution instructions, and when the processor executes the computer execution instructions, the data security management and control method is realized.
The computer readable storage medium described above may be implemented by any type of volatile or non-volatile memory device or combination thereof, such as Static Random Access Memory (SRAM), electrically erasable programmable read-only memory (EEPROM), erasable programmable read-only memory (EPROM), programmable read-only memory (PROM), read-only memory (ROM), magnetic memory, flash memory, magnetic disk, or optical disk. A readable storage medium can be any available medium that can be accessed by a general purpose or special purpose computer.
An exemplary readable storage medium is coupled to the processor such the processor can read information from, and write information to, the readable storage medium. In the alternative, the readable storage medium may be integral to the processor. The processor and the readable storage medium may reside in an application specific integrated circuit (Application Specific Integrated Circuits, ASIC for short). The processor and the readable storage medium may reside as discrete components in an electronic device or a master device.
The present application also provides a computer program product comprising: a computer program stored in a readable storage medium, from which at least one processor of an electronic device can read, the at least one processor executing the computer program causing the electronic device to perform the solution provided by any one of the embodiments described above.
Those of ordinary skill in the art will appreciate that: all or part of the steps for implementing the method embodiments described above may be performed by hardware associated with program instructions. The foregoing program may be stored in a computer readable storage medium. The program, when executed, performs steps including the method embodiments described above; and the aforementioned storage medium includes: various media that can store program code, such as ROM, RAM, magnetic or optical disks.
Finally, it should be noted that: the above embodiments are only for illustrating the technical solution of the present application, and not for limiting the same; although the application has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical scheme described in the foregoing embodiments can be modified or some or all of the technical features thereof can be replaced by equivalents; such modifications and substitutions do not depart from the spirit of the application.

Claims (15)

1. A method for data security management and control, for a total server, the method comprising:
sending the splitting task and the generation time of the splitting task to a sub-server, and acquiring a first message sent by the sub-server, wherein the first message is a random number or encryption information obtained by encrypting the random number;
after the sub-server executes the splitting task to obtain a calculation result, acquiring an encryption calculation result and an attribute value sent by the sub-server; the attribute value comprises characteristic information of a calculation result, and the encryption calculation result is obtained by encrypting the calculation result by a sub-server according to a secret key; the secret key is obtained by the sub-server according to the generation time, the random number and the characteristic information;
and obtaining the secret key according to the generation time, the first message and the attribute value, and decrypting the encryption calculation result according to the secret key to obtain the calculation result.
2. The method according to claim 1, wherein the feature information includes a data size of the calculation result and a completion time when the calculation result is obtained, and the attribute value is obtained by encrypting the feature information by the sub-server according to a first public key/a first private key; the obtaining the key according to the generation time, the first message and the attribute value includes:
decrypting the attribute value through the first private key/the first public key to obtain the data size and the completion time;
acquiring the calculation time of the splitting task according to the generation time and the completion time;
and acquiring the secret key according to the first message, the data size and the calculation time.
3. The method of claim 2, wherein the obtaining the key based on the first message, the data size, and the computation time comprises:
obtaining a random number according to the first message, and carrying out hash operation on the random number to obtain a first hash value;
obtaining the product of the random number and the data size, and carrying out hash operation on the ratio of the product to the calculation time to obtain a second hash value;
and performing exclusive OR operation on the first hash value and the second hash value to acquire the secret key.
4. A method according to claim 3, wherein the first message is information obtained by encrypting the random number by the sub-server according to a second public key/a second private key, and the obtaining the random number according to the first message includes:
and decrypting the first message through the second private key/the second public key to obtain the random number.
5. The method according to claim 1, wherein the encryption calculation result is obtained by symmetrically encrypting the calculation result by the sub-server through the key; the step of decrypting the encrypted calculation result according to the secret key to obtain the calculation result comprises the following steps:
and symmetrically decrypting the encryption calculation result through the secret key to obtain the calculation result.
6. The method of any one of claims 1-5, further comprising, after each of the computing results is obtained:
and after the calculation result of each split task is obtained, summarizing each calculation result to obtain the calculation result of the complete task.
7. A method for data security management and control, for a sub-server, the method comprising:
receiving a split task distributed by a total server and the generation time of the split task, generating a random number, and sending a first message to the total server according to the random number;
executing the splitting task, acquiring a calculation result, the data size of the calculation result and the completion time when the calculation result is acquired;
obtaining a secret key according to the random number, the generation time, the completion time and the data size; encrypting the calculation result according to a secret key to obtain an encryption calculation result;
encrypting the completion time and the data size to obtain an attribute value; and sending the encryption calculation result and the attribute value to a total server.
8. The method of claim 7, wherein said sending a first message to said overall server based on said random number, said based on said random number, comprises:
and taking the random number as the first message, or encrypting the random number according to a second public key/a second private key to obtain the first message, and sending the first message to the total server.
9. The method of claim 7, wherein the obtaining a key from the random number, the generation time, the completion time, and the data size comprises:
performing hash operation on the random number to obtain a first hash value;
acquiring the calculation time of the splitting task according to the generation time and the completion time; obtaining the product of the random number and the data size, and carrying out hash operation on the ratio of the product to the calculation time to obtain a second hash value;
and performing exclusive OR operation on the first hash value and the second hash value to acquire the secret key.
10. The method of claim 7, wherein encrypting the calculation result according to the key to obtain an encrypted calculation result comprises:
and symmetrically encrypting the calculation result through the secret key to obtain the encryption calculation result.
11. The method of claim 7, wherein encrypting the completion time, the data size to obtain an attribute value comprises:
and encrypting the completion time and the data size according to the first public key/the first private key to obtain the attribute value.
12. A data security management and control apparatus for a general server, the apparatus comprising:
the first acquisition module is used for transmitting the splitting task and the generation time of the splitting task to the sub-server, and acquiring a first message transmitted by the sub-server, wherein the first message is a random number or encryption information obtained by encrypting the random number;
the first processing module is used for acquiring an encryption calculation result and an attribute value sent by the sub-server after the sub-server executes the splitting task to obtain the calculation result, wherein the attribute value comprises characteristic information of the calculation result, and the encryption calculation result is obtained by the sub-server according to encryption of the calculation result by a secret key; the secret key is obtained by the sub-server according to the generation time, the random number and the characteristic information;
and the second processing module is used for acquiring the secret key according to the generation time, the first message and the attribute value, and decrypting the encryption calculation result according to the secret key to acquire the calculation result.
13. A data security management and control apparatus for a sub-server, the apparatus comprising:
the first sending module is used for receiving a splitting task distributed by the total server and the generation time of the splitting task, generating a random number and sending a first message to the total server according to the random number;
the second acquisition module is used for executing the splitting task, acquiring a calculation result, the data size of the calculation result and the completion time when the calculation result is acquired;
the third processing module is used for obtaining a secret key according to the random number, the generation time, the completion time and the data size; encrypting the calculation result according to a secret key to obtain an encryption calculation result;
the second sending module is used for encrypting the completion time and the data size to obtain an attribute value; and sending the encryption calculation result and the attribute value to a total server.
14. A data security management and control system comprising a total server performing the method of any one of claims 1 to 6 and at least two sub-servers for performing the method of any one of claims 7 to 11.
15. A computer readable storage medium having stored therein computer executable instructions which when executed by a processor are for implementing the method of any of claims 1 to 6 or for implementing the method of any of claims 7 to 11.
CN202310676168.3A 2023-06-07 2023-06-07 Data security management and control method, device, system and storage medium Pending CN116707783A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310676168.3A CN116707783A (en) 2023-06-07 2023-06-07 Data security management and control method, device, system and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202310676168.3A CN116707783A (en) 2023-06-07 2023-06-07 Data security management and control method, device, system and storage medium

Publications (1)

Publication Number Publication Date
CN116707783A true CN116707783A (en) 2023-09-05

Family

ID=87830768

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202310676168.3A Pending CN116707783A (en) 2023-06-07 2023-06-07 Data security management and control method, device, system and storage medium

Country Status (1)

Country Link
CN (1) CN116707783A (en)

Similar Documents

Publication Publication Date Title
CN107005574B (en) Block generation method and device and block chain network
CN111095256B (en) Securely executing smart contract operations in a trusted execution environment
EP3924852B1 (en) Fast oblivious transfers
US10122713B2 (en) Method and device for the secure authentication and execution of programs
CN110417726B (en) Key management method and related equipment
US11483161B2 (en) Method for information processing and non-transitory computer readable storage medium
US9792427B2 (en) Trusted execution within a distributed computing system
JP7454564B2 (en) Methods, user devices, management devices, storage media and computer program products for key management
TW202009776A (en) Secure multi-party computation method and apparatus, and electronic device
TW202013928A (en) Multi-party security computing method and apparatus, and electronic device
CN112926051B (en) Multi-party security computing method and device
CN111066019B (en) Processing data elements stored in a blockchain network
CN111245597A (en) Key management method, system and equipment
CN113329030A (en) Block chain all-in-one machine, password acceleration card thereof, and key management method and device
CN113051590A (en) Data processing method and related equipment
CN112948851A (en) User authentication method, device, server and storage medium
CN111404892B (en) Data supervision method and device and server
CN114154174A (en) State synchronization for post-quantum signature facilities
WO2020157756A1 (en) System and method for key recovery and verification in blockchain based networks
CN114143108A (en) Session encryption method, device, equipment and storage medium
JP6780771B2 (en) Verification information granting device, verification device, information management system, method and program
CN113569248A (en) Data processing method and computing device
CN113326518A (en) Data processing method and device
CN111368322B (en) File decryption method and device, electronic equipment and storage medium
CN116170157A (en) User password encryption and decryption method and device based on national encryption algorithm

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination