CN117077185B - Data storage and protection method, system and medium based on HMAC and secret sharing - Google Patents

Data storage and protection method, system and medium based on HMAC and secret sharing Download PDF

Info

Publication number
CN117077185B
CN117077185B CN202311345434.0A CN202311345434A CN117077185B CN 117077185 B CN117077185 B CN 117077185B CN 202311345434 A CN202311345434 A CN 202311345434A CN 117077185 B CN117077185 B CN 117077185B
Authority
CN
China
Prior art keywords
data
sub
server
character string
preset
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202311345434.0A
Other languages
Chinese (zh)
Other versions
CN117077185A (en
Inventor
杨超
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Basebit Shanghai Information Technology Co ltd
Wing Fang Jianshu Beijing Information Technology Co ltd
Original Assignee
Basebit Shanghai Information Technology Co ltd
Wing Fang Jianshu Beijing Information Technology Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Basebit Shanghai Information Technology Co ltd, Wing Fang Jianshu Beijing Information Technology Co ltd filed Critical Basebit Shanghai Information Technology Co ltd
Priority to CN202311345434.0A priority Critical patent/CN117077185B/en
Publication of CN117077185A publication Critical patent/CN117077185A/en
Application granted granted Critical
Publication of CN117077185B publication Critical patent/CN117077185B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/602Providing cryptographic facilities or services
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/62Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • G06F21/6227Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database where protection concerns the structure of data, e.g. records, types, queries
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/085Secret sharing or secret splitting, e.g. threshold schemes

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Computer Hardware Design (AREA)
  • General Health & Medical Sciences (AREA)
  • Health & Medical Sciences (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Bioethics (AREA)
  • Databases & Information Systems (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Storage Device Security (AREA)

Abstract

The application provides a data storage and protection method, system and medium based on HMAC and secret sharing. The method comprises the following steps: the method comprises the steps that a client sends a request storage instruction, a server returns a random character string to the client to encrypt privacy data, the random character string is transmitted to the server to be segmented, segmented sub-data are stored in n different databases to be regularly distinguished, a corresponding sub-data encryption mode is determined according to a rule distinguishing result, when the client sends a query request, the server extracts encrypted sub-data from k databases to be decrypted respectively, all k decrypted sub-data are processed to obtain first decrypted sub-data, and the privacy data can be obtained after decryption. The encryption data is divided and then stored in different databases, and the secondary encryption mode is selected according to the regularity judgment of the divided data, so that double encryption protection is realized, and the reliability and the safety of the privacy data storage are improved.

Description

Data storage and protection method, system and medium based on HMAC and secret sharing
Technical Field
The application relates to the technical field of big data and data encryption, in particular to a data storage and protection method, system and medium based on HMAC and secret sharing.
Background
In real life, a lot of important and private data exist, the data have strong privacy, a user is usually required to store the data by himself, a plurality of storage modes are usually needed, the personal storage mode is adopted, the private data are usually stored in a local notepad or a network disk, the local notepad storage mode is simple, but the efficiency is low, the user can not take the data at any time, the network disk storage safety is low, if clear text storage is used, the data are easy to leak, and if encrypted storage is used, the convenience is reduced; and secondly, a third party provides storage services, such as a Chrome browser password recording service, and the like, and the service provider is convenient to use, but has certain security problems, namely plaintext is usually given to the service provider, and then the service provider is used for encryption storage, which requires a certain trust on the service provider, and if the database of the service provider is attacked, the user data is easy to leak, and in the normal case, the service provider always adopts a data backup mode to ensure the availability of the data, but the data backup is full backup, so that the risk of being attacked is increased.
In view of the above problems, an effective technical solution is currently needed.
Disclosure of Invention
The method comprises the steps that a client sends a storage request, a server returns a random character string to the client to encrypt private data, the encrypted private data is transmitted to the server to be segmented, the segmented sub-data is stored in n different databases to be regularly identified, a corresponding sub-data encryption mode is determined according to a regular identification result, when the client sends a query request, the server extracts encrypted sub-data from the k databases to be decrypted respectively, then all the k decrypted sub-data are processed to obtain first decrypted sub-data, and the private data can be obtained after decryption. According to the method and the device, the encrypted data are divided and then stored in different databases, and the secondary encryption mode is selected according to the discriminant judgment of the divided data, so that double encryption protection is realized, the reliability and the safety of the private data storage are improved, and even if the private data are leaked, the data cannot be stolen as long as the number of the leaked databases is less than k, so that the method and the device have higher safety.
The application also provides a data storage and protection method based on sharing of HMAC and secrets, which comprises the following steps:
acquiring privacy data of a client;
the client sends a storage request to the server, the server returns a random character string to the client and records the random character string, and the client encrypts the privacy data according to the random character string to generate first encrypted data and transmits the first encrypted data to the server;
the server side segments the first encrypted data and stores the segmented sub data into n different databases;
the server side respectively carries out regularity discrimination on the sub-data stored in n databases to obtain regularity discrimination indexes, carries out threshold comparison on the regularity discrimination indexes and a preset regularity discrimination index threshold, selects a corresponding encryption mode according to a threshold comparison result to respectively encrypt the sub-data, and generates corresponding encrypted sub-data;
the client sends a query request to the server, and the server extracts the encrypted sub-data from k databases to decrypt respectively to obtain corresponding decrypted sub-data;
The server side calculates all k decryption sub-data to obtain first decryption sub-data;
and the server decrypts the first decryption sub-data according to the random character string to obtain the privacy data.
Optionally, in the data storage and protection method based on HMAC and secret sharing described in the present application, the client sends a storage request to the server, the server returns a random string to the client, and records the random string, and the client encrypts the private data according to the random string to generate first encrypted data, and transmits the first encrypted data to the server, including:
the client sends a storage request to a server;
the server returns a random character string to the client and records the random character string;
the client inputs the request storage instruction and the random character string into a preset encryption model for analysis and processing to obtain first encrypted data;
and the client transmits the first encrypted data to the server.
Optionally, in the data storage and protection method based on HMAC and secret sharing described in the present application, the server side segments the first encrypted data and stores the segmented sub-data into n different databases, including:
The server side performs segmentation processing on the first encrypted data to obtain sub-data;
the program processing formula of the sub data is as follows:
wherein i=1,..n,for the ith sub-data +.>For n mutually different preset non-zero elements,for a preset characteristic coefficient, h is a preset prime number, mod is a preset modulo operation identifier;
the server side stores the sub data into n different databases respectively.
Optionally, in the data storage and protection method based on HMAC and secret sharing described in the present application, the server side performs regular discrimination on the sub-data stored in the n databases, respectively, to obtain a regular discrimination index, performs threshold comparison on the regular discrimination index and a preset regular discrimination index threshold, selects a corresponding encryption mode according to a threshold comparison result, and encrypts the sub-data respectively, to generate corresponding encrypted sub-data, including:
acquiring a preset public key and a preset private key;
the server side inputs the sub-data stored in n databases into a preset regularity distinguishing model for identification to obtain regularity distinguishing indexes;
comparing the regularity distinguishing index with a preset regularity distinguishing index threshold value;
If the threshold comparison result meets the preset requirement, encrypting the sub-data by adopting a preset public key to generate public key encrypted sub-data;
if the threshold comparison result does not meet the preset requirement, acquiring attribute information of the client and sending the attribute information to the server;
inputting the attribute information into a preset key generation model for analysis processing to obtain a key character string, and encrypting the sub-data according to the key character string to generate character string encryption sub-data.
Optionally, in the data storage and protection method based on HMAC and secret sharing described in the present application, the client sends a query request to the server, and the server extracts the encrypted sub-data from the k databases to decrypt the encrypted sub-data respectively, so as to obtain corresponding decrypted sub-data, including:
the client sends a query request to the server;
the server side extracts the public key encryption sub-data or the character string encryption sub-data from k databases respectively;
decrypting the public key encryption sub-data according to the preset private key to obtain private key decryption sub-data;
and decrypting the character string encryption sub-data according to the key character string to obtain character string decryption sub-data.
Optionally, in the data storage and protection method based on HMAC and secret sharing described in the present application, the calculating, by the server side, all k decryption sub-data to obtain the first decryption sub-data includes:
the server side calculates all k decryption sub-data to obtain first decryption sub-data;
the calculation formula of the first decryption sub-data is as follows:
wherein,for the first decryption sub-data +.>Decryption sub data for ith +.>、/>Is a preset characteristic coefficient.
Optionally, in the data storage and protection method based on HMAC and secret sharing described in the present application, the decrypting, by the server side, the first decrypted sub-data according to the random string to obtain the private data includes:
and the server inputs the random character string into a preset decryption model for analysis and processing to obtain the privacy data.
In a second aspect, the present application provides a data storage and protection system based on HMAC sharing with secrets, the system comprising: the memory comprises a program based on the data storage and protection method shared by the HMAC and the secret, and the program based on the data storage and protection method shared by the HMAC and the secret realizes the following steps when being executed by the processor:
Acquiring privacy data of a client;
the client sends a storage request to the server, the server returns a random character string to the client and records the random character string, and the client encrypts the privacy data according to the random character string to generate first encrypted data and transmits the first encrypted data to the server;
the server side segments the first encrypted data and stores the segmented sub data into n different databases;
the server side respectively carries out regularity discrimination on the sub-data stored in n databases to obtain regularity discrimination indexes, carries out threshold comparison on the regularity discrimination indexes and a preset regularity discrimination index threshold, selects a corresponding encryption mode according to a threshold comparison result to respectively encrypt the sub-data, and generates corresponding encrypted sub-data;
the client sends a query request to the server, and the server extracts the encrypted sub-data from k databases to decrypt respectively to obtain corresponding decrypted sub-data;
the server side calculates all k decryption sub-data to obtain first decryption sub-data;
And the server decrypts the first decryption sub-data according to the random character string to obtain the privacy data.
In a third aspect, the present application further provides a computer readable storage medium, where the computer readable storage medium includes a data storage and protection method program based on HMAC and secret sharing, where the data storage and protection method program based on HMAC and secret sharing is executed by a processor, to implement the steps of the data storage and protection method based on HMAC and secret sharing as described in any one of the above.
As can be seen from the foregoing, according to the data storage and protection method, system and medium based on HMAC and secret sharing provided in the embodiments of the present application, a client sends a storage request command, a server returns a random string to the client to encrypt private data, the encrypted private data is transmitted to the server to be divided, the divided sub-data is stored in n different databases to perform regular recognition, a corresponding sub-data encryption mode is determined according to a regular recognition result, when the client sends a query request, the server extracts encrypted sub-data from k databases to decrypt respectively, and then processes all k decrypted sub-data to obtain first decrypted sub-data, and then the private data can be obtained after decryption. According to the method and the device, the encrypted data are divided and then stored in different databases, and the secondary encryption mode is selected according to the discriminant judgment of the divided data, so that double encryption protection is realized, the reliability and the safety of the private data storage are improved, and even if the private data are leaked, the data cannot be stolen as long as the number of the leaked databases is less than k, so that the method and the device have higher safety.
Additional features and advantages of the application will be set forth in the description which follows, and in part will be apparent from the description, or may be learned by practice of the embodiments of the application. The objectives and other advantages of the application will be realized and attained by the structure particularly pointed out in the written description and claims thereof as well as the appended drawings.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings that are needed in the embodiments of the present application will be briefly described below, it should be understood that the following drawings only illustrate some embodiments of the present application and should not be considered as limiting the scope, and other related drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
FIG. 1 is a flowchart of a method for storing and protecting data based on sharing of HMAC and secrets according to an embodiment of the present application;
FIG. 2 is a flowchart of generating first encrypted data according to a method for storing and protecting data based on sharing of HMAC and secrets according to an embodiment of the present application;
FIG. 3 is a flowchart of a method for storing and protecting data based on sharing of HMAC and secret according to an embodiment of the present application;
Fig. 4 is a schematic structural diagram of a data storage and protection system based on HMAC and secret sharing according to an embodiment of the present application.
Detailed Description
The following description of the embodiments of the present application will be made clearly and completely with reference to the drawings in the embodiments of the present application, and it is apparent that the described embodiments are only some embodiments of the present application, not all embodiments. The components of the embodiments of the present application, which are generally described and illustrated in the figures herein, may be arranged and designed in a wide variety of different configurations. Thus, the following detailed description of the embodiments of the present application, as provided in the accompanying drawings, is not intended to limit the scope of the application, as claimed, but is merely representative of selected embodiments of the application. All other embodiments, which can be made by those skilled in the art based on the embodiments of the present application without making any inventive effort, are intended to be within the scope of the present application.
It should be noted that like reference numerals and letters refer to like items in the following figures, and thus once an item is defined in one figure, no further definition or explanation thereof is necessary in the following figures. Meanwhile, in the description of the present application, the terms "first", "second", and the like are used only to distinguish the description, and are not to be construed as indicating or implying relative importance.
Referring to fig. 1, fig. 1 is a flowchart of a method for storing and protecting data based on HMAC and secret sharing in some embodiments of the present application. The data storage and protection method based on the HMAC and secret sharing is used in terminal equipment, such as computers, mobile phone terminals and the like. The data storage and protection method based on HMAC and secret sharing comprises the following steps:
s101, acquiring privacy data of a client;
s102, the client sends a storage request to a server, the server returns a random character string to the client and records the random character string, and the client encrypts the privacy data according to the random character string to generate first encrypted data and transmits the first encrypted data to the server;
s103, the server side segments the first encrypted data and stores the segmented sub data into n different databases;
s104, the server terminal respectively carries out regularity discrimination on the sub-data stored in n databases to obtain regularity discrimination indexes, carries out threshold comparison on the regularity discrimination indexes and a preset regularity discrimination index threshold, selects a corresponding encryption mode according to a threshold comparison result to respectively encrypt the sub-data, and generates corresponding encrypted sub-data;
S105, the client sends a query request to the server, and the server extracts the encrypted sub-data from the k databases and decrypts the encrypted sub-data respectively to obtain corresponding decrypted sub-data;
s106, the server side calculates all k decryption sub-data to obtain first decryption sub-data;
s107, the server decrypts the first decryption sub-data according to the random character string to obtain the privacy data.
In order to realize dual encryption protection of private data and improve reliability and security of data storage, firstly, a client sends a request storage instruction, a server returns a random character string to the client to encrypt the private data, the security of a transmission process can be increased by adopting a data transmission mode of encryption transmission, after receiving the encrypted data, the server performs segmentation processing, the segmented sub-data are stored in n different databases, the data are stored separately to be beneficial to reducing the risk of data leakage, then the server performs regular recognition on the segmented data, determines a corresponding sub-data encryption mode according to a regular recognition result, if the regularity exists, the data leakage risk is relatively large, encryption and decryption are performed by adopting a public key and a private key, if the regularity does not exist, the leakage risk is relatively small, the encryption and decryption are all performed by adopting the same key, when the client sends a query request, the server extracts the encrypted sub-data from k databases, and decrypts the k decrypted sub-data respectively, and obtains first decrypted sub-data after processing, and decrypts the first decrypted sub-data.
Referring to fig. 2, fig. 2 is a flowchart of generating first encrypted data according to a data storage and protection method based on HMAC and secret sharing in some embodiments of the present application. According to the embodiment of the invention, the client sends a storage request to the server, the server returns a random character string to the client and records the random character string, and the client encrypts the privacy data according to the random character string to generate first encrypted data and transmits the first encrypted data to the server, specifically:
s201, the client sends a storage request to a server;
s202, the server returns a random character string to the client and records the random character string;
s203, the client inputs the request storage instruction and the random character string into a preset encryption model for analysis and processing to obtain first encryption data;
s204, the client transmits the first encrypted data to the server.
It should be noted that, in order to increase the security of the data transmission process and better protect the data, firstly, the client sends a request storage instruction to the server, the server returns a random string to the client, records the random string, inputs the request storage instruction and the random string into a preset encryption model to perform analysis processing, obtains first encrypted data, and transmits the first encrypted data to the server, where the preset encryption model is a model obtained by obtaining a large number of storage instructions of historical samples, performing random strings, and training the first encrypted data, and can obtain the first encrypted data corresponding to the output by inputting relevant information to perform processing.
Referring to fig. 3, fig. 3 is a flowchart of a method for storing and protecting data based on HMAC and secret sharing in some embodiments of the present application. According to the embodiment of the invention, the server side segments the first encrypted data and stores the segmented sub-data into n different databases, specifically:
s301, the server side performs segmentation processing on the first encrypted data to obtain sub-data;
the program processing formula of the sub data is as follows:
wherein i=1,..n,for the ith sub-data +.>For n mutually different preset non-zero elements,for a preset characteristic coefficient, h is a preset prime number, mod is a preset modulo operation identifier;
s302, the server side stores the sub data into n different databases respectively.
It should be noted that, in order to prevent the occurrence of data leakage caused by an attack on one database, the server side performs segmentation processing on the first encrypted data and stores the first encrypted data in n different databases, so as to enhance the capability of resisting the risk of data leakage.
According to the embodiment of the invention, the server side respectively performs regularity discrimination on the sub-data stored in n databases to obtain a regularity discrimination index, performs threshold comparison on the regularity discrimination index and a preset regularity discrimination index threshold, selects a corresponding encryption mode according to a threshold comparison result to respectively encrypt the sub-data, and generates corresponding encrypted sub-data, which is specifically as follows:
Acquiring a preset public key and a preset private key;
the server side inputs the sub-data stored in n databases into a preset regularity distinguishing model for identification to obtain regularity distinguishing indexes;
comparing the regularity distinguishing index with a preset regularity distinguishing index threshold value;
if the threshold comparison result meets the preset requirement, encrypting the sub-data by adopting a preset public key to generate public key encrypted sub-data;
if the threshold comparison result does not meet the preset requirement, acquiring attribute information of the client and sending the attribute information to the server;
inputting the attribute information into a preset key generation model for analysis processing to obtain a key character string, and encrypting the sub-data according to the key character string to generate character string encryption sub-data.
It should be noted that, by determining whether the sub data stored in a split manner has regularity and then selecting a secondary encryption manner, firstly obtaining a preset public key and a preset private key, the server side respectively inputs the sub data stored in n databases into a preset regularity discrimination model to identify, so as to obtain a regularity discrimination index, the regularity discrimination model is a model obtained by training the sub data and the regularity discrimination index of a large number of history samples, the regularity discrimination index corresponding to the output can be obtained by inputting related information to process, then the regularity discrimination index is compared with a preset regularity discrimination index threshold, if the threshold comparison result meets the preset requirement, the regularity of the sub data is indicated, the safety coefficient of the data is relatively low, in order to improve the security of the data, the encryption and decryption adopt different keys respectively, the sub data are encrypted by adopting a preset public key to generate public key encryption sub data, if a threshold comparison result does not meet the preset requirement, the sub data are free from regularity, the safety coefficient of the data is relatively high, in order to reduce the calculation amount, the same key can be adopted for encryption and decryption, firstly, the attribute information of a client side is acquired and sent to a server side, the attribute information is input into a preset key generation model for analysis processing, a key character string is obtained, then the sub data are encrypted according to the key character string to generate character string encryption sub data, and the preset key generation model is a model obtained by acquiring the attribute information of a large number of historical samples and training the key character string, and can be processed by inputting related information to obtain a corresponding output key character string.
According to the embodiment of the invention, the client sends a query request to the server, and the server extracts the encrypted sub-data from the k databases to decrypt respectively to obtain corresponding decrypted sub-data, which specifically comprises:
the client sends a query request to the server;
the server side extracts the public key encryption sub-data or the character string encryption sub-data from k databases respectively;
decrypting the public key encryption sub-data according to the preset private key to obtain private key decryption sub-data;
and decrypting the character string encryption sub-data according to the key character string to obtain character string decryption sub-data.
When the client sends a query request to the server, the server only needs to extract the public key encryption sub-data or the character string encryption sub-data from the k databases respectively, the total sum of the number of the extracted public key encryption sub-data and the number of the character string encryption sub-data is k, then the public key encryption sub-data is decrypted according to a preset private key to obtain private key decryption sub-data, and the character string encryption sub-data is decrypted according to the key character string to obtain character string decryption sub-data.
According to the embodiment of the invention, the server side calculates all k decryption sub-data to obtain the first decryption sub-data, specifically:
the server side calculates all k decryption sub-data to obtain first decryption sub-data;
the calculation formula of the first decryption sub-data is as follows:
wherein,for the first decryption sub-data +.>Decryption sub data for ith +.>、/>Is a preset characteristic coefficient.
After obtaining the decrypted sub-data, k decrypted sub-data are randomly selected from the n databases to be calculated, so as to obtain the first decrypted sub-data, and even if the condition of privacy data leakage occurs, the true data cannot be obtained as long as the number of leaked sub-data is less than k.
According to the embodiment of the present invention, the server decrypts the first decryption sub-data according to the random string to obtain the private data, including:
and the server inputs the random character string into a preset decryption model for analysis and processing to obtain the privacy data.
It should be noted that, the server inputs the random character string into a preset decryption model for analysis and processing, and the decryption model is a model obtained by training the random character string and the privacy data which acquire a large number of historical samples, and the corresponding output privacy data can be obtained by inputting related information for processing.
As shown in fig. 4, the invention further discloses a data storage and protection system 4 based on HMAC and secret sharing, which comprises a memory 41 and a processor 42, wherein the memory comprises a data storage and protection method program based on HMAC and secret sharing, and the data storage and protection method program based on HMAC and secret sharing is executed by the processor to implement the following steps:
acquiring privacy data of a client;
the client sends a storage request to the server, the server returns a random character string to the client and records the random character string, and the client encrypts the privacy data according to the random character string to generate first encrypted data and transmits the first encrypted data to the server;
the server side segments the first encrypted data and stores the segmented sub data into n different databases;
the server side respectively carries out regularity discrimination on the sub-data stored in n databases to obtain regularity discrimination indexes, carries out threshold comparison on the regularity discrimination indexes and a preset regularity discrimination index threshold, selects a corresponding encryption mode according to a threshold comparison result to respectively encrypt the sub-data, and generates corresponding encrypted sub-data;
The client sends a query request to the server, and the server extracts the encrypted sub-data from k databases to decrypt respectively to obtain corresponding decrypted sub-data;
the server side calculates all k decryption sub-data to obtain first decryption sub-data;
and the server decrypts the first decryption sub-data according to the random character string to obtain the privacy data.
In order to realize dual encryption protection of private data and improve reliability and security of data storage, firstly, a client sends a request storage instruction, a server returns a random character string to the client to encrypt the private data, the security of a transmission process can be increased by adopting a data transmission mode of encryption transmission, after receiving the encrypted data, the server performs segmentation processing, the segmented sub-data are stored in n different databases, the data are stored separately to be beneficial to reducing the risk of data leakage, then the server performs regular recognition on the segmented data, determines a corresponding sub-data encryption mode according to a regular recognition result, if the regularity exists, the data leakage risk is relatively large, encryption and decryption are performed by adopting a public key and a private key, if the regularity does not exist, the leakage risk is relatively small, the encryption and decryption are all performed by adopting the same key, when the client sends a query request, the server extracts the encrypted sub-data from k databases, and decrypts the k decrypted sub-data respectively, and obtains first decrypted sub-data after processing, and decrypts the first decrypted sub-data.
According to the embodiment of the invention, the client sends a storage request to the server, the server returns a random character string to the client and records the random character string, and the client encrypts the privacy data according to the random character string to generate first encrypted data and transmits the first encrypted data to the server, specifically:
the client sends a storage request to a server;
the server returns a random character string to the client and records the random character string;
the client inputs the request storage instruction and the random character string into a preset encryption model for analysis and processing to obtain first encrypted data;
and the client transmits the first encrypted data to the server.
It should be noted that, in order to increase the security of the data transmission process and better protect the data, firstly, the client sends a request storage instruction to the server, the server returns a random string to the client, records the random string, inputs the request storage instruction and the random string into a preset encryption model to perform analysis processing, obtains first encrypted data, and transmits the first encrypted data to the server, where the preset encryption model is a model obtained by obtaining a large number of storage instructions of historical samples, performing random strings, and training the first encrypted data, and can obtain the first encrypted data corresponding to the output by inputting relevant information to perform processing.
According to the embodiment of the invention, the server side segments the first encrypted data and stores the segmented sub-data into n different databases, specifically:
the server side performs segmentation processing on the first encrypted data to obtain sub-data;
the program processing formula of the sub data is as follows:
wherein i=1,..n,for the ith sub-data +.>For n mutually different preset non-zero elements,for a preset characteristic coefficient, h is a preset prime number, mod is a preset modulo operation identifier;
the server side stores the sub data into n different databases respectively.
It should be noted that, in order to prevent the occurrence of data leakage caused by an attack on one database, the server side performs segmentation processing on the first encrypted data and stores the first encrypted data in n different databases, so as to enhance the capability of resisting the risk of data leakage.
According to the embodiment of the invention, the server side respectively performs regularity discrimination on the sub-data stored in n databases to obtain a regularity discrimination index, performs threshold comparison on the regularity discrimination index and a preset regularity discrimination index threshold, selects a corresponding encryption mode according to a threshold comparison result to respectively encrypt the sub-data, and generates corresponding encrypted sub-data, which is specifically as follows:
Acquiring a preset public key and a preset private key;
the server side inputs the sub-data stored in n databases into a preset regularity distinguishing model for identification to obtain regularity distinguishing indexes;
comparing the regularity distinguishing index with a preset regularity distinguishing index threshold value;
if the threshold comparison result meets the preset requirement, encrypting the sub-data by adopting a preset public key to generate public key encrypted sub-data;
if the threshold comparison result does not meet the preset requirement, acquiring attribute information of the client and sending the attribute information to the server;
inputting the attribute information into a preset key generation model for analysis processing to obtain a key character string, and encrypting the sub-data according to the key character string to generate character string encryption sub-data.
It should be noted that, by determining whether the sub data stored in a split manner has regularity and then selecting a secondary encryption manner, firstly obtaining a preset public key and a preset private key, the server side respectively inputs the sub data stored in n databases into a preset regularity discrimination model to identify, so as to obtain a regularity discrimination index, the regularity discrimination model is a model obtained by training the sub data and the regularity discrimination index of a large number of history samples, the regularity discrimination index corresponding to the output can be obtained by inputting related information to process, then the regularity discrimination index is compared with a preset regularity discrimination index threshold, if the threshold comparison result meets the preset requirement, the regularity of the sub data is indicated, the safety coefficient of the data is relatively low, in order to improve the security of the data, the encryption and decryption adopt different keys respectively, the sub data are encrypted by adopting a preset public key to generate public key encryption sub data, if a threshold comparison result does not meet the preset requirement, the sub data are free from regularity, the safety coefficient of the data is relatively high, in order to reduce the calculation amount, the same key can be adopted for encryption and decryption, firstly, the attribute information of a client side is acquired and sent to a server side, the attribute information is input into a preset key generation model for analysis processing, a key character string is obtained, then the sub data are encrypted according to the key character string to generate character string encryption sub data, and the preset key generation model is a model obtained by acquiring the attribute information of a large number of historical samples and training the key character string, and can be processed by inputting related information to obtain a corresponding output key character string.
According to the embodiment of the invention, the client sends a query request to the server, and the server extracts the encrypted sub-data from the k databases to decrypt respectively to obtain corresponding decrypted sub-data, which specifically comprises:
the client sends a query request to the server;
the server side extracts the public key encryption sub-data or the character string encryption sub-data from k databases respectively;
decrypting the public key encryption sub-data according to the preset private key to obtain private key decryption sub-data;
and decrypting the character string encryption sub-data according to the key character string to obtain character string decryption sub-data.
When the client sends a query request to the server, the server only needs to extract the public key encryption sub-data or the character string encryption sub-data from the k databases respectively, the total sum of the number of the extracted public key encryption sub-data and the number of the character string encryption sub-data is k, then the public key encryption sub-data is decrypted according to a preset private key to obtain private key decryption sub-data, and the character string encryption sub-data is decrypted according to the key character string to obtain character string decryption sub-data.
According to the embodiment of the invention, the server side calculates all k decryption sub-data to obtain the first decryption sub-data, specifically:
the server side calculates all k decryption sub-data to obtain first decryption sub-data;
the calculation formula of the first decryption sub-data is as follows:
wherein,for the first decryption sub-data +.>Decryption sub data for ith +.>、/>Is a preset characteristic coefficient.
After obtaining the decrypted sub-data, k decrypted sub-data are randomly selected from the n databases to be calculated, so as to obtain the first decrypted sub-data, and even if the condition of privacy data leakage occurs, the true data cannot be obtained as long as the number of leaked sub-data is less than k.
According to the embodiment of the present invention, the server decrypts the first decryption sub-data according to the random string to obtain the private data, including:
and the server inputs the random character string into a preset decryption model for analysis and processing to obtain the privacy data.
It should be noted that, the server inputs the random character string into a preset decryption model for analysis and processing, and the decryption model is a model obtained by training the random character string and the privacy data which acquire a large number of historical samples, and the corresponding output privacy data can be obtained by inputting related information for processing.
A third aspect of the present invention provides a readable storage medium, where the readable storage medium includes a data storage and protection method program based on HMAC and secret sharing, where the data storage and protection method program based on HMAC and secret sharing is executed by a processor, to implement the steps of the data storage and protection method based on HMAC and secret sharing as described in any one of the above.
The invention discloses a data storage and protection method, a system and a medium based on HMAC and secret sharing, which are characterized in that a client firstly sends a request storage instruction, a server returns a random character string to the client to encrypt private data, the encrypted private data is transmitted to the server to be segmented, the segmented sub-data is stored in n different databases to be regularly identified, a corresponding sub-data encryption mode is determined according to a regular identification result, when the client sends a query request, the server extracts encrypted sub-data from k databases to be decrypted respectively, then all k decrypted sub-data are processed to obtain first decrypted sub-data, and the private data can be obtained after decryption. According to the method and the device, the encrypted data are divided and then stored in different databases, and the secondary encryption mode is selected according to the discriminant judgment of the divided data, so that double encryption protection is realized, the reliability and the safety of the private data storage are improved, and even if the private data are leaked, the data cannot be stolen as long as the number of the leaked databases is less than k, so that the method and the device have higher safety.
In the several embodiments provided in this application, it should be understood that the disclosed apparatus and method may be implemented in other ways. The above described device embodiments are only illustrative, e.g. the division of the units is only one logical function division, and there may be other divisions in practice, such as: multiple units or components may be combined or may be integrated into another system, or some features may be omitted, or not performed. In addition, the various components shown or discussed may be coupled or directly coupled or communicatively coupled to each other via some interface, whether indirectly coupled or communicatively coupled to devices or units, whether electrically, mechanically, or otherwise.
The units described above as separate components may or may not be physically separate, and components shown as units may or may not be physical units; can be located in one place or distributed to a plurality of network units; some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, each functional unit in each embodiment of the present invention may be integrated in one processing unit, or each unit may be separately used as one unit, or two or more units may be integrated in one unit; the integrated units may be implemented in hardware or in hardware plus software functional units.
Those of ordinary skill in the art will appreciate that: all or part of the steps for implementing the above method embodiments may be implemented by hardware related to program instructions, and the foregoing program may be stored in a readable storage medium, where the program, when executed, performs steps including the above method embodiments; and the aforementioned storage medium includes: a mobile storage device, a Read-Only Memory (ROM), a random access Memory (RAM, random Access Memory), a magnetic disk or an optical disk, or the like, which can store program codes.
Alternatively, the above-described integrated units of the present invention may be stored in a readable storage medium if implemented in the form of software functional modules and sold or used as separate products. Based on such understanding, the technical solution of the embodiments of the present invention may be embodied in essence or a part contributing to the prior art in the form of a software product stored in a storage medium, including several instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) to execute all or part of the methods described in the embodiments of the present invention. And the aforementioned storage medium includes: a removable storage device, ROM, RAM, magnetic or optical disk, or other medium capable of storing program code.

Claims (10)

1. The data storage and protection method based on the sharing of the HMAC and the secret is characterized by comprising the following steps:
acquiring privacy data of a client;
the client sends a storage request to the server, the server returns a random character string to the client and records the random character string, and the client encrypts the privacy data according to the random character string to generate first encrypted data and transmits the first encrypted data to the server;
the server side segments the first encrypted data and stores the segmented sub data into n different databases;
the server side respectively carries out regularity discrimination on the sub-data stored in n databases to obtain regularity discrimination indexes, carries out threshold comparison on the regularity discrimination indexes and a preset regularity discrimination index threshold, selects a corresponding encryption mode according to a threshold comparison result to respectively encrypt the sub-data, and generates corresponding encrypted sub-data;
the client sends a query request to the server, and the server extracts the encrypted sub-data from k databases to decrypt respectively to obtain corresponding decrypted sub-data;
The server side calculates all k decryption sub-data to obtain first decryption sub-data;
and the server decrypts the first decryption sub-data according to the random character string to obtain the privacy data.
2. The HMAC and secret sharing-based data storage and protection method of claim 1, wherein the client sends a storage request to the server, the server returns a random string to the client and records the random string, the client encrypts the private data according to the random string to generate first encrypted data, and transmits the first encrypted data to the server, and the method comprises the steps of:
the client sends a storage request to a server;
the server returns a random character string to the client and records the random character string;
the client inputs a request storage instruction and the random character string into a preset encryption model for analysis and processing to obtain first encrypted data;
and the client transmits the first encrypted data to the server.
3. The HMAC and secret sharing-based data storage and protection method of claim 2, wherein the server-side segments the first encrypted data and stores the segmented sub-data into n different databases, including:
The server side performs segmentation processing on the first encrypted data to obtain sub-data;
the program processing formula of the sub data is as follows:
wherein i=1,..n,for the ith sub-data +.>For n mutually different preset non-zero elements, ">For a preset characteristic coefficient, h is a preset prime number, mod is a preset modulo operation identifier;
the server side stores the sub data into n different databases respectively.
4. The HMAC and secret sharing-based data storage and protection method of claim 3, wherein the server performs regular discrimination on the sub-data stored in the n databases respectively to obtain regular discrimination indexes, performs threshold comparison on the regular discrimination indexes and a preset regular discrimination index threshold, selects a corresponding encryption mode according to a threshold comparison result to encrypt the sub-data respectively, and generates corresponding encrypted sub-data, and the method comprises the following steps:
acquiring a preset public key and a preset private key;
the server side inputs the sub-data stored in n databases into a preset regularity distinguishing model for identification to obtain regularity distinguishing indexes;
comparing the regularity distinguishing index with a preset regularity distinguishing index threshold value;
If the threshold comparison result meets the preset requirement, encrypting the sub-data by adopting a preset public key to generate public key encrypted sub-data;
if the threshold comparison result does not meet the preset requirement, acquiring attribute information of the client and sending the attribute information to the server;
inputting the attribute information into a preset key generation model for analysis processing to obtain a key character string, and encrypting the sub-data according to the key character string to generate character string encryption sub-data.
5. The HMAC and secret sharing-based data storage and protection method of claim 4, wherein the client sends a query request to the server, and the server extracts the encrypted sub-data from the k databases to decrypt respectively, and obtains the corresponding decrypted sub-data, and the method comprises the following steps:
the client sends a query request to the server;
the server side extracts the public key encryption sub-data or the character string encryption sub-data from k databases respectively;
decrypting the public key encryption sub-data according to the preset private key to obtain private key decryption sub-data;
and decrypting the character string encryption sub-data according to the key character string to obtain character string decryption sub-data.
6. The HMAC and secret sharing-based data storage and protection method of claim 5, wherein the server performs calculation processing on all k decryption sub-data to obtain first decryption sub-data, and the method comprises:
the server side calculates all k decryption sub-data to obtain first decryption sub-data;
the calculation formula of the first decryption sub-data is as follows:
wherein,for the first decryption sub-data +.>For the ith decryption subData,/->、/>Is a preset characteristic coefficient.
7. The HMAC and secret sharing-based data storage and protection method of claim 6, wherein the server decrypts the first decrypted sub-data according to the random string to obtain the private data, comprising:
and the server inputs the random character string into a preset decryption model for analysis and processing to obtain the privacy data.
8. Data storage and protection system based on HMAC and secret sharing is characterized in that
The method comprises the following steps of:
Acquiring privacy data of a client;
the client sends a storage request to the server, the server returns a random character string to the client and records the random character string, and the client encrypts the privacy data according to the random character string to generate first encrypted data and transmits the first encrypted data to the server;
the server side segments the first encrypted data and stores the segmented sub data into n different databases;
the server side respectively carries out regularity discrimination on the sub-data stored in n databases to obtain regularity discrimination indexes, carries out threshold comparison on the regularity discrimination indexes and a preset regularity discrimination index threshold, selects a corresponding encryption mode according to a threshold comparison result to respectively encrypt the sub-data, and generates corresponding encrypted sub-data;
the client sends a query request to the server, and the server extracts the encrypted sub-data from k databases to decrypt respectively to obtain corresponding decrypted sub-data;
the server side calculates all k decryption sub-data to obtain first decryption sub-data;
And the server decrypts the first decryption sub-data according to the random character string to obtain the privacy data.
9. The HMAC and secret sharing-based data storage and protection system of claim 8, wherein the client sends a storage request to the server, the server returns a random string to the client and records the random string, the client encrypts the private data according to the random string to generate first encrypted data and transmits the first encrypted data to the server, and the method comprises:
the client sends a storage request to a server;
the server returns a random character string to the client and records the random character string;
the client inputs a request storage instruction and the random character string into a preset encryption model for analysis and processing to obtain first encrypted data;
and the client transmits the first encrypted data to the server.
10. A computer readable storage medium, wherein the computer readable storage medium includes a data storage and protection method program based on HMAC and secret sharing, and when the data storage and protection method program based on HMAC and secret sharing is executed by a processor, the steps of the data storage and protection method based on HMAC and secret sharing according to any one of claims 1 to 7 are implemented.
CN202311345434.0A 2023-10-18 2023-10-18 Data storage and protection method, system and medium based on HMAC and secret sharing Active CN117077185B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202311345434.0A CN117077185B (en) 2023-10-18 2023-10-18 Data storage and protection method, system and medium based on HMAC and secret sharing

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202311345434.0A CN117077185B (en) 2023-10-18 2023-10-18 Data storage and protection method, system and medium based on HMAC and secret sharing

Publications (2)

Publication Number Publication Date
CN117077185A CN117077185A (en) 2023-11-17
CN117077185B true CN117077185B (en) 2024-02-02

Family

ID=88715733

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202311345434.0A Active CN117077185B (en) 2023-10-18 2023-10-18 Data storage and protection method, system and medium based on HMAC and secret sharing

Country Status (1)

Country Link
CN (1) CN117077185B (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2021010896A1 (en) * 2019-07-12 2021-01-21 Nanyang Technological University Method and system for distributed data management
CN112968859A (en) * 2020-11-27 2021-06-15 长威信息科技发展股份有限公司 Encryption storage system for work privacy data
CN113051587A (en) * 2021-03-10 2021-06-29 中国人民大学 Privacy protection intelligent transaction recommendation method, system and readable medium
CN113177219A (en) * 2021-05-26 2021-07-27 永旗(北京)科技有限公司 Network data privacy protection method

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2021010896A1 (en) * 2019-07-12 2021-01-21 Nanyang Technological University Method and system for distributed data management
CN112968859A (en) * 2020-11-27 2021-06-15 长威信息科技发展股份有限公司 Encryption storage system for work privacy data
CN113051587A (en) * 2021-03-10 2021-06-29 中国人民大学 Privacy protection intelligent transaction recommendation method, system and readable medium
CN113177219A (en) * 2021-05-26 2021-07-27 永旗(北京)科技有限公司 Network data privacy protection method

Also Published As

Publication number Publication date
CN117077185A (en) 2023-11-17

Similar Documents

Publication Publication Date Title
JP6504013B2 (en) Cryptographic processing method, cryptographic processing device, and cryptographic processing program
CN110324143A (en) Data transmission method, electronic equipment and storage medium
US10635824B1 (en) Methods and apparatus for private set membership using aggregation for reduced communications
US20130262863A1 (en) Searchable encryption processing system
EP3598714A1 (en) Method, device, and system for encrypting secret key
CN110177134B (en) Secure password manager based on multi-cloud storage and use method thereof
CN110771190A (en) Controlling access to data
CN113190584A (en) Concealed trace query method based on oblivious transmission protocol
JP7323004B2 (en) Data extraction system, data extraction method, registration device and program
CN112866227A (en) File authorization protection method and system
CN115473703A (en) Identity-based ciphertext equivalence testing method, device, system and medium for authentication
Verma Secure client-side deduplication scheme for cloud with dual trusted execution environment
CN111475690B (en) Character string matching method and device, data detection method and server
KR101217491B1 (en) A method for searching keyword based on public key
CN117056961A (en) Privacy information retrieval method and computer readable storage medium
CN117077185B (en) Data storage and protection method, system and medium based on HMAC and secret sharing
CN116049792A (en) Face registration and recognition method and face data protection system
CN111541652B (en) System for improving security of secret information keeping and transmission
CN108833449B (en) Web communication encryption transmission method, device and system based on RAS algorithm
CN113065146A (en) Homomorphic encryption method for block chain data protection
Wang et al. Internet of vehicles based on TrustZone and optimized RSA
CN112491904B (en) Big data privacy protection sharing method and system
CN116579005B (en) User data safety storage management method
CN115694921B (en) Data storage method, device and medium
CN110572256B (en) Anti-quantum computing asymmetric key management method and system based on asymmetric key pool and implicit certificate

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant