CN117439750A - Encryption method, device, equipment and medium for user subscription data - Google Patents

Encryption method, device, equipment and medium for user subscription data Download PDF

Info

Publication number
CN117439750A
CN117439750A CN202210834497.1A CN202210834497A CN117439750A CN 117439750 A CN117439750 A CN 117439750A CN 202210834497 A CN202210834497 A CN 202210834497A CN 117439750 A CN117439750 A CN 117439750A
Authority
CN
China
Prior art keywords
quantum random
file
random number
subscription data
service terminal
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202210834497.1A
Other languages
Chinese (zh)
Inventor
钮铮
欧洋洋
白雪
陈霞
王伟坚
王凯
孙康
魏华健
马文博
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
China Mobile Communications Group Co Ltd
China Mobile Group Beijing Co Ltd
Original Assignee
China Mobile Communications Group Co Ltd
China Mobile Group Beijing Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by China Mobile Communications Group Co Ltd, China Mobile Group Beijing Co Ltd filed Critical China Mobile Communications Group Co Ltd
Priority to CN202210834497.1A priority Critical patent/CN117439750A/en
Publication of CN117439750A publication Critical patent/CN117439750A/en
Pending legal-status Critical Current

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/04Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00Network arrangements or protocols for supporting network services or applications
    • H04L67/01Protocols
    • H04L67/06Protocols specially adapted for file transfer, e.g. file transfer protocol [FTP]
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0852Quantum cryptography
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/0869Generation of secret information including derivation or calculation of cryptographic keys or passwords involving random numbers or seeds
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3236Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions
    • H04L9/3239Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions involving non-keyed hash functions, e.g. modification detection codes [MDCs], MD5, SHA or RIPEMD
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures

Abstract

The invention provides a method, a device, equipment and a medium for encrypting user subscription data, which comprise the following steps: the service terminal equipment receives the user subscription data and generates a first plaintext file corresponding to the service data and a second plaintext file corresponding to the user signature from the user subscription data; encrypting the first plaintext file by using a first encryption key to obtain a first ciphertext file; encrypting the second plaintext file by using the second encryption key to obtain a second ciphertext file; transmitting the first ciphertext file and the second ciphertext file to the business support server; the first encryption key is generated based on a first key seed, the first key seed is generated based on a first quantum random array, and the second key seed is generated based on a second quantum random array and a device ID of the service terminal device. The invention improves the security of signature data encryption by encrypting the signature data in the user signature data in a safer way.

Description

Encryption method, device, equipment and medium for user subscription data
Technical Field
The present invention relates to the field of data security technologies, and in particular, to a method, an apparatus, a device, and a medium for encrypting user subscription data.
Background
With the development of big data analysis technology, subscription data of mobile communication users often has analysis value in many fields, and is selected by more and more big data analysis applications. The subscription data refers to various electronic contracts of the user and the operator, and then the signature added to the electronic contract by the user through an electronic handwriting pen is added.
In the prior art, subscription data is collected at a terminal of a business hall and then directly transmitted to a background business support server for storage. Or the public text is encrypted through a common symmetric encryption algorithm or an asymmetric encryption algorithm and then is stored by the industry branch server, then the industry branch server stores a decryption key, and when the subscription data is requested by a third party, the industry branch server decrypts the ciphertext by using the stored decryption key to obtain the plaintext of the subscription data.
Both the above two modes have potential safety hazards and technical defects of poor safety, and direct plaintext preservation is the least safe method. Since the server grasps the decryption key, the data stored by the conventional encryption method can cause data leakage if the key is illegally obtained, and can also cause data leakage if the conventional encryption and decryption algorithm is cracked.
Moreover, subscription data has its industry specificity, not ordinary data. Because contract information is of interest in big data analysis, but signature is not of interest and relatively frequent invocations; however, the signature of the user in the subscription data is not interesting for big data analysis, but is very confidential information for the user, if the information is obtained illegally, the benefit of the user is possibly jeopardized, and in the system of an operator, the signature of the user needs to be called, which generally relates to serious special requirements like disputes or judicial, and the like, and the requirement that the signature of the user is called belongs to the very small frequency occurrence.
Therefore, the subscription data includes two types of data, one type is that the use frequency is higher, but the security requirement is relatively lower, and the other type is that the use frequency is low, but the security requirement is very high, and the subscription data is encrypted by the conventional technology in the prior art, so that the technical defect of poor security exists.
Disclosure of Invention
The invention provides a method, a device, equipment and a medium for encrypting user subscription data, which are used for solving the defect of poor encryption security of the subscription data in the prior art and realizing the improvement of the security of the subscription data.
The invention provides a method for encrypting user subscription data, which comprises the following steps:
the service terminal equipment receives user subscription data and generates a first plaintext file corresponding to the service data and a second plaintext file corresponding to a user signature from the user subscription data;
the service terminal equipment encrypts the first plaintext file by using a first encryption key to obtain a first ciphertext file;
the service terminal equipment encrypts the second plaintext file by using a second encryption key to obtain a second ciphertext file;
the service terminal equipment transmits the first ciphertext file and the second ciphertext file to a business support server;
the first ciphertext file is used for determining the first plaintext file, the second ciphertext file is used for determining the second plaintext file, the first encryption key is generated based on a first key seed, the first key seed is generated based on a first quantum random array, and the second key seed is generated based on a second quantum random array and a device ID of the service terminal device.
According to the encryption method for the user subscription data provided by the invention, the first quantum random array and the second key seed are filled to the service terminal equipment through the quantum random number filling equipment, and the first quantum random array and the second quantum random array are generated through a quantum random number generator.
According to the encryption method of user subscription data provided by the invention, the first key seed is determined, and the method comprises the following steps:
the service terminal equipment sends a quantum random number request message to a business support server;
the service terminal equipment receives a first quantum random array transmitted by the quantum random number filling equipment and determines the first key seed based on the first quantum random array;
wherein the quantum random number request message is for requesting a quantum random number from the quantum random number generator, the first quantum random number array being determined by the quantum random number filling device based on the quantum random number.
According to the encryption method of user subscription data provided by the invention, the second key seed is determined, and the method comprises the following steps:
the service terminal equipment transmits the equipment ID to the quantum random number filling equipment;
the service terminal equipment receives the second key seed transmitted by the quantum random number filling equipment;
the device ID is used by the quantum random number filling device to generate a hash value H corresponding to the device ID, the hash value H is used by the quantum random number filling device to determine the second key seed based on the hash value H and a second quantum random array, and the second quantum random array is determined by the quantum random number filling device based on the quantum random number.
According to the encryption method for the user subscription data, the hash value H is obtained by inputting the equipment ID into a hash function, the maximum output value of the hash function is smaller than or equal to the number of quantum random numbers in the second quantum random array, and the H-th quantum random number in the second quantum random array is selected as the second key seed.
The invention also provides an encryption method of the user subscription data, which comprises the following steps:
the business support server receives a first ciphertext file and a second ciphertext file transmitted by business terminal equipment;
the business support server decrypts the first ciphertext file to obtain a first plaintext file;
the business support server decrypts the second ciphertext file to obtain a second plaintext file;
the first ciphertext file is obtained by encrypting the first plaintext file by the service terminal equipment based on a first encryption key, the second ciphertext file is obtained by encrypting the second plaintext file by the service terminal equipment based on a second encryption key, the first plaintext file is generated by the service terminal equipment based on service data in user subscription data, and the second plaintext file is generated by the service terminal equipment based on a user signature in the user subscription data;
The first encryption key is generated based on a first key seed, the first key seed is generated based on a first quantum random array, and the second key seed is generated based on a second quantum random array and a device ID of the service terminal device.
The invention also provides an encryption device of the user subscription data, which comprises:
the plaintext file generation module is used for receiving user subscription data and generating a first plaintext file corresponding to service data and a second plaintext file corresponding to a user signature from the user subscription data;
the first encryption module is used for encrypting the first plaintext file by using a first encryption key to obtain a first ciphertext file;
the second encryption module is used for encrypting the second plaintext file by using a second encryption key by the service terminal equipment to obtain a second ciphertext file;
the ciphertext transmission module is used for transmitting the first ciphertext file and the second ciphertext file to the business support server;
the first ciphertext file is used for determining the first plaintext file, the second ciphertext file is used for determining the second plaintext file, the first encryption key is generated based on a first key seed, the first key seed is generated based on a first quantum random array, and the second key seed is generated based on a second quantum random array and a device ID of the service terminal device.
The invention also provides an electronic device comprising a memory, a processor and a computer program stored on the memory and running on the processor, wherein the processor realizes the encryption method of the user subscription data when executing the program.
The present invention also provides a non-transitory computer readable storage medium having stored thereon a computer program which, when executed by a processor, implements a method of encrypting user subscription data as described in any of the above.
The invention also provides a computer program product comprising a computer program which when executed by a processor implements a method of encrypting user subscription data as described in any of the above.
According to the encryption method, the device, the equipment and the medium for the user subscription data, the user subscription data is divided into the first plaintext file corresponding to the service data and the second plaintext file corresponding to the user signature, and the first plaintext file and the second plaintext file corresponding to the service data are respectively encrypted and protected according to different security levels.
Drawings
In order to more clearly illustrate the invention or the technical solutions of the prior art, the following description will briefly explain the drawings used in the embodiments or the description of the prior art, and it is obvious that the drawings in the following description are some embodiments of the invention, and other drawings can be obtained according to the drawings without inventive effort for a person skilled in the art.
Fig. 1 is a flow chart of a method for encrypting user subscription data according to the present invention;
fig. 2 is a schematic diagram of an exemplary system architecture to which the encryption method for subscriber subscription data provided by the present invention is applied;
FIG. 3 is a second flowchart of a method for encrypting subscriber subscription data according to the present invention;
FIG. 4 is a third flow chart of the encryption method of user subscription data according to the present invention;
fig. 5 is a schematic structural diagram of an encryption device for subscriber subscription data according to the present invention;
fig. 6 is a schematic structural diagram of an electronic device provided by the present invention.
Detailed Description
For the purpose of making the objects, technical solutions and advantages of the present invention more apparent, the technical solutions of the present invention will be clearly and completely described below with reference to the accompanying drawings, and it is apparent that the described embodiments are some embodiments of the present invention, not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
The encryption method of user subscription data of the present invention is described below with reference to fig. 1 to 4.
Referring to fig. 1, the encryption method for user subscription data provided by the present invention includes:
step 10, a service terminal device receives user subscription data and generates a first plaintext file corresponding to the service data and a second plaintext file corresponding to a user signature from the user subscription data;
it should be noted that, referring to fig. 2, the encryption method of user subscription data of the present invention is applied to a system architecture, where the system architecture includes a service terminal device and a service support server, where the service terminal device may be used to provide a subscription service for a user, generate user subscription data when processing the subscription service, and sign a subscription for the user through the subscription service provided by the service terminal device when providing the subscription service for the user; the service terminal device may also provide only encrypted services of the subscriber subscription data. The business support server provides business support service, data support service and data storage service for the business terminal equipment, for example, provides data required by encryption and decryption for the terminal equipment, requests data required by encryption and decryption for the business terminal equipment to other equipment, stores and backs up encryption and decryption data, secret keys, user subscription data and the like.
The service terminal device can be a mobile phone, a tablet personal computer, a computer with a wireless receiving and transmitting function, a virtual reality terminal device, an augmented reality terminal device, a wireless terminal in industrial control, a wireless terminal in unmanned operation, a wireless terminal in smart grid, a wireless terminal in transportation safety, a wireless terminal in smart city, a wireless terminal in smart home and the like.
The user subscription data includes two types of data, one is user subscription data including service data, and the other is user subscription data including user signature. The method comprises the steps that user signing data are received by service terminal equipment, the user signing data are generated into a first plaintext file corresponding to the service data and a second plaintext file corresponding to a user signature, the user signing data are distinguished according to whether the user signing data exist or not, the service data are distinguished from the signature, the user signing data are divided into the first plaintext file containing the service data and the second plaintext file containing the user signature, and signing is conducted on user signing data of different parts.
Step 20, the service terminal device encrypts the first plaintext file by using a first encryption key to obtain a first ciphertext file;
Step 30, the service terminal equipment encrypts the second plaintext file by using a second encryption key to obtain a second ciphertext file;
the first encryption key is generated based on a first key seed, the first key seed is generated based on a first quantum random array, and the second key seed is generated based on a second quantum random array and the device ID of the service terminal device.
Encrypting the first plaintext file through a first encryption key to obtain a first ciphertext file; and encrypting the second plaintext file by the second encryption key to obtain a second ciphertext file, and encrypting the plaintext file corresponding to the service data and the plaintext file corresponding to the signature data according to different encryption keys. It can be known that, since the first key seed is generated based on the first quantum random array, and the second key seed is generated based on the first quantum random array and the device ID corresponding to the service terminal, the encryption degree of the first encryption key generated based on the second key seed is higher than that of the second encryption key generated based on the second key seed, so that the user subscription data is encrypted in a manner of respectively protecting different security levels, the user subscription data in the user subscription data is encrypted based on the key with higher encryption degree, and the service data in the user subscription data is encrypted based on the key with lower encryption degree.
Step 40, the service terminal device transmits the first ciphertext file and the second ciphertext file to a business support server;
the first ciphertext file is used for determining the first plaintext file, the second ciphertext file is used for determining the second plaintext file, the first encryption key is generated based on a first key seed, the first key seed is generated based on a first quantum random array, and the second key seed is generated based on a second quantum random array and a device ID of the service terminal device.
The business terminal equipment encrypts the first plaintext file by using the first encryption key to form a first ciphertext file, encrypts the second plaintext file by using the second encryption key to form a second ciphertext file, and then sends the first ciphertext file and the second ciphertext file to the business support server for the business support server to store, backup and the like the ciphertext files respectively.
When the third party terminal acquires the user subscription data, the business support server requests to acquire the user subscription data, and the business support server decrypts the ciphertext data and sends the ciphertext data to the third party terminal. Specifically: when a third party terminal requests to the industry branch server to obtain a first plaintext file, the industry branch server executes decryption operation on the stored first ciphertext file by using a first decryption key to obtain the first plaintext file; when the third party terminal requests the business support server to obtain the second plaintext file, the business support server requests the equipment ID of the business terminal equipment from the business terminal equipment and sends the equipment ID to the quantum random number filling equipment; the quantum random number filling equipment generates a second key seed based on the second quantum random number group and the second key seed, sends the second key seed to the industry branch server and invalidates the second key seed; and the business support server calculates a second decryption key according to the second key seed, decrypts the second ciphertext file, obtains a second plaintext file and sends the second plaintext file to a third party.
According to the encryption method for the user subscription data, the user subscription data is divided into the first plaintext file corresponding to the service data and the second plaintext file corresponding to the user signature, and the first plaintext file and the second plaintext file corresponding to the service data are respectively encrypted and protected according to different security levels.
In a possible embodiment, the first quantum random array and the second key seed are filled to the service terminal device by a quantum random number filling device, and the first quantum random array and the second quantum random array are generated by a quantum random number generator.
It should be noted that, the random number generator commonly used today either relies on computer simulation to generate pseudo random numbers or extracts random numbers from some classical physical noise (e.g. thermal noise, electrical noise, etc.). In theory, however, classical physical processes can be modeled taking into account all variables, except that the randomness produced by some quantum physical processes is completely truly random, such as the collapse process of the quantum states. The generation of the quantum random number comprises four steps of random source selection, digital sampling, data post-processing and randomness checking.
The quantum random number generator can be an online device or an offline device according to the requirement. If the device is an online device, the device is connected with other online devices through a network; if the device is an offline device, the device is connected with other devices only when the device needs to be used in an unconnected mode.
The quantum random number filling device is a small off-line device, and is mainly used for acquiring quantum random numbers from a quantum random number generator and then forwarding the received quantum random numbers to other devices through physical movement. The connection mode of the quantum random number filling device and other devices is as follows: USB, bluetooth, etc., in direct contact or short range communication. In connection with different devices, it is necessary to manually transfer the physical location of the quantum random number filling device in order to connect with the different devices.
In one possible embodiment, referring to fig. 3, determining the first key seed includes:
step 401, the service terminal device sends a quantum random number request message to a business support server;
step 402, the service terminal device receives a first quantum random array transmitted by the quantum random number filling device, and determines the first key seed based on the first quantum random array;
Wherein the quantum random number request message is for requesting a quantum random number from the quantum random number generator, the first quantum random number array being determined by the quantum random number filling device based on the quantum random number.
The first key seed generation process comprises the following steps: the service terminal equipment sends a quantum random number request message to the business support server; the business support server receives the quantum random number request message and sends the quantum random number request message to the quantum random number generator; the quantum random number generator receives the quantum random number request message, generates a plurality of quantum random numbers based on quantum information, and transmits the generated quantum random numbers to the quantum random number filling equipment; the quantum random number filling equipment divides the quantum random numbers into two groups to obtain a first quantum random number group and a second quantum random number group, and directly fills the first quantum random number group into service terminal equipment; the service terminal device selects a quantum random number from the first quantum random array as a first key seed.
Wherein the quantum random number generator generates a plurality of quantum random numbers T based on quantum information i Where i= … M, M is the number of generated quantum random numbers, and M is a larger value, e.g., M > 1000. After the quantum random number generator generates the quantum random number, the generated quantum random number is transmitted to the quantum random number filling equipment.
In a possible embodiment, referring to fig. 4, determining the second key seed includes:
step 411, the service terminal device transmits its device ID to the quantum random number filling device;
step 412, the service terminal device receives the second key seed transmitted by the quantum random number filling device;
the device ID is used by the quantum random number filling device to generate a hash value H corresponding to the device ID, the hash value H is used by the quantum random number filling device to determine the second key seed based on the hash value H and a second quantum random array, and the second quantum random array is determined by the quantum random number filling device based on the quantum random number.
The second key seed generation process includes: the service terminal equipment sends a quantum random number request message to the business support server; the business support server receives the quantum random number request message and sends the quantum random number request message to the quantum random number generator; the quantum random number generator receives the quantum random number request message, generates a plurality of quantum random numbers based on quantum information, and transmits the generated quantum random numbers to the quantum random number filling equipment; the quantum random number filling device divides the quantum random number into two groups to obtain a first quantum random array and a second quantum random array. Then, the quantum random number filling device transmits a device ID request message to the service terminal device; the service terminal equipment receives the equipment ID request message and transmits the equipment ID to the quantum random number filling equipment; the quantum random number filling device generates a hash value corresponding to the device ID and determines a second key seed based on the hash value and the second quantum random number set.
In this embodiment, the quantum random number is selected in combination with the device ID of the service terminal device, that is, only the device ID of the service terminal device is held to encrypt and decrypt the user signature data, so that the security of the plaintext data of the user signature data is improved, and even if the second ciphertext data is obtained, the corresponding signature data, that is, the second plaintext file, cannot be easily decrypted.
Further, the hash value H is obtained by inputting the device ID into a hash function, a maximum output value of the hash function is smaller than or equal to the number of quantum random numbers in the second quantum random array, and an H-th quantum random number in the second quantum random array is selected as the second key seed.
The specific process of determining the second key seed based on the hash value H and the second quantum random array includes: the quantum random number filling device stores a hash function f=hash (x) in a safety area, the maximum output value of the hash function is smaller than or equal to the number of quantum random numbers in the second quantum random number array, and a hash value H is obtained through calculation: hash (ID) =h, and select the H-th quantum random number in the second quantum random array to send to the terminal device as the second key seed.
In this embodiment, the second key seed is determined based on the hash value H and the second quantum random array by the hash function, specifically, in combination with the device ID of the service terminal device, the quantum random number is selected by the hash function, that is, only the device ID of the service terminal device is held to encrypt and decrypt the user signature data, so that the security of plaintext data of the user signature data is improved, and even if the second ciphertext data is obtained, the corresponding signature data, that is, the second plaintext file, cannot be easily decrypted.
The invention also provides an encryption method of the user subscription data, which comprises the following steps:
the business support server receives a first ciphertext file and a second ciphertext file transmitted by business terminal equipment;
the business support server decrypts the first ciphertext file to obtain a first plaintext file;
the business support server decrypts the second ciphertext file to obtain a second plaintext file;
the first ciphertext file is obtained by encrypting the first plaintext file by the service terminal equipment based on a first encryption key, the second ciphertext file is obtained by encrypting the second plaintext file by the service terminal equipment based on a second encryption key, the first plaintext file is generated by the service terminal equipment based on service data in user subscription data, and the second plaintext file is generated by the service terminal equipment based on a user signature in the user subscription data;
The first encryption key is generated based on a first key seed, the first key seed is generated based on a first quantum random array, and the second key seed is generated based on a second quantum random array and a device ID of the service terminal device.
It should be noted that, referring to fig. 2, the encryption method of user subscription data of the present invention is applied to a system architecture, where the system architecture includes a service terminal device and a service support server, where the service terminal device may be used to provide a subscription service for a user, generate user subscription data when processing the subscription service, and sign a subscription for the user through the subscription service provided by the service terminal device when providing the subscription service for the user; the service terminal device may also provide only encrypted services of the subscriber subscription data. The business support server provides business support service, data support service and data storage service for the business terminal equipment, for example, provides data required by encryption and decryption for the terminal equipment, requests data required by encryption and decryption for the business terminal equipment to other equipment, stores and backs up encryption and decryption data, secret keys, user subscription data and the like.
The service terminal device can be a mobile phone, a tablet personal computer, a computer with a wireless receiving and transmitting function, a virtual reality terminal device, an augmented reality terminal device, a wireless terminal in industrial control, a wireless terminal in unmanned operation, a wireless terminal in smart grid, a wireless terminal in transportation safety, a wireless terminal in smart city, a wireless terminal in smart home and the like.
The user subscription data includes two types of data, one is user subscription data including service data, and the other is user subscription data including user signature. The method comprises the steps that a service terminal device receives user subscription data, generates a first plaintext file corresponding to the service data and a second plaintext file corresponding to a user signature from the user subscription data, and aims at distinguishing the user signature data according to whether the user signature is not available or not, distinguishing the service data from the signature, and dividing the user subscription data into the first plaintext file containing the service data and the second plaintext file containing the user signature so as to sign the user subscription data of different parts
The first encryption key is generated based on a first key seed, the first key seed is generated based on a first quantum random array, and the second key seed is generated based on a second quantum random array and the device ID of the service terminal device.
The service terminal equipment encrypts a first plaintext file through a first encryption key to obtain a first ciphertext file; and the service terminal equipment encrypts the second encryption key and the second plaintext file to obtain a second ciphertext file, so that the plaintext file corresponding to the service data and the plaintext file corresponding to the signature data are respectively encrypted according to different encryption keys. It can be known that, since the first key seed is generated based on the first quantum random array, and the second key seed is generated based on the first quantum random array and the device ID corresponding to the service terminal, the encryption degree of the first encryption key generated based on the second key seed is higher than that of the second encryption key generated based on the second key seed, so that the user subscription data is encrypted in a manner of respectively protecting different security levels, the user subscription data in the user subscription data is encrypted based on the key with higher encryption degree, and the service data in the user subscription data is encrypted based on the key with lower encryption degree.
The business terminal equipment encrypts the first plaintext file by using the first encryption key to form a first ciphertext file, encrypts the second plaintext file by using the second encryption key to form a second ciphertext file, and then sends the first ciphertext file and the second ciphertext file to the business support server for the business support server to store, backup and the like the ciphertext files respectively.
When the third party terminal acquires the user subscription data, the business support server requests to acquire the user subscription data, and the business support server decrypts the ciphertext data and sends the ciphertext data to the third party terminal. Specifically: when a third party terminal requests to the industry branch server to obtain a first plaintext file, the industry branch server executes decryption operation on the stored first ciphertext file by using a first decryption key to obtain the first plaintext file; when the third party terminal requests the business support server to obtain the second plaintext file, the business support server requests the equipment ID of the business terminal equipment from the business terminal equipment and sends the equipment ID to the quantum random number filling equipment; the quantum random number filling equipment generates a second key seed based on the second quantum random number group and the second key seed, sends the second key seed to the industry branch server and invalidates the second key seed; and the business support server calculates a second decryption key according to the second key seed, decrypts the second ciphertext file, obtains a second plaintext file and sends the second plaintext file to the third party terminal.
According to the encryption method for the user subscription data, the user subscription data is divided into the first plaintext file corresponding to the service data and the second plaintext file corresponding to the user signature, and the first plaintext file and the second plaintext file corresponding to the service data are respectively encrypted and protected according to different security levels.
The encryption device for user subscription data provided by the invention is described below, and the encryption device for user subscription data described below and the encryption method for user subscription data described above can be referred to correspondingly.
Referring to fig. 5, an encryption device for user subscription data according to the present invention includes:
the plaintext file generation module is used for receiving user subscription data and generating a first plaintext file corresponding to service data and a second plaintext file corresponding to a user signature from the user subscription data;
the first encryption module is used for encrypting the first plaintext file by using a first encryption key to obtain a first ciphertext file;
the second encryption module is used for encrypting the second plaintext file by using a second encryption key by the service terminal equipment to obtain a second ciphertext file;
the ciphertext transmission module is used for transmitting the first ciphertext file and the second ciphertext file to the business support server;
the first ciphertext file is used for determining the first plaintext file, the second ciphertext file is used for determining the second plaintext file, the first encryption key is generated based on a first key seed, the first key seed is generated based on a first quantum random array, and the second key seed is generated based on a second quantum random array and a device ID of the service terminal device.
Further, the first quantum random array and the second key seed are filled by a quantum random number filling device, the first quantum random array and the second quantum random array being generated by a quantum random number generator.
Further, the encryption device of the user subscription data further comprises a first key seed determining module, configured to:
sending a quantum random number request message;
receiving a first quantum random array transmitted by the quantum random number filling device, and determining the first key seed based on the first quantum random array;
wherein the quantum random number request message is for requesting a quantum random number from the quantum random number generator, the first quantum random number array being determined by the quantum random number filling device based on the quantum random number.
Further, the encryption device of the user subscription data further comprises a second key seed determining module, configured to:
transmitting its device ID to the quantum random number filling device;
receiving the second key seed transmitted by the quantum random number filling device;
the device ID is used by the quantum random number filling device to generate a hash value H corresponding to the device ID, the hash value H is used by the quantum random number filling device to determine the second key seed based on the hash value H and a second quantum random array, and the second quantum random array is determined by the quantum random number filling device based on the quantum random number.
Further, the hash value H is obtained by inputting the device ID into a hash function, a maximum output value of the hash function is smaller than or equal to the number of quantum random numbers in the second quantum random array, and an H-th quantum random number in the second quantum random array is selected as the second key seed.
Fig. 6 illustrates a physical schematic diagram of an electronic device, as shown in fig. 6, which may include: processor 610, communication interface (Communications Interface) 620, memory 630, and communication bus 640, wherein processor 610, communication interface 620, and memory 630 communicate with each other via communication bus 640. The processor 610 may invoke logic instructions in the memory 630 to perform a method of encrypting user subscription data, the method comprising: the service terminal equipment receives user subscription data and generates a first plaintext file corresponding to the service data and a second plaintext file corresponding to a user signature from the user subscription data; the service terminal equipment encrypts the first plaintext file by using a first encryption key to obtain a first ciphertext file; the service terminal equipment encrypts the second plaintext file by using a second encryption key to obtain a second ciphertext file; the service terminal equipment transmits the first ciphertext file and the second ciphertext file to a business support server; the first ciphertext file is used for determining the first plaintext file, the second ciphertext file is used for determining the second plaintext file, the first encryption key is generated based on a first key seed, the first key seed is generated based on a first quantum random array, and the second key seed is generated based on a second quantum random array and a device ID of the service terminal device.
Further, the logic instructions in the memory 630 may be implemented in the form of software functional units and stored in a computer-readable storage medium when sold or used as a stand-alone product. Based on this understanding, the technical solution of the present invention may be embodied essentially or in a part contributing to the prior art or in a part of the technical solution, in the form of a software product stored in a storage medium, comprising several instructions for causing a computer device (which may be a personal computer, a server, a network device, etc.) to perform all or part of the steps of the method according to the embodiments of the present invention. And the aforementioned storage medium includes: a U-disk, a removable hard disk, a Read-Only Memory (ROM), a random access Memory (RAM, random Access Memory), a magnetic disk, or an optical disk, or other various media capable of storing program codes.
In another aspect, the present invention also provides a computer program product, the computer program product comprising a computer program, the computer program being storable on a non-transitory computer readable storage medium, the computer program, when executed by a processor, being capable of executing a method of encrypting user subscription data provided by the above methods, the method comprising: the service terminal equipment receives user subscription data and generates a first plaintext file corresponding to the service data and a second plaintext file corresponding to a user signature from the user subscription data; the service terminal equipment encrypts the first plaintext file by using a first encryption key to obtain a first ciphertext file; the service terminal equipment encrypts the second plaintext file by using a second encryption key to obtain a second ciphertext file; the service terminal equipment transmits the first ciphertext file and the second ciphertext file to a business support server; the first ciphertext file is used for determining the first plaintext file, the second ciphertext file is used for determining the second plaintext file, the first encryption key is generated based on a first key seed, the first key seed is generated based on a first quantum random array, and the second key seed is generated based on a second quantum random array and a device ID of the service terminal device.
In still another aspect, the present invention also provides a non-transitory computer readable storage medium having stored thereon a computer program which, when executed by a processor, is implemented to perform a method of encrypting user subscription data provided by the above methods, the method comprising: the service terminal equipment receives user subscription data and generates a first plaintext file corresponding to the service data and a second plaintext file corresponding to a user signature from the user subscription data; the service terminal equipment encrypts the first plaintext file by using a first encryption key to obtain a first ciphertext file; the service terminal equipment encrypts the second plaintext file by using a second encryption key to obtain a second ciphertext file; the service terminal equipment transmits the first ciphertext file and the second ciphertext file to a business support server; the first ciphertext file is used for determining the first plaintext file, the second ciphertext file is used for determining the second plaintext file, the first encryption key is generated based on a first key seed, the first key seed is generated based on a first quantum random array, and the second key seed is generated based on a second quantum random array and a device ID of the service terminal device.
The apparatus embodiments described above are merely illustrative, wherein the elements illustrated as separate elements may or may not be physically separate, and the elements shown as elements may or may not be physical elements, may be located in one place, or may be distributed over a plurality of network elements. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of this embodiment. Those of ordinary skill in the art will understand and implement the present invention without undue burden.
From the above description of the embodiments, it will be apparent to those skilled in the art that the embodiments may be implemented by means of software plus necessary general hardware platforms, or of course may be implemented by means of hardware. Based on this understanding, the foregoing technical solution may be embodied essentially or in a part contributing to the prior art in the form of a software product, which may be stored in a computer readable storage medium, such as ROM/RAM, a magnetic disk, an optical disk, etc., including several instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) to execute the method described in the respective embodiments or some parts of the embodiments.
Finally, it should be noted that: the above embodiments are only for illustrating the technical solution of the present invention, and are not limiting; although the invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical scheme described in the foregoing embodiments can be modified or some technical features thereof can be replaced by equivalents; such modifications and substitutions do not depart from the spirit and scope of the technical solutions of the embodiments of the present invention.

Claims (10)

1. A method for encrypting subscriber subscription data, comprising:
the service terminal equipment receives user subscription data and generates a first plaintext file corresponding to the service data and a second plaintext file corresponding to a user signature from the user subscription data;
the service terminal equipment encrypts the first plaintext file by using a first encryption key to obtain a first ciphertext file;
the service terminal equipment encrypts the second plaintext file by using a second encryption key to obtain a second ciphertext file;
the service terminal equipment transmits the first ciphertext file and the second ciphertext file to a business support server;
The first ciphertext file is used for determining the first plaintext file, the second ciphertext file is used for determining the second plaintext file, the first encryption key is generated based on a first key seed, the first key seed is generated based on a first quantum random array, and the second key seed is generated based on a second quantum random array and a device ID of the service terminal device.
2. The method of encrypting subscriber subscription data according to claim 1, wherein the first quantum random array and the second key seed are charged to the service terminal device by a quantum random number charging device, and the first quantum random array and the second quantum random array are generated by a quantum random number generator.
3. The method for encrypting subscriber subscription data according to claim 2, wherein determining the first key seed comprises:
the service terminal equipment sends a quantum random number request message to a business support server;
the service terminal equipment receives a first quantum random array transmitted by the quantum random number filling equipment and determines the first key seed based on the first quantum random array;
Wherein the quantum random number request message is for requesting a quantum random number from the quantum random number generator, the first quantum random number array being determined by the quantum random number filling device based on the quantum random number.
4. The method for encrypting subscriber subscription data according to claim 1, wherein determining the second key seed comprises:
the service terminal equipment transmits the equipment ID to the quantum random number filling equipment;
the service terminal equipment receives the second key seed transmitted by the quantum random number filling equipment;
the device ID is used by the quantum random number filling device to generate a hash value H corresponding to the device ID, the hash value H is used by the quantum random number filling device to determine the second key seed based on the hash value H and a second quantum random array, and the second quantum random array is determined by the quantum random number filling device based on the quantum random number.
5. The method according to claim 4, wherein the hash value H is obtained by inputting the device ID into a hash function, the maximum output value of the hash function is smaller than or equal to the number of quantum random numbers in the second quantum random array, and the H-th quantum random number in the second quantum random array is selected as the second key seed.
6. A method for encrypting subscriber subscription data, comprising:
the business support server receives a first ciphertext file and a second ciphertext file transmitted by business terminal equipment;
the business support server decrypts the first ciphertext file to obtain a first plaintext file;
the business support server decrypts the second ciphertext file to obtain a second plaintext file;
the first ciphertext file is obtained by encrypting the first plaintext file by the service terminal equipment based on a first encryption key, the second ciphertext file is obtained by encrypting the second plaintext file by the service terminal equipment based on a second encryption key, the first plaintext file is generated by the service terminal equipment based on service data in user subscription data, and the second plaintext file is generated by the service terminal equipment based on a user signature in the user subscription data;
the first encryption key is generated based on a first key seed, the first key seed is generated based on a first quantum random array, and the second key seed is generated based on a second quantum random array and a device ID of the service terminal device.
7. An encryption apparatus for user subscription data, comprising:
the plaintext file generation module is used for receiving user subscription data and generating a first plaintext file corresponding to service data and a second plaintext file corresponding to a user signature from the user subscription data;
the first encryption module is used for encrypting the first plaintext file by using a first encryption key to obtain a first ciphertext file;
the second encryption module is used for encrypting the second plaintext file by using a second encryption key by the service terminal equipment to obtain a second ciphertext file;
the ciphertext transmission module is used for transmitting the first ciphertext file and the second ciphertext file to the business support server;
the first ciphertext file is used for determining the first plaintext file, the second ciphertext file is used for determining the second plaintext file, the first encryption key is generated based on a first key seed, the first key seed is generated based on a first quantum random array, and the second key seed is generated based on a second quantum random array and a device ID of the service terminal device.
8. An electronic device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, characterized in that the processor implements the encryption method of user subscription data according to any one of claims 1 to 6 when executing the program.
9. A non-transitory computer readable storage medium having stored thereon a computer program, wherein the computer program, when executed by a processor, implements a method of encrypting user subscription data according to any one of claims 1 to 6.
10. A computer program product comprising a computer program which, when executed by a processor, implements a method of encrypting user subscription data according to any one of claims 1 to 6.
CN202210834497.1A 2022-07-14 2022-07-14 Encryption method, device, equipment and medium for user subscription data Pending CN117439750A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210834497.1A CN117439750A (en) 2022-07-14 2022-07-14 Encryption method, device, equipment and medium for user subscription data

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202210834497.1A CN117439750A (en) 2022-07-14 2022-07-14 Encryption method, device, equipment and medium for user subscription data

Publications (1)

Publication Number Publication Date
CN117439750A true CN117439750A (en) 2024-01-23

Family

ID=89546849

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210834497.1A Pending CN117439750A (en) 2022-07-14 2022-07-14 Encryption method, device, equipment and medium for user subscription data

Country Status (1)

Country Link
CN (1) CN117439750A (en)

Similar Documents

Publication Publication Date Title
KR101982237B1 (en) Method and system for data sharing using attribute-based encryption in cloud computing
CN108123800A (en) Key management method, device, computer equipment and storage medium
CN113067699B (en) Data sharing method and device based on quantum key and computer equipment
CN102546600A (en) Deputy-based encryption, decryption method, network equipment, network device and system
KR101615137B1 (en) Data access method based on attributed
CN109995739B (en) Information transmission method, client, server and storage medium
CN111404952B (en) Transformer substation data encryption transmission method and device, computer equipment and storage medium
CN109905229B (en) Anti-quantum computing Elgamal encryption and decryption method and system based on group asymmetric key pool
KR20190063193A (en) METHOD AND SYSTEM FOR DATA SHARING FOR INTERNET OF THINGS(IoT) MANAGEMENT IN CLOUD COMPUTING
CN110505053B (en) Quantum key filling method, device and system
CN114443718A (en) Data query method and system
CN115632880A (en) Reliable data transmission and storage method and system based on state cryptographic algorithm
CN111224958A (en) Data transmission method and system
CN114499857A (en) Method for realizing data correctness and consistency in big data quantum encryption and decryption
CN106487761B (en) Message transmission method and network equipment
CN100561913C (en) A kind of method of access code equipment
CN116707778A (en) Data hybrid encryption transmission method and device and electronic equipment
CN114785527B (en) Data transmission method, device, equipment and storage medium
CN107872312B (en) Method, device, equipment and system for dynamically generating symmetric key
CN113672955B (en) Data processing method, system and device
KR101812311B1 (en) User terminal and data sharing method of user terminal based on attributed re-encryption
CN114173294A (en) Non-peer-to-peer short message transmission method, system, equipment and computer storage medium
CN112788046A (en) Method and system for encrypting transmission information
CN117439750A (en) Encryption method, device, equipment and medium for user subscription data
JP5945525B2 (en) KEY EXCHANGE SYSTEM, KEY EXCHANGE DEVICE, ITS METHOD, AND PROGRAM

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination