CN117768093A - Data encryption system for mobile phone terminal - Google Patents

Data encryption system for mobile phone terminal


Publication number
CN117768093A
Authority
CN
China
Legal status
Pending
Application number
CN202410062205.6A
Other languages
Chinese (zh)
Inventor
徐涛
许之彪
曹子豪
Current Assignee
Hefei Pinpin Information Technology Co ltd
Original Assignee
Hefei Pinpin Information Technology Co ltd
Application filed by Hefei Pinpin Information Technology Co ltd
Priority to CN202410062205.6A
Publication of CN117768093A


Abstract

The invention discloses a data encryption system for a mobile phone terminal and relates to the technical field of data encryption. It addresses the problem that existing data encryption systems for mobile phone terminals have difficulty desensitizing data and recovering the desensitized data. The system comprises a data encryption module that: identifies sensitive information in the first-class encrypted data and the second-class encrypted data, extracts the sensitive information from the original data, and replaces the sensitive information in the original data with placeholders to form desensitized data; encrypts the sensitive information extracted from the first-class encrypted data and the second-class encrypted data with different encryption algorithms, and generates a key for the sensitive information; and uses the encrypted sensitive information as a token of the desensitized data, binding the desensitized data to the generated key of the sensitive information. Because the sensitive information is encrypted and bound to the desensitized data, the sensitive information remains protected even if the desensitized data is leaked, which strengthens the protection of the sensitive information.

Description

Data encryption system for mobile phone terminal
Technical Field
The invention relates to the technical field of data encryption, in particular to a data encryption system for a mobile phone terminal.
Background
As mobile phone terminals play an increasingly important role in our lives and work, the personal information, business secrets and sensitive data stored on mobile phones are receiving increasing attention. To prevent such data from being accessed by unauthorized users or compromised by attackers, data encryption systems for mobile phone terminals have been developed. Such a system protects users' private data through encryption technology and prevents data leakage and unauthorized access. With the spread of applications such as mobile payment and mobile office, the data security of mobile phone terminals has become particularly important, and the data encryption system has become an important component of mobile phone terminal security. A data encryption system is a security technique for protecting sensitive information stored on a mobile phone terminal. By encrypting the data, it prevents unauthorized users from accessing, decrypting, or tampering with it.
Existing data encryption systems for mobile phone terminals mainly encrypt data directly and provide a key when the data is accessed with valid authentication; they have difficulty desensitizing data and recovering it after desensitization. For example, patent CN104657674B discloses a system and a method for isolating and protecting private data in a mobile phone, belonging to the fields of mobile communication and information security. The system comprises: a private storage area, used for storing the private data to be isolated, the data in the private storage area being stored encrypted; a general storage area, used for storing data that is not under isolation protection; a setting module, used for setting the identity authentication mode and selecting the private data to be stored in the private storage area; an analysis and judgment module, used for monitoring system events in real time: when there is a data write request, the analysis and judgment module judges whether the data is private data to be isolated and protected and hands the result to the processing module, and when there is a private data access request, it authenticates the user according to the configured identity authentication mode; and a processing module: if the result from the analysis and judgment module is a data write request for private data to be isolated and protected, the processing module encrypts the data and then sends the write request to the storage module.
Disclosure of Invention
The invention aims to provide a data encryption system for a mobile phone terminal, which solves the following technical problems:
existing data encryption systems for mobile phone terminals mainly encrypt data directly and provide a key when the data is accessed with valid authentication; they have difficulty desensitizing data and recovering it after desensitization.
The aim of the invention can be achieved by the following technical scheme:
a data encryption system for a mobile terminal, comprising:
a data classification module: used for classifying the data in the mobile phone into first-class encrypted data, second-class encrypted data and common encrypted data according to the sensitivity and security requirements of the data;
a storage management module: used for managing storage areas of different levels, comprising a first storage area, a second storage area and a common storage area, and storing data in the area of the corresponding security level;
a cache management module: used for managing cache areas of different levels, comprising a first-class cache area, a second-class cache area and a common cache area, and applying appropriate encryption or desensitization to the data in the cache;
a data encryption module: identifies sensitive information in the first-class encrypted data and the second-class encrypted data, extracts the sensitive information from the original data, and replaces the sensitive information in the original data with placeholders to form desensitized data; encrypts the sensitive information extracted from the first-class encrypted data and the second-class encrypted data with different encryption algorithms, and generates a key for the sensitive information; uses the encrypted sensitive information as a token of the desensitized data, and binds the desensitized data to the generated key of the sensitive information.
As a further scheme of the invention, the system further comprises:
an encryption algorithm module: used for providing data encryption algorithms to the data encryption module for encrypting the data;
a desensitization processing module: identifies sensitive information in the first-class encrypted data and the second-class encrypted data, and extracts the sensitive information from the original data;
an access control module: used for controlling access to the encrypted storage areas and cache areas, allowing legitimately authenticated and authorized users or application programs to access the data in the corresponding storage management module and cache management module.
As a further scheme of the invention: the first-class encrypted data comprises: user authentication information, financial information, and medical health information;
the user authentication information is a user name, a password and an identity card number, the financial information is a bank card number and a payment password, and the medical health information is a medical record and a diagnosis report;
the second-class encrypted data comprises: user personal information, transaction record information and geographic location information,
wherein the user personal information is a name, a telephone number and a home address;
the common encrypted data comprises: application setting information, static resource files and public data.
As a further scheme of the invention: the storage management module manages storage areas of different levels, including a first storage area, a second storage area and a common storage area, and stores data in the area of the corresponding security level, comprising the following steps:
the storage management module determines the types of data stored in the first storage area, the second storage area and the common storage area;
first storage area: used for storing the desensitized data of first-class encrypted data in long-term storage and the key of the sensitive information;
second storage area: used for storing the desensitized data of second-class encrypted data in long-term storage and the key of the sensitive information;
common storage area: used for storing encrypted common encrypted data in long-term storage.
As a further scheme of the invention: the cache management module manages cache areas of different levels, including a first-class cache area, a second-class cache area and a common cache area, and applies appropriate encryption or desensitization to the data in the cache, comprising the following steps:
first-class cache area: stores, in read-only mode and for the long term, the tokens corresponding to the desensitized data of the first-class encrypted data held in the first storage area; temporarily stores, in read-only mode, the desensitized data of first-class encrypted data together with the generated key of the sensitive information and the corresponding token; and periodically deletes the temporarily stored data;
second-class cache area: stores, in read-only mode and for the long term, the tokens corresponding to the desensitized data of the second-class encrypted data held in the second storage area; temporarily stores, in read-only mode, the desensitized data of second-class encrypted data together with the generated key of the sensitive information and the corresponding token; and periodically deletes the temporarily stored data;
common cache area: used for storing encrypted common encrypted data in temporary storage.
As a further scheme of the invention: the data encryption module identifies sensitive information in the first-class encrypted data and the second-class encrypted data, extracts the sensitive information from the original data, and replaces the sensitive information in the original data with placeholders to form desensitized data, comprising the following steps:
setting the sensitive characteristics and sensitive keywords of the sensitive information in the first-class encrypted data and the second-class encrypted data;
scanning the encrypted data with a data security tool according to the sensitive characteristics and sensitive keywords, identifying the sensitive information in the data, and extracting the sensitive information from the original data;
replacing the sensitive information in the original data with placeholders to form desensitized data.
As a further scheme of the invention: the data encryption module encrypts the sensitive information extracted from the first-class encrypted data and the second-class encrypted data with different encryption algorithms and generates a key for the sensitive information, comprising the following steps:
encrypting the sensitive information extracted from the first-class encrypted data with the SHA-256 hash algorithm, and generating a key corresponding to the sensitive information;
encrypting the sensitive information extracted from the second-class encrypted data with the AES-128 symmetric encryption algorithm, and generating a key corresponding to the sensitive information.
As a further scheme of the invention: the data encryption module uses the encrypted sensitive information as a token of the desensitized data and binds the desensitized data to the generated key of the sensitive information, comprising the following steps:
using the encrypted sensitive information as a token of the desensitized data, and generating a unique identifier for the token by combining a timestamp with a random number;
binding the desensitized data to the generated key of the sensitive information and giving them the same unique identifier.
As a further scheme of the invention: the access control module controls access to the encrypted storage areas and cache areas, and allows legitimately authenticated and authorized users or application programs to access the data in the corresponding storage management module and cache management module, comprising the following steps:
controlling access to the encrypted storage areas and cache areas, and allowing legitimately authenticated and authorized users or application programs to access the first-class encrypted data, second-class encrypted data and common encrypted data in the corresponding storage management module and cache management module;
common encrypted data is decrypted directly and then accessed;
for first-class encrypted data in long-term storage, obtaining the desensitized data of the first-class encrypted data and the key of the sensitive information from the first storage area, reading the token corresponding to the desensitized data from the first-class cache area through the unique identifier, decrypting the token with the key of the sensitive information, and replacing the placeholders in the desensitized data of the first-class encrypted data with the decrypted data, so that the original data can be accessed;
for first-class encrypted data in temporary storage, matching, in the first-class cache area, the desensitized data of the first-class encrypted data with the key of the sensitive information and the token corresponding to the desensitized data through the unique identifier, decrypting the token with the key of the sensitive information, and replacing the placeholders in the desensitized data of the first-class encrypted data with the decrypted data, so that the original data can be accessed;
for second-class encrypted data in long-term storage, obtaining the desensitized data of the second-class encrypted data and the key of the sensitive information from the second storage area, reading the token corresponding to the desensitized data from the second-class cache area through the unique identifier, decrypting the token with the key of the sensitive information, and replacing the placeholders in the desensitized data of the second-class encrypted data with the decrypted data, so that the original data can be accessed;
for second-class encrypted data in temporary storage, matching, in the second-class cache area, the desensitized data of the second-class encrypted data with the key of the sensitive information and the token corresponding to the desensitized data through the unique identifier, decrypting the token with the key of the sensitive information, and replacing the placeholders in the desensitized data of the second-class encrypted data with the decrypted data, so that the original data can be accessed.
The invention has the beneficial effects that:
The invention classifies the data in the mobile phone through the data classification module, dividing it into first-class encrypted data, second-class encrypted data and common encrypted data according to the sensitivity and security requirements of the data, and provides a storage management module and a cache management module to store the different data. Because data of different levels is classified, encrypted and stored separately, different encryption strengths and control levels can be applied according to sensitivity, which improves the security of the data. For first-class encrypted data, a higher-level encryption algorithm and authority control can be adopted, so that the user's private data is better protected.
The invention desensitizes the sensitive information in the first-class encrypted data and the second-class encrypted data through the data encryption module to form desensitized data; encrypts the sensitive information extracted from the first-class encrypted data and the second-class encrypted data with different encryption algorithms, and generates a key for the sensitive information; and uses the encrypted sensitive information as a token of the desensitized data, binding the desensitized data to the generated key of the sensitive information. Because the sensitive information is encrypted and bound to the desensitized data, even if the desensitized data is leaked, the sensitive information is still protected because the key information is missing. Using the token to represent the encrypted sensitive information protects the original sensitive data while preserving the data format and structure, which improves the usability of the data.
Drawings
The invention is further described below with reference to the accompanying drawings.
FIG. 1 is a schematic diagram of the system of the present invention;
FIG. 2 is a schematic diagram of the structure of the storage management module and the cache management module of the present invention.
Detailed Description
The following description of the embodiments of the present invention will be made clearly and completely with reference to the accompanying drawings, in which it is apparent that the embodiments described are only some embodiments of the present invention, but not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
Referring to fig. 1-2, the present invention is a data encryption system for a mobile phone terminal, comprising:
a data classification module: used for classifying the data in the mobile phone into first-class encrypted data, second-class encrypted data and common encrypted data according to the sensitivity and security requirements of the data;
a storage management module: used for managing storage areas of different levels, comprising a first storage area, a second storage area and a common storage area, and storing data in the area of the corresponding security level;
a cache management module: used for managing cache areas of different levels, comprising a first-class cache area, a second-class cache area and a common cache area, and applying appropriate encryption or desensitization to the data in the cache;
a data encryption module: identifies sensitive information in the first-class encrypted data and the second-class encrypted data, extracts the sensitive information from the original data, and replaces the sensitive information in the original data with placeholders to form desensitized data; encrypts the sensitive information extracted from the first-class encrypted data and the second-class encrypted data with different encryption algorithms, and generates a key for the sensitive information; uses the encrypted sensitive information as a token of the desensitized data, and binds the desensitized data to the generated key of the sensitive information.
Specifically, in this embodiment, the data in the mobile phone is classified by the data classification module into first-class encrypted data, second-class encrypted data and common encrypted data according to the sensitivity and security requirements of the data, and a storage management module and a cache management module are provided to store the different data. Because data of different levels is classified, encrypted and stored separately, different encryption strengths and control levels can be applied according to sensitivity, which improves the security of the data. For first-class encrypted data, a higher-level encryption algorithm and authority control can be adopted, so that the user's private data is better protected. Managing data of different levels through the storage management module and the cache management module makes better use of storage space and cache resources and improves system efficiency and performance.
The data encryption module desensitizes the sensitive information in the first-class encrypted data and the second-class encrypted data to form desensitized data; encrypts the sensitive information extracted from the first-class encrypted data and the second-class encrypted data with different encryption algorithms, and generates a key for the sensitive information; and uses the encrypted sensitive information as a token of the desensitized data, binding the desensitized data to the generated key of the sensitive information. Because the sensitive information is encrypted and bound to the desensitized data, even if the desensitized data is leaked, the sensitive information is still protected because the key information is missing. Using the token to represent the encrypted sensitive information protects the original sensitive data while preserving the data format and structure, which improves the usability of the data. Through desensitization and encryption, sensitive information can be protected from access or disclosure by unauthorized persons.
In one embodiment of the present invention, the system further comprises:
an encryption algorithm module: used for providing data encryption algorithms to the data encryption module for encrypting the data, including: symmetric encryption algorithms such as AES, asymmetric encryption algorithms such as RSA, and hash algorithms such as SHA-256;
a desensitization processing module: identifies sensitive information in the first-class encrypted data and the second-class encrypted data, and extracts the sensitive information from the original data, using methods including: data replacement, data masking, data generalization, and data randomization;
an access control module: used for controlling access to the encrypted storage areas and cache areas, allowing legitimately authenticated and authorized users or application programs to access the data in the corresponding storage management module and cache management module.
In one embodiment of the present invention, the first-class encrypted data comprises: user authentication information, financial information, and medical health information;
the user authentication information is a user name, a password and an identity card number, the financial information is a bank card number and a payment password, and the medical health information is a medical record and a diagnosis report;
the second-class encrypted data comprises: user personal information, transaction record information and geographic location information,
wherein the user personal information is a name, a telephone number and a home address;
the common encrypted data comprises: application setting information, static resource files, and public data.
In one embodiment of the present invention, the storage management module manages storage areas of different levels, including a first storage area, a second storage area and a common storage area, and stores data in the area of the corresponding security level, comprising the following steps:
the storage management module determines the types of data stored in the first storage area, the second storage area and the common storage area;
first storage area: used for storing the desensitized data of first-class encrypted data in long-term storage and the key of the sensitive information;
second storage area: used for storing the desensitized data of second-class encrypted data in long-term storage and the key of the sensitive information;
common storage area: used for storing encrypted common encrypted data in long-term storage.
In one embodiment of the present invention, the cache management module manages cache areas of different levels, including a first-class cache area, a second-class cache area and a common cache area, and applies appropriate encryption or desensitization to the data in the cache, comprising the following steps:
first-class cache area: stores, in read-only mode and for the long term, the tokens corresponding to the desensitized data of the first-class encrypted data held in the first storage area; temporarily stores, in read-only mode, the desensitized data of first-class encrypted data together with the generated key of the sensitive information and the corresponding token; and periodically deletes the temporarily stored data;
second-class cache area: stores, in read-only mode and for the long term, the tokens corresponding to the desensitized data of the second-class encrypted data held in the second storage area; temporarily stores, in read-only mode, the desensitized data of second-class encrypted data together with the generated key of the sensitive information and the corresponding token; and periodically deletes the temporarily stored data;
common cache area: used for storing encrypted common encrypted data in temporary storage.
Specifically, the cache area stores, in read-only mode and for the long term, the tokens corresponding to the desensitized data of the encrypted data held in the storage area, while the storage area holds the desensitized data of the encrypted data in long-term storage together with the key of the sensitive information. Because the sensitive information is encrypted and bound to the desensitized data, even if the desensitized data is leaked, the sensitive information is still protected because the key information is missing. Using the token to represent the encrypted sensitive information protects the original sensitive data while preserving the data format and structure, which improves the usability of the data.
In one embodiment of the present invention, the data encryption module identifies sensitive information in the first-class encrypted data and the second-class encrypted data, extracts the sensitive information from the original data, and replaces the sensitive information in the original data with placeholders to form desensitized data, comprising the following steps:
setting the sensitive characteristics and sensitive keywords of the sensitive information in the first-class encrypted data and the second-class encrypted data;
scanning the encrypted data with a data security tool according to the sensitive characteristics and sensitive keywords, identifying the sensitive information in the data, and extracting the sensitive information from the original data;
replacing the sensitive information in the original data with placeholders to form desensitized data.
Specifically, in this embodiment, the sensitive characteristics of sensitive information in the encrypted data are: numbers and names in user authentication information, numbers and names in financial information, and numbers and names in medical health information;
the sensitive keywords are: user name, password, identification card number, bank card number, payment password, medical history, and diagnostic report.
In one embodiment of the present invention, the data encryption module encrypts the sensitive information extracted from the first-class encrypted data and the second-class encrypted data with different encryption algorithms and generates a key for the sensitive information, comprising the following steps:
encrypting the sensitive information extracted from the first-class encrypted data with the SHA-256 hash algorithm, and generating a key corresponding to the sensitive information;
encrypting the sensitive information extracted from the second-class encrypted data with the AES-128 symmetric encryption algorithm, and generating a key corresponding to the sensitive information.
In one embodiment of the present invention, the data encryption module uses the encrypted sensitive information as a token of the desensitized data and binds the desensitized data to the generated key of the sensitive information, comprising the following steps:
using the encrypted sensitive information as a token of the desensitized data, and generating a unique identifier for the token by combining a timestamp with a random number;
binding the desensitized data to the generated key of the sensitive information and giving them the same unique identifier.
Specifically, in this embodiment, the encrypted sensitive information is used as a token of the desensitized data, and the unique identifier of the token is generated by combining a timestamp with a random number. The system may first read the corresponding token from one data storage area based on the identifier, then use the same identifier to read the corresponding information from another data storage area, and finally perform the matching. By using the same unique identifier, the system can accurately match tokens with their corresponding information even though the information is stored in different locations.
In one embodiment of the present invention, the access control module controls access to the encrypted storage areas and the cache areas, and allows a legitimately authenticated and authorized user or application program to access the data in the corresponding storage management module and cache management module, including the following steps:
controlling access to the encrypted storage areas and the cache areas, and allowing a legitimately authenticated and authorized user or application program to access the first-class encrypted data, second-class encrypted data and common encrypted data in the corresponding storage management module and cache management module;
for common encrypted data, decrypting it directly and then accessing it;
for first-class encrypted data that is stored long-term, obtaining the desensitized data of the first-class encrypted data and the key of the sensitive information from the first-class storage area, reading the token corresponding to the desensitized data from the first-class cache area through the unique identifier, decrypting the token with the key of the sensitive information, and replacing the placeholders in the desensitized data of the first-class encrypted data with the decrypted data, so that the original data can be accessed;
for first-class encrypted data that is temporarily stored, matching, in the first-class cache area, the desensitized data of the first-class encrypted data with the key of the sensitive information and the token corresponding to the desensitized data through the unique identifier, decrypting the token with the key of the sensitive information, and replacing the placeholders in the desensitized data of the first-class encrypted data with the decrypted data, so that the original data can be accessed;
for second-class encrypted data that is stored long-term, obtaining the desensitized data of the second-class encrypted data and the key of the sensitive information from the second-class storage area, reading the token corresponding to the desensitized data from the second-class cache area through the unique identifier, decrypting the token with the key of the sensitive information, and replacing the placeholders in the desensitized data of the second-class encrypted data with the decrypted data, so that the original data can be accessed;
and for second-class encrypted data that is temporarily stored, matching, in the second-class cache area, the desensitized data of the second-class encrypted data with the key of the sensitive information and the token corresponding to the desensitized data through the unique identifier, decrypting the token with the key of the sensitive information, and replacing the placeholders in the desensitized data of the second-class encrypted data with the decrypted data, so that the original data can be accessed.
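The long-term access path described in the steps above (desensitized data and key in the storage area, token in the cache area, matched by the shared identifier), as an added Python example that is not part of the patent text. Assumptions not found in the specification: the regex features, the `<S0>` placeholder format, dictionaries standing in for the two areas, and an HMAC-SHA256 keystream cipher from the standard library standing in for the AES-128 algorithm the specification names; the sketch also binds the identifier into the token's integrity tag.

```python
import hashlib, hmac, json, re, secrets, time

# Constructed sensitive features (assumption): 16-digit card or 11-digit phone number.
FEATURES = re.compile(r"\b(?:\d{16}|1\d{10})\b")

def _stream(key, nonce, n):
    # HMAC-SHA256 in counter mode as keystream: stdlib stand-in, NOT the AES-128 the page names.
    blocks = (hmac.new(key, b"enc" + nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def _tag(key, ident, nonce, ct):
    # Integrity tag that also covers the identifier (an addition of this sketch).
    return hmac.new(key, b"mac" + ident.encode() + nonce + ct, hashlib.sha256).digest()

def seal(key, ident, data):
    """Encrypt the extracted sensitive values into a token."""
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(data, _stream(key, nonce, len(data))))
    return nonce + ct + _tag(key, ident, nonce, ct)

def unseal(key, ident, token):
    """Verify the tag, then decrypt; a token filed under another identifier is rejected."""
    nonce, ct, tag = token[:16], token[16:-32], token[-32:]
    if not hmac.compare_digest(tag, _tag(key, ident, nonce, ct)):
        raise ValueError("token does not belong to this identifier/key")
    return bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct))))

def protect(original, storage_area, cache_area):
    """Desensitize `original` and file the parts in two areas under one identifier."""
    ident = f"{time.time_ns()}-{secrets.randbelow(10**9):09d}"  # timestamp + random number
    found = []
    def mask(match):
        found.append(match.group())
        return f"<S{len(found) - 1}>"                # placeholder format is an assumption
    desensitized = FEATURES.sub(mask, original)
    key = secrets.token_bytes(16)                    # 128-bit key of the sensitive information
    storage_area[ident] = (desensitized, key)        # storage area: desensitized data + key
    cache_area[ident] = seal(key, ident, json.dumps(found).encode())  # cache area: token
    return ident

def restore(ident, storage_area, cache_area):
    """Match the parts by identifier, decrypt the token, refill the placeholders."""
    desensitized, key = storage_area[ident]
    values = json.loads(unseal(key, ident, cache_area[ident]))
    return re.sub(r"<S(\d+)>", lambda m: values[int(m.group(1))], desensitized)
```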
It should be understood that the terms "comprises" and/or "comprising," when used in this specification and the appended claims, specify the presence of stated features, integers, steps, operations, elements, and/or components, but do not preclude the presence or addition of one or more other features, integers, steps, operations, elements, components, and/or groups thereof.
It should also be understood that the term "and/or" as used in this specification and the appended claims refers to any and all possible combinations of one or more of the associated listed items, and includes such combinations.
Reference in the specification to "one embodiment" or "some embodiments" or the like means that a particular feature, structure, or characteristic described in connection with the embodiment is included in one or more embodiments of the application. The terms "comprising," "including," "having," and variations thereof mean "including but not limited to," unless expressly specified otherwise.
The foregoing describes one embodiment of the present invention in detail, but the description is only a preferred embodiment of the present invention and should not be construed as limiting the scope of the invention. All equivalent changes and modifications within the scope of the present invention are intended to be covered by the present invention.

Claims (9)

1. A data encryption system for a mobile phone terminal, comprising:
a data classification module, used for classifying the data in the mobile phone and dividing it into first-class encrypted data, second-class encrypted data and common encrypted data according to the sensitivity and the security requirements of the data;
a storage management module, used for managing storage areas of different levels, including a first-class storage area, a second-class storage area and a common storage area, and storing data in the area of the corresponding security level;
a cache management module, used for managing cache areas of different levels, including a first-class cache area, a second-class cache area and a common cache area, and applying appropriate encryption or desensitization to the data in the cache;
and a data encryption module, used for identifying sensitive information in the first-class encrypted data and the second-class encrypted data, extracting the sensitive information from the original data, and replacing the sensitive information in the original data with placeholders to form desensitized data; encrypting the sensitive information extracted from the first-class encrypted data and the second-class encrypted data with different encryption algorithms, and generating a key of the sensitive information; and using the encrypted sensitive information as a token of the desensitized data, and binding the desensitized data with the generated key of the sensitive information.
2. The data encryption system for a mobile phone terminal according to claim 1, further comprising:
an encryption algorithm module, used for providing the data encryption module with data encryption algorithms for encrypting the data;
a desensitization processing module, used for identifying sensitive information in the first-class encrypted data and the second-class encrypted data, and extracting the sensitive information from the original data;
and an access control module, used for controlling access to the encrypted storage areas and the cache areas, and allowing a legitimately authenticated and authorized user or application program to access the data in the corresponding storage management module and cache management module.
3. The data encryption system for a mobile phone terminal according to claim 1, wherein the first-class encrypted data comprises: user authentication information, financial information, and medical health information;
the user authentication information is a user name, a password and an identity card number, the financial information is a bank card number and a payment password, and the medical health information is a medical record and a diagnosis report;
the second-class encrypted data comprises: user personal information, transaction record information and geographic location information,
wherein the user personal information is a name, a telephone number and a home address;
the common encrypted data comprises: application setting information, static resource files, and public data.
4. The data encryption system according to claim 1, wherein the storage management module manages storage areas of different levels, including a first-class storage area, a second-class storage area and a common storage area, and stores data in the area of the corresponding security level, comprising the steps of:
the storage management module determines the types of data stored in the first-class storage area, the second-class storage area and the common storage area;
the first-class storage area: used for storing the desensitized data of the first-class encrypted data that is stored long-term and the key of the sensitive information;
the second-class storage area: used for storing the desensitized data of the second-class encrypted data that is stored long-term and the key of the sensitive information;
the common storage area: used for storing the encrypted common encrypted data that is stored long-term.
5. The data encryption system for a mobile phone terminal according to claim 4, wherein the cache management module manages cache areas of different levels, including a first-class cache area, a second-class cache area and a common cache area, and applies appropriate encryption or desensitization to the data in the cache, comprising the following steps:
the first-class cache area: used for storing long-term, in read-only mode, the token corresponding to the desensitized data of the first-class encrypted data held in the first-class storage area; temporarily storing, in read-only mode, the desensitized data of the first-class encrypted data, the generated key of the sensitive information and the corresponding token; and periodically deleting the temporarily stored data;
the second-class cache area: used for storing long-term, in read-only mode, the token corresponding to the desensitized data of the second-class encrypted data held in the second-class storage area; temporarily storing, in read-only mode, the desensitized data of the second-class encrypted data, the generated key of the sensitive information and the corresponding token; and periodically deleting the temporarily stored data;
the common cache area: used for storing the encrypted common encrypted data that is temporarily stored.
6. The data encryption system for a mobile phone terminal according to claim 1, wherein the data encryption module identifies sensitive information in the first-class encrypted data and the second-class encrypted data, extracts the sensitive information from the original data, and replaces the sensitive information in the original data with placeholders to form desensitized data, comprising the following steps:
setting sensitive features and sensitive keywords for the sensitive information in the first-class encrypted data and the second-class encrypted data;
scanning the encrypted data with a data security tool according to the sensitive features and the sensitive keywords, identifying the sensitive information in the data, and extracting the sensitive information from the original data;
and replacing the sensitive information in the original data with placeholders to form desensitized data.
7. The data encryption system for a mobile phone terminal according to claim 1, wherein the data encryption module encrypts the sensitive information extracted from the first-class encrypted data and the second-class encrypted data with different encryption algorithms and generates a key of the sensitive information, comprising the steps of:
encrypting the sensitive information extracted from the first-class encrypted data with the SHA-256 hash algorithm, and generating a key corresponding to the sensitive information;
and encrypting the sensitive information extracted from the second-class encrypted data with the AES-128 symmetric encryption algorithm, and generating a key corresponding to the sensitive information.
8. The data encryption system for a mobile phone terminal according to claim 2, wherein the data encryption module uses the encrypted sensitive information as a token of the desensitized data, and binds the desensitized data with the generated key of the sensitive information, comprising the following steps:
using the encrypted sensitive information as a token of the desensitized data, and generating a unique identifier of the token by combining a timestamp with a random number;
binding the desensitized data with the generated key of the sensitive information and assigning them the same unique identifier.
9. The data encryption system for a mobile phone terminal according to claim 8, wherein the access control module controls access to the encrypted storage areas and the cache areas, and allows a legitimately authenticated and authorized user or application program to access the data in the corresponding storage management module and cache management module, comprising the steps of:
controlling access to the encrypted storage areas and the cache areas, and allowing a legitimately authenticated and authorized user or application program to access the first-class encrypted data, second-class encrypted data and common encrypted data in the corresponding storage management module and cache management module;
for common encrypted data, decrypting it directly and then accessing it;
for first-class encrypted data that is stored long-term, obtaining the desensitized data of the first-class encrypted data and the key of the sensitive information from the first-class storage area, reading the token corresponding to the desensitized data from the first-class cache area through the unique identifier, decrypting the token with the key of the sensitive information, and replacing the placeholders in the desensitized data of the first-class encrypted data with the decrypted data, so that the original data can be accessed;
for first-class encrypted data that is temporarily stored, matching, in the first-class cache area, the desensitized data of the first-class encrypted data with the key of the sensitive information and the token corresponding to the desensitized data through the unique identifier, decrypting the token with the key of the sensitive information, and replacing the placeholders in the desensitized data of the first-class encrypted data with the decrypted data, so that the original data can be accessed;
for second-class encrypted data that is stored long-term, obtaining the desensitized data of the second-class encrypted data and the key of the sensitive information from the second-class storage area, reading the token corresponding to the desensitized data from the second-class cache area through the unique identifier, decrypting the token with the key of the sensitive information, and replacing the placeholders in the desensitized data of the second-class encrypted data with the decrypted data, so that the original data can be accessed;
and for second-class encrypted data that is temporarily stored, matching, in the second-class cache area, the desensitized data of the second-class encrypted data with the key of the sensitive information and the token corresponding to the desensitized data through the unique identifier, decrypting the token with the key of the sensitive information, and replacing the placeholders in the desensitized data of the second-class encrypted data with the decrypted data, so that the original data can be accessed.
CN202410062205.6A 2024-01-16 2024-01-16 Data encryption system for mobile phone terminal Pending CN117768093A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202410062205.6A CN117768093A (en) 2024-01-16 2024-01-16 Data encryption system for mobile phone terminal

Publications (1)

Publication Number Publication Date
CN117768093A true CN117768093A (en) 2024-03-26

Family

ID=90310567

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202410062205.6A Pending CN117768093A (en) 2024-01-16 2024-01-16 Data encryption system for mobile phone terminal

Country Status (1)

Country Link
CN (1) CN117768093A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination