JP6893626B1 - Big data and network data protection methods and systems by edge computing - Google Patents

Abstract

PROBLEM TO BE SOLVED: To provide a data protection method and a system by edge computing for a huge problem of data calculation amount of a big data network. SOLUTION: If the calculation performance level of the client can satisfy the encryption strength requirement, the client low-speed hashes the plaintext password to obtain the first temporary password and sends it to the application server. If the client's computational performance level does not meet the encryption strength requirements, the client sends the plain password to the application server, and the application server sends the plain password to multiple other selected clients, with slow hashing. 2 The temporary password is calculated, returned to the application server, and the first temporary password is determined based on the obtained plurality of second temporary passwords. The server acquires the encrypted password by high-speed hashing the acquired first temporary password and stores it. [Selection diagram] Fig. 1

Description

The present invention relates to network security technology, and specifically to a method and system for protecting big data and network data by edge computing.

The application of network technology is expanding. Along with this, the development of global informatization is rapid, and the informatization of contents is progressing in various fields. Moreover, big data efforts are changing the way people think. It can be said that the era of big data has arrived. It has significantly changed our lives and gave us a new perspective on the world. In particular, the application of network technology and effective data integration means in the data era will not only accelerate information processing, but will also enable better and faster information statistics and acquisition. However, despite the widespread use of computer technology, data security is becoming an increasingly important issue.

Data security such as sensitive data (financial statements, etc.) and various accounts (email account and password, net bank account number and password, net stock transaction account number and password, etc.) is very important for users. Is. Computer processing performance has improved significantly, but "drag-out" and "drag-out" for data
"Wash", "bump", "divorce"
) ”And other incidents have occurred without a break. Here, "dragout" and "divose" have the same meaning, and both mean the act of an attacker invading a site of a valuable network and stealing the entire database of registered user's materials. "Wash" means the act of an attacker acquiring a large amount of user data by dragging out and then purchasing valuable user data through a series of technical means and the black industry chain to cash it. Finally, the act of an attacker attempting to log in to another site with the acquired data is called "bump".
In addition, an attacker collects user and password information that has already been leaked on the net, generates a corresponding dictionary table, attempts batch login to other sites, and steals a series of log-inable users. The act of doing is also called "bump".

It's not hard to imagine, but if the system remembers the user's plaintext data as it is, once it is dragged out by an attacker and the entire database is downloaded, any account will be logged in and perform dangerous operations. This can lead to irreparable accidents. Password information in the database on most websites is encrypted and stored (MD5 encryption is often used). This is theoretically irreversible (non-decryptable), but still not secure. If all the common passwords can be listed, it will be possible to create an index table and derive the original password. Also, the speed of deciphering the plaintext is comfortable.

On the other hand, in the conventional technology, it is possible to counter attacks such as drag-out by adding salt to increase the difficulty of decryption of an attacker, and encryption is performed by combining low-speed hashing and high-speed hashing. It has submitted that the number of cases will be enormous and that the attacker's password decryption difficulty and time will be increased accordingly.

The above-mentioned network data protection method can greatly improve data security, but the amount of calculation processing is large and a large amount of calculation resources are consumed when encrypting data. The amount of data will explode. In this case, if all the calculations were to be completed on the server, the load on the server would be heavy and it would easily cause the system to collapse. In addition, as the processing capacity of personal terminals has improved, data encryption processing has finally been realized by edge computing. However, the data protection requirement and the calculation performance differ depending on the user and the terminal device. Protecting big data and network data by edge computing on terminal equipment against different protection requirements is an urgent issue to be solved in this field.

An object of the present invention is to provide a method and system for protecting big data network data based on edge calculation against defects in the prior art. The present invention performs slow encryption processing of different data based on the data protection requirements and computing power of different users and different terminal devices, realizes an effective balance between security protection and calculation performance, and ensures data security. high.

、

、

、

とすると、

であり、クライアントの計算性能値は

であり、ただし、

、

、

、

はそれぞれクロック周波数、語長、カーネル数およびメモリ容量の値であり、
予設定の計算性能レベルおよびその対応する計算性能値範囲によって、前記計算性能値に
基づいてクライアントをそれぞれ相応の計算性能レベルに分ける。 The present invention provides a method for protecting big data and network data by edge computing. The method is
S1, the step of determining the calculation performance level of the client based on the basic information of the client,
S2, the step of determining the current data encryption strength based on the type of connected application and the encryption strength plan,
S3, a step of randomly generating a salt, determining whether the client's computational performance level can satisfy the encryption strength requirement, and if possible, performing step S4, otherwise performing step S5. When,
S4, a step of slow hashing the plaintext password input from the user to obtain the first temporary password, sending the user name, salt and the first temporary password to the application server, and executing step S8. When,
S5, user name, plaintext password entered by the user, salt and encryption strength are sent to the application server, multiple clients to connect to are selected by the application server, and the plaintext password, salt and encryption strength entered by the user are selected. And the steps to ship to the selected client,
S6, the step of slow-hashing the plaintext password entered by the user by the selected client, acquiring the second temporary password, and sending the second temporary password to the application server.
S7, the step of confirming the first temporary password based on the plurality of second temporary passwords received by the application server, and
S8, the server includes a storage module in which the first temporary password is hashed at high speed to obtain an encrypted password, and the user name, salt, and the encrypted password are stored.
Further, in step S1, the step S1
Clock frequency, word length, number of kernels, and memory capacity weights are respectively

,

,

,

Then

And the calculation performance value of the client is

However,

,

,

,

Are clock frequency, word length, number of kernels, and memory capacity, respectively.
The clients are divided into appropriate calculation performance levels based on the calculation performance values according to the preset calculation performance level and the corresponding calculation performance value range.

とする。
クライアントのＭ番目結果応答に関して、応答結果が正確であれば、ユーザクライアント
の信頼値の調整値は、

であり、ただし、

はＭ番目応答結果が正確であるときにおけるユーザクライアントの信頼値の調整値、

はＭ回の応答における応答結果が正確である回数、

は応答結果が正確であるときにおける信頼値の単位調整値である。
したがって、ユーザのＭ番目結果応答が正確であった後の信頼値は、

であり、ただし、

はユーザのＭ番目結果応答後の信頼値、

はユーザのＭ−１番目の結果応答後の信頼値である。
ユーザクライアントのＭ番目結果応答に関して、応答結果が誤りであれば、ユーザクライ
アントの信頼値の調整値は、

と調整し、ただし、

はＭ番目応答の結果が誤りである場合におけるユーザクライアントの信頼値の調整値、

はＭ番目応答の応答結果が誤りである回数、

は応答結果が誤りであるときにおける信頼値の単位調整値であり、そして、

とする。
したがって、ユーザのＭ番目結果応答が誤りであった後の信頼値は

であり、ただし、

はユーザのＭ番目結果応答後の信頼値、

はユーザのＭ−１番目結果応答後の信頼値である。
ユーザの初回応答に関して、応答の結果が正確であれば、クライアント信頼値の調整値は

とすると、調整後のクライアント信頼値は

である。応答の結果が誤りであれば、クライアント信頼値の調整値は

とすると、調整後のクライアント信頼値は

となる。 Further, the encryption strength is the number of loop repeated encryptions, the encryption strength plan is to set an encryption strength range for each type of application by the user, and step S2 is
Determine the type of connected application, call the user encryption strength plan locally pre-stored in the client, determine the corresponding encryption strength range according to the application type, and one of the ciphers within the encryption strength range The encryption strength value is randomly selected and used as the encryption strength of the current data.
Further, in step S7,
The server stats the number of corresponding clients for each of the returned second temporary passwords and determines if there are multiple second temporary passwords with the same number of corresponding clients and the first place. When determining, the second temporary password with the largest number of clients is used as the first temporary password, and when determining that there is, the return of the client with the highest trust value among the corresponding clients of the second temporary password with the same number If the second temporary password is the first temporary password and the second temporary password returned by the client matches the first temporary password, the response result of the client is accurate, otherwise the response result of the client is incorrect. is there.
Further, the trust value is adjusted by the server depending on whether the response result of the client is accurate. The initial trust value when registering on the client's server is

And.
For the client's M-th result response, if the response result is accurate, the user client trust value adjustment value is

However,

Is the adjustment value of the trust value of the user client when the Mth response result is accurate,

Is the number of times the response result is accurate in M responses,

Is the unit adjustment value of the confidence value when the response result is accurate.
Therefore, the confidence value after the user's M-th result response is accurate is

However,

Is the trust value after the user's Mth result response,

Is the confidence value after the user's M-1st result response.
Regarding the M-th result response of the user client, if the response result is incorrect, the adjustment value of the trust value of the user client is

Adjust with, however

Is the adjustment value of the trust value of the user client when the result of the Mth response is incorrect,

Is the number of times the response result of the Mth response is incorrect,

Is the unit adjustment value of the confidence value when the response result is incorrect, and

And.
Therefore, the confidence value after the user's M-th result response is incorrect

However,

Is the trust value after the user's Mth result response,

Is the confidence value after the user's M-1st result response.
For the user's initial response, if the response result is accurate, then the client trust value adjustment is

Then, the adjusted client trust value is

Is. If the response result is incorrect, the client trust value adjustment value is

Then, the adjusted client trust value is

Will be.

、

、

、

とすると、

であり、クライアントの計算性能値は

であり、ただし、

、

、

、

はそれぞれクロック周波数、語長、カーネル数およびメモリ容量の値であり、
予設定の計算性能レベルおよびその対応する計算性能値範囲によって、前記計算性能値に
基づいてクライアントをそれぞれ相応の計算性能レベルに分ける。 The present invention provides a protection system for big data and network data by edge computing. The system
The first confirmation module that determines the calculation performance level of the client based on the basic information of the client,
A second confirmation module that determines the current data encryption strength based on the type of connected application and the encryption strength plan,
A decision module that randomly generates salts, determines if the client's computational performance level can meet the encryption strength requirements, calls the local encryption module if possible, and calls the selection module otherwise. ,
A local encryption module that slow-hashes the plaintext password entered by the user to obtain the first temporary password, sends the user name, salt and first temporary password to the application server, and calls the storage module. When,
The user name, plaintext password entered by the user, salt and encryption strength are sent to the application server, multiple clients to connect to are selected by the application server, and the plaintext password, salt and encryption strength entered by the user are selected. The selection module to be shipped to the client
A cooperative encryption module that slow-hashes the plaintext password entered by the user by the selected client to acquire the second temporary password and sends the second temporary password to the application server.
A third confirmation module that confirms the first temporary password based on a plurality of second temporary passwords received by the application server, and
The server includes a storage module that fast-hashes the first temporary password to obtain an encrypted password, and stores a user name, salt, and the encrypted password.
Further, the first confirmation module is
Clock frequency, word length, number of kernels, and memory capacity weights are respectively

,

,

,

Then

And the calculation performance value of the client is

However,

,

,

,

Are clock frequency, word length, number of kernels, and memory capacity, respectively.
The clients are divided into appropriate calculation performance levels based on the calculation performance values according to the preset calculation performance level and the corresponding calculation performance value range.

とする。
クライアントのＭ番目結果応答に関して、応答結果が正確であれば、ユーザクライアント
の信頼値の調整値は、

であり、ただし、

はＭ番目応答結果が正確であるときにおけるユーザクライアントの信頼値の調整値、

はＭ回の応答における応答結果が正確である回数、

は応答結果が正確であるときにおける信頼値の単位調整値である。
したがって、ユーザのＭ番目結果応答が正確であった後の信頼値は、

であり、ただし、

はユーザのＭ番目結果応答後の信頼値、

はユーザのＭ−１番目の結果応答後の信頼値である。
ユーザクライアントのＭ番目結果応答に関して、応答結果が誤りであれば、ユーザクライ
アントの信頼値の調整値は、

と調整し、ただし、

はＭ番目応答の結果が誤りである場合におけるユーザクライアントの信頼値の調整値、

はＭ番目応答の応答結果が誤りである回数、

は応答結果が誤りであるときにおける信頼値の単位調整値であり、そして、

とする。
したがって、ユーザのＭ番目結果応答が誤りであった後の信頼値は

であり、ただし、

はユーザのＭ番目結果応答後の信頼値、

はユーザのＭ−１番目結果応答後の信頼値である。
ユーザの初回応答に関して、応答の結果が正確であれば、クライアント信頼値の調整値は

とすると、調整後のクライアント信頼値は

である。応答の結果が誤りであれば、クライアント信頼値の調整値は

とすると、調整後のクライアント信頼値は

となる。 Further, the encryption strength is the number of loop repeated encryptions, and the encryption strength plan is to set an encryption strength range for each type of application by the user.
In the confirmation module
Determine the type of connected application, call the user encryption strength plan locally pre-stored in the client, determine the corresponding encryption strength range according to the application type, and one of the ciphers within the encryption strength range The encryption strength value is randomly selected and used as the encryption strength of the current data.
Further, in the third confirmation module,
The server stats the number of corresponding clients for each of the returned second temporary passwords and determines if there are multiple second temporary passwords with the same number of corresponding clients and the first place. When determining, the second temporary password with the largest number of clients is used as the first temporary password, and when determining that there is, the return of the client with the highest trust value among the corresponding clients of the second temporary password with the same number If the second temporary password is the first temporary password and the second temporary password returned by the client matches the first temporary password, the response result of the client is accurate, otherwise the response result of the client is incorrect. is there.
Further, the trust value is adjusted by the server depending on whether the response result of the client is accurate. The initial trust value when registering on the client's server is

And.
For the client's M-th result response, if the response result is accurate, the user client trust value adjustment value is

However,

Is the adjustment value of the trust value of the user client when the Mth response result is accurate,

Is the number of times the response result is accurate in M responses,

Is the unit adjustment value of the confidence value when the response result is accurate.
Therefore, the confidence value after the user's M-th result response is accurate is

However,

Is the trust value after the user's Mth result response,

Is the confidence value after the user's M-1st result response.
Regarding the M-th result response of the user client, if the response result is incorrect, the adjustment value of the trust value of the user client is

Adjust with, however

Is the adjustment value of the trust value of the user client when the result of the Mth response is incorrect,

Is the number of times the response result of the Mth response is incorrect,

Is the unit adjustment value of the confidence value when the response result is incorrect, and

And.
Therefore, the confidence value after the user's M-th result response is incorrect

However,

Is the trust value after the user's Mth result response,

Is the confidence value after the user's M-1st result response.
For the user's initial response, if the response result is accurate, then the client trust value adjustment is

Then, the adjusted client trust value is

Is. If the response result is incorrect, the client trust value adjustment value is

Then, the adjusted client trust value is

Will be.

The present invention has the following advantages over the prior art.
-The present invention submits a data protection method and system by edge computing for a huge data calculation problem of a big data network. Make the client an edge node and fully utilize the computing performance of the client. By executing slow hashing by the client in the process of data protection, the problem of heavy calculation load and easy collapse of the server is effectively solved.

-The present invention sets different encryption strengths for different application types of different users. This solves the problem of unnecessarily high calculation processing cost due to excessive encryption strength.
An effective balance between data security and system cost.
-The present invention quantitatively evaluates the calculation performance of the client, determines whether to perform low-speed hashing on the local client depending on whether the encryption strength requirement and the calculation performance match, and performs low-speed hashing locally only when they match. This solves problems such as excessive slow processing speed and reduced client performance.
-The present invention screens the returned results of other clients and quantitatively evaluates the trust value of the client. Since the effect of an erroneous response on the confidence value is greater than that of an accurate response,
Avoid return error results from bad users. This further improves the security of the data. In addition, incentive rules corresponding to the confidence value will be established. This improves the user's willingness to participate in low-speed hashing calculations. Furthermore, it restricts the user's response behavior. This improves the security of the system.
-The present invention uses a method of low-speed hashing of a client and high-speed hashing of a server.
Increase the protection of data by increasing the cost of attacking the attacker's data.

It is a flowchart of the protection method of big data network data by edge computing which concerns on Example 1. FIG. It is a structural diagram of the big data network data protection system by edge computing which concerns on Example 2. FIG.

Hereinafter, embodiments of the present invention will be described with reference to specific specific examples. One of ordinary skill in the art can easily understand the other advantages and effects of the present invention from the contents disclosed in the present specification. The present invention may also be implemented or applied by other different specific embodiments, and the details of the present specification may be modified or applied in various ways based on different perspectives and applications without departing from the spirit of the invention. You can also make changes. It should be noted that the following embodiments and features of the embodiments can be combined with each other if they do not conflict.
The drawings provided in the following embodiments only schematically illustrate the basic concept of the present invention, and the drawings show only the components related to the present invention and the components when actually implemented. Rather than plotting according to the number, shape and size of the components, the form, number and proportion of each component when actually implemented can be changed at will. The placement of components can also be more complicated.
Hereinafter, the present invention will be further described in relation to the accompanying drawings and specific embodiments, but the present invention is not limited thereto.

Example 1
As shown in FIG. 1, this embodiment presents a method of protecting big data network data by edge computing, particularly a method of encrypting private data such as a user's password. The method includes:

、

、

、

とすると、

である。したがって、クライアントの計算性能値は

であり、ただし、

、

、

、

はそれぞれクロック周波数、語長、カーネル数、メモリ容量の値である。構成情報によっ
てその占める重みが異なり、例えばクロック周波数は大きい程度で、クライアントの計算
性能を決定する。したがって、クロック周波数の重みは最も大きくする。
さらに、本発明において、算出計算性能値に基づいて、各クライアントを相応の計算性能
レベルに分けている。例えば本例ではクライアントの計算性能レベルはＩレベル、ＩＩレ
ベル、ＩＩＩレベル、ＩＶレベル、Ｖレベルがある。異なる計算性能レベルは、異なる計
算性能値の範囲に対応している。一般的には、計算性能値が高ければ、その対応する計算
性能レベルも高く、計算速度が速い。
注意すべきのは、クロック周波数、語長、カーネル数、メモリ容量に基づく計算性能の計
算は単に例示的説明だけで、他のクライアントの基本情報に基づく計算性能の計算と類似
のものも含み、その制限としてはならない。なお、クライアントの処理コストを低減させ
るために、クライアントの計算性能レベルの計算は単に一回だけで行い、初回で済み、公
開情報としてクライアントに保存される。クライアントをエッジノードとして暗号化保護
計算しょうとする場合、クライアントから相応の計算性能レベルを直接に読み取ってもよ
い。 S1, the calculation performance level of the client is determined by the basic information of the client.
In order to overcome the problems of the rapid increase in the amount of user data due to the big data era and the excessive load on the server in the server-based data protection method, in the present invention, some data protection calculations are performed based on the client. Therefore, the processing cost of the server is effectively reduced. With the spread of terminal equipment and the development of mono-networks, terminal equipment will become more diverse and client performance will become stronger. Under these circumstances, it is possible to transfer some computing tasks from the server to the mobile terminal. Therefore, in the present invention, the client is an edge node, some data protection calculations are executed by edge computing, and user data is protected in collaboration with the server. Edge computing, as a mechanism of distributed computing, transfers the computation of application programs, data materials, and services from the central node of the network to the logical age note of the network for processing.
Clients are personal computers, mobile phones, and PDAs (personal digital a).
sisstant) and the like can be included, but are not limited thereto. When data protection encryption calculation is performed with the client as an edge node, the calculation performance differs depending on the client. If the computing performance of the user cannot satisfy the corresponding encryption request, encryption protection cannot be performed based on this client. Therefore, the present invention first determines the calculation performance of the client based on the basic information of the client. And depending on the result
Decide whether to perform cryptographic protection of data based on this edge node.
Client configuration information related to computational performance can generally include clock frequency, word length, number of kernels, memory capacity, and the like. The clock frequency refers to the number of unit-time pulses of a computer CPU. The word length is the number of digits of binary data that can be processed once by the arithmetic unit of a computer. The number of kernels refers to the number of arithmetic units and controls that execute commands in the CPU. Memory capacity refers to the total number of bytes that can store information in memory. Normally,
The higher the cool frequency, the longer the word length, the larger the number of kernels, the larger the memorial capacity, and the faster the calculation speed of the client, the stronger the calculation performance.
In order to determine the computational performance of the client, the present invention sets different weights for the client's configuration information related to the computational performance. For example, the clock frequency, word length, number of kernels, and memory capacity weights are each.

,

,

,

Then

Is. Therefore, the computational performance value of the client is

However,

,

,

,

Are the values of clock frequency, word length, number of kernels, and memory capacity, respectively. The weight occupied by the configuration information differs, and for example, the clock frequency is large enough to determine the computing performance of the client. Therefore, the weight of the clock frequency is the largest.
Further, in the present invention, each client is divided into appropriate calculation performance levels based on the calculated calculation performance value. For example, in this example, the calculation performance level of the client is I level, II level, III level, IV level, and V level. Different computational performance levels correspond to different ranges of computational performance values. Generally, the higher the calculation performance value, the higher the corresponding calculation performance level and the faster the calculation speed.
It should be noted that the calculation of calculation performance based on clock frequency, word length, number of kernels, and memory capacity is merely an example explanation, and includes similar calculations to calculation performance based on basic information of other clients. It should not be the limitation. In addition, in order to reduce the processing cost of the client, the calculation of the calculation performance level of the client is performed only once, the first time is required, and the information is saved in the client as public information. When the client is used as an edge node for cryptographic protection calculation, the corresponding calculation performance level may be read directly from the client.

S2, the type of application to be connected and the encryption strength plan determine the current data encryption strength.
In the process of data encryption protection, the higher the encryption strength, the higher the security of the data, but the corresponding processing cost also increases. Therefore, the present invention strives to provide an effective balance between security and processing costs. In reality, the security required for the user's password data for that purpose differs depending on the application. For example, it is desirable that the login password of the net bank has a particularly high security in order to protect the property security of the user. The login password for the video website may be not very secure. Therefore, the present invention sets different encryption strengths for different application types of different users.
Specifically, the present invention classifies application types into finance, shopping, medical health, moving images, living services, and the like. The user sets the encryption strength corresponding to each type of application according to his / her needs. Finance is Alipay,
Examples include mobile banks and net banks. Examples of shopping include Taobao and JD. Examples of moving images include Tencent, QIY, Youku and the like. Examples of life services include drops, Meituan, and the like. As for medical and health care, there is a platform that includes reservations for hospital receptions, online medical consultations, and so on.
The present invention increases the difficulty of brute force decryption by an attacker by re-encrypting the result after encryption on the edge node and repeating the loop m times. That is, the strength of data encryption is related to the number of loop iteration encryptions. Therefore, the data encryption strength of each type of application according to the present invention corresponds to a range of corresponding loop repetition times.
For example, the user presets an encryption strength plan. The corresponding encryption strength of the financial application is [100,000, 90000]. The corresponding encryption strength of the shopping application is [80,000, 70,000]. The corresponding encryption strength of the medical health application is [75,000, 60,000]. , The corresponding encryption strength of the moving image application is set to [20000, 10000]. Let the corresponding encryption strength of the life service application be [50,000, 40,000].
When a user uses an application through registration or login via a website or application program, the user first determines the type of application to which this website or application program belongs. Next, the user's encryption strength plan pre-stored locally on the client is called, and the corresponding encryption strength range is determined according to the application type. Then, any one of the encryption strength values within the encryption strength range is randomly selected and used as the encryption strength of the current data.

S3, Salt is randomly generated, and it is determined whether the calculation performance level of the client can satisfy the encryption strength requirement. If so, execute S4, otherwise execute S5.
In order to counter decryption methods such as brute force brute force dictionary attacks, the present invention introduces different salt values depending on the user in the encryption process. By inserting a specific character string at any specific position of the privacy password, the hashed result cannot match the hashed result using the original password. Such an operation is called salt.
Therefore, before data protection encryption is performed on the edge node, each user client first randomly generates a salt to improve the security of data encryption.
As mentioned above, if the computing performance of the user cannot satisfy the corresponding encryption request, the encryption protection cannot be performed based on this client. If the computational performance and the encryption strength requirement do not match, there is a large amount of time loss to complete the corresponding encryption strength, the user wait time is long, and the user experience is significantly deteriorated. Therefore, in the edge node data protection process according to the present invention, it is first determined whether the computing performance of the client at that time can satisfy the encryption strength requirement. If so, perform the protected cryptographic calculation directly on the client at the time. Otherwise, the user experience is poor without having to perform the protected cryptographic calculation on the local client.
The present invention first determines the completeable encryption strength range for each computational performance level. Specifically, it can be achieved by statistics on a large number of clients, but it can also be achieved by machine learning. This is not limited. Then, as a result of determining the complete encryption strength range of the client by the calculation performance level of the client, if the current data encryption strength belongs within the complete encryption strength range of the client, the calculation performance of the client at that time is Prove that the encryption request is satisfied. Otherwise, the encryption request cannot be satisfied.

S4, The plaintext password input from the user is hashed at low speed to acquire the first temporary password. The user name, salt, and first temporary password are sent to the application server, and S8 is executed.
The present invention encrypts plaintext passwords by slow hashing algorithms such as PBKDF2 or bcrypt. Slow hashing encryption increases the encryption time and correspondingly increases the decryption time and difficulty. Password decryption time is directly related to cryptographic algorithms. For example, MD5 encryption is very fast, and one encryption is 1 μs. Therefore, any one phrase takes 1 μs at the time of decoding. One million attackers can try in 1s. If 10
If the encryption is extended to ms, only 100 can be tried within 1s, and the decryption speed will be 10,000 times slower. There are two ways to increase the encryption time. One is multiple cryptography, and the other is the increasing complexity of cryptographic algorithms.
PBKDF2 will be described as an example, but the definition of the PBKDF2 function is DK = PBKDF2 (P).
RF, Password, Salt, c, dkLen). However, PRF is a pseudo-random number function, for example, a HASH_HMAC function, and can output the result of hLen length. Password is the original password for generating the common key. Salt is a salt value for encryption. c is the number of repetitive calculations, and in this example, it is the determined data encryption strength of the current time. dkLen is the desired common key length. DK is the last generated common key.
If the computing performance of the client at that time can satisfy the encryption strength requirement, the loop is repeated based on the salt randomly generated on the client, the encryption strength, and the password of the website or application program entered by the user. 1 Generates a temporary password and sends the user name, salt, and first temporary password to the application server in order for the server to verify the user's next login. In this case, the plaintext password is not received or saved on the server, and only the first temporary password after low-speed hashing can be obtained, so it is possible to effectively counter attacks such as drag-out. It is possible.

S5, the user name, the plaintext password entered by the user, the salt, and the encryption strength are sent to the application server. The application server selects a plurality of other connected clients and sends them to the client that selects the plaintext password, salt, and encryption strength entered by the user.
If the computing performance of the client at that time cannot satisfy the encryption strength requirement, the client will not perform any protective encryption calculation. In this case, the client at that time ships the user name, plaintext password, salt, and encryption strength corresponding to the user to the application server. On the other hand, in order to avoid excessive server processing load, after receiving the user's plaintext password by the server, multiple clients connected to the server are selected and slow hashed without performing appropriate slow hashing. To execute the conversion. Since there may be a bad edge node, the present invention selects a plurality of edge clients and executes the encryption calculation at the same time, thereby causing no return of the result from the bad edge node, an error in the prospect calculation, and the like. To avoid.
Specifically, the server first determines the corresponding calculation performance level of the encryption strength by the encryption strength. Since the calculation performance level of the client is disclosed, the application server selects a plurality of clients whose calculation performance level satisfies the corresponding calculation performance level requirement of the encryption strength, and the selected client selects a corresponding low-speed hash. Providing a conversion service. Correspondingly, the selected client is provided with a low-speed hashing service by sending the plaintext password, salt, and encryption strength input by the user to the selected client.
It should be noted that when the plaintext password information is delivered from the server to the selected client, the attacker's attack can be effectively prevented by discarding the user's plaintext password without remembering it on the server. The plaintext password is received on the client, but since there is no user name information, the plaintext password cannot be effectively associated with the user, and the user's password information cannot be decrypted.

S6, The plaintext password input from the user by the selected client is hashed at low speed to acquire the second temporary password, and the second temporary password is sent to the application server.
After receiving the encryption request sent from the server, the selected client may voluntarily decide whether or not to respond to the encryption request. If it does not respond to the encryption request, it ignores the encryption request and does not respond to the request. When responding to an encryption request, a second temporary password is obtained by slow hashing with a slow hashing algorithm homologous to the local client. The process of low-speed hashing is similar to step S4 and is omitted here.

を設定する。ユーザクライアントにより他のユーザの第２臨時パスワード計算請求へ応答
するとする場合、サーバーにおいてその応答結果が正確であるか否かによって信頼値を調
整する。クライアントの返還した第２臨時パスワードと最終に確定する第１臨時パスワー
ドが一致する場合、クライアントの応答結果が正確である。さもなければ、クライアント
の応答結果が誤りである。
クライアントのＭ番目結果応答に関して、応答結果が正確であれば、ユーザクライアント
の信頼値の調整値は

であり、ただし、

はＭ番目応答結果が正確であるときにおけるユーザクライアントの信頼値の調整値、

はＭ回応答における応答結果が正確である回数、

は応答結果が正確であるときにおける信頼値の単位調整値である。
相応的に、ユーザのＭ番目結果応答後の信頼値は、

であり、ただし、

はユーザのＭ番目結果応答後の信頼値、

はユーザのＭ−１番目結果応答後の信頼値である。
ユーザクライアントのＭ番目結果応答に関して、応答結果が誤りであれば、ユーザクライ
アント信頼値の調整値は

と調整し、ただし、

はＭ番目応答結果が誤りである場合におけるユーザクライアントの信頼値の調整値、

はＭ番目応答における応答結果が誤りである回数、

は応答結果が誤りであるときにおける信頼値の単位調整値である。
相応的に、ユーザのＭ番目結果応答後の信頼値は、

であり、ただし、

はユーザのＭ番目結果応答後の信頼値、

はユーザのＭ−１番目結果応答後の信頼値である。
ユーザの初回応答に関して、応答結果が正確であれば、クライアントの信頼値の調整値は

とすると、調整後のクライアント信頼値は

である。応答結果が誤りであれば、クライアント信頼値の調整値は

とすると、調整後のクライアント信頼値は

となる。

注意すべきのは、データを有効に保護できるように、データのセキュリティ性を向上する
ために、本発明では

とする。
クライアントの信頼値に関して、サーバーから相応のインセンティブ手段を提供し、ユー
ザに積極的に第２臨時パスワードの協力計算過程に参与させる。例えば、動画類アプリケ
ーションは、一定範囲内の信頼値であるとなれば、会員サービスをただで与えるや、会員
費ディスカウントなどの手段がある。ショッピング類のアプリケーションは、閾値を超え
る信頼値であればユーザに運賃減免を与える手段があってもよい。 S7, The first temporary password is confirmed based on the plurality of second temporary passwords received by the application server.
As mentioned above, there may be bad nodes on the edge client, so the return results of multiple clients may be inconsistent. Therefore, when a plurality of second temporary passwords are received by the server, it is necessary to screen them. Thereby, the final first temporary password is confirmed.
Specifically, the server statistics the number of clients corresponding to each of the returned second temporary passwords, and selects the second temporary password having the largest number of clients as the first temporary password. For example, assuming that the second temporary passwords selected by the six clients A, B, C, D, E, and F are X1, X2, X3, X2, X3, and X3, respectively, the correspondence of X1 according to the server statistics. When the number of clients is 1, the number of corresponding clients of X2 is 2, and the number of corresponding clients of X3 is 3, the number of clients who have returned X3 is the largest, and the first temporary determination of X3 is finalized. Use it as a password.
If there are a plurality of corresponding clients and there are a plurality of second temporary passwords in which the number of corresponding clients is ranked first, the client with the highest trust value in these clients is returned as the second temporary password. The password is the first temporary password. Specifically
In order to improve the security of the system and avoid the security of malicious user hazard data, the present invention manages the users connected to the server.
Specifically, when a user connects to a server, he / she needs to register or log in to the server. Therefore, the present invention gives the registered user to each server an initial trust value.

To set. When the user client responds to another user's second extraordinary password calculation request, the trust value is adjusted depending on whether the response result is accurate or not on the server. If the second temporary password returned by the client and the first temporary password finally confirmed match, the response result of the client is accurate. Otherwise, the client response is incorrect.
Regarding the client's M-th result response, if the response result is accurate, the user client trust value adjustment value is

However,

Is the adjustment value of the trust value of the user client when the Mth response result is accurate,

Is the number of times the response result in the M response is accurate,

Is the unit adjustment value of the confidence value when the response result is accurate.
Correspondingly, the trust value after the user's M-th result response is

However,

Is the trust value after the user's Mth result response,

Is the confidence value after the user's M-1st result response.
Regarding the Mth result response of the user client, if the response result is incorrect, the adjustment value of the user client trust value is

Adjust with, however

Is the adjustment value of the trust value of the user client when the Mth response result is incorrect,

Is the number of times the response result in the Mth response is incorrect,

Is the unit adjustment value of the reliability value when the response result is incorrect.
Correspondingly, the trust value after the user's M-th result response is

However,

Is the trust value after the user's Mth result response,

Is the confidence value after the user's M-1st result response.
For the user's initial response, if the response is accurate, the client trust value adjustment is

Then, the adjusted client trust value is

Is. If the response result is incorrect, the client trust value adjustment value is

Then, the adjusted client trust value is

Will be.

It should be noted that in the present invention, in order to improve the security of the data so that the data can be effectively protected.

And.
Regarding the trust value of the client, the server provides an appropriate incentive means, and the user is actively participated in the cooperative calculation process of the second temporary password. For example, in a video application, if the trust value is within a certain range, there are means such as giving a membership service for free or discounting a membership fee. Shopping applications may have a means of giving a user a fare reduction or exemption as long as the reliability value exceeds the threshold value.

S8, the encrypted password by quickly hashing the first temporary password by the server.
Obtain the saved user name, salt and the encrypted password.
After the first temporary password is received by the server, the first temporary password is quickly hashed again together with the salt to obtain the corresponding encrypted password of the plaintext password entered by the user as the final password. Rapid hashing includes, for example, MD5 encryption, but is not limited thereto. Validate the user's identity by storing the username, salt and encrypted password on the server. Since it only stores the encrypted password on the server, even if an attacker tries to attack, it can only get the first temporary password, which needs to be further decrypted to get the user's plaintext password. Yes, the difficulty is maximum. The security of network data can be greatly improved, and user data can be effectively protected.

When verifying the user's login, the user enters a plaintext password. The corresponding encryption process is the same as described above, and it is determined whether the encrypted password calculated by the server matches the one stored in advance. If it is determined to match, the user can be proved to be a legal user. In addition, in order to further improve the security of the data, the salt may be constantly updated and generated, and the newly generated salt is shipped at the same time as the login occurs, and the corresponding first temporary password is calculated. As a result, the salt can be updated without making the user aware, and the user experience is improved.

Example 2
As shown in FIG. 2, the present embodiment presents a big data network data protection system by edge computing, particularly a system for encrypting private data such as a user's password. The system includes:

、

、

、

とすると、

である。したがって、クライアントの計算性能値は

であり、ただし、

、

、

、

はそれぞれクロック周波数、語長、カーネル数、メモリ容量の値である。構成情報によっ
てその占める重みが異なり、例えばクロック周波数は大きい程度で、クライアントの計算
性能を決定する。したがって、クロック周波数の重みは最も大きくする。
さらに、本発明において、算出計算性能値に基づいて、各クライアントを相応の計算性能
レベルに分けている。例えば本例ではクライアントの計算性能レベルはＩレベル、ＩＩレ
ベル、ＩＩＩレベル、ＩＶレベル、Ｖレベルがある。異なる計算性能レベルは、異なる計
算性能値の範囲に対応している。一般的には、計算性能値が高ければ、その対応する計算
性能レベルも高く、計算速度が速い。
注意すべきのは、クロック周波数、語長、カーネル数、メモリ容量に基づく計算性能の計
算は単に例示的説明だけで、他のクライアントの基本情報に基づく計算性能の計算と類似
のものも含み、その制限としてはならない。なお、クライアントの処理コストを低減させ
るために、クライアントの計算性能レベルの計算は単に一回だけで行い、初回で済み、公
開情報としてクライアントに保存される。クライアントをエッジノードとして暗号化保護
計算しょうとする場合、クライアントから相応の計算性能レベルを直接に読み取ってもよ
い。 The first confirmation module determines the calculation performance level of the client based on the basic information of the client.
In order to overcome the problems of the rapid increase in the amount of user data due to the big data era and the excessive load on the server in the server-based data protection method, in the present invention, some data protection calculations are performed based on the client. Therefore, the processing cost of the server is effectively reduced. With the spread of terminal equipment and the development of mono-networks, terminal equipment will become more diverse and client performance will become stronger. Under these circumstances, it is possible to transfer some computing tasks from the server to the mobile terminal. Therefore, in the present invention, the client is an edge node, some data protection calculations are executed by edge computing, and user data is protected in collaboration with the server. Edge computing, as a mechanism of distributed computing, transfers the computation of application programs, data materials, and services from the central node of the network to the logical age note of the network for processing.
Clients are personal computers, mobile phones, and PDAs (personal digital a).
sisstant) and the like can be included, but are not limited thereto. When data protection encryption calculation is performed with the client as an edge node, the calculation performance differs depending on the client. If the computing performance of the user cannot satisfy the corresponding encryption request, encryption protection cannot be performed based on this client. Therefore, the present invention first determines the calculation performance of the client based on the basic information of the client. And depending on the result
Decide whether to perform cryptographic protection of data based on this edge node.
Client configuration information related to computational performance can generally include clock frequency, word length, number of kernels, memory capacity, and the like. The clock frequency refers to the number of unit-time pulses of a computer CPU. The word length is the number of digits of binary data that can be processed once by the arithmetic unit of a computer. The number of kernels refers to the number of arithmetic units and controls that execute commands in the CPU. Memory capacity refers to the total number of bytes that can store information in memory. Normally,
The higher the cool frequency, the longer the word length, the larger the number of kernels, the larger the memorial capacity, and the faster the calculation speed of the client, the stronger the calculation performance.
In order to determine the computational performance of the client, the present invention sets different weights for the client's configuration information related to the computational performance. For example, the clock frequency, word length, number of kernels, and memory capacity weights are each.

,

,

,

Then

Is. Therefore, the computational performance value of the client is

However,

,

,

,

Are the values of clock frequency, word length, number of kernels, and memory capacity, respectively. The weight occupied by the configuration information differs, and for example, the clock frequency is large enough to determine the computing performance of the client. Therefore, the weight of the clock frequency is the largest.
Further, in the present invention, each client is divided into appropriate calculation performance levels based on the calculated calculation performance value. For example, in this example, the calculation performance level of the client is I level, II level, III level, IV level, and V level. Different computational performance levels correspond to different ranges of computational performance values. Generally, the higher the calculation performance value, the higher the corresponding calculation performance level and the faster the calculation speed.
It should be noted that the calculation of calculation performance based on clock frequency, word length, number of kernels, and memory capacity is merely an example explanation, and includes similar calculations to calculation performance based on basic information of other clients. It should not be the limitation. In addition, in order to reduce the processing cost of the client, the calculation of the calculation performance level of the client is performed only once, the first time is required, and the information is saved in the client as public information. When the client is used as an edge node for cryptographic protection calculation, the corresponding calculation performance level may be read directly from the client.

The second confirmation module determines the current data encryption strength according to the type of application to be connected and the encryption strength plan.
In the process of data encryption protection, the higher the encryption strength, the higher the security of the data, but the corresponding processing cost also increases. Therefore, the present invention strives to provide an effective balance between security and processing costs. In reality, the security required for the user's password data for that purpose differs depending on the application. For example, it is desirable that the login password of the net bank has a particularly high security in order to protect the property security of the user. The login password for the video website may be not very secure. Therefore, the present invention sets different encryption strengths for different application types of different users.
Specifically, the present invention classifies application types into finance, shopping, medical health, moving images, living services, and the like. The user sets the encryption strength corresponding to each type of application according to his / her needs. Finance is Alipay,
Examples include mobile banks and net banks. Examples of shopping include Taobao and JD. Examples of moving images include Tencent, QIY, Youku and the like. Examples of life services include drops, Meituan, and the like. As for medical and health care, there is a platform that includes reservations for hospital receptions, online medical consultations, and so on.
The present invention increases the difficulty of brute force decryption by an attacker by re-encrypting the result after encryption on the edge node and repeating the loop m times. That is, the strength of data encryption is related to the number of loop iteration encryptions. Therefore, the data encryption strength of each type of application according to the present invention corresponds to a range of corresponding loop repetition times.
For example, the user presets an encryption strength plan. The corresponding encryption strength of the financial application is [100,000, 90000]. The corresponding encryption strength of the shopping application is [80,000, 70,000]. The corresponding encryption strength of the medical health application is [75,000, 60,000]. , The corresponding encryption strength of the moving image application is set to [20000, 10000]. Let the corresponding encryption strength of the life service application be [50,000, 40,000].
When a user uses an application through registration or login via a website or application program, the user first determines the type of application to which this website or application program belongs. Next, the user's encryption strength plan pre-stored locally on the client is called, and the corresponding encryption strength range is determined according to the application type. Then, any one of the encryption strength values within the encryption strength range is randomly selected and used as the encryption strength of the current data.

The decision module randomly generates salts to determine if the client's computational performance level can meet the encryption strength requirements. If so, call the local encryption module, otherwise call the selection module.
In order to counter decryption methods such as brute force brute force dictionary attacks, the present invention introduces different salt values depending on the user in the encryption process. By inserting a specific character string at any specific position of the privacy password, the hashed result cannot match the hashed result using the original password. Such an operation is called salt.
Therefore, before data protection encryption is performed on the edge node, each user client first randomly generates a salt to improve the security of data encryption.
As mentioned above, if the computing performance of the user cannot satisfy the corresponding encryption request, the encryption protection cannot be performed based on this client. If the computational performance and the encryption strength requirement do not match, there is a large amount of time loss to complete the corresponding encryption strength, the user wait time is long, and the user experience is significantly deteriorated. Therefore, in the edge node data protection process according to the present invention, it is first determined whether the computing performance of the client at that time can satisfy the encryption strength requirement. If so, perform the protected cryptographic calculation directly on the client at the time. Otherwise, the user experience is poor without having to perform the protected cryptographic calculation on the local client.
The present invention first determines the completeable encryption strength range for each computational performance level. Specifically, it can be achieved by statistics on a large number of clients, but it can also be achieved by machine learning. This is not limited. Then, as a result of determining the complete encryption strength range of the client by the calculation performance level of the client, if the current data encryption strength belongs within the complete encryption strength range of the client, the calculation performance of the client at that time is Prove that the encryption request is satisfied. Otherwise, the encryption request cannot be satisfied.

The local encryption module performs low-speed hashing of the plaintext password entered by the user to obtain the first temporary password. Send the user name, salt, and first temporary password to the application server. And call the storage module.
The present invention encrypts plaintext passwords by slow hashing algorithms such as PBKDF2 or bcrypt. Slow hashing encryption increases the encryption time and correspondingly increases the decryption time and difficulty. Password decryption time is directly related to cryptographic algorithms. For example, MD5 encryption is very fast, and one encryption is 1 μs. Therefore, any one phrase takes 1 μs at the time of decoding. One million attackers can try in 1s. If 10
If the encryption is extended to ms, only 100 can be tried within 1s, and the decryption speed will be 10,000 times slower. There are two ways to increase the encryption time. One is multiple cryptography, and the other is the increasing complexity of cryptographic algorithms.
PBKDF2 will be described as an example, but the definition of the PBKDF2 function is DK = PBKDF2 (P).
RF, Password, Salt, c, dkLen). However, PRF is a pseudo-random number function, for example, a HASH_HMAC function, and can output the result of hLen length. Password is the original password for generating the common key. Salt is a salt value for encryption. c is the number of repetitive calculations, and in this example, it is the determined data encryption strength of the current time. dkLen is the desired common key length. DK is the last generated common key.
If the computing performance of the client at that time can satisfy the encryption strength requirement, the loop is repeated based on the salt randomly generated on the client, the encryption strength, and the password of the website or application program entered by the user. 1 Generates a temporary password and sends the user name, salt, and first temporary password to the application server in order for the server to verify the user's next login. In this case, the plaintext password is not received or saved on the server, and only the first temporary password after low-speed hashing can be obtained, so it is possible to effectively counter attacks such as drag-out. It is possible.

The selection module ships the username, plaintext password entered by the user, salt, and encryption strength to the application server. The application server selects a plurality of other connected clients and sends them to the client that selects the plaintext password, salt, and encryption strength entered by the user.
If the computing performance of the client at that time cannot satisfy the encryption strength requirement, the client will not perform any protective encryption calculation. In this case, the client at that time ships the user name, plaintext password, salt, and encryption strength corresponding to the user to the application server. On the other hand, in order to avoid excessive server processing load, after receiving the user's plaintext password by the server, multiple clients connected to the server are selected and slow hashed without performing appropriate slow hashing. To execute the conversion. Since there may be a bad edge node, the present invention selects a plurality of edge clients and executes the encryption calculation at the same time, thereby causing no return of the result from the bad edge node, an error in the prospect calculation, and the like. To avoid.
Specifically, the server first determines the corresponding calculation performance level of the encryption strength by the encryption strength. Since the calculation performance level of the client is disclosed, the application server selects a plurality of clients whose calculation performance level satisfies the corresponding calculation performance level requirement of the encryption strength, and the selected client selects a corresponding low-speed hash. Providing a conversion service. Correspondingly, the selected client is provided with a low-speed hashing service by sending the plaintext password, salt, and encryption strength input by the user to the selected client.
It should be noted that when the plaintext password information is delivered from the server to the selected client, the attacker's attack can be effectively prevented by discarding the user's plaintext password without remembering it on the server. The plaintext password is received on the client, but since there is no user name information, the plaintext password cannot be effectively associated with the user, and the user's password information cannot be decrypted.

In the cooperative encryption module, the plaintext password entered by the user by the selected client is hashed at low speed to acquire the second temporary password, and the second temporary password is sent to the application server.
After receiving the encryption request sent from the server, the selected client may voluntarily decide whether or not to respond to the encryption request. If it does not respond to the encryption request, it ignores the encryption request and does not respond to the request. When responding to an encryption request, a second temporary password is obtained by slow hashing with a slow hashing algorithm homologous to the local client. The process of low-speed hashing is similar to step S4 and is omitted here.

を設定する。ユーザクライアントにより他のユーザの第２臨時パスワード計算請求へ応答
するとする場合、サーバーにおいてその応答結果が正確であるか否かによって信頼値を調
整する。クライアントの返還した第２臨時パスワードと最終に確定する第１臨時パスワー
ドが一致する場合、クライアントの応答結果が正確である。さもなければ、クライアント
の応答結果が誤りである。
クライアントのＭ番目結果応答に関して、応答結果が正確であれば、ユーザクライアント
の信頼値の調整値は

であり、ただし、

はＭ番目応答結果が正確であるときにおけるユーザクライアントの信頼値の調整値、

はＭ回応答における応答結果が正確である回数、

は応答結果が正確であるときにおける信頼値の単位調整値である。
相応的に、ユーザのＭ番目結果応答後の信頼値は、

であり、ただし、

はユーザのＭ番目結果応答後の信頼値、

はユーザのＭ−１番目結果応答後の信頼値である。
ユーザクライアントのＭ番目結果応答に関して、応答結果が誤りであれば、ユーザクライ
アント信頼値の調整値は

と調整し、ただし、

はＭ番目応答結果が誤りである場合におけるユーザクライアントの信頼値の調整値、

はＭ番目応答における応答結果が誤りである回数、

は応答結果が誤りであるときにおける信頼値の単位調整値である。
相応的に、ユーザのＭ番目結果応答後の信頼値は、

であり、ただし、

はユーザのＭ番目結果応答後の信頼値、

はユーザのＭ−１番目結果応答後の信頼値である。
ユーザの初回応答に関して、応答結果が正確であれば、クライアントの信頼値の調整値は

とすると、調整後のクライアント信頼値は

である。応答結果が誤りであれば、クライアント信頼値の調整値は

とすると、調整後のクライアント信頼値は

となる。

注意すべきのは、データを有効に保護できるように、データのセキュリティ性を向上する
ために、本発明では

とする。
クライアントの信頼値に関して、サーバーから相応のインセンティブ手段を提供し、ユー
ザに積極的に第２臨時パスワードの協力計算過程に参与させる。例えば、動画類アプリケ
ーションは、一定範囲内の信頼値であるとなれば、会員サービスをただで与えるや、会員
費ディスカウントなどの手段がある。ショッピング類のアプリケーションは、閾値を超え
る信頼値であればユーザに運賃減免を与える手段があってもよい。 In the third confirmation module, the first temporary password is confirmed based on the plurality of second temporary passwords received by the application server.
As mentioned above, there may be bad nodes on the edge client, so the return results of multiple clients may be inconsistent. Therefore, when a plurality of second temporary passwords are received by the server, it is necessary to screen them. Thereby, the final first temporary password is confirmed.
Specifically, the server statistics the number of clients corresponding to each of the returned second temporary passwords, and selects the second temporary password having the largest number of clients as the first temporary password. For example, assuming that the second temporary passwords selected by the six clients A, B, C, D, E, and F are X1, X2, X3, X2, X3, and X3, respectively, the correspondence of X1 according to the server statistics. When the number of clients is 1, the number of corresponding clients of X2 is 2, and the number of corresponding clients of X3 is 3, the number of clients who have returned X3 is the largest, and the first temporary determination of X3 is finalized. Use it as a password.
If there are a plurality of corresponding clients and there are a plurality of second temporary passwords in which the number of corresponding clients is ranked first, the client with the highest trust value in these clients is returned as the second temporary password. The password is the first temporary password. Specifically
In order to improve the security of the system and avoid the security of malicious user hazard data, the present invention manages the users connected to the server.
Specifically, when a user connects to a server, he / she needs to register or log in to the server. Therefore, the present invention gives the registered user to each server an initial trust value.

To set. When the user client responds to another user's second extraordinary password calculation request, the trust value is adjusted depending on whether the response result is accurate or not on the server. If the second temporary password returned by the client and the first temporary password finally confirmed match, the response result of the client is accurate. Otherwise, the client response is incorrect.
Regarding the client's M-th result response, if the response result is accurate, the user client trust value adjustment value is

However,

Is the adjustment value of the trust value of the user client when the Mth response result is accurate,

Is the number of times the response result in the M response is accurate,

Is the unit adjustment value of the confidence value when the response result is accurate.
Correspondingly, the trust value after the user's M-th result response is

However,

Is the trust value after the user's Mth result response,

Is the confidence value after the user's M-1st result response.
Regarding the Mth result response of the user client, if the response result is incorrect, the adjustment value of the user client trust value is

Adjust with, however

Is the adjustment value of the trust value of the user client when the Mth response result is incorrect,

Is the number of times the response result in the Mth response is incorrect,

Is the unit adjustment value of the reliability value when the response result is incorrect.
Correspondingly, the trust value after the user's M-th result response is

However,

Is the trust value after the user's Mth result response,

Is the confidence value after the user's M-1st result response.
For the user's initial response, if the response is accurate, the client trust value adjustment is

Then, the adjusted client trust value is

Is. If the response result is incorrect, the client trust value adjustment value is

Then, the adjusted client trust value is

Will be.

It should be noted that in the present invention, in order to improve the security of the data so that the data can be effectively protected.

And.
Regarding the trust value of the client, the server provides an appropriate incentive means, and the user is actively participated in the cooperative calculation process of the second temporary password. For example, in a video application, if the trust value is within a certain range, there are means such as giving a membership service for free or discounting a membership fee. Shopping applications may have a means of giving a user a fare reduction or exemption as long as the reliability value exceeds the threshold value.

In the storage module, the server quickly hashes the first temporary password to acquire the encrypted password, the stored user name, the salt, and the encrypted password.
After the first temporary password is received by the server, the first temporary password is quickly hashed again together with the salt to obtain the corresponding encrypted password of the plaintext password entered by the user as the final password. Rapid hashing includes, for example, MD5 encryption, but is not limited thereto. Validate the user's identity by storing the username, salt and encrypted password on the server. Since it only stores the encrypted password on the server, even if an attacker tries to attack, it can only get the first temporary password, which needs to be further decrypted to get the user's plaintext password. Yes, the difficulty is maximum. The security of network data can be greatly improved, and user data can be effectively protected.

When verifying the user's login, the user enters a plaintext password. The corresponding encryption process is the same as described above, and it is determined whether the encrypted password calculated by the server matches the one stored in advance. If it is determined to match, the user can be proved to be a legal user. In addition, in order to further improve the security of the data, the salt may be constantly updated and generated, and the newly generated salt is shipped at the same time as the login occurs, and the corresponding first temporary password is calculated. As a result, the salt can be updated without making the user aware, and the user experience is improved.

The present invention presents a data protection method and system by edge computing for a huge data calculation problem of a big data network. Make the client an edge node and fully utilize the computing performance of the client. By executing slow hashing by the client in the process of data protection, the problem of heavy calculation load and easy collapse of the server is effectively solved. The present invention sets different encryption strengths for different application types for different users. This solves the problem of unnecessarily high calculation processing cost due to excessive encryption strength. An effective balance between data security and system cost. The present invention quantitatively evaluates the calculation performance of the client, determines whether to perform low-speed hashing on the local client depending on whether the encryption strength requirement and the calculation performance match, and performs low-speed hashing locally only when they match. This solves problems such as excessive slow processing speed and reduced client performance. The present invention screens the returned results of other clients and quantitatively evaluates the trust value of the client. Since the effect of the erroneous response on the confidence value is greater than the effect of the accurate response, the return error result from the bad user is avoided. This further improves the security of the data. In addition, incentive rules corresponding to the confidence value will be established. This improves the user's willingness to participate in low-speed hashing calculations. Furthermore, it restricts the user's response behavior. This improves the security of the system. The present invention uses a method of low-speed hashing of a client and high-speed hashing of a server to increase the attack cost of an attacker on data and strengthen the data protection.

It should be noted that the above are only better embodiments of the present invention and operational principles. Those skilled in the art may make various overt changes, readjustments, and substitutions without limiting the invention to the particular embodiments described herein and without departing from the scope of protection of the invention. You will understand what you can do. Therefore, although the present invention has been described in more detail by the above embodiments, the present invention is not limited to the above embodiments and more other equivalent embodiments without departing from the concept of the present invention. Forms can be included and the scope of the invention is determined by the appended claims.

Claims (2)

A system for protecting big data and network data by edge computing.
The first confirmation module that determines the calculation performance level of the client based on the basic information of the client,
Encryption based on the type of application connected to the client and the encryption strength plan
The second confirmation module that determines the strength requirement and
A decision module that randomly generates salts, determines if the client's computational performance level can meet the encryption strength requirements, calls the local encryption module if possible, and calls the selection module otherwise. ,
PBKDF2 hashing Argo of plaintext password entered by the client user
A person who uses the client by hashing using Nism to obtain the first temporary password.
A local encryption module that ships the name, salt and first temporary password to the server , and calls the storage module,
A person of the name using the client, the plain text password that you input from those who use the client, the salt and the encryption strength ships to the server, the server is connected to a plurality of server
And the selection module selects the client, the plain text password that you input from those who use the client, shipped to the selected clients Salt and encryption strength,
The plaintext password entered by the person who uses the client by the selected client is P.
BKDF2 Hashing A cooperative encryption module that hashes using algorithms to obtain a second temporary password and sends the second temporary password to the server.
After the server receives a plurality of second temporary passwords, a third confirmation module that confirms the first temporary password and
The server encrypts the first temporary password using MD5 encryption algorithm.
Includes the name of the person who gets the encrypted password and uses the client , the salt and the storage module that stores the encrypted password.
In the third confirmation module, the server receives each of the second temporary passwords it receives.
Statistically count the number of corresponding clients, determine if there are multiple second temporary passwords with the same number of corresponding clients and ranked first, and if not, the number of clients is the largest. 2 If the temporary password is used as the first temporary password and it is determined that there is one, the client with the highest reliability value, which is the accuracy rate of the response result of the corresponding client of the second temporary password, which has the same number and is ranked first, is shipped. If the second temporary password is the first temporary password and the second temporary password sent by the client matches the first temporary password, the response result of the client is accurate, otherwise the response result of the client is incorrect. Yes,
Further, the first confirmation module is
Clock frequency, word length, number of kernels, and memory capacity weights are respectively

,

,

,

Then

And the calculation performance value of the client is

However,

,

,

,

Are clock frequency, word length, number of kernels, and memory capacity, respectively.
Depending on the preset calculation performance level and its corresponding calculation performance value range, the clients are divided into appropriate calculation performance levels based on the calculation performance value.
A system for protecting big data and network data by edge computing. The encryption strength is the number of loop repeated encryptions, and the encryption strength plan is a client.
It is to set the encryption strength range in each kind of application by the person who uses the second confirmation module.
Determine the type of application connected to the client, call the encryption strength plan of the person who uses the client locally pre-stored in the client, determine the corresponding encryption strength range according to the application type, and determine the encryption strength range. Randomly select one of the encryption strength values to use as the encryption strength of the current data.
Furthermore, the trust value is adjusted by the server depending on whether the response result of the client is accurate, and the initial trust value at the time of registration of the client on the server is set.

age,
For the client's M-th response , if the response result is accurate, the client 's trust value adjustment value is

However,

Is the adjustment value of the client 's trust value when the Mth response result is accurate,

Is the number of times the response result is accurate in M responses,

Is the unit adjustment value of the confidence value when the response result is accurate,
Therefore, the trust value after the M-th response of the client user is accurate is

However,

Is the trust value after the Mth response of the client user,

Is the M-1 trust value of the client user after the first response,
For the client 's M-th response , if the response result is incorrect, the client trust value adjustment value is

Adjust with, however

Is the adjustment value of the client trust value when the result of the Mth response is incorrect,

Is the number of times the response result of the Mth response is incorrect,

Is the unit adjustment value of the confidence value when the response result is incorrect, and

age,
The trust value after the Mth response of the client user is incorrect

However,

Is the trust value after the Mth response of the client user,

Is the trust value after the M-1st response of the person who uses the client,
For the initial response of the client user , if the response result is accurate, the client trust value adjustment value is

Then, the adjusted client trust value is

Is. If the response result is incorrect, the client trust value adjustment value is

Then, the adjusted client trust value is

Will be
The big data / network data protection system by edge computing according to claim 1.

Images