CN110688662A - Sensitive data desensitization and inverse desensitization method and electronic equipment - Google Patents

Info

Publication number
CN110688662A
Authority
CN
China
Prior art keywords
desensitization
inverse
interface
sensitive data
target
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201910872140.0A
Other languages
Chinese (zh)
Inventor
姚树洪
鲜丹
郭君鹏
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Weifutong Technology Co Ltd
Original Assignee
Weifutong Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Weifutong Technology Co Ltd filed Critical Weifutong Technology Co Ltd
Priority to CN201910872140.0A priority Critical patent/CN110688662A/en
Publication of CN110688662A publication Critical patent/CN110688662A/en
Pending legal-status Critical Current

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/602Providing cryptographic facilities or services
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/62Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • G06F21/6245Protecting personal data, e.g. for financial or medical purposes
    • G06F21/6254Protecting personal data, e.g. for financial or medical purposes by anonymising data, e.g. decorrelating personal data from the owner's identification

Abstract

The embodiment of the invention relates to the technical field of computers, and discloses a sensitive data desensitization and inverse desensitization method and electronic equipment.

Description

Sensitive data desensitization and inverse desensitization method and electronic equipment
Technical Field
The invention relates to the technical field of computers, in particular to a sensitive data desensitization and inverse desensitization method and electronic equipment.
Background
In order to protect the security of user data and prevent user data from being leaked, some sensitive user data are often required not to be directly displayed on a user interface, such as an identification number, a mobile phone number, bank card information and the like.
A system often has very many pages that need to show this sensitive user data. For data security, the sensitive user data returned to the front end is transformed, and when the user data is returned to the back end, the transformed user data is restored to its true value. At present, the desensitization and inverse desensitization of user data are generally implemented with complex hard-coded logic, which is relatively invasive to the original business code logic.
Disclosure of Invention
The embodiment of the invention provides a sensitive data desensitization and inverse desensitization method and electronic equipment, which reduce the coupling degree of business code logic.
In order to solve the technical problems, the invention provides the following technical scheme:
in a first aspect, an embodiment of the present invention provides a method for desensitizing sensitive data, including:
weaving an AOP framework, wherein the AOP framework is configured with a desensitization object and a desensitization strategy;
intercepting a target desensitization interface matched with the desensitization object, wherein the target desensitization interface is output to the front end from the back end;
and carrying out desensitization treatment on the sensitive data carried in the target desensitization interface according to the desensitization strategy.
Optionally, the desensitization object includes a desensitization interface list, and the intercepting of the target desensitization interface matched with the desensitization object includes:
intercepting all interfaces;
and traversing all the interfaces and taking the interfaces that match the desensitization interfaces in the desensitization interface list as the target desensitization interfaces.
Optionally, the desensitizing processing of the sensitive data carried in the target desensitizing interface according to the desensitizing policy includes:
extracting the sensitive data in the target desensitization interface;
and carrying out desensitization treatment on the sensitive data according to the desensitization strategy.
Optionally, the desensitizing processing the sensitive data according to the desensitizing policy includes:
obtaining a desensitization strategy corresponding to the data type of the sensitive data;
desensitizing the sensitive data according to the desensitization strategy.
Optionally, the method further comprises:
encrypting the sensitive data using AES encryption techniques.
In a second aspect, an embodiment of the present invention provides a method for inverse desensitization of sensitive data, including:
weaving an AOP framework, wherein the AOP framework is configured with an inverse desensitization object and an inverse desensitization strategy;
intercepting a target inverse desensitization interface matched with the inverse desensitization object, wherein the target inverse desensitization interface is output to the back end from the front end;
and carrying out inverse desensitization treatment on the sensitive data carried in the target inverse desensitization interface according to the inverse desensitization strategy.
Optionally, the inverse desensitization object includes an inverse desensitization interface list, and the intercepting a target inverse desensitization interface matched with the inverse desensitization object includes:
intercepting all interfaces;
and traversing all the interfaces and taking the interfaces that match the inverse desensitization interfaces in the inverse desensitization interface list as the target inverse desensitization interfaces.
Optionally, the performing, according to the inverse desensitization policy, inverse desensitization processing on the sensitive data carried in the target inverse desensitization interface includes:
extracting the sensitive data in the target inverse desensitization interface;
and carrying out inverse desensitization treatment on the sensitive data according to the inverse desensitization strategy.
In a third aspect, an embodiment of the present invention provides an electronic device, including:
at least one processor; and
a memory communicatively coupled to the at least one processor; wherein the memory stores a program of instructions executable by the at least one processor to cause the at least one processor to perform a method of desensitizing sensitive data according to any of the above.
In a fourth aspect, an embodiment of the present invention provides an electronic device, including:
at least one processor; and
a memory communicatively coupled to the at least one processor; wherein the memory stores a program of instructions executable by the at least one processor to cause the at least one processor to perform a method of inverse desensitization of sensitive data according to any of the above.
Based on the technical scheme, the embodiment of the application provides a sensitive data desensitization and inverse desensitization method and electronic equipment.
Drawings
One or more embodiments are illustrated by way of example in the accompanying drawings, which correspond to the figures in which like reference numerals refer to similar elements and which are not to scale unless otherwise specified.
Fig. 1 is a system structure diagram of a method for desensitization and inverse desensitization of sensitive data according to an embodiment of the present invention;
FIG. 2a is a schematic flow chart of a method for desensitizing sensitive data according to an embodiment of the present invention;
FIG. 2b is a schematic flow chart of a method for desensitizing sensitive data according to an embodiment of the present invention;
FIG. 2c is a schematic flow chart of a method for desensitizing sensitive data according to an embodiment of the present invention;
FIG. 3a is a schematic flow chart of a method for inverse desensitization of sensitive data according to an embodiment of the present invention;
FIG. 3b is a schematic flow chart of a method for desensitizing sensitive data according to an embodiment of the present invention;
FIG. 3c is a schematic flow chart of a method for desensitizing sensitive data according to an embodiment of the present invention;
FIG. 3d is a schematic diagram of data desensitization and inverse desensitization provided by embodiments of the present invention;
fig. 4 is a schematic structural diagram of an electronic device according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the present invention is described in further detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit the invention.
Referring to FIG. 1, FIG. 1 is a block diagram of the system structure for the sensitive data desensitization and inverse desensitization method according to an embodiment of the present invention. As shown in FIG. 1, the system 100 includes three layers: a display layer 101, a cross-cutting layer 102 and a control layer 103, wherein data interaction between the display layer 101 and the control layer 103 passes through the cross-cutting layer 102.
The display layer 101 is a human-computer interaction interface used for displaying background data, such as user information data, including user account, password, mailbox, bank card account data, and the like. It is also used for collecting the user's operation information: for example, the user modifies the mailbox data through an input operation on the human-computer interaction interface and saves it, and after the human-computer interaction interface collects the user's input operation and save operation, the modified data is sent to the back end for updating and storing.
In some embodiments, the display layer 101 may be a web HTML interface, and the user logs in to the web HTML interface containing the user information through a user account, where the user data may be output to the web HTML interface through a background template, or the user data may be returned through an Ajax interface and rendered to the web HTML interface by a front end. In the web HTML interface, a user may perform a user operation through a mouse or a keyboard, for example, the user clicks a user information input box with the mouse to obtain an editing right of the input box, and types a related editing content through the keyboard, and the web HTML interface obtains the editing content and then sends the editing content to the back end for updating and saving.
In some embodiments, the display layer 101 may also be the interface of any of various applications installed on the terminal, and the user logs in to the application through account authorization. Generally, for account authorization, a user account may be registered with a mobile phone number or a mailbox for authorized login, or login may be authorized through a trusted account or a QQ account that is already logged in locally on the terminal. After the user logs in through account authorization, the display layer 101 displays the relevant content and the user information of the application, and the user can view the user information by clicking or sliding, edit the user information by input, and send the edited data to the back end for updating and saving.
The cross-cutting layer 102 is configured to intercept interfaces carrying sensitive data. Sensitive data refers to personal data of a user whose leakage affects data security; for example, if the user password is leaked, the account may be illegally logged in to, and other information under the account may even be modified and leaked. The interfaces intercepted by the cross-cutting layer 102 include interfaces sent by the display layer 101 to the control layer 103: for example, the display layer 101 sends the user's account password to the back end through an interface, and if the cross-cutting layer 102 intercepts the interface and detects that it carries sensitive data, the sensitive data is extracted and processed accordingly and then sent to the back end. They also include interfaces sent by the control layer 103 to the display layer 101: for example, the back end responds to a user login request and the control layer 103 sends the user information corresponding to the user account to the display layer 101 through an interface for display; the cross-cutting layer 102 intercepts the interface, detects that it carries sensitive data, extracts and processes the sensitive data accordingly, and sends it to the display layer 101 for display.
In some embodiments, in order to reduce the coupling between business logic code, the cross-cutting layer 102 employs Aspect Oriented Programming (AOP), which extracts an aspect of business processing and encapsulates logic or responsibilities that are not related to the business but are commonly invoked by business modules, such as transaction processing, log management, and authority control, so as to reduce duplicated code in the system and reduce the coupling between business logic. In this application, the AOP technology adopted in the cross-cutting layer 102 encapsulates modules such as the interception of interfaces carrying sensitive data and the desensitization and inverse desensitization strategies for sensitive data, so as to intercept and process the sensitive data accordingly. For example, if sensitive data destined for display on the display layer 101 is intercepted, the cross-cutting layer 102 desensitizes it and sends the desensitized data to the display layer 101 for display; if sensitive data sent by the display layer 101 to the back end for storage is intercepted, the cross-cutting layer 102 performs inverse desensitization on it to obtain plaintext data, and then sends the plaintext data to the back end for updating and storage.
The control layer 103 is configured to encapsulate the sensitive data into an interface and to send the sensitive data through that interface. The sensitive data may be user data output by the back end to the front end for presentation, or user data restored to plaintext by inverse desensitization in the cross-cutting layer 102 after the front end has finished presenting the desensitized data.
For the specific processes of desensitization and inverse desensitization, reference may be made to the following descriptions of the embodiments, and the methods for desensitization and inverse desensitization of sensitive data provided in the present application may also be applied to the system.
In a first aspect, please continue to refer to fig. 2a, fig. 2a is a schematic flow chart of a method for desensitizing sensitive data according to an embodiment of the present invention, as shown in fig. 2a, the method includes the following steps:
S21, weaving an AOP framework, the AOP framework being configured with a desensitization object and a desensitization strategy;
Weaving can be understood as the AOP framework cutting across the business processing logic: the point where it cuts across is a cross-cutting concern of the AOP framework, and by merging the cross-cutting concern into the system, the other functions to be implemented are woven into the business processing logic, which completes the weaving of the AOP framework. Weaving the AOP framework has no influence on the original business logic, and the cross-cutting concern is modularized when it is woven into the system.
In this application, an AOP framework is woven in to intercept the interfaces, and a desensitization object and a desensitization strategy are pre-configured in the AOP framework according to business requirements. The desensitization object is the set of interfaces that need desensitization processing, and the desensitization strategy is the desensitization scheme configured according to the type of each interface in the interface set.
In some embodiments, the AOP framework may dynamically configure desensitization objects and desensitization strategies. For example, desensitization objects may be added dynamically, or the desensitization level may be raised by modifying the desensitization strategy. For example, if the application requires the user to bind a mobile phone number to the user account to improve login security, the AOP framework needs to add interception of the mobile phone number object and a desensitization strategy corresponding to the mobile phone number. For another example, to increase the degree of desensitization of the bank card number, the desensitized field length of the bank card number is increased from 6 digits to 10 digits to ensure the security of the data.
S22, intercepting a target desensitization interface matched with the desensitization object, wherein the target desensitization interface is output to the front end from the back end;
and S23, performing desensitization processing on the sensitive data carried in the target desensitization interface according to the desensitization strategy.
It will be appreciated that not all interfaces intercepted by AOP are target desensitization interfaces. AOP matches each intercepted interface against the desensitization object, where matching can be understood as comparing it one by one with the interfaces in the desensitization object to determine whether it is a desensitization interface pre-configured in the desensitization object; if so, the interface is a target desensitization interface.
In some embodiments, a sensivedata attribute is set in the interface; if, after the AOP framework intercepts the interface, sensitive data carried in the sensivedata attribute is detected, the interface is the target desensitization interface.
Generally, the target desensitization interface is triggered by the back end in response to a user request and is used for transmitting display data. The display data includes sensitive data, which includes, but is not limited to, user data whose leakage affects data security, such as information closely related to an individual: the user's login password, identification number, mobile phone number, and bank card number. Desensitization refers to modifying part of the fields of sensitive data according to a desensitization strategy, for example displaying part of the fields of the sensitive data as "+" signs in place of the real data, so that the real data is hidden and protected.
In some embodiments, the desensitization strategy may be customized according to the type of sensitive data. For example, if the sensitive data is the login password, the desensitization strategy for the login password is to desensitize all fields of the password, that is, the displayed password data consists entirely of "*"; for another example, if the sensitive data is a bank card number, the desensitization strategy for the bank card number is to desensitize the data in 9 fields starting from the fourth digit of the bank card number, that is, the bank card number is shown as "6226*********431".
In other embodiments, the desensitization strategy may also be customized according to the desensitization level. The desensitization level may be set by the user through an application interface, or may be assigned by the back end according to the user's score or usage record; the method of dividing desensitization levels is not specifically limited here. The desensitization level can be understood as the degree of desensitization of sensitive data. Taking a bank card number as an example, the desensitization level is divided into level one, level two and level three. If the desensitization level is level one, the corresponding desensitization strategy is to desensitize the data of 5 fields starting from the 6th digit of the bank card number, that is, the displayed bank card number is "622623*****00431"; if the desensitization level is level two, the corresponding desensitization strategy is to desensitize the data of 7 fields starting from the 5th digit of the bank card number, that is, the displayed bank card number is "62262*******0431"; if the desensitization level is level three, the corresponding desensitization strategy is to desensitize the data of 9 fields starting from the 4th digit of the bank card number, that is, the bank card number is displayed as "6226*********431".
In this embodiment, by weaving an AOP framework, and presetting a desensitization object and a desensitization policy corresponding to the desensitization object in the AOP framework, an interface passing through the AOP framework is intercepted according to the desensitization object and a target desensitization interface requiring desensitization is matched, and desensitization processing is completed on sensitive data carried in the target desensitization interface according to the corresponding desensitization policy, so that security of the sensitive data is ensured, and coupling degree of logic codes is reduced.
In some embodiments, referring to fig. 2b, step S22 includes the following steps:
S221, intercepting all interfaces;
S222, traversing all the interfaces and taking those that match the desensitization interfaces in the desensitization interface list as the target desensitization interfaces.
In this application, the desensitization object may be understood as a configuration file of the desensitization object defined in the AOP architecture, where an interface that needs to be desensitized is preset in the configuration file. It can be appreciated that the configuration file can be dynamically adjusted according to business requirements. The AOP framework intercepts all the interfaces passing through the framework, compares all the interfaces with the interfaces in the configuration file one by one, and takes the successfully matched interfaces as target desensitization interfaces.
In some embodiments, the type information of the interface in the desensitized object is dynamically acquired by a reflection technique, the type of the intercepted interface is matched with the type of the interface in the desensitized object, and if the types are consistent, the interface is the target desensitized interface.
In this embodiment, a configuration file of a desensitization object is preset in the AOP framework, the intercepted interfaces are compared with the interfaces in the configuration file one by one, and the successfully matched interface is used as a target desensitization interface, so that the accuracy of obtaining the target desensitization interface is improved.
After acquiring the target desensitization interface, in some embodiments, referring to fig. 2c, step S23 includes the following steps:
S231, extracting the sensitive data in the target desensitization interface;
and S232, desensitizing the sensitive data according to the desensitizing strategy.
Desensitization processing refers to modifying partial fields of sensitive data according to a desensitization strategy, namely, deforming partial fields of some sensitive data according to the desensitization strategy under the condition of keeping original characteristics of the data, so that reliable protection of sensitive private data is realized.
In some embodiments, part of the fields are replaced with symbols to achieve data desensitization. Part of the fields of the sensitive data are shown as symbols, where the symbols include but are not limited to "#" and the like. If the mobile phone number is desensitized with the symbol "*", the mobile phone number after desensitization is 152******12, and if the mobile phone number is desensitized with the symbol "#", the mobile phone number after desensitization is 152# # # # # # # # # 12.
In other embodiments, the sensitive data is encrypted by an encryption technique, which includes symmetric encryption, for example, encrypting the sensitive data according to the attribute name AES (original value + random number); MD5 may also be used to encrypt sensitive data and store the encrypted value on the sensitdata attribute. For example, the original data of the identification number is "123456789", and the identification number displayed after encryption is "#% yhopl2d 5".
In some embodiments, the sensitive data is desensitized according to a desensitization policy by obtaining the desensitization policy corresponding to a data type of the sensitive data.
It is understood that sensitive data differs in its constituent symbols and/or length according to data type; for example, mobile phone number data is composed of 11 digits, and the identification number is composed of 18 digits and/or letters. In this application, to accommodate desensitization of data of various types, multiple desensitization strategies are customized: for example, a mobile phone number desensitization strategy for mobile phone numbers, an identity card number desensitization strategy for identity card numbers, and a bank card number desensitization strategy for bank card numbers. The desensitization rule of the mobile phone number desensitization strategy is to desensitize the middle 6 digits starting from the 4th digit of the mobile phone number, and the mobile phone number after desensitization is 152******12; the desensitization rule of the bank card number desensitization strategy is to desensitize the middle 9 digits starting from the 4th position of the bank card number, and the desensitized bank card number is 622*********1542.
In the embodiment, the sensitive data in the target desensitization interface is extracted, and desensitization processing is performed according to the desensitization strategy corresponding to the data type of the sensitive data, that is, multiple desensitization strategies are provided to desensitize different types of data, and desensitization flexibility is provided.
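Steps S21 to S23 and the type-based and level-based strategies above, as an added example that is not code from the patent: a wrapper plays the role of the woven aspect, matches each intercepted interface against a configured list, and masks the fields of matching responses. The class, interface paths, field names and sample record are constructed for illustration, and fully masking a sensitive field that has no strategy is an assumption of this example.

```python
from functools import wraps


def mask(value, keep_prefix, mask_len, symbol="*"):
    """Replace up to mask_len characters after the first keep_prefix with symbol."""
    end = min(len(value), keep_prefix + mask_len)
    return value[:keep_prefix] + symbol * (end - keep_prefix) + value[end:]


# Bank card levels from the text: level -> (digits kept in front, digits masked).
BANK_CARD_LEVELS = {1: (6, 5), 2: (5, 7), 3: (4, 9)}


def phone_policy(value, level):
    return mask(value, 3, 6)                       # keep 3, mask the middle 6


def bank_card_policy(value, level):
    return mask(value, *BANK_CARD_LEVELS[level])


class DesensitizationAspect:
    """Stand-in for the woven AOP framework (hypothetical name)."""

    def __init__(self, interfaces, field_types, policies, level=3):
        self.interfaces = set(interfaces)   # desensitization object: interface list
        self.field_types = field_types      # field name -> data type
        self.policies = policies            # data type -> desensitization strategy
        self.level = level                  # desensitization level

    def desensitize(self, data):
        """Return a masked copy; nested dicts and lists are walked recursively."""
        if isinstance(data, dict):
            out = {}
            for key, value in data.items():
                dtype = self.field_types.get(key)
                if dtype and isinstance(value, str):
                    policy = self.policies.get(dtype)
                    # Assumption: a sensitive type without a strategy is fully
                    # masked rather than returned in clear (fail closed).
                    out[key] = policy(value, self.level) if policy else "*" * len(value)
                else:
                    out[key] = self.desensitize(value)
            return out
        if isinstance(data, list):
            return [self.desensitize(item) for item in data]
        return data

    def weave(self, interface_name):
        """Wrap a handler; the handler's own business logic is not modified."""
        def decorator(handler):
            @wraps(handler)
            def wrapper(*args, **kwargs):
                result = handler(*args, **kwargs)          # every call is intercepted
                if interface_name not in self.interfaces:  # S22: match against the list
                    return result
                return self.desensitize(result)            # S23: apply the strategy
            return wrapper
        return decorator


# Constructed configuration and sample data.
aspect = DesensitizationAspect(
    interfaces=["/user/profile"],
    field_types={"phone": "phone", "bank_card": "bank_card", "id_number": "id_number"},
    policies={"phone": phone_policy, "bank_card": bank_card_policy},
)


@aspect.weave("/user/profile")
def get_profile():
    return {
        "name": "alice",
        "phone": "15212345612",
        "id_number": "000000200001010000",
        "cards": [{"bank_card": "6226231234500431"}],
    }


@aspect.weave("/user/export")
def export_profile():
    # Intercepted, but not in the desensitization interface list until it is added.
    return {"phone": "15212345612"}


if __name__ == "__main__":
    print(get_profile())
    print(export_profile())
```

Adding `"/user/export"` to `aspect.interfaces` at run time corresponds to the dynamic configuration described for the desensitization object.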
After a user views or modifies user data, the data is returned from the display layer to the back end for updating and storage. Because part of the user data is sensitive data, the AOP framework desensitizes it before it enters the display layer for display; that is, if the desensitized data is not subjected to inverse desensitization, it is invalid data and cannot be updated and stored at the back end. In some embodiments, please refer to FIG. 3a, which is a schematic flowchart of a method for inverse desensitization of sensitive data according to an embodiment of the present invention. As shown in FIG. 3a, the method includes the following steps:
S31, weaving an AOP framework, wherein the AOP framework is configured with an inverse desensitization object and an inverse desensitization strategy;
The AOP framework described in this embodiment is the same framework as the AOP framework involved in the sensitive data desensitization method; please refer to the related description in the above embodiments, and its details are not repeated here.
In this embodiment, the AOP framework is pre-configured with an inverse desensitization object and an inverse desensitization policy according to service requirements, where the inverse desensitization object is an interface set that needs inverse desensitization processing, and the inverse desensitization policy is a scheme for inverse desensitization configured according to the type of each interface in the interface set.
It can be understood that because desensitization and inverse desensitization of sensitive data correspond to each other, if data enters the display layer after being desensitized in the AOP framework, it needs to be inversely desensitized into plaintext before it can be stored when it returns from the display layer to the back end. For example, the mobile phone number data after desensitization is 152******12; when the data is returned to the back end, if inverse desensitization is not performed, the mobile phone number received at the back end is the desensitized data. Therefore, in order to ensure the accuracy of the data, the desensitized data needs to be restored.
In some embodiments, the AOP framework can dynamically configure inverse desensitization objects and inverse desensitization strategies. Dynamic configuration refers to dynamically adjusting the inverse desensitization object and the inverse desensitization strategy according to the desensitization object and the desensitization strategy. For example, when interception of the mobile phone number object and a desensitization strategy corresponding to the mobile phone number are added in the AOP framework, interception of the mobile phone number as an inverse desensitization object and an inverse desensitization strategy corresponding to the mobile phone number are added correspondingly.
S32, intercepting a target inverse desensitization interface matched with the inverse desensitization object, wherein the target inverse desensitization interface is output from the front end to the back end;
and S33, carrying out inverse desensitization treatment on the sensitive data carried in the target inverse desensitization interface according to the inverse desensitization strategy.
AOP matches each intercepted interface output from the front end to the back end against the inverse desensitization object, where matching can be understood as comparing it one by one with the interfaces in the inverse desensitization object to determine whether it is an inverse desensitization interface pre-configured in the inverse desensitization object; if so, the interface is a target inverse desensitization interface.
In some embodiments, a sensivedata attribute is set in the interface; if, after the AOP framework intercepts the interface, inverse sensitive data carried in the sensivedata attribute is detected, the interface is the target inverse desensitization interface.
The inverse desensitization strategy is the opposite of the desensitization strategy: the desensitization strategy defines a plurality of strategies according to different data types, and the inverse desensitization strategy defines a corresponding recovery method according to the desensitization strategy of the data. For example, when the bank card number after symbol-replacement desensitization is "6226*********431", the data of the middle symbol field is recovered according to the inverse desensitization strategy corresponding to the data.
In some embodiments, the sensitive data carried in the target inverse desensitization interface is plaintext data. Some applications support the user modifying and saving the sensitive data through input; in that case the display layer sends the modified plaintext data to the back end, the sensitive data received in the AOP framework is plaintext data, and it is sent directly to the back end for updating and storage without inverse desensitization.
Because data desensitization and inverse desensitization are corresponding processes, for the customization of inverse desensitization objects and strategies, reference may be made to the embodiments of desensitization objects and desensitization strategies, which will not be described in detail here.
In this embodiment, by weaving an AOP framework, presetting an inverse desensitization object and an inverse desensitization strategy corresponding to the inverse desensitization object in the AOP framework, intercepting an interface passing through the AOP framework according to the inverse desensitization object and matching a target inverse desensitization interface requiring inverse desensitization, and completing inverse desensitization processing on inverse sensitive data carried in the target inverse desensitization interface according to the corresponding inverse desensitization strategy, accuracy of the sensitive data is ensured, and coupling degree of logic codes is reduced.
In some embodiments, referring to fig. 3b, step S32 includes the following steps:
S321: intercepting all interfaces;
S322: traversing all the interfaces and taking those that match an inverse desensitization interface in the inverse desensitization interface list as the target inverse desensitization interfaces.
In this application, the inverse desensitization object may be understood as a configuration file of the inverse desensitization object defined in the AOP framework, in which the interfaces that require inverse desensitization are preset. The configuration file can be adjusted dynamically according to business requirements. The AOP framework intercepts all interfaces that pass through it, compares them one by one with the interfaces in the configuration file, and takes the successfully matched interfaces as target inverse desensitization interfaces.
In this embodiment, a configuration file of the inverse desensitization object is preset in the AOP framework, the intercepted interfaces are compared with the interfaces in the configuration file one by one, and the successfully matched interface is used as the target inverse desensitization interface, so that the accuracy of obtaining the target inverse desensitization interface is improved.
After acquiring the target inverse desensitization interface, in some embodiments, referring to fig. 3c, step S33 includes the following steps:
S331: extracting the sensitive data in the target inverse desensitization interface;
S332: performing inverse desensitization processing on the sensitive data according to the inverse desensitization strategy.
Inverse desensitization processing restores the hidden fields to the real data. Data desensitization and inverse desensitization are strongly corresponding processes: for example, if data is desensitized using AES encryption, inverse desensitization uses AES decryption to restore the desensitized data. For how inverse desensitization is performed on sensitive data according to an inverse desensitization strategy, refer to the desensitization method embodiments above; it is not described in detail here.
In this embodiment, the sensitive data in the target inverse desensitization interface is extracted and inversely desensitized according to the inverse desensitization strategy corresponding to its data type. Providing multiple inverse desensitization strategies for different types of data makes inverse desensitization flexible.
To show more clearly how data changes during desensitization and inverse desensitization and which strategies are used, refer to fig. 3d. Data 301 is the user data before desensitization. Desensitizing data 301 produces data 302, which is the data displayed on the user interface; after inverse desensitization, data 302 is restored to the original data and sent to the back end to update and store the user data. Data 301 contains user data of several data types: the user's real name, identity number, mobile phone number, account number, password and address. The user data shown in data 302 indicates that different desensitization methods are applied to different data types, that is, the desensitized field and its length differ by data type. For example, the user's real name is desensitized from position 2; the desensitized field of the mobile phone number is the middle 6 digits starting from the 4th digit; and the password is desensitized in all fields. Because inverse desensitization restores data that has been desensitized, its method and strategy should follow the desensitization method and strategy so that user data is restored accurately.
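The flow of steps S32/S33 with the fig. 3d masking rules and the plaintext pass-through case, as an added example that is not code from the patent: a Python decorator stands in for the woven AOP aspect. The interface names, the sample record, and the choice to restore a masked field from the stored plaintext after checking its visible characters are assumptions.

```python
import functools

MASK = "*"

# data type -> (index of first masked character, masked length; None = to the end).
# Follows the fig. 3d description: name from position 2, phone number 6 digits
# starting at the 4th digit, password in full.
POLICIES = {"name": (1, None), "phone": (3, 6), "password": (0, None)}

# Assumed configuration (not from the patent): interface name -> {field: data type}.
FIELDS = {"name": "name", "phone": "phone", "password": "password"}
DESENSITIZE_INTERFACES = {"get_user": FIELDS}    # back end -> front end
INVERSE_INTERFACES = {"update_user": FIELDS}     # front end -> back end

# Constructed back-end record holding the plaintext.
DB = {7: {"name": "Alice Wong", "phone": "15212345612", "password": "s3cret!"}}


def desensitize(value, data_type):
    """Replace the field selected by the data type's strategy with mask symbols."""
    start, length = POLICIES[data_type]
    end = len(value) if length is None else min(len(value), start + length)
    return value[:start] + MASK * (end - start) + value[end:]


def inverse_desensitize(value, data_type, stored):
    """Restore a value returning from the front end.

    Assumption: a mask cannot be reversed on its own, so the hidden field is
    taken from the stored plaintext, and only if the visible characters agree.
    """
    if MASK not in value:
        return value                      # user typed new plaintext: pass through
    if value != desensitize(stored, data_type):
        raise ValueError(f"masked {data_type} does not match the stored record")
    return stored


def aspect(interface):
    """Stand-in for the woven aspect: intercepts a handler by interface name."""
    def weave(handler):
        @functools.wraps(handler)
        def around(user_id, payload=None):
            inbound = INVERSE_INTERFACES.get(interface)
            if inbound and payload is not None:
                payload = {k: inverse_desensitize(v, inbound[k], DB[user_id][k])
                           if k in inbound else v for k, v in payload.items()}
            result = handler(user_id, payload)
            outbound = DESENSITIZE_INTERFACES.get(interface)
            if outbound and isinstance(result, dict):
                result = {k: desensitize(v, outbound[k]) if k in outbound else v
                          for k, v in result.items()}
            return result
        return around
    return weave


@aspect("get_user")
def get_user(user_id, payload=None):
    return dict(DB[user_id])


@aspect("update_user")
def update_user(user_id, payload=None):
    DB[user_id].update(payload)
    return "ok"


@aspect("get_user_raw")    # in neither list, so the aspect leaves it untouched
def get_user_raw(user_id, payload=None):
    return dict(DB[user_id])
```

An interface that is missing from both lists passes through untouched, so the configured lists have to cover every interface that carries these fields.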
In some embodiments, referring to fig. 4, which is a schematic diagram of the hardware structure of an electronic device 400 that performs the above sensitive data desensitization and inverse desensitization methods according to an embodiment of the present application, the electronic device 400 includes:
one or more processors 401 and a memory 402, one processor 401 being exemplified in fig. 4.
The processor 401 and the memory 402 may be connected by a bus or other means, such as the bus connection in fig. 4.
The memory 402, which is a non-volatile computer-readable storage medium, may be used to store non-volatile software programs, non-volatile computer-executable programs, and modules, such as program instructions/modules corresponding to the sensitive data desensitization and inverse desensitization methods in the embodiments of the present application. The processor 401 executes the nonvolatile software program, instructions and modules stored in the memory 402 to execute various functional applications and data processing of the server, that is, to implement the method for desensitizing sensitive data and performing inverse desensitization of sensitive data according to the above method embodiments.
The memory 402 may include a storage program area and a storage data area, wherein the storage program area may store an operating system, an application program required for at least one function; the storage data area may store data created according to the use of the sensitive data desensitization and inverse desensitization apparatuses, and the like. Further, the memory 402 may include high speed random access memory, and may also include non-volatile memory, such as at least one magnetic disk storage device, flash memory device, or other non-volatile solid state storage device. In some embodiments, memory 402 may optionally include memory located remotely from processor 401, and these remote memories may be connected to the sensitive data desensitization and inverse desensitization devices via a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.
The one or more modules are stored in the memory 402 and, when executed by the one or more processors 401, perform the sensitive data desensitization and inverse desensitization methods of any of the method embodiments described above, e.g., performing the method steps of fig. 2a to 3c described above.
The electronic device of the embodiments of the present application exists in various forms, including but not limited to:
(1) A server, whose architecture is similar to that of a general-purpose computer but which, because it must provide highly reliable services, has higher requirements for processing capability, stability, reliability, security, scalability, manageability and the like.
(2) Other electronic devices with data interaction functions.
Embodiments of the present application provide a non-transitory computer-readable storage medium having stored thereon computer-executable instructions for execution by one or more processors, e.g., to perform the method steps of fig. 2a to 3c described above.
Embodiments of the present application provide a computer program product comprising a computer program stored on a non-transitory computer readable storage medium, the computer program comprising program instructions which, when executed by a computer, cause the computer to perform the method of desensitization and inverse desensitization of sensitive data in any of the above-described method embodiments, e.g., to perform the method steps of fig. 2a to 3c described above.
The above-described embodiments of the apparatus are merely illustrative, and the units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of the present embodiment.
Through the above description of the embodiments, those skilled in the art will clearly understand that each embodiment can be implemented by software plus a general hardware platform, and certainly can also be implemented by hardware. It will be understood by those skilled in the art that all or part of the processes of the methods of the embodiments described above can be implemented by hardware related to instructions of a computer program, which can be stored in a computer readable storage medium, and when executed, can include the processes of the embodiments of the methods described above. The storage medium may be a magnetic disk, an optical disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), or the like.
Finally, it should be noted that: the above examples are only intended to illustrate the technical solution of the present invention, but not to limit it; within the idea of the invention, also technical features in the above embodiments or in different embodiments may be combined, steps may be implemented in any order, and there are many other variations of the different aspects of the invention as described above, which are not provided in detail for the sake of brevity; although the present invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; and the modifications or the substitutions do not make the essence of the corresponding technical solutions depart from the scope of the technical solutions of the embodiments of the present application.

Claims (10)

1. A method of desensitizing sensitive data, comprising:
weaving in an AOP framework, wherein the AOP framework is provided with a desensitization object and a desensitization strategy;
intercepting a target desensitization interface matched with the desensitization object, wherein the target desensitization interface is output from the back end to the front end;
and performing desensitization processing on the sensitive data carried in the target desensitization interface according to the desensitization strategy.
2. The method of claim 1, wherein the desensitization object contains a desensitization interface list, and wherein intercepting a target desensitization interface matched with the desensitization object comprises:
intercepting all interfaces;
and traversing all the interfaces and taking the interfaces that match a desensitization interface in the desensitization interface list as the target desensitization interfaces.
3. The method according to claim 1, wherein performing desensitization processing on the sensitive data carried in the target desensitization interface according to the desensitization strategy comprises:
extracting the sensitive data in the target desensitization interface;
and carrying out desensitization treatment on the sensitive data according to the desensitization strategy.
4. The method of claim 3, wherein performing desensitization processing on the sensitive data according to the desensitization strategy comprises:
obtaining a desensitization strategy corresponding to the data type of the sensitive data;
desensitizing the sensitive data according to the desensitization strategy.
5. The method of claim 4, further comprising:
encrypting the sensitive data using AES encryption techniques.
6. A method of inverse desensitization of sensitive data, comprising:
weaving in an AOP framework, wherein the AOP framework is provided with an inverse desensitization object and an inverse desensitization strategy;
intercepting a target inverse desensitization interface matched with the inverse desensitization object, wherein the target inverse desensitization interface is output from the front end to the back end;
and performing inverse desensitization processing on the sensitive data carried in the target inverse desensitization interface according to the inverse desensitization strategy.
7. The method of claim 6, wherein the inverse desensitization object contains an inverse desensitization interface list, and wherein intercepting a target inverse desensitization interface matched with the inverse desensitization object comprises:
intercepting all interfaces;
and traversing all the interfaces and taking the interfaces that match an inverse desensitization interface in the inverse desensitization interface list as the target inverse desensitization interfaces.
8. The method according to claim 6, wherein performing inverse desensitization processing on the sensitive data carried in the target inverse desensitization interface according to the inverse desensitization strategy comprises:
extracting the sensitive data in the target inverse desensitization interface;
and carrying out inverse desensitization treatment on the sensitive data according to the inverse desensitization strategy.
9. An electronic device, characterized in that the electronic device comprises:
at least one processor; and
a memory communicatively coupled to the at least one processor; wherein the memory stores a program of instructions executable by the at least one processor to cause the at least one processor to perform a method of desensitizing sensitive data according to any of claims 1-5.
10. An electronic device, characterized in that the electronic device comprises:
at least one processor; and
a memory communicatively coupled to the at least one processor; wherein the memory stores a program of instructions executable by the at least one processor to cause the at least one processor to perform a method of inverse desensitization of sensitive data according to any of claims 6-8.
CN201910872140.0A 2019-09-16 2019-09-16 Sensitive data desensitization and inverse desensitization method and electronic equipment Pending CN110688662A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910872140.0A CN110688662A (en) 2019-09-16 2019-09-16 Sensitive data desensitization and inverse desensitization method and electronic equipment


Publications (1)

Publication Number Publication Date
CN110688662A true CN110688662A (en) 2020-01-14

Family

ID=69109300

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910872140.0A Pending CN110688662A (en) 2019-09-16 2019-09-16 Sensitive data desensitization and inverse desensitization method and electronic equipment

Country Status (1)

Country Link
CN (1) CN110688662A (en)


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20200114
