CN104967601A - Data processing method and apparatus - Google Patents

Data processing method and apparatus Download PDF

Info

Publication number
CN104967601A
CN104967601A CN201510074112.6A CN201510074112A CN104967601A CN 104967601 A CN104967601 A CN 104967601A CN 201510074112 A CN201510074112 A CN 201510074112A CN 104967601 A CN104967601 A CN 104967601A
Authority
CN
China
Prior art keywords
user
data
pki
server
private key
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201510074112.6A
Other languages
Chinese (zh)
Inventor
刘畅
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Tencent Technology Shenzhen Co Ltd
Original Assignee
Tencent Technology Shenzhen Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Tencent Technology Shenzhen Co Ltd filed Critical Tencent Technology Shenzhen Co Ltd
Priority to CN201510074112.6A priority Critical patent/CN104967601A/en
Publication of CN104967601A publication Critical patent/CN104967601A/en
Pending legal-status Critical Current

Links

Landscapes

  • Storage Device Security (AREA)

Abstract

The invention discloses a data processing method and apparatus, and belongs to the technical field of Internet. The method comprises the following steps: receiving a corresponding relation between a user identification and a public key, sent by a secret key management server, wherein the public key is generated by the secret key management server for a registered user of a specific server; when user data sent by the user is obtained, obtaining the public key corresponding to the user identification of the user; based on the public key corresponding to the user identification of the user, encrypting the user data of the user to obtain encrypted data; and storing the encrypted data. According to the invention, based on the received corresponding relation between the user identification of the user and the public key, the public key corresponding to the user identification is obtained, the user data is encrypted by use of the public key, and accordingly, the encrypted data is stored, such that the user, after obtaining the encrypted data, cannot read the data directly, and the data storage security is improved.

Description

Data processing method and device
Technical field
The present invention relates to Internet technical field, particularly a kind of data processing method and device.
Background technology
Along with the development of Internet technology, increasing user obtains service by website.For the ease of user's inquiry, website can relate to the process of the interaction data to user usually.Due to the privacy of user may be related in data processing, such as, telephone number, bank's card number, password etc., and after these interaction datas are stolen from server by network hacker, directly can read, and then cause the leakage of privacy of user, the information security of user can not be ensured, therefore, the data processing method providing a kind of fail safe higher is needed badly.
Summary of the invention
In order to solve the problem of correlation technique, embodiments provide a kind of data processing method and device.Described technical scheme is as follows:
First aspect, provides a kind of data processing method, and described method comprises:
Receive the user ID of Key Management server transmission and the corresponding relation of PKI, the registered user that described PKI is given server by described Key Management server generates;
When getting the user data that user sends, from the corresponding relation of described user ID and PKI, obtain the PKI that the user ID of described user is corresponding;
Based on the PKI that the user ID of described user is corresponding, the user data of described user is encrypted, obtains enciphered data;
Described enciphered data is stored.
Second aspect, provides a kind of data processing method, and described method comprises:
Receive the private key that Key Management server sends, the registered user that described private key is given server by described Key Management server generates;
Send data inquiry request to described data storage server, described data inquiry request at least carries user ID and the querying condition of described user;
Receive the specific data that described data storage server returns, described specific data is extracted according to the user ID of described user and querying condition by described data storage server from enciphered data;
Based on described private key, described specific data is decrypted.
The third aspect, provides a kind of data processing method, and described method comprises:
When user registration success, obtain the user ID of described user;
For described user ID distributes a pair specific key pair, described specific key forms by PKI and private key;
The corresponding relation of described user ID and PKI is sent to data storage server, described private key is sent to described user, the data that described PKI is used for described data storage server corresponding to described user ID are encrypted, and described private key is used for described user to the decrypt data after encryption.
Fourth aspect, provides a kind of data processing method, and described method comprises:
When user registration success, obtain the user ID of described user;
For described user ID distributes a pair specific key pair, described specific key forms by PKI and private key;
Store the user ID of described user and the corresponding relation of PKI, described private key is sent to described user;
When getting the user data that described user sends, according to the corresponding relation of described user ID and PKI, obtain the PKI that the user ID of described user is corresponding;
Based on the PKI that the user ID of described user is corresponding, the user data of described user is encrypted, obtains enciphered data;
Described enciphered data is stored.
5th aspect, provides a kind of data processing method, and described method comprises:
Receive the private key that data processing server sends, the registered user that described private key is given server by described data management server generates;
Send data inquiry request to described data processing server, described data inquiry request at least carries described user ID and querying condition;
Receive the specific data that described data processing server returns, described specific data is extracted according to described user ID and querying condition by described data processing server from enciphered data;
Based on described private key, described specific data is decrypted.
6th aspect, provides a kind of data storage server, and described data storage server comprises:
First receiver module, for receiving the corresponding relation of user ID and PKI that Key Management server sends, described PKI is registered user's generation of given server by described Key Management server;
Acquisition module, for when getting the user data that user sends, from the corresponding relation of described user ID and PKI, obtains the PKI that the user ID of described user is corresponding;
Encrypting module, for the PKI that the user ID based on described user is corresponding, is encrypted the user data of described user, obtains enciphered data;
Memory module, for storing described enciphered data.
7th aspect, provides a kind of terminal, and described terminal comprises:
First receiver module, for receiving the private key that Key Management server sends, the registered user that described private key is given server by described Key Management server generates;
First sending module, for sending data inquiry request to described data storage server, described data inquiry request at least carries user ID and the querying condition of described user;
Second receiver module, for receiving the specific data that described data storage server returns, described specific data is extracted according to the user ID of described user and querying condition by described data storage server from enciphered data;
Deciphering module, for based on described private key, is decrypted described specific data.
Eighth aspect, provides a kind of Key Management server, and described Key Management server comprises:
Acquisition module, for when user registration success, obtains the user ID of described user;
Distribution module, for distributing a pair specific key pair for described user ID, described specific key forms by PKI and private key;
Sending module, for the corresponding relation of described user ID and PKI is sent to data storage server, described private key is sent to described user, the data that described PKI is used for described data storage server corresponding to described user ID are encrypted, and described private key is used for described user to the decrypt data after encryption.
9th aspect, provides a kind of data processing server, and described data processing server comprises:
First acquisition module, for when user registration success, obtains the user ID of described user;
Distribution module, for distributing a pair specific key pair for described user ID, described specific key forms by PKI and private key;
First memory module, for the corresponding relation of the user ID and PKI that store described user, is sent to described user by described private key;
Second acquisition module, for when getting the user data that described user sends, according to the corresponding relation of described user ID and PKI, obtains the PKI that the user ID of described user is corresponding;
Encrypting module, for the PKI that the user ID based on described user is corresponding, is encrypted the user data of described user, obtains enciphered data;
Second memory module, for storing described enciphered data.
Tenth aspect, provides a kind of terminal, and described terminal comprises:
First receiver module, for receiving the private key that data processing server sends, the registered user that described private key is given server by described data management server generates;
First sending module, for sending data inquiry request to described data processing server, described data inquiry request at least carries described user ID and querying condition;
Second receiver module, for receiving the specific data that described data processing server returns, described specific data is extracted according to described user ID and querying condition by described data processing server from enciphered data;
Deciphering module, for based on described private key, is decrypted described specific data.
The beneficial effect that the technical scheme that the embodiment of the present invention provides is brought is:
Data storage server receives the user ID of Key Management server transmission and the corresponding relation of PKI, and when getting the user data that user sends, from the corresponding relation of user ID and PKI, obtain the PKI that the user ID of user is corresponding, and then based on PKI corresponding to this user ID, the user data of user is encrypted, afterwards, enciphered data is stored.The present invention is based on the corresponding relation of user ID and the PKI received, obtain the PKI that user ID is corresponding, and adopt this PKI to be encrypted user data, and then storage encryption data, make user after getting enciphered data, directly cannot read, thus improve the fail safe storing data.
Accompanying drawing explanation
In order to be illustrated more clearly in the technical scheme in the embodiment of the present invention, below the accompanying drawing used required in describing embodiment is briefly described, apparently, accompanying drawing in the following describes is only some embodiments of the present invention, for those of ordinary skill in the art, under the prerequisite not paying creative work, other accompanying drawing can also be obtained according to these accompanying drawings.
Fig. 1 is the Organization Chart of a kind of data handling system that the embodiment of the present invention provides;
Fig. 2 is the Organization Chart of a kind of data handling system that the embodiment of the present invention provides;
Fig. 3 is the flow chart of a kind of data processing method that one embodiment of the invention provides;
Fig. 4 is the flow chart of a kind of data processing method that another embodiment of the present invention provides;
Fig. 5 is the flow chart of a kind of data processing method that another embodiment of the present invention provides;
Fig. 6 is the flow chart of a kind of data processing method that another embodiment of the present invention provides;
Fig. 7 is the flow chart of a kind of data processing method that another embodiment of the present invention provides;
Fig. 8 is the flow chart of a kind of data processing method that another embodiment of the present invention provides;
Fig. 9 is the flow chart of a kind of data processing method that another embodiment of the present invention provides;
Figure 10 is the structural representation of a kind of data storage server that another embodiment of the present invention provides;
Figure 11 is the structural representation of a kind of terminal that another embodiment of the present invention provides;
Figure 12 is the structural representation of a kind of Key Management server that another embodiment of the present invention provides;
Figure 13 is the structural representation of a kind of data processing server that another embodiment of the present invention provides;
Figure 14 is the structural representation of a kind of terminal that another embodiment of the present invention provides;
Figure 15 is the structural representation of a kind of terminal that another embodiment of the present invention provides;
Figure 16 is the block diagram of a kind of data processing equipment that another embodiment of the present invention provides.
Embodiment
For making the object, technical solutions and advantages of the present invention clearly, below in conjunction with accompanying drawing, embodiment of the present invention is described further in detail.
In embodiments of the present invention, given server can refer to a server cluster with multiple difference in functionality servers, under each server in this server cluster is in same account mechanism, given server also can refer to a separate server being integrated with multiple function.Be that a server cluster is described for given server, Fig. 1 shows a kind of Organization Chart of data handling system.This data handling system is made up of terminal 101 and Key Management server 102, data storage server 103.Wherein, terminal 101 can be smart mobile phone, panel computer etc., and Key Management server 102 is the server that in server cluster, two functions are different with data storage server 103.When the keeps of terminal 101 in server cluster succeeds in registration, Key Management server 102 can be the user ID succeeded in registration and distributes pair of secret keys.When the service server that terminal 101 is accessed in given server cluster generates user data, user data is sent to data storage server 103 by the service server in given server cluster, is encrypted storage by data storage server 103 pairs of user data.In addition, under this enforcement scene, terminal 101 communicates by cable network or wireless network with between Key Management server 102 and data storage server 103, communicates between Key Management server 102 with data storage server 103 by cable network or wireless network.
Be that an alone server is described for given server, Fig. 2 shows a kind of Organization Chart of data handling system, and this data handling system is made up of terminal 201 and data processing server 202.This terminal 201 has identical function with the terminal 101 in Fig. 1.This data processing server 202 has several functions, can be user's distributing user mark of successful registration, and is user ID distribution pair of secret keys, and then when getting the user data of registered user, is encrypted storage to the data got.In addition, under this enforcement scene, communicate by cable network or wireless network between terminal 201 with data processing server 202.
In conjunction with the implementation environment shown in above-mentioned Fig. 1, embodiments provide a kind of data processing method, see Fig. 3, the method flow that the present embodiment provides comprises:
301, receive the user ID of Key Management server transmission and the corresponding relation of PKI, the registered user that PKI is given server by Key Management server generates.
302, when getting the user data that user sends, from the corresponding relation of user ID and PKI, the PKI that the user ID of acquisition user is corresponding.
303, based on the PKI that the user ID of user is corresponding, the user data of user is encrypted, obtains enciphered data.
304, enciphered data is stored.
The method that the embodiment of the present invention provides, data storage server receives the user ID of Key Management server transmission and the corresponding relation of PKI, and when getting the user data that user sends, from the corresponding relation of user ID and PKI, obtain the PKI that the user ID of user is corresponding, and then based on PKI corresponding to the user ID of user, the user data of user is encrypted, afterwards, enciphered data is stored.The present invention is based on the corresponding relation of user ID and the PKI received, obtain the PKI that user ID is corresponding, and adopt this PKI to be encrypted user data, and then storage encryption data, make user after getting enciphered data, directly cannot read, thus improve the fail safe storing data.
In another embodiment of the present invention, after enciphered data is stored, also comprise:
Receive the data inquiry request of user, in data inquiry request, at least carry user ID and querying condition;
According to user ID and the querying condition of user, from enciphered data, filter out specific data;
Specific data is sent to user.
Above-mentioned all alternatives, can adopt and combine arbitrarily formation optional embodiment of the present invention, this is no longer going to repeat them.
In conjunction with the implementation environment shown in above-mentioned Fig. 1, embodiments provide a kind of data processing method, see Fig. 4, the method flow that the present embodiment provides comprises:
401, receive the private key that Key Management server sends, the registered user that private key is given server by Key Management server generates.
402, send data inquiry request to data storage server, data inquiry request at least carries user ID and the querying condition of user.
403, receive the specific data that data storage server returns, specific data is extracted according to the user ID of user and querying condition by data storage server from enciphered data.
404, based on private key, specific data is decrypted.
The method that the embodiment of the present invention provides, terminal receives the private key that Key Management server sends, and when receiving the specific data that data storage server returns, according to the private key received, is decrypted specific data.Because terminal is from when getting specific data, needs corresponding private key to be decrypted, just can read data, this improves the fail safe storing data.
In another embodiment of the invention, before receiving the private key of Key Management server transmission, also comprise:
Send registration request to given server, registration request is used for trigger key management server and generates the specific key pair comprising PKI and private key.
Above-mentioned all alternatives, can adopt and combine arbitrarily formation optional embodiment of the present invention, this is no longer going to repeat them.
In conjunction with the implementation environment shown in above-mentioned Fig. 1, embodiments provide a kind of data processing method, see Fig. 5, the method flow that the present embodiment provides comprises:
501, when user registration success, the user ID of user is obtained.
502, for user ID distributes a pair specific key pair, specific key forms by PKI and private key.
503, the corresponding relation of user ID and PKI is sent to data storage server, private key is sent to user, the data that PKI is used for data storage server corresponding to user ID are encrypted, and private key is used for user to the decrypt data after encryption.
The method that the embodiment of the present invention provides, Key Management server is by distributing a pair specific double secret key for registered user, and the PKI of specific key centering and private key are sent to data storage server and terminal respectively, make data storage server when getting user data, and not simply store, but adopt this PKI to be encrypted rear storage, simultaneously terminal needs corresponding private key could to decrypt data, thus user is after getting enciphered data, directly cannot read, improve the fail safe storing data.
In another embodiment of the present invention, for user ID distributes a pair specific key to afterwards, also comprise:
Store user ID and the right corresponding relation of specific key.
Above-mentioned all alternatives, can adopt and combine arbitrarily formation optional embodiment of the present invention, this is no longer going to repeat them.
In conjunction with the implementation environment shown in above-mentioned Fig. 2, embodiments provide a kind of data processing method, see Fig. 6, the method flow that the present embodiment provides comprises:
601, when user registration success, the user ID of user is obtained.
602, for user ID distributes a pair specific key pair, specific key forms by PKI and private key.
603, store the user ID of user and the corresponding relation of PKI, private key is sent to user.
604, when getting the user data that user sends, according to the corresponding relation of user ID and PKI, the PKI that the user ID of acquisition user is corresponding.
605, based on the PKI that the user ID of user is corresponding, the user data of user is encrypted, obtains enciphered data.
606, enciphered data is stored.
The method that the embodiment of the present invention provides, data processing server is after distributing a pair specific double secret key for registered user, by storing the corresponding relation of user ID and PKI, and private key being sent to user, making when getting user data, and not simply store, but adopt this PKI to be encrypted rear storage, simultaneously terminal needs corresponding private key could to decrypt data, and thus user is after getting enciphered data, directly cannot read, improve the fail safe storing data.
In another embodiment of the present invention, after storage encryption data, also comprise:
Receive the data inquiry request of user, in data inquiry request, at least carry user ID and querying condition;
According to user ID and the querying condition of user, from enciphered data, filter out specific data;
Specific data is sent to user.
Above-mentioned all alternatives, can adopt and combine arbitrarily formation optional embodiment of the present invention, this is no longer going to repeat them.
In conjunction with the implementation environment shown in above-mentioned Fig. 2, embodiments provide a kind of data processing method, see Fig. 7, the method flow that the present embodiment provides comprises:
701, receive the private key that data processing server sends, the registered user that private key is given server by data management server generates.
702, send data inquiry request to data processing server, data inquiry request at least carries user ID and querying condition.
703, receive the specific data that data processing server returns, specific data is extracted according to user ID and querying condition by data processing server from enciphered data.
704, based on private key, specific data is decrypted.
The method that the embodiment of the present invention provides, terminal receives the private key that data processing server sends, and when receiving the specific data that data processing server returns, according to the private key received, is decrypted specific data.Because terminal is from when getting specific data, needs corresponding private key to be decrypted, just can read data, this improves the fail safe storing data.
In another embodiment of the present invention, before receiving the private key of data processing server transmission, also comprise:
Send registration request to given server, registration request is used for trigger data processing server and generates the specific key pair comprising PKI and private key.
Above-mentioned all alternatives, can adopt and combine arbitrarily formation optional embodiment of the present invention, this is no longer going to repeat them.
In conjunction with the implementation environment shown in above-mentioned Fig. 1, embodiments provide a kind of data processing method, perform this method for the Key Management server in terminal, server cluster and data storage server, see Fig. 8, the method flow that the present embodiment provides comprises:
801, when user registration success, Key Management server obtains the user ID of user.
In order to optimized network environment, better for user provides service, when user needs to get service, need first to register, and after user registration success, for user provides required service.In user registration course, user needs the account processing server in first access services device cluster, and sends registration request to this account processing server, and under the triggering of registration request, execution is registered operation by account processing server accordingly.When after user registration success, account processing server will distribute a user ID for user, and this user ID is the voucher that user accesses this server.In the present embodiment, this user ID can be account processing server according to certain rule is that user distributes automatically, and can also be that user inputs when registering on account processing server voluntarily, the present embodiment do concrete restriction to this.
In order to improve the fail safe of user data, when user registration success, the user ID of successful registration user can be sent to Key Management server by account processing server, by Key Management server according to user ID, carries out safety management to user data.
802, Key Management server is that user ID distributes a pair specific key pair, and this specific key forms by PKI and private key.
When receiving the user ID of account processing server transmission, Key Management server will distribute a pair specific key pair for this user ID, and this specific key forms by PKI and private key.Wherein, PKI is commonly used PK and is represented, can be used for encryption session, certifying digital signature etc.; Private key is commonly used SK and is represented, can be used for the data of deciphering corresponding public key encryption.The form of PKI and private key has multiple, can, for the character string be made up of numeral, as 123456, can, for the character string be made up of letter, as asdfg, can also be also the character string be made up of numeral and letter, as 123abc etc.Particularly, Key Management server, when distributing specific key pair for user ID, can adopt symmetric encipherment algorithm, asymmetrical encryption algorithm, irreversible encryption algorithm etc.
Because registered user's quantity is more, and each registered user has a user ID, therefore, in order to ensure the data security of each user, Key Management server is that the specific key that distributes of each user ID is to being unique, like this, other users are difficult to the data of the private key decrypted user according to self.
In addition, because continuation is also applied in subsequent step by the specific key that distributes in the present embodiment, therefore, Key Management server is distributing a pair specific key to afterwards for each user ID, also by storage user ID and the right corresponding relation of specific key.During concrete storage, corresponding relation right to user ID and specific key can be stored in corresponding memory cell by Key Management server.
803, the corresponding relation of user ID and PKI is sent to data storage server by Key Management server, and private key is sent to user.
Because the PKI in the present embodiment can be encrypted by the user data corresponding to user ID, private key can be decrypted enciphered data, and the ciphering process of user data carries out in data storage server, the decrypting process of enciphered data carries out in the terminal at user place, therefore, Key Management server is distributing a pair specific key to rear for user ID, also the corresponding relation of user ID and PKI is sent to data storage server, private key is sent to the terminal at user place, is stored by the terminal at user place.
804, when getting the user data that user sends, data storage server from the corresponding relation of user ID and PKI, the PKI that the user ID of acquisition user is corresponding.
When after user registration success, user is by carrying out can getting required service alternately with the service server in server cluster, with the service server in server cluster carry out in mutual process, the user data produced in this process can be sent to data storage server and store by terminal.In addition, manage targetedly user data for the ease of data storage server, user ID, when sending user data to data storage server, can send by terminal in the lump.
Owing to data storage server store the corresponding relation of user ID and PKI, therefore, when receiving the user data that terminal sends, data storage server from the corresponding relation of user ID and PKI, can get the PKI that user ID is corresponding.Such as, the PKI that user ID A is corresponding is 123456, the PKI that user ID B is corresponding is 147258, the PKI that user ID C is corresponding is 258369, when getting the user data of user ID B, data storage server is from the corresponding relation of user ID and PKI, and can get PKI corresponding to user ID B is 147258.
805, based on the PKI that the user ID of user is corresponding, the user data of data storage server to user is encrypted, and obtains enciphered data.
In order to improve the fail safe storing data, avoid other users directly to read user data from data storage server, the PKI that basis is distributed for user ID by data storage server, the user data corresponding to user ID is encrypted.By being encrypted user data, enciphered data can be obtained.
806, data storage server stores enciphered data.
Inquire about the related data produced in the process of the service of acquisition for the ease of user, be encrypted user data, after obtaining enciphered data, data storage server is also by storage encryption data.During concrete storage, enciphered data can be stored in certain database by data storage server.
807, terminal sends data inquiry request to data storage server, and this data inquiry request at least carries user ID and the querying condition of user.
When terminal is wanted to obtain historical data, terminal can send data inquiry request to data storage server, to make data storage server after receiving data inquiry request, user requested data is returned to user.Wherein, the user ID and querying condition etc. of user is at least carried in data inquiry request.Querying condition can be the time period, key word of the inquiry etc. of inquiry.
808, when receiving the data inquiry request of user, data storage server, according to the user ID of user and querying condition, filters out specific data from enciphered data.
When receiving the data inquiry request of user, data storage server according to the user ID of user, can get the enciphered data that user ID is corresponding, afterwards from database, according to the querying condition in inquiry request from the enciphered data got, filter out specific data.
Be query time section with querying condition, the data stored in data storage server are the data instance that user ID A is corresponding, and the data stored in data storage server are as shown in table 1.
Table 1
Time period Enciphered data
On October 1st, 2014 Enciphered data one
On October 3rd, 2014 Enciphered data two
On October 4th, 2014 Enciphered data three
When the user ID of carrying in the inquiry request that data storage server receives is A, when querying condition is on October 1st, 2014, data storage server can from enciphered data, and filtering out specific data is enciphered data one.
809, specific data is sent to user by data storage server.
When the specific data got, data storage server can adopt the form of cable network or wireless network, will get specific data and be sent to user.
810, when receiving the specific data that data storage server returns, terminal, based on the private key received, is decrypted specific data.
In the present embodiment, the specific data that data storage server returns is enciphered data, user cannot directly read this specific data, needs to be decrypted rear reading to this specific data, and during user registration success, Key Management server have sent a private key to user, this private key is the decryption factor be decrypted specific data, therefore, based on this private key, terminal can be decrypted this specific data, and reads after decryption.
For the whole process of above-mentioned data processing, a concrete example is explained explanation in detail below.
When user U1 and U2 wants to buy article from shopping website A, user U1 and user U2 needs to register to shopping website A.When succeeding in registration on shopping website A, the Key Management server in server cluster will distribute PKI P1 and private key S1 for user U1, for user U2 distributes PKI P2 and private key S2.Afterwards, Key Management server can by <U1, P1>, <U2, P2> is issued to the data storage server of shopping website A, stored by data storage server, meanwhile, private key S1 is also handed down to user U1 by Key Management server, and private key S2 is handed down to user U2.
Based on the PKI got, any data D1 of user U1 uses PKI P1 to be encrypted to P1 (D1) and stores by data storage server, is all used by any data D2 of user U2 PKI P2 to be encrypted to P2 (D2) and stores.When user U1 needs the historical data of inquiring about oneself, user U1 can send data inquiry request to data storage server, data storage server is according to this data inquiry request, get enciphered data P1 (D1) from certain database after, use corresponding private key S1 to be decrypted enciphered data P1 (D1), can data D1 be obtained.In this process, other users, owing to cannot get the private key S1 of user U1, even if got enciphered data P1 (D1) from data storage server, also cannot be decrypted getting enciphered data, thus read this enciphered data.
The method that the embodiment of the present invention provides, Key Management server is by distributing a pair specific double secret key for registered user, and the PKI of specific key centering and private key are sent to data storage server and terminal respectively, make data storage server when getting user data, and not simply store, but adopt this PKI to be encrypted rear storage, simultaneously terminal needs corresponding private key could to decrypt data, thus user is after getting enciphered data, directly cannot read, improve the fail safe storing data.
In conjunction with the implementation environment shown in above-mentioned Fig. 2, embodiments provide a kind of data processing method, perform for terminal and data processing server the method that the present embodiment provides, see Fig. 9, the method flow that the present embodiment provides comprises:
901, when user registration success, data processing server obtains the user ID of user.
In order to optimized network environment, better for user provides service, when user needs to get service, need first to register, and after user registration success, for user provides required service.In user registration course, user needs first visit data processing server, and sends registration request to data processing server, and under the triggering of registration request, execution is registered operation by data processing server accordingly.When after user registration success, data processing server will distribute a user ID for user, and this user ID is the voucher that user accesses this server.In the present embodiment, user ID can be data processing server according to certain rule is that user distributes automatically, and can also be that user inputs when registering on data processing server voluntarily, the present embodiment do concrete restriction to this.
In order to improve the fail safe of user data, when user registration success, data processing server can get the user ID of successful registration user, and stores.
902, data processing server is that user ID distributes a pair specific key pair, and this specific key forms by PKI and private key.
When getting user ID, data processing server will distribute a pair specific key pair for this user ID, and this specific key forms by PKI and private key.Wherein, PKI is commonly used PK and is represented, can be used for encryption session, certifying digital signature etc.; Private key is commonly used SK and is represented, can be used for the data of deciphering corresponding public key encryption.The form of PKI and private key has multiple, can, for the character string be made up of numeral, as 123456, can, for the character string be made up of letter, as asdfg, can also be also the character string be made up of numeral and letter, as 123abc etc.Particularly, data processing server, when distributing specific key pair for user ID, can adopt symmetric encipherment algorithm, asymmetrical encryption algorithm, irreversible encryption algorithm etc.
Because registered user's quantity is more, and each registered user has a user ID, therefore, in order to ensure the data security of each user, data processing server is that the specific key that distributes of each user ID is to being unique, like this, other users are difficult to the data of the private key decrypted user according to self.
In addition, because the data processing server in the present embodiment is that continuation is also applied in subsequent step by the specific key that each user ID is distributed, therefore, data processing server is distributing a pair specific key to afterwards for each user ID, also will store user ID and the right corresponding relation of specific key.During concrete storage, corresponding relation right to user ID and specific key can be stored in corresponding memory cell by data processing server.
903, data processing server stores the user ID of user and the corresponding relation of PKI, and private key is sent to user.
Because the PKI in the present embodiment can be encrypted by the user data corresponding to user ID, private key can be decrypted enciphered data, and the ciphering process of user data carries out in data processing server, the decrypting process of enciphered data carries out in the terminal at user place, for this reason, data processing server is distributing a pair specific key to rear for user ID, also the corresponding relation of user ID and PKI will be stored, and private key is sent to the terminal at user place, stored by the terminal at user place.
904, when getting the user data that user sends, data processing server according to the corresponding relation of user ID and PKI, the PKI that the user ID of acquisition user is corresponding.
When after user registration success, user is by carrying out can getting required service alternately with data processing server, and in the process mutual with data processing server, the user data produced in this process can be sent to data processing server and store by terminal.In addition, manage targetedly user data for the ease of data processing server, user ID, when sending user data to data processing server, can send by terminal in the lump.
Owing to data processing server store the corresponding relation of user ID and PKI, therefore, when receiving the user data that terminal sends, data processing server from the corresponding relation of user ID and PKI, can get the PKI that user ID is corresponding.Such as, the PKI that user ID A is corresponding is 123456, the PKI that user ID B is corresponding is 147258, the PKI that user ID C is corresponding is 258369, when getting the user data of user ID B, data processing server is from the corresponding relation of user ID and PKI, and can get PKI corresponding to user ID B is 147258.
905, based on the PKI that the user ID of user is corresponding, the user data of data processing server to user is encrypted, and obtains enciphered data.
In order to improve the fail safe storing data, avoid other users from directly reading user data from data processing server, the PKI that basis is distributed for user ID by data processing server, the user data corresponding to user ID is encrypted.By being encrypted user data, enciphered data can be obtained.
906, data processing server stores enciphered data.
Inquire about the related data produced in the process of the service of acquisition for the ease of user, be encrypted user data, after obtaining enciphered data, data processing server is also by storage encryption data.During concrete storage, enciphered data can be stored in certain database by data processing server.
907, terminal sends data inquiry request to data processing server, and this data inquiry request at least carries user ID and querying condition.
When terminal is wanted to obtain historical data, terminal can send data inquiry request to data processing server, to make data processing server after receiving data inquiry request, user requested data is returned to user.Wherein, the user ID and querying condition etc. of user is at least carried in data inquiry request.Querying condition can be the time period, key word of the inquiry etc. of inquiry.
908, when receiving the data inquiry request of user, data processing server, according to the user ID of user and querying condition, filters out specific data from enciphered data.
When receiving the data inquiry request of user, data processing server according to the user ID of user, can get the enciphered data that user ID is corresponding, afterwards from certain database, according to the querying condition in inquiry request from the enciphered data got, filter out specific data.
Be query time section with querying condition, the data stored in data processing server are the data instance that user ID A is corresponding, and the data stored in data processing server are as shown in table 2.
Table 2
Time period Enciphered data
On November 3rd, 2014 Enciphered data one
On December 5th, 2014 Enciphered data two
On December 9th, 2014 Enciphered data three
When the user ID of carrying in the inquiry request that data storage server receives is A, when querying condition is on December 9th, 2014, data processing server can from enciphered data, and filtering out specific data is enciphered data three.
909, specific data is sent to user by data processing server.
When the specific data got, data processing server can adopt the form of cable network or wireless network, will get specific data and be sent to user.
910, when receiving the specific data that data processing server returns, terminal, based on the private key received, is decrypted specific data.
In the present embodiment, the specific data that data processing server returns is enciphered data, user cannot directly read this specific data, needs to be decrypted rear reading to this specific data, and during user registration success, data processing server have sent a private key to user, this private key is the decryption factor be decrypted specific data, therefore, based on this private key, terminal can be decrypted this specific data, and reads after decryption.
For the whole process of above-mentioned data processing, a concrete example is explained explanation in detail below.
When user U3 and U4 wants to obtain service from tour site B, user U3 and user U4 needs to register to tour site B.When succeeding in registration on tour site B, data processing server will distribute PKI P3 and private key S3 for user U3, for user U4 distributes PKI P4 and private key S4.Afterwards, data processing server will store <U3, P3>, <U4, P4>, also private key S3 will be handed down to user U3 simultaneously, and private key S4 is handed down to user U4.
Based on the PKI got, any data D3 of user U3 uses PKI P3 to be encrypted to P3 (D3) and stores by data processing server, is all used by any data D4 of user U4 PKI P4 to be encrypted to P4 (D4) and stores.When user U4 needs the historical data of inquiring about oneself, user U4 can send data inquiry request to data processing server, data processing server is according to this data inquiry request, get enciphered data P4 (D4) from certain database after, use corresponding private key S4 to be decrypted enciphered data P4 (D4), can data D4 be obtained.In this process, other users, owing to cannot get the private key S4 of user U4, even if got enciphered data P4 (D4) from data processing server, also cannot be decrypted getting enciphered data, thus read this enciphered data.
The method that the embodiment of the present invention provides, data processing server is after distributing a pair specific double secret key for registered user, by storing the corresponding relation of user ID and PKI, and private key being sent to user, making when getting user data, and not simply store, but adopt this PKI to be encrypted rear storage, simultaneously terminal needs corresponding private key could to decrypt data, and thus user is after getting enciphered data, directly cannot read, improve the fail safe storing data.
See Figure 10, embodiments provide a kind of data storage server, this data storage server comprises:
First receiver module 1001, for receiving the corresponding relation of user ID and PKI that Key Management server sends, PKI is registered user's generation of given server by Key Management server;
Acquisition module 1002, for when getting the user data that user sends, from the corresponding relation of user ID and PKI, the PKI that the user ID of acquisition user is corresponding;
Encrypting module 1003, for the PKI that the user ID based on user is corresponding, is encrypted the user data of user, obtains enciphered data;
Memory module 1004, for storing enciphered data.
In another embodiment of the present invention, data storage server, also comprises:
Second receiver module, for receiving the data inquiry request of user, at least carries user ID and querying condition in data inquiry request;
Screening module, for according to the user ID of user and querying condition, filters out specific data from enciphered data;
Sending module, for being sent to user by specific data.
The data storage server that the embodiment of the present invention provides, receive the user ID of Key Management server transmission and the corresponding relation of PKI, and when getting the user data that user sends, from the corresponding relation of user ID and PKI, obtain the PKI that the user ID of user is corresponding, and then based on PKI corresponding to the user ID of user, the user data of user is encrypted, afterwards, enciphered data is stored.The present invention is based on the corresponding relation of user ID and the PKI received, obtain the PKI that user ID is corresponding, and adopt this PKI to be encrypted user data, and then storage encryption data, make user after getting enciphered data, directly cannot read, thus improve the fail safe storing data.
See Figure 11, embodiments provide a kind of terminal, this terminal comprises:
First receiver module 1101, for receiving the private key that Key Management server sends, the registered user that private key is given server by Key Management server generates;
First sending module 1102, for sending data inquiry request to data storage server, data inquiry request at least carries user ID and the querying condition of user;
Second receiver module 1103, for receiving the specific data that data storage server returns, specific data is extracted according to the user ID of user and querying condition by data storage server from enciphered data;
Deciphering module 1104, for based on private key, is decrypted specific data.
In another embodiment of the present invention, terminal, also comprises:
Second sending module, for sending registration request to given server, registration request is used for trigger key management server and generates the specific key pair comprising PKI and private key.
The terminal that the embodiment of the present invention provides, receives the private key that Key Management server sends, and when receiving the specific data that data storage server returns, according to the private key received, is decrypted specific data.Because terminal is from when getting specific data, needs corresponding private key to be decrypted, just can read data, this improves the fail safe storing data.
See Figure 12, embodiments provide a kind of Key Management server, this Key Management server comprises:
Acquisition module 1201, for when user registration success, obtains the user ID of user;
Distribution module 1203, for distributing a pair specific key pair for user ID, specific key forms by PKI and private key;
Sending module 1203, for the corresponding relation of user ID and PKI is sent to data storage server, private key is sent to user, and the data that PKI is used for data storage server corresponding to user ID are encrypted, and private key is used for user to the decrypt data after encryption.
In another embodiment of the present invention, Key Management server, also comprises:
Memory module, for storing user ID and the right corresponding relation of specific key.
The Key Management server that the embodiment of the present invention provides, by distributing a pair specific double secret key for registered user, and the PKI of specific key centering and private key are sent to data storage server and terminal respectively, make data storage server when getting user data, and not simply store, but adopt this PKI to be encrypted rear storage, simultaneously terminal needs corresponding private key could to decrypt data, thus user is after getting enciphered data, directly cannot read, improve the fail safe storing data.
See Figure 13, embodiments provide a kind of data processing server, this data processing server comprises:
First acquisition module 1301, for when user registration success, obtains the user ID of user;
Distribution module 1302, for distributing a pair specific key pair for user ID, specific key forms by PKI and private key;
First memory module 1303, for the corresponding relation of the user ID and PKI that store user, is sent to user by private key;
Second acquisition module 1304, for when getting the user data that user sends, according to the corresponding relation of user ID and PKI, the PKI that the user ID of acquisition user is corresponding;
Encrypting module 1305, for the PKI that the user ID based on user is corresponding, is encrypted the user data of user, obtains enciphered data;
Second stores mould 1306, for storing enciphered data.
In another embodiment of the present invention, data storage server, also comprises:
Receiver module, for receiving the data inquiry request of user, at least carries user ID and querying condition in data inquiry request;
Screening module, for according to the user ID of user and querying condition, filters out specific data from enciphered data;
Sending module, for being sent to user by specific data.
The data processing server that the embodiment of the present invention provides, after distribute a pair specific double secret key for registered user, by storing the corresponding relation of user ID and PKI, and private key being sent to user, making when getting user data, and not simply store, but adopt this PKI to be encrypted rear storage, simultaneously terminal needs corresponding private key could to decrypt data, and thus user is after getting enciphered data, directly cannot read, improve the fail safe storing data.
See Figure 14, embodiments provide a kind of terminal, this terminal comprises:
First receiver module 1401, for receiving the private key that data processing server sends, the registered user that private key is given server by data management server generates;
First sending module 1402, for sending data inquiry request to data processing server, data inquiry request at least carries user ID and querying condition;
Second receiver module 1403, for receiving the specific data that data processing server returns, specific data is extracted according to user ID and querying condition by data processing server from enciphered data;
Deciphering module 1404, for based on private key, is decrypted specific data.
In another embodiment of the present invention, terminal, also comprises:
Second sending module, for sending registration request to given server, registration request is used for trigger data processing server and generates the specific key pair comprising PKI and private key.
The terminal that the embodiment of the present invention provides, receives the private key that data processing server sends, and when receiving the specific data that data processing server returns, according to the private key received, is decrypted specific data.Because terminal is from when getting specific data, needs corresponding private key to be decrypted, just can read data, this improves the fail safe storing data.
See Figure 15, it illustrates the structural representation of the terminal involved by the embodiment of the present invention, this terminal may be used for the data processing method implementing to provide in above-described embodiment.Specifically:
Terminal 1500 can comprise RF (Radio Frequency, radio frequency) circuit 110, the memory 120 including one or more computer-readable recording mediums, input unit 130, display unit 140, transducer 150, voicefrequency circuit 160, WiFi (Wireless Fidelity, Wireless Fidelity) module 170, include the parts such as processor 180 and power supply 190 that more than or processes core.It will be understood by those skilled in the art that the restriction of the not structure paired terminal of the terminal structure shown in Figure 15, the parts more more or less than diagram can be comprised, or combine some parts, or different parts are arranged.Wherein:
RF circuit 110 can be used for receiving and sending messages or in communication process, the reception of signal and transmission, especially, after being received by the downlink information of base station, transfer to more than one or one processor 180 to process; In addition, base station is sent to by relating to up data.Usually, RF circuit 110 includes but not limited to antenna, at least one amplifier, tuner, one or more oscillator, subscriber identity module (SIM) card, transceiver, coupler, LNA (Low Noise Amplifier, low noise amplifier), duplexer etc.In addition, RF circuit 110 can also by radio communication and network and other devices communicatings.Described radio communication can use arbitrary communication standard or agreement, include but not limited to GSM (Global System of Mobile communication, global system for mobile communications), GPRS (General Packet Radio Service, general packet radio service), CDMA (Code Division Multiple Access, code division multiple access), WCDMA (Wideband CodeDivision Multiple Access, Wideband Code Division Multiple Access (WCDMA)), LTE (Long Term Evolution, Long Term Evolution), Email, SMS (Short Messaging Service, Short Message Service) etc.
Memory 120 can be used for storing software program and module, and processor 180 is stored in software program and the module of memory 120 by running, thus performs the application of various function and data processing.Memory 120 mainly can comprise storage program district and store data field, and wherein, storage program district can storage operation system, application program (such as sound-playing function, image player function etc.) etc. needed at least one function; Store data field and can store the data (such as voice data, phone directory etc.) etc. created according to the use of terminal 1500.In addition, memory 120 can comprise high-speed random access memory, can also comprise nonvolatile memory, such as at least one disk memory, flush memory device or other volatile solid-state parts.Correspondingly, memory 120 can also comprise Memory Controller, to provide the access of processor 180 and input unit 130 pairs of memories 120.
Input unit 130 can be used for the numeral or the character information that receive input, and produces and to arrange with user and function controls relevant keyboard, mouse, action bars, optics or trace ball signal and inputs.Particularly, input unit 130 can comprise Touch sensitive surface 131 and other input equipments 132.Touch sensitive surface 131, also referred to as touch display screen or Trackpad, user can be collected or neighbouring touch operation (such as user uses any applicable object or the operations of annex on Touch sensitive surface 131 or near Touch sensitive surface 131 such as finger, stylus) thereon, and drive corresponding jockey according to the formula preset.Optionally, Touch sensitive surface 131 can comprise touch detecting apparatus and touch controller two parts.Wherein, touch detecting apparatus detects the touch orientation of user, and detects the signal that touch operation brings, and sends signal to touch controller; Touch controller receives touch information from touch detecting apparatus, and converts it to contact coordinate, then gives processor 180, and the order that energy receiving processor 180 is sent also is performed.In addition, the polytypes such as resistance-type, condenser type, infrared ray and surface acoustic wave can be adopted to realize Touch sensitive surface 131.Except Touch sensitive surface 131, input unit 130 can also comprise other input equipments 132.Particularly, other input equipments 132 can include but not limited to one or more in physical keyboard, function key (such as volume control button, switch key etc.), trace ball, mouse, action bars etc.
Display unit 140 can be used for the various graphical user interface showing information or the information being supplied to user and the terminal 1500 inputted by user, and these graphical user interface can be made up of figure, text, icon, video and its combination in any.Display unit 140 can comprise display floater 141, optionally, the form such as LCD (Liquid Crystal Display, liquid crystal display), OLED (Organic Light-Emitting Diode, Organic Light Emitting Diode) can be adopted to configure display floater 141.Further, Touch sensitive surface 131 can cover display floater 141, when Touch sensitive surface 131 detects thereon or after neighbouring touch operation, send processor 180 to determine the type of touch event, on display floater 141, provide corresponding vision to export with preprocessor 180 according to the type of touch event.Although in fig .15, Touch sensitive surface 131 and display floater 141 be as two independently parts realize input and input function, in certain embodiments, can by Touch sensitive surface 131 and display floater 141 integrated and realize input and output function.
Terminal 1500 also can comprise at least one transducer 150, such as optical sensor, motion sensor and other transducers.Particularly, optical sensor can comprise ambient light sensor and proximity transducer, and wherein, ambient light sensor the light and shade of environmentally light can regulate the brightness of display floater 141, proximity transducer when terminal 1500 moves in one's ear, can cut out display floater 141 and/or backlight.As the one of motion sensor, Gravity accelerometer can detect the size of all directions (are generally three axles) acceleration, size and the direction of gravity can be detected time static, can be used for identifying the application (such as horizontal/vertical screen switching, dependent game, magnetometer pose calibrating) of mobile phone attitude, Vibration identification correlation function (such as pedometer, knock) etc.; As for terminal 1500 also other transducers such as configurable gyroscope, barometer, hygrometer, thermometer, infrared ray sensor, do not repeat them here.
Voicefrequency circuit 160, loud speaker 161, microphone 162 can provide the audio interface between user and terminal 1500.Voicefrequency circuit 160 can by receive voice data conversion after the signal of telecommunication, be transferred to loud speaker 161, by loud speaker 161 be converted to voice signal export; On the other hand, the voice signal of collection is converted to the signal of telecommunication by microphone 162, voice data is converted to after being received by voicefrequency circuit 160, after again voice data output processor 180 being processed, through RF circuit 110 to send to such as another terminal, or export voice data to memory 120 to process further.Voicefrequency circuit 160 also may comprise earphone jack, to provide the communication of peripheral hardware earphone and terminal 1500.
WiFi belongs to short range wireless transmission technology, and by WiFi module 170, terminal 1500 can help that user sends and receive e-mail, browsing page and access streaming video etc., and its broadband internet wireless for user provides is accessed.Although Figure 15 shows WiFi module 170, be understandable that, it does not belong to must forming of terminal 1500, can omit in the scope of essence not changing invention as required completely.
Processor 180 is control centres of terminal 1500, utilize the various piece of various interface and the whole mobile phone of connection, software program in memory 120 and/or module is stored in by running or performing, and call the data be stored in memory 120, perform various function and the deal with data of terminal 1500, thus integral monitoring is carried out to mobile phone.Optionally, processor 180 can comprise one or more process core; Optionally, processor 180 accessible site application processor and modem processor, wherein, application processor mainly processes operating system, user interface and application program etc., and modem processor mainly processes radio communication.Be understandable that, above-mentioned modem processor also can not be integrated in processor 180.
Terminal 1500 also comprises the power supply 190 (such as battery) of powering to all parts, preferably, power supply can be connected with processor 180 logic by power-supply management system, thus realizes the functions such as management charging, electric discharge and power managed by power-supply management system.Power supply 190 can also comprise one or more direct current or AC power, recharging system, power failure detection circuit, power supply changeover device or the random component such as inverter, power supply status indicator.
Although not shown, terminal 1500 can also comprise camera, bluetooth module etc., does not repeat them here.Specifically in the present embodiment, the display unit of terminal 1500 is touch-screen displays, and terminal 1500 also includes memory, and one or more than one program, one of them or more than one program are stored in memory, and are configured to be performed by more than one or one processor.Described more than one or one program package is containing the instruction for performing following operation:
Receive the private key that Key Management server sends, the registered user that private key is given server by Key Management server generates;
Send data inquiry request to data storage server, data inquiry request at least carries user ID and the querying condition of user;
Receive the specific data that data storage server returns, specific data is extracted according to the user ID of user and querying condition by data storage server from enciphered data;
Based on private key, specific data is decrypted.
Suppose that above-mentioned is the first possible execution mode, then, in the execution mode that the second provided based on the execution mode that the first is possible is possible, in the memory of terminal, also comprise the instruction for performing following operation:
Before receiving the private key of Key Management server transmission, also comprise:
Send registration request to given server, registration request is used for trigger key management server and generates the specific key pair comprising PKI and private key.
The terminal that the embodiment of the present invention provides, receives the private key that Key Management server sends, and when receiving the specific data that data storage server returns, according to the private key received, is decrypted specific data.Because terminal is from when getting specific data, needs corresponding private key to be decrypted, just can read data, this improves the fail safe storing data.
The embodiment of the present invention additionally provides a kind of computer-readable recording medium, and this computer-readable recording medium can be the computer-readable recording medium comprised in the memory in above-described embodiment; Also can be individualism, be unkitted the computer-readable recording medium allocated in terminal.This computer-readable recording medium stores more than one or one program, and this more than one or one program is used for configuration for executing data processing by one or more than one processor, and the method comprises:
Receive the private key that Key Management server sends, the registered user that private key is given server by Key Management server generates;
Send data inquiry request to data storage server, data inquiry request at least carries user ID and the querying condition of user;
Receive the specific data that data storage server returns, specific data is extracted according to the user ID of user and querying condition by data storage server from enciphered data;
Based on private key, specific data is decrypted.
The implementation that the second then provided based on the implementation that the first is possible is possible, in the memory of terminal, also comprises the instruction for performing following operation:
Before receiving the private key of Key Management server transmission, also comprise:
Send registration request to given server, registration request is used for trigger key management server and generates the specific key pair comprising PKI and private key.
The computer-readable recording medium that the embodiment of the present invention provides, receives the private key that Key Management server sends, and when receiving the specific data that data storage server returns, according to the private key received, is decrypted specific data.Because terminal is from when getting specific data, needs corresponding private key to be decrypted, just can read data, this improves the fail safe storing data.
A kind of graphical user interface is provided in the embodiment of the present invention, this graphical user interface is used on data processing terminal, and the terminal of this execution data processing comprises touch-screen display, memory and one or more than one processor for performing one or more than one program; This graphical user interface comprises:
Receive the private key that Key Management server sends, the registered user that private key is given server by Key Management server generates;
Send data inquiry request to data storage server, data inquiry request at least carries user ID and the querying condition of user;
Receive the specific data that data storage server returns, specific data is extracted according to the user ID of user and querying condition by data storage server from enciphered data;
Based on private key, specific data is decrypted.
The graphical user interface that the embodiment of the present invention provides, receives the private key that Key Management server sends, and when receiving the specific data that data storage server returns, according to the private key received, is decrypted specific data.Because terminal is from when getting specific data, needs corresponding private key to be decrypted, just can read data, this improves the fail safe storing data.
Figure 16 is the block diagram of a kind of device 1600 for data processing method according to an exemplary embodiment.Such as, device 1600 may be provided in a data storage server.With reference to Figure 16, device 1600 comprises processing components 1622, and it comprises one or more processor further, and the memory resource representated by memory 1632, can such as, by the instruction of the execution of processing components 1622, application program for storing.The application program stored in memory 1632 can comprise each module corresponding to one group of instruction one or more.In addition, processing components 1622 is configured to perform instruction, and to perform above-mentioned data processing method, the method comprises:
Receive the user ID of Key Management server transmission and the corresponding relation of PKI, the registered user that PKI is given server by Key Management server generates;
When getting the user data that user sends, from the corresponding relation of user ID and PKI, the PKI that the user ID of acquisition user is corresponding;
Based on the PKI that the user ID of user is corresponding, the user data of user is encrypted, obtains enciphered data;
Enciphered data is stored.
In another embodiment of the present invention, after enciphered data is stored, also comprise:
Receive the data inquiry request of user, in data inquiry request, at least carry user ID and querying condition;
According to user ID and the querying condition of user, from enciphered data, filter out specific data;
Specific data is sent to user.
The device that the embodiment of the present invention provides, receive the user ID of Key Management server transmission and the corresponding relation of PKI, and when getting the user data that user sends, from the corresponding relation of user ID and PKI, obtain the PKI that the user ID of user is corresponding, and then based on PKI corresponding to the user ID of user, the user data of user is encrypted, afterwards, enciphered data is stored.The present invention is based on the corresponding relation of user ID and the PKI received, obtain the PKI that user ID is corresponding, and adopt this PKI to be encrypted user data, and then storage encryption data, make user after getting enciphered data, directly cannot read, thus improve the fail safe storing data.
It should be noted that: the data storage server that above-described embodiment provides, terminal, Key Management server, data processing server are when deal with data, only be illustrated with the division of above-mentioned each functional module, in practical application, can distribute as required and by above-mentioned functions and be completed by different functional modules, internal structure by data storage server, terminal, Key Management server, data processing server is divided into different functional modules, to complete all or part of function described above.In addition, the data storage server that above-described embodiment provides, terminal, Key Management server, data processing server and data processing method embodiment belong to same design, and its specific implementation process refers to embodiment of the method, repeats no more here.
One of ordinary skill in the art will appreciate that all or part of step realizing above-described embodiment can have been come by hardware, the hardware that also can carry out instruction relevant by program completes, described program can be stored in a kind of computer-readable recording medium, the above-mentioned storage medium mentioned can be read-only memory, disk or CD etc.
The foregoing is only preferred embodiment of the present invention, not in order to limit the present invention, within the spirit and principles in the present invention all, any amendment done, equivalent replacement, improvement etc., all should be included within protection scope of the present invention.

Claims (20)

1. a data processing method, is characterized in that, described method comprises:
Receive the user ID of Key Management server transmission and the corresponding relation of PKI, the registered user that described PKI is given server by described Key Management server generates;
When getting the user data that user sends, from the corresponding relation of described user ID and PKI, obtain the PKI that the user ID of described user is corresponding;
Based on the PKI that the user ID of described user is corresponding, the user data of described user is encrypted, obtains enciphered data;
Described enciphered data is stored.
2. method according to claim 1, is characterized in that, described described enciphered data is stored after, also comprise:
Receive the data inquiry request of described user, in described data inquiry request, at least carry described user ID and querying condition;
According to user ID and the querying condition of described user, from described enciphered data, filter out specific data;
Described specific data is sent to described user.
3. a data processing method, is characterized in that, described method comprises:
Receive the private key that Key Management server sends, the registered user that described private key is given server by described Key Management server generates;
Send data inquiry request to described data storage server, described data inquiry request at least carries user ID and the querying condition of described user;
Receive the specific data that described data storage server returns, described specific data is extracted according to the user ID of described user and querying condition by described data storage server from enciphered data;
Based on described private key, described specific data is decrypted.
4. method according to claim 3, is characterized in that, before the private key that described reception Key Management server sends, also comprises:
Send registration request to described given server, described registration request generates for triggering described Key Management server the specific key pair comprising PKI and private key.
5. a data processing method, is characterized in that, described method comprises:
When user registration success, obtain the user ID of described user;
For described user ID distributes a pair specific key pair, described specific key forms by PKI and private key;
The corresponding relation of described user ID and PKI is sent to data storage server, described private key is sent to described user, the data that described PKI is used for described data storage server corresponding to described user ID are encrypted, and described private key is used for described user to the decrypt data after encryption.
6. method according to claim 5, is characterized in that, describedly distributes a pair specific key to afterwards for described user ID, also comprises:
Store described user ID and the right corresponding relation of specific key.
7. a data processing method, is characterized in that, described method comprises:
When user registration success, obtain the user ID of described user;
For described user ID distributes a pair specific key pair, described specific key forms by PKI and private key;
Store the user ID of described user and the corresponding relation of PKI, described private key is sent to described user;
When getting the user data that described user sends, according to the corresponding relation of described user ID and PKI, obtain the PKI that the user ID of described user is corresponding;
Based on the PKI that the user ID of described user is corresponding, the user data of described user is encrypted, obtains enciphered data;
Described enciphered data is stored.
8. method according to claim 7, is characterized in that, after the described enciphered data of described storage, also comprises:
Receive the data inquiry request of described user, in described data inquiry request, at least carry described user ID and querying condition;
According to user ID and the querying condition of described user, from described enciphered data, filter out specific data;
Described specific data is sent to described user.
9. a data processing method, is characterized in that, described method comprises:
Receive the private key that data processing server sends, the registered user that described private key is given server by described data management server generates;
Send data inquiry request to described data processing server, described data inquiry request at least carries described user ID and querying condition;
Receive the specific data that described data processing server returns, described specific data is extracted according to described user ID and querying condition by described data processing server from enciphered data;
Based on described private key, described specific data is decrypted.
10. method according to claim 9, is characterized in that, before the private key that described reception data processing server sends, also comprises:
Send registration request to described given server, described registration request generates for triggering described data processing server the specific key pair comprising PKI and private key.
11. 1 kinds of data storage servers, is characterized in that, described data storage server comprises:
First receiver module, for receiving the corresponding relation of user ID and PKI that Key Management server sends, described PKI is registered user's generation of given server by described Key Management server;
Acquisition module, for when getting the user data that user sends, from the corresponding relation of described user ID and PKI, obtains the PKI that the user ID of described user is corresponding;
Encrypting module, for the PKI that the user ID based on described user is corresponding, is encrypted the user data of described user, obtains enciphered data;
Memory module, for storing described enciphered data.
12. data storage servers according to claim 11, is characterized in that, described data storage server, also comprises:
Second receiver module, for receiving the data inquiry request of described user, at least carries described user ID and querying condition in described data inquiry request;
Screening module, for according to the user ID of described user and querying condition, filters out specific data from described enciphered data;
Sending module, for being sent to described user by described specific data.
13. 1 kinds of terminals, is characterized in that, described terminal comprises:
First receiver module, for receiving the private key that Key Management server sends, the registered user that described private key is given server by described Key Management server generates;
First sending module, for sending data inquiry request to described data storage server, described data inquiry request at least carries user ID and the querying condition of described user;
Second receiver module, for receiving the specific data that described data storage server returns, described specific data is extracted according to the user ID of described user and querying condition by described data storage server from enciphered data;
Deciphering module, for based on described private key, is decrypted described specific data.
14. terminals according to claim 13, is characterized in that, described terminal, also comprises:
Second sending module, for sending registration request to described given server, described registration request generates for triggering described Key Management server the specific key pair comprising PKI and private key.
15. 1 kinds of Key Management servers, is characterized in that, described Key Management server comprises:
Acquisition module, for when user registration success, obtains the user ID of described user;
Distribution module, for distributing a pair specific key pair for described user ID, described specific key forms by PKI and private key;
Sending module, for the corresponding relation of described user ID and PKI is sent to data storage server, described private key is sent to described user, the data that described PKI is used for described data storage server corresponding to described user ID are encrypted, and described private key is used for described user to the decrypt data after encryption.
16. Key Management servers according to claim 15, is characterized in that, described Key Management server, also comprises:
Memory module, for storing described user ID and the right corresponding relation of specific key.
17. 1 kinds of data processing servers, is characterized in that, described data processing server comprises:
First acquisition module, for when user registration success, obtains the user ID of described user;
Distribution module, for distributing a pair specific key pair for described user ID, described specific key forms by PKI and private key;
First memory module, for the corresponding relation of the user ID and PKI that store described user, is sent to described user by described private key;
Second acquisition module, for when getting the user data that described user sends, according to the corresponding relation of described user ID and PKI, obtains the PKI that the user ID of described user is corresponding;
Encrypting module, for the PKI that the user ID based on described user is corresponding, is encrypted the user data of described user, obtains enciphered data;
Second memory module, for storing described enciphered data.
18. data processing servers according to claim 17, is characterized in that, described data processing server, also comprises:
Receiver module, for receiving the data inquiry request of described user, at least carries described user ID and querying condition in described data inquiry request;
Screening module, for according to the user ID of described user and querying condition, filters out specific data from described enciphered data;
Sending module, for being sent to described user by described specific data.
19. 1 kinds of terminals, is characterized in that, described terminal comprises:
First receiver module, for receiving the private key that data processing server sends, the registered user that described private key is given server by described data management server generates;
First sending module, for sending data inquiry request to described data processing server, described data inquiry request at least carries described user ID and querying condition;
Second receiver module, for receiving the specific data that described data processing server returns, described specific data is extracted according to described user ID and querying condition by described data processing server from enciphered data;
Deciphering module, for based on described private key, is decrypted described specific data.
20. terminals according to claim 19, is characterized in that, described terminal, also comprises:
Second sending module, for sending registration request to described given server, described registration request generates for triggering described data processing server the specific key pair comprising PKI and private key.
CN201510074112.6A 2015-02-12 2015-02-12 Data processing method and apparatus Pending CN104967601A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201510074112.6A CN104967601A (en) 2015-02-12 2015-02-12 Data processing method and apparatus

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201510074112.6A CN104967601A (en) 2015-02-12 2015-02-12 Data processing method and apparatus

Publications (1)

Publication Number Publication Date
CN104967601A true CN104967601A (en) 2015-10-07

Family

ID=54221545

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201510074112.6A Pending CN104967601A (en) 2015-02-12 2015-02-12 Data processing method and apparatus

Country Status (1)

Country Link
CN (1) CN104967601A (en)

Cited By (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106254559A (en) * 2016-10-11 2016-12-21 广东欧珀移动通信有限公司 The method of a kind of information storage and server
CN106604238A (en) * 2015-10-20 2017-04-26 大唐移动通信设备有限公司 Group call business private communication method and apparatus
CN108154038A (en) * 2016-12-06 2018-06-12 北京京东尚科信息技术有限公司 Data processing method and device
CN109409109A (en) * 2018-10-17 2019-03-01 网易(杭州)网络有限公司 Data processing method, device, processor and server in network service
CN109842506A (en) * 2017-11-27 2019-06-04 财付通支付科技有限公司 Key management system disaster tolerance processing method, device, system and storage medium
CN110166460A (en) * 2019-05-24 2019-08-23 北京思源互联科技有限公司 Register method and device, storage medium, the electronic device of service account
CN110266480A (en) * 2019-06-13 2019-09-20 腾讯科技(深圳)有限公司 Data transmission method, device and storage medium
CN113922974A (en) * 2020-06-22 2022-01-11 中移(苏州)软件技术有限公司 Information processing method and system, front end, server and storage medium
CN113923005A (en) * 2021-09-30 2022-01-11 惠州Tcl移动通信有限公司 Method and system for writing data
CN114389802A (en) * 2021-12-10 2022-04-22 北京巨龟科技有限责任公司 Information decryption method and device, electronic equipment and readable storage medium
CN115102757A (en) * 2022-06-20 2022-09-23 中国银行股份有限公司 User information processing method and device

Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20040151308A1 (en) * 2003-02-05 2004-08-05 Identicrypt, Inc. Identity-based encryption system for secure data distribution
CN101281498A (en) * 2007-04-02 2008-10-08 北京华旗资讯数码科技有限公司 Ciphering type mobile storage apparatus
CN102263637A (en) * 2010-05-28 2011-11-30 陈勇 Information encryption method and equipment thereof
CN103248479A (en) * 2012-02-06 2013-08-14 中兴通讯股份有限公司 Cloud storage safety system, data protection method and data sharing method
CN103259651A (en) * 2013-05-30 2013-08-21 成都欣知科技有限公司 Encryption and decryption method and system of terminal data
CN103457995A (en) * 2013-06-07 2013-12-18 北京百纳威尔科技有限公司 Data information storage method for terminal equipment, terminal equipment and cloud terminal server
CN103795780A (en) * 2013-12-06 2014-05-14 中国科学院深圳先进技术研究院 Cloud storage data protection method and device
CN104144412A (en) * 2013-05-09 2014-11-12 腾讯科技(北京)有限公司 Information manager and information management method

Patent Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20040151308A1 (en) * 2003-02-05 2004-08-05 Identicrypt, Inc. Identity-based encryption system for secure data distribution
CN101281498A (en) * 2007-04-02 2008-10-08 北京华旗资讯数码科技有限公司 Ciphering type mobile storage apparatus
CN102263637A (en) * 2010-05-28 2011-11-30 陈勇 Information encryption method and equipment thereof
CN103248479A (en) * 2012-02-06 2013-08-14 中兴通讯股份有限公司 Cloud storage safety system, data protection method and data sharing method
CN104144412A (en) * 2013-05-09 2014-11-12 腾讯科技(北京)有限公司 Information manager and information management method
CN103259651A (en) * 2013-05-30 2013-08-21 成都欣知科技有限公司 Encryption and decryption method and system of terminal data
CN103457995A (en) * 2013-06-07 2013-12-18 北京百纳威尔科技有限公司 Data information storage method for terminal equipment, terminal equipment and cloud terminal server
CN103795780A (en) * 2013-12-06 2014-05-14 中国科学院深圳先进技术研究院 Cloud storage data protection method and device

Cited By (17)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106604238A (en) * 2015-10-20 2017-04-26 大唐移动通信设备有限公司 Group call business private communication method and apparatus
CN106254559A (en) * 2016-10-11 2016-12-21 广东欧珀移动通信有限公司 The method of a kind of information storage and server
CN108154038A (en) * 2016-12-06 2018-06-12 北京京东尚科信息技术有限公司 Data processing method and device
CN109842506B (en) * 2017-11-27 2022-08-12 财付通支付科技有限公司 Disaster recovery processing method, device, system and storage medium for key management system
CN109842506A (en) * 2017-11-27 2019-06-04 财付通支付科技有限公司 Key management system disaster tolerance processing method, device, system and storage medium
CN109409109A (en) * 2018-10-17 2019-03-01 网易(杭州)网络有限公司 Data processing method, device, processor and server in network service
CN110166460A (en) * 2019-05-24 2019-08-23 北京思源互联科技有限公司 Register method and device, storage medium, the electronic device of service account
CN110166460B (en) * 2019-05-24 2021-12-14 北京思源理想控股集团有限公司 Service account registration method and device, storage medium and electronic device
CN110266480A (en) * 2019-06-13 2019-09-20 腾讯科技(深圳)有限公司 Data transmission method, device and storage medium
CN110266480B (en) * 2019-06-13 2022-05-20 腾讯科技(深圳)有限公司 Data transmission method, device and storage medium
CN113922974A (en) * 2020-06-22 2022-01-11 中移(苏州)软件技术有限公司 Information processing method and system, front end, server and storage medium
CN113922974B (en) * 2020-06-22 2024-04-09 中移(苏州)软件技术有限公司 Information processing method and system, front end, server side and storage medium
CN113923005B (en) * 2021-09-30 2024-04-09 惠州Tcl移动通信有限公司 Method and system for writing data
CN113923005A (en) * 2021-09-30 2022-01-11 惠州Tcl移动通信有限公司 Method and system for writing data
CN114389802A (en) * 2021-12-10 2022-04-22 北京巨龟科技有限责任公司 Information decryption method and device, electronic equipment and readable storage medium
CN114389802B (en) * 2021-12-10 2022-09-27 北京巨龟科技有限责任公司 Information decryption method and device, electronic equipment and readable storage medium
CN115102757A (en) * 2022-06-20 2022-09-23 中国银行股份有限公司 User information processing method and device

Similar Documents

Publication Publication Date Title
CN104967601A (en) Data processing method and apparatus
CN104113782B (en) Based on the method for registering of video, terminal, server and system
CN104836664B (en) A kind of methods, devices and systems executing business processing
CN104821937A (en) Token acquisition method, device and system
CN105721413A (en) Service processing method and apparatus
CN105491067A (en) Key-based business security verification method and device
CN105933904A (en) Network connection method and device
CN108809906B (en) Data processing method, system and device
CN104376353A (en) Two-dimension code generating method, terminal and server and two-dimension code reading method, terminal and server
CN104580167A (en) Data transmission method, device and system
CN103634109A (en) Operation right authentication method and device
CN103731810A (en) Access point sharing method and device
CN103763112B (en) A kind of user identity protection method and apparatus
CN104519485A (en) Communication method between terminals, devices and system
CN104519197A (en) User login method, user login device and terminal devices
CN105681032A (en) Key storage method and device as well as key management method and device
CN104901806B (en) A kind of virtual resource processing method, device and system
CN104901991A (en) Methods, devices and system for transferring virtual resource
CN106550361B (en) Data transmission method, equipment and computer readable storage medium
CN104954126A (en) Sensitive operation verification method, device and system
CN104901805A (en) Identity authentication method and device and system
CN107154935A (en) service request method and device
CN104852802A (en) Identity verification method, equipment, and system
CN104639394B (en) Statistical method, the device and system of client number of users
CN114553612B (en) Data encryption and decryption method and device, storage medium and electronic equipment

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication
RJ01 Rejection of invention patent application after publication

Application publication date: 20151007