CN106027509A - Cloud platform data computing method in ERP environment - Google Patents

Publication number: CN106027509A
Authority: CN (China)
Legal status: Pending
Application number: CN201610317369.4A
Other languages: Chinese (zh)
Inventor: 郭建锋
Current assignee: Chengdu Jingjie Technology Co Ltd
Original assignee: Chengdu Jingjie Technology Co Ltd
Prior art keywords: field, data, user, platform, business

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/04: Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428: Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/045: Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply hybrid encryption, i.e. combination of symmetric and asymmetric encryption
    • H04L63/20: Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H04L63/205: Network architectures or network communication protocols for network security for managing network security; network security policies in general involving negotiation or determination of the one or more network security mechanisms to be used, e.g. by negotiation between the client and the server or between peers or by selection according to the capabilities of the entities involved
    • H04L67/00: Network arrangements or protocols for supporting network services or applications
    • H04L67/01: Protocols
    • H04L67/10: Protocols in which an application is distributed across nodes in the network

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Storage Device Security (AREA)

Abstract

The invention provides a cloud platform data computing method in an ERP environment. The cloud platform data computing method comprises the steps that: a master user in a business organization defines and configures encrypted parameters and business data table items; and all the users in the business organization perform query in stages for an encrypted field. The provided cloud platform data computing method in the ERP environment realizes convenient data query in the ERP collaborative cloud platform, avoids a security problem caused by field decryption and brings convenience for sharing of business information at the interior of the business organization.

Description

Cloud platform data computing method in ERP environment
Technical field
The present invention relates to cloud computing, and in particular to a cloud platform data computing method in an ERP environment.
Background art
The emergence of cloud computing has shifted the way software and services are consumed from purchase to lease. This benefits small and medium-sized enterprises, because they obtain the services they need without bearing the cost of software maintenance and upgrades. For manufacturing enterprises in particular, competition between enterprises has developed into competition between the supply chains of business organizations. To improve competitiveness, enterprises have one after another adopted collaborative ERP platforms to manage the whole supply chain. A third-party service provider builds and maintains the platform, and an enterprise only needs to pay a relatively low rent to obtain customizable, personalized service of equal quality. When enterprise users cooperate through an ERP collaborative cloud platform, they generate large amounts of data, part of which is important data between business organizations, referred to as confidential data. To ensure that confidential data is not obtained by unauthorized users, the most widely used and most effective method is to store it encrypted. However, while encryption guarantees the confidentiality of user information, it destroys the original logical relationships of the plaintext, which makes data queries inconvenient: encrypted field data cannot be queried directly by plaintext.
Summary of the invention
To solve the problems of the prior art described above, the present invention proposes a cloud platform data computing method in an ERP environment, comprising:
the primary user in a business organization defines and configures the encryption parameters and the business data table entries;
all users in the business organization query the encrypted fields in stages.
Preferably, the primary user defining and configuring the encryption parameters further comprises setting the encryption key in one of two ways. In the first, all member enterprises in the business organization use the same private key to encrypt and decrypt the same field in the same business data table; in this case the primary user configures the private key when selecting the field to encrypt. In the second, business records in the same data table that belong to different collaboration users are encrypted and decrypted with different private keys; in this case the primary user negotiates the private key with each collaboration user separately, or the collaboration user configures it;
All users querying the encrypted fields in stages further comprises the following. The first-step query is performed on the platform. After the user sets the query conditions, the platform first separates out the matching values of the non-empty confidential fields in the query conditions, and then obtains the index records of those fields for the table from the index file. When extracting index records, the platform first determines whether the query comes from the primary user or a collaboration user; for a collaboration user, a combined-field matching condition is added. After obtaining the index information, the platform obtains the index records that match successfully. It then queries data from the business data table using the query conditions that remain after the separation, and from that data takes the records that have the same identification field value as the successfully matched index records. This gives the initial result set of the platform query, which is returned to the user. The second-step query is performed on the client. After the client obtains the initial result set, it decrypts the encrypted fields in the initial result set locally, performs plaintext matching, removes the results that do not match the matching conditions, and obtains the final correct query result.
Compared with the prior art, the present invention has the following advantages:
The present invention proposes a cloud platform data computing method in an ERP environment that realizes convenient data query on the ERP collaborative cloud platform, avoids the security problems caused by decrypting fields, and at the same time facilitates the sharing of business information within the business organization.
Brief description of the drawings
Fig. 1 is a flow chart of the cloud platform data computing method in an ERP environment according to an embodiment of the present invention.
Detailed description
A detailed description of one or more embodiments of the present invention is provided below together with the accompanying drawing that illustrates the principles of the invention. The invention is described in connection with such embodiments, but it is not limited to any embodiment. The scope of the invention is limited only by the claims, and the invention encompasses many alternatives, modifications and equivalents. Many specific details are set forth in the following description to provide a thorough understanding of the invention. These details are provided for exemplary purposes, and the invention may also be practiced according to the claims without some or all of them.
One aspect of the present invention provides a cloud platform data computing method in an ERP environment. Fig. 1 is a flow chart of the cloud platform data computing method in an ERP environment according to an embodiment of the present invention.
Based on the data characteristics and user operation characteristics of the ERP collaborative cloud platform, the present invention proposes a data encryption method and an encrypted-field query method for this platform. Encrypted-field query is implemented in two parts: encrypted-field query for text confidential data and encrypted-field query for numeric confidential data.
The ERP collaborative cloud platform of the present invention is a public service platform that serves small and medium-sized enterprises and supports cooperation between the business organizations in each ERP. The platform connects seamlessly with the ERP system inside each enterprise and provides complete collaboration services for each business organization, including sales, after-sales, purchasing and logistics management. The whole system includes data encryption and decryption, encrypted-field query and private key distribution functional modules. The data encryption and decryption module ensures that confidential fields are stored securely on the platform while users can still view business data normally. Encrypted-field query achieves fast queries without revealing the plaintext of confidential data. Private key distribution is the security mechanism that ensures collaboration users and the primary user can view data normally.
The platform stores the business data of each business organization in independent-database mode. After business data is stored on the platform, it is delivered to the enterprise's internal system through the data exchange mechanism with that system; the enterprise processes the information in its internal system and then uses the data exchange mechanism again to deliver the processed information back to the platform. Confidential data should only be viewable by the two parties to the business, while non-confidential data is stored directly in plaintext in the platform database.
The platform adopts the strategy that each organization manages and sets the confidential data of its business data tables itself. Within an organization, the primary user has the highest authority: it can manage collaboration users and view all business data, whereas a collaboration user can only view the data related to itself. The right to select and configure confidential data is therefore given to the primary user.
Data types differ between business organizations, but the basic data types used are largely the same. Different query methods are used depending on the type of the field that serves as a query condition. Numeric data, such as unit price, quantity and adjustment amount, is stored as numeric values, and queries on it fall into two classes: exact query and interval query. For text data, the platform uses two query methods: fuzzy query and exact query. In private key storage, a private key can only be obtained by an enterprise that is entitled to it; an unauthorized user cannot obtain the plaintext of the private key.
In the system, the primary user performs the field encryption configuration. The private key can be set in two ways. In the first, all member enterprises in the business organization use the same private key to encrypt and decrypt the same field in the same business data table; in this case the primary user configures the private key when selecting the field to encrypt. In the second, business records in the same data table that belong to different collaboration users are encrypted and decrypted with different private keys; in this case the primary user negotiates the private key with each collaboration user separately, or the collaboration user configures it itself.
The ERP cloud platform uses a three-tier architecture. The user interface layer provides the custom encryption view, the private key configuration view and the user data query view. The business logic layer processes data, including data encryption and decryption, encrypted-field query and private key distribution. The data access layer controls reading, adding, modifying and deleting data in the platform database. The modules of the cloud platform are described as follows:
Custom data encryption module: lets the primary user configure custom confidential fields. This includes combined-field selection for a business data table, in which the primary user chooses from the business data table the field to use as the combined field, and adding and deleting confidential fields of a business data table.
Encryption/decryption module: applies the DES encryption algorithm and the RSA algorithm to plaintext data, encrypting and correspondingly decrypting it in units of the attribute values of data table fields.
Business data query module: performs data queries without decrypting the encrypted fields of data tables in the database. It is divided into: ciphertext information query, which is used to query encrypted fields when the query conditions contain a confidential text matching condition, including exact query and fuzzy query on text data; confidential text index management, which manages the text index table when a business data table is modified or searched, including adding new index records, deleting index records and updating index records; and numeric encrypted-field query, which is used to query encrypted fields when the query conditions contain a numeric confidential matching condition, including exact query and interval query on numeric data;
Private key management and distribution module: the functional module that generates, stores and distributes the various private keys needed for confidential field protection, encrypted-field query and viewing of user data. Specifically, it stores the RSA public keys of enterprise users; securely stores the private keys of enterprise users, ensuring that a user's private key can only be obtained by that enterprise; generates an FMES private key when a numeric data field is selected as an encrypted field; stores the FMES private key securely using the enterprise's private key; and lets each business organization obtain the plaintext of a private key securely and correctly when it needs it.
The primary keys and foreign keys of database tables are not encrypted. Each business data table has a special field, called the combined field, that identifies which collaboration user a record relates to; the combined field is not encrypted. Confidential data in the business data stored on the platform is encrypted and decrypted with the DES algorithm, and the private keys are in turn encrypted and decrypted with the RSA algorithm.
Before business data is encrypted, the index data of the encrypted fields is established first. A separate index lookup table is set up for each confidential field. Text data is processed with the text sequence adjacency information generation algorithm, and a new set of index records is created after other information is added. Numeric plaintext data is encrypted with FMES, and other information is then added to generate a new set of index records. Each record in the index corresponds to one value of the confidential field and holds the index match information, position information and association information of the plaintext confidential field value corresponding to that index entry. The index match information is the result of applying the adjacency information generation algorithm to the plaintext confidential data, or the result of the FMES operation; it is what is matched during a query. The position information indicates where the business data corresponding to the index record is located in the business data table, and consists of the name and the value of the unique identification field of that business data table. The association information is an identification field indicating which collaboration user the confidential data is associated with; it isolates data when a collaboration user queries and also improves the efficiency of collaboration-user queries.
For encryption, the combined field of the business data table is selected first. In the confidential field selection function, the business data table to be encrypted is selected; the primary keys and foreign keys of the selected table are determined from the table configuration information of the database, and selecting primary keys, foreign keys or the combined field for encryption is forbidden. The platform generates the corresponding index information for the information in the platform database of the confidential fields selected by the user. The plaintext data of the confidential fields is encrypted on the client, and the encrypted business data is then sent to the platform to update the platform's business database. When a user views data, a first query is performed on the platform to obtain an initial result set, which is returned to the user; a second query is then performed on the client to obtain the final result.
A user query is divided into two steps. The first-step query is performed on the platform. After the user sets the query conditions, the platform first separates out the matching values of the non-empty confidential fields in the query conditions, and then obtains the index records of those fields for the table from the index file. When extracting index records, the platform first determines whether the query comes from the primary user or a collaboration user; for a collaboration user, a combined-field matching condition is added. After obtaining the index information, the platform obtains the successfully matched index records using the matching algorithm. It then queries data from the business data table using the query conditions that remain after the separation, and from that data takes the records that have the same identification field value as the successfully matched index records. This gives the initial result set of the platform query, which is returned to the user. The second-step query is performed on the client. After the client obtains the initial result set, it decrypts the encrypted fields in the initial result set locally, performs plaintext matching, removes the results that do not match the matching conditions, and obtains the final correct query result.
In the primary user's custom encryption process, the primary user calls the custom encryption service tool provided by the platform and selects the business data table to be encrypted. The platform displays all fields and marks the fields that cannot be encrypted as not selectable. The primary user then selects the confidential fields, configures the private key, and finally encrypts the confidential data. The business data configuration scheme gives the primary user a custom choice of encryption algorithm, encryption mode and encryption key. The data encryption algorithm is the DES encryption algorithm, and two encryption policies are provided: one private key per field, and one private key per table. In the first, the primary user sets a private key separately for each confidential field, and the keys may repeat. In the second, all confidential fields in the same table use the same private key, which can be set by the user, generated randomly by the platform, or taken from a confidential field the table already has. After the primary user sets a private key, the key is checked for validity, that is, whether the number of bits of the private key is correct.
Private key distribution is centered on the platform. An enterprise public key information table, a private key information table and a private key distribution table are first set up on the platform. The public key information table records the public key of each enterprise in the organization. Each user's private key is stored encrypted in the platform database; it is encrypted with AES using the password with which the user logs in to the platform. The private key distribution table records the private keys to be distributed, encrypted with the enterprises' public keys. When the primary user uses the platform's custom data encryption service to select a new confidential field and set a private key Ki for it, the public keys of the business organizations are first obtained from the platform, Ki is encrypted with the public key of each business organization, and the results are added to the private key distribution table on the platform. Likewise, when the private key of an existing confidential field changes, the encrypted values of that field in the business data table are updated, after which the new private key is encrypted and the private key distribution table is updated. When enterprise X logs in to the platform, it first obtains the encrypted private key from the platform, decrypts it on the client, and keeps the private key in plaintext on the client. When X then views business data table T, it first obtains from the platform's private key distribution table the private keys of the confidential fields in T, encrypted with X's public key. X decrypts them on its own client with its own private key to obtain the plaintext private keys of the confidential fields in T, and then decrypts the confidential fields in the business data sent by the platform.
The query process of the present invention for confidential text information is as follows.
A text adjacency matrix is used to represent the adjacency information of a text sequence. The text sequence matrix is then compressed for storage: the number of bits m of the compression result is fixed, and every 1 that appears in the matrix is processed by transforming its position with k independent hash functions, which maps it to multiple positions of a one-dimensional information string.
When the user's query conditions contain a non-empty confidential matching condition, the query flow is divided into two steps. The first step is performed on the platform, which queries the information in the index table it created, ensuring that the user's confidential data is not revealed.
Step 1: User X submits a query; obtain the query condition QS and the business data table L to be queried;
Step 2: Search the platform database to obtain the confidential field set SF of table L;
Step 3: Decompose QS to obtain the set SQ of confidential matching field names in it and the set VS of matching values;
Step 4: Determine whether each confidential matching field value is empty; if all are empty, send the query directly to the DBMS for a conventional query;
Step 5: If not all are empty, obtain the set FN of non-empty confidential matching field names in QS, the value set FV and their query option set, where the query option is exact query or fuzzy query; also obtain the name set NS and value set NF of the non-confidential matching fields and the empty-valued confidential matching fields, and their query option set;
Step 6: Process the plaintext matching values to obtain the processed matching value set OF;
Step 7: According to the confidential field names FN and the business data table L, obtain the table names of the index tables corresponding to these confidential fields;
Step 8: According to the user type of the current enterprise user, obtain from the corresponding index file the index records of the confidential fields SF of table L that user X can view: if the user is the primary user, obtain all index records of the confidential fields SF of table L; if the user is a collaboration user, obtain only the index records related to X. Put the result in a data set DS, sorted in ascending order by identification field, then match using the following method and delete from DS the records that fail to match:
For an exact query, the matching value is first processed with the text sequence adjacency information generation method described above to obtain an m-bit result St, which is then matched against the index match information So previously generated from the plaintext; if the two are identical, the match succeeds. For a fuzzy query, the value of the matching condition is also processed first: the adjacency matrix is built and then compressed, but with the information in the last four rows of the adjacency matrix all set to 0, which gives the compression result St*. St* is then matched against the original index match information St in two steps: first, St* and St are combined with a bitwise AND to obtain the result Sm; second, Sm is compared with St*, and if they are identical the match succeeds, otherwise the match fails.
Step 9: Obtain the business data and sort it in ascending order, then go down it row by row, matching the field value against the first row; if they are identical, delete the first record, and if not, delete the current row of the business data.
Step 10: Determine whether DS is empty. If it is not empty, continue with step 8. If it is empty, store the business data in a temporary table Tew, then query Tew with the other conditions apart from the non-empty confidential matching conditions to obtain data DL.
The second query is performed on the client: the encrypted fields are decrypted first, and an exact query is then carried out. If a collaboration user is querying, the platform adds the user type as a query condition in the first query, which ensures that the initial result the collaboration user obtains contains no business data of other collaboration users unrelated to that enterprise.
Step 1: Obtain the database query QS and the queried table L;
Step 2: Obtain the confidential field set SF of table L from the platform;
Step 3: Decompose QS using SF to obtain the set FN of non-empty confidential matching field names in QS and the value set FV;
Step 4: Decrypt the encrypted field information in the first query result DL to obtain the plaintext data ML.
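The text index and the two-stage query described above, as an added example that is not part of the patent: it builds the compressed adjacency index, runs the exact and fuzzy matching of step 8 on the platform side, and then applies the client-side plaintext check. Assumptions: the adjacency matrix is modelled as the set of adjacent character pairs, with start and end markers standing in for the rows that the fuzzy query sets to 0; HMAC-SHA256 under a constructed key stands in for the k independent hash functions; m = 256 and k = 3; the rows are constructed samples, and a lookup table stands in for local DES decryption.

```python
import hashlib
import hmac

M_BITS = 256                 # m, width of the compressed bit string (assumed)
K_HASHES = 3                 # k, number of hash functions (assumed)
START, END = "\x02", "\x03"  # boundary markers (assumed matrix layout)
INDEX_KEY = b"constructed-index-key"  # constructed key for the keyed hash (assumption)


def adjacency(text, with_boundaries):
    """1-cells of the text adjacency matrix: the set of adjacent character pairs."""
    seq = list(text)
    if with_boundaries:
        seq = [START] + seq + [END]
    return set(zip(seq, seq[1:]))


def compress(pairs, key=INDEX_KEY):
    """Map each 1-cell to k positions of an m-bit string, returned as an int."""
    bits = 0
    for a, b in pairs:
        for i in range(K_HASHES):
            digest = hmac.new(key, f"{i}|{a}|{b}".encode("utf-8"),
                              hashlib.sha256).digest()
            bits |= 1 << (int.from_bytes(digest[:8], "big") % M_BITS)
    return bits


def query_token(value, fuzzy):
    """St for an exact query; St* (boundary cells left at 0) for a fuzzy one."""
    return compress(adjacency(value, with_boundaries=not fuzzy))


def platform_stage(index, token, fuzzy, user, is_primary):
    """Stage one, on the platform: match index records only, never plaintext."""
    hits = []
    for rec in index:
        if not is_primary and rec["owner"] != user:
            continue  # combined-field condition isolates collaboration users
        matched = (token & rec["st"]) == token if fuzzy else token == rec["st"]
        if matched:
            hits.append(rec["id"])
    return hits


def client_stage(candidates, decrypt, value, fuzzy):
    """Stage two, on the client: decrypt locally and drop index false positives."""
    return [rid for rid in candidates
            if (value in decrypt(rid) if fuzzy else value == decrypt(rid))]


# Constructed sample rows: id is the unique identification field, owner the
# combined field, plain the confidential value before encryption.
ROWS = [
    {"id": 1, "owner": "supplier-A", "plain": "bolt and nut kit"},
    {"id": 2, "owner": "supplier-B", "plain": "M8 bolt nut set"},
    {"id": 3, "owner": "supplier-A", "plain": "LOT-121212"},
    {"id": 4, "owner": "supplier-A", "plain": "LOT-1212"},
]
# Index records as held by the platform: position, association, index match.
INDEX = [{"id": r["id"], "owner": r["owner"],
          "st": compress(adjacency(r["plain"], True))} for r in ROWS]
# Stand-in for local DES decryption of the returned ciphertext fields.
CLIENT_PLAINTEXT = {r["id"]: r["plain"] for r in ROWS}


def two_stage(value, fuzzy, user, is_primary):
    """Run both stages; returns (platform candidates, final client result)."""
    stage1 = platform_stage(INDEX, query_token(value, fuzzy), fuzzy, user, is_primary)
    stage2 = client_stage(stage1, CLIENT_PLAINTEXT.__getitem__, value, fuzzy)
    return stage1, stage2


if __name__ == "__main__":
    print(two_stage("bolt nut", True, "primary", True))
    print(two_stage("bolt nut", True, "supplier-A", False))
    print(two_stage("LOT-1212", False, "primary", True))
```

Rows 1 and 3 pass the platform stage without satisfying the query, because distinct texts can share the same set of adjacent pairs; the client stage is what removes them.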
For the encryption and query of numeric data, to remain consistent with the custom data encryption scheme, the same DES algorithm as for text data is used for encryption and decryption. Encrypted-field query on numeric data specifically comprises:
Step 1: The primary user determines the table L whose confidential fields are to be protected, and determines the numeric confidential field SF;
Step 2: Obtain the field name T of the unique identification field of table L, and the field OW that identifies the collaboration user a record belongs to;
Step 3: Starting from the first record and proceeding downward, obtain record Ai of L;
Step 4: Obtain the confidential data SAi in Ai, the value of field T in Ai, and the value of field OW;
Step 5: Apply FMES encryption to SAi to obtain the encrypted result Ri;
Step 6: Store the table name L, the identification field name MN, the identification field value MV and the index match information Ri in a temporary data set;
Step 7: Determine whether all records of table L have been processed; if not, return to step 3;
Step 8: Generate a new index table IN from the current business data table name L and the confidential field name SF;
Step 9: Insert the data in the temporary data set into the newly created index table in a batch.
For exact queries on numeric data, the same query mode as for confidential text data is used: at the client, the user encrypts the match value with the private key of the field and sends it to the platform, and the platform database performs a conventional database query. Interval queries, however, require the index that has been built. The query flow is as follows:
Step 1: User X submits a query; obtain the query condition QS; the business data table queried by QS is L;
Step 2: Search the platform database to obtain the confidential field set SF of table L;
Step 3: Determine whether the user's matching conditions include a numeric field; if so, go to step 4, the matching field of the numeric data being NF; if not, go to step 5;
Step 4: Using user X's FMES private key for NF, perform the FMES operation on the match value, and replace the match value of field NF in the query condition;
Step 5: Pass QS to the platform. The platform decomposes QS and extracts the set of numeric matching field names and the set of match values;
Step 6: Determine whether each confidential matching field value is empty; if all are empty, send QS directly to the DBMS for a conventional query; if not all are empty, go to step 7;
Step 7: Obtain the set NFN of non-empty confidential matching field names, the value set NFV, and their query option set (the query option being either exact query or range match); at the same time, obtain the name set, value set and query option set of the non-confidential matching fields and the empty-valued confidential matching fields;
Step 8: According to the confidential field names NFN and the business data table name L, obtain the index table names corresponding to these confidential fields;
Step 9: Using the separated field names of the numeric matching fields, the query options, and the match values or match ranges, and according to the user type of the current enterprise user, obtain from the respective numeric-field index tables the index records of the confidential fields of table L that user X is allowed to view. Specifically: if the user is a primary user, obtain all index records of the confidential fields of table L; if the user is a collaboration user, obtain only the index records related to L. Put the result in a data set DS, sorted in ascending order of the identification field.
Step 10: Obtain the business data, then match field values row by row downward against the first row of DS; if they are identical, delete the first record in DS; if they differ, delete the current data row of the business data.
Step 11: Determine whether DS is empty; if not, continue with step 8; if it is empty, store DS in a temporary table, then query the table according to the conditions in QS other than the non-empty confidential matching conditions, obtaining data DL.
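The index construction and the two-stage exact-match query described above, as an added example that is not part of the patent text. The function names, the sample rows and the key are constructed, and the HMAC-based deterministic cipher is a stand-in assumed here in place of the DES/FMES encryption the description names; interval queries are not covered.

```python
import hashlib
import hmac

def _stream(key, tag, n):
    # HMAC-SHA256 in counter mode, seeded by the synthetic IV `tag`.
    blocks = (hmac.new(key, tag + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def enc(key, value):
    # Deterministic, reversible stand-in for the field cipher (assumption:
    # the page uses DES/FMES; this SIV-style construction is not that cipher).
    pt = str(value).encode()
    tag = hmac.new(key, b"tag" + pt, hashlib.sha256).digest()[:16]
    return (tag + bytes(a ^ b for a, b in zip(pt, _stream(key, tag, len(pt))))).hex()

def dec(key, token):
    raw = bytes.fromhex(token)
    tag, body = raw[:16], raw[16:]
    return bytes(a ^ b for a, b in zip(body, _stream(key, tag, len(body)))).decode()

def protect(rows, field, key):
    # Index construction: one index record (id, owner, Ri) per business row.
    stored = [{**r, field: enc(key, r[field])} for r in rows]
    index = [{"id": r["id"], "owner": r["owner"], "token": enc(key, r[field])}
             for r in rows]
    return stored, index

def platform_query(index, stored, token, user, is_primary):
    # Stage 1 (platform): ciphertext equality on the index; a collaboration
    # user gets the extra owner condition, a primary user sees all records.
    ids = {e["id"] for e in index
           if e["token"] == token and (is_primary or e["owner"] == user)}
    return [r for r in stored if r["id"] in ids]

def client_filter(rows, field, key, wanted):
    # Stage 2 (client): decrypt locally, re-match in plaintext, drop misses.
    plain = [{**r, field: dec(key, r[field])} for r in rows]
    return [r for r in plain if r[field] == str(wanted)]

# Constructed sample data and key.
KEY = b"constructed-demo-key"
ROWS = [{"id": 1, "owner": "corpA", "amount": 500},
        {"id": 2, "owner": "corpB", "amount": 500},
        {"id": 3, "owner": "corpA", "amount": 750}]

def run(user, is_primary, wanted=500):
    stored, index = protect(ROWS, "amount", KEY)
    hits = platform_query(index, stored, enc(KEY, wanted), user, is_primary)
    return [r["id"] for r in client_filter(hits, "amount", KEY, wanted)]
```

Because the index tokens are deterministic, the platform can see which rows hold equal values even though it never sees the plaintext; that equality leak is inherent to matching on ciphertext.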
In summary, the present invention proposes a cloud platform data computing method in an ERP environment, which realizes convenient data query on an ERP collaboration cloud platform, avoids the security problems caused by decrypting fields, and at the same time facilitates the sharing of business information within a business organization.
Obviously, those skilled in the art should appreciate that each module or each step of the present invention described above can be realized with a general-purpose computing system. They can be concentrated in a single computing system or distributed over a network formed by multiple computing systems. Alternatively, they can be realized with program code executable by a computing system, so that they can be stored in a storage system and executed by the computing system. Thus, the present invention is not restricted to any specific combination of hardware and software.
It should be understood that the above specific embodiments of the present invention are used only to illustrate or explain the principles of the present invention by way of example, and do not limit the present invention. Therefore, any modification, equivalent substitution, improvement and the like made without departing from the spirit and scope of the present invention shall be included within the protection scope of the present invention. Furthermore, the appended claims of the present invention are intended to cover all changes and modifications that fall within the scope and boundaries of the appended claims, or the equivalents of such scope and boundaries.

Claims (2)

1. A cloud platform data computing method in an ERP environment, for an ERP collaboration cloud platform that provides public services for enterprises, characterized by comprising:
the primary user in the business organization defining and configuring the encryption parameters and the business data table entries;
all users in the business organization querying the encrypted fields in stages.
2. The method according to claim 1, characterized in that the primary user defining and configuring the encryption parameters further comprises setting the encryption key in one of the following two ways: in one, the same field in the same business data table uses the same private key for encryption and decryption across all member enterprises of the business organization, in which case the primary user configures the private key when selecting the field to be encrypted; in the other, business records in the same data table that belong to different collaboration users use different private keys for encryption and decryption, in which case the encryption and decryption private key is negotiated between the primary user and each collaboration user, or is configured by the collaboration user;
all users querying the encrypted fields in stages further comprises: the first-stage query is performed at the platform: after the user sets the query conditions, the platform first separates out the match values of the non-empty confidential fields in the query conditions, and then obtains the index records of that field of the table from the index file; when extracting index records, it first determines whether the querier is the primary user or a collaboration user, and for a collaboration user's query adds a combined-field matching condition; after obtaining the index information, it obtains the index records that match successfully, then queries the business data table using the query matching conditions that remain after the separation, and from the data obtained takes the records having the same identification field value as the successfully matched index records, yielding the initial result set of the platform query, which is returned to the user; the second-stage query is performed at the client: after the client obtains the initial result set, it locally decrypts the encrypted fields in the initial result set, performs plaintext matching, removes the results that do not match the matching conditions, and obtains the final correct query result.
CN201610317369.4A 2016-05-13 2016-05-13 Cloud platform data computing method in ERP environment Pending CN106027509A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201610317369.4A CN106027509A (en) 2016-05-13 2016-05-13 Cloud platform data computing method in ERP environment

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201610317369.4A CN106027509A (en) 2016-05-13 2016-05-13 Cloud platform data computing method in ERP environment

Publications (1)

Publication Number Publication Date
CN106027509A true CN106027509A (en) 2016-10-12

Family

ID=57099791

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201610317369.4A Pending CN106027509A (en) 2016-05-13 2016-05-13 Cloud platform data computing method in ERP environment

Country Status (1)

Country Link
CN (1) CN106027509A (en)

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102024054A (en) * 2010-12-10 2011-04-20 中国科学院软件研究所 Ciphertext cloud-storage oriented document retrieval method and system
US20140379664A1 (en) * 2013-06-19 2014-12-25 Virtual Forge GmbH System and method for automatic correction of a database configuration in case of quality defects
CN103973668A (en) * 2014-03-27 2014-08-06 温州大学 Server-side personal privacy data protecting method in network information system
CN104036050A (en) * 2014-07-04 2014-09-10 福建师范大学 Complex query method for encrypted cloud data
CN104780161A (en) * 2015-03-23 2015-07-15 南京邮电大学 Searchable encryption method supporting multiple users in cloud storage

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110765238A (en) * 2019-10-12 2020-02-07 北京字节跳动网络技术有限公司 Data encryption query method and device
CN111914292A (en) * 2020-07-29 2020-11-10 山东浪潮通软信息科技有限公司 Method for constructing national secret unified configuration management center based on AOP technology
CN111914292B (en) * 2020-07-29 2023-04-14 浪潮通用软件有限公司 Method for constructing national encryption unified configuration management center based on AOP technology

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
AD01 Patent right deemed abandoned (effective date of abandoning: 20200501)