CN109325354B - Data storage, processing and reading method, data storage device and system - Google Patents
Data storage, processing and reading method, data storage device and system Download PDFInfo
- Publication number
- CN109325354B CN109325354B CN201710643448.9A CN201710643448A CN109325354B CN 109325354 B CN109325354 B CN 109325354B CN 201710643448 A CN201710643448 A CN 201710643448A CN 109325354 B CN109325354 B CN 109325354B
- Authority
- CN
- China
- Prior art keywords
- data
- data set
- preset
- encrypted
- type
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
- 238000000034 method Methods 0.000 title claims abstract description 89
- 238000013500 data storage Methods 0.000 title claims abstract description 41
- 230000006870 function Effects 0.000 claims description 45
- 230000015654 memory Effects 0.000 claims description 25
- 230000008569 process Effects 0.000 claims description 13
- 238000003672 processing method Methods 0.000 abstract description 3
- 238000010586 diagram Methods 0.000 description 8
- 230000005540 biological transmission Effects 0.000 description 5
- 238000004891 communication Methods 0.000 description 4
- 230000008878 coupling Effects 0.000 description 3
- 238000010168 coupling process Methods 0.000 description 3
- 238000005859 coupling reaction Methods 0.000 description 3
- 230000000694 effects Effects 0.000 description 3
- 230000003287 optical effect Effects 0.000 description 3
- 238000010295 mobile communication Methods 0.000 description 2
- 238000012986 modification Methods 0.000 description 2
- 230000004048 modification Effects 0.000 description 2
- 238000006243 chemical reaction Methods 0.000 description 1
- 238000005516 engineering process Methods 0.000 description 1
- 239000004973 liquid crystal related substance Substances 0.000 description 1
Images
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/602—Providing cryptographic facilities or services
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/62—Protecting access to data via a platform, e.g. using keys or access control rules
- G06F21/6218—Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
- G06F21/6245—Protecting personal data, e.g. for financial or medical purposes
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/70—Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
- G06F21/78—Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure storage of data
- G06F21/80—Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure storage of data in storage media based on magnetic or optical technology, e.g. disks with sectors
Abstract
The application discloses a data storage method, a data processing method, a data reading method, a data storage device and a data storage system. The data storage method comprises the following steps: acquiring a second data set to be encrypted from the first data set to be written into a preset storage area; encrypting the second data set; and storing the unencrypted residual data in the first data set and the encrypted second data set in a preset storage area. The method and the device solve the technical problems that the encryption granularity of a data storage method in the prior art is large and the system performance is influenced.
Description
Technical Field
The present application relates to the field of data processing, and in particular, to a method for storing, processing, and reading data, a data storage device, and a system.
Background
In a database system, in order to protect sensitive Data stored in a database from being leaked, the sensitive Data stored in the database needs to be encrypted, and at present, a TDE Encryption method (Transparent Data Encryption, which is an abbreviation of Transparent Data Encryption) is generally used to encrypt a Data page on a disk, and before the Data page is written into the disk, the Data page is symmetrically encrypted once and then dropped from the disk, which is completely Transparent to an application program connected to the database.
However, the above method is to encrypt the whole database, not to encrypt the field and the record, and the encryption granularity is large and the influence on the system performance is large.
Aiming at the problems that the storage method of the data in the prior art has larger encryption granularity and affects the system performance, an effective solution is not provided at present.
Disclosure of Invention
The embodiment of the application provides a data storage, processing and reading method, a data storage device and a system, which are used for at least solving the technical problem that the encryption granularity of a data storage method in the prior art is large and the system performance is influenced.
According to an aspect of an embodiment of the present application, there is provided a data storage method, including: acquiring a second data set to be encrypted from a first data set to be written into a preset storage area; encrypting the second data set; and storing the unencrypted residual data in the first data set and the encrypted second data set in a preset storage area.
According to another aspect of the embodiments of the present application, there is also provided a data storage device, including: the acquisition module is used for acquiring a second data set to be encrypted from a first data set to be written into a preset storage area; the encryption module is used for encrypting the second data set; and the storage module is used for storing the unencrypted residual data in the first data set and the encrypted second data set to a preset storage area.
According to another aspect of the embodiments of the present application, there is also provided a storage medium including a stored program, wherein when the program runs, a device in which the storage medium is located is controlled to execute the storage method of the data in the above embodiments.
According to another aspect of the embodiments of the present application, there is also provided a processor, configured to execute a program, where the program executes the storage method of the data in the above embodiments.
According to another aspect of the embodiments of the present application, there is also provided a system, including: a processor; and a memory coupled to the processor for providing instructions to the processor to perform the following processes: acquiring a second data set to be encrypted from a first data set to be written into a preset storage area; encrypting the second data set; and storing the unencrypted residual data in the first data set and the encrypted second data set in a preset storage area.
According to another aspect of the embodiments of the present application, there is also provided a data processing method, including: acquiring first data to be encrypted; extracting second data from the first data; encrypting the second data; and combining the unencrypted data and the encrypted second data in the first data into third data.
According to another aspect of the embodiments of the present application, there is also provided a method for reading data, including: reading an unencrypted first data set and an encrypted second data set from a preset storage area; decrypting the encrypted second data set to obtain a second data set; the unencrypted first data set and second data set are combined into a third data set.
In the embodiment of the application, a mode of acquiring the second data set from the first data set and encrypting the second data set is adopted, and the second data set is to-be-encrypted data in the first data set, so that only the second data set is encrypted without encrypting the whole first data set, and therefore, the effects of reducing the encryption granularity and reducing the influence on the system performance are achieved, and the technical problems that the storage method of the data in the prior art has larger encryption granularity and influences the system performance are solved.
Drawings
The accompanying drawings, which are included to provide a further understanding of the application and are incorporated in and constitute a part of this application, illustrate embodiment(s) of the application and together with the description serve to explain the application and not to limit the application. In the drawings:
FIG. 1 is a flow chart of an alternative method of storing data according to an embodiment of the present application;
FIG. 2 is a schematic diagram of an encryption method in an alternative data storage method according to an embodiment of the present application;
FIG. 3 is a schematic diagram of a decryption method in an alternative data storage method according to an embodiment of the present application;
fig. 4 is a block diagram of a hardware structure of a computer terminal for implementing a data storage method according to an embodiment of the present application;
FIG. 5 is a flow chart of a method of storing data according to an embodiment of the present application;
FIG. 6 is a schematic diagram of a data storage device according to an embodiment of the present application;
FIG. 7 is a flow chart of a method of processing data according to an embodiment of the present application;
FIG. 8 is a flow chart of a method of reading data according to an embodiment of the present application; and
fig. 9 is a block diagram of a computer terminal according to an embodiment of the present application.
Detailed Description
In order to make the technical solutions better understood by those skilled in the art, the technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are only partial embodiments of the present application, but not all embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
It should be noted that the terms "first," "second," and the like in the description and claims of this application and in the drawings described above are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order. It should be understood that the data so used may be interchanged under appropriate circumstances such that embodiments of the application described herein may be implemented in sequences other than those illustrated or described herein. Moreover, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed, but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
First, some terms or terms appearing in the description of the embodiments of the present application are applicable to the following explanations:
TDE: the method is used for providing protection for the whole database, and after the TDE encryption is opened for the database, the method is completely transparent for the application program connected to the selected database, and does not need to make any changes to the existing application program. Once open, pages are encrypted before they are written to disk and decrypted before being read to memory.
The basic data type: including types underlying user-visible types (e.g., int, double, char, text, etc. types), each inheriting an underlying data type.
Hook function: the method comprises an encryption and decryption function, and realizes encryption and decryption operations on the whole database by setting a hook and calling.
Example 1
In the prior art, a data storage method can only encrypt a data page, and the encryption granularity is too large, so that the system performance is greatly influenced.
In view of the foregoing problems, embodiments of the present application provide a data storage method, which may obtain a second data set from a first data set that needs to be stored, encrypt only the second data set without encrypting the entire first data set, and store the encrypted second data set and data in the first data set, except for the second data set, in a database, so as to reduce encryption granularity and reduce the influence on system performance.
In order to achieve the above object, a transparent data encryption TDE process in a database system in a shopping payment scenario is taken as an example to describe in detail the technical solution adopted in this embodiment. As shown in fig. 1, the data storage method provided in this embodiment may include the following processing steps:
Step S102, a second data set to be encrypted is obtained from the first data set to be written into the preset storage area.
Alternatively, in a shopping payment scenario, data such as order information (including an order number, order time, commodity information, address information, logistics information, and the like), user account information (including a user name, a password, and the like), amount information (a user balance, and the like) and the like may be stored in the database system, but for a user, not all information is sensitive information, only the user account information, the amount information, and the like are sensitive information, and in order to reduce the influence on the system performance, only the sensitive information such as the user account information, the amount information, and the like may be encrypted.
Specifically, the preset storage area may include a storage area in a database system for storing a first data set, and the second data set may include data to be encrypted, which is preset by a user in the first data set, and may include: a single data form or a single column of data.
In an optional scheme, a second data set that needs to be encrypted may be obtained from a first data set that needs to be stored in a database according to a user requirement, for example, the first data set that needs to be stored in the database includes information such as an order number, commodity information, a user balance, a user name, a password, and sensitive information such as a user balance, a user name, a password, and the like may be obtained from the first data set according to a user requirement, so as to obtain the second data set.
Step S104, the initial data type of each data contained in the second data set is obtained.
Specifically, the initial data type may include a data type of each data source above the basic data type, for example, the initial data type of the user name may be a str type, the initial data type of the password may be a text type, and the initial data type of the user balance may be a double type.
In an optional scheme, after a second data set containing user sensitive information is obtained from a first data set according to a user requirement, an initial data type of each data contained in the second data set may be obtained, that is, an initial data type of a user balance, a password, and a user name may be obtained: double, text, and str types.
And step S106, uniformly converting the initial data type of each data into a preset data type, and calling a preset encryption function to encrypt the second data set.
Specifically, the preset data type may include a binary format type, and may be compatible with a user-visible type (e.g., int, double, char, text, etc.); the preset encryption function may include a hook function, such as a TDE encryption/decryption algorithm.
In an optional scheme, as shown in fig. 2, if the types of the data included in the second data set are int, double, char, and text types, the base data types (including the above four data types) may be converted in the database, and the data types are converted into binary format types, and at the same time, a hook function is called to perform TDE encryption processing on the second data set, so as to obtain encrypted data of the user balance, the password, the user name, and the like.
Step S108, storing the unencrypted remaining data in the first data set and the encrypted second data set to a preset storage area.
In an optional scheme, the encrypted data of the user balance, the password, the user name and the like, and the unencrypted data of the order number, the commodity information and the like can be stored in the database system.
Step S110, reading the unencrypted residual data and the encrypted second data set from the preset storage area.
In an alternative scheme, when the user needs to read the first data set from the database system, the encrypted data of the user balance, the password, the user name and the like, and the unencrypted data of the order number, the commodity information and the like may be first read from a preset storage area in the database system.
Step S112, converting the preset data type of each data included in the encrypted second data set into the initial data type of each data, and calling a preset decryption function to decrypt the encrypted second data set.
In an optional scheme, as shown in fig. 3, after reading the unencrypted remaining data and the encrypted second data set from the database system, the binary format type may be converted in the database, and while converting the binary format type into int, double, char, and text types, a hook function may be invoked to perform TDE decryption processing on the encrypted second data set, so as to obtain data such as a user balance, a password, and a user name.
And step S114, restoring the unencrypted residual data and the second data set into a first data set.
In an optional scheme, data such as a user balance, a password, a user name, and the like, and unencrypted data such as an order number, commodity information, and the like may be merged to obtain a first data set.
It should be noted that the hook function may also be replaced by another function, for example, replacing the TDE encryption/decryption algorithm with another encryption/decryption algorithm.
Through the scheme, the encryption and decryption processing can be performed on the second data set in the first data set, the encryption granularity is reduced, the influence on the system performance is reduced, moreover, the hook function is added for encryption and decryption operation while the basic data type is subjected to data conversion, the encrypted data can be completely and transparently accessed to the application program, meanwhile, the operational characters supported by the original data type are supported, the functions of the original data type are not influenced, and the functions comprise functions of data arrangement, operation and the like.
Example 2
There is also provided, in accordance with an embodiment of the present application, an embodiment of a method of storing data, it being noted that the steps illustrated in the flowchart of the figure may be performed in a computer system such as a set of computer-executable instructions and that, although a logical order is illustrated in the flowchart, in some cases the steps illustrated or described may be performed in an order different than here.
The method provided by the first embodiment of the present application may be executed in a mobile terminal, a computer terminal, or a similar computing device. Fig. 4 is a block diagram of a hardware structure of a computer terminal for implementing a data storage method according to an embodiment of the present application. As shown in fig. 4, the computer terminal 40 may include one or more (shown as 402a, 402b, … …, 402 n) processors 402 (the processors 402 may include, but are not limited to, a processing device such as a microprocessor MCU or a programmable logic device FPGA, etc.), a memory 404 for storing data, and a transmission device 406 for communication functions. Besides, the method can also comprise the following steps: a display, an input/output interface (I/O interface), a Universal Serial Bus (USB) port (which may be included as one of the ports of the I/O interface), a network interface, a power source, and/or a camera. It will be understood by those skilled in the art that the structure shown in fig. 4 is only an illustration and is not intended to limit the structure of the electronic device. For example, the computer terminal 40 may also include more or fewer components than shown in FIG. 4, or have a different configuration than shown in FIG. 4.
It should be noted that the one or more processors 402 and/or other data processing circuitry described above may be referred to generally herein as "data processing circuitry". The data processing circuitry may be embodied in whole or in part in software, hardware, firmware, or any combination thereof. Further, the data processing circuit may be a single stand-alone processing module, or incorporated in whole or in part into any of the other elements in the computer terminal 40. As referred to in the embodiments of the present application, the data processing circuit acts as a processor control (e.g., selection of a variable resistance termination path to interface with).
The memory 404 may be used to store software programs and modules of application software, such as program instructions/data storage devices corresponding to the data storage method in the embodiment of the present application, and the processor 402 executes various functional applications and data processing by operating the software programs and modules stored in the memory 404, that is, implementing the data storage method described above. The memory 404 may include high-speed random access memory, and may also include non-volatile memory, such as one or more magnetic storage devices, flash memory, or other non-volatile solid-state memory. In some examples, the memory 404 may further include memory located remotely from the processor 402, which may be connected to the computer terminal 40 via a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.
The transmission device 406 is used for receiving or sending data via a network. Specific examples of the network described above may include a wireless network provided by a communication provider of the computer terminal 40. In one example, the transmission device 406 includes a Network adapter (NIC) that can be connected to other Network devices through a base station to communicate with the internet. In one example, the transmission device 406 may be a Radio Frequency (RF) module, which is used for communicating with the internet in a wireless manner.
The display may be, for example, a touch screen type Liquid Crystal Display (LCD) that may enable a user to interact with the user interface of the computer terminal 40.
It should be noted here that in some alternative embodiments, the computer device shown in fig. 4 may include hardware elements (including circuitry), software elements (including computer code stored on a computer-readable medium), or a combination of both hardware and software elements. It should be noted that FIG. 4 is only one example of a particular specific example and is intended to illustrate the types of components that may be present in the computer device described above.
Under the above operating environment, the present application provides a method for storing data as shown in fig. 5. Fig. 5 is a flowchart of a data storage method according to an embodiment of the present application, and as shown in fig. 5, the method may include the following processing steps:
step S502, a second data set to be encrypted is obtained from the first data set to be written into the preset storage area.
Step S504, performs encryption processing on the second data set.
Alternatively, this step may be achieved by, but is not limited to: acquiring an initial data type of each data contained in the second data set; and uniformly converting the initial data type of each data into a preset data type, and calling a preset encryption function to encrypt the second data set.
Step S506, storing the unencrypted remaining data in the first data set and the encrypted second data set to a preset storage area.
Optionally, after storing the unencrypted remaining data and the encrypted second data set in the preset storage area, the method may further include the following processing steps: reading the unencrypted residual data and the encrypted second data set from a preset storage area; carrying out decryption processing on the encrypted second data set; and restoring the first data set by using the unencrypted residual data and the second data set.
Optionally, the decryption process on the encrypted second data set may include, but is not limited to, the following process steps: and converting the preset data types of all the data in the encrypted second data set into the initial data type of each data, and calling a preset decryption function to decrypt the encrypted second data set.
Optionally, the method provided by this embodiment may be applied to a Transparent Data Encryption (TDE) process in a database system, but is not limited thereto.
It should be noted that, for simplicity of description, the above-mentioned method embodiments are described as a series of acts or combination of acts, but those skilled in the art will recognize that the present application is not limited by the order of acts described, as some steps may occur in other orders or concurrently depending on the application. Further, those skilled in the art should also appreciate that the embodiments described in the specification are preferred embodiments and that the acts and modules referred to are not necessarily required in this application.
Through the above description of the embodiments, those skilled in the art can clearly understand that the method according to the above embodiments can be implemented by software plus a necessary general hardware platform, and certainly can also be implemented by hardware, but the former is a better implementation mode in many cases. Based on such understanding, the technical solutions of the present application may be embodied in the form of a software product, which is stored in a storage medium (e.g., ROM/RAM, magnetic disk, optical disk) and includes instructions for enabling a terminal device (e.g., a mobile phone, a computer, a server, or a network device) to execute the method according to the embodiments of the present application.
Example 3
According to an embodiment of the present application, there is also provided a data storage device for implementing the above data storage method, as shown in fig. 6, the data storage device 600 includes: an acquisition module 602, an encryption module 604, and a storage module 606.
The obtaining module 602 is configured to obtain a second data set to be encrypted from a first data set to be written in a preset storage area.
The encryption module 604 is configured to perform encryption processing on the second data set.
Alternatively, as shown in fig. 6, the module may include the following units, but is not limited thereto: an obtaining unit 608 and an encrypting unit 610, wherein the obtaining unit 608 is configured to obtain an initial data type of each data included in the second data set; the encryption unit 610 is configured to uniformly convert the initial data type of each data into a preset data type, and call a preset encryption function to perform encryption processing on the second data set.
The storage module 606 is configured to store the unencrypted remaining data in the first data set and the encrypted second data set in a preset storage area.
It should be noted here that the obtaining module 602, the encrypting module 604 and the storing module 606 correspond to steps S502 to S506 in embodiment 2, and the three modules are the same as the corresponding steps in the implementation example and application scenario, but are not limited to the disclosure in embodiment 1. It should be noted that the above modules may be operated in the computer terminal 40 provided in embodiment 1 as a part of the apparatus.
Optionally, as shown in fig. 6, the data storage device 600 further includes: a read module 612, a decryption module 614, and a restore module 616.
The reading module 612 is configured to read the unencrypted remaining data and the encrypted second data set from the preset storage area; the decryption module 614 is configured to decrypt the encrypted second data set; the restoring module 616 is configured to restore the first data set using the unencrypted remaining data and the second data set.
Optionally, the decryption module 614 is further configured to convert the preset data type of all data in the encrypted second data set into the initial data type of each data, and call a preset decryption function to perform decryption processing on the encrypted second data set.
Example 4
There is also provided, in accordance with an embodiment of the present application, an embodiment of a method of processing data, to note that the steps illustrated in the flowchart of the figure may be performed in a computer system such as a set of computer-executable instructions, and that while a logical order is illustrated in the flowchart, in some cases the steps illustrated or described may be performed in an order different than here.
Fig. 7 is a flowchart of a data processing method according to an embodiment of the present application, and as shown in fig. 7, the method may include the following processing steps:
Step S702, obtain first data to be encrypted.
Optionally, in a shopping payment scenario, data such as order information (including an order number, order time, commodity information, address information, logistics information, and the like), user account information (including a user name, a password, and the like), amount information (a user balance, and the like) and the like may be stored in the database system, and in order to ensure data security, data stored in the database system may be encrypted.
Specifically, the first data to be encrypted may be included in different scenarios, and the user needs data stored in the database system.
In step S704, second data is extracted from the first data.
Optionally, in a shopping payment scenario, not all information is sensitive information for a user, but only user account information, amount information, and the like are sensitive information, and in order to reduce the influence on system performance, only the sensitive information such as the user account information, the amount information, and the like may be encrypted.
Specifically, the second data may include data that needs to be encrypted and is preset by the user in the first data, for example, sensitive information such as user account information and money amount information may include: a single data form or a single column of data.
Step S706, performs encryption processing on the second data.
In step S708, the unencrypted data and the encrypted second data in the first data are combined into third data.
In an optional scheme, according to a user requirement, second data containing user sensitive information may be extracted from first data to be encrypted, TDE encryption processing may be performed only on the second data to obtain encrypted second data, the entire first data is not encrypted any more, and remaining unencrypted data in the first data and the encrypted second data are combined into third data, and further the third data may be stored in a database, thereby reducing an influence on system performance.
In the embodiment of the application, the mode of extracting the second data from the first data to be encrypted and encrypting the second data is adopted, and only the second data in the first data to be encrypted is encrypted without encrypting the first data to be encrypted, so that the effects of reducing the encryption granularity and reducing the influence on the system performance are achieved.
Example 5
There is also provided, in accordance with an embodiment of the present application, an embodiment of a method for reading data, it being noted that the steps illustrated in the flowchart of the drawings may be performed in a computer system such as a set of computer-executable instructions and that, although a logical order is illustrated in the flowchart, in some cases the steps illustrated or described may be performed in an order different than that presented herein.
Fig. 8 is a flowchart of a data reading method according to an embodiment of the present application, and as shown in fig. 8, the method may include the following processing steps:
in step S802, an unencrypted first data set and an encrypted second data set are read from a preset storage area.
Alternatively, in a shopping payment scenario, data such as order information (including an order number, order time, commodity information, address information, logistics information, and the like), user account information (including a user name, a password, and the like), amount information (a user balance, and the like) and the like may be stored in the database system, but for a user, not all information is sensitive information, only the user account information, the amount information, and the like are sensitive information, and in order to reduce the influence on the system performance, only the sensitive information such as the user account information, the amount information, and the like may be encrypted.
Specifically, the preset storage area may include a storage area in the database system for storing an unencrypted first data set and an encrypted second data set, where the second data set may include data that needs to be encrypted and is preset by a user, and the method may include: a single data form or single column of data, for example, in a shopping payment scenario, the second set of data may include: the first data set may include other data that needs to be stored in a preset storage area but needs to be encrypted, for example, in a shopping payment scenario, the first data set may include data such as order information other than the sensitive information.
In an alternative scheme, when data stored in the database is read, an encrypted second data set, for example, encrypted data of a user balance, a password, and a user name, and an unencrypted first data set, for example, unencrypted data of an order number, commodity information, and the like, may be read from a preset storage area in the database system.
Step S804, performing decryption processing on the encrypted second data set to obtain a second data set.
Alternatively, this step may be implemented by, but is not limited to: converting the preset data type of all the data in the encrypted second data set into the initial data type of each data; and calling a preset decryption function to decrypt the encrypted second data set to obtain the second data set.
Specifically, the preset data type may include a binary format type, and may be compatible with a user-visible type (e.g., int, double, char, text, etc.); the initial data type may include a data type of each data source above the basic data type, for example, the initial data type of the user name may be a str type, the initial data type of the password may be a text type, and the initial data type of the user balance may be a double type; the predetermined decryption function may include a hook function, such as TDE encryption and decryption algorithm.
In an optional scheme, after reading an unencrypted first data set and an encrypted second data set from a database system, a binary format type may be converted in the database, and while the binary format type is converted into int, double, char, and text types, a hook function may be called to perform TDE decryption processing on the encrypted second data set to obtain a second data set, for example, data such as a user balance, a password, and a user name may be obtained.
Step S806 combines the unencrypted first data set and second data set into a third data set.
In an alternative scheme, the unencrypted first data set and the unencrypted second data set may be combined to obtain a third data set, for example, data such as a user balance, a password, a user name, and unencrypted data such as an order number and commodity information may be combined to obtain the third data set.
It should be noted that the hook function described above may also be replaced by other functions, for example, replacing the TDE encryption/decryption algorithm with other encryption/decryption algorithms.
In the embodiment of the present application, a way of decrypting the encrypted second data set and combining the second data set and the unencrypted first data set to obtain the third data set is adopted, and since the second data set is encrypted and the first data set is unencrypted, only the encrypted second data set needs to be decrypted, so that the effects of reducing the decryption granularity and reducing the influence on the system performance are achieved.
Example 6
The embodiment of the application can provide a computer terminal which can be any computer terminal device in a computer terminal group. Optionally, in this embodiment, the computer terminal may also be replaced with a terminal device such as a mobile terminal.
Optionally, in this embodiment, the computer terminal may be located in at least one network device of a plurality of network devices of a computer network.
In this embodiment, the computer terminal may execute the program code of the following steps in the data storage method: acquiring a second data set to be encrypted from a first data set to be written into a preset storage area; encrypting the second data set; and storing the unencrypted residual data in the first data set and the encrypted second data set in a preset storage area.
Optionally, fig. 9 is a block diagram of a computer terminal according to an embodiment of the present application. As shown in fig. 9, the computer terminal 900 may include: one or more processors 902 (only one shown), a memory 904, and a transmitting device 906.
The memory 904 can be used for storing software programs and modules, such as program instructions/modules corresponding to the data storage method and apparatus in the embodiment of the present application, and the processor 902 executes various functional applications and data processing by running the software programs and modules stored in the memory, that is, implementing the data storage method described above. The memory 904 may include high-speed random access memory, and may also include non-volatile memory, such as one or more magnetic storage devices, flash memory, or other non-volatile solid-state memory. In some examples, the memories may further include a memory located remotely from the processor, which may be connected to the terminal 900 via a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.
The processor 902 may invoke the memory-stored information and applications via the transmission means to perform the following steps: acquiring a second data set to be encrypted from the first data set to be written into a preset storage area; encrypting the second data set; and storing the unencrypted residual data in the first data set and the encrypted second data set to a preset storage area.
Optionally, the processor 902 may further execute the following steps: acquiring an initial data type of each data contained in the second data set; and uniformly converting the initial data type of each data into a preset data type, and calling a preset encryption function to encrypt the second data set.
Optionally, the processor 902 may further execute the following steps: after the unencrypted residual data and the encrypted second data set are stored in the preset storage area, reading the unencrypted residual data and the encrypted second data set from the preset storage area; carrying out decryption processing on the encrypted second data set; and restoring the first data set by using the unencrypted residual data and the second data set.
Optionally, the processor 902 may further execute program codes of the following steps: and converting the preset data types of all the data in the encrypted second data set into the initial data type of each data, and calling a preset decryption function to decrypt the encrypted second data set.
By adopting the embodiment of the application, a scheme for storing data is provided. The method comprises the steps of obtaining a second data set from a first data set, encrypting the second data set, and storing the unencrypted residual data and the encrypted second data set to a preset storage area, so that the aim of transparently storing the data is fulfilled, and the technical problems that the encryption granularity of a data storage method in the prior art is large and the system performance is influenced are solved.
It can be understood by those skilled in the art that the structure shown in fig. 9 is only an illustration, and the computer terminal may also be a terminal device such as a smart phone (e.g., an Android phone, an iOS phone, etc.), a tablet computer, a palmtop computer, a Mobile Internet Device (MID), a PAD, and the like. Fig. 9 is a diagram illustrating a structure of the electronic device. For example, the computer terminal a may also include more or fewer components (e.g., network interfaces, display devices, etc.) than shown in fig. 9, or have a different configuration than shown in fig. 9.
Those skilled in the art will appreciate that all or part of the steps in the methods of the above embodiments may be implemented by a program instructing hardware associated with the terminal device, where the program may be stored in a computer-readable storage medium, and the storage medium may include: flash disks, Read-Only memories (ROMs), Random Access Memories (RAMs), magnetic or optical disks, and the like.
Example 7
Embodiments of the present application also provide a storage medium. Optionally, in this embodiment, the storage medium may be configured to store a program code executed by the data storage method provided in the first embodiment.
Optionally, in this embodiment, the storage medium may be located in any one of computer terminals in a computer terminal group in a computer network, or in any one of mobile terminals in a mobile terminal group.
Optionally, in this embodiment, the storage medium is configured to store program code for performing the following steps: acquiring a second data set to be encrypted from a first data set to be written into a preset storage area; encrypting the second data set; and storing the unencrypted residual data in the first data set and the encrypted second data set in a preset storage area.
Example 8
An embodiment of the present application further provides a system for implementing the above data storage method, including:
a processor; and
a memory coupled to the processor for providing instructions to the processor to perform the following processes:
acquiring a second data set to be encrypted from a first data set to be written into a preset storage area;
encrypting the second data set;
and storing the unencrypted residual data in the first data set and the encrypted second data set in a preset storage area.
The above-mentioned serial numbers of the embodiments of the present application are merely for description and do not represent the merits of the embodiments.
In the above embodiments of the present application, the descriptions of the respective embodiments have respective emphasis, and for parts that are not described in detail in a certain embodiment, reference may be made to related descriptions of other embodiments.
In the embodiments provided in the present application, it should be understood that the disclosed technology can be implemented in other ways. The above-described embodiments of the apparatus are merely illustrative, and for example, the division of the units is only one type of division of logical functions, and there may be other divisions when actually implemented, for example, a plurality of units or components may be combined or may be integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, units or modules, and may be in an electrical or other form.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, functional units in the embodiments of the present application may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit. The integrated unit can be realized in a form of hardware, and can also be realized in a form of a software functional unit.
The integrated unit, if implemented in the form of a software functional unit and sold or used as a stand-alone product, may be stored in a computer readable storage medium. Based on such understanding, the technical solution of the present application may be substantially implemented or contributed to by the prior art, or all or part of the technical solution may be embodied in a software product, which is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present application. And the aforementioned storage medium includes: a U-disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a removable hard disk, a magnetic or optical disk, and other various media capable of storing program codes.
The foregoing is only a preferred embodiment of the present application and it should be noted that those skilled in the art can make several improvements and modifications without departing from the principle of the present application, and these improvements and modifications should also be considered as the protection scope of the present application.
Claims (11)
1. A method of storing data, comprising:
acquiring a second data set to be encrypted from a first data set to be written into a preset storage area, wherein the second data set comprises: a single data form or single column of data;
encrypting the second data set;
storing the unencrypted residual data in the first data set and the encrypted second data set to the preset storage area;
wherein the encrypting the second data set comprises: acquiring an initial data type of each data contained in the second data set; uniformly converting the initial data type of each datum into a preset data type, and calling a preset encryption function to encrypt the second data set while converting the initial data type of each datum into the preset data type, wherein the preset data type is a binary format type, and the preset encryption function comprises a hook function;
The method is applied to the transparent data encryption process of the database system.
2. The method according to claim 1, further comprising, after storing the unencrypted remaining data and the encrypted second data set in the preset storage area:
reading the unencrypted residual data and the encrypted second data set from the preset storage area;
decrypting the encrypted second data set;
and restoring the first data set by adopting the unencrypted residual data and the second data set.
3. The method of claim 2, wherein decrypting the encrypted second set of data comprises:
and converting the preset data types of all the data in the encrypted second data set into the initial data type of each data, and calling a preset decryption function to decrypt the encrypted second data set.
4. A data storage device, comprising:
an obtaining module, configured to obtain a second data set to be encrypted from a first data set to be written in a preset storage area, where the second data set includes: a single data form or single column of data;
The encryption module is used for encrypting the second data set;
the storage module is used for storing the unencrypted residual data in the first data set and the encrypted second data set to the preset storage area;
the encryption module includes: an obtaining unit, configured to obtain an initial data type of each piece of data included in the second data set; the encryption unit is used for uniformly converting the initial data type of each piece of data into a preset data type, and calling a preset encryption function to encrypt the second data set while converting the initial data type of each piece of data into the preset data type, wherein the preset data type is a binary format type, and the preset encryption function comprises a hook function;
the device is applied to a transparent data encryption process of a database system.
5. The data storage device of claim 4, further comprising:
a reading module, configured to read the unencrypted remaining data and the encrypted second data set from the preset storage area;
the decryption module is used for decrypting the encrypted second data set;
And the restoring module is used for restoring the first data set by adopting the unencrypted residual data and the second data set.
6. The data storage device according to claim 5, wherein the decryption module is configured to convert a preset data type of all data in the encrypted second data set into an initial data type of each data, and call a preset decryption function to perform decryption processing on the encrypted second data set.
7. A storage medium, characterized in that the storage medium comprises a stored program, wherein when the program runs, a device where the storage medium is located is controlled to execute the data storage method according to any one of claims 1 to 3.
8. A processor, characterized in that the processor is configured to execute a program, wherein the program executes a method of storing data according to any one of claims 1 to 3.
9. A system for storing data, comprising:
a processor; and
a memory coupled to the processor for providing instructions to the processor to perform the following processes:
acquiring a second data set to be encrypted from a first data set to be written into a preset storage area, wherein the second data set comprises: a single data form or single column of data;
Encrypting the second data set;
storing the unencrypted residual data in the first data set and the encrypted second data set to the preset storage area;
wherein the encrypting the second data set comprises: acquiring an initial data type of each data contained in the second data set; uniformly converting the initial data type of each datum into a preset data type, and calling a preset encryption function to encrypt the second data set while converting the initial data type of each datum into the preset data type, wherein the preset data type is a binary format type, and the preset encryption function comprises a hook function;
the system is applied to a transparent data encryption process of a database system.
10. A method for processing data, comprising:
acquiring first data to be encrypted;
extracting second data from the first data, wherein the second data comprises: a single data form or single column of data;
encrypting the second data;
combining unencrypted data and encrypted second data in the first data into third data;
Wherein the encrypting the second data set comprises: acquiring an initial data type of each data contained in the second data set; uniformly converting the initial data type of each data into a preset data type, and calling a preset encryption function to encrypt the second data set while converting the initial data type of each data into the preset data type, wherein the preset data type is a binary format type, and the preset encryption function comprises a hook function;
the method is applied to the transparent data encryption process of the database system.
11. A method for reading data, comprising:
reading an unencrypted first data set and an encrypted second data set from a preset storage area, wherein the encrypted second data set comprises: an encrypted single data form or an encrypted single column of data;
decrypting the encrypted second data set to obtain the second data set;
combining the unencrypted first set of data and the second set of data into a third set of data;
decrypting the encrypted second data set to obtain the second data set comprises: converting preset data types of all data in the encrypted second data set into initial data types of each data, and calling a preset decryption function to decrypt the encrypted second data set while converting the preset data types of all data in the encrypted second data set into the initial data types of each data, so as to obtain the second data set, wherein the preset data types are binary format types, and the preset encryption function comprises a hook function;
The method is applied to a transparent data encryption process of a database system.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201710643448.9A CN109325354B (en) | 2017-07-31 | 2017-07-31 | Data storage, processing and reading method, data storage device and system |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201710643448.9A CN109325354B (en) | 2017-07-31 | 2017-07-31 | Data storage, processing and reading method, data storage device and system |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN109325354A CN109325354A (en) | 2019-02-12 |
| CN109325354B true CN109325354B (en) | 2022-06-28 |
Family
ID=65245762
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201710643448.9A Active CN109325354B (en) | 2017-07-31 | 2017-07-31 | Data storage, processing and reading method, data storage device and system |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN109325354B (en) |
Citations (7)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101553794A (en) * | 2006-10-27 | 2009-10-07 | 三星Sds株式会社 | Rehosting method which convert mainframe system into open system |
| JP2014023100A (en) * | 2012-07-23 | 2014-02-03 | Nippon Hoso Kyokai <Nhk> | Encryption device, decryption device, encryption program, and decryption program |
| CN103853985A (en) * | 2012-12-05 | 2014-06-11 | 中国移动通信集团黑龙江有限公司 | Data encryption method, decryption method and decryption device |
| CN104144343A (en) * | 2014-07-11 | 2014-11-12 | 东北大学 | Digital image compressing, encrypting and encoding combined method |
| CN104486073A (en) * | 2014-12-23 | 2015-04-01 | 南通大学 | Encryption and decryption method of character data |
| WO2015131800A1 (en) * | 2014-03-04 | 2015-09-11 | 北京中天安泰信息技术有限公司 | Data blackhole processing method based on mobile storage device, and mobile storage device |
| CN106888183A (en) * | 2015-12-15 | 2017-06-23 | 阿里巴巴集团控股有限公司 | Data encryption, decryption, the method and apparatus and system of key request treatment |
Family Cites Families (10)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US7356147B2 (en) * | 2002-04-18 | 2008-04-08 | International Business Machines Corporation | Method, system and program product for attaching a title key to encrypted content for synchronized transmission to a recipient |
| US8677504B2 (en) * | 2005-07-14 | 2014-03-18 | Qualcomm Incorporated | Method and apparatus for encrypting/decrypting multimedia content to allow random access |
| KR20130101629A (en) * | 2012-02-16 | 2013-09-16 | 삼성전자주식회사 | Method and apparatus for outputting content in a portable device supporting secure execution environment |
| WO2015188202A2 (en) * | 2014-06-02 | 2015-12-10 | Global Data Sciences Inc. | Point-to-point secure data store and communication system and method |
| US9405928B2 (en) * | 2014-09-17 | 2016-08-02 | Commvault Systems, Inc. | Deriving encryption rules based on file content |
| CN105809066B (en) * | 2014-12-29 | 2019-02-01 | 深圳Tcl数字技术有限公司 | The storage method and terminal of encryption data |
| CN106127055A (en) * | 2016-06-14 | 2016-11-16 | 山东超越数控电子有限公司 | The cipher conversion of a kind of automatization and encryption implementation method |
| CN106131051B (en) * | 2016-08-16 | 2019-06-21 | 深圳神盾电子科技有限公司 | Information encryption and decryption method and device |
| CN106375084A (en) * | 2016-10-14 | 2017-02-01 | 郑州云海信息技术有限公司 | Data encryption method and data encryption device |
| CN106656751A (en) * | 2016-12-05 | 2017-05-10 | 北京中交兴路信息科技有限公司 | Data communication method and device |
-
2017
- 2017-07-31 CN CN201710643448.9A patent/CN109325354B/en active Active
Patent Citations (7)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101553794A (en) * | 2006-10-27 | 2009-10-07 | 三星Sds株式会社 | Rehosting method which convert mainframe system into open system |
| JP2014023100A (en) * | 2012-07-23 | 2014-02-03 | Nippon Hoso Kyokai <Nhk> | Encryption device, decryption device, encryption program, and decryption program |
| CN103853985A (en) * | 2012-12-05 | 2014-06-11 | 中国移动通信集团黑龙江有限公司 | Data encryption method, decryption method and decryption device |
| WO2015131800A1 (en) * | 2014-03-04 | 2015-09-11 | 北京中天安泰信息技术有限公司 | Data blackhole processing method based on mobile storage device, and mobile storage device |
| CN104144343A (en) * | 2014-07-11 | 2014-11-12 | 东北大学 | Digital image compressing, encrypting and encoding combined method |
| CN104486073A (en) * | 2014-12-23 | 2015-04-01 | 南通大学 | Encryption and decryption method of character data |
| CN106888183A (en) * | 2015-12-15 | 2017-06-23 | 阿里巴巴集团控股有限公司 | Data encryption, decryption, the method and apparatus and system of key request treatment |
Non-Patent Citations (4)
| Title |
|---|
| Autosophy data/image compression and encryption;Klaus E. Holtz,;《https://doi:10.1117/12.549029》;20041018;第5561卷;第25-38页 * |
| MS SQL Server数据库加密系统的设计与实现;邓书基等;《计算机与现代化》;20060528(第05期);全文 * |
| SSM: Secure-Split-Merge Data Distribution in Cloud Infrastructure;Burhan Ul Islam Khan;《2015 IEEE Conference on Open Systems (ICOS)》;20160111;第40-45页 * |
| 基于WEB数据库加密系统的研究;吴兴惠等;《海南师范大学学报(自然科学版)》;20090915(第03期);全文 * |
Also Published As
| Publication number | Publication date |
|---|---|
| CN109325354A (en) | 2019-02-12 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN110414244B (en) | Encryption card, electronic equipment and encryption service method | |
| AU2015334634B2 (en) | Transaction messaging | |
| CN107707347B (en) | User key backup method and device and user key importing method and device | |
| US20200104528A1 (en) | Data processing method, device and system | |
| CN109214201B (en) | Data sharing method, terminal equipment and computer readable storage medium | |
| CN110955914A (en) | Processing method, system, terminal equipment and storage medium of data to be desensitized | |
| CN105005731A (en) | Data encryption and decryption methods and mobile terminal | |
| CN105069365A (en) | Data processing method and mobile terminal | |
| CN107248972B (en) | Data encryption and decryption method and device and electronic equipment | |
| CN113382029A (en) | File data processing method and device | |
| CN109299944B (en) | Data encryption method, system and terminal in transaction process | |
| CN108833500B (en) | Service calling method, service providing method, data transmission method and server | |
| CN111368322B (en) | File decryption method and device, electronic equipment and storage medium | |
| CN110874476A (en) | Data processing system, method, storage medium and processor | |
| CN109325354B (en) | Data storage, processing and reading method, data storage device and system | |
| CN111104693A (en) | Android platform software data cracking method, terminal device and storage medium | |
| EP4216486A1 (en) | Address generation method, blockchain information processing method, and related device | |
| CN113343309B (en) | Natural person database privacy security protection method and device and terminal equipment | |
| CN113886850A (en) | Information encryption method, decryption method, device, electronic equipment and storage medium | |
| CN114357505A (en) | Logistics data encryption and decryption method and device and storage medium | |
| CN113645025A (en) | Data encryption storage method, storage device, user equipment and storage medium | |
| CN112596797A (en) | BIOS setting method, device, system, equipment and storage medium | |
| CN111179079A (en) | Terminal information acquisition method and device, terminal equipment and storage medium | |
| CN108418826A (en) | Video file processing method, device, server and storage medium | |
| CN110297687B (en) | Data interaction method, device and system based on virtual host |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| TA01 | Transfer of patent application right |
Effective date of registration: 20210907 Address after: Room 508, floor 5, building 4, No. 699, Wangshang Road, Changhe street, Binjiang District, Hangzhou City, Zhejiang Province Applicant after: Alibaba (China) Co.,Ltd. Address before: A four-storey 847 mailbox in Grand Cayman Capital Building, British Cayman Islands Applicant before: ALIBABA GROUP HOLDING Ltd. |
|
| TA01 | Transfer of patent application right | ||
| TA01 | Transfer of patent application right |
Effective date of registration: 20211126 Address after: 310000 No. 12, Zhuantang science and technology economic block, Xihu District, Hangzhou City, Zhejiang Province Applicant after: Aliyun Computing Co.,Ltd. Address before: 310052 room 508, 5th floor, building 4, No. 699 Wangshang Road, Changhe street, Binjiang District, Hangzhou City, Zhejiang Province Applicant before: Alibaba (China) Co.,Ltd. |
|
| TA01 | Transfer of patent application right | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |