CN110061840B - Data encryption method and device, computer equipment and storage medium - Google Patents


Info

Publication number: CN110061840B
Authority: CN (China)
Prior art keywords: data, encrypted, key, initial vector, sub
Legal status: Active
Application number: CN201910186608.0A
Other languages: Chinese (zh)
Other versions: CN110061840A (en)
Inventors: 谢丹力, 张文明, 贾牧, 陆一帆
Current Assignee: Ping An Technology Shenzhen Co Ltd
Original Assignee: Ping An Technology Shenzhen Co Ltd
Application filed by: Ping An Technology Shenzhen Co Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861 Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/14 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols using a plurality of keys or algorithms

Abstract

Embodiments of the application provide a data encryption method, a data encryption device, computer equipment, and a computer-readable storage medium. To encrypt data, the data to be encrypted is divided into different data fields according to a preset rule; a root key is generated in a first preset manner, and an initial vector and a step size are obtained; a plurality of sub-keys are derived in a second preset manner based on the root key, the initial vector, and the step size; and the data fields are encrypted with the sub-keys. The data fields of a single piece of service data are thus encrypted separately, so that each data field can be authorized independently through its corresponding sub-key.

Description

Data encryption method and device, computer equipment and storage medium
Technical Field
The present application relates to the field of information security encryption technologies, and in particular, to a data encryption method and apparatus, a computer device, and a computer-readable storage medium.
Background
To prevent sensitive data from being freely accessed by other nodes in a blockchain, a node's data must be encrypted before it is put on the chain, and a key is granted to any node that needs to read that data. Once an authorized node has the key, it can view the on-chain encrypted data that corresponds to the key. The traditional encryption authorization scheme uses one key per document: a single authorization is required and the whole of the service data is authorized at once, which guarantees the overall security and the independence of each piece of encrypted data. For example, referring to fig. 1, fig. 1 (a) shows a piece of service data in a business contract that contains the business party's name, ID number, and rating, and the unit price of the goods under the contract; that is, the piece of service data includes a business name, a business ID, a business rating, and a unit price of goods (the manifest price). The conventional technology generally encrypts such service data with one key per document, that is, the business name, business ID, business rating, and manifest price are all encrypted with a single key. As shown in fig. 1 (a), a uniform key DataKey is used to encrypt the data, and once the DataKey is granted to the other party, the authorized party holding it can access all of the content of the service data, including the business name, business ID, business rating, and manifest price.
In actual business, however, the authorized party is often expected to view only part of the content of a piece of service data. For example, before a transaction is concluded, the first party wants the second party to see only information such as the enterprise name and enterprise ID, may optionally allow the other party to see information such as the enterprise rating, and does not want the second party to see the unit price of the goods under the contract until the contract is finally concluded. Continuing with (a) and (b) in fig. 1: to authorize different contents of the service data shown in fig. 1 separately, the conventional technology splits the service data into three independent pieces of service data and sends them to the blockchain as shown in fig. 1 (b). For example, the enterprise name and enterprise ID are encrypted with the key DataKey1 and put on the chain on their own, the enterprise rating is encrypted with the key DataKey2 and put on the chain on its own, and the manifest price is encrypted with the key DataKey3 and put on the chain on its own, so that the enterprise name and enterprise ID, the enterprise rating, and the manifest price are authorized separately. With this approach of splitting the service data and putting parts of it on the chain separately, the business party has to split the service data and manage several pieces of data; and because those pieces belong to the service data of one contract, it also has to manage the relationships among them. Such operation is cumbersome, complicates encrypted-data processing at the service end, and reduces its efficiency.
Disclosure of Invention
Embodiments of the application provide a data encryption method and device, computer equipment, and a computer-readable storage medium, which address the low efficiency of encrypted-data processing in the conventional technology, where data must be split so that its parts can be authorized separately.
In a first aspect, an embodiment of the present application provides a data encryption method, where the method includes: acquiring data to be encrypted; dividing the data to be encrypted into different data fields according to a preset rule; generating a root key in a first preset mode, and acquiring an initial vector and a step length; deriving a plurality of sub-keys in a second preset mode based on the root key, the initial vector and the step length; encrypting the data field using the subkey.
In a second aspect, an embodiment of the present application further provides a data encryption apparatus, including: a first obtaining unit configured to obtain data to be encrypted; the dividing unit is used for dividing the data to be encrypted into different data fields according to a preset rule; the generating unit is used for generating a root key in a first preset mode and acquiring an initial vector and a step length; a derivation unit, configured to derive a plurality of sub-keys in a second preset manner based on the root key, the initial vector, and a step size; an encryption unit for encrypting the data field using the subkey.
In a third aspect, an embodiment of the present application further provides a computer device, which includes a memory and a processor, where the memory stores a computer program, and the processor implements the data encryption method when executing the computer program.
In a fourth aspect, the present application further provides a computer-readable storage medium, which stores a computer program, and when the computer program is executed by a processor, the computer program causes the processor to execute the data encryption method.
The embodiments of the application provide a data encryption method, a data encryption device, computer equipment, and a computer-readable storage medium. To encrypt data, the data to be encrypted is divided into different data fields according to a preset rule; a root key is generated in a first preset manner, and an initial vector and a step size are obtained; a plurality of sub-keys are derived in a second preset manner based on the root key, the initial vector, and the step size; and the data fields are encrypted with the sub-keys. The data fields of the same service data are thus encrypted separately, so each can be authorized independently through its corresponding sub-key, and different data fields of the same service data can be accessed independently. In the conventional technology, when an authorized party is to access only part of the content of a piece of service data, the data must be split and put on the chain separately; compared with that, the efficiency of encrypted-data processing and the convenience of access are greatly improved.
Drawings
To illustrate the technical solutions of the embodiments of the present application more clearly, the drawings used in the description of the embodiments are briefly introduced below. The drawings described below show some embodiments of the present application; those skilled in the art can obtain other drawings from them without creative effort.
Fig. 1 is a schematic diagram of a data encryption method in the prior art according to an embodiment of the present application;
Fig. 2 is a schematic view of an application scenario of a data encryption method according to an embodiment of the present application;
Fig. 3 is a schematic flowchart of a data encryption method according to an embodiment of the present application;
Fig. 4 is a schematic diagram illustrating comparison of three encryption modes in the data encryption method according to the embodiment of the present application;
Fig. 5 is a schematic block diagram of a data encryption apparatus provided in an embodiment of the present application;
Fig. 6 is another schematic block diagram of a data encryption apparatus provided in an embodiment of the present application; and
Fig. 7 is a schematic block diagram of a computer device provided in an embodiment of the present application.
Detailed Description
The technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are some, but not all, embodiments of the present application. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
It will be understood that the terms "comprises" and/or "comprising," when used in this specification and the appended claims, specify the presence of stated features, integers, steps, operations, elements, and/or components, but do not preclude the presence or addition of one or more other features, integers, steps, operations, elements, components, and/or groups thereof.
It is also to be understood that the terminology used in the description of the present application herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the application. As used in the specification of the present application and the appended claims, the singular forms "a," "an," and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise.
It should be further understood that the term "and/or" as used in this specification and the appended claims refers to and includes any and all possible combinations of one or more of the associated listed items.
Referring to fig. 2, fig. 2 is a schematic view of an application scenario of a data encryption method according to an embodiment of the present application. The application scenario includes:
(1) A plurality of terminals in a blockchain. The blockchain shown in fig. 2 includes 6 terminals. If terminal 1 holds data that must be encrypted and uploaded to the blockchain so that the other terminals in the blockchain can share it, the data on terminal 1 is encrypted by the data encryption method of this embodiment and then put on the chain. After being authorized, the other terminals in the blockchain can obtain the encrypted data from the chain and access it. Terminal 1, which needs to upload the encrypted data, performs the steps of the data encryption method of this embodiment. A terminal may be an electronic device such as a notebook computer, a tablet computer, a smart phone, or a desktop computer.
The entities in fig. 2 operate as follows: terminal 1 acquires the data to be encrypted, divides it into different data fields according to a preset rule, generates a root key in a first preset manner, obtains an initial vector and a step size, derives a plurality of sub-keys in a second preset manner based on the root key, the initial vector, and the step size, encrypts the data fields with the sub-keys, and uploads the encrypted data to the blockchain. Once authorized by terminal 1, any of the other terminals 2 to 6 in the blockchain can access the encrypted data that its authorization covers. For example, if sub-key 3 encrypts the data of data field 3 and terminal 5 obtains sub-key 3, terminal 5 can access the encrypted data of data field 3 in the blockchain.
It should be noted that fig. 2 shows only a desktop computer and a smart phone as terminals. In practice the terminal types are not limited to those shown in fig. 2; a terminal may also be an electronic device such as a notebook computer, a smart watch, or a tablet computer. The application scenario only illustrates the technical solution of the present application and does not limit it, and the connection relationship may take other forms.
Referring to fig. 3 and fig. 4, fig. 3 is a schematic flowchart of a data encryption method according to an embodiment of the present application, and fig. 4 is a schematic comparison of three encryption modes in the data encryption method according to the embodiment of the present application; fig. 4 contains three diagrams, (a), (b), and (c). The data encryption method is applied to the terminal in fig. 2 that needs to upload encrypted data to the blockchain, which performs all or part of the functions of the data encryption method.
As shown in fig. 3, the method includes the following steps S310-S350:
S310, acquiring data to be encrypted;
S320, dividing the data to be encrypted into different data fields according to a preset rule.
A data field is the range of data that is encrypted with one key so that it can be authorized independently. For example, one key-value pair in JSON format can serve as a data field; as another example, the two columns of data for enterprise rating and manifest price in fig. 3 can together form a data field. JSON (JavaScript Object Notation) is a lightweight data exchange format in which data is written as name/value pairs.
The preset rule is a basis for dividing the data to be encrypted into a plurality of parts to obtain different data fields. For example, if the data to be encrypted adopts the JSON format, the data to be encrypted may be split into different parts according to key value pairs in the JSON format to obtain different data fields, that is, each key value pair in the JSON format is used as one data field.
Specifically, a node in the blockchain acquires the data to be encrypted and divides it into different data fields according to a preset rule. This gives fine-grained encryption of the data, so that the different data fields can later be authorized flexibly. For example, data with the same service attribute is put in JSON format and each key-value pair of the JSON is encrypted individually as a data field (Field). Each Field then has its own independent data field key as a sub-key, the FieldKey, which can be authorized on its own, so an authorized party can read part of the data in a piece of service data without the service data being split. Here Key is an attribute of an object and Value is the corresponding attribute value.
Further, the data in the non-key-value-pair format may be converted into key-value-pair format data so as to divide the data to be encrypted into different data fields according to the key-value pairs. If the data to be encrypted is in a non-key-value-pair format, the step of dividing the data to be encrypted into different data fields according to a preset rule comprises the following steps:
converting the data to be encrypted into key value pairs;
and dividing the data to be encrypted into a plurality of data fields by taking each key value pair as a data field.
Specifically, the data to be encrypted is converted into key-value pairs according to its format: an object in the data is used as the Key, and the value or attribute of that object is used as the Value. For example, if the data to be encrypted is in an array format, then after the array is converted into a JSON object each Key is an index in the array and each Value is the array element at that index. After the conversion, the data to be encrypted is divided into a plurality of data fields with each key-value pair as one data field, so that encrypting the different data fields allows the corresponding data to be authorized flexibly.
In addition, if the data to be encrypted is in JSON format, it is obtained directly, and each key-value pair in it is used as a data field to divide the data to be encrypted into a plurality of data fields. Further, if the JSON packet format of the data to be encrypted is complex, for example when JSON is nested inside JSON, then after the step of obtaining the data to be encrypted in JSON format the method further includes:
flattening the data to be encrypted in the JSON format to obtain one-dimensional data to be encrypted in the JSON format.
Specifically, the JSON packet that the service end passes to the secondary node of the blockchain can be very complex, with JSON nested inside JSON. In that case the node flattens the JSON packet sent by the service layer, turning the complex JSON packet format of the data to be encrypted into a one-dimensional JSON packet format. Taking a two-dimensional JSON packet format as an example, the flattening proceeds as follows:
The format of the data to be encrypted before flattening is as follows:
Figure BDA0001992256240000071
The format of the data to be encrypted after flattening is as follows:
Figure BDA0001992256240000072
Figure BDA0001992256240000081
It can be seen that the whole of the data to be encrypted consists of 7 Key-Value pairs in total; the data to be encrypted is divided into different data fields according to the Key-Value pairs, and each Key-Value pair is a Field.
S330, generating a root key in a first preset mode, and acquiring an initial vector and a step length.
Specifically, a node generates a cryptographically secure random number as the DataKey, which is used as the root key. An initial vector is also generated cryptographically. In general use the initial vector is required to be a random or pseudorandom number, and semantic security is achieved only when the initial vector is generated from a random number. The step size may be a preset fixed value or a randomly generated one. In cryptography, the initialization vector (IV, or initial vector), also called the starting variable (SV), is a fixed-length input value that is generally required to be a random or pseudorandom number. The step size is also called the step length factor.
S340, deriving a plurality of sub-keys in a second preset mode based on the root key, the initial vector and the step length;
Here, derivation means generating sub-keys from the root key in the second preset manner. In this embodiment, it means generating a plurality of sub-keys from the root key through a preset relationship among the root key, the initial vector, and the step size.
Specifically, in this embodiment, deriving a plurality of sub-keys in the second preset manner based on the root key, the initial vector, and the step size proceeds as follows: key derivation with the root key and the initial vector yields the first sub-key; a second initial vector is obtained from the initial vector and the step size according to a preset functional relationship, and key derivation with the root key and the second initial vector yields the second sub-key; a third initial vector is obtained from the second initial vector and the step size according to the preset functional relationship, and key derivation with the root key and the third initial vector yields the third sub-key; and the process is repeated until a preset number of sub-keys has been derived. The preset functional relationship between the initial vector and the step size may, for example, be a linear function.
The FieldKey is generated as follows. First, a cryptographically secure random number is generated as the DataKey, together with the current initial vector IV and the current Field step size StepFactor. The root key and the initial vector satisfy a preset mathematical relationship from which a FieldKey is derived, for example FieldKey = DataKey + f(IV). Key derivation with DataKey as the root key and IV as the initial vector yields the first key, FieldKey1. Then, with StepFactor as the step size and IV as the base, IV2 = IV + StepFactor is calculated, and key derivation with DataKey as the root key and IV2 as the initial vector yields the second key, FieldKey2. Further sub-keys are derived in the same way.
In an embodiment, the fine-grained encrypted data authorization method provided in this embodiment can authorize the data fields of the same service data separately. Data with the same service attribute is put in JSON format and each key-value pair of the JSON is encrypted individually as a data field (Field), so that each Field has an independent FieldKey that can be authorized on its own, and an authorized party can read part of the data in a piece of service data without the service data being split. At the same time, the data has only one DataKey, and all FieldKeys are obtained from the DataKey by key derivation, so the secondary node of the blockchain does not need to store all the FieldKeys locally; it only needs to store the DataKey. Continuing with fig. 4: as shown in fig. 4 (a), a commercial contract has a piece of service data containing the name of the business party, the ID number of the business party, the rating of the business party, and the unit price of the goods under the contract. As shown in fig. 4 (c), only one DataKey is generated for this piece of data and used as the root key, and all FieldKeys are obtained from the DataKey by key derivation. The secondary node of the blockchain therefore stores only the DataKey rather than every FieldKey, and the keys can be derived through the preset relationship, which greatly reduces the amount of data to store and manage and improves the efficiency of key management while improving key security. Fig. 4 (c) shows the encryption result produced by the method of this embodiment. Compared with encrypting several pieces of data separately as in the conventional technology shown in fig. 4 (b), the data encryption method of this embodiment greatly reduces the amount of key data generated and improves the efficiency of key management and storage.
S350, encrypting the data fields by using the sub-keys.
Specifically, the data fields can be encrypted with the sub-keys in various ways, as long as authorization of and access to each data field can be controlled individually. Generally, one data field is encrypted with one sub-key and different data fields are encrypted with different sub-keys, so that each data field is accessed with its own sub-key and can be authorized and accessed independently. For example, continuing with fig. 4 (c): the enterprise name is encrypted with FieldKey1 and is accessed individually with FieldKey1; the enterprise ID is encrypted with FieldKey2 and is accessed individually with FieldKey2; the enterprise rating is encrypted with FieldKey3 and is accessed individually with FieldKey3; and the manifest price is encrypted with FieldKey4 and is accessed individually with FieldKey4. Different data fields of the same piece of service data are thus authorized and accessed individually, each with its own key.
In one embodiment, after the step of encrypting the data field by using the subkey, the method further includes:
obtaining a hash message according to the sub-key corresponding to the data domain and the data ciphertext of the data domain;
and taking the first preset number of bytes of the hash message as a hash message check code.
Specifically, a hash message is obtained from the sub-key corresponding to the data field and the data ciphertext of the data field, and the first preset number of bytes of the hash message is used as the hash message check code. For example, each generated FieldKey is used to encrypt its corresponding data field, and the same FieldKey is then used as the key to calculate an HMAC over each resulting data ciphertext. To reduce storage on the blockchain, the first 4 bytes of the HMAC may be taken as the final check code. Finally, the ciphertexts of all data fields and their HMAC check codes are sent to the blockchain. When a particular data field needs to be authorized on its own, its FieldKey can be granted directly to the other party; after receiving the FieldKey, the other party can check whether the HMAC of the data on the blockchain is correct, which confirms that the FieldKey is correct. If all FieldKeys under the service need to be authorized, the DataKey, the IV, and the StepFactor can be granted directly to the other party, who can then calculate all the FieldKeys and decrypt all the data. HMAC is the keyed-hash message authentication code: the HMAC operation uses a hash algorithm, takes a key and a message as input, and produces a message digest as output.
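Steps S310 to S350 and the check code described above, worked through end to end as an added example (not code from the patent). It assumes HMAC-SHA256 as both the key-derivation and check-code function, a 16-byte IV, '.'-joined key paths, and a SHAKE-256 keystream as a stand-in for a real cipher; all function names and the sample record are hypothetical.

```python
import hashlib
import hmac
import json
import secrets

IV_LEN = 16  # bytes; assumed size, the page does not fix one
SAMPLE = {  # constructed record, not the figure from the patent
    "enterprise": {"name": "Acme Trading", "id": "E-0001", "rating": "AA"},
    "goods": [{"sku": "A1", "unit_price": 12.5}, {"sku": "B2", "unit_price": 7}],
}


def flatten(obj, prefix=""):
    """S320: flatten nested JSON into one-dimensional key/value pairs.

    Objects contribute their keys and arrays their indexes; joining the
    path with '.' is an assumption of this example.
    """
    if not isinstance(obj, (dict, list)) or not obj:
        return {prefix: obj}
    items = obj.items() if isinstance(obj, dict) else enumerate(obj)
    flat = {}
    for key, value in items:
        path = f"{prefix}.{key}" if prefix else str(key)
        for name, leaf in flatten(value, path).items():
            if name in flat:  # e.g. {"a.b": 1, "a": {"b": 2}}
                raise ValueError(f"ambiguous flattened key: {name}")
            flat[name] = leaf
    return flat


def derive_field_keys(data_key, iv, step, count):
    """S340: IV_1 = IV, IV_(n+1) = IV_n + StepFactor, FieldKey_n = KDF(DataKey, IV_n).

    HMAC-SHA256 is the KDF assumed here; being one-way, it keeps a holder
    of one FieldKey from working back to DataKey or to sibling keys.
    """
    modulus = 1 << (8 * IV_LEN)
    if step % modulus == 0:
        raise ValueError("StepFactor must change the IV, or all FieldKeys repeat")
    iv_n = int.from_bytes(iv, "big")
    keys = []
    for _ in range(count):
        iv_bytes = (iv_n % modulus).to_bytes(IV_LEN, "big")
        keys.append(hmac.new(data_key, iv_bytes, hashlib.sha256).digest())
        iv_n += step
    return keys


def xor_stream(key, nonce, data):
    """Stand-in cipher (SHAKE-256 keystream XOR); use a vetted cipher in practice."""
    stream = hashlib.shake_256(key + nonce).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, stream))


def check_code(field_key, ciphertext):
    """First 4 bytes of HMAC(FieldKey, ciphertext), as the page describes."""
    return hmac.new(field_key, ciphertext, hashlib.sha256).digest()[:4]


def encrypt_record(record, data_key, iv, step):
    """S320-S350: per-field ciphertext and check code; names stay in clear (assumption)."""
    flat = flatten(record)
    keys = derive_field_keys(data_key, iv, step, len(flat))
    on_chain = {}
    for (name, value), key in zip(flat.items(), keys):
        nonce = secrets.token_bytes(12)
        ct = nonce + xor_stream(key, nonce, json.dumps(value).encode())
        on_chain[name] = {"ct": ct.hex(), "check": check_code(key, ct).hex()}
    return on_chain


def open_field(entry, field_key):
    """Authorized party: confirm the FieldKey against the check code, then decrypt."""
    ct = bytes.fromhex(entry["ct"])
    if not hmac.compare_digest(check_code(field_key, ct), bytes.fromhex(entry["check"])):
        raise ValueError("check code mismatch: wrong FieldKey or altered ciphertext")
    return json.loads(xor_stream(field_key, ct[:12], ct[12:]))


def demo():
    """Grant only the third field (rating); the other fields stay closed."""
    data_key, iv = secrets.token_bytes(32), secrets.token_bytes(IV_LEN)
    step = 1 + secrets.randbelow(2**32)
    on_chain = encrypt_record(SAMPLE, data_key, iv, step)
    field_key_3 = derive_field_keys(data_key, iv, step, 3)[2]
    rating = open_field(on_chain["enterprise.rating"], field_key_3)
    try:
        open_field(on_chain["goods.0.unit_price"], field_key_3)
        leaked = True
    except ValueError:
        leaked = False
    return rating, leaked


if __name__ == "__main__":
    print(demo())
```

The 4-byte check code is enough to tell the recipient that a FieldKey matches a ciphertext, but it offers only 32 bits of resistance to deliberate tampering with the on-chain data.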
The embodiment of the application provides a fine-grained authorization scheme for encrypted data. By encrypting the service data once, the service end can independently and flexibly control authorization of the different parts of the service data: which parts can be viewed, which parts cannot, and which data a user is allowed to view at which point in a transaction negotiation. This improves the flexibility and processing efficiency of controlling the service data, giving a fine-grained encrypted-data authorization method that independently authorizes different data fields in the same service data.
It should be noted that, in the data encryption method described in each of the above embodiments, the technical features included in different embodiments may be recombined as needed to obtain a combined implementation, but all of them are within the protection scope claimed in the present application.
Referring to fig. 5, fig. 5 is a schematic block diagram of a data encryption device according to an embodiment of the present disclosure. Corresponding to the data encryption method, the embodiment of the application also provides a data encryption device. As shown in fig. 5, the data encryption apparatus includes a unit for executing the data encryption method described above, and the apparatus may be configured in a computer device such as a server. Specifically, referring to fig. 5, the data encryption apparatus 500 includes a first obtaining unit 501, a dividing unit 502, a generating unit 503, a deriving unit 504, and an encrypting unit 505.
The first obtaining unit 501 is configured to obtain data to be encrypted;
a dividing unit 502, configured to divide the data to be encrypted into different data fields according to a preset rule;
a generating unit 503, configured to generate a root key in a first preset manner, and obtain an initial vector and a step length;
a deriving unit 504, configured to derive a plurality of sub-keys in a second preset manner based on the root key, the initial vector, and the step size;
an encrypting unit 505, configured to encrypt the data field using the subkey.
Referring to fig. 6, fig. 6 is another schematic block diagram of a data encryption device according to an embodiment of the present application. As shown in fig. 6, the dividing unit 502 includes:
a conversion subunit 5021, configured to convert the data to be encrypted into key-value pairs;
a dividing subunit 5022, configured to divide the data to be encrypted into multiple data fields with each key-value pair as a data field.
In an embodiment, the first obtaining unit 501 is configured to obtain data to be encrypted in a JSON format;
the dividing unit 502 is configured to use each key value pair in the data to be encrypted in the JSON format as a data field to divide the data to be encrypted into multiple data fields.
As shown in fig. 6, the data encryption apparatus 500 further includes:
a processing unit 506, configured to perform flattening processing on the data to be encrypted in the JSON format to obtain one-dimensional data to be encrypted in the JSON format.
With continuing reference to fig. 6, the deriving unit 504 includes:
a first derivation subunit 5041, configured to perform key derivation using the root key and the initial vector to obtain a first subkey;
a first obtaining subunit 5042, configured to obtain a second initial vector according to a preset functional relationship between the initial vector and the step length;
a second derivation subunit 5043, configured to perform key derivation using the root key and the second initial vector to obtain a second subkey;
a second obtaining subunit 5044, configured to obtain a third initial vector according to the preset functional relationship between the second initial vector and the step size;
a third derivation subunit 5045, configured to perform key derivation using the root key and the third initial vector to obtain a third subkey;
a loop subunit 5046, configured to repeat the above process until a predetermined number of sub-keys are derived.
In one embodiment, the predetermined functional relationship is a predetermined linear functional relationship.
As shown in fig. 6, the data encryption apparatus 500 further includes:
a second obtaining unit 507, configured to obtain a hash message according to the sub-key corresponding to the data field and the data ciphertext of the data field;
an obtaining unit 508, configured to use a preset number of bytes of the hash message as a hash message check code.
It should be noted that, as can be clearly understood by those skilled in the art, the specific implementation processes of the data encryption device and each unit may refer to the corresponding descriptions in the foregoing method embodiments, and for convenience and brevity of description, no further description is provided herein.
Meanwhile, the division and connection mode of each unit in the data encryption device are only used for illustration, in other embodiments, the data encryption device may be divided into different units as required, or each unit in the data encryption device may adopt different connection sequences and modes to complete all or part of the functions of the data encryption device.
The data encryption apparatus may be implemented in the form of a computer program that is executable on a computer device as shown in fig. 7.
Referring to fig. 7, fig. 7 is a schematic block diagram of a computer device according to an embodiment of the present application. The computer device 700 may be a computer device such as a desktop computer or a server, or may be a component or part of another device.
Referring to fig. 7, the computer device 700 includes a processor 702, memory, and a network interface 705 coupled via a system bus 701, where the memory may include a non-volatile storage medium 703 and an internal memory 704.
The non-volatile storage medium 703 may store an operating system 7031 and a computer program 7032. The computer program 7032, when executed, causes the processor 702 to perform one of the above-described data encryption methods.
The processor 702 is configured to provide computing and control capabilities to support the operation of the overall computer device 700.
The internal memory 704 provides an environment for the execution of a computer program 7032 on the non-volatile storage medium 703, which computer program 7032, when executed by the processor 702, causes the processor 702 to perform a data encryption method as described above.
The network interface 705 is used for network communication with other devices. Those skilled in the art will appreciate that the architecture shown in fig. 7 is merely a block diagram of some of the structures associated with the disclosed aspects and does not limit the computer device 700 to which the disclosed aspects apply; a particular computer device 700 may include more or fewer components than those shown, may combine certain components, or may have a different arrangement of components. For example, in some embodiments, the computer device may only include a memory and a processor, and in such embodiments, the structures and functions of the memory and the processor are consistent with those of the embodiment shown in fig. 7, and are not described herein again.
Wherein the processor 702 is configured to run the computer program 7032 stored in the memory to perform the steps of: acquiring data to be encrypted; dividing the data to be encrypted into different data fields according to a preset rule; generating a root key in a first preset mode, and acquiring an initial vector and a step length; deriving a plurality of sub-keys in a second preset mode based on the root key, the initial vector and the step length; encrypting the data field using the subkey.
In an embodiment, when the processor 702 implements the step of dividing the data to be encrypted into different data fields according to the preset rule, the following steps are specifically implemented:
converting the data to be encrypted into key value pairs;
and dividing the data to be encrypted into a plurality of data fields by taking each key value pair as a data field.
In an embodiment, when the processor 702 implements the step of obtaining the data to be encrypted, the following steps are specifically implemented:
acquiring data to be encrypted in a JSON format;
when the processor 702 implements the step of dividing the data to be encrypted into different data fields according to the preset rule, the following steps are implemented:
and taking each key value pair in the data to be encrypted in the JSON format as a data field so as to divide the data to be encrypted into a plurality of data fields.
In an embodiment, after the step of obtaining the data to be encrypted in the JSON format, the processor 702 further performs the following steps:
and flattening the data to be encrypted in the JSON format to obtain one-dimensional data to be encrypted in the JSON format.
In an embodiment, when the processor 702 implements the step of deriving a plurality of sub-keys in a second preset manner based on the root key, the initial vector and the step size, the following steps are specifically implemented:
performing key derivation by using the root key and the initial vector to obtain a first sub-key;
obtaining a second initial vector according to a preset functional relation between the initial vector and the step length;
performing key derivation by using the root key and the second initial vector to obtain a second sub-key;
obtaining a third initial vector according to the preset functional relation between the second initial vector and the step length;
performing key derivation by using the root key and the third initial vector to obtain a third sub-key;
and circulating the process until a preset number of sub-keys are derived.
In one embodiment, the predetermined functional relationship is a predetermined linear functional relationship.
In an embodiment, after the processor 702 performs the step of encrypting the data field by using the subkey, it further performs the following steps:
obtaining a hash message according to the sub-key corresponding to the data field and the data ciphertext of the data field;
and taking the first preset number of bytes of the hash message as a hash message check code.
It should be understood that, in the embodiment of the present application, the processor 702 may be a Central Processing Unit (CPU), and the processor 702 may also be another general-purpose processor, a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field Programmable Gate Array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, and the like. A general-purpose processor may be a microprocessor, or the processor may be any conventional processor or the like.
It will be understood by those skilled in the art that all or part of the processes of the method for implementing the above embodiments may be implemented by a computer program, and the computer program may be stored in a computer readable storage medium. The computer program is executed by at least one processor in the computer system to implement the flow steps of the embodiments of the method described above.
Accordingly, the present application also provides a computer-readable storage medium. The computer readable storage medium may be a non-transitory computer readable storage medium storing a computer program that, when executed by a processor, causes the processor to perform the steps of:
a computer program product which, when run on a computer, causes the computer to perform the steps of the data encryption method described in the embodiments above.
The computer readable storage medium may be an internal storage unit of the aforementioned device, such as a hard disk or a memory of the device. The computer readable storage medium may also be an external storage device of the device, such as a plug-in hard disk, a Smart Media Card (SMC), a Secure Digital (SD) Card, a Flash memory Card (Flash Card), etc. provided on the device. Further, the computer-readable storage medium may also include both an internal storage unit and an external storage device of the apparatus.
It can be clearly understood by those skilled in the art that, for convenience and simplicity of description, the specific working processes of the above-described devices, apparatuses and units may refer to the corresponding processes in the foregoing method embodiments, and are not described herein again.
The computer readable storage medium may be a USB disk, a removable hard disk, a Read-Only Memory (ROM), a magnetic disk, an optical disk, or any other computer readable storage medium capable of storing program code.
Those of ordinary skill in the art will appreciate that the elements and algorithm steps of the examples described in connection with the embodiments disclosed herein may be embodied in electronic hardware, computer software, or combinations of both, and that the components and steps of the examples have been described above generally in terms of their functions in order to clearly illustrate the interchangeability of hardware and software. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the implementation. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present application.
In the several embodiments provided in the present application, it should be understood that the disclosed apparatus and method may be implemented in other manners. For example, the above-described apparatus embodiments are merely illustrative. For example, the division of each unit is only one logic function division, and there may be another division manner in actual implementation. For example, various elements or components may be combined or may be integrated in another system or some features may be omitted, or not implemented.
The steps in the method of the embodiment of the application can be sequentially adjusted, combined and deleted according to actual needs. The units in the device of the embodiment of the application can be combined, divided and deleted according to actual needs. In addition, functional units in the embodiments of the present application may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit.
The integrated unit, if implemented in the form of a software functional unit and sold or used as a stand-alone product, may be stored in a storage medium. Based on such understanding, the technical solution of the present application, in essence or in the part that contributes over the prior art, or all or part of the technical solution, may be embodied in the form of a software product, which is stored in a storage medium and includes instructions for causing an electronic device (which may be a personal computer, a terminal, or a network device) to perform all or part of the steps of the method according to the embodiments of the present application.
The above description is only for the specific embodiments of the present application, but the scope of the present application is not limited thereto, and any person skilled in the art can easily think of various equivalent modifications or substitutions within the technical scope of the present application, and these modifications or substitutions should be covered within the scope of the present application.
Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.

Claims (9)

1. A method for data encryption, the method comprising:
acquiring data to be encrypted;
dividing the data to be encrypted into different data fields according to a preset rule;
generating a root key in a first preset mode, and acquiring an initial vector and a step length;
deriving a plurality of sub-keys in a second preset mode based on the root key, the initial vector and the step length;
encrypting the data field using the subkey;
the step of deriving a plurality of sub-keys in a second preset manner based on the root key, the initial vector and the step size comprises:
performing key derivation by using the root key and the initial vector to obtain a first sub-key;
obtaining a second initial vector according to the preset functional relation between the initial vector and the step length;
performing key derivation by using the root key and the second initial vector to obtain a second sub-key;
obtaining a third initial vector according to the preset functional relation between the second initial vector and the step length;
performing key derivation by using the root key and the third initial vector to obtain a third sub-key;
and circulating the process until a preset number of sub-keys are derived.
2. The data encryption method according to claim 1, wherein the step of dividing the data to be encrypted into different data fields according to a preset rule comprises:
converting the data to be encrypted into key value pairs;
and dividing the data to be encrypted into a plurality of data fields by taking each key value pair as a data field.
3. The data encryption method according to claim 1, wherein the step of obtaining the data to be encrypted comprises:
acquiring data to be encrypted in a JSON format;
the step of dividing the data to be encrypted into different data fields according to a preset rule comprises the following steps:
and taking each key value pair in the data to be encrypted in the JSON format as a data field so as to divide the data to be encrypted into a plurality of data fields.
4. The data encryption method according to claim 3, wherein the step of obtaining the data to be encrypted in the JSON format is followed by further comprising:
and flattening the data to be encrypted in the JSON format to obtain one-dimensional data to be encrypted in the JSON format.
5. The data encryption method of claim 1, wherein the predetermined functional relationship is a predetermined linear functional relationship.
6. The data encryption method of claim 1, wherein the step of encrypting the data field using the subkey is followed by the step of:
obtaining a hash message according to the sub-key corresponding to the data field and the data ciphertext of the data field;
and taking the first preset number of bytes of the hash message as a hash message check code.
7. A data encryption apparatus, comprising:
a first obtaining unit configured to obtain data to be encrypted;
the dividing unit is used for dividing the data to be encrypted into different data fields according to a preset rule;
the generating unit is used for generating a root key in a first preset mode and acquiring an initial vector and a step length;
a derivation unit, configured to derive a plurality of sub-keys in a second preset manner based on the root key, the initial vector, and a step size;
an encryption unit for encrypting the data field using the subkey;
the derivation unit is specifically configured for:
performing key derivation by using the root key and the initial vector to obtain a first sub-key;
obtaining a second initial vector according to a preset functional relation between the initial vector and the step length;
performing key derivation by using the root key and the second initial vector to obtain a second sub-key;
obtaining a third initial vector according to the preset functional relation between the second initial vector and the step length;
performing key derivation by using the root key and the third initial vector to obtain a third sub-key;
and circulating the process until a preset number of sub-keys are derived.
8. A computer device, comprising a memory and a processor coupled to the memory; the memory is used for storing a computer program; the processor is adapted to execute a computer program stored in the memory to perform the steps of the data encryption method of any one of claims 1-6.
9. A computer-readable storage medium, characterized in that the computer-readable storage medium stores a computer program which, when executed by a processor, causes the processor to carry out the steps of the data encryption method according to any one of claims 1 to 6.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910186608.0A CN110061840B (en) 2019-03-12 2019-03-12 Data encryption method and device, computer equipment and storage medium

Publications (2)

Publication Number Publication Date
CN110061840A CN110061840A (en) 2019-07-26
CN110061840B CN110061840B (en) 2022-10-28

Family

ID=67316244

Country Status (1)

Country Link
CN (1) CN110061840B (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant