CN110210251A - Data query method, apparatus, equipment and computer readable storage medium - Google Patents


Publication number
CN110210251A
Authority
CN
China
Prior art keywords
data
sensitive
database
data query
query
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201910523410.7A
Other languages
Chinese (zh)
Inventor
韩喆
蒋海滔
杨磊
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Advanced New Technologies Co Ltd
Advantageous New Technologies Co Ltd
Original Assignee
Alibaba Group Holding Ltd

Classifications

    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60: Protecting data
    • G06F21/62: Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218: Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • G06F21/6227: Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database where protection concerns the structure of data, e.g. records, types, queries
    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00: Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/20: Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data
    • G06F16/24: Querying
    • G06F16/245: Query processing
    • G06F16/2455: Query execution


Abstract

One or more embodiments of this specification provide a data query method, apparatus, device and computer-readable storage medium. In one embodiment, a data query method includes: receiving a data query instruction; in response to the data query instruction, converting the data object to be queried that is contained in the instruction using a data converter; querying whether the sensitive database contains sensitive data matching the converted data object to be queried, where the sensitive data is data obtained by converting original sensitive data with the data converter; and feeding back the query result.

Description

Data query method, apparatus, equipment and computer readable storage medium
Technical field
One or more embodiments of this specification relate to the field of data query technology, and in particular to a data query method, apparatus, device and computer-readable storage medium.
Background
When a database provider offers a data query service to users, the database generally has to be stored in plaintext on the database provider's server. To query data, the user has to perform the query operation on the database provider's server and obtain the query result from it.
In many cases, however, the database provider does not want users to learn the specific contents of its database, and users do not want the database provider to monitor their query records. A data query scheme is therefore needed that protects the privacy and security of both the database provider and the user.
Summary of the invention
One or more embodiments of this specification provide a data query method, apparatus, device and computer-readable storage medium that can improve the privacy and security of both the database provider that supplies sensitive data and the user who queries it.
The technical solutions provided by one or more embodiments of this specification are as follows:
In a first aspect, a data query method is provided, comprising:
receiving a data query instruction;
in response to the data query instruction, converting the data object to be queried that is contained in the data query instruction using a data converter;
querying whether the sensitive database contains sensitive data matching the converted data object to be queried, where the sensitive data is data obtained by converting original sensitive data with the data converter;
feeding back the query result.
In a second aspect, a data query method is provided, comprising:
converting original sensitive data using a data converter to obtain sensitive data, and generating a sensitive database;
sending the data converter and the sensitive database to a target device, so that the target device, on receiving a data query instruction, converts the data object to be queried that is contained in the data query instruction using the data converter, and queries whether the sensitive database contains sensitive data matching the converted data object to be queried, to obtain the query result for the data object to be queried.
In a third aspect, a data query apparatus is provided, the apparatus comprising:
an instruction receiving unit, configured to receive a data query instruction;
a data conversion unit, configured to, in response to the data query instruction, convert the data object to be queried that is contained in the data query instruction using a data converter;
a data query unit, configured to query whether the sensitive database contains sensitive data matching the converted data object to be queried, where the sensitive data is data obtained by converting original sensitive data with the data converter;
a result feedback unit, configured to feed back the query result.
In a fourth aspect, a data query apparatus is provided, the apparatus comprising:
a data processing unit, configured to convert original sensitive data using a data converter to obtain sensitive data, and to generate a sensitive database;
a data transmission unit, configured to send the data converter and the sensitive database to a target device, so that the target device, on receiving a data query instruction, converts the data object to be queried that is contained in the data query instruction using the data converter, and queries whether the sensitive database contains sensitive data matching the converted data object to be queried, to obtain the query result for the data object to be queried.
In a fifth aspect, a data query device is provided, the device comprising: a processor and a memory storing computer program instructions;
the processor implements the data query method described in the first aspect or the second aspect of this specification when executing the computer program instructions.
In a sixth aspect, a computer-readable storage medium is provided, on which computer program instructions are stored; when the computer program instructions are executed by a processor, the data query method described in the first aspect or the second aspect of this specification is implemented.
According to the one or more embodiments of this specification described above, the query result for the data object to be queried can be obtained using a data converter and a sensitive database stored on a device other than the database provider's server. This prevents the database provider from monitoring the user's query records and improves the user's privacy and security. In addition, in one or more embodiments of this specification, the sensitive data in the sensitive database is data obtained by converting original sensitive data with the data converter. When data is queried, the data object to be queried is first converted with the data converter, and the sensitive database is then queried for sensitive data matching the converted data object. During the query, the sensitive data in the sensitive database is therefore shown only as ciphertext, which prevents the user from learning the sensitive data supplied by the database provider and improves the database provider's privacy and security.
Brief description of the drawings
To explain the technical solutions of one or more embodiments of this specification more clearly, the drawings needed for those embodiments are briefly described below. A person of ordinary skill in the art can obtain other drawings from these drawings without creative effort.
Fig. 1 is an architecture diagram of a data query system according to one example of this specification;
Fig. 2 is an architecture diagram of a data query system according to another example of this specification;
Fig. 3 is a flow diagram of the data query method provided by one embodiment of this specification;
Fig. 4 is a flow diagram of the data query method provided by another embodiment of this specification;
Fig. 5 is a flow diagram of the data query method provided by a further embodiment of this specification;
Fig. 6 is a structural diagram of the data query apparatus provided by one embodiment of this specification;
Fig. 7 is a structural diagram of the data query apparatus provided by another embodiment of this specification;
Fig. 8 is a hardware structure diagram of the data query device provided by one embodiment of this specification.
Detailed description
The features and exemplary embodiments of the various aspects of this specification are described in detail below. To make the objects, technical solutions and advantages of this specification clearer, this specification is described in further detail below with reference to the drawings and specific embodiments. It should be understood that the embodiments described here are only some of the embodiments of this specification, not all of them. To a person skilled in the art, this specification can be practised without some of these specific details. The following description of the embodiments is given only to provide a better understanding of this specification by showing examples of it.
It should be noted that, in this document, relational terms such as first and second are used only to distinguish one entity or operation from another, and do not necessarily require or imply any actual relationship or order between these entities or operations. Moreover, the terms "include", "comprise" or any other variant are intended to cover non-exclusive inclusion, so that a process, method, article or device that includes a series of elements includes not only those elements but also other elements not explicitly listed, or elements inherent to such a process, method, article or device. Without further limitation, an element defined by the phrase "including ..." does not exclude the presence of other identical elements in the process, method, article or device that includes the element.
Fig. 1 shows an architecture diagram of a data query system according to one example of this specification. As shown in Fig. 1, the data query system architecture includes a user device 100 and a database provider server 200. A secure and trusted transmission channel can be established between the user device 100 and the database provider server 200 through a Trusted Service Management (TSM) platform. When the user queries data through the user device 100, the user device 100 can perform the query using the sensitive database and data converter downloaded over that transmission channel.
Fig. 2 shows an architecture diagram of a data query system according to another example of this specification. As shown in Fig. 2, the data query system architecture includes a user device 100, a database provider server 200 and a cloud server 300. A secure and trusted transmission channel can be established between the database provider server 200 and the cloud server 300 through the TSM platform. When the user queries data through the user device 100, the user device 100 can perform the query through the cloud server 300, and the cloud server 300 can complete the user's query using the sensitive database and data converter downloaded over that transmission channel.
In this specification, the user device may be a mobile phone, a tablet computer, a PC, and so on. The database provider server and the cloud server are servers; a server may be a high-performance electronic computer used to store and process data, so as to provide background services for data query or data download to the corresponding user device. The TSM platform can be used to establish a secure and trusted transmission channel between servers, or between a server and a user device, to protect the data transmission process.
Because the user in Fig. 1 and Fig. 2 can query data through a device other than the database provider server 300, and the data converter and sensitive database are not stored on the database provider server 300, the database provider is prevented from monitoring the user's query records, and the user's privacy is better protected. At the same time, because the sensitive data in the sensitive database is data obtained by converting original sensitive data with the data converter, the sensitive data in the sensitive database is shown only as ciphertext while the user queries data, which prevents the user from learning the sensitive data supplied by the database provider and improves the database provider's privacy and security.
Fig. 3 shows a flow diagram of the data query method provided by one embodiment of this specification. As shown in Fig. 3, the data query method includes:
S410, receiving a data query instruction;
S420, in response to the data query instruction, converting the data object to be queried that is contained in the data query instruction using a data converter;
S430, querying whether the sensitive database contains sensitive data matching the converted data object to be queried, where the sensitive data is data obtained by converting original sensitive data with the data converter;
S440, feeding back the query result.
The embodiments of this specification can obtain the query result for the data object to be queried using a data converter and a sensitive database stored on a device other than the database provider's server. This prevents the database provider from monitoring the user's query records and improves the user's privacy and security. In addition, the sensitive data in the embodiments of this specification is data obtained by converting original sensitive data with the data converter. When data is queried, the data object to be queried is first converted with the data converter, and the sensitive database is then queried for sensitive data matching the converted data object. During the query, the sensitive data in the sensitive database is therefore shown only as ciphertext, which prevents the user from learning the sensitive data supplied by the database provider and improves the database provider's privacy and security.
In this specification, as the data query system architectures in Fig. 1 and Fig. 2 show, the data query method shown in Fig. 3 can be applied in the user device or in the cloud server, as long as it is a device other than the database provider server.
To further improve the privacy and security of the user who queries data, in one embodiment of this specification the data query method is preferably applied in the user device on which the user performs the query operation, that is, the user device shown in Fig. 1. This satisfies the user's need for the query service: while the user queries data on the user device using the sensitive database supplied by the database provider, the user can query offline, without interacting each time with any device other than the user device, which improves the user's privacy.
Below, the data query method of the embodiments of this specification is described in detail, taking its application to the user device as an example.
In one embodiment of this specification, before step S410, the data query method may further include:
obtaining the data converter and the sensitive database.
Specifically, in the embodiments of this specification, the data converter and the sensitive database can be obtained over a transmission channel established using the Trusted Service Management (TSM) platform.
In one embodiment of this specification, before the user queries data through the user device for the first time, the user device can send a data download request to the database provider's server. The server responds to the data download request by sending the data converter and the sensitive database to the user device, so that the user device obtains them and the user can then query data through the user device using the obtained data converter and sensitive database.
In another embodiment of this specification, the download can take place at the same time as the user's first query through the user device, that is, when the user first sends a data query instruction to the user device. The user device sends a data download request to the database provider's server, and the server responds by sending the data converter and the sensitive database to the user device. The user device thus obtains them, and the query for the first data query instruction is carried out using the obtained data converter and sensitive database.
In the embodiments of this specification, the sensitive data in the sensitive database may include data related to personal privacy, such as telephone number data or address data, and data that the database provider needs to keep confidential, such as website blacklist data. Because the sensitive data in the sensitive database is data obtained by converting the original data with the data converter (for example, a character string obtained by converting the original data with the data converter), and the user does not know the specific conversion algorithm in the data converter, the sensitive data is encrypted data as far as the user is concerned. This prevents the user from learning the sensitive data supplied by the database provider and improves the database provider's privacy and security.
In the embodiments of this specification, the data converter may include one or a combination of the following algorithms: the RSA (Rivest-Shamir-Adleman) algorithm, the Advanced Encryption Standard (AES) algorithm, the Data Encryption Standard (DES) algorithm, and the Secure Hash Algorithm (SHA). The SHA algorithm may specifically be the SHA256 algorithm, which is the SHA algorithm whose input data length is 256 bits.
In some embodiments of this specification, the algorithm in the data converter may be a preset algorithm, in which case different user devices obtain the same data converter. In other embodiments of this specification, the algorithm in the data converter may be determined according to the user device that requests the download of the data converter and sensitive database, that is, different user devices obtain different data converters, which further improves the security of the sensitive data.
In one embodiment of this specification, when the data converter includes the SHA algorithm, because the SHA algorithm is highly secure and hard to reverse, the data converter can be installed directly in the ordinary execution environment operating system of the user device, such as the rich operating system (Rich OS), after the user device obtains the data converter and the sensitive database. Correspondingly, the sensitive database made up of the sensitive data can also be stored directly in the ordinary execution environment operating system of the user device, such as the rich operating system (Rich OS).
After the data converter is installed, an interface can be generated. The interface can be associated with the other data query components, which use the data converter through it. For example, the other data query components may include one or more components for receiving data query instructions, querying data and feeding back query results.
When the data converter is installed directly in the ordinary execution environment operating system of the user device, the other data query components can also be installed directly in that operating system, and the confidentiality of the sensitive data is still achieved.
In this case, all of the data query components can form one application in the ordinary execution environment operating system, and the user can query the sensitive data through that application.
In another embodiment of this specification, after the user device obtains the data converter and the sensitive database, the data converter can be installed in the secure execution system of the user device. The secure execution system is a system that is independent of the ordinary execution environment and provides security services to it; it can hide the data converter and the algorithm it contains. In this case, the data converter may contain any algorithm, simple or complex.
When the data converter is installed directly in the secure execution system of the user device, the other data query components corresponding to the data converter are also installed in the secure execution system, so that the secure execution system further protects the confidentiality of the sensitive data and prevents the user from decompiling the algorithm in the data converter.
In this case, the data query components for receiving data query instructions and feeding back query results may be at least one interface application in the ordinary execution environment operating system, and the user can query the sensitive data through that application.
In one embodiment of this specification, when the data converter is installed directly in the secure execution system of the user device, the secure execution system may be a secure element (SE). Because an SE offers a high level of security, the database provider's privacy and security can be further improved. If the secure execution system is an SE, then after the user device obtains the data converter and the sensitive database, the sensitive database is stored in a storage device outside the secure execution system, so that the processing capacity of the SE is sufficient to carry out data queries efficiently. The storage device may be a storage device in the ordinary execution environment operating system, such as a storage device in the rich operating system (Rich OS), or a storage device outside the user device.
In another embodiment of this specification, when the data converter is installed directly in the secure execution system of the user device, the secure execution system may be a trusted execution environment (TEE). The TEE is an execution environment that coexists with the Rich OS on the user device. It has its own execution space and a higher security level than the Rich OS, and can meet the security requirements of most applications; in this specification it can guarantee the database provider's privacy and security. If the secure execution system is a TEE, then after the user device obtains the data converter and the sensitive database, the sensitive database is stored either in the storage device of the secure execution system or in a storage device outside the secure execution system. Specifically, if the data volume of the sensitive database is small, that is, less than or equal to a preset data volume, the sensitive database made up of the sensitive data can be stored directly in the storage device of the secure execution system. If the data volume is large, that is, greater than the preset data volume, the sensitive database can be stored in a storage device of the ordinary execution environment operating system, such as a storage device in the rich operating system (Rich OS), or in a storage device outside the user device.
In some embodiments of this specification, if the secure execution system is a TEE, the sensitive database can be stored using a preset secure storage scheme. The secure storage scheme may include at least the elastic file service (Scalable File Service, SFS) secure storage scheme and the Structured Query Language File Steam (SQLFS) secure storage scheme, so that the sensitive database is loaded within the trusted environment and lookup functions over larger groups, beyond existence lookup, can be supported.
Fig. 4 shows a flow diagram of the data query method provided by another embodiment of this specification. As shown in Fig. 4, unlike the embodiment shown in Fig. 3, this data query method further includes, before responding to the data query instruction:
S520, judging whether the quantity of data query instructions received within a predetermined time is less than or equal to a preset quantity;
S530, if the quantity of data query instructions received within the predetermined time is less than or equal to the preset quantity, determining to respond to the data query instruction.
In this specification, the currently received data query instruction is responded to only when the quantity of received data query instructions is less than or equal to the preset quantity. If the quantity of received data query instructions is greater than the preset quantity, it is determined not to respond to the currently received data query instruction.
By setting the number of queries the user may make within each predetermined time, the user is thus prevented from "library hitting" the sensitive database, that is, probing it repeatedly with candidate values, which guarantees the security of the sensitive data. The predetermined time may be 12 hours, one day, one week or one month; specifically, it can be preset by the database provider as needed.
Fig. 5 shows a flow diagram of the data query method provided by a further embodiment of this specification. As shown in Fig. 5, the data query method includes:
S610, converting original sensitive data using a data converter to obtain sensitive data, and generating a sensitive database;
S620, sending the data converter and the sensitive database to a target device, so that the target device, on receiving a data query instruction, converts the data object to be queried that is contained in the data query instruction using the data converter, and queries whether the sensitive database contains sensitive data matching the converted data object to be queried, to obtain the query result for the data object to be queried.
The embodiments of this specification can thus obtain the query result for the data object to be queried using a data converter and a sensitive database stored on a device other than the database provider's server. This prevents the database provider from monitoring the user's query records and improves the user's privacy and security. In addition, the sensitive data in the embodiments of this specification is data obtained by converting original sensitive data with the data converter. When data is queried, the data object to be queried is first converted with the data converter, and the sensitive database is then queried for sensitive data matching the converted data object. During the query, the sensitive data in the sensitive database is therefore shown only as ciphertext, which prevents the user from learning the sensitive data supplied by the database provider and improves the database provider's privacy and security.
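The provider-side flow (S610, S620) and the device-side flow (S410 to S440) fit together as in the following sketch, which is an added example and not code from the patent. The class names, the phone-number normalisation, the constructed sample numbers, and the use of HMAC-SHA256 with a per-device key to model the "different data converter per device" embodiment are assumptions; the plain SHA-256 converter uses the hash the page names.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed sample data (fictional 555-01xx numbers), standing in for the
# provider's original sensitive data, e.g. a phone-number blacklist.
CONSTRUCTED_BLACKLIST = ["+1 202 555 0143", "+1 202 555 0178", "12025550199"]


def normalize(value: str) -> bytes:
    """Canonical form used on both sides (assumption: digits only), so that
    the provider and the device convert byte-identical input."""
    return "".join(ch for ch in value if ch.isdigit()).encode("ascii")


class DataConverter:
    """Stand-in for the page's data converter.

    key=None  -> plain SHA-256, the same converter for every device.
    key=bytes -> HMAC-SHA256 under a device-specific key (assumption that
                 models a converter chosen per requesting device).
    """

    def __init__(self, key: Optional[bytes] = None):
        self._key = key

    def convert(self, value: str) -> str:
        data = normalize(value)
        if self._key is None:
            return hashlib.sha256(data).hexdigest()
        return hmac.new(self._key, data, hashlib.sha256).hexdigest()


class Provider:
    """Database provider server: S610 builds the database, S620 hands it over."""

    def __init__(self, original_sensitive_data):
        self._original = list(original_sensitive_data)  # stays on the provider

    def build_package(self, per_device: bool = False):
        key = secrets.token_bytes(32) if per_device else None
        converter = DataConverter(key)
        # S610: only converted values go into the sensitive database.
        sensitive_db = frozenset(converter.convert(v) for v in self._original)
        return converter, sensitive_db  # S620: what the target device receives


class TargetDevice:
    """User device or cloud server: answers queries without the provider."""

    def __init__(self, converter: DataConverter, sensitive_db):
        self._converter = converter
        self._db = sensitive_db

    def query(self, data_object: str) -> bool:      # S410: instruction received
        converted = self._converter.convert(data_object)  # S420: convert
        return converted in self._db                 # S430 match, S440 result


if __name__ == "__main__":
    converter, db = Provider(CONSTRUCTED_BLACKLIST).build_package()
    device = TargetDevice(converter, db)
    for candidate in ("1 (202) 555-0143", "12025550100"):
        print(candidate, "->", device.query(candidate))
```

Values such as phone numbers come from a small space, so the conversion alone does not keep them from whoever holds the converter; the query limit and the isolation of the converter in an SE or TEE described on this page carry that protection.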
In specification embodiment, data query method can be applied to Fig. 1 and database provider shown in Fig. 2 clothes Business device, target device can be Fig. 1 and user equipment shown in Fig. 2 or cloud server.
In this specification one embodiment, database provider server can generate number according to pre-set algorithm Conversion process is carried out to original sensitive data according to conversion program, and using data converter, and generates sensitive database, then After the data download request for receiving target device transmission, in response to the data download request by data converter and sensitivity Database is sent to target device, so that target device be made to obtain data converter and sensitive database, so that user can be with Data query is carried out by target device using acquired data converter and sensitive database, to guarantee sensitive data Safety.
In another embodiment of this specification, database provider server can be in response to the number of target device transmission It is requested according to downloading, the data converter generated by suitable algorithm is determined according to target device, and utilize data converter Conversion process is carried out to original sensitive data, and generates sensitive database, then sends out data converter and sensitive database It send to target device, so that target device be made to obtain data converter and sensitive database, has been obtained so that user can use The data converter and sensitive database obtained carries out data query by target device, thus further using different algorithms Improve the safety of sensitive data.
In the embodiments of this specification, the data query method further includes:
determining, according to the usage rights of the target device, the preset number of received data query instructions that the target device responds to within a predetermined time.
The data download request may include the usage rights of the target device. The database provider server can determine from the usage rights how many times the target device may query the sensitive data within each predetermined time, and set accordingly the preset number of received data query instructions that the target device responds to within the predetermined time. The database provider thereby controls the query service offered to the target device, which effectively prevents the user from working out (decompiling) the algorithm in the data conversion program by means of database-collision (repeated trial) queries and further improves the security of the sensitive data.
Fig. 6 shows a schematic structural diagram of the data query apparatus provided by one embodiment of this specification. As shown in Fig. 6, the data query apparatus 700 includes:
an instruction receiving unit 710, configured to receive a data query instruction;
a data conversion unit 720, configured to convert, in response to the data query instruction and using the data conversion program, the data object to be queried that is included in the data query instruction;
a data query unit 730, configured to query whether the sensitive database contains sensitive data that matches the converted data object to be queried, where the sensitive data is data obtained by converting original sensitive data with the data conversion program;
a result feedback unit, configured to feed back the query result.
The embodiments of this specification enable the user to obtain the query result for the data object to be queried using a data conversion program and a sensitive database that are stored on a device other than the database provider's server. This prevents the user's query records from being monitored by the database provider and improves the user's privacy and security. Meanwhile, the sensitive data in the embodiments of this specification is data obtained by converting original sensitive data with the data conversion program. When data is queried, the data object to be queried is first converted with the data conversion program, and the sensitive database is then queried for sensitive data that matches the converted data object. During the data query, therefore, the sensitive data in the sensitive database appears only as ciphertext, which prevents the sensitive data supplied by the database provider from being learned by the user and improves the database provider's privacy and security.
In this specification, as can be seen from the data query system architecture diagrams shown in Fig. 1 and Fig. 2, the data query apparatus shown in Fig. 2 can be applied in user equipment or in a cloud server, as long as it is a device other than the database provider's server.
To further improve the privacy and security of the user performing the data query, in one embodiment of this specification the data query apparatus is preferably applied in the user equipment on which the user performs the query operation, that is, the user equipment shown in Fig. 1. This meets the user's need for a query service: while the user performs data queries through the user equipment against the sensitive database supplied by the database provider, the user can query offline, without interacting with any device other than the user equipment for each query, which improves the user's privacy.
In the following, the data query apparatus of the embodiments of this specification is described in further detail, taking as an example the case where the data query apparatus is applied in user equipment.
In the embodiments of this specification, the data query apparatus further includes a data acquisition unit, configured to obtain the data conversion program and the sensitive database. Specifically, the data acquisition unit may be further configured to obtain the data conversion program and the sensitive database through a transmission channel established using a trusted service management (TSM) platform.
Specifically, the data acquisition unit may send a data download request to the database provider's server and obtain the data conversion program and the sensitive database before the user performs a data query through the target device for the first time. The data acquisition unit may also send the data download request to the database provider's server and obtain the data conversion program and the sensitive database at the time the user performs a data query through the target device for the first time.
In the embodiments of this specification, the sensitive data in the sensitive database may include data that the database provider needs to keep confidential, such as data related to personal privacy (for example telephone number data or address data) and website blacklist data. The sensitive data in the sensitive database is data obtained by converting the original data with the data conversion program, for example a character string obtained by that conversion, and the user does not know the specific data conversion algorithm in the data conversion program. From the user's point of view the sensitive data is therefore encrypted data, which prevents the sensitive data supplied by the database provider from being learned by the user and improves the database provider's privacy and security.
In the embodiments of this specification, the data conversion program may include at least one of the following algorithms, or a combination of several of them: the Rivest-Shamir-Adleman (RSA) algorithm, the Advanced Encryption Standard (AES) algorithm, the Data Encryption Standard (DES) algorithm, and the Secure Hash Algorithm (SHA). The SHA algorithm may specifically be the SHA256 algorithm, the SHA256 algorithm being the SHA algorithm whose input data length is 256 bits.
In some embodiments of this specification, the algorithm in the data conversion program may be a preset algorithm; in that case the data conversion programs obtained by different user equipment are the same data conversion program. In other embodiments of this specification, the algorithm in the data conversion program may instead be determined according to the user equipment that requests to download the data conversion program and the sensitive database; that is, the data conversion programs obtained by different user equipment are different data conversion programs, which further improves the security of the sensitive data.
In the embodiments of this specification, the data query apparatus further includes an installation and storage unit, configured to install the data conversion program and store the sensitive database.
In one embodiment of this specification, when the data conversion program includes the SHA algorithm, the SHA algorithm offers relatively high security and irreversibility. The installation and storage unit can therefore, after the user equipment obtains the data conversion program and the sensitive database, install the data conversion program directly in the normal runtime environment operating system of the user equipment, for example in the rich operating system (Rich OS). Correspondingly, the installation and storage unit can store the sensitive database made up of the sensitive data directly in the normal runtime environment operating system of the user equipment, for example in the rich operating system (Rich OS).
After the data conversion program is installed, an interface can be generated. The interface can be associated with other data query components, which use the data conversion program through it. For example, the other data query components may include one or more components for receiving data query instructions, querying data, and feeding back query results.
When the data conversion program is installed directly in the normal runtime environment operating system of the user equipment, the other data query components can also be installed directly in that operating system, and the confidentiality of the sensitive data can still be achieved.
In this case, all of the data query components can form one application in the normal runtime environment operating system, and the user can query the sensitive data through that application.
In another embodiment of this specification, the installation and storage unit can also, after the user equipment obtains the data conversion program and the sensitive database, install the data conversion program in the secure operating system of the user equipment. The secure operating system is a system that is independent of the normal runtime environment and provides security services for it; it can hide the data conversion program and the algorithm it contains. In this case, the data conversion program may include any algorithm, simple or complex.
When the data conversion program is installed directly in the secure operating system of the user equipment, the other data query components corresponding to the data conversion program are also installed in the secure operating system of the user equipment. The secure operating system can then be used to further protect the confidentiality of the sensitive data and to prevent the user from decompiling the algorithm in the data conversion program.
In this case, the data query component that receives data query instructions and feeds back query results may be at least one interface application in the normal runtime environment operating system, and the user can query the sensitive data through that application.
In one embodiment of this specification, when the data conversion program is installed directly in the secure operating system of the user equipment, the secure operating system may be a secure element (Secure Element, SE). Because its security is relatively high, it can further improve the database provider's privacy and security. If the secure operating system is an SE, the installation and storage unit can, after the user equipment obtains the data conversion program and the sensitive database, store the sensitive database in a storage device outside the secure operating system, so as to ensure that the processing capacity of the SE can carry out data queries efficiently. The storage device may be a storage device in the normal runtime environment operating system, such as a storage device in the rich operating system (Rich OS), or a storage device outside the user equipment.
In another embodiment of this specification, when the data conversion program is installed directly in the secure operating system of the user equipment, the secure operating system may be a trusted execution environment (Trusted Execution Environment, TEE). The TEE is a runtime environment that coexists with the Rich OS on the user equipment. It has its own execution space and a higher security level than the Rich OS, and it can meet the security requirements of most applications; in this specification, it can ensure the database provider's privacy and security. If the secure operating system is a TEE, the installation and storage unit can, after the user equipment obtains the data conversion program and the sensitive database, store the sensitive database either in the storage device of the secure operating system or in a storage device outside the secure operating system. Specifically, if the data volume of the sensitive database is small, that is, less than or equal to a preset data volume, the sensitive database made up of the sensitive data can be stored directly in the storage device of the secure operating system. If the data volume of the sensitive database is large, that is, greater than the preset data volume, the sensitive database made up of the sensitive data can be stored in a storage device of the normal runtime environment operating system, such as a storage device in the rich operating system (Rich OS), or in a storage device outside the user equipment.
In some embodiments of this specification, if the secure operating system is a TEE, the installation and storage unit can store the sensitive database using a preset secure storage scheme. The secure storage scheme may include at least the Scalable File Service (SFS) secure storage scheme and the Structured Query Language File Stream (SQLFS) secure storage scheme, so that the sensitive database can be loaded in the trusted environment, thereby meeting the need for lookups over larger groups in addition to existence lookups.
In the embodiments of this specification, the data query apparatus further includes a query response unit, configured to judge whether the number of data query instructions received within the predetermined time is less than or equal to the preset number. If the number of data query instructions received within the predetermined time is less than or equal to the preset number, it determines to respond to the data query instruction; otherwise, it determines not to respond to the data query instruction.
Thus, by setting the number of queries the user may make within each predetermined time, the user can be prevented from running database-collision (repeated trial) queries against the sensitive database, which ensures the security of the sensitive database. The predetermined time may be 12 hours, one day, one week or one month, and can be preset by the database provider as needed.
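The flow described above (conversion with SHA-256, local lookup in the sensitive database, and the per-period query quota), as an added example that is not part of the patent text. The names `convert`, `build_sensitive_database`, `QueryDevice` and `QueryResult`, the phone-number canonicalisation, and the sample numbers are assumptions constructed for the illustration.

```python
"""Added illustration of the query flow; not code from the patent."""
import hashlib
import string
import time
from typing import Callable, Iterable, NamedTuple, Optional


def convert(data_object: str) -> str:
    """Data conversion program (assumed here: canonicalise, then SHA-256).

    Provider and device must apply the same canonical form, otherwise
    "202-555-0101" and "(202) 555 0101" hash differently and a real match
    is missed. SHA-256 yields a 256-bit digest (64 hex characters).
    """
    digits = "".join(ch for ch in data_object if ch in string.digits)
    if not digits:
        raise ValueError("data object contains no digits")
    return hashlib.sha256(digits.encode("ascii")).hexdigest()


def build_sensitive_database(original: Iterable[str]) -> frozenset:
    """Provider side: only converted records leave the provider's server."""
    return frozenset(convert(item) for item in original)


class QueryResult(NamedTuple):
    responded: bool          # False when the quota refused the instruction
    match: Optional[bool]    # None when no response was given


class QueryDevice:
    """Target-device side: receive, check quota, convert, query, feed back."""

    def __init__(self, sensitive_db: frozenset, preset_quantity: int,
                 predetermined_time: float,
                 clock: Callable[[], float] = time.monotonic):
        if preset_quantity < 0 or predetermined_time <= 0:
            raise ValueError("invalid quota settings")
        self._db = sensitive_db
        self._preset_quantity = preset_quantity
        self._period = predetermined_time
        self._clock = clock
        self._period_start = clock()
        self._received = 0   # instructions received in the current period

    def query(self, data_object: str) -> QueryResult:
        now = self._clock()
        if now - self._period_start >= self._period:
            # A new predetermined time has begun: reset the counter.
            self._period_start, self._received = now, 0
        # Every received instruction counts, including refused ones, so
        # repeated trial queries cannot extend their own allowance.
        self._received += 1
        if self._received > self._preset_quantity:
            return QueryResult(responded=False, match=None)
        # The lookup runs locally; nothing is sent to the provider.
        return QueryResult(responded=True,
                           match=convert(data_object) in self._db)


if __name__ == "__main__":
    # Constructed sample data (fictional 555-01xx numbers).
    db = build_sensitive_database(["202-555-0101", "(202) 555-0102"])
    device = QueryDevice(db, preset_quantity=2, predetermined_time=86400)
    for number in ["202 555 0101", "2025550199", "2025550102"]:
        print(number, device.query(number))
```

The quota only limits queries made through this interface; the embodiments that install the data conversion program in an SE or TEE address the separate problem of hiding the algorithm itself.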
Fig. 7 shows a schematic structural diagram of the data query apparatus provided by another embodiment of this specification. As shown in Fig. 7, the data query apparatus includes:
a data processing unit 810, configured to convert original sensitive data with the data conversion program to obtain sensitive data, and to generate the sensitive database;
a data transmission unit 820, configured to send the data conversion program and the sensitive database to the target device, so that the target device, on receiving a data query instruction, converts the data object to be queried that is included in the data query instruction using the data conversion program, and queries whether the sensitive database contains sensitive data that matches the converted data object to be queried, so as to obtain the query result for the data object to be queried.
Thus, in the embodiments of this specification, the query result for the data object to be queried can be obtained using a data conversion program and a sensitive database that are stored on a device other than the database provider's server. This prevents the user's query records from being monitored by the database provider and improves the user's privacy and security. Meanwhile, the sensitive data in the embodiments of this specification is data obtained by converting original sensitive data with the data conversion program. When data is queried, the data object to be queried is first converted with the data conversion program, and the sensitive database is then queried for sensitive data that matches the converted data object. During the data query, therefore, the sensitive data in the sensitive database appears only as ciphertext, which prevents the sensitive data supplied by the database provider from being learned by the user and improves the database provider's privacy and security.
In the embodiments of this specification, the data query apparatus can be applied to the database provider server shown in Fig. 1 and Fig. 2, and the target device can be the user equipment or the cloud server shown in Fig. 1 and Fig. 2.
In one embodiment of this specification, the data processing unit 810 may generate the data conversion program according to a preset algorithm, convert the original sensitive data with the data conversion program, and generate the sensitive database. Then, after a data download request sent by the target device is received, the data transmission unit 820 sends the data conversion program and the sensitive data to the target device in response to that request. The target device thereby obtains the data conversion program and the sensitive database, so that the user can use them to perform data queries through the target device, which ensures the security of the sensitive data.
In another embodiment of this specification, the database provider server may, in response to the data download request sent by the target device, cause the data processing unit 810 to determine according to the target device a data conversion program generated with a suitable algorithm, convert the original sensitive data with that data conversion program, and generate the sensitive database. The data transmission unit 820 then sends the data conversion program and the sensitive database to the target device. The target device thereby obtains them, so that the user can use them to perform data queries through the target device, and the use of different algorithms further improves the security of the sensitive data.
In the embodiments of this specification, the data query apparatus further includes a query setting unit, configured to determine, according to the usage rights of the target device, the preset number of received data query instructions that the target device responds to within a predetermined time.
The data download request may include the usage rights of the target device. The query setting unit can determine from the usage rights how many times the target device may query the sensitive data within each predetermined time, and set accordingly the preset number of received data query instructions that the target device responds to within the predetermined time. The database provider thereby controls the query service offered to the target device, which effectively prevents the user from working out (decompiling) the algorithm in the data conversion program by means of database-collision (repeated trial) queries and further improves the security of the sensitive data.
Fig. 8 shows a schematic hardware structure diagram of the data query equipment provided by one embodiment of this specification. As shown in Fig. 8, the data query equipment 900 includes an input device 901, an input interface 902, a central processing unit 903, a memory 904, an output interface 905 and an output device 906. The input interface 902, the central processing unit 903, the memory 904 and the output interface 905 are connected to one another by a bus 910. The input device 901 and the output device 906 are connected to the bus 910 through the input interface 902 and the output interface 905 respectively, and thereby to the other components of the data query equipment 900.
Specifically, the input device 901 receives input information from outside and transmits it to the central processing unit 903 through the input interface 902. The central processing unit 903 processes the input information based on the computer-executable instructions stored in the memory 904 to generate output information, stores the output information temporarily or permanently in the memory 904, and then transmits the output information to the output device 906 through the output interface 905. The output device 906 outputs the output information to the outside of the data query equipment 900 for use by the user.
That is, the data query equipment shown in Fig. 8 may also be implemented to include: a memory storing computer-executable instructions; and a processor that, when executing the computer-executable instructions, can implement the data query method and apparatus described with reference to Fig. 3 to Fig. 7.
The embodiments of this specification also provide a computer-readable storage medium on which computer program instructions are stored; when executed by a processor, the computer program instructions implement the data query method provided by the embodiments of this specification.
The functional blocks shown in the structural block diagrams above can be implemented as hardware, software, firmware, or a combination of them. When implemented in hardware, a functional block may be, for example, an electronic circuit, an application-specific integrated circuit (ASIC), appropriate firmware, a plug-in, a function card, and so on. When implemented in software, the elements of this specification are the programs or code segments used to perform the required tasks. The programs or code segments can be stored in a machine-readable medium, or transmitted over a transmission medium or communication link by a data signal carried in a carrier wave. A "machine-readable medium" may include any medium that can store or transmit information. Examples of machine-readable media include electronic circuits, semiconductor memory devices, ROM, flash memory, erasable ROM (EROM), floppy disks, CD-ROMs, optical discs, hard disks, fiber-optic media, radio frequency (RF) links, and so on. Code segments can be downloaded via a computer network such as the Internet or an intranet.
It should also be noted that specific embodiments of this specification have been described above. Other embodiments are within the scope of the appended claims. In some cases, the actions or steps recited in the claims can be performed in an order different from that in the embodiments and still achieve the desired result. In addition, the processes depicted in the drawings do not necessarily require the particular order shown, or a sequential order, to achieve the desired result. In some embodiments, multitasking and parallel processing are also possible or may be advantageous.
The above are only specific embodiments of this specification. Those skilled in the art will clearly understand that, for convenience and brevity of description, the specific working processes of the systems, modules and units described above can be found in the corresponding processes of the foregoing method embodiments and are not repeated here. It should be understood that the protection scope of this specification is not limited to these embodiments; any person familiar with the technical field can readily conceive of various equivalent modifications or replacements within the technical scope disclosed by this specification, and these modifications or replacements shall all fall within the protection scope of this specification.

Claims (24)

1. A data query method, comprising:
receiving a data query instruction;
in response to the data query instruction, converting, using a data conversion program, the data object to be queried that is included in the data query instruction;
querying whether a sensitive database contains sensitive data that matches the converted data object to be queried, wherein the sensitive data is data obtained by converting original sensitive data with the data conversion program;
feeding back the query result.
2. The data query method according to claim 1, further comprising:
obtaining the data conversion program and the sensitive database.
3. The data query method according to claim 2, wherein obtaining the data conversion program and the sensitive database comprises:
obtaining the data conversion program and the sensitive database through a transmission channel established using a trusted service management (TSM) platform.
4. The data query method according to claim 2, further comprising:
installing the data conversion program in a secure operating system.
5. The data query method according to claim 4, wherein, if the secure operating system is a secure element (SE), the method further comprises:
storing the sensitive database in a storage device outside the secure operating system.
6. The data query method according to claim 4, wherein, if the secure operating system is a trusted execution environment (TEE) operating system, the method further comprises:
if the data volume of the sensitive database is less than or equal to a preset data volume, storing the sensitive database in a storage device of the secure operating system.
7. The data query method according to claim 6, wherein the sensitive database is stored using a preset secure storage scheme.
8. The data query method according to claim 1, further comprising:
if the number of data query instructions received within a predetermined time is less than or equal to a preset number, determining to respond to the data query instruction.
9. A data query method, comprising:
converting original sensitive data with a data conversion program to obtain sensitive data, and generating a sensitive database;
sending the data conversion program and the sensitive database to a target device, so that the target device, on receiving a data query instruction, converts the data object to be queried that is included in the data query instruction using the data conversion program, and queries whether the sensitive database contains sensitive data that matches the converted data object to be queried, so as to obtain the query result for the data object to be queried.
10. The data query method according to claim 9, wherein the data conversion program is determined according to the target device.
11. The data query method according to claim 9, further comprising:
determining, according to the usage rights of the target device, the preset number of received data query instructions that the target device responds to within a predetermined time.
12. A data query apparatus, characterized in that the apparatus comprises:
an instruction receiving unit, configured to receive a data query instruction;
a data conversion unit, configured to convert, in response to the data query instruction and using a data conversion program, the data object to be queried that is included in the data query instruction;
a data query unit, configured to query whether a sensitive database contains sensitive data that matches the converted data object to be queried, wherein the sensitive data is data obtained by converting original sensitive data with the data conversion program;
a result feedback unit, configured to feed back the query result.
13. The data query apparatus according to claim 12, characterized in that the apparatus further comprises a data acquisition unit, configured to obtain the data conversion program and the sensitive database.
14. The data query apparatus according to claim 13, characterized in that the data acquisition unit is further configured to obtain the data conversion program and the sensitive database through a transmission channel established using a trusted service management (TSM) platform.
15. The data query apparatus according to claim 13, characterized in that the apparatus further comprises an installation and storage unit, configured to install the data conversion program in a secure operating system.
16. The data query apparatus according to claim 15, wherein, if the secure operating system is a secure element (SE), the installation and storage unit is further configured to store the sensitive database in a storage device outside the secure operating system.
17. The data query apparatus according to claim 15, characterized in that, if the secure operating system is a trusted execution environment (TEE) operating system, the installation and storage unit is further configured to store the sensitive database in a storage device of the secure operating system if the data volume of the sensitive database is less than or equal to a preset data volume.
18. The data query apparatus according to claim 17, characterized in that the installation and storage unit is further configured to store the sensitive database using a preset secure storage scheme.
19. The data query apparatus according to claim 12, characterized in that the apparatus further comprises a query response unit, configured to determine to respond to the data query instruction if the number of data query instructions received within a predetermined time is less than or equal to a preset number.
20. A data query apparatus, characterized in that the apparatus comprises:
a data processing unit, configured to convert original sensitive data with a data conversion program to obtain sensitive data, and to generate a sensitive database;
a data transmission unit, configured to send the data conversion program and the sensitive database to a target device, so that the target device, on receiving a data query instruction, converts the data object to be queried that is included in the data query instruction using the data conversion program, and queries whether the sensitive database contains sensitive data that matches the converted data object to be queried, so as to obtain the query result for the data object to be queried.
21. The data query apparatus according to claim 20, characterized in that the data processing unit is further configured to determine the data conversion program according to the target device.
22. The data query apparatus according to claim 20, characterized in that the apparatus further comprises a query setting unit, configured to determine, according to the usage rights of the target device, the preset number of received data query instructions that the target device responds to within a predetermined time.
23. Data query equipment, characterized in that the equipment comprises: a processor and a memory storing computer program instructions;
when executing the computer program instructions, the processor implements the data query method according to any one of claims 1-8 or 9-11.
24. A computer-readable storage medium, characterized in that computer program instructions are stored on the computer-readable storage medium, and the computer program instructions, when executed by a processor, implement the data query method according to any one of claims 1-8 or 9-11.
CN201910523410.7A 2019-06-17 2019-06-17 Data query method, apparatus, equipment and computer readable storage medium Pending CN110210251A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910523410.7A CN110210251A (en) 2019-06-17 2019-06-17 Data query method, apparatus, equipment and computer readable storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201910523410.7A CN110210251A (en) 2019-06-17 2019-06-17 Data query method, apparatus, equipment and computer readable storage medium

Publications (1)

Publication Number Publication Date
CN110210251A true CN110210251A (en) 2019-09-06

Family

ID=67793056

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910523410.7A Pending CN110210251A (en) 2019-06-17 2019-06-17 Data query method, apparatus, equipment and computer readable storage medium

Country Status (1)

Country Link
CN (1) CN110210251A (en)

US11469891B2 (en) Expendable cryptographic key access
JP5811094B2 (en) Attribute information processing apparatus, attribute information processing method, and attribute information evaluation system
WO2018228973A1 (en) Improved hardware security module management
CN103607385A (en) Method and apparatus for security detection based on browser
US8234492B2 (en) Method, client and system for reversed access to management server using one-time password
CN110210251A (en) Data query method, apparatus, equipment and computer readable storage medium
CN102186173B (en) Identity authentication method and system
US20090129586A1 (en) Cryptographic module management apparatus, method, and program
KR20140016360A (en) Method and apparatus for achieving data security in a distributed cloud computing environment
CN103997521B (en) A kind of file operation method based on router, device and router
US10785211B2 (en) Authorization and authentication for recurring workflows
Yutaka et al. Using ethereum blockchain for distributed attribute-based access control in the internet of things
US20210281555A1 (en) Api key access authorization
KR102245358B1 (en) Techniques to transform network resource requests to zero rated network requests
Danish et al. BlockAM: An adaptive middleware for intelligent data storage selection for Internet of Things
CN114503101A (en) Block chain data searching method
CN110232570A (en) A kind of information monitoring method and device
US20230169165A1 (en) Customer premises equipment implementation of dynamic residential threat detection
JP5069168B2 (en) Network operation monitoring system, manager device, and network operation monitoring method
KR20130113787A (en) Method and system for providing game service using virtual ip of pc-room
Jayagopan et al. Intelligence orchestration in IoT and cyber-physical systems
Haque et al. ConSec: An encryption policy for context aware security applications
Frank et al. Challenges for context management systems imposed by context inference
KR20100065072A (en) System and method of delivery of virtual machine using context information

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
TA01 Transfer of patent application right

Effective date of registration: 20200921

Address after: Grand Cayman Islands

Applicant after: Innovative advanced technology Co.,Ltd.

Address before: Grand Cayman Islands

Applicant before: Advanced innovation technology Co.,Ltd.

Effective date of registration: 20200921

Address after: Grand Cayman Islands

Applicant after: Advanced innovation technology Co.,Ltd.

Address before: Grand Cayman Islands

Applicant before: Alibaba Group Holding Ltd.

CB02 Change of applicant information

Address after: Cayman Enterprise Centre, 27 Hospital Road, George Town, Grand Cayman Islands

Applicant after: Innovative advanced technology Co.,Ltd.

Address before: Grand Cayman Islands

Applicant before: Innovative advanced technology Co.,Ltd.

RJ01 Rejection of invention patent application after publication

Application publication date: 20190906