CN110750810A - Data desensitization method and device, computer equipment and storage medium - Google Patents

Data desensitization method and device, computer equipment and storage medium Download PDF

Info

Publication number
CN110750810A
CN110750810A CN201911011482.XA CN201911011482A CN110750810A CN 110750810 A CN110750810 A CN 110750810A CN 201911011482 A CN201911011482 A CN 201911011482A CN 110750810 A CN110750810 A CN 110750810A
Authority
CN
China
Prior art keywords
data
sensitive data
round operation
digital sensitive
digital
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201911011482.XA
Other languages
Chinese (zh)
Inventor
吴良顺
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Zhuo Erzhi Lian Wuhan Research Institute Co Ltd
Original Assignee
Zhuo Erzhi Lian Wuhan Research Institute Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Zhuo Erzhi Lian Wuhan Research Institute Co Ltd filed Critical Zhuo Erzhi Lian Wuhan Research Institute Co Ltd
Priority to CN201911011482.XA priority Critical patent/CN110750810A/en
Publication of CN110750810A publication Critical patent/CN110750810A/en
Pending legal-status Critical Current

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/62Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • G06F21/6245Protecting personal data, e.g. for financial or medical purposes
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/602Providing cryptographic facilities or services

Abstract

The application relates to a data desensitization method, a data desensitization device, a computer device and a storage medium. The method comprises the following steps: by acquiring digital sensitive data; carrying out segmentation processing on the digital sensitive data according to a preset segmentation rule corresponding to the digital sensitive data; performing Feistel structured round operation on the segmented digital sensitive data based on a preset round operation function to obtain a round operation result; and acquiring ciphertext data corresponding to the digital sensitive data according to the round operation result. According to the data desensitization method, the round function is constructed through SM4 encryption, then round operation is carried out based on the round function to carry out data desensitization, the consistency of formats before and after digital characteristic data desensitization is effectively guaranteed, the data length, the data type and the like cannot be changed, an original database storage unit can directly store ciphertext results, the utilization rate of encryption results is effectively improved, meanwhile, the SM4 algorithm is expanded to a format-preserving encryption algorithm, and the applicability of SM4 is enhanced.

Description

Data desensitization method and device, computer equipment and storage medium
Technical Field
The present application relates to the field of computer technologies, and in particular, to a data desensitization method, apparatus, computer device, and storage medium.
Background
With the development of computer technologies, security maintenance of network data is also receiving more and more attention. Data desensitization is one of data security technologies, and data desensitization refers to data deformation performed on certain sensitive information through desensitization rules, so that reliable protection of sensitive private data is realized. Under the condition of relating to client security data or some business sensitive data, the real data is modified and provided for test use under the condition of not violating system rules, and data desensitization is required to be carried out on personal information such as identification numbers, mobile phone numbers, card numbers, client numbers and the like.
At present, a method for realizing data desensitization by adopting a symmetric encryption mode of cryptography exists, but the traditional encryption method usually changes the data length, the data type and the like when encrypting numerical sensitive data, so that an original database storage unit cannot directly store a ciphertext result, an application program cannot be correctly read and displayed, and the utilization rate of the encryption result is reduced.
Disclosure of Invention
Based on this, it is necessary to provide a data desensitization method, apparatus, computer device and storage medium capable of preserving the original data format after encryption, aiming at the technical problem that the traditional encryption method may change the data length and data type, resulting in a decrease in the utilization rate of the encryption result.
A method of data desensitization, the method comprising:
acquiring digital sensitive data;
performing segmentation processing on the digital sensitive data according to a preset segmentation rule corresponding to the digital sensitive data;
performing round operation of a Feistel structure on the segmented digital sensitive data based on a preset round operation function to obtain a round operation result, wherein the preset round operation function is generated based on a state secret SM4 algorithm and a data key;
and acquiring ciphertext data corresponding to the digital sensitive data according to the round operation result.
In one embodiment, the performing round operation and modular operation of a Feistel structure on the segmented digital sensitive data based on a preset round operation function to obtain an operation result includes:
when the number of the sections of the digital sensitive data is an odd number, inputting the segmented digital sensitive data into an unbalanced Feistel structure, and performing round operation of the unbalanced Feistel structure to obtain round operation result data corresponding to each section of the digital sensitive data;
and when the number of the sections of the digital sensitive data is an even number, inputting the segmented digital sensitive data into a balanced Feistel structure, performing round operation of the balanced Feistel structure, and acquiring round operation result data corresponding to each section of the digital sensitive data.
In one embodiment, the obtaining of ciphertext data corresponding to the digital sensitive data according to the round operation result includes:
and splicing the round operation results according to the splitting sequence of the digital sensitive data to obtain ciphertext data corresponding to the digital sensitive data.
In one embodiment, after obtaining ciphertext data corresponding to the digital sensitive data according to the operation result, the method further includes:
and carrying out result verification on the ciphertext data.
In one embodiment, the performing result check on the ciphertext data includes:
acquiring the round operation result data, and judging whether the round operation result data belongs to the value range of the digital sensitive data after corresponding segmentation;
acquiring the digits of the digital sensitive data and the ciphertext data, and judging whether the digits of the digital sensitive data are the same as the digits of the ciphertext data;
when the round operation result belongs to the value range of the digital sensitive data after corresponding segmentation, and the digit of the digital sensitive data is the same as that of the ciphertext data, judging that the result check is passed;
and when the round operation result does not belong to the value range of the digital sensitive data after corresponding segmentation, or the digit of the digital sensitive data is different from the digit of the ciphertext data, judging that the result check is not passed.
In one embodiment, the performing result check on the ciphertext data includes:
performing round operation of a Feistel structure on the round operation result based on a preset round operation function to obtain segmented data;
splicing the segmented data according to the splitting sequence of splicing the digital sensitive data to obtain decrypted checking data;
and when the decryption verification data is the same as the digital sensitive data, judging that the result verification is passed.
A data desensitization apparatus, comprising:
the data acquisition module is used for acquiring digital sensitive data;
the data segmentation module is used for carrying out segmentation processing on the digital sensitive data according to a preset segmentation rule corresponding to the digital sensitive data;
the round operation module is used for carrying out round operation of a Feistel structure on the segmented digital sensitive data based on a preset round operation function to obtain a round operation result, and the preset round operation function is generated based on a state secret SM4 algorithm and a data key;
and the ciphertext acquisition module is used for acquiring ciphertext data corresponding to the digital sensitive data according to the round operation result.
In one embodiment, the round operation module is specifically configured to:
when the number of the sections of the digital sensitive data is an odd number, inputting the segmented digital sensitive data into an unbalanced Feistel structure, and performing round operation to obtain round operation result data corresponding to each section of the digital sensitive data;
and when the number of the sections of the digital sensitive data is an even number, inputting the segmented digital sensitive data into a balanced Feistel structure, and performing round operation to obtain round operation result data corresponding to each section of the digital sensitive data.
A computer device comprising a memory and a processor, the memory storing a computer program, the processor implementing the following steps when executing the computer program:
acquiring digital sensitive data;
performing segmentation processing on the digital sensitive data according to a preset segmentation rule corresponding to the digital sensitive data;
performing round operation of a Feistel structure on the segmented digital sensitive data based on a preset round operation function to obtain a round operation result, wherein the preset round operation function is generated based on a state secret SM4 algorithm and a data key;
and acquiring ciphertext data corresponding to the digital sensitive data according to the round operation result.
A computer-readable storage medium, on which a computer program is stored which, when executed by a processor, carries out the steps of:
acquiring digital sensitive data;
performing segmentation processing on the digital sensitive data according to a preset segmentation rule corresponding to the digital sensitive data;
performing round operation of a Feistel structure on the segmented digital sensitive data based on a preset round operation function to obtain a round operation result, wherein the preset round operation function is generated based on a state secret SM4 algorithm and a data key;
and acquiring ciphertext data corresponding to the digital sensitive data according to the round operation result.
The data desensitization method, the data desensitization device, the computer equipment and the storage medium acquire digital sensitive data; carrying out segmentation processing on the digital sensitive data according to a preset segmentation rule corresponding to the digital sensitive data; performing Feistel structured round operation on the segmented digital sensitive data based on a preset round operation function to obtain a round operation result; and acquiring ciphertext data corresponding to the digital sensitive data according to the round operation result. According to the data desensitization method, the round function is constructed through SM4 encryption, then round operation is carried out based on the round function to carry out data desensitization, the consistency of formats before and after digital characteristic data desensitization is effectively guaranteed, the data length, the data type and the like cannot be changed, an original database storage unit can directly store ciphertext results, the utilization rate of encryption results is effectively improved, meanwhile, the SM4 algorithm is expanded to a format-preserving encryption algorithm, and the applicability of SM4 is enhanced.
Drawings
FIG. 1 is a diagram of an environment in which a data desensitization method is implemented in one embodiment;
FIG. 2 is a schematic flow diagram of a data desensitization method in one embodiment;
FIG. 3 is a schematic flow chart of a data desensitization method according to another embodiment;
FIG. 4 is a schematic sub-flow chart illustrating step S900 of FIG. 3 according to an embodiment;
FIG. 5 is a block diagram showing the structure of a data desensitizing apparatus according to an embodiment;
FIG. 6 is a diagram illustrating an internal structure of a computer device according to an embodiment.
Detailed Description
In order to make the objects, technical solutions and advantages of the present application more apparent, the present application is described in further detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the present application and are not intended to limit the present application.
The data desensitization method provided by the application can be applied to the application environment shown in fig. 1. Wherein the terminal 102 communicates with the server 104 via a network. The terminal 102 can submit digital characteristic data to be desensitized to the server 104, and the server 104 performs segmentation processing on the digital sensitive data according to a preset segmentation rule corresponding to the digital sensitive data by acquiring the digital characteristic data submitted by the terminal 102; performing Feistel structured round operation on the segmented digital sensitive data based on a preset round operation function to obtain a round operation result, wherein the preset round operation function is generated based on a state secret SM4 algorithm and a data key; and acquiring ciphertext data corresponding to the digital sensitive data according to the round operation result. The terminal 102 may be, but not limited to, various personal computers, notebook computers, smart phones, tablet computers, and portable wearable devices, and the server 104 may be implemented by an independent server or a server cluster formed by a plurality of servers.
In one embodiment, as shown in fig. 2, a data desensitization method is provided, which is illustrated by taking the method as an example applied to the server in fig. 1, and includes the following steps:
and S200, acquiring digital sensitive data.
Data desensitization refers to data deformation of some sensitive information through desensitization rules, and reliable protection of sensitive private data is achieved. While the desensitized real dataset can be safely used in development, testing and other non-production environments as well as outsourcing environments. The data desensitization method is used for desensitizing digital sensitive data, and for example, desensitization can be performed on digital sensitive data such as an identification number, a social security number and a telephone number.
And S400, carrying out segmentation processing on the digital sensitive data according to a preset segmentation rule corresponding to the digital sensitive data.
The preset segmentation rule is a segmentation rule set according to the data type of the data to be desensitized, different types of digital sensitive data have different segmentation rules, and the mobile phone number can be segmented according to the characteristics of the data, for example, an 11-bit mobile phone number can be divided into 3/4/4 three segments, which respectively represent a network identification number, an area code and a user number, and an 18-bit identity card number can be divided into 6/4/2/2/3/1 segments, which respectively represent a location address, a birth year, a birth month, a birth date, a place code plus gender and a check code. The splitting in particular is not absolute and other splits may be made to the above types of data according to other splitting rules. Specifically, for the identification number with the 18 th bit as X, X can be converted into 0 and then processed.
S600, performing Feistel-structured round operation on the segmented digital sensitive data based on a preset round operation function to obtain a round operation result, wherein the preset round operation function is generated based on a state secret SM4 algorithm and a data secret key.
The Feistel cipher structure is a symmetric structure used in block cipher in the study of cryptology. Named its inventor, Horst Feistel. The Feistel has the advantages that: since it is a symmetric cryptographic structure, it is useful for informationThe encryption and decryption processes of (a) are very similar or even identical. This reduces the amount of coding and line transmission requirements by almost half during implementation. The preset round operation function is a function used in the process of carrying out data desensitization processing on the digital sensitive data. In one embodiment, the predetermined round operation function is PRF trunk (SM 4)K(T), r). Wherein T represents the split digital sensitive data, r is the round number of round operation circulation, desensitization operators can set according to actual needs, the round number is 2 to 3 times at least, but the confidentiality of the desensitized data can be improved through multiple times of circulation. When the number of sections of digital sensitive data is an odd number, inputting the segmented digital sensitive data into an unbalanced Feistel structure, and performing round operation of the unbalanced Feistel structure to obtain round operation result data corresponding to each section of digital sensitive data; and when the number of the sections of the digital sensitive data is an even number, inputting the segmented digital sensitive data into a balanced Feistel structure, and performing round operation of the balanced Feistel structure to obtain round operation result data corresponding to each section of the digital sensitive data.
And S800, acquiring ciphertext data corresponding to the digital sensitive data according to the round operation result.
Specifically, round operation result data corresponding to each section of digital sensitive data after round operation are encrypted, the data can be spliced to form ciphertext data, the data format of the ciphertext data is the same as that of the original digital sensitive data, the length and the type of the data are the same, and the utilization rate of the encryption result after desensitization can be effectively improved. Specifically, the digital sensitive data before desensitization can be obtained by decrypting the ciphertext data.
In one embodiment, digital sensitive data P is taken as an example to illustrate the implementation process of the data desensitization method of the present application. Firstly, the characteristic data P is divided into m data segments, i.e. P ═ P1‖P2‖…‖Pm,|PjI represents PjLength m, Y ofjIs P at this timejThe corresponding value range is set according to the value range,
Figure BDA0002244324970000071
sjis YjThe number of elements contained (j is 1, …, m). Then judging m is odd or even.
If m is even number, performing Feistel structured round operation on the segmented digital sensitive data, L0=P1‖…‖Pm/2,R0=Pm/2+1‖…‖PmThen, r (r is an even number) round calculation is performed. The operation procedure of the ith (i ═ 1, …, r) round:
1) when i is odd number
Li=Ri-1
Figure BDA0002244324970000072
The output results for the odd rounds are obtained as: l isi=P1‖…‖Pm/2,Ri=Pm/2+1‖…‖Pm. Wherein P is1∈Ym/2+1,…,Pm/2∈Ym。Pm/2+1∈Y1,…,Pm∈Ym/2,|Pj|=|Zj|。
2) When i is even and i ≠ r, the same applies as above. When i is r, Li=Ri-1,Ri=Li-1I.e. the output of the even round is: l isi=P1‖…‖Pm/2,Ri=Pm/2+1‖…‖PmIn which P is1∈Y1,P2∈Y2,…,Pm∈Ym
And when m is an odd number, inputting an unbalanced Feistel structure: l is0=P1‖…‖P(m-1)/2,R0=P(m+1)/2‖…‖PmIn which P is1∈Y1,P2∈Y2,…,Pm∈YmThen, r (r is an even number) round calculation is performed. The operation procedure of the ith (i ═ 1, …, r) round:
1) when i is odd number
Li=Ri-1
Figure BDA0002244324970000073
Obtaining the output result L of the odd-numbered wheeli=P1‖…‖P(m+1)/2,Ri=P(m+1)/2+1‖…‖PmIn which P is1∈Y(m+1)/2,…,P(m+1)/2∈Ym,P(m+1)/2+1∈Y1,Pm∈Y(m-1)/2
2) When i is even number and i ≠ r
Li=Ri-1
Figure BDA0002244324970000081
When i is r, Li=Ri-1,Ri=Li-1. Obtaining the output result of the even-numbered round:
Li=P1‖…‖P(m-1)/2,Ri=P(m+1)/2‖…‖Pmin which P is1∈Y1,P2∈Y2,…,Pm∈Ym
Wherein L isrAnd RrIs the output result of the round operation. In one embodiment, step S800 includes: and splicing the round operation results according to the splitting sequence of the digital sensitive data to obtain ciphertext data corresponding to the digital sensitive data. As in the above embodiments, when a specific round operation result is obtained, the round operation result L can be usedrAnd RrAnd splicing the data into finally output ciphertext data. I.e. the obtained ciphertext data C ═ Lr||Rr
The data desensitization method comprises the steps of obtaining digital sensitive data; carrying out segmentation processing on the digital sensitive data according to a preset segmentation rule corresponding to the digital sensitive data; performing Feistel structured round operation on the segmented digital sensitive data based on a preset round operation function to obtain a round operation result; and acquiring ciphertext data corresponding to the digital sensitive data according to the round operation result. According to the data desensitization method, the round function is constructed through SM4 encryption, then round operation is carried out based on the round function to carry out data desensitization, the consistency of formats before and after digital characteristic data desensitization is effectively guaranteed, the data length, the data type and the like cannot be changed, an original database storage unit can directly store ciphertext results, the utilization rate of encryption results is effectively improved, meanwhile, the SM4 algorithm is expanded to a format-preserving encryption algorithm, and the applicability of SM4 is enhanced.
As shown in fig. 3, step S800 is followed by:
and S900, checking the result of the ciphertext data.
After the ciphertext data is obtained, corresponding result verification is required to be carried out on the ciphertext data to ensure that the obtained ciphertext data meets the format requirement and can be restored to the original digital sensitive data, so that the result is required to be carried out on the ciphertext data, and then the ciphertext data passing the result verification is output to the terminal to complete the whole data desensitization process. The effectiveness of the desensitization result can be effectively ensured through result verification.
In one embodiment, the data desensitization method is particularly applied to the social field and used for determining whether to desensitize digital sensitive data in the display information according to the intimacy of both social parties. When the method is applied to a social application, when a certain user browses digital sensitive data of other users, such as telephone numbers, identity card numbers and other information, the server can firstly identify the intimacy level between the browsing party and the browsed party, the intimacy level is determined according to the frequency and the interaction amount of information interaction between the two parties, and then the data is displayed according to the intimacy level. For example, for a stranger, all data in the data can be desensitized to display, and for a friend with a higher intimacy level, privacy data of a corresponding level is displayed. The more intimate the relationship, the more the private data is displayed, the higher the privacy level of the private data.
In one embodiment, S900 includes: acquiring round operation result data, and judging whether the round operation result data belongs to the value range of the digital sensitive data after corresponding segmentation; acquiring the digits of the digital sensitive data and the ciphertext data, and judging whether the digits of the digital sensitive data are the same as the digits of the ciphertext data; when the round operation result belongs to the value range of the digital sensitive data after corresponding segmentation and the digit of the digital sensitive data is the same as that of the ciphertext data, judging that the result check is passed; and when the round operation result does not belong to the value range of the digital sensitive data after corresponding segmentation, or the digit of the digital sensitive data is different from the digit of the ciphertext data, judging that the result check is not passed.
The result verification comprises a process of verifying the output ciphertext data, specifically, whether each round of operation result data to be verified belongs to a value range of the original digital characteristic data after segmentation or not, in addition, whether the digit of the ciphertext data is equal to the digit of the original digital characteristic data or not needs to be judged, the consistency of the format and the consistency of the data length of the output result are ensured through double verification, and the output ciphertext can be effectively ensured to meet the requirement of the output format through double verification. In another embodiment, when the output result does not conform to the output format, the round of the round operation may be adjusted, and the above round operation steps may be repeated until the result data conforming to the output format is obtained.
As shown in fig. 4, in one embodiment, S900 includes:
s920, performing wheel operation of a Feistel structure on the wheel operation result based on a preset wheel operation function to obtain segmented data.
And S940, splicing the segmented data according to the splitting sequence of the spliced digital sensitive data to obtain decrypted verification data.
And S960, when the decryption verification data is the same as the digital sensitive data, judging that the verification result passes.
Before desensitization is carried out through the data desensitization method, decryption operation can be carried out on the desensitized data, round operation of a Feistel structure is carried out on a round operation result, segmented data are obtained, whether feedback can be returned to initial digital sensitive data according to final desensitized ciphertext data is determined, and usability of the data desensitization method is guaranteed. In particularGet the ciphertext C ═ Lr||Rr,YjIs P at this timejCorresponding value range, dividing it into m data segments, P1∈Y1,P2∈Y2,…,Pm∈YmThe decryption process is shown in fig. 3, and the specific steps are as follows: when m is even number, performing round operation of balancing Feistel structurer=P1‖…‖Pm/2,Rr=Pm/2+1‖…‖PmThen, r (r is an even number) round calculation is performed. The operation procedure of the ith (i ═ 1, …, r) round:
1) when i is odd number
Lr-i=Rr-i+1
Figure BDA0002244324970000101
The output results of the odd-numbered rounds are: l isr-i=P1‖…‖Pm/2,Rr-i=Pm/2+1‖…‖Pm. Wherein P is1∈Ym/2+1,…,Pm/2∈Ym。Pm/2+1∈Y1,…,Pm∈Ym/2
2) When i is even and i ≠ r, the same applies as above. When i is r, Lr-i=Rr-i+1,Rr-i=Lr-i+1I.e. the output of the even round is: l isr-i=P1‖…‖Pm/2,Rr-i=Pm/2+1‖…‖PmIn which P is1∈Y1,P2∈Y2,…,Pm∈Ym
And (3) when m is an odd number, inputting an unbalanced Feistel structure: l isr=P1‖…‖P(m-1)/2,Rr=P(m+1)/2‖…‖PmIn which P is1∈Y1,P2∈Y2,…,Pm∈YmThen, r (r is an even number) round calculation is performed. The operation procedure of the ith (i ═ 1, …, r) round:
1) when i is odd number
Lr-i=Rr-i+1
Figure BDA0002244324970000102
Obtaining the output result L of the odd-numbered wheelr-i=P1‖…‖P(m+1)/2,Rr-i=P(m+1)/2+1‖…‖PmIn which P is1∈Y(m+1)/2,…,P(m+1)/2∈Ym,P(m+1)/2+1∈Y1,…,Pm∈Y(m-1)/2
2) When i is even number and i ≠ r
Lr-i=Rr-i+1
Figure BDA0002244324970000111
When i is r, Li=Ri-1,Ri=Li-1. Obtaining the output result of the even-numbered round:
Li=P1‖…‖P(m-1)/2,Ri=P(m+1)/2+1‖…‖Pmin which P is1∈Y1,P2∈Y2,…,Pm∈Ym
And finally, outputting the result and checking. Obtaining an output result C ═ L0||R0. And judging whether the output result is usable or not according to the comparison of the output result C and the original digital sensitive data, and effectively ensuring the effectiveness of the data desensitization process through verification.
As in a specific embodiment, assuming that the data key K is 1593654782163214 and the round operation number r of Feistel structure is 4, a data desensitization method is used to desensitize the cell phone number 18722793543.
The specific process of data desensitization is as follows:
dividing P18722793543 into three parts1=187,P2=2279,P3=3543,P1,P2,P3The corresponding value ranges are respectively Y1={180,…,189},Y2={1000,…,9999},Y3={1000,…,9999},|P1|=3,|P2|=|P3|=4,|Y1|=10,|Y2|=|Y39000. Mixing L with0=187,R02279| |3543 is input to the unbalanced Feistel structure to perform round calculation.
When r is 1, the first round of operation:
L1=R0=2279||3543
Figure BDA0002244324970000112
when r is 2, the second round of operation:
L2=R1=185
Figure BDA0002244324970000113
when r is 3, the third round of operation:
L3=R2=1464||7466
Figure BDA0002244324970000121
when r is 4, the fourth operation:
L4=R3=188
R4=L3=1464||7466
and finally, ciphertext data are obtained: c-18814647466
The decryption process at this time specifically includes dividing C into three parts P1=188,P2=1464,P3=7466,Y1,Y2,Y3,|P1|,|P2|,|P3| is the same as the value in encryption. Mixing L with4=188,R41464| |7466, input unbalanced Feistel structure and round calculation
When r is 1, the first round of operation:
L3=R4=1464||7466
Figure BDA0002244324970000122
when r is 2, the second round of operation:
L2=R3=185
Figure BDA0002244324970000123
when r is 3, the third round of operation:
L1=R2=2279||3543
Figure BDA0002244324970000124
when r is 4, the fourth operation:
L0=R1=187
R0=L1=2279||3543
and finally, obtaining a ciphertext: p ═ L0||R018722793543, consistent with the number data before desensitization.
It should be understood that although the steps in the flowcharts of fig. 2 and 4 are shown in order as indicated by the arrows, the steps are not necessarily performed in order as indicated by the arrows. The steps are not performed in the exact order shown and described, and may be performed in other orders, unless explicitly stated otherwise. Moreover, at least some of the steps in fig. 2 and 4 may include multiple sub-steps or multiple stages, which are not necessarily performed at the same time, but may be performed at different times, and the order of performing the sub-steps or stages is not necessarily sequential, but may be performed alternately or alternately with other steps or at least some of the sub-steps or stages of other steps.
In one embodiment, as shown in fig. 5, there is provided a data desensitization apparatus, comprising:
and the data acquisition module 200 is used for acquiring digital sensitive data.
And the data segmentation module 400 is configured to perform segmentation processing on the digital sensitive data according to a preset segmentation rule corresponding to the digital sensitive data.
And the round operation module 600 is configured to perform round operation of a Feistel structure on the segmented digital sensitive data based on a preset round operation function to obtain a round operation result, where the preset round operation function is generated based on a national secret SM4 algorithm and a data key.
And the ciphertext obtaining module 800 is configured to obtain ciphertext data corresponding to the digital sensitive data according to the round operation result.
In one embodiment, the round robin module 600 is specifically configured to: when the number of sections of digital sensitive data is an odd number, inputting the segmented digital sensitive data into an unbalanced Feistel structure, and performing round operation of the unbalanced Feistel structure to obtain round operation result data corresponding to each section of digital sensitive data; and when the number of the sections of the digital sensitive data is an even number, inputting the segmented digital sensitive data into a balanced Feistel structure, and performing round operation of the balanced Feistel structure to obtain round operation result data corresponding to each section of the digital sensitive data.
In one embodiment, the ciphertext obtaining module 800 is specifically configured to splice round operation results according to the splitting order of the digital sensitive data, and obtain ciphertext data corresponding to the digital sensitive data.
In one embodiment, the system further comprises a result checking module, configured to perform result checking on the ciphertext data.
In one embodiment, the result checking module is specifically configured to obtain round operation result data, and determine whether the round operation result data belongs to a value range of the digital sensitive data after corresponding segmentation; acquiring the digits of the digital sensitive data and the ciphertext data, and judging whether the digits of the digital sensitive data are the same as the digits of the ciphertext data; when the round operation result belongs to the value range of the digital sensitive data after corresponding segmentation and the digit of the digital sensitive data is the same as that of the ciphertext data, judging that the result check is passed; and when the round operation result does not belong to the value range of the digital sensitive data after corresponding segmentation, or the digit of the digital sensitive data is different from the digit of the ciphertext data, judging that the result check is not passed.
In one embodiment, the result checking module is specifically configured to perform round operation of a Feistel structure on a round operation result based on a preset round operation function to obtain segmented data; splicing the segmented data according to the splitting sequence of the spliced digital sensitive data to obtain decrypted verification data; and when the decryption verification data is the same as the digital sensitive data, judging that the verification of the result is passed.
For specific limitations of the data desensitization device, reference may be made to the limitations of the data desensitization method above, and further description thereof is omitted here. The various modules in the data desensitization apparatus described above may be implemented in whole or in part by software, hardware, and combinations thereof. The modules can be embedded in a hardware form or independent from a processor in the computer device, and can also be stored in a memory in the computer device in a software form, so that the processor can call and execute operations corresponding to the modules.
In one embodiment, a computer device is provided, which may be a server, and its internal structure diagram may be as shown in fig. 6. The computer device includes a processor, a memory, a network interface, and a database connected by a system bus. Wherein the processor of the computer device is configured to provide computing and control capabilities. The memory of the computer device comprises a nonvolatile storage medium and an internal memory. The non-volatile storage medium stores an operating system, a computer program, and a database. The internal memory provides an environment for the operation of an operating system and computer programs in the non-volatile storage medium. The database of the computer device is used for storing various preset data. The network interface of the computer device is used for communicating with an external terminal through a network connection. The computer program is executed by a processor to implement a method of data desensitization.
Those skilled in the art will appreciate that the architecture shown in fig. 6 is merely a block diagram of some of the structures associated with the disclosed aspects and is not intended to limit the computing devices to which the disclosed aspects apply, as particular computing devices may include more or less components than those shown, or may combine certain components, or have a different arrangement of components.
In one embodiment, a computer device is provided, comprising a memory and a processor, the memory having a computer program stored therein, the processor implementing the following steps when executing the computer program:
acquiring digital sensitive data;
carrying out segmentation processing on the digital sensitive data according to a preset segmentation rule corresponding to the digital sensitive data;
performing Feistel structured round operation on the segmented digital sensitive data based on a preset round operation function to obtain a round operation result, wherein the preset round operation function is generated based on a state secret SM4 algorithm and a data key;
and acquiring ciphertext data corresponding to the digital sensitive data according to the round operation result.
In one embodiment, the processor, when executing the computer program, further performs the steps of: when the number of sections of digital sensitive data is an odd number, inputting the segmented digital sensitive data into an unbalanced Feistel structure, and performing round operation of the unbalanced Feistel structure to obtain round operation result data corresponding to each section of digital sensitive data; and when the number of the sections of the digital sensitive data is an even number, inputting the segmented digital sensitive data into a balanced Feistel structure, and performing round operation of the balanced Feistel structure to obtain round operation result data corresponding to each section of the digital sensitive data.
In one embodiment, the processor, when executing the computer program, further performs the steps of: and splicing the round operation results according to the splitting sequence of the digital sensitive data to obtain ciphertext data corresponding to the digital sensitive data.
In one embodiment, the processor, when executing the computer program, further performs the steps of: and carrying out result verification on the ciphertext data.
In one embodiment, the processor, when executing the computer program, further performs the steps of: acquiring round operation result data, and judging whether the round operation result data belongs to the value range of the digital sensitive data after corresponding segmentation; acquiring the digits of the digital sensitive data and the ciphertext data, and judging whether the digits of the digital sensitive data are the same as the digits of the ciphertext data; when the round operation result belongs to the value range of the digital sensitive data after corresponding segmentation and the digit of the digital sensitive data is the same as that of the ciphertext data, judging that the result check is passed; and when the round operation result does not belong to the value range of the digital sensitive data after corresponding segmentation, or the digit of the digital sensitive data is different from the digit of the ciphertext data, judging that the result check is not passed.
In one embodiment, the processor, when executing the computer program, further performs the steps of: performing wheel operation of a Feistel structure on a wheel operation result based on a preset wheel operation function to obtain segmented data; splicing the segmented data according to the splitting sequence of the spliced digital sensitive data to obtain decrypted verification data; and when the decryption verification data is the same as the digital sensitive data, judging that the verification of the result is passed.
In one embodiment, a computer-readable storage medium is provided, having a computer program stored thereon, which when executed by a processor, performs the steps of:
acquiring digital sensitive data;
carrying out segmentation processing on the digital sensitive data according to a preset segmentation rule corresponding to the digital sensitive data;
performing Feistel structured round operation on the segmented digital sensitive data based on a preset round operation function to obtain a round operation result, wherein the preset round operation function is generated based on a state secret SM4 algorithm and a data key;
and acquiring ciphertext data corresponding to the digital sensitive data according to the round operation result.
In one embodiment, the computer program when executed by the processor further performs the steps of: when the number of sections of digital sensitive data is an odd number, inputting the segmented digital sensitive data into an unbalanced Feistel structure, and performing round operation of the unbalanced Feistel structure to obtain round operation result data corresponding to each section of digital sensitive data; and when the number of the sections of the digital sensitive data is an even number, inputting the segmented digital sensitive data into a balanced Feistel structure, and performing round operation of the balanced Feistel structure to obtain round operation result data corresponding to each section of the digital sensitive data.
In one embodiment, the computer program when executed by the processor further performs the steps of: and splicing the round operation results according to the splitting sequence of the digital sensitive data to obtain ciphertext data corresponding to the digital sensitive data.
In one embodiment, the computer program when executed by the processor further performs the steps of: and carrying out result verification on the ciphertext data.
In one embodiment, the computer program when executed by the processor further performs the steps of: acquiring round operation result data, and judging whether the round operation result data belongs to the value range of the digital sensitive data after corresponding segmentation; acquiring the digits of the digital sensitive data and the ciphertext data, and judging whether the digits of the digital sensitive data are the same as the digits of the ciphertext data; when the round operation result belongs to the value range of the digital sensitive data after corresponding segmentation and the digit of the digital sensitive data is the same as that of the ciphertext data, judging that the result check is passed; and when the round operation result does not belong to the value range of the digital sensitive data after corresponding segmentation, or the digit of the digital sensitive data is different from the digit of the ciphertext data, judging that the result check is not passed.
In one embodiment, the computer program when executed by the processor further performs the steps of: performing wheel operation of a Feistel structure on a wheel operation result based on a preset wheel operation function to obtain segmented data; splicing the segmented data according to the splitting sequence of the spliced digital sensitive data to obtain decrypted verification data; and when the decryption verification data is the same as the digital sensitive data, judging that the verification of the result is passed.
It will be understood by those skilled in the art that all or part of the processes of the methods of the embodiments described above can be implemented by hardware related to instructions of a computer program, which can be stored in a non-volatile computer-readable storage medium, and when executed, can include the processes of the embodiments of the methods described above. Any reference to memory, storage, database, or other medium used in the embodiments provided herein may include non-volatile and/or volatile memory, among others. Non-volatile memory can include read-only memory (ROM), Programmable ROM (PROM), Electrically Programmable ROM (EPROM), Electrically Erasable Programmable ROM (EEPROM), or flash memory. Volatile memory can include Random Access Memory (RAM) or external cache memory. By way of illustration and not limitation, RAM is available in a variety of forms such as Static RAM (SRAM), Dynamic RAM (DRAM), Synchronous DRAM (SDRAM), Double Data Rate SDRAM (DDRSDRAM), Enhanced SDRAM (ESDRAM), Synchronous Link DRAM (SLDRAM), Rambus Direct RAM (RDRAM), direct bus dynamic RAM (DRDRAM), and memory bus dynamic RAM (RDRAM).
The technical features of the above embodiments can be arbitrarily combined, and for the sake of brevity, all possible combinations of the technical features in the above embodiments are not described, but should be considered as the scope of the present specification as long as there is no contradiction between the combinations of the technical features.
The above examples only express several embodiments of the present application, and the description thereof is more specific and detailed, but not construed as limiting the scope of the invention. It should be noted that, for a person skilled in the art, several variations and modifications can be made without departing from the concept of the present application, which falls within the scope of protection of the present application. Therefore, the protection scope of the present patent shall be subject to the appended claims.

Claims (10)

1. A method of data desensitization, comprising:
acquiring digital sensitive data;
performing segmentation processing on the digital sensitive data according to a preset segmentation rule corresponding to the digital sensitive data;
performing round operation of a Feistel structure on the segmented digital sensitive data based on a preset round operation function to obtain a round operation result, wherein the preset round operation function is generated based on a state secret SM4 algorithm and a data key;
and acquiring ciphertext data corresponding to the digital sensitive data according to the round operation result.
2. The method according to claim 1, wherein the performing Feistel structured round operation and modular operation on the segmented digital sensitive data based on a preset round operation function to obtain an operation result comprises:
when the number of the sections of the digital sensitive data is an odd number, inputting the segmented digital sensitive data into an unbalanced Feistel structure, and performing round operation of the unbalanced Feistel structure to obtain round operation result data corresponding to each section of the digital sensitive data;
and when the number of the sections of the digital sensitive data is an even number, inputting the segmented digital sensitive data into a balanced Feistel structure, performing round operation of the balanced Feistel structure, and acquiring round operation result data corresponding to each section of the digital sensitive data.
3. The method of claim 1, wherein obtaining ciphertext data corresponding to the digital sensitive data according to the round operation result comprises:
and splicing the round operation results according to the splitting sequence of the digital sensitive data to obtain ciphertext data corresponding to the digital sensitive data.
4. The method according to claim 1, wherein after obtaining the ciphertext data corresponding to the digital sensitive data according to the operation result, the method further comprises:
and carrying out result verification on the ciphertext data.
5. The method of claim 4, wherein the performing the result check on the ciphertext data comprises:
acquiring the round operation result data, and judging whether the round operation result data belongs to the value range of the digital sensitive data after corresponding segmentation;
acquiring the digits of the digital sensitive data and the ciphertext data, and judging whether the digits of the digital sensitive data are the same as the digits of the ciphertext data;
when the round operation result belongs to the value range of the digital sensitive data after corresponding segmentation, and the digit of the digital sensitive data is the same as that of the ciphertext data, judging that the result check is passed;
and when the round operation result does not belong to the value range of the digital sensitive data after corresponding segmentation, or the digit of the digital sensitive data is different from the digit of the ciphertext data, judging that the result check is not passed.
6. The method of claim 4, wherein the performing the result check on the ciphertext data comprises:
performing round operation of a Feistel structure on the round operation result based on a preset round operation function to obtain segmented data;
splicing the segmented data according to the splitting sequence of splicing the digital sensitive data to obtain decrypted checking data;
and when the decryption verification data is the same as the digital sensitive data, judging that the result verification is passed.
7. A data desensitization apparatus, comprising:
the data acquisition module is used for acquiring digital sensitive data;
the data segmentation module is used for carrying out segmentation processing on the digital sensitive data according to a preset segmentation rule corresponding to the digital sensitive data;
the round operation module is used for carrying out round operation of a Feistel structure on the segmented digital sensitive data based on a preset round operation function to obtain a round operation result, and the preset round operation function is generated based on a state secret SM4 algorithm and a data key;
and the ciphertext acquisition module is used for acquiring ciphertext data corresponding to the digital sensitive data according to the round operation result.
8. The apparatus of claim 7, wherein the round robin module is specifically configured to:
when the number of the sections of the digital sensitive data is an odd number, inputting the segmented digital sensitive data into an unbalanced Feistel structure, and performing round operation of the unbalanced Feistel structure to obtain round operation result data corresponding to each section of the digital sensitive data;
and when the number of the sections of the digital sensitive data is an even number, inputting the segmented digital sensitive data into a balanced Feistel structure, performing round operation of the balanced Feistel structure, and acquiring round operation result data corresponding to each section of the digital sensitive data.
9. A computer device comprising a memory and a processor, the memory storing a computer program, wherein the processor implements the steps of the method of any one of claims 1 to 6 when executing the computer program.
10. A computer-readable storage medium, on which a computer program is stored, which, when being executed by a processor, carries out the steps of the method of any one of claims 1 to 6.
CN201911011482.XA 2019-10-23 2019-10-23 Data desensitization method and device, computer equipment and storage medium Pending CN110750810A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201911011482.XA CN110750810A (en) 2019-10-23 2019-10-23 Data desensitization method and device, computer equipment and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201911011482.XA CN110750810A (en) 2019-10-23 2019-10-23 Data desensitization method and device, computer equipment and storage medium

Publications (1)

Publication Number Publication Date
CN110750810A true CN110750810A (en) 2020-02-04

Family

ID=69279503

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201911011482.XA Pending CN110750810A (en) 2019-10-23 2019-10-23 Data desensitization method and device, computer equipment and storage medium

Country Status (1)

Country Link
CN (1) CN110750810A (en)

Cited By (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111859438A (en) * 2020-07-31 2020-10-30 上海观安信息技术股份有限公司 Reversible desensitization encryption algorithm with specified length
CN112487444A (en) * 2020-11-25 2021-03-12 远光软件股份有限公司 Database-based data encryption method and device, storage medium and electronic equipment
CN113037488A (en) * 2021-04-19 2021-06-25 工业信息安全(四川)创新中心有限公司 Reserved format encryption method and decryption method based on national secret code hash algorithm
CN113204780A (en) * 2021-05-20 2021-08-03 郑州信大捷安信息技术股份有限公司 Method and device for realizing reserved format encryption algorithm
CN113204781A (en) * 2021-05-20 2021-08-03 郑州信大捷安信息技术股份有限公司 Implementation method and device for reserved format encryption algorithm
CN113204779A (en) * 2021-05-20 2021-08-03 郑州信大捷安信息技术股份有限公司 Implementation method and device of reserved format encryption algorithm based on symmetric cryptographic algorithm
CN113591127A (en) * 2021-08-16 2021-11-02 京东科技控股股份有限公司 Data desensitization method and device
CN113691366A (en) * 2020-05-16 2021-11-23 成都天瑞芯安科技有限公司 Desensitized secure biometric identity authentication system

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105959098A (en) * 2016-04-28 2016-09-21 东港股份有限公司 Format-reserved encryption algorithm based on multi-segmented Feistel network

Patent Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105959098A (en) * 2016-04-28 2016-09-21 东港股份有限公司 Format-reserved encryption algorithm based on multi-segmented Feistel network

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
ZHELI LIU;CHUNFU JIA;JINGWEI LI;XIAOCHUN CHENG: "《Format-preserving encryption for DateTime》", 《2010 IEEE INTERNATIONAL CONFERENCE ON INTELLIGENT COMPUTING AND INTELLIGENT SYSTEMS》 *
卞超轶;朱少敏;周涛: "《 一种基于保形加密的大数据脱敏系统实现及评估》", 《电信科学》 *
陈佳;彭长根;樊玫玫;丁红发;赵园园: "《SM4-FPE: 基于SM4 的数字型数据保留格式加密算法》", 《小型微型计算机系统》 *

Cited By (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113691366A (en) * 2020-05-16 2021-11-23 成都天瑞芯安科技有限公司 Desensitized secure biometric identity authentication system
CN111859438A (en) * 2020-07-31 2020-10-30 上海观安信息技术股份有限公司 Reversible desensitization encryption algorithm with specified length
CN112487444A (en) * 2020-11-25 2021-03-12 远光软件股份有限公司 Database-based data encryption method and device, storage medium and electronic equipment
CN113037488A (en) * 2021-04-19 2021-06-25 工业信息安全(四川)创新中心有限公司 Reserved format encryption method and decryption method based on national secret code hash algorithm
CN113037488B (en) * 2021-04-19 2022-07-22 工业信息安全(四川)创新中心有限公司 Format-preserving encryption method and decryption method based on cryptographic hash algorithm
CN113204780A (en) * 2021-05-20 2021-08-03 郑州信大捷安信息技术股份有限公司 Method and device for realizing reserved format encryption algorithm
CN113204781A (en) * 2021-05-20 2021-08-03 郑州信大捷安信息技术股份有限公司 Implementation method and device for reserved format encryption algorithm
CN113204779A (en) * 2021-05-20 2021-08-03 郑州信大捷安信息技术股份有限公司 Implementation method and device of reserved format encryption algorithm based on symmetric cryptographic algorithm
CN113204780B (en) * 2021-05-20 2022-02-18 郑州信大捷安信息技术股份有限公司 Method and device for realizing reserved format encryption algorithm
CN113204781B (en) * 2021-05-20 2022-04-15 郑州信大捷安信息技术股份有限公司 Implementation method and device for reserved format encryption algorithm
CN113204779B (en) * 2021-05-20 2022-04-15 郑州信大捷安信息技术股份有限公司 Implementation method and device of reserved format encryption algorithm based on symmetric cryptographic algorithm
CN113591127A (en) * 2021-08-16 2021-11-02 京东科技控股股份有限公司 Data desensitization method and device

Similar Documents

Publication Publication Date Title
CN110750810A (en) Data desensitization method and device, computer equipment and storage medium
CN111666576B (en) Data processing model generation method and device, and data processing method and device
US10129028B2 (en) Relational encryption for password verification
CN110457945B (en) List query method, query party device, service party device and storage medium
EP3961458B1 (en) Blockchain-based service processing methods, apparatuses, devices, and storage media
CN110768784B (en) Password transmission method, device, computer equipment and storage medium
CN112953974B (en) Data collision method, device, equipment and computer readable storage medium
WO2023142440A1 (en) Image encryption method and apparatus, image processing method and apparatus, and device and medium
CN112100142A (en) Block chain-based digital asset processing method and system
CN113836559A (en) Sample alignment method, device, equipment and storage medium in federated learning
CN114417364A (en) Data encryption method, federal modeling method, apparatus and computer device
CN113434906B (en) Data query method, device, computer equipment and storage medium
CN114091067A (en) Sample alignment method, device, equipment and storage medium
CN116049802B (en) Application single sign-on method, system, computer equipment and storage medium
US20230120548A1 (en) Secret calculation system, secret calculation method, and program
CN108390758B (en) User password processing method and device and internal control security monitoring system
CN113240045B (en) Data dimension reduction method and device and related equipment
CN114238914A (en) Digital certificate application system, method, device, computer equipment and storage medium
CN115361198A (en) Decryption method, encryption method, device, computer equipment and storage medium
CN110995437B (en) ETC system-based user information input method, device, equipment and storage medium
CN111475690B (en) Character string matching method and device, data detection method and server
CN114239004A (en) Electronic signature generation method and device, computer equipment and storage medium
CN114244519A (en) Password verification method and device, computer equipment and storage medium
CN114745173A (en) Login verification method, login verification device, computer equipment, storage medium and program product
CN115174260B (en) Data verification method, device, computer, storage medium and program product

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20200204

RJ01 Rejection of invention patent application after publication