CN111132150A - Method and device for protecting data, storage medium and electronic equipment - Google Patents

Publication number: CN111132150A
Authority: CN (China)
Prior art keywords: encryption, edek, management server, dek, client
Legal status: Pending
Application number: CN201911425537.1A
Other languages: Chinese (zh)
Inventors: 邱法家, 郭庆, 谢莹莹, 于宏亮
Current Assignee: Dawning Information Industry Co Ltd
Original Assignee: Dawning Information Industry Co Ltd

Abstract

Embodiments of the application provide a method, a device, a storage medium and an electronic device for protecting data. The method comprises the following steps: the key management server receives an encrypted data encryption key (EDEK) that is sent by a client and corresponds to a specified encryption area, wherein the encryption and decryption algorithm corresponding to the EDEK is determined according to an attribute of the HDFS; the key management server decrypts the EDEK using the encryption and decryption algorithm to obtain a data encryption key (DEK); and the key management server sends the DEK to the client so that the client can read or write the specified encryption area according to the DEK. Because the encryption and decryption algorithm determined according to the attribute of the HDFS is configured in the key management server, subsequent data protection can be based on that algorithm, and because the algorithm can be flexibly adjusted according to the attribute of the HDFS, configurations can be provided to match the requirements of different encryption scenarios.

Description

Method and device for protecting data, storage medium and electronic equipment
Technical Field
The present application relates to the field of computer technologies, and in particular, to a method and an apparatus for protecting data, a storage medium, and an electronic device.
Background
With the popularization of big data applications, the data stored on a big data platform is both huge in volume and sensitive, so data security is essential for the big data platform.
At present, the data storage layer of a general-purpose big data platform is based on the Hadoop Distributed File System (HDFS), and the HDFS provides an AES (Advanced Encryption Standard) transparent encryption mode based on the Java JCE (Java Cryptography Extension) framework.
In the process of implementing the invention, the inventors found that at least the following problem exists in the prior art: because the HDFS provides only a single AES encryption mode, it cannot meet the security encryption requirements of domestic business scenarios, and it has certain limitations in actual use.
Disclosure of Invention
An object of the embodiments of the present application is to provide a method, an apparatus, a storage medium, and an electronic device for protecting data, so as to meet encryption requirements of different scenarios.
In a first aspect, an embodiment of the present application provides a method for protecting data, where the method includes: the key management server receives an encrypted data encryption key EDEK which is sent by a client and corresponds to a specified encryption area, wherein an encryption and decryption algorithm corresponding to the EDEK is determined according to the attribute of the HDFS; the key management server decrypts the EDEK by using an encryption and decryption algorithm to obtain a data encryption key DEK; and the key management server sends the DEK to the client so that the client can read or write the specified encryption area according to the DEK.
Therefore, in the embodiment of the application, the encryption and decryption algorithm determined according to the attribute of the HDFS is configured in the key management server, so that subsequent data protection can be based on that algorithm. Because the algorithm can be flexibly adjusted according to the attribute of the HDFS, configurations can be provided to match the requirements of different encryption scenarios.
In some possible embodiments, the DEK is a key randomly generated by the key management server according to a cryptographic algorithm.
Therefore, the DEK is randomly generated through the encryption algorithm, so that the data security is further enhanced.
In some possible embodiments, the encryption and decryption algorithm comprises a wireless network encryption algorithm.
Therefore, the encryption and decryption algorithm can be set according to actual requirements, and different requirements of users can be met.
In a second aspect, an embodiment of the present application provides a method for protecting data, where the method includes: a client obtains an encrypted data encryption key EDEK corresponding to a specified encryption area, wherein an encryption and decryption algorithm corresponding to the EDEK is determined according to the attribute of a distributed file system HDFS; the client sends the EDEK to the key management server; the client receives a data encryption key DEK fed back by the key management server, wherein the DEK is obtained by the key management server decrypting the EDEK using the encryption and decryption algorithm; and the client performs a read operation or a write operation on the specified encryption area by using the DEK.
In one possible embodiment, the DEK is a key randomly generated by the key management server according to a cryptographic algorithm.
In one possible embodiment, the encryption and decryption algorithm comprises a wireless network encryption algorithm.
In a third aspect, an embodiment of the present application provides an apparatus for protecting data, where the apparatus is applied to a key management server, and the apparatus includes: the first receiving module is used for receiving an encrypted data encryption key EDEK which is sent by a client and corresponds to a specified encryption area, wherein an encryption and decryption algorithm corresponding to the EDEK is determined according to the attribute of the HDFS; the encryption and decryption module is used for decrypting the EDEK by using an encryption and decryption algorithm to obtain a data encryption key DEK; and the first sending module is used for sending the DEK to the client so that the client can conveniently perform read operation or write operation on the specified encryption area according to the DEK.
In a fourth aspect, an embodiment of the present application provides an apparatus for protecting data, where the apparatus is applied to a client, and the apparatus includes: the acquisition module is used for acquiring an encrypted data encryption key EDEK corresponding to the specified encryption area, wherein an encryption and decryption algorithm corresponding to the EDEK is determined according to the attribute of the distributed file system HDFS; the second sending module is used for sending the EDEK to the key management server; the second receiving module is used for receiving a data encryption key DEK fed back by the key management server, wherein the DEK is obtained by decrypting the EDEK by the key management server by using an encryption and decryption algorithm; and the read-write module is used for performing read operation or write operation on the specified encryption area by utilizing the DEK.
In a fifth aspect, the present application provides a storage medium, on which a computer program is stored, where the computer program is executed by a processor to perform the method according to the first aspect or any optional implementation manner of the first aspect.
In a sixth aspect, the present application provides a storage medium, on which a computer program is stored, where the computer program is executed by a processor to perform the method of the second aspect or any optional implementation manner of the second aspect.
In a seventh aspect, an embodiment of the present application provides an electronic device, including: a processor, a memory and a bus, the memory storing machine-readable instructions executable by the processor, the processor and the memory communicating via the bus when the electronic device is running, the machine-readable instructions when executed by the processor performing the method of the first aspect or any of the alternative implementations of the first aspect.
In an eighth aspect, an embodiment of the present application provides an electronic device, including: a processor, a memory and a bus, the memory storing machine-readable instructions executable by the processor, the processor and the memory communicating via the bus when the electronic device is running, the machine-readable instructions when executed by the processor performing the method of the second aspect or any of the alternative implementations of the second aspect.
In a ninth aspect, the present application provides a computer program product which, when run on a computer, causes the computer to perform the method of the first aspect or any possible implementation manner of the first aspect.
In a tenth aspect, the present application provides a computer program product which, when run on a computer, causes the computer to perform the method of the second aspect or any possible implementation of the second aspect.
In order to make the aforementioned and other objects, features and advantages of the present invention comprehensible, preferred embodiments accompanied with figures are described in detail below.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings that are required to be used in the embodiments of the present application will be briefly described below, it should be understood that the following drawings only illustrate some embodiments of the present application and therefore should not be considered as limiting the scope, and that those skilled in the art can also obtain other related drawings based on the drawings without inventive efforts.
FIG. 1 illustrates a schematic diagram of an application scenario to which embodiments of the present application are applicable;
FIG. 2 is a flow chart illustrating a method for protecting data according to an embodiment of the present application;
FIG. 3 is a flowchart illustrating a method for requesting an EDEK according to an embodiment of the present application;
FIG. 4 is a flowchart illustrating a method for encrypting data according to an embodiment of the present application;
FIG. 5 is a block diagram illustrating a structure of an apparatus for protecting data according to an embodiment of the present application;
FIG. 6 is a block diagram illustrating a structure of another apparatus for protecting data according to an embodiment of the present application;
FIG. 7 shows a block diagram of an electronic device according to an embodiment of the present application.
Detailed Description
The technical solutions in the embodiments of the present application will be described below with reference to the drawings in the embodiments of the present application.
It should be noted that: like reference numbers and letters refer to like items in the following figures, and thus, once an item is defined in one figure, it need not be further defined and explained in subsequent figures. Meanwhile, in the description of the present application, the terms "first", "second", and the like are used only for distinguishing the description, and are not to be construed as indicating or implying relative importance.
HDFS encryption sits between database-level encryption and file-system-level encryption. Since files stored in the HDFS are encrypted, attacks on the HDFS can be effectively prevented. In addition, a different encryption area may be set in the HDFS for each user, and the data in the encryption area can be read or written by the client.
However, the original framework design of the HDFS only considered encryption that relies on the Java JCE, and does not provide sufficient extension points or support for multiple encryption modes, so the different encryption requirements of data in different usage scenarios cannot be met.
That is to say, the HDFS provides only a single encryption mode, which cannot meet the security encryption requirements of domestic business scenarios and has certain limitations in actual use.
In order to make the encryption mode of the HDFS flexible and to give users several encryption options to choose from, the HDFS encryption framework of the existing general-purpose big data platform needs to be redesigned and modified. The logic and architecture of the whole encryption framework therefore need to be adjusted, and a selectable, configurable encryption mode option needs to be provided, so that different encryption scenarios can be accommodated.
Based on this, the embodiment of the present application provides a scheme for protecting data in which an encryption and decryption algorithm determined according to the attribute of the HDFS is configured in the key management server, so that subsequent data protection can be based on that algorithm. Because the algorithm can be flexibly adjusted according to the attribute of the HDFS, configurations can be provided to match the requirements of different encryption scenarios.
To facilitate understanding of the embodiments of the present application, some terms in the embodiments of the present application are first explained herein as follows:
Key management server: responsible for generating the encryption keys (EZK and DEK), communicating with clients, and decrypting the EDEK.
Encryption area (encryption zone): a special directory. Each encryption zone has its own unique encryption key, the EZK (Encryption Zone Key), assigned when the zone is created; that is, one EZK corresponds to one directory. Each file under the directory corresponds to a DEK (Data Encryption Key).
EZK: used to encrypt and decrypt the DEKs of the files created in the encryption area.
DEK: the encryption key corresponding to each file in the encryption area. That is, within an encryption zone, each file can be configured with its own DEK.
EDEK (Encrypted DEK, encrypted data encryption key): the key obtained by encrypting the DEK with the EZK.
SMS4 algorithm: an encryption algorithm used in the Wireless LAN Authentication and Privacy Infrastructure (WAPI) wireless network standard, which is widely used in China. It is a block cipher with a 32-round iterated unbalanced Feistel structure, and both its key length and its block length are 128 bits.
Referring to FIG. 1, FIG. 1 is a schematic diagram illustrating an application scenario 100 to which an embodiment of the present application is applicable. Specifically, the application scenario 100 includes a client 110, a key management server 120, and a distributed file system 130 connected via a network. The distributed file system 130 includes a name node (NameNode) 131 and a data node (DataNode) 132.
It should be noted that the HDFS may include multiple data nodes; only one data node 132 is shown in FIG. 1 for ease of understanding.
The device type of the client 110, the device type of the key management server 120, the usage scenario of the distributed file system 130, and the like may all be set according to actual requirements, and the embodiment of the present application is not limited to this.
In the embodiment of the application, the client 110 obtains the EDEK corresponding to the specified encryption area in the data node 132 from the name node 131, wherein the encryption and decryption algorithm corresponding to the EDEK is determined according to the attribute of the distributed file system 130. Subsequently, the client 110 sends the EDEK to the key management server 120. Correspondingly, the key management server 120 receives the EDEK sent by the client 110.
The key management server 120 may then decrypt the EDEK using the EZK and the encryption/decryption algorithm stored in its own configuration file to obtain the DEK. Subsequently, the key management server 120 sends the DEK to the client 110. Correspondingly, the client 110 receives the DEK sent by the key management server 120.
After the client 110 receives the DEK, the client 110 may encrypt local data using the DEK to obtain encrypted data, and store the encrypted data in the specified encryption area.
Alternatively, the client 110 may decrypt the encrypted data in the specified encryption area using the DEK to obtain the original data corresponding to the encrypted data.
It should be noted that the scheme for protecting data provided in the embodiment of the present invention may be further extended to other suitable application scenarios, and is not limited to the application scenario 100 shown in fig. 1.
Referring to FIG. 2, FIG. 2 is a flowchart illustrating a method for protecting data according to an embodiment of the present application. The method shown in FIG. 2 comprises:
Step S210: the client sends a request to the name node, where the request is used to obtain the location of the specified encryption area and the EDEK corresponding to the specified encryption area.
It should be understood that the name node may be an index node in the HDFS that stores the locations or paths of all the encryption zones. That is, when the client wants to store data to or read data from a certain encryption area, the client can obtain the location of the encryption area by sending a request to the name node.
It should also be understood that the designated encryption area may be any one of all encryption areas, and the embodiment of the present application is not limited thereto.
In order to facilitate understanding of the embodiments of the present application, the following description will be given by way of specific examples.
Specifically, in the case where the client wants to perform a read operation or a write operation on the specified encryption area, the client may send a request to the name node to obtain the location of the specified encryption area and the EDEK corresponding to the specified encryption area.
Step S220: the name node obtains the location of the specified encryption area and the EDEK corresponding to the specified encryption area according to the request.
Specifically, the name node may obtain the location of the specified encryption area according to the request. The name node can also obtain the EDEK by checking whether the EDEK is stored in its local cache or in the extended attribute of the file metadata. Specifically:
If the EDEK exists, this indicates that the specified encryption area has been read or written before, so the name node does not need to request the EDEK from the key management server again and can subsequently send the stored EDEK to the client. If the EDEK does not exist, the name node needs to request the key management server to create the EDEK, and can subsequently send the EDEK fed back by the key management server to the client.
In order to facilitate understanding of the process of creating an EDEK by the key management server in the embodiments of the present application, the following description is made by way of specific embodiments.
Specifically, when each encryption zone is created, the key management server may generate the EZK for that encryption zone using an encryption/decryption algorithm determined according to the attribute of the HDFS. That is, each encryption zone has a unique EZK. Each HDFS may correspond to a key management server, and each key management server may be configured with an encryption and decryption algorithm (i.e., a single algorithm that can perform both encryption and decryption).
It should be understood that the attribute of the HDFS may include a usage scenario of the HDFS, and may also include a type of file data stored in the HDFS, and the embodiment of the present application is not limited thereto.
The usage scenario may be a preset scenario, such as a usage scenario corresponding to finance or a usage scenario corresponding to a regulatory agency. That is to say, the usage scenario may be set according to actual requirements, and the embodiment of the present application is not limited thereto. The type of the file data may be file data belonging to finance, file data belonging to monitoring, and the like. That is, the type of the file data may also be set according to actual needs.
For example, where the usage scenario is the one corresponding to finance, the encryption/decryption algorithm may be the SMS4 algorithm.
It should also be understood that the same HDFS may correspond to one encryption/decryption algorithm or to multiple encryption/decryption algorithms, and the embodiments of the present application are not limited thereto.
In addition, under the condition that the same HDFS attribute corresponds to multiple encryption and decryption algorithms, the encryption and decryption algorithm stored in the configuration file of the key management server may be a preset encryption and decryption algorithm in the multiple encryption and decryption algorithms.
Thus, in the case where the name node requests the key management server to create the EDEK, the key management server acquires the creation request. Subsequently, the key management server randomly generates the DEK according to the encryption and decryption algorithm stored in the configuration file, and the key management server can also encrypt the DEK by using EZK corresponding to the specified encryption area to obtain the EDEK. The key management server then sends the EDEK to the name node. Correspondingly, the name node receives the EDEK sent by the key management server.
Once the name node has obtained the EDEK, it can cache the EDEK in memory, so that when the specified encryption area is operated on later, the name node does not need to request the key management server to create the EDEK and can feed the cached EDEK back to the client directly.
In addition, the name node may also write the EDEK into an extended attribute of the metadata.
In step S230, the name node transmits the location of the specified encryption zone and the EDEK corresponding to the specified encryption zone to the client. Correspondingly, the client receives the position of the specified encryption area sent by the name node and the EDEK corresponding to the specified encryption area.
It should be noted that, although the foregoing is described with three steps of step S210 to step S230, it should be understood by those skilled in the art that step S210 to step S230 may be combined into one step: and the client acquires the EDEK corresponding to the specified encryption area, wherein the encryption and decryption algorithm corresponding to the EDEK is determined according to the attribute of the HDFS.
In step S240, the client sends the EDEK to the key management server. Correspondingly, the key management server receives the EDEK sent by the client.
Specifically, the client may send an authentication request carrying the identifier of the specified encryption area and the EDEK corresponding to the specified encryption area to the key management server.
Step S250: the key management server decrypts the EDEK by using the encryption and decryption algorithm to obtain the DEK.
It should be understood that the specific algorithm of the encryption and decryption algorithm may be set according to actual requirements, and the embodiments of the present application are not limited thereto.
For example, the encryption and decryption algorithm may be a wireless network encryption algorithm, such as the SMS4 algorithm.
In order to facilitate understanding of the embodiments of the present application, the following description will be given by way of specific examples.
Specifically, when the key management server receives the authentication request, it may parse the request to obtain the identifier of the specified encryption area and the EDEK corresponding to the specified encryption area.
The key management server may then look up the EZK corresponding to the specified encryption area based on the identifier of the specified encryption area, and decrypt the EDEK by using that EZK and the encryption and decryption algorithm stored in the configuration file, thereby obtaining the DEK.
In addition, because an encryption area may have access permissions set on it, the authentication request may also carry an identifier of the client, so that the key management server can verify, from the identifier of the client and the identifier of the specified encryption area, whether the client has permission to access the specified encryption area. If the client does not have permission to access the specified encryption area, the key management server can feed back to the client a message indicating that access is not possible; if the client is determined to have permission to access the specified encryption area, the key management server decrypts the EDEK by using the EZK corresponding to the specified encryption area and the encryption and decryption algorithm stored in the configuration file, so as to obtain the DEK.
In step S260, the key management server sends the DEK to the client. Correspondingly, the client receives the DEK fed back by the key management server.
In step S270, the client performs a read operation or a write operation on the specified encryption region by using the DEK.
It should be understood that the read operation refers to the client encrypting data by using the DEK and storing the obtained encrypted data to the specified encryption area.
It should also be understood that a write operation refers to the client decrypting the encrypted data stored in the specified encryption zone using the DEK.
In particular, the client may encrypt and decrypt data using its locally stored encryption and decryption algorithm and the DEK. The encryption and decryption algorithm stored locally on the client may be the same as the encryption and decryption algorithm stored in the key management server.
Therefore, according to the embodiment of the application, the encryption and decryption algorithm determined according to the attribute of the HDFS is configured in the key management server, so that data can subsequently be protected based on that algorithm. The algorithm can be flexibly adjusted according to the attribute of the HDFS, so that a configuration can be provided for each encryption scenario according to its requirements.
In order to facilitate understanding of the embodiments of the present application, the following description will be given by way of specific examples.
It should be noted that, in order to clearly describe the process of the method for protecting data in the embodiment of the present application, the following description is made by combining two drawings, fig. 3 and fig. 4.
In addition, fig. 3 and 4 are described by taking the SMS4 algorithm as an example, and it should be understood that other encryption and decryption algorithms are equally applicable and will not be described one by one.
Referring to fig. 3, fig. 3 is a flowchart illustrating a method for requesting an EDEK according to an embodiment of the present application. The method shown in fig. 3 comprises:
Step 1: The client requests the name node to create a new file in a specified encryption area of the HDFS.
Step 2: The name node requests the encryption key of the new file from the key management server.
In addition, the key management server randomly generates a new DEK in SMS4 format according to the SMS4 algorithm stored in the configuration file. The key management server then encrypts the DEK by using the SMS4 algorithm and the EZK corresponding to the specified encryption area to obtain the EDEK.
In addition, the embodiment of the application can also bind every encryption zone to its corresponding EZK, so as to facilitate subsequent queries.
Step 3: The name node obtains the EDEK and puts the EDEK into a cache.
Step 4: The name node acquires the EDEK from the cache.
Step 5: The name node writes the EDEK into the metadata information of the file.
Referring to fig. 4, fig. 4 is a flowchart illustrating a method for encrypting data according to an embodiment of the present application. The method shown in fig. 4 includes:
Step 6: The name node sends the EDEK to the client.
Step 7: The client sends the EDEK to the key management server so that the key management server can decrypt the EDEK, and the client can obtain the DEK.
Step 8: The client can use the locally stored SMS4 algorithm and the DEK to read and write the encryption area.
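The flow of fig. 3 and fig. 4 (steps 1 to 8), together with the permission check the key management server performs before decrypting an EDEK, as an added Python example that is not code from the patent. All class, method, zone and client names are assumptions; SMS4 is not in the Python standard library, so a labelled stand-in cipher (SHA-256 counter keystream with an HMAC tag) takes its place, and covering the zone identifier with the EDEK's tag is an added hardening assumption the patent does not describe.

```python
import hashlib
import hmac
import secrets

def _subkey(key, label):
    # Derive separate encryption and MAC keys from one input key.
    return hmac.new(key, label, hashlib.sha256).digest()

def _keystream(key, nonce, length):
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
              for i in range((length + 31) // 32))
    return b"".join(blocks)[:length]

def seal(key, plaintext, aad=b""):
    """Stand-in cipher, NOT SMS4: SHA-256 counter keystream plus HMAC tag."""
    nonce = secrets.token_bytes(16)
    stream = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ s for p, s in zip(plaintext, stream))
    tag = hmac.new(_subkey(key, b"mac"), aad + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(key, blob, aad=b""):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    good = hmac.new(_subkey(key, b"mac"), aad + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, good):  # constant-time comparison
        raise ValueError("integrity check failed")
    stream = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(c ^ s for c, s in zip(ct, stream))

# The algorithm is chosen by name from the configuration, as in the patent.
ALGORITHMS = {"standin-ctr-hmac": (seal, unseal)}

class KeyManagementServer:
    def __init__(self, config):
        self.encrypt, self.decrypt = ALGORITHMS[config["algorithm"]]
        self.ezk = {}  # zone id -> EZK (the zone/EZK binding)
        self.acl = {}  # zone id -> client ids allowed to use the zone

    def create_zone(self, zone_id, allowed_clients):
        self.ezk[zone_id] = secrets.token_bytes(16)
        self.acl[zone_id] = set(allowed_clients)

    def generate_edek(self, zone_id):
        dek = secrets.token_bytes(16)  # step 2: fresh random DEK per file
        return self.encrypt(self.ezk[zone_id], dek, zone_id.encode())

    def decrypt_edek(self, client_id, zone_id, edek):
        # Permission check comes first; the EZK is not touched on a denial.
        if client_id not in self.acl.get(zone_id, set()):
            raise PermissionError(f"{client_id} may not access {zone_id}")
        return self.decrypt(self.ezk[zone_id], edek, zone_id.encode())

class NameNode:
    def __init__(self, kms):
        # blocks stands in for the data nodes; it only ever holds ciphertext.
        self.kms, self.metadata, self.blocks = kms, {}, {}

    def create_file(self, zone_id, path):
        # Steps 1 to 5: obtain an EDEK and record it in the file metadata.
        self.metadata[path] = (zone_id, self.kms.generate_edek(zone_id))

    def file_info(self, path):
        return self.metadata[path]  # step 6: (zone id, EDEK), never the DEK

class Client:
    def __init__(self, client_id, kms, name_node, config):
        self.client_id, self.kms, self.nn = client_id, kms, name_node
        self.encrypt, self.decrypt = ALGORITHMS[config["algorithm"]]

    def _dek(self, path):
        zone_id, edek = self.nn.file_info(path)
        return self.kms.decrypt_edek(self.client_id, zone_id, edek)  # step 7

    def write(self, zone_id, path, data):
        self.nn.create_file(zone_id, path)
        self.nn.blocks[path] = self.encrypt(self._dek(path), data)  # step 8

    def read(self, path):
        return self.decrypt(self._dek(path), self.nn.blocks[path])

def demo():
    config = {"algorithm": "standin-ctr-hmac"}
    kms = KeyManagementServer(config)
    for zone in ("/zone_a", "/zone_b"):
        kms.create_zone(zone, {"alice"})
    nn = NameNode(kms)
    alice, bob = (Client(name, kms, nn, config) for name in ("alice", "bob"))
    path, record = "/zone_a/report.txt", b"constructed sample record"
    alice.write("/zone_a", path, record)
    out = {"roundtrip": alice.read(path),
           "stored_differs": record not in nn.blocks[path]}
    try:
        bob.read(path)  # bob is not on the zone's access list
        out["unlisted_client"] = "allowed"
    except PermissionError:
        out["unlisted_client"] = "denied"
    try:
        # An EDEK issued for /zone_a presented under the /zone_b identifier.
        kms.decrypt_edek("alice", "/zone_b", nn.file_info(path)[1])
        out["edek_under_other_zone"] = "accepted"
    except ValueError:
        out["edek_under_other_zone"] = "rejected"
    return out
```

The name node and the stored blocks only ever see the EDEK and ciphertext; the EZK never leaves the key management server, and the DEK exists only on the server and on a client that passed the permission check.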
It should be understood that the above method for protecting data is only exemplary, and those skilled in the art can make various modifications according to the above method, and the solution after the modification also falls within the protection scope of the present application.
Referring to fig. 5, fig. 5 shows a block diagram of a device 500 for protecting data according to an embodiment of the present application. It should be understood that the device 500 corresponds to the key management server side in the above method embodiment and is capable of executing the steps related to the key management server side in that embodiment; for the specific functions of the device 500, refer to the description above, and detailed descriptions are omitted here where appropriate to avoid repetition. The device 500 includes at least one software functional module that can be stored in a memory in the form of software or firmware, or solidified in an Operating System (OS) of the device 500. Specifically, the apparatus 500 is applied to a key management server, and the apparatus 500 includes:
the first receiving module 510, configured to receive an encrypted data encryption key EDEK sent by a client and corresponding to a specified encryption area, where an encryption and decryption algorithm corresponding to the EDEK is determined according to an attribute of the distributed file system HDFS;
the encryption and decryption module 520, configured to decrypt the EDEK by using the encryption and decryption algorithm to obtain a data encryption key DEK;
and a first sending module 530, configured to send the DEK to the client, so that the client performs a read operation or a write operation on the specified encryption region according to the DEK.
In one possible embodiment, the DEK is a key randomly generated by the key management server according to a cryptographic algorithm.
In one possible embodiment, the encryption and decryption algorithm comprises a wireless network encryption algorithm.
It is clear to those skilled in the art that, for convenience and brevity of description, the specific working process of the apparatus described above may refer to the corresponding process in the foregoing method, and will not be described in too much detail herein.
Referring to fig. 6, fig. 6 shows a structural block diagram of another apparatus 600 for protecting data provided in the embodiment of the present application. It should be understood that the apparatus 600 corresponds to the client side in the above method embodiment and is capable of performing the steps involved in the client side in that embodiment; for the specific functions of the apparatus 600, refer to the description above, and detailed descriptions are omitted here where appropriate to avoid repetition. The device 600 includes at least one software functional module that can be stored in a memory in the form of software or firmware, or solidified in an Operating System (OS) of the device 600. Specifically, the apparatus 600 is applied to a client, and the apparatus 600 includes:
the acquiring module 610, configured to acquire an encrypted data encryption key EDEK corresponding to the specified encryption area, where an encryption and decryption algorithm corresponding to the EDEK is determined according to an attribute of the distributed file system HDFS;
a second sending module 620, configured to send the EDEK to the key management server;
a second receiving module 630, configured to receive a data encryption key DEK fed back by the key management server, where the DEK is obtained by the key management server decrypting the EDEK by using the encryption and decryption algorithm;
and the read-write module 640, configured to perform a read operation or a write operation on the specified encryption area by using the DEK.
In one possible embodiment, the DEK is a key randomly generated by the key management server according to a cryptographic algorithm.
In one possible embodiment, the encryption and decryption algorithm comprises a wireless network encryption algorithm.
It is clear to those skilled in the art that, for convenience and brevity of description, the specific working process of the apparatus described above may refer to the corresponding process in the foregoing method, and will not be described in too much detail herein.
The embodiment of the application also provides electronic equipment, and the electronic equipment can be arranged in a key management server or a client.
Fig. 7 shows a block diagram of an electronic device 700 according to an embodiment of the present application. As shown in fig. 7, the electronic device 700 may include a processor 710, a communication interface 720, a memory 730, and at least one communication bus 740. The communication bus 740 is used to enable direct connection and communication between these components. In this embodiment, the communication interface 720 of the device is used for signaling or data communication with other node devices. The processor 710 may be an integrated circuit chip having signal processing capabilities. The processor 710 may be a general-purpose processor, including a Central Processing Unit (CPU), a Network Processor (NP), and the like; it may also be a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field Programmable Gate Array (FPGA) or other programmable logic device, discrete gate or transistor logic device, or discrete hardware component. The processor can implement or perform the various methods, steps, and logic blocks disclosed in the embodiments of the present application. A general-purpose processor may be a microprocessor, or the processor 710 may be any conventional processor or the like.
The Memory 730 may be, but is not limited to, a Random Access Memory (RAM), a Read Only Memory (ROM), a Programmable Read-Only Memory (PROM), an Erasable Read-Only Memory (EPROM), an electrically Erasable Read-Only Memory (EEPROM), and the like. The memory 730 stores computer readable instructions, and when the computer readable instructions are executed by the processor 710, the electronic device 700 may perform the steps of the corresponding apparatus side in the above method embodiments. For example, in the case where the electronic device 700 is provided in a key management server, the memory 730 stores therein computer-readable instructions, and when the computer-readable instructions are executed by the processor 710, the electronic device 700 may perform the steps of the key management server side in the above-described method embodiments.
The electronic device 700 may further include a memory controller, an input-output unit, an audio unit, and a display unit.
The memory 730, the memory controller, the processor 710, the peripheral interface, the input/output unit, the audio unit, and the display unit are electrically connected to each other directly or indirectly to realize data transmission or interaction. For example, these components may be electrically coupled to each other via one or more communication buses 740. The processor 710 is adapted to execute executable modules stored in the memory 730, such as software functional modules or computer programs comprised by the electronic device 700.
The input/output unit is used by the user to provide input data, realizing interaction between the user and the server (or the local terminal). The input/output unit may be, but is not limited to, a mouse, a keyboard, and the like.
The audio unit provides an audio interface to the user, which may include one or more microphones, one or more speakers, and audio circuitry.
The display unit provides an interactive interface (e.g. a user interface) between the electronic device and a user, or displays image data for the user's reference. In this embodiment, the display unit may be a liquid crystal display or a touch display. A touch display can be a capacitive touch screen or a resistive touch screen that supports single-point and multi-point touch operations. Supporting single-point and multi-point touch operations means that the touch display can sense touch operations generated simultaneously at one or more positions on the touch display, and the sensed touch operations are sent to the processor for calculation and processing.
It will be appreciated that the configuration shown in fig. 7 is merely illustrative and that the electronic device 700 may include more or fewer components than shown in fig. 7 or may have a different configuration than shown in fig. 7. The components shown in fig. 7 may be implemented in hardware, software, or a combination thereof.
The present application provides a storage medium having stored thereon a computer program which, when executed by a processor, performs the method of an embodiment.
The present application also provides a computer program product which, when run on a computer, causes the computer to perform the method of the method embodiments.
It can be clearly understood by those skilled in the art that, for convenience and brevity of description, the specific working process of the system described above may refer to the corresponding process in the foregoing method, and will not be described in too much detail herein.
It should be noted that, in the present specification, the embodiments are all described in a progressive manner, each embodiment focuses on differences from other embodiments, and the same and similar parts among the embodiments may be referred to each other. For the device-like embodiment, since it is basically similar to the method embodiment, the description is simple, and for the relevant points, reference may be made to the partial description of the method embodiment.
In the embodiments provided in the present application, it should be understood that the disclosed apparatus and method can be implemented in other ways. The apparatus embodiments described above are merely illustrative, and for example, the flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of apparatus, methods and computer program products according to various embodiments of the present application. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
In addition, functional modules in the embodiments of the present application may be integrated together to form an independent part, or each module may exist separately, or two or more modules may be integrated to form an independent part.
The functions, if implemented in the form of software functional modules and sold or used as a stand-alone product, may be stored in a computer readable storage medium. Based on such understanding, the technical solution of the present application, or the portion of it that contributes over the prior art, may be embodied in the form of a software product stored in a storage medium and including instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present application. The aforementioned storage medium includes: a USB flash drive, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk, and other various media capable of storing program code. It is noted that, herein, relational terms such as first and second may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising a …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.
The above description is only a preferred embodiment of the present application and is not intended to limit the present application, and various modifications and changes may be made by those skilled in the art. Any modification, equivalent replacement, improvement and the like made within the spirit and principle of the present application shall be included in the protection scope of the present application. It should be noted that: like reference numbers and letters refer to like items in the following figures, and thus, once an item is defined in one figure, it need not be further defined and explained in subsequent figures.
The above description is only for the specific embodiments of the present application, but the scope of the present application is not limited thereto, and any person skilled in the art can easily conceive of the changes or substitutions within the technical scope of the present application, and shall be covered by the scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.

Claims (10)

1. A method of protecting data, comprising:
a key management server receives an encrypted data encryption key EDEK which is sent by a client and corresponds to a specified encryption area, wherein an encryption and decryption algorithm corresponding to the EDEK is determined according to the attribute of a distributed file system HDFS;
the key management server decrypts the EDEK by using the encryption and decryption algorithm to obtain a Data Encryption Key (DEK);
and the key management server sends the DEK to the client so that the client can read or write the specified encryption area according to the DEK.
2. The method of claim 1, wherein the DEK is a key randomly generated by the key management server according to the encryption and decryption algorithm.
3. The method of claim 1, wherein the encryption and decryption algorithm comprises a wireless network encryption algorithm.
4. A method of protecting data, comprising:
a client obtains an encrypted data encryption key EDEK corresponding to a specified encryption area, wherein an encryption and decryption algorithm corresponding to the EDEK is determined according to the attribute of a distributed file system HDFS;
the client sends the EDEK to a key management server;
the client receives a Data Encryption Key (DEK) fed back by the key management server, wherein the DEK is obtained by the key management server after decrypting the EDEK by using the encryption and decryption algorithm;
and the client side performs read operation or write operation on the specified encryption area by using the DEK.
5. The method of claim 4, wherein the DEK is a key randomly generated by the key management server according to the encryption and decryption algorithm.
6. The method of claim 4, wherein the encryption and decryption algorithm comprises a wireless network encryption algorithm.
7. An apparatus for protecting data, the apparatus being applied to a key management server, the apparatus comprising:
a first receiving module, used for receiving an encrypted data encryption key EDEK which is sent by a client and corresponds to a specified encryption area, wherein an encryption and decryption algorithm corresponding to the EDEK is determined according to the attribute of a distributed file system HDFS;
the encryption and decryption module is used for decrypting the EDEK by using the encryption and decryption algorithm to obtain a data encryption key DEK;
and the first sending module is used for sending the DEK to the client so that the client can read or write the specified encryption area according to the DEK.
8. An apparatus for protecting data, the apparatus being applied to a client, the apparatus comprising:
the acquisition module is used for acquiring an encrypted data encryption key EDEK corresponding to a specified encryption area, wherein an encryption and decryption algorithm corresponding to the EDEK is determined according to the attribute of the HDFS;
the second sending module is used for sending the EDEK to a key management server;
the second receiving module is used for receiving a Data Encryption Key (DEK) fed back by the key management server, wherein the DEK is obtained by the key management server after decrypting the EDEK by using the encryption and decryption algorithm;
and the read-write module is used for performing read operation or write operation on the specified encryption area by using the DEK.
9. A storage medium, having stored thereon a computer program which, when executed by a processor, performs a method of protecting data according to any one of claims 1 to 6.
10. An electronic device, comprising: a processor, a memory and a bus, the memory storing machine-readable instructions executable by the processor, the processor and the memory communicating over the bus when the electronic device is operating, the machine-readable instructions when executed by the processor performing the method of protecting data according to any one of claims 1-6.
CN201911425537.1A 2019-12-31 2019-12-31 Method and device for protecting data, storage medium and electronic equipment Pending CN111132150A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201911425537.1A CN111132150A (en) 2019-12-31 2019-12-31 Method and device for protecting data, storage medium and electronic equipment

Publications (1)

Publication Number Publication Date
CN111132150A true CN111132150A (en) 2020-05-08

Family

ID=70507219

Country Status (1)

Country Link
CN (1) CN111132150A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination