CN111177736A - System, method and device for data storage and access - Google Patents
- Publication number
- CN111177736A, CN201910697348.3A
- Authority
- CN
- China
- Prior art keywords
- data
- access
- encrypted
- management server
- data storage
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Classifications
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/602—Providing cryptographic facilities or services
- G06F21/62—Protecting access to data via a platform, e.g. using keys or access control rules
- G06F21/6218—Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
Abstract
The data storage and access method comprises the steps that a data management server located in a network security domain obtains corresponding encrypted data from a local data storage pool according to a received data request message of an access terminal, decrypts the encrypted data to obtain decrypted data, and returns the decrypted data to the access terminal. The encrypted data is data which are obtained by encrypting the specified type of data by each internet server and synchronously uploading the data to the data storage pool. Therefore, the data in each internet server in the external network is stored in one data management server in the network security domain in a centralized manner, so that the security of data storage and access is improved, and the data access efficiency is also improved.
Description
Technical Field
The present application relates to the field of data processing technologies, and in particular, to a system, a method, and an apparatus for data storage and access.
Background
With the development of internet technology, data becomes an important core asset, and the security requirements of people on data storage and access are higher and higher.
Take data protected by the Payment Card Industry Data Security Standard (PCI DSS) as an example. The purpose of PCI DSS is to secure cardholders' credit and debit card information. In the prior art, to ensure secure storage of and access to confidential data protected by PCI DSS, a user terminal sends the confidential data to an internet server located in an external network. The internet server encrypts and stores the confidential data and, on receiving a data request message from an access terminal, returns the decrypted confidential data to the access terminal.
However, since different confidential data are stored on different internet servers, each internet server has to be queried in turn when data is accessed, so data access efficiency is low. Moreover, because the internet server is located in the external network, confidential data that is decrypted there and then transmitted is exposed to a high security risk.
Therefore, how to improve the security and the access efficiency of data storage and access is an urgent problem to be solved.
Disclosure of Invention
The embodiments of the application provide a system, a method and a device for data storage and access, which improve the security and the access efficiency of data storage and access.
In one aspect, a system for data storage and access is provided, comprising a plurality of internet servers, a data management server, and a plurality of access terminals, the data management server comprising a data storage pool, the internet servers being located in an extranet, the data management server being located in a network security domain, wherein,
each internet server is used for encrypting received data of a specified type and synchronizing the resulting encrypted data to the data management server, the data of the specified type being data whose security needs to be ensured;
the data management server is used for storing the received encrypted data in the data storage pool, and for decrypting, according to a data request message received from an access terminal, the corresponding encrypted data acquired from the data storage pool and returning the decrypted data to the access terminal;
each access terminal is used for sending a data request message to the data management server and receiving the decryption data returned by the data management server according to the data request message.
In one aspect, a method for storing and accessing data is provided, which is applied to the system for storing and accessing data, and includes:
acquiring corresponding encrypted data from the data storage pool according to the received data request message of the access terminal, wherein the encrypted data is data which is obtained by encrypting the specified type of data by the Internet server and synchronously uploading the data to the data storage pool;
decrypting the encrypted data to obtain decrypted data;
and returning the decrypted data to the access terminal.
Preferably, the specified type of data is data protected by the PCI DSS specification.
Preferably, the method further comprises the following steps:
acquiring identification information of received encrypted data;
when historical data corresponding to the identification information is stored in the data storage pool, updating the historical data to the encrypted data;
and when no historical data corresponding to the identification information is stored in the data storage pool, adding the encrypted data to the data storage pool.
Preferably, the obtaining of the corresponding encrypted data from the data storage pool according to the received data request message of the access terminal includes:
receiving a data request message containing user identification information sent by an access terminal;
and acquiring the encrypted data corresponding to the user identification information from the data storage pool.
Preferably, returning the decrypted data to the access terminal includes:
encoding the decrypted data in a specified encoding mode and then returning it to the access terminal.
In one aspect, an apparatus for data storage and access is provided, comprising:
the acquisition unit is used for acquiring corresponding encrypted data from the data storage pool according to the received data request message of the access terminal, wherein the encrypted data is data which is obtained by encrypting the specified type of data by the Internet server and synchronously uploading the data to the data storage pool;
the decryption unit is used for decrypting the encrypted data to obtain decrypted data;
and the return unit is used for returning the decrypted data to the access terminal.
Preferably, the specified type of data is data protected by the PCI DSS specification.
Preferably, the return unit is further configured to:
acquiring identification information of received encrypted data;
when historical data corresponding to the identification information is stored in the data storage pool, updating the historical data to the encrypted data;
and when no historical data corresponding to the identification information is stored in the data storage pool, adding the encrypted data to the data storage pool.
Preferably, the obtaining unit is specifically configured to:
receiving a data request message containing user identification information sent by an access terminal;
and acquiring the encrypted data corresponding to the user identification information from the data storage pool.
Preferably, the return unit is specifically configured to:
encoding the decrypted data in a specified encoding mode and then returning it to the access terminal.
In one aspect, a control device is provided comprising a memory, a processor and a computer program stored on the memory and executable on the processor, the processor executing the program to perform the steps of any of the above-described methods of data storage and access.
In one aspect, a computer-readable storage medium is provided, on which a computer program is stored, which computer program, when being executed by a processor, carries out the steps of any of the above-mentioned methods of data storage and access.
In the system, the method and the device for data storage and access provided by the embodiment of the application, the data management server located in the network security domain acquires corresponding encrypted data from a local data storage pool according to a received data request message of the access terminal, decrypts the encrypted data to acquire decrypted data, and returns the decrypted data to the access terminal. The encrypted data is data which are obtained by encrypting the specified type of data by each internet server and synchronously uploading the data to the data storage pool. Therefore, the data in each internet server in the external network is stored in one data management server in the network security domain in a centralized manner, so that the security of data storage and access is improved, and the data access efficiency is also improved.
Additional features and advantages of the application will be set forth in the description which follows, and in part will be obvious from the description, or may be learned by the practice of the application. The objectives and other advantages of the application may be realized and attained by the structure particularly pointed out in the written description and claims hereof as well as the appended drawings.
Drawings
The accompanying drawings, which are included to provide a further understanding of the application and are incorporated in and constitute a part of this application, illustrate embodiment(s) of the application and together with the description serve to explain the application and not to limit the application. In the drawings:
FIG. 1 is a block diagram of a system for storing and accessing data according to an embodiment of the present disclosure;
FIG. 2 is a flowchart illustrating an implementation of a method for storing data according to an embodiment of the present disclosure;
FIG. 3 is a flowchart of an implementation of a method for accessing data according to an embodiment of the present disclosure;
FIG. 4 is an interaction flow diagram of a method for storing and accessing data according to an embodiment of the present application;
FIG. 5 is a diagram of a system architecture for secure data storage and access in accordance with the prior art;
FIG. 6 is a diagram illustrating a system architecture for secure data storage and access in an embodiment of the present application;
FIG. 7a is a diagram of an exemplary personal data page according to an embodiment of the present application;
FIG. 7b is a diagram illustrating an example of an identity authentication page in an embodiment of the present application;
FIG. 7c is a diagram illustrating an example of an upload page according to an embodiment of the present application;
FIG. 7d is a diagram illustrating an exemplary submit confirmation page in an embodiment of the present application;
FIG. 7e is a diagram illustrating an example of a successful submission page in the embodiment of the present application;
FIG. 7f is a diagram illustrating an example of a data storage of an Internet server according to an embodiment of the present disclosure;
FIG. 7g is a diagram illustrating an example of data storage of a data management server according to an embodiment of the present application;
FIG. 7h is an exemplary diagram of user information in the embodiment of the present application;
FIG. 8 is a schematic structural diagram of an apparatus for data storage and access according to an embodiment of the present disclosure;
FIG. 9 is a schematic structural diagram of a control device in an embodiment of the present application.
Detailed Description
In order to make the purpose, technical solution and beneficial effects of the present application more clear and more obvious, the present application is further described in detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the present application and are not intended to limit the present application.
First, some terms referred to in the embodiments of the present application are explained to facilitate understanding by those skilled in the art.
Terminal device: an electronic device, mobile or fixed, on which various applications can be installed and which can display objects provided by the installed applications. In the embodiments of the application, the terminal device is mainly a user terminal or an access terminal.
External network: the Internet, a collection of computer networks that interconnects networks of varying scale (including local area networks, metropolitan area networks, and wide area networks) at different locations around the world.
Network security domain: generally implemented by deploying a firewall at the boundary and using firewall policy to control which Internet Protocol (IP) addresses are allowed to access the domain and which are not, and which IP addresses/network segments the domain is allowed to access and which it is not. A network security domain improves the security of the devices inside it.
Script: an extension of batch processing; a program stored as plain text that combines a fixed series of operations for controlling a computer, and that can implement certain logic branches and the like.
The design concept of the embodiment of the present application is described below.
With the development of internet technology, data becomes an important core asset, and the security requirements of people on data storage and access are higher and higher.
In the embodiments of the present application, data protected by PCI DSS is taken as an example. The purpose of PCI DSS is to secure cardholders' credit and debit card information. For example, the confidential data protected by the PCI DSS specification may be a user's certificate photo data. In the prior art, confidential data is generally stored and accessed as follows:
The user terminal uploads the confidential data to any one of a plurality of internet servers located in an external network, and that internet server encrypts and stores the received confidential data. The access terminal accesses the data application on each of the internet servers in turn to determine which internet server stores the confidential data. The internet server then decrypts the confidential data requested by the access terminal and returns the decrypted confidential data to the access terminal.
However, since the confidential data is distributed across a plurality of internet servers and the access terminal accesses the data application on each internet server in turn, data access efficiency is low. Moreover, because the security of the external network is low, having the internet server decrypt the confidential data and transmit it in decrypted form exposes the confidential data to a high security risk. Further, when the internet servers change (for example, capacity is expanded or reduced), the access terminal needs to be configured with the corresponding access device information, and the configuration steps are complicated, which is inconvenient for the user.
Therefore, how to improve the security and the access efficiency of data storage and access is an urgent problem to be solved.
In view of the above, the applicant considers that the data in each internet server can be stored in a data management server in the network security domain in a centralized manner, so as to improve the security and access efficiency of data storage and access.
In view of the above analysis and consideration, the present application provides a data storage and access scheme, in which encrypted data of specified types of data is centrally stored in a data management server located in a network security domain, and the data management server obtains corresponding encrypted data from a local data storage pool according to a received data request message of an access terminal, and returns decrypted data obtained by decrypting the encrypted data to the access terminal.
To further illustrate the technical solutions provided by the embodiments of the present application, the following detailed description is made with reference to the accompanying drawings and the detailed description. Although the embodiments of the present application provide method steps as shown in the following embodiments or figures, more or fewer steps may be included in the method based on conventional or non-inventive efforts. In steps where no necessary causal relationship exists logically, the order of execution of the steps is not limited to that provided by the embodiments of the present application. The method can be executed in sequence or in parallel according to the method shown in the embodiment or the figure when the method is executed in an actual processing procedure or a device.
Referring to fig. 1, a schematic diagram of an architecture of a data storage and access system is shown. The system comprises: a plurality of user terminals 10, a plurality of internet servers 11, a data management server 12, and a plurality of access terminals 13.
The user terminal 10 has a terminal application installed therein, and is configured to obtain information input by a user and uploaded data through the terminal application, and present corresponding page information to the user through a terminal application page. For example, the terminal application is a payment application, and the uploaded data is certificate photo data.
Each internet server 11 is located in the external network and is provided with a synchronization script; it encrypts received data and synchronizes the encrypted data.
Since any user can access the devices in the external network, the security of the internet server 11 is low.
The data management server 12 is located in a network security domain and is provided with a data storage pool; it stores data centrally and decrypts data.
The access terminal 13 has an access application installed and acquires data from the data management server 12 through the access application.
In the embodiments of the application, data that would otherwise be scattered across different internet servers 11 in the external network is stored centrally in the data management server 12 in the network security domain. This avoids the cumbersome step of querying each internet server 11 in turn to obtain the data, and so improves data access efficiency. Moreover, decryption and transmission are performed by the data management server in the network security domain instead of by an internet server in the external network, which greatly improves the security of data access. Furthermore, the deployment of the internet servers is decoupled from that of the access terminals, which reduces the complicated configuration steps required on the access terminal when the internet servers change.
It should be noted that the embodiments of the present application are mainly applied to an application scenario of storing and accessing data that needs to ensure data security, for example, storing and accessing confidential data protected by the PCI DSS specification.
Referring to fig. 2, a flowchart of an implementation of a data storage method provided in the present application is shown. The method comprises the following specific processes:
Step 200: the user terminal obtains the specified type data submitted through the terminal application page.
Specifically, a terminal application is installed in the user terminal, the user uploads data of a specified type through the terminal application, and the terminal application responds to data submission operation for a terminal application page and acquires the data of the specified type.
The specified type of data is data which needs to guarantee data security, that is, data which has a high requirement on the security level of the data. Optionally, the specified type of data is data protected by the PCI DSS specification, i.e. secret data.
Further, when the specified type data acquired by the user terminal does not meet the preset data condition, the data uploading failure indication information is presented through the terminal application page.
The preset data condition may be set according to an actual application scenario, and is not limited herein.
In one embodiment, the preset data condition is: the data capacity of the specified type data is not less than 0 k.
Step 201: the user terminal uploads the specified type of data to the internet server through an encrypted transmission protocol.
Specifically, when step 201 is executed, in order to ensure the security of data transmission, the user terminal sends the specified type of data to the internet server in the external network through the encrypted transmission protocol.
Optionally, the encrypted transmission protocol may be Hypertext Transfer Protocol over Secure Socket Layer (HTTPS).
Step 202: the internet server encrypts the received data of the specified type to obtain encrypted data.
Step 203: the internet server synchronizes the encrypted data to the data management server.
Specifically, the internet server synchronizes the encrypted data to the data management server in real time or periodically through the deployed synchronization script, and also stores the encrypted data locally.
Optionally, the synchronization script may be developed in a language such as PHP (Hypertext Preprocessor) or VBScript (an interpreted scripting language), which is not limited herein.
That is to say, a synchronization script is deployed on the internet server; when the synchronization script determines that new encrypted data exists, the new encrypted data is sent to the data management server in real time, or is sent to the data management server at intervals of a preset duration.
The preset time duration may be set according to an actual application scenario, for example, 1 minute, and is not limited herein.
In one embodiment, the internet server obtains a first data list of the local specified data directory and a second data list of the specified data directory in the data management server through a synchronization script, and performs data synchronization according to data difference between the first data list and the second data list. And when the internet server determines that the data synchronization fails, the data synchronization is performed again according to the data difference between the first data list and the second data list, so that the complete synchronization of the data is realized through data retransmission.
Step 204: the data management server receives the encrypted data and stores the encrypted data to the data storage pool.
Specifically, when step 204 is executed, the data management server may adopt the following steps:
acquiring identification information of the received encrypted data; when historical data corresponding to the identification information is stored in the data storage pool, updating the historical data to the encrypted data; and when no historical data corresponding to the identification information is stored in the data storage pool, adding the encrypted data to the data storage pool.
Here, a storage pool is a set of disks in a server used to store copies, shadow copies, and transfer logs. The identification information identifies the encrypted data and may be, for example, the data name or a code of the encrypted data.
For example, if the encrypted data is the encrypted certificate photo file of user S and the identification information is the identification number of user S, then when user S uploads an updated certificate photo file, the data storage pool uses the identification number of user S to update the stored encrypted data of the corresponding historical certificate photo file.
Therefore, the data in each internet server can be stored in a data management server in the network security domain in a centralized manner, and the corresponding encrypted data can be updated according to the identification information of the encrypted data.
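The synchronization and storage steps above (steps 203 and 204) can be sketched as follows. This is an added example, not code from the patent. It assumes each data list maps identification information to a SHA-256 digest of the ciphertext, so that a re-uploaded file with the same identifier is detected as a difference; the class and function names, the `FlakyLink` transport and the sample ciphertext bytes are constructed for illustration.

```python
import hashlib


class DataStoragePool:
    """Data storage pool on the data management server (network security domain)."""

    def __init__(self):
        self._records = {}  # identification info -> encrypted bytes

    def listing(self):
        """Second data list: identifier -> digest of the stored ciphertext."""
        return {i: hashlib.sha256(b).hexdigest() for i, b in self._records.items()}

    def store(self, ident, blob):
        """Step 204: update the historical data if ident exists, otherwise add."""
        action = "updated" if ident in self._records else "added"
        self._records[ident] = blob
        return action

    def get(self, ident):
        return self._records.get(ident)


def local_listing(directory):
    """First data list, built from the internet server's specified data directory."""
    return {i: hashlib.sha256(b).hexdigest() for i, b in directory.items()}


def difference(first, second):
    """Identifiers whose ciphertext is missing or stale on the management server.

    One-way on purpose: entries that other internet servers synchronized into
    the shared pool are never treated as differences to delete.
    """
    return sorted(i for i, digest in first.items() if second.get(i) != digest)


def synchronize(directory, pool, send, max_rounds=3):
    """Step 203: push the difference, then re-diff and retransmit on failure."""
    log = []
    for round_no in range(1, max_rounds + 1):
        pending = difference(local_listing(directory), pool.listing())
        if not pending:
            return True, log
        for ident in pending:
            try:
                log.append((round_no, ident, send(pool, ident, directory[ident])))
            except ConnectionError:
                log.append((round_no, ident, "failed"))
    return not difference(local_listing(directory), pool.listing()), log


class FlakyLink:
    """Constructed transport that drops the first transfer of chosen identifiers."""

    def __init__(self, drop_once):
        self.drop_once = set(drop_once)

    def __call__(self, pool, ident, blob):
        if ident in self.drop_once:
            self.drop_once.discard(ident)
            raise ConnectionError(f"transfer of {ident} interrupted")
        return pool.store(ident, blob)


def demo():
    pool = DataStoragePool()
    pool.store("user-S", b"old-ciphertext")            # historical data for user S
    directory = {                                      # constructed ciphertext blobs
        "user-S": b"\x8f\x11new-ciphertext",
        "user-T": b"\x02\x9acipher-T",
    }
    ok, log = synchronize(directory, pool, FlakyLink({"user-T"}))
    return ok, log, pool


if __name__ == "__main__":
    ok, log, _ = demo()
    print(ok, log)
```

Only identifiers and ciphertext digests cross the boundary when the lists are compared; plaintext never appears in either list.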
Referring to fig. 3, a flowchart of an implementation of a method for accessing data provided by the present application is shown. The method comprises the following specific processes:
Step 300: the access terminal sends a data request message to the data management server.
Specifically, the access terminal sends a data request message containing user identification information to the data management server.
The user identification information may be a code or a name, and the like, for example, the user identification information may be a nickname, an account number, a certificate number, or the like of the user, and is not described herein again.
Step 301: the data management server obtains the received data request message and obtains the requested encrypted data from the data storage pool.
Specifically, the data management server receives the data request message, acquires the user identification information contained in the data request message, and searches the encrypted data corresponding to the user identification information from the data storage pool according to the user identification information.
Step 302: the data management server decrypts the encrypted data to obtain decrypted data.
Step 303: the data management server returns the decrypted data to the access terminal.
Specifically, the data management server encodes the decrypted data according to a specified encoding mode, and returns the encoded decrypted data to the access terminal.
The specified encoding manner may be set according to an actual application scenario, for example, the specified encoding manner may be BASE64 encoding, which is not described herein again.
In the traditional approach, encrypted data is decrypted and transmitted by an internet server located in the external network. Because that server is in the external network, it carries a large security risk: decrypted data stored on it is easily stolen, tampered with or destroyed, and the decrypted data is likewise easily stolen, tampered with or destroyed while being transmitted from the internet server in the external network to the access terminal.
In the embodiments of the application, the network security domain is implemented by deploying a firewall at the boundary; firewall policy controls which Internet Protocol (IP) addresses are allowed to access the domain and which are not, and which IP addresses/network segments the domain is allowed to access and which it is not. Therefore, as long as firewall policy allows the access terminal to access the data management server, the access terminal can access it; the data management server located in the network security domain decrypts and transmits the encrypted data, so the security of data storage and data access is high and the security risk is greatly reduced.
Step 304: the access terminal presents the received decrypted data.
Specifically, the access terminal presents the received decrypted data through an access application page of the access application.
It should be noted that, to further improve the security of the decrypted data, the decrypted data cannot be downloaded through the access application: the access application provides no function for downloading or storing the decrypted data, so the user can only view the decrypted data through the access application page.
In one embodiment, the access application is an application for data auditing of an auditor, and returns auditing failure indication information to the user terminal in response to an auditing failure operation for an access application page. And when the user terminal receives the data auditing failure message, presenting data auditing failure indication information to the user through the terminal application page.
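The access path in steps 301 to 303, together with the firewall policy of the network security domain, can be sketched as follows. This is an added example, not code from the patent. It assumes the firewall policy is modelled as an in-process allowlist, and it uses a stand-in encrypt-then-MAC cipher built from HMAC-SHA256 so that it runs with the standard library only (the patent names no algorithm; a deployment would use a vetted authenticated cipher such as AES-GCM). The subnet, keys, function names and sample data are constructed.

```python
import base64
import hashlib
import hmac
import ipaddress
import os

# Constructed policy: only the audit subnet may reach the data management
# server. The patent enforces this at the boundary firewall.
ALLOWED_SOURCES = [ipaddress.ip_network("10.20.0.0/24")]


def source_allowed(addr):
    """Default deny: True only for addresses inside an allowed segment."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in ALLOWED_SOURCES)


def _keystream(key, nonce, length):
    """HMAC-SHA256 in counter mode (stand-in cipher, standard library only)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(enc_key, mac_key, plaintext):
    """Internet-server side (step 202): encrypt, then authenticate."""
    nonce = os.urandom(16)
    stream = _keystream(enc_key, nonce, len(plaintext))
    body = bytes(p ^ s for p, s in zip(plaintext, stream))
    tag = hmac.new(mac_key, nonce + body, hashlib.sha256).digest()
    return nonce + body + tag


def open_sealed(enc_key, mac_key, blob):
    """Management-server side (step 302): verify the tag, then decrypt."""
    if len(blob) < 48:
        raise ValueError("record too short")
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("record failed integrity check")
    stream = _keystream(enc_key, nonce, len(body))
    return bytes(c ^ s for c, s in zip(body, stream))


def handle_data_request(pool, keys, source_ip, request):
    """Steps 301-303 for one data request message."""
    if not source_allowed(source_ip):
        return {"status": "denied"}
    blob = pool.get(request.get("user_id"))
    if blob is None:
        return {"status": "not_found"}
    try:
        plaintext = open_sealed(keys[0], keys[1], blob)
    except ValueError:
        return {"status": "integrity_error"}
    # Step 303: Base64 is a transport encoding and adds no confidentiality.
    return {"status": "ok", "data": base64.b64encode(plaintext).decode("ascii")}


def demo():
    keys = (os.urandom(32), os.urandom(32))            # constructed keys
    photo = b"constructed certificate photo bytes"     # constructed sample data
    pool = {"user-S": seal(keys[0], keys[1], photo)}
    ok = handle_data_request(pool, keys, "10.20.0.15", {"user_id": "user-S"})
    outside = handle_data_request(pool, keys, "203.0.113.7", {"user_id": "user-S"})
    tampered = bytearray(pool["user-S"])
    tampered[20] ^= 0x01                               # flip one ciphertext bit
    pool["user-S"] = bytes(tampered)
    bad = handle_data_request(pool, keys, "10.20.0.15", {"user_id": "user-S"})
    return photo, ok, outside, bad


if __name__ == "__main__":
    for result in demo()[1:]:
        print(result)
```

A record altered in the storage pool is rejected before any plaintext is produced, which addresses the tampering risk the description raises for stored data.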
Referring to fig. 4, an interactive flowchart of a method for storing and accessing data provided by the present application is shown. The method comprises the following specific processes:
Step 400: the user terminal obtains the specified type data submitted through the terminal application page.
Specifically, when step 400 is executed, the specific steps refer to step 200 described above.
Step 401: the user terminal uploads the specified type of data to an internet server through an encrypted transmission protocol.
Specifically, when step 401 is executed, the specific steps refer to step 201 described above.
Step 402: the internet server encrypts the received data of the specified type to obtain encrypted data.
Specifically, when step 402 is executed, the specific steps refer to step 202 described above.
Step 403: the internet server synchronizes the encrypted data to the data management server.
Specifically, when step 403 is executed, the specific steps refer to step 203 described above.
Step 404: the data management server receives the encrypted data and stores the encrypted data to the data storage pool.
Specifically, when step 404 is executed, the specific steps refer to step 204 described above.
Step 405: the access terminal sends a data request message to the data management server.
Specifically, when step 405 is executed, the specific steps refer to step 300 above.
Step 406: the data management server obtains the received data request message and obtains the requested encrypted data from the data storage pool.
Specifically, when step 406 is executed, the specific steps refer to step 301 above.
Step 407: the data management server decrypts the encrypted data to obtain decrypted data.
Step 408: the data management server returns the decrypted data to the access terminal.
Specifically, when step 408 is executed, the specific steps refer to step 303 described above.
Step 409: the access terminal presents the received decrypted data.
Specifically, when step 409 is executed, the specific steps refer to step 304 described above.
A specific application scenario is used below to compare the conventional approach with the present application.
The application scenario is as follows: before a user can use the payment service, regulatory requirements call for the user's identity to be authenticated, and the user must upload confidential data to an internet server on the external network so that customer due diligence (CDD) can be performed on the individual user. The auditor needs to obtain the confidential data through the access terminal in order to audit it against the information filled in by the user.
It should be noted that, in practical applications, the PCI DSS requirements mean that, to protect information security, confidential data cannot be stored in plaintext. The data must be uploaded to an internet server (e.g., a server in a certain country) on an external network and must be retained there for at least a specified time (e.g., 3 years). There are usually multiple internet servers, all located in the external network; the access terminal is located in the internal network, and the access terminal and the internet servers belong to different systems.
Fig. 5 is a schematic diagram of a system architecture for secure data storage and access in the prior art. The system comprises a user terminal, a plurality of internet servers located on an external network, and an access terminal.
In the conventional technology, a user uploads CDD information to an internet server through a terminal application of a user terminal. The internet server encrypts the received CDD information and stores it locally. The CDD information includes confidential data. Different CDD information is scattered across different internet servers. Through the access terminal, an auditor queries the proxy application of each internet server in turn until the internet server storing the target confidential data is found. That internet server then decrypts the target confidential data and returns the decrypted data to the access terminal for the auditor to review.
In the conventional approach, the access terminal therefore has to access the proxy application of each internet server in the external network in turn, which consumes a large amount of data access time and lowers system stability. Moreover, the internet server decrypts the encrypted data and transmits it within the external network, so the risk of information leakage is extremely high and poses a serious security hazard. Further, when the set of internet servers changes, for example on capacity expansion, the access terminal has to reconfigure the information of the devices it accesses, which makes operation cumbersome.
Fig. 6 is a schematic diagram of a system architecture for secure data storage and access according to an embodiment of the present application. The system comprises a user terminal, a plurality of internet servers located in an external network, a data management server located in a network security domain, and an access terminal.
The specific steps for storing and accessing the confidential data are as follows:
S600: The user terminal obtains the confidential data submitted through the terminal application page.
Fig. 7a is a diagram of an example personal data page. Fig. 7b is a diagram of an example identity authentication page. Fig. 7c is a diagram of an example upload page. Fig. 7d is a diagram of an example submit confirmation page. Fig. 7e is a diagram of an example submit success page.
For example, the user submits a CDD request on the terminal application page of the terminal application, which jumps to the personal data page shown in Fig. 7a. The personal data in Fig. 7a includes: name, gender, nationality, date of birth, and address.
After completing the personal data, the user clicks the "next" button, and the terminal application jumps to the identity authentication page shown in Fig. 7b in response to the next operation on the personal data page. The identity authentication page includes a certificate type, a certificate number, an identity card photo, and the like. When the user clicks "add id photo", the authentication page jumps to the upload page shown in Fig. 7c. The identity card photo is confidential data.
The upload page is used for uploading photos and includes correct example information and error example information. When the user clicks the "upload photos" button, the upload page jumps to the submit confirmation page shown in Fig. 7d. When the user clicks the ok button, the submit confirmation page jumps to the submit success page shown in Fig. 7e.
S601: The user terminal uploads the confidential data to an internet server through an encrypted transmission protocol.
When S601 is executed, a Common Gateway Interface (CGI) may be used to upload the data. Physically, a CGI is a program running on the server that provides an interface to the client HTML page. CGI is the specification for external programs run by the server, and programs written to the CGI specification can extend the functions of the server. A CGI application can interact with the browser and can also communicate with an external data source, such as a database server, through a database interface to acquire data from it.
S602: The internet server encrypts the received confidential data to obtain encrypted data and stores it locally.
Fig. 7f is a diagram showing an example of data storage of an internet server. The list of data stored under the xxx/xxx/data directory of the internet server is shown in fig. 7 f.
S603: the internet server transmits the encrypted data to the data management server.
Specifically, when S603 is executed, see step 203 described above.
S604: the data management server receives the encrypted data and stores the encrypted data to the data storage pool.
Fig. 7g is a diagram illustrating an example of data storage of the data management server. FIG. 7g shows the list of data synchronized under the xxx/server/xxx/data directory of the data management server.
S605: the access terminal sends a data request message to the data management server.
S606: the data management server obtains the received data request message and obtains the requested encrypted data from the data storage pool.
S607: The data management server decrypts the encrypted data to obtain decrypted data.
S608: The data management server returns the decrypted data to the access terminal.
S609: the access terminal presents the received decrypted data.
Fig. 7h is a diagram illustrating an example of user information. The user information includes name, gender, religion, identification documents (confidential data), etc. The auditor audits the certificate photo file against the user information in Fig. 7h and judges whether the audit passes. When the auditor confirms that the audit has failed, audit failure indication information is sent to the user terminal through the access terminal. When the user terminal receives the data audit failure message, it presents data audit failure indication information to the user through the terminal application page.
In the embodiment of the application, both the storage requirement and the access requirement for the confidential data are met: sensitive data is stored in encrypted form and kept long-term in one specific location (the data management server), and the access terminal can obtain decrypted data simply through the data management server, with little security risk. When an internet server changes, the access terminal does not need to change the corresponding configuration information, which improves the applicability and stability of the system, and the access terminal can also pass or reject the audit so that the data is retransmitted. This improves the security and efficiency of data storage and data access, simplifies the operation steps, and brings great convenience to users.
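The data management server's part of S602 to S608 (and the update-or-add and decrypt-then-encode behaviour of claims 4 and 5) is shown below as an added Python example; it is not code from the patent. Assumptions: a single symmetric key shared by the internet servers and the data management server, the user identifier serving as the identification information, Base64 as the "specified coding mode", and an HMAC-SHA256 encrypt-then-MAC construction standing in for a real authenticated cipher such as AES-GCM so that the example runs with the standard library only.

```python
import base64
import hashlib
import hmac
import os

# Assumption: one key shared by internet servers and the data management
# server; the patent does not describe key distribution. Constructed value.
SHARED_KEY = hashlib.sha256(b"constructed demo key").digest()


def _subkey(key: bytes, label: bytes) -> bytes:
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode (stdlib stand-in for a real cipher)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _tag(key: bytes, record_id: str, nonce: bytes, ct: bytes) -> bytes:
    rid = record_id.encode()
    bound = len(rid).to_bytes(2, "big") + rid + nonce + ct  # binds blob to its id
    return hmac.new(_subkey(key, b"mac"), bound, hashlib.sha256).digest()


def encrypt(key: bytes, record_id: str, plaintext: bytes) -> bytes:
    """Internet server side (S602): returns nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    ks = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(a ^ b for a, b in zip(plaintext, ks))
    return nonce + ct + _tag(key, record_id, nonce, ct)


def decrypt(key: bytes, record_id: str, blob: bytes) -> bytes:
    """Data management server side (S607): verify first, then decrypt."""
    if len(blob) < 48:
        raise ValueError("blob too short")
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, _tag(key, record_id, nonce, ct)):
        raise ValueError("integrity check failed")
    ks = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(a ^ b for a, b in zip(ct, ks))


class DataManagementServer:
    def __init__(self, key: bytes):
        self._key = key
        self._pool = {}  # data storage pool: identification info -> encrypted blob

    def receive_sync(self, record_id: str, blob: bytes) -> str:
        """S604 / claim 4: update history data if the id exists, else add."""
        action = "updated" if record_id in self._pool else "added"
        self._pool[record_id] = blob
        return action

    def handle_request(self, user_id: str) -> str:
        """S606-S608 / claim 5: fetch, decrypt, encode, return."""
        blob = self._pool.get(user_id)
        if blob is None:
            raise KeyError(user_id)
        return base64.b64encode(decrypt(self._key, user_id, blob)).decode("ascii")


def demo():
    dms = DataManagementServer(SHARED_KEY)
    first = dms.receive_sync("user-001", encrypt(SHARED_KEY, "user-001", b"constructed ID photo v1"))
    blob_v2 = encrypt(SHARED_KEY, "user-001", b"constructed ID photo v2")
    second = dms.receive_sync("user-001", blob_v2)
    returned = base64.b64decode(dms.handle_request("user-001"))
    # A blob filed under another user's id must not decrypt for that user.
    dms.receive_sync("user-002", blob_v2)
    try:
        dms.handle_request("user-002")
        swapped_ok = True
    except ValueError:
        swapped_ok = False
    return first, second, returned, swapped_ok


if __name__ == "__main__":
    print(demo())
```

Binding the record identifier into the integrity tag means a blob that is altered or re-filed under a different identifier during synchronization is rejected before any plaintext is returned to the access terminal.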
Based on the same inventive concept, the embodiment of the present application further provides a data storage and access device. Since the principle by which the device solves the problem is similar to that of the data storage and access method, the implementation of the device can refer to the implementation of the method, and repeated details are omitted.
Fig. 8 is a schematic structural diagram of an apparatus for storing and accessing data according to an embodiment of the present application. An apparatus for data storage and access comprising:
an obtaining unit 801, configured to obtain corresponding encrypted data from the data storage pool according to a received data request message of the access terminal, where the encrypted data is data that is obtained by encrypting data of a specified type by an internet server and synchronously uploading the encrypted data to the data storage pool;
a decryption unit 802, configured to decrypt the encrypted data to obtain decrypted data;
a returning unit 803 for returning the decrypted data to the access terminal.
Preferably, the specified type of data is data protected by the PCI DSS specification.
Preferably, the returning unit 803 is further configured to:
acquiring identification information of received encrypted data;
when historical data corresponding to the identification information is stored in the data storage pool, updating the historical data into encrypted data;
and when the history data corresponding to the identification information is not stored in the data storage pool, adding the encrypted data into the data storage pool.
Preferably, the obtaining unit 801 is specifically configured to:
receiving a data request message containing user identification information sent by an access terminal;
and acquiring the encrypted data corresponding to the user identification information from the data storage pool.
Preferably, the returning unit 803 is specifically configured to:
encoding the decrypted data in a specified encoding mode and then returning it to the access terminal.
In the system, the method and the device for data storage and access provided by the embodiment of the application, the data management server located in the network security domain acquires corresponding encrypted data from a local data storage pool according to a received data request message of the access terminal, decrypts the encrypted data to acquire decrypted data, and returns the decrypted data to the access terminal. The encrypted data is data which are obtained by encrypting the specified type of data by each internet server and synchronously uploading the data to the data storage pool. Therefore, the data in each internet server in the external network is stored in one data management server in the network security domain in a centralized manner, so that the security of data storage and access is improved, and the data access efficiency is also improved.
Fig. 9 is a schematic structural diagram of a control device. Based on the same technical concept, the embodiment of the present application further provides a control device, which may include a memory 901 and a processor 902.
A memory 901 for storing computer programs executed by the processor 902. The memory 901 may mainly include a storage program area and a storage data area, wherein the storage program area may store an operating system, an application program required for at least one function, and the like; the storage data area may store data created according to the use of the blockchain node, and the like. The processor 902 may be a Central Processing Unit (CPU), a digital processing unit, or the like. The specific connection medium between the memory 901 and the processor 902 is not limited in the embodiments of the present application. In the embodiment of the present application, the memory 901 and the processor 902 are connected through the bus 903 in fig. 9, the bus 903 is represented by a thick line in fig. 9, and the connection manner between other components is merely illustrative and is not limited. The bus 903 may be divided into an address bus, a data bus, a control bus, and the like. For ease of illustration, only one thick line is shown in FIG. 9, but this does not indicate only one bus or one type of bus.
A processor 902 for executing the method of data storage and access provided by the embodiment shown in fig. 4 when calling the computer program stored in the memory 901.
Embodiments of the present application further provide a computer-readable storage medium, on which a computer program is stored, and the computer program, when executed by a processor, implements the method for storing and accessing data in any of the above-mentioned method embodiments.
Through the above description of the embodiments, those skilled in the art will clearly understand that each embodiment can be implemented by software plus a general hardware platform, and certainly can also be implemented by hardware. Based on such understanding, the above technical solutions substantially or partially contributing to the related art may be embodied in the form of a software product, which may be stored in a computer-readable storage medium, such as ROM/RAM, magnetic disk, optical disk, etc., and includes several instructions for enabling a control device (which may be a personal computer, a server, or a network device, etc.) to execute the methods of the various embodiments or some parts of the embodiments.
Finally, it should be noted that: the above embodiments are only used to illustrate the technical solutions of the present application, and not to limit the same; although the present application has been described in detail with reference to the foregoing embodiments, it should be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; and such modifications or substitutions do not depart from the spirit and scope of the corresponding technical solutions in the embodiments of the present application.
Claims (10)
1. A system for data storage and access comprising a plurality of Internet servers, a data management server and a plurality of access terminals, the data management server comprising a pool of data storage, the Internet servers being located in an extranet and the data management server being located in a network security domain, wherein,
each internet server is used for encrypting the received data of the specified type and synchronizing the obtained encrypted data to the data management server, wherein the data of the specified type is data whose security needs to be ensured;
the data management server is used for storing the received encrypted data into the data storage pool, and is further used for decrypting the corresponding encrypted data acquired from the data storage pool according to the received data request message of the access terminal and returning the decrypted data to the access terminal;
each access terminal is used for sending a data request message to the data management server and receiving the decryption data returned by the data management server according to the data request message.
2. The system of claim 1, wherein the specified type of data is third party payment industry data security standard (PCI DSS) specification protected data.
3. The system of claim 1, wherein each internet server is specifically configured to:
synchronizing the received encrypted data to the data management server in real-time or periodically through the deployed synchronization script.
4. The system of claim 1, wherein the data management server is specifically configured to:
acquiring identification information of received encrypted data;
when historical data corresponding to the identification information is stored in the data storage pool, updating the historical data into the encrypted data;
and when the history data corresponding to the identification information is not stored in the data storage pool, adding the encrypted data into the data storage pool.
5. The system of claim 1, wherein the data management server is specifically configured to:
receiving a data request message containing user identification information sent by an access terminal;
acquiring encrypted data corresponding to the user identification information from the data storage pool;
decrypting the encrypted data to obtain decrypted data;
and encoding the decrypted data in a specified encoding mode and then returning it to the access terminal.
6. The system of any of claims 1-5, wherein each access terminal is further to:
presenting the decrypted data through an access application page of an access application, wherein the decrypted data cannot be downloaded through the access application.
7. The system of any one of claims 1-5, further comprising a plurality of user terminals, each user terminal configured to:
and when the acquired specified type data is determined not to meet the preset data condition, presenting data uploading failure indication information through a terminal application page.
8. The system of any one of claims 1-5, further comprising a plurality of user terminals, each user terminal configured to:
and when the data auditing failure message is received, presenting data auditing failure indication information through a terminal application page.
9. A method of data storage and access, for use in a system as claimed in any one of claims 1 to 8, comprising:
acquiring corresponding encrypted data from the data storage pool according to the received data request message of the access terminal, wherein the encrypted data is data which is obtained by encrypting data of a specified type by an internet server and synchronously uploading the data to the data storage pool;
decrypting the encrypted data to obtain decrypted data;
and returning the decrypted data to the access terminal.
10. An apparatus for data storage and access, comprising:
an acquisition unit, configured to acquire corresponding encrypted data from a data storage pool according to a received data request message of an access terminal, wherein the encrypted data is data that is obtained by an internet server encrypting data of a specified type and synchronously uploading it to the data storage pool;
the decryption unit is used for decrypting the encrypted data to obtain decrypted data;
a returning unit, configured to return the decrypted data to the access terminal.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201910697348.3A CN111177736A (en) | 2019-07-30 | 2019-07-30 | System, method and device for data storage and access |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201910697348.3A CN111177736A (en) | 2019-07-30 | 2019-07-30 | System, method and device for data storage and access |
Publications (1)
Publication Number | Publication Date |
---|---|
CN111177736A true CN111177736A (en) | 2020-05-19 |
Family
ID=70657033
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201910697348.3A Pending CN111177736A (en) | 2019-07-30 | 2019-07-30 | System, method and device for data storage and access |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN111177736A (en) |
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN112148920A (en) * | 2020-08-11 | 2020-12-29 | 中标慧安信息技术股份有限公司 | Data management method |
CN114944940A (en) * | 2022-04-26 | 2022-08-26 | 国网山东省电力公司滨州供电公司 | Electronic file processing system and method for electrical test data |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN104598610A (en) * | 2015-01-29 | 2015-05-06 | 无锡江南计算技术研究所 | Step-by-step database data distribution uploading and synchronizing method |
CN104750740A (en) * | 2013-12-30 | 2015-07-01 | 北京新媒传信科技有限公司 | Data renewing method and device |
CN105630786A (en) * | 2014-10-27 | 2016-06-01 | 航天信息股份有限公司 | Car purchase tax electronic archive uploading, storing and querying system and method |
CN106161535A (en) * | 2015-04-10 | 2016-11-23 | 天津铂创国茂电子科技发展有限公司 | Water power gas meter data acquisition treatment method based on cloud node server and device |
CN106411884A (en) * | 2016-09-29 | 2017-02-15 | 郑州云海信息技术有限公司 | Method and device for data storage and encryption |
- 2019-07-30 CN CN201910697348.3A patent/CN111177736A/en active Pending
Patent Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN104750740A (en) * | 2013-12-30 | 2015-07-01 | 北京新媒传信科技有限公司 | Data renewing method and device |
CN105630786A (en) * | 2014-10-27 | 2016-06-01 | 航天信息股份有限公司 | Car purchase tax electronic archive uploading, storing and querying system and method |
CN104598610A (en) * | 2015-01-29 | 2015-05-06 | 无锡江南计算技术研究所 | Step-by-step database data distribution uploading and synchronizing method |
CN106161535A (en) * | 2015-04-10 | 2016-11-23 | 天津铂创国茂电子科技发展有限公司 | Water power gas meter data acquisition treatment method based on cloud node server and device |
CN106411884A (en) * | 2016-09-29 | 2017-02-15 | 郑州云海信息技术有限公司 | Method and device for data storage and encryption |
Cited By (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN112148920A (en) * | 2020-08-11 | 2020-12-29 | 中标慧安信息技术股份有限公司 | Data management method |
CN114944940A (en) * | 2022-04-26 | 2022-08-26 | 国网山东省电力公司滨州供电公司 | Electronic file processing system and method for electrical test data |
CN114944940B (en) * | 2022-04-26 | 2023-10-03 | 国网山东省电力公司滨州供电公司 | Electronic archive processing system and method for electrical test data |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US20230237132A1 (en) | System and Method for Memetic Authentication and Identification | |
CN104270338B (en) | Method and its system that a kind of electronic identity registration and certification are logged in | |
CN101427510B (en) | Digipass for the web-functional description | |
CN111277573B (en) | Resource locator with key | |
CN109274652B (en) | Identity information verification system, method and device and computer storage medium | |
US8539231B1 (en) | Encryption key management | |
US11675922B2 (en) | Secure storage of and access to files through a web application | |
JP4863777B2 (en) | Communication processing method and computer system | |
CN111177735B (en) | Identity authentication method, device, system and equipment and storage medium | |
CN111740966B (en) | Data processing method based on block chain network and related equipment | |
CN106936898B (en) | Cross-region file transmission method and system | |
CN102469080A (en) | Method for pass user to realize safety login application client and system thereof | |
CN110611657A (en) | File stream processing method, device and system based on block chain | |
US20110238994A1 (en) | Management of secret data items used for server authentication | |
CN106845986A (en) | The signature method and system of a kind of digital certificate | |
CN117993017B (en) | Data sharing system, method, device, computer equipment and storage medium | |
CN111177736A (en) | System, method and device for data storage and access | |
CN106357727A (en) | Method and system to upload files to multiple servers simultaneously | |
JP5678150B2 (en) | User terminal, key management system, and program | |
EP3900289B1 (en) | Method to monitor sensitive web embedded code authenticity | |
CN115694878A (en) | Data transmission method, equipment and storage medium | |
CN111698299B (en) | Session object replication method, device, distributed micro-service architecture and medium | |
CN112822020B (en) | Network request method, device, computer equipment and storage medium | |
KR20050112146A (en) | Method for safely keeping and delivering a certificate and private secret information by using the web-service | |
CN117997519A (en) | Data processing method, apparatus, program product, computer device, and medium |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||