CN111355710B - Data request method and device of network service - Google Patents


Publication number: CN111355710B
Authority: CN (China)
Prior art keywords: user; network; private network; data; sensitive data
Legal status: Active
Application number: CN202010103017.5A
Other languages: Chinese (zh)
Other versions: CN111355710A (en)
Inventor: 王聪
Current Assignee: Tencent Technology Shenzhen Co Ltd
Original Assignee: Tencent Technology Shenzhen Co Ltd
Priority: CN202010103017.5A


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227 Filtering policies
    • H04L63/0245 Filtering by information in the payload
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0407 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the identity of one or more communicating identities is hidden
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0815 Network architectures or network communication protocols for network security for authentication of entities providing single-sign-on or federations
    • H04L63/083 Network architectures or network communication protocols for network security for authentication of entities using passwords
    • H04L63/0876 Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/10 Protocols in which an application is distributed across nodes in the network
    • H04L67/1097 Protocols in which an application is distributed across nodes in the network for distributed storage of data in networks, e.g. transport arrangements for network file system [NFS], storage area networks [SAN] or network attached storage [NAS]

Abstract

The invention provides a data request method and device for a network service, an electronic device, and a computer-readable storage medium. The method comprises: initiating a login request to a private network of the network service, so as to log in to the private network using the identity information of the user of a client; acquiring, from the private network, the sensitive data involved in the user's use of the network service, together with a user index; acquiring, from a common network and according to the user index, the behavior data involved in the user's use of the network service; and integrating and presenting the sensitive data and the behavior data. The invention can meet the high-concurrency requirement and the security requirement of the network service at the same time.

Description

Data request method and device of network service
Technical Field
The present invention relates to the field of internet technologies, and in particular, to a method and an apparatus for requesting data of a network service, an electronic device, and a computer-readable storage medium.
Background
A network service is a service-oriented software module that runs in a network and is based on distributed programs. It adopts general internet standards such as the HyperText Transfer Protocol (HTTP) and the Extensible Markup Language (XML), a subset of the Standard Generalized Markup Language, so that a user can access data of various services (online booking, government affairs, medical treatment and the like) from different places through a client on a terminal device.
Implementing a network service inevitably involves the personal privacy of the user. To protect that privacy, the related art usually stores the data in a non-public storage environment or stores it directly in desensitized form. These schemes cannot meet the high-concurrency requirement and the security requirement of the network service at the same time.
Disclosure of Invention
Embodiments of the present invention provide a data request method and apparatus for a network service, an electronic device, and a computer-readable storage medium, which can simultaneously meet high concurrency requirements and security requirements of the network service.
The technical solution of the embodiments of the present invention is implemented as follows:
An embodiment of the present invention provides a data request method for a network service, comprising:
initiating a login request to a private network of a network service to login to the private network through identity information of a user of a client;
acquiring sensitive data and a user index which are involved in the process of using the network service by the user from the private network;
according to the user index, behavior data related to the user in the process of using the network service is obtained from a common network;
and integrating and presenting the sensitive data and the behavior data.
The embodiment of the invention provides a data request device of network service, which comprises:
a login request module, configured to initiate a login request to a private network of the network service, so as to log in to the private network using the identity information of the user of the client;
an obtaining module, configured to obtain, from the private network, sensitive data and a user index that are related to the user in the process of using the network service;
the obtaining module is further configured to obtain behavior data related to the user in the process of using the network service from a common network according to the user index;
and the integration and presentation module is used for integrating and presenting the sensitive data and the behavior data.
In the above scheme, the login request module is further configured to initiate a login request to the private network of the network service, where the login request carries the account and password used by the user of the client when registering for the network service, so as to log in to the private network with the account and password;
or to initiate a login request carrying real-name authentication information to the private network of the network service, so as to log in to the private network with the real-name authentication information.
In the above solution, the login request module is further configured to accept authentication of the private network for the user of the client;
when the identity authentication is passed, sending an acquisition request for acquiring the sensitive data and the user index to the private network;
and when the identity authentication fails, receiving authentication error information sent by the private network.
In the above scheme, the obtaining module is further configured to obtain, from multiple pieces of sensitive data pre-stored in the private network, target sensitive data matched with the identity information of the user at the client and a target user index corresponding to the target sensitive data.
In the foregoing solution, the obtaining module is further configured to obtain, according to the user index and within the validity period of the user index, behavior data related to the user in the process of using the network service from the common network.
In the foregoing solution, the obtaining module is further configured to match the user index obtained from the private network against multiple user indexes pre-stored in the common network, and to determine the behavior data associated with the matched user index as the behavior data related to the user in the process of using the network service.
An embodiment of the present invention provides an electronic device, including:
a memory for storing executable instructions;
and the processor is used for realizing the data request method of the network service provided by the embodiment of the invention when the executable instruction stored in the memory is executed.
An embodiment of the present invention provides a computer-readable storage medium, which stores executable instructions for causing a processor to implement a data request method of a network service provided by an embodiment of the present invention when executed.
The embodiment of the invention has the following beneficial effects:
Sensitive data and behavior data involved in a user's use of a network service are stored separately in two different networks. The sensitive data is stored in a private network, and the client accesses the private network to obtain it. The behavior data is stored in a common network and is associated with the user index returned by the private network. Sensitive data is thereby kept from flowing into the common network, while the behavior data, which has complex computation logic and a huge volume, is stored in the common network, whose computing capacity is elastic, so that the high-concurrency requirement and the security requirement of the network service are met at the same time.
Drawings
Fig. 1A is a schematic diagram of an alternative architecture of a network service system according to an embodiment of the present invention;
Fig. 1B is a schematic diagram of an alternative architecture of a network service system provided by an embodiment of the present invention;
Fig. 2 is an alternative structural diagram of a terminal according to an embodiment of the present invention;
Fig. 3 is an alternative flow chart of a data request method of a network service provided by an embodiment of the present invention;
Fig. 4 is a schematic diagram of an interface for sensitive data involved in a process of using Internet medical treatment provided by an embodiment of the present invention;
Fig. 5 is a schematic diagram of an interface for behavior data involved in using Internet medical services by a user according to an embodiment of the present invention;
Fig. 6 is a schematic diagram of another alternative architecture of a data request system for network services provided by an embodiment of the present invention;
Fig. 7 is an alternative flow chart of a data request method of a network service provided by an embodiment of the present invention;
Fig. 8 is a schematic diagram of constructing a bloom filter as provided by an embodiment of the present invention;
Fig. 9 is a schematic diagram of updating a bloom filter as provided by an embodiment of the present invention;
Fig. 10 is a schematic diagram of verifying an index account through a bloom filter according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention clearer, the present invention will be further described in detail with reference to the accompanying drawings, the described embodiments should not be construed as limiting the present invention, and all other embodiments obtained by a person of ordinary skill in the art without creative efforts shall fall within the protection scope of the present invention.
In the following description, reference is made to "some embodiments" which describe a subset of all possible embodiments, but it is understood that "some embodiments" may be the same subset or different subsets of all possible embodiments, and may be combined with each other without conflict.
Unless defined otherwise, all technical and scientific terms used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this invention belongs. The terminology used herein is for the purpose of describing embodiments of the invention only and is not intended to be limiting of the invention.
Before further detailed description of the embodiments of the present invention, terms and expressions mentioned in the embodiments of the present invention are explained, and the terms and expressions mentioned in the embodiments of the present invention are applied to the following explanations.
1) Network service: a service-oriented software module that runs in a network and is based on distributed programs. It adopts general internet standards such as the HyperText Transfer Protocol (HTTP) and the Extensible Markup Language (XML), a subset of the Standard Generalized Markup Language, and enables people to access data on the network (WEB) from different places through different terminal devices, for example to book tickets online and check the booking status. Network services are widely applied in fields such as e-commerce, e-government affairs and the electronization of company business processes, and are regarded by insiders as the next key point of the internet.
2) Sensitive data: data related to personal basic information, such as the user's name, identification number, mobile phone number, social security number and mailbox.
3) Behavior data: data involved in a user's use of a network service. For example, in the internet medical field, the user behavior data may be data such as the user's medical records, prescriptions, cases and examinations.
4) Blockchain: a storage structure for encrypted, chained transactions formed from blocks. For example, the header of each block may include the hash values of all transactions in the block and also the hash values of all transactions in the previous block, so that the transactions in the block are made tamper-resistant and forgery-resistant on the basis of the hash values; newly generated transactions, after being filled into blocks and passing the consensus of the nodes in the blockchain network, are appended to the end of the blockchain so that the chain grows.
5) Blockchain network: the set of nodes that incorporate new blocks into the blockchain by consensus.
6) Smart contract: also called chain code or application code, a program deployed in a node of the blockchain network; the node executes the smart contract called in a received transaction to update or query key-value data in the account database.
In implementing the embodiments of the present invention, the inventor found that the implementation of a network service inevitably involves the personal privacy of the user. To protect that privacy, the related art generally stores data in a non-public storage environment. For example, in e-government affairs, all data and computing resources are generally kept inside the government network, and the data is accessed and returned to the client through a front-end processor outside the network. However, because resources inside a government network are very limited, a large number of concurrent user requests cannot be supported, which seriously degrades the user experience.
In addition, the related art also provides a scheme for desensitized storage of sensitive data: for example, the data is replaced with asterisks and the original data is encrypted, and the full data set is then stored in a common network. When the sensitive data needs to be displayed in some application scenario, the original data is decrypted with a key and the decrypted data is transmitted to the client for display. On the one hand, since the key is usually not rotated, it is easy to leak, and once the key of the original data has leaked the full data set can be decrypted directly, which is very unsafe. On the other hand, if any intermediate link records the decrypted data while it is being transmitted, the sensitive data is leaked.
In view of the above, an embodiment of the present invention provides a data request method for a network service in which the sensitive data and the behavior data involved in a user's use of the network service are stored in two different networks. The sensitive data is stored in a private network of the network service, and the client accesses the private network to obtain it. The behavior data is stored in a common network whose computing resources can be elastically expanded, and is associated with the user index returned by the private network. The client can therefore initiate a login request to the private network of the network service, so as to log in to the private network using the identity information of the user at the client; acquire from the private network the sensitive data and the user index involved in the user's use of the network service; acquire from the common network, according to the user index, the behavior data involved in the user's use of the network service; and integrate and present the sensitive data and the behavior data.
In view of this, embodiments of the present invention provide a data request method and apparatus for a network service, an electronic device, and a computer-readable storage medium, which can simultaneously meet high concurrency requirements and security requirements of the network service.
An exemplary application of the data request device of the web service provided by the embodiment of the present invention is described below, and the data request device of the web service provided by the embodiment of the present invention may be implemented as various types of user terminals such as a notebook computer, a tablet computer, a desktop computer, a set-top box, a mobile device (e.g., a mobile phone, a portable music player, a personal digital assistant, a dedicated messaging device, a portable game device), and the like.
Taking a network service system that includes the data request device as an example, refer to fig. 1A, which is an optional architecture diagram of the network service system provided in the embodiment of the present invention. The network service system includes: a private network 100 of a network service, a common network 200 and a terminal 300. The network service may be any of various types of network service, such as electronic medical treatment, electronic government affairs or electronic commerce.
The data request method of the network service provided by the embodiment of the invention can be realized by the following process. First, the sensitive data sets involved in the use of the network service by a plurality of users are pre-stored in the private network 100 of the network service, with users and sensitive data sets in one-to-one correspondence (for example, user A corresponds to sensitive data 1, which includes the basic information of user A, and user B corresponds to sensitive data 2, which includes the basic information of user B), and a user index is generated for each sensitive data set (for example, user index 1, corresponding to user A, is generated for sensitive data 1, and user index 2, corresponding to user B, is generated for sensitive data 2). Then, the behavior data involved in the use of the network service by the plurality of users is pre-stored in the common network 200, and each piece of behavior data is associated with the user index of the corresponding user (for example, behavior data 1 of user A is associated with user index 1, and behavior data 2 of user B is associated with user index 2). Subsequently, when the terminal 300 sends a login request to the private network 100 of the network service, so as to log in to the private network 100 using the identity information of the user of the client, the private network 100 returns to the terminal 300 the target sensitive data matching the identity information of the user and the corresponding target user index.
Then, the terminal 300 may send a request to the common network 200 according to the target user index returned by the private network 100 of the network service, so that the common network 200 returns the target behavior data matching the target user index. Finally, the terminal 300 integrates the target sensitive data returned from the private network 100 of the network service and the target behavior data returned from the common network 200, and presents the integrated data to the user.
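The Fig. 1A flow described above, as an added Python example that is not part of the patent text. The class and function names, the PBKDF2 password check, the random index format and the 600-second validity period fixed at enrollment and enforced by the common network are all assumptions; the sample user data is constructed.

```python
import hashlib
import hmac
import secrets

INDEX_TTL = 600  # assumed validity period of a user index, in seconds


def _hash_pw(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class CommonNetwork:
    """Elastic side (hypothetical model): behavior data keyed only by an opaque index."""

    def __init__(self):
        self._by_index = {}

    def register_index(self, index, expires_at):
        # Pre-store the index so later requests can be matched against it.
        self._by_index[index] = {"expires_at": expires_at, "records": []}

    def add_behavior(self, index, record):
        self._by_index[index]["records"].append(record)

    def get_behavior(self, index, now):
        entry = self._by_index.get(index)  # match against pre-stored indexes
        if entry is None:
            raise LookupError("unknown user index")
        if now >= entry["expires_at"]:
            raise PermissionError("user index expired")
        return list(entry["records"])

    def dump(self):
        # Everything this network stores, for checking that no sensitive field is here.
        return repr(self._by_index)


class PrivateNetwork:
    """Restricted side (hypothetical model): credentials, sensitive data, index mapping."""

    def __init__(self, common):
        self._common = common
        self._users = {}

    def enroll(self, account, password, sensitive, now):
        salt = secrets.token_bytes(16)
        index = secrets.token_hex(16)  # random, so it reveals nothing about the user
        expires_at = now + INDEX_TTL
        self._users[account] = {"salt": salt, "pw": _hash_pw(password, salt),
                                "sensitive": dict(sensitive),
                                "index": index, "expires_at": expires_at}
        self._common.register_index(index, expires_at)
        return index

    def login(self, account, password):
        user = self._users.get(account)
        # Hash even for unknown accounts so both failure paths do the same work.
        salt = user["salt"] if user else b"\x00" * 16
        candidate = _hash_pw(password, salt)
        if user is None or not hmac.compare_digest(candidate, user["pw"]):
            raise PermissionError("authentication failed")
        return {"sensitive": dict(user["sensitive"]),
                "user_index": user["index"], "expires_at": user["expires_at"]}


def request_user_view(private, common, account, password, now):
    """Client side: log in, fetch by index, integrate the two replies."""
    try:
        reply = private.login(account, password)
    except PermissionError as exc:
        return {"error": str(exc)}  # authentication error information
    behavior = common.get_behavior(reply["user_index"], now)
    return {"sensitive": reply["sensitive"], "behavior": behavior}


def build_demo(now=1000.0):
    # Constructed sample data: one user, one behavior record.
    common = CommonNetwork()
    private = PrivateNetwork(common)
    index = private.enroll("user_a", "correct horse",
                           {"name": "User A", "id_number": "ID-0000-CONSTRUCTED"}, now)
    common.add_behavior(index, {"type": "prescription", "item": "constructed sample"})
    return private, common


if __name__ == "__main__":
    private, common = build_demo()
    print(request_user_view(private, common, "user_a", "correct horse", now=1100.0))
```

The common network in this model never receives the account, password or any sensitive field; the only link between the two stores is the index, which stops working once its validity period ends.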
In other embodiments, the data request method of the network service provided by the embodiment of the present invention may also be implemented in combination with a block chain technology.
Referring to fig. 1B, fig. 1B is a schematic diagram of another alternative architecture of a network service system according to an embodiment of the present invention. Wherein, the network service system includes: a terminal 300 and a blockchain network 400. Illustratively, the blockchain network 400 may include a node 500 (corresponding to the private network 100 of the network service in fig. 1A) and a node 600 (corresponding to the common network 200 in fig. 1A), and the node 500 and the node 600 may be formed by mapping some or all of the servers in the blockchain network 400.
The data request method of the network service provided by the embodiment of the invention can be realized by the following process. First, the sensitive data sets involved in the use of the network service by a plurality of users are pre-stored on a node 500 of the blockchain network 400, with users and sensitive data sets in one-to-one correspondence (for example, user A corresponds to sensitive data 1, which includes the basic information of user A, and user B corresponds to sensitive data 2, which includes the basic information of user B), and a user index is generated for each sensitive data set (for example, user index 1, corresponding to user A, is generated for sensitive data 1, and user index 2, corresponding to user B, is generated for sensitive data 2). Then, the behavior data involved in the use of the network service by the plurality of users is pre-stored on the node 600 of the blockchain network 400, and each piece of behavior data is associated with the user index of the corresponding user (for example, behavior data 1 of user A is associated with user index 1, and behavior data 2 of user B is associated with user index 2). Subsequently, when the terminal 300 sends a login request to the blockchain network 400, so as to log in to the blockchain network 400 using the identity information of the user at the client, the node 500 invokes a smart contract to verify the identity information of the user at the terminal 300 and, when the verification passes, returns the matched target sensitive data and the corresponding target user index to the terminal 300.
Then, the terminal 300 initiates a further request to the blockchain network 400 according to the returned target user index; the node 600 invokes a smart contract to verify the target user index carried in the request and, when the verification passes, returns the matched target behavior data to the terminal 300. Finally, the terminal 300 integrates the target sensitive data and the target behavior data and presents them to the user.
Referring to fig. 2, fig. 2 is a schematic structural diagram of a terminal 300 according to an embodiment of the present invention, where the terminal 300 shown in fig. 2 includes: at least one processor 310, memory 350, at least one network interface 320, and a user interface 330. The various components in terminal 300 are coupled together by a bus system 340. It will be appreciated that the bus system 340 is used to enable communications among the components connected. The bus system 340 includes a power bus, a control bus, and a status signal bus in addition to a data bus. For clarity of illustration, however, the various buses are labeled as bus system 340 in fig. 2.
The Processor 310 may be an integrated circuit chip having Signal processing capabilities, such as a general purpose Processor, a Digital Signal Processor (DSP), or other programmable logic device, discrete gate or transistor logic device, discrete hardware components, or the like, wherein the general purpose Processor may be a microprocessor or any conventional Processor, or the like.
The user interface 330 includes one or more output devices 331, including one or more speakers and/or one or more visual display screens, that enable presentation of media content. The user interface 330 also includes one or more input devices 332, including user interface components to facilitate user input, such as a keyboard, mouse, microphone, touch screen display, camera, other input buttons and controls.
The memory 350 may be removable, non-removable, or a combination thereof. Exemplary hardware devices include solid state memory, hard disk drives, optical disk drives, and the like. Memory 350 optionally includes one or more storage devices physically located remote from processor 310.
The memory 350 may include either volatile memory or nonvolatile memory, and may also include both volatile and nonvolatile memory. The nonvolatile memory may be a Read Only Memory (ROM), and the volatile memory may be a Random Access Memory (RAM). The memory 350 described in embodiments of the invention is intended to comprise any suitable type of memory.
In some embodiments, memory 350 is capable of storing data, examples of which include programs, modules, and data structures, or subsets or supersets thereof, as exemplified below, to support various operations.
An operating system 351 including system programs for processing various basic system services and performing hardware-related tasks, such as a framework layer, a core library layer, a driver layer, etc., for implementing various basic services and processing hardware-based tasks;
a network communication module 352 for communicating with other computing devices via one or more (wired or wireless) network interfaces 320, exemplary network interfaces 320 including: Bluetooth, Wireless Fidelity (WiFi), and Universal Serial Bus (USB), etc.;
a presentation module 353 for enabling presentation of information (e.g., a user interface for operating peripherals and displaying content and information) via one or more output devices 331 (e.g., a display screen, speakers, etc.) associated with the user interface 330;
an input processing module 354 for detecting one or more user inputs or interactions from one of the one or more input devices 332 and translating the detected inputs or interactions.
In some embodiments, the data request device of the network service provided by the embodiments of the present invention may be implemented in software, and fig. 2 shows the data request device 355 of the network service stored in the memory 350, which may be software in the form of programs and plug-ins, and includes the following software modules: a login request module 3551, an acquisition module 3552, and an integration and presentation module 3553, which are logical and thus may be arbitrarily combined or further split depending on the functionality implemented. The functions of the respective modules will be explained below.
In other embodiments, the data request device of the network service provided by the embodiments of the present invention may be implemented in hardware. For example, it may be a processor in the form of a hardware decoding processor that is programmed to execute the data request method of the network service provided by the embodiments of the present invention; such a processor may be implemented by one or more Application Specific Integrated Circuits (ASICs), DSPs, Programmable Logic Devices (PLDs), Complex Programmable Logic Devices (CPLDs), Field Programmable Gate Arrays (FPGAs), or other electronic components.
The following description takes as an example the case in which the private network 100 of the network service, the common network 200, and the terminal 300 in fig. 1A cooperate to implement the data request method of the network service provided by the embodiment of the present invention. Referring to fig. 3, fig. 3 is an alternative flowchart of a data request method for a network service according to an embodiment of the present invention. The method is described with reference to the steps shown in fig. 3, taking as an example a client for the network service that runs in the terminal 300 shown in fig. 1A.
In step S301, the client initiates a login request to a private network of the network service to log in the private network through identity information of a user of the client.
With the gradual advance of Internet+, network services are widely applied in many application fields such as e-commerce, e-medical treatment and e-government. A private network of a network service refers to a network that provides the network service and stores the sensitive data involved when users use the network service.
For example, for internet medical treatment, the corresponding private network may be an intranet of a medical institution and store sensitive data that is involved in the use of internet medical treatment by the user. When a user needs to acquire sensitive data involved in the process of using internet medical treatment, a login request can be initiated to the internal network of the medical unit providing internet medical treatment, so that the user can log in the internal network of the medical unit through the identity information of the user at the client.
For example, for internet government, the corresponding private network may be a government intranet and store sensitive data that users are involved in using internet government. When a user needs to obtain sensitive data involved in using internet government affairs, a login request may be initiated to a government internal network providing internet government affairs to log in to the government internal network through identity information of the user of the client.
For example, for internet commerce, the corresponding private network may be a banking system intranet and store sensitive data that users are involved in using internet commerce. When a user needs to acquire sensitive data involved in using internet commerce, a login request can be initiated to the internal network of the bank system providing the internet commerce so as to log in the internal network of the bank system through the identity information of the user at the client.
It should be noted that the data request method of the network service provided by the embodiment of the present invention is applicable to any government departments or enterprises that need to store user sensitive data.
In some embodiments, the client initiates a login request to a private network of the network service to log in to the private network through identity information of a user of the client, which may be implemented by: the client initiates a login request carrying an account and a password used by a user of the client when registering the network service to a private network of the network service so as to log in the private network through the account and the password.
For example, when a user wants to use a network service, the user first needs to fill in the relevant information on a registration page, and the private network of the network service stores the user's registration information in a database. When the user subsequently logs in to the private network, the user enters the account and password used at registration in the user operation interface of the client, and the entered account and password are sent to the private network in encrypted form (for example, transmitted using Hypertext Transfer Protocol over Secure Socket Layer (HTTPS)). A login server of the private network then queries the registration information stored in the database in advance and compares it with the account and password entered by the user in order to verify them.
In other embodiments, the client initiates a login request to a private network of the network service to log in the private network through identity information of a user of the client, which may also be implemented as follows: the client initiates a login request carrying the real-name authentication information to a private network of the network service so as to log in the private network through the real-name authentication information.
For example, when a user wants to use a network service, the user is first authenticated by real name. Real-name authentication is a verification of the authenticity of user resources and helps establish a sound and reliable internet credit basis. Real-name authentication generally comprises two authentication modes: bank card authentication and identity card authentication. When the user subsequently logs in to the private network, the user enters real-name authentication information in the user operation interface of the client so as to log in to the private network through the real-name authentication information.
When sensitive data is requested from the private network of the network service in the embodiment of the present invention, the user of the client must first log in and be authenticated through the user's identity information, so that the user's sensitive data is prevented from being illegally acquired by others and the security of the user's sensitive data is ensured.
In step S302, the private network of the network service verifies the identity of the user of the client, and when the identity verification passes, step S303 is executed; and when the authentication fails, returning an error prompt message to the client.
In some embodiments, to further ensure the security of the user's sensitive data, the identity of the user of the client may be verified after the client logs into the private network and before the sensitive data and user index are obtained.
For example, after the user logs in to the private network, a list of questions preset by the user, such as "your favorite color", "the thing you find most unforgettable", "your favorite star", etc., is presented in the user's operation interface. These questions concern the user's subjective interests and cannot easily be known by others, so when the user answers correctly, the user's identity verification passes; when the user answers incorrectly, the identity verification fails and an error prompt message is returned to the client. Therefore, even if the user's account and password are leaked, the user's sensitive data cannot be acquired if the identity verification does not pass.
The embodiment of the invention verifies the identity of the user of the client after the client logs in the private network of the network service and before the sensitive data and the user index are acquired, so as to further ensure the safety of the sensitive data of the user.
In step S303, the private network of the network service returns to the client the sensitive data and the user index that the user involved in using the network service.
In some embodiments, before step S303 is performed, the following preliminary steps may also be included: multiple pieces of sensitive data involved when multiple users use the network service are stored in advance in the private network of the network service, and multiple user indexes in one-to-one correspondence with the multiple pieces of sensitive data are generated. Acquiring the sensitive data and the user index involved when the user uses the network service from the private network of the network service may then be implemented as follows: target sensitive data matching the identity information of the user, and the corresponding target user index, are acquired from the multiple pieces of sensitive data pre-stored in the private network of the network service.
It should be noted that there is a one-to-one correspondence between a plurality of users pre-stored in the private network of the network service and a plurality of pieces of sensitive data. For example, user a, user B, and user C use a web service and generate sensitive data 1, sensitive data 2, and sensitive data 3. The sensitive data 1 is basic information (such as a name, an identity card number, a mobile phone number and the like of the user A) of the user A, which is filled by the user A when the user A uses the network service, the sensitive data 2 is basic information (such as a name, an identity card number, a mailbox and the like of the user B) of the user B, which is filled by the user B when the user B uses the network service, and the sensitive data 3 is basic information (such as a name, an identity card number, a birth date and the like of the user C) of the user C, which is filled by the user C when the user C uses the network service, so that the user A and the sensitive data 1 can be corresponded, and a user index 1 corresponding to the user A is generated; the user B corresponds to the sensitive data 2, and a user index 2 corresponding to the user B is generated; and the user C corresponds to the sensitive data 3, and a user index 3 corresponding to the user C is generated.
In other embodiments, generating multiple user indexes in one-to-one correspondence with the multiple pieces of sensitive data may be implemented as follows: for any piece of sensitive data among the multiple pieces, a corresponding Universally Unique Identifier (UUID) is generated, and the generated universally unique identifier is used as the corresponding user index.
The universally unique identifier consists of 32 hexadecimal digits, so the theoretical total number is 16 to the 32nd power. Its 16 octets are expressed as 32 hexadecimal digits displayed in five groups separated by hyphens in the form 8-4-4-4-12, for a total of 36 characters (that is, 32 letters or digits and 4 hyphens), for example: 123e4567-e89b-12d3-a456-426655440001. The purpose of the universally unique identifier is to give every element in a distributed system unique identification information. Account duplication between different users can therefore be avoided, and because the number of possible values is so large, other people's data can be prevented from being acquired by traversal.
For example, assume that the sensitive data involved when user A uses the network service includes "name: Zhang San; mobile phone number: 188xxxxxxxxxx; date of birth: 2001.1.3"; the corresponding universally unique identifier "123e4567-e89b-12d3-a456-426655440000" is then generated for user A.
For example, assume that the sensitive data involved when user B uses the network service includes "name: Li Si; mobile phone number: 177XXXXXXX; date of birth: 1998.12.1"; the corresponding universally unique identifier "321e4567-e84B-12d3-a796-42665543111" is then generated for user B.
The embodiment of the present invention stores, in advance in the private network of the network service, multiple pieces of sensitive data involved when multiple users use the network service, and generates multiple user indexes (such as universally unique identifiers) in one-to-one correspondence with the multiple pieces of sensitive data, so that account collisions between different users are avoided and other people's behavior data is also prevented from being acquired by traversal.
In step S304, the client initiates a request to the shared network according to the user index acquired from the private network of the network service.
In some embodiments, after the client obtains the user index from the private network of the network service, the client locally caches the obtained user index, and sends a request to the common network according to the user index within the validity period.
For example, after acquiring the universally unique identifier from the private network of the network service, the client locally caches the acquired universally unique identifier, and sends a request to a shared network (e.g., a cloud computing network) according to the acquired universally unique identifier within a valid period (e.g., 1 day).
Cloud computing is a type of distributed computing in which a huge data processing program is decomposed over a network into countless small programs, which are processed and analyzed by a system consisting of multiple servers, and the results are returned to the user. The core of cloud computing is to take the internet as the center and provide users with fast and secure cloud computing services and data storage; it can coordinate many computing resources together and is highly scalable.
According to the embodiment of the invention, the behavior data with complex computation logic and huge data volume is stored in the cloud computing network with elastically expandable computation resources and storage capacity, so that the high concurrency requirement of network service is realized.
In step S305, the shared network verifies the user index carried in the request initiated by the client, and when the user index passes verification, step S306 is executed; and when the user index verification fails, returning an error prompt message to the client.
In some embodiments, the verification of the user index carried in the request sent by the client by the common network may be implemented by: verifying a user index carried in a request sent by a client through a pre-constructed bloom filter; when the user index passes the verification, returning the matched user behavior data to the client; and when the user index verification fails, sending an error prompt message to the client.
A bloom filter is a probabilistic data structure that supports efficient insertion and querying and can determine that "something definitely does not exist or may exist". A bloom filter is essentially a bit vector or bit array, with every position set to "0" in the initialization phase. When a value needs to be mapped into the bloom filter, multiple different hash functions are used to generate multiple hash values, and the position pointed to by each generated hash value is set to "1". For example, if 3 different hash functions applied to a certain universally unique identifier "123e4567-e89b-12d3-a456-426655440000" generate the hash values 1, 4 and 7 respectively, the 1st, 4th and 7th positions of the bit array are set to "1". By analogy, once the universally unique identifiers corresponding to all users have been hashed and mapped into the bit array, the bloom filter is constructed. When it needs to be verified whether the universally unique identifier carried in a request sent by the client exists, the identifier is first hashed by the multiple different hash functions to obtain multiple hash values, and these hash values are compared with the constructed bloom filter. When all the hash values have a corresponding mapping (that is, the positions corresponding to all the hash values are "1"), the universally unique identifier carried in the request sent by the client is determined to be valid. When this condition is not met (that is, the position corresponding to some hash value is "0"), the universally unique identifier carried in the request sent by the client is determined to be invalid, an error prompt message is returned to the client, and access requests from the client are prohibited for a certain length of time.
In step S306, the shared network returns behavior data, which is involved in the use of the network service by the user, to the client.
In some embodiments, before performing step S305, the following preamble steps may be further included: the method includes the steps that a plurality of pieces of behavior data related to a plurality of users in the process of using network services are stored in a shared network in advance, the plurality of pieces of behavior data are associated with user indexes of corresponding users, and then a client acquires the behavior data related to the users in the process of using the network services from the shared network, and the method can be realized in the following mode: matching the user index acquired from the private network with the multiple user indexes, determining behavior data associated with the matched user index as behavior data related to the user in the process of using the network service, and returning the determined behavior data to the client.
For example, multiple pieces of behavior data related to a plurality of users in a process of using a network service are stored in a common network (e.g., a cloud computing network) in advance, and the multiple pieces of behavior data are associated with the universal unique identification code of the corresponding user, so that when the behavior data of the user needs to be acquired subsequently, the matched user behavior data can be found in the database according to the universal unique identification code.
For example, assuming that the behavior data involved when user A uses internet medical treatment is "diagnosed with a cold at southern mountain hospital on 11/9/2019", the behavior data is associated with the universally unique identifier "141c8eb7-a794-44d1-8794-bc32484d710f" corresponding to user A; and assuming that the behavior data involved when user B uses internet medical treatment is "diagnosed with diarrhea in Hospital on 11/9/2019", the behavior data is associated with the universally unique identifier "576e0d7a-B80a-4abf-aa5c-0818e390f18c" corresponding to user B.
In step S307, the client integrates and presents the sensitive data acquired from the private network of the network service and the behavior data acquired from the common network.
After the client acquires the sensitive data from the private network of the network service and acquires the behavior data from the common network, the client integrates and presents the acquired sensitive data and behavior data, for example, integrates the name of the user and the corresponding visit record for the user to view.
Continuing with the exemplary structure of the implementation of the data request device 355 of the network service provided by the embodiment of the present invention as a software module, in some embodiments, as shown in fig. 2, the software module stored in the data request device 355 of the network service of the memory 350 may include: a login request module 3551, an acquisition module 3552, and an integration and presentation module 3553.
A login request module 3551, configured to initiate a login request to a private network of a network service, so as to log in the private network through identity information of a user of a client; an obtaining module 3552, configured to obtain, from the private network, the sensitive data and the user index involved in the process of using the network service by the user; an obtaining module 3552, configured to obtain behavior data, which is related to the user in using the network service, from the common network according to the user index; an integration and presentation module 3553 for integrating and presenting the sensitive data with the behavioral data.
In some embodiments, the login request module 3551 is further configured to initiate a login request to a private network of a network service, where the login request carries an account and a password used by a user of the client when registering the network service, so as to log in the private network through the account and the password; or, the method is used for initiating a login request carrying real-name authentication information to a private network of the network service so as to log in the private network through the real-name authentication information.
In some embodiments, the login request module 3551 is further configured to accept authentication of the private network for the user of the client; when the identity authentication is passed, sending an acquisition request for acquiring the sensitive data and the user index to the private network; and when the identity authentication fails, receiving authentication error information sent by the private network.
In some embodiments, the obtaining module 3552 is further configured to obtain, from multiple pieces of sensitive data pre-stored in the private network, target sensitive data that matches the identity information of the user of the client and a target user index corresponding to the target sensitive data.
In some embodiments, the obtaining module 3552 is further configured to obtain behavior data related to the user in using the network service from the shared network according to the user index during the validity period of the user index.
In some embodiments, the obtaining module 3552 is further configured to match the user index obtained from the private network with multiple user indexes stored in the shared network in advance, and determine behavior data associated with the matched user index as behavior data involved in the process of using the network service by the user.
It should be noted that the description of the apparatus according to the embodiment of the present invention is similar to the description of the method embodiment, and has similar beneficial effects to the method embodiment, and therefore, the description is omitted. The technical details of the data request device of the network service provided by the embodiment of the invention, which are not exhausted, can be understood according to the description of any one of the figures 3 and 6-7.
In the following, an exemplary application of the embodiments of the present invention in a practical application scenario will be described.
In some medical and government scenarios, sensitive data related to a user's personal privacy needs to be displayed on a client. In the related art, either all data and computing resources are stored in the government's network, and the data is accessed from outside through a front-end processor and returned to the client; or the sensitive data is desensitized, for example by replacing it with asterisks, the original data is stored encrypted, the full data set is stored in a cloud computing network, and when the sensitive data needs to be displayed, the original data is decrypted with a key and transmitted to the client for display.
However, for the scheme of storing all data in the government's internal network, the resources of that network are very limited compared with those of a cloud computing network, so a large number of concurrent user requests cannot be supported and the user experience of the service is seriously affected. For the scheme of desensitized storage of sensitive data, the key is usually not replaced, so the key of the original data is easily leaked, and once the key is leaked the full data set can be decrypted directly, which is very insecure. In addition, when the decrypted data is transmitted through the cloud computing network, sensitive data can be leaked if it is recorded at any intermediate link.
The embodiment of the present invention provides a data request method for a network service in which sensitive data and behavior data (that is, non-sensitive data) are stored separately in two different networks. The sensitive data is stored in the government's private network and can only be pulled by the client using a key; the user behavior data is stored in a cloud computing network whose storage and computing resources can be elastically expanded, and the business logic services are also deployed on the cloud computing network. Thus, even if the sensitive data stored in the government's private network is leaked, only the user's basic information (such as the user's identity card number and mobile phone number) can be seen, and the user's actual behavior data remains unknown; and if the user behavior data stored in the cloud computing network is leaked, it cannot be associated with specific users. This allows more government departments, enterprises and public institutions to deploy services and data to the cloud computing network with confidence.
Referring to fig. 4, fig. 4 is a schematic diagram of an interface of sensitive data involved in a process of using internet medical treatment by a user according to an embodiment of the present invention. The sensitive data shown in fig. 4 includes information of name, sex, date of birth, etc. of the user, and is obtained by the client from the private network of internet medical treatment through the key.
Referring to fig. 5, fig. 5 is a schematic interface diagram of behavior data involved in a process of using internet medical treatment by a user according to an embodiment of the present invention. The behavior data shown in fig. 5 includes information such as the type and time of vaccination of the user, and is obtained from the cloud computing network by the index ID returned by the client through the private network.
Referring to fig. 6, fig. 6 is a schematic diagram of another alternative architecture of a data request system of a network service provided by an embodiment of the present invention, and the data request system is composed of a private network for government enterprises, a cloud computing network, and a client. The respective functions of these three modules are specifically described below:
Private network for government enterprises: stores the sensitive data, generates the correspondence between the sensitive data and the index ID, and authenticates the client's access requests.
Cloud computing network: stores the user's behavior data and performs the computation required by the various business logics according to application requirements.
Client: calls an interface of the private network for government enterprises to obtain the sensitive data and the index ID, caches the index ID locally (for example, for 1 day), and, within the validity period, uses the index ID to send call requests for reading and writing the user's behavior data to the cloud computing network.
Referring to fig. 7, fig. 7 is an alternative flowchart of a data request method for a network service according to an embodiment of the present invention, which will be described with reference to the steps shown in fig. 7.
In step S701, the client initiates a login request to an index lookup server of a private network of a government enterprise, and uses HTTPS to ensure that the identity of a calling target server is reliable, where the login request uses an account and a password to log in, or uses real-name authentication information to log in.
In step S702, the index query server of the private network of the government enterprise first verifies the identity information of the user of the client and, after the verification passes, queries the index ID corresponding to the user's behavior data and determines whether to query the sensitive data according to the user's access parameters.
In step S703, the private network returns the index ID to the client, and returns sensitive data as needed.
In step S704, the client locally caches the index ID returned by the private network of the government enterprise, generally for 1 day, and uses the index ID to access the cloud computing network within the validity period.
In step S705, the client accesses the cloud computing network using the index ID to read and write specific user behavior data.
In step S706, the cloud computing network first uses the bloom filter to determine whether the index ID sent by the client exists, and if not, then step S707 is executed; if yes, go to step S708.
In step S707, the cloud computing network returns error information to the client, and prohibits all accesses of the IP within a certain time period (e.g., 1 hour).
In step S708, the cloud computing network queries the database for matching behavior data according to the index ID or writes the user behavior data into the database.
In step S709, the cloud computing network returns the queried user behavior data to the client.
In steps S710 and S711, it is only necessary to access an interface of the cloud computing network, and steps S705 to S709 are repeated.
The following description is made specifically for an index query server deployed in a private network of an enterprise.
1) The new user firstly needs to register the relevant information in the registration page, and the background stores the registration information of the user.
2) When the client logs in by using the account password, the index query server firstly compares the information input by the user with the pre-stored registration information in the database, and if the two are inconsistent, the authentication of the user is failed, and an error prompt message is returned to the client.
3) If the two are consistent, the user's authentication passes; the index ID is returned to the client, and whether the sensitive data needs to be returned at the same time is determined according to the user's access parameter (sensitive = 1 indicates that the sensitive data and the index ID need to be returned together, and sensitive = 0 indicates that the sensitive data does not need to be returned).
Request parameter sensitive = 0:
{
  "index_ID": "141c8eb7-a794-44d1-8794-bc32484d710f" (index ID)
}
Request parameter sensitive = 1:
{
  "index_ID": "141c8eb7-a794-44d1-8794-bc32484d710f" (index ID),
  "sensitive_data": { (sensitive data)
    "name": "Zhang San" (name),
    "idCard": "343XXXXXXXXXXXXX212" (identification number),
    "age": 27 (age)
  }
}
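The split between the index query server, the cached index ID and the cloud store described in steps S701 to S709 can be exercised end to end. The following is an added example, not code from the patent: the class names, the salted PBKDF2 credential check, the in-memory dictionaries and the `sensitive`, `index_ID` and `sensitive_data` names (this example's reading of the response listing above) are all assumptions.

```python
import hashlib
import hmac
import os
import time
import uuid

DAY_SECONDS = 24 * 60 * 60  # validity period of a cached index ID (the page's 1-day example)


class IndexQueryServer:
    """Private-network side: sensitive data plus the account -> index ID mapping."""

    def __init__(self):
        self._users = {}

    @staticmethod
    def _hash(password, salt):
        # Assumption: salted PBKDF2 stands in for the service's credential storage.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register(self, account, password, sensitive_data):
        salt = os.urandom(16)
        index_id = str(uuid.uuid4())  # random UUID serves as the user index
        self._users[account] = {"salt": salt, "pw_hash": self._hash(password, salt),
                                "index_id": index_id, "sensitive_data": dict(sensitive_data)}
        return index_id

    def query(self, account, password, sensitive=0):
        user = self._users.get(account)
        # Hash even for unknown accounts so both failure paths do the same work.
        candidate = self._hash(password, user["salt"] if user else b"\x00" * 16)
        if user is None or not hmac.compare_digest(candidate, user["pw_hash"]):
            return {"error": "authentication failed"}
        response = {"index_ID": user["index_id"]}
        if sensitive == 1:  # sensitive data leaves the private network only on request
            response["sensitive_data"] = dict(user["sensitive_data"])
        return response


class CloudBehaviorStore:
    """Cloud side: behavior records keyed by index ID only, never by identity."""

    def __init__(self):
        self._records = {}

    def write(self, index_id, record):
        self._records.setdefault(index_id, []).append(record)

    def read(self, index_id):
        return list(self._records.get(index_id, []))

    def dump(self):
        return repr(self._records)  # what a leak of this store would expose


class Client:
    def __init__(self, private_net, cloud, clock=time.time):
        self._private, self._cloud, self._clock = private_net, cloud, clock
        self._index_id, self._cached_at = None, 0.0
        self.private_calls = 0  # how often the private network had to be contacted

    def _ask_private(self, account, password, sensitive):
        self.private_calls += 1
        reply = self._private.query(account, password, sensitive)
        if "error" in reply:
            raise PermissionError(reply["error"])
        self._index_id, self._cached_at = reply["index_ID"], self._clock()
        return reply

    def behavior(self, account, password):
        """Steps S704-S709: reuse the cached index ID while it is still valid."""
        expired = self._clock() - self._cached_at >= DAY_SECONDS
        if self._index_id is None or expired:
            self._ask_private(account, password, sensitive=0)
        return self._cloud.read(self._index_id)

    def profile_view(self, account, password):
        """Step S307: merge sensitive data (private network) with behavior data (cloud)."""
        reply = self._ask_private(account, password, sensitive=1)
        return {**reply["sensitive_data"], "behavior": self._cloud.read(reply["index_ID"])}
```

A dump of `CloudBehaviorStore` contains only index IDs and records, which is the property the scheme relies on when the cloud side leaks.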
The following is a detailed description of the process by which a client requests sensitive data from a private network of a government enterprise.
1) The user enters an account and a password in the user operation interface of the client. When the request is sent, the data is transmitted to the login server in encrypted form using the HTTPS protocol.
2) The client acquires a token (temporary token) returned by the login server, the token is used within the valid period, and when the token expires, the client needs to make a request to the login server again.
3) When a client requests sensitive data from a private network of a government enterprise, a token is carried in a request protocol.
The following describes the data generation process in detail.
1) In the initialization phase, sensitive data and part of the behavior data are stored in the private network of the government enterprise.
2) When no user behavior data exists in the private network of the government enterprise, the user ID and the corresponding behavior data index ID are generated directly. The index ID can be generated as a Universally Unique Identifier (UUID), which on the one hand avoids ID collisions between different users and on the other hand prevents behavior data from being obtained by traversing IDs.
3) When part of the behavior data is stored in the private network of the government enterprise, the generated UUID needs to be added to that behavior data, and that part of the behavior data is migrated to the cloud computing network.
It should be noted that, in the embodiment of the present invention, when acquiring the sensitive data, login authentication needs to be performed first, so as to prevent the sensitive data from being illegally acquired by others.
The following is a detailed description of a process of acquiring behavior data from a cloud computing network by a client.
1) The behavior data is read and written through the index ID, and the index ID is generated as a UUID. A UUID is a 128-bit value, so there are at most 2 to the 128th power possible values. Therefore, a user can hardly acquire other people's behavior data by traversal starting from the user's own UUID.
2) To further prevent other people's behavior data from being acquired by traversal, the embodiment of the present invention also uses a bloom filter to efficiently determine whether the index ID carried in an access request exists. If it does not exist, this indicates that someone is calling the interface directly, and all access requests from that IP are then prohibited for a certain period of time.
Referring to fig. 8, fig. 8 is a schematic diagram of constructing a bloom filter according to an embodiment of the present invention. As shown in fig. 8, an index ID set composed of a plurality of user index IDs is synchronized in advance in a bloom filter, and when an access request sent by a client is received, the index ID carried in the access request is verified by using the constructed bloom filter.
In some embodiments, when the index IDs of the users change, for example when index IDs are added or removed, the changes need to be synchronized to the bloom filter in real time to update it. Referring to fig. 9, fig. 9 is a schematic diagram of updating a bloom filter according to an embodiment of the present invention. As shown in fig. 9, during the initialization phase, the bloom filter is a bit array in which every bit is zero. Then, each user index ID is hashed by multiple hash functions and taken modulo, and the bit at the resulting position of the bit array is set to 1 (for example, when the calculated value is 4, the 4th position of the bit array is set to 1). When all the user index IDs have been processed by the same algorithm, construction of the bloom filter is complete.
Referring to fig. 10, fig. 10 is a schematic diagram of verifying an index account through a bloom filter according to an embodiment of the present invention. As shown in fig. 10, when a client requests behavior data from the cloud computing network, the index ID carried in the request is first processed by the plurality of hash functions. When the calculated positions are all "1" in the previously constructed bit array, the bloom filter is hit, which indicates that the index ID exists; the request is passed, and the matched behavior data is returned to the client. When any calculated position is "0" in the previously constructed bit array, i.e. the bloom filter is not hit, the index ID does not exist, and all access requests from that IP are prohibited for a certain period of time.
It should be noted that a bloom filter has an error rate: it can determine with certainty that an index ID does not exist, but it cannot determine with 100% certainty that an index ID exists (under a normal parameter configuration, the misjudgment rate can be reduced to 1%). Therefore, when the bloom filter determines that the index ID exists, the request is passed on; but when the index ID is then not found in the actual database, the request is considered illegal access, and all access requests from that IP are prohibited for a certain period of time.
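The index ID check described above, written out as an added Python example (not code from the patent): a bloom filter screens the index ID, the database lookup catches filter hits that have no record, and either failure bans the requesting IP for a period. The salted SHA-256 hash functions, the class and method names, the filter size and the 600-second ban are assumptions made for illustration.

```python
import hashlib


class BloomFilter:
    """Bit array of m bits probed by k hash functions (hash, then modulo)."""

    def __init__(self, m_bits, k):
        self.m, self.k = m_bits, k
        self.bits = bytearray((m_bits + 7) // 8)  # initialization: every bit is zero

    def _addresses(self, index_id):
        # Assumption: the k hash functions are SHA-256 salted with the function number.
        for i in range(self.k):
            digest = hashlib.sha256(bytes([i]) + index_id.encode()).digest()
            yield int.from_bytes(digest[:8], "big") % self.m

    def add(self, index_id):
        for a in self._addresses(index_id):
            self.bits[a >> 3] |= 1 << (a & 7)

    def might_contain(self, index_id):
        return all(self.bits[a >> 3] & (1 << (a & 7)) for a in self._addresses(index_id))


class BehaviorGateway:
    """Hypothetical front end of the behavior-data store in the cloud computing network."""

    def __init__(self, store, m_bits=1 << 16, k=7, ban_seconds=600):
        self.store = dict(store)        # index ID -> behavior data (stand-in database)
        self.bloom = BloomFilter(m_bits, k)
        for index_id in self.store:     # synchronize the index ID set in advance
            self.bloom.add(index_id)
        self.ban_seconds = ban_seconds
        self.banned_until = {}          # IP -> time at which the ban ends

    def add_user(self, index_id, data):
        self.store[index_id] = data
        self.bloom.add(index_id)        # keep the filter in step with new index IDs

    def remove_user(self, index_id):
        # A plain bloom filter cannot clear bits, so a removed ID keeps hitting
        # the filter until it is rebuilt; the database check in handle() catches it.
        self.store.pop(index_id, None)

    def _ban(self, ip, now, verdict):
        self.banned_until[ip] = now + self.ban_seconds
        return verdict, None

    def handle(self, ip, index_id, now):
        if self.banned_until.get(ip, 0) > now:
            return "banned", None
        if not self.bloom.might_contain(index_id):  # definite miss: ID was never issued
            return self._ban(ip, now, "rejected_bloom")
        data = self.store.get(index_id)
        if data is None:                            # filter hit, but no such record
            return self._ban(ip, now, "rejected_db")
        return "ok", data


# Index IDs and behavior data as quoted on the page (spacing in the second ID
# normalized); the constant names are hypothetical.
ZHANG = "141c8eb7-a794-44d1-8794-bc32484d710f"
LI = "576e0d7a-b80a-4abf-aa5c-0818e390f18c"
SAMPLE_STORE = {
    ZHANG: "cold diagnosed in southern mountain hospital on 11/9/2019",
    LI: "diagnosed as diarrhea in northern general Hospital on 11/9/2019",
}
```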
Table 1 is a sensitive data table composed of sensitive data of a plurality of users according to an embodiment of the present invention. As shown in Table 1, index IDs are generated in one-to-one correspondence with the sensitive data of different users; for example, the index ID corresponding to user "Zhang San" is "141c8eb7-a794-44d1-8794-bc32484d710f", and the index ID corresponding to user "Li Si" is "576e0d7a-b80a-4abf-aa5c-0818e390f18c".
TABLE 1 (image not reproduced)
Table 2 is a behavior data table composed of behavior data of a plurality of users according to the embodiment of the present invention. As shown in Table 2, the behavior data of different users are in one-to-one correspondence with the index IDs of the corresponding users; for example, the behavior data "cold diagnosed in southern mountain hospital on 11/9/2019" corresponds to the index ID "141c8eb7-a794-44d1-8794-bc32484d710f" of user "Zhang San", and the behavior data "diagnosed as diarrhea in northern general Hospital on 11/9/2019" corresponds to the index ID "576e0d7a-b80a-4abf-aa5c-0818e390f18c" of user "Li Si".
TABLE 2 (image not reproduced)
The data request method of the network service provided by the embodiment of the invention has the following beneficial effects:
1) Sensitive data and behavior data related to a user in the process of using the network service are stored in two different networks, so that a leak of the data of either network alone does not have a serious impact.
2) The behavior data and all services related to a large amount of logic calculation are stored in the cloud computing network, and the cloud computing network has strong computing elasticity, so that the concurrency of user access is increased, and the user experience is improved.
3) More government and enterprise entities may be empowered to deposit data and services in a cloud computing network.
It should be noted that, the above embodiments of the present invention are only described by taking vaccination in internet medical care as an example, and actually, the data request method of the network service provided by the embodiments of the present invention may also be applied to other services, even other fields, such as e-commerce field, e-government field, and the like. In addition, the private network of the government enterprise mentioned in the above embodiment of the present invention may also include any network of enterprises and public institutions that need to store sensitive data.
Embodiments of the present invention provide a computer-readable storage medium storing executable instructions, which when executed by a processor, will cause the processor to perform a method provided by embodiments of the present invention, for example, a data request method of a network service as shown in fig. 3 or 7.
In some embodiments, the storage medium may be a memory such as FRAM, ROM, PROM, EPROM, EEPROM, flash, magnetic surface memory, optical disk, or CD-ROM; or may be various devices including one or any combination of the above memories.
In some embodiments, executable instructions may be written in any form of programming language (including compiled or interpreted languages), in the form of programs, software modules, scripts or code, and may be deployed in any form, including as a stand-alone program or as a module, component, subroutine, or other unit suitable for use in a computing environment.
By way of example, executable instructions may correspond, but do not necessarily have to correspond, to files in a file system, and may be stored in a portion of a file that holds other programs or data, e.g., in one or more scripts in a Hypertext Markup Language (HTML) document, in a single file dedicated to the program in question, or in multiple coordinated files (e.g., files that store one or more modules, sub-programs, or portions of code).
By way of example, executable instructions may be deployed to be executed on one computing device or on multiple computing devices at one site or distributed across multiple sites and interconnected by a communication network.
In summary, the embodiment of the invention has the following beneficial effects:
Sensitive data and behavior data related to a user's use of the network service are stored in two different networks. The sensitive data is stored in a private network of the network service, and only a client can pull the sensitive data through a secret key; the behavior data is stored in a shared network with elastically expandable storage and computing resources. As a result, when sensitive data stored in the private network is leaked, only basic information of a user can be seen, and the actual behavior data of the user cannot be obtained; when the behavior data stored in the shared network is leaked, the behavior data cannot be associated with specific users. The high concurrency requirement and the security requirement of the network service are thus met at the same time.
The above description is only an example of the present invention, and is not intended to limit the scope of the present invention. Any modification, equivalent replacement, and improvement made within the spirit and scope of the present invention are included in the protection scope of the present invention.

Claims (11)

1. A method for requesting data for a network service, the method comprising:
initiating a login request to a private network of a network service to login to the private network through identity information of a user of a client;
sensitive data related to the user in the process of using the network service and a user index corresponding to the sensitive data are obtained from the private network;
storing behavior data related to a plurality of users in the process of using the network service in a shared network in advance, and associating the behavior data with a user index of a corresponding user;
in the effective period of the user index, matching the user index acquired from the private network with a plurality of pre-stored user indexes, and determining behavior data associated with the matched user index as behavior data related to the user in the process of using the network service;
and integrating and presenting the sensitive data and the behavior data.
2. The method of claim 1, wherein initiating a login request to a private network of a network service to log in to the private network via identity information of a user of a client comprises:
initiating a login request to a private network of a network service, wherein the login request carries an account and a password used by a user of the client when registering the network service so as to log in the private network through the account and the password;
or initiating a login request carrying real-name authentication information to a private network of the network service so as to log in the private network through the real-name authentication information.
3. The method of claim 1, wherein after logging on the private network and before obtaining the sensitive data and the user index corresponding to the sensitive data, the method further comprises:
accepting authentication of the private network for a user of the client;
when the identity authentication is passed, sending an acquisition request for acquiring the sensitive data and the user index to the private network;
and when the identity authentication fails, receiving authentication error information sent by the private network.
4. The method of claim 1, further comprising:
sensitive data related to a plurality of users in the process of using the network service is stored in the private network in advance, and a one-to-one corresponding user index is generated aiming at the sensitive data;
the obtaining sensitive data related to the user in the process of using the network service and a user index corresponding to the sensitive data includes:
and acquiring target sensitive data matched with the identity information of the user of the client and a target user index corresponding to the target sensitive data from a plurality of sets of sensitive data.
5. The method of claim 4, wherein generating a one-to-one correspondence user index for the sensitive data comprises:
and aiming at any sensitive data in a plurality of sensitive data, generating a universal unique identification code corresponding to any sensitive data, and taking the universal unique identification code as a user index corresponding to any sensitive data.
6. The method of claim 1, wherein matching the user index obtained from the private network with a plurality of pre-stored user indexes comprises:
matching the user index obtained from the private network with a plurality of copies of the user index through a bloom filter;
when the user index obtained from the private network hits the same user index in a plurality of copies of the user indexes, determining that the user index obtained from the private network is verified;
and when the user index acquired from the private network does not hit the same user index in a plurality of copies of the user index, determining that the user index acquired from the private network fails to be verified.
7. The method of claim 6, wherein matching the user index obtained from the private network with a plurality of copies of the user index through a bloom filter comprises:
performing hash operation and modulus operation on the user index acquired from the private network through K hash functions included by the bloom filter to obtain K addresses; wherein K is a positive integer;
and comparing the K addresses with a bit array constructed in advance, and determining that the user index acquired from the private network passes verification when the parameters corresponding to the K addresses in the bit array are all 1.
8. A data request device for a network service, the device comprising:
the login request module is used for initiating a login request to a private network of the network service so as to log in the private network through the identity information of a user of the client;
an obtaining module, configured to obtain, from the private network, sensitive data related to the user in a process of using the network service and a user index corresponding to the sensitive data;
the acquisition module is further configured to store behavior data related to a plurality of users in a shared network in advance during use of the network service, and associate the behavior data with a user index of a corresponding user; in the effective period of the user index, matching the user index acquired from the private network with a plurality of pre-stored user indexes, and determining behavior data associated with the matched user index as behavior data related to the user in the process of using the network service;
and the integration and presentation module is used for integrating and presenting the sensitive data and the behavior data.
9. An electronic device, characterized in that the electronic device comprises:
a memory for storing executable instructions;
a processor for implementing the data request method of the network service of any one of claims 1-7 when executing the executable instructions stored in the memory.
10. A computer-readable storage medium storing executable instructions for implementing the data request method of the network service according to any one of claims 1 to 7 when executed by a processor.
11. A computer program product comprising a computer program or instructions, characterized in that the computer program or instructions, when executed by a processor, implement the data request method of a network service of any of claims 1 to 7.
CN202010103017.5A 2020-02-19 2020-02-19 Data request method and device of network service Active CN111355710B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010103017.5A CN111355710B (en) 2020-02-19 2020-02-19 Data request method and device of network service

Publications (2)

Publication Number Publication Date
CN111355710A CN111355710A (en) 2020-06-30
CN111355710B true CN111355710B (en) 2021-12-24

Family

ID=71194009

Country Status (1)

Country Link
CN (1) CN111355710B (en)

Also Published As

Publication number Publication date
CN111355710A (en) 2020-06-30

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
REG Reference to a national code (Ref country code: HK; Ref legal event code: DE; Ref document number: 40024748; Country of ref document: HK)

GR01 Patent grant