CN111371813B - Big data network data protection method and system based on edge calculation - Google Patents
- Publication number: CN111371813B (application CN202010465323.3A)
- Authority: CN (China)
- Prior art keywords: client, user, response, encryption, result
- Legal status: Active (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- H04L63/0428: Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
- H04L9/3226: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, using a predetermined code, e.g. password, passphrase or PIN
- H04L9/3228: One-time or temporary data, i.e. information which is sent for every authentication or authorization, e.g. one-time-password, one-time-token or one-time-key
- H04L2209/12: Details relating to cryptographic hardware or logic circuitry
Abstract
The invention discloses a big data network data protection method and system based on edge computing, comprising the following steps: S1, determining the computing power level of the client; S2, determining the encryption strength of the data; S3, judging whether the computing power level of the client can meet the encryption strength requirement, and if so executing step S4, otherwise executing step S5; S4, slowly encrypting the plaintext password to obtain a first temporary password, then executing step S8; S5, the application server selects a plurality of other connected clients and sends the plaintext password, the salt and the encryption strength to the selected clients; S6, the selected clients perform slow encryption on the plaintext password to obtain second temporary passwords; S7, the application server determines the first temporary password based on the plurality of received second temporary passwords; S8, the server performs fast encryption on the first temporary password to obtain an encrypted password, and stores the user name, the salt and the encrypted password. The invention achieves an effective balance between security protection and computing performance, with high data security.
Description
Technical Field
The invention relates to the technical field of network security, in particular to a big data network data protection method and system based on edge computing.
Background
With the ever wider application of computer network technology, global informatization has developed rapidly and information has permeated every field. The big data environment has changed how people see the world, and the arrival of the big data era has markedly changed how people live; in particular, the application of computer network technology and the effective integration of data have accelerated information processing and allow information to be obtained through statistics better and faster. With the popularization of computer technology, data security has become an increasingly prominent problem.
The security of sensitive data (such as financial statements) and of account credentials (mailbox accounts and passwords, online banking accounts and passwords, online stock-trading accounts and passwords, and so on) is closely tied to users, and as computer processing power has grown greatly, incidents of database dragging, database washing, database collision and database removal have become frequent. In a database collision (credential stuffing), the attacker builds a dictionary table from user and password information leaked on the internet and tries those credentials in batch on other websites, obtaining a list of accounts that can be logged into. Database dragging and database removal both describe an attacker breaking into a valuable website and stealing the entire database of registered users. After dragging the database and obtaining a large amount of user data, the attacker extracts the valuable user data through a series of technical means and black-market industry chains, which is commonly called "database washing". Finally, the attacker tries the obtained credentials on other websites, which is the database collision.
Obviously, if the system stores users' plaintext data directly, then once an attacker drags the database and downloads it in full, the attacker can log in to any account and perform dangerous operations, even causing losses that cannot be compensated. Most websites therefore store password information in the database in encrypted form, commonly with MD5. This is theoretically irreversible, but it is still unsafe: as long as all common passwords are enumerated and built into an index table, the original password can be deduced, and plaintext recovery is fast.
On this basis, the prior art proposes resisting database dragging and similar attacks by adding salt, which increases the attacker's cracking difficulty, and strengthening the encryption process by combining slow encryption with fast encryption, which correspondingly increases the difficulty and time required for an attacker to crack the password.
Such a network data protection method can greatly improve data security, but encrypting the data involves a large amount of computation and consumes substantial computing resources. In addition, data volumes are surging, and if all of this computation is completed at the server side, the server carries a heavy load and the system is prone to crashing. As the processing capability of personal terminal devices increases, it becomes increasingly feasible to perform data encryption based on edge computing. However, different users and different terminal devices have different data protection requirements and computing capabilities, and how to implement edge-computing-based big data network data protection for these differing requirements and devices is a problem to be solved in the field.
Disclosure of Invention
The invention aims to provide a big data network data protection method and system based on edge calculation aiming at the defects of the prior art. According to the invention, different data are slowly encrypted according to different data protection requirements and different operational capacities of different users and different terminal devices, so that effective balance between safety protection and computing performance is realized, and the data security is high.
In order to achieve the purpose, the invention adopts the following technical scheme:
a big data network data protection method based on edge calculation comprises the following steps:
s1, determining the computing capacity level of the client based on the basic information of the client;
s2, determining the encryption strength of the data according to the application type and the encryption strength strategy of the connection;
s3, randomly generating salt, judging whether the computing power level of the client can meet the encryption strength requirement, if so, executing a step S4, and if not, executing a step S5;
s4, slowly encrypting the plaintext password input by the user to obtain a first temporary password, and sending the user name, the salt and the first temporary password to the application server; step S8 is executed;
s5, sending the user name, the plaintext password, the salt and the encryption strength input by the user to an application server side, selecting a plurality of other connected client sides by the application server, and sending the plaintext password, the salt and the encryption strength input by the user to the selected client sides;
s6, the selected client performs slow encryption on the plaintext password input by the user to obtain a second temporary password, and the second temporary password is sent to the application server;
s7, the application server determines a first temporary password based on the received plurality of second temporary passwords;
s8, the server carries out fast encryption on the first temporary password to obtain an encrypted password, and the user name, the salt and the encrypted password are stored.
Further, the step S1 includes:
the weights for setting the clock frequency, the word length, the kernel number and the memory capacity are sequentially、、、Whereinthe calculation capability value of the client is as follows:
wherein,、、、the values of clock frequency, word length, kernel number and memory capacity are respectively;
and classifying the client side to the corresponding computing capacity grade based on the computing capacity value according to the preset computing capacity grade and the corresponding computing capacity value range.
Further, the encryption strength is the number of times of loop iteration encryption, and the encryption strength policy is: setting an encryption intensity range for each type of application by a user; the step S2 includes:
judging the application type of the connection, calling a user encryption strength strategy stored in advance locally at the client, determining a corresponding encryption strength range according to the application type, and randomly selecting any encryption strength value in the encryption strength range as the encryption strength of the data.
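As an added example (not code from the patent), the local path of the method, steps S1 to S4 and S8 together with the S2 strength policy, in Python: the strength ranges are those of the embodiment described below; the hash construction used for slow and fast encryption, the level-to-iteration mapping, the server-side pepper and the storing of the iteration count next to the salt are assumptions, since the patent does not fix them.

```python
import hashlib
import hmac
import os
import random

# Encryption-strength policy: iteration-count range per application type.
# The ranges are the embodiment's values; the dict shape is an assumption.
STRENGTH_POLICY = {
    "finance": (90000, 100000),
    "shopping": (70000, 80000),
    "medical": (60000, 75000),
    "video": (10000, 20000),
    "life_service": (40000, 50000),
}

# Assumed mapping from computing-capacity level (I..V) to the largest iteration
# count a client of that level is allowed to run locally; the patent only says
# the level must "meet the encryption strength requirement".
LEVEL_MAX_ITERATIONS = {1: 15000, 2: 30000, 3: 60000, 4: 90000, 5: 100000}


def choose_strength(app_type, policy=STRENGTH_POLICY, rng=random):
    """Step S2: pick a random iteration count inside the range set for the app type."""
    low, high = policy[app_type]
    return rng.randint(low, high)


def can_encrypt_locally(level, strength):
    """Step S3: the client slow-encrypts itself only if its level covers the strength."""
    return LEVEL_MAX_ITERATIONS[level] >= strength


def slow_encrypt(plaintext_password, salt, strength):
    """Steps S4/S6: iterated salted hashing; the iteration count is the encryption
    strength. Assumed construction: SHA-256 over (salt || previous digest),
    repeated `strength` times, so cost grows linearly with the strength."""
    digest = plaintext_password.encode()
    for _ in range(strength):
        digest = hashlib.sha256(salt + digest).digest()
    return digest.hex()


def fast_encrypt(first_temporary_password, server_pepper):
    """Step S8: one cheap keyed hash on the server. HMAC-SHA256 with a key that
    never leaves the server is an assumption; the patent only says 'fast encryption'."""
    return hmac.new(server_pepper, first_temporary_password.encode(),
                    hashlib.sha256).hexdigest()


def register_local(username, password, app_type, level, server_pepper):
    """Local path S1..S4 -> S8. Returns the stored record, or None when the client
    is too weak and the server must fall back to the cooperative path S5..S7."""
    strength = choose_strength(app_type)
    salt = os.urandom(16)                       # S3: fresh random salt per user
    if not can_encrypt_locally(level, strength):
        return None
    first_temp = slow_encrypt(password, salt, strength)          # S4 on the client
    return {"username": username, "salt": salt.hex(), "strength": strength,
            "encrypted_password": fast_encrypt(first_temp, server_pepper)}  # S8


def verify_login(record, password, server_pepper):
    """Recompute the same slow -> fast chain and compare in constant time."""
    first_temp = slow_encrypt(password, bytes.fromhex(record["salt"]),
                              record["strength"])
    candidate = fast_encrypt(first_temp, server_pepper)
    return hmac.compare_digest(candidate, record["encrypted_password"])
```

The stored record deliberately never contains the plaintext password or the first temporary password; only the salt, the iteration count and the server-peppered result are kept.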
Further, the step S7 includes:
the server counts, for each distinct second temporary password returned, the number of clients that returned it, and judges whether the largest count is tied for first; if it is not tied, the server selects the second temporary password returned by the largest number of clients as the first temporary password; if it is tied, the server selects, among the clients that returned the tied most-common second temporary passwords, the second temporary password returned by the client with the highest trust value as the first temporary password; a client whose returned second temporary password is consistent with the first temporary password has a correct response result, otherwise its response result is wrong.
Further, the trust value is adjusted by the server according to whether the response result of the client is correct or not; the initial trust value of the client when registering in the server is;
For the mth result response of the client, if the response result is correct, the adjustment value of the trust value of the user client is as follows:
wherein,with the adjusted value of the client trust value when the result of the mth response is correct,the number of times that the response result is correct in the M responses,a unit adjustment value of the trust value when the response result is correct;
therefore, the trust value after the user M-th result response is correct is as follows:
wherein,for the trust value after the mth result response of the user,the trust value after the M-1 result response of the user;
for the Mth result response of the user client, if the response result is wrong, the adjustment value of the trust value of the user client is as follows:
wherein,an adjustment value for the client trust value when the result of the mth response is false,the number of response result errors in M responses,a unit adjustment value for the trust value in response to a result error,;
therefore, the trust value after the user's mth result response error is:
wherein,for the trust value after the mth result response of the user,the trust value after the M-1 result response of the user;
for the first response of the user, when the response result is correct, the adjustment value of the client trust value is, then the adjusted client trust value is; when the result of the response is wrong, the adjustment value of the client trust value is, then the adjusted client trust value is.
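Steps S5 to S7 and the trust-value adjustment above, as an added Python example that is not the patent's code: the majority-then-trust selection follows the text, while the concrete trust update (initial value, unit adjustments, and the rule that a wrong response costs more than a correct one earns, as the patent requires) uses assumed constants and an assumed formula in place of the patent's own.

```python
from collections import Counter

# Constructed parameters for the trust-value update (assumptions; the patent only
# states that a wrong response must move the trust value more than a correct one).
INITIAL_TRUST = 50.0
UNIT_CORRECT = 1.0     # unit adjustment when a response is correct
UNIT_WRONG = 3.0       # unit adjustment when a response is wrong (deliberately larger)


def determine_first_temporary_password(responses, trust):
    """Step S7. `responses` maps client id -> second temporary password it returned,
    `trust` maps client id -> current trust value. Returns the chosen first temporary
    password and a verdict {client id: response was correct}."""
    if not responses:
        raise ValueError("no client responded")
    counts = Counter(responses.values())
    top = max(counts.values())
    candidates = [pw for pw, n in counts.items() if n == top]
    if len(candidates) == 1:
        chosen = candidates[0]                  # not tied: the majority result wins
    else:
        # Tied for first: the highest-trust client among the tied ones decides.
        best_client = max((c for c in responses if responses[c] in candidates),
                          key=lambda c: trust.get(c, INITIAL_TRUST))
        chosen = responses[best_client]
    verdict = {c: (pw == chosen) for c, pw in responses.items()}
    return chosen, verdict


def update_trust(trust, history, verdict):
    """Adjust trust after one round. `history[c]` holds the client's running
    (correct_count, wrong_count). Assumed rule: a correct response adds UNIT_CORRECT;
    a wrong response subtracts UNIT_WRONG times the number of wrong responses so far,
    so repeated wrong results are penalised progressively faster. Trust never drops
    below zero."""
    for client, correct in verdict.items():
        good, bad = history.get(client, (0, 0))
        value = trust.get(client, INITIAL_TRUST)
        if correct:
            good += 1
            value += UNIT_CORRECT
        else:
            bad += 1
            value -= UNIT_WRONG * bad
        history[client] = (good, bad)
        trust[client] = max(value, 0.0)
    return trust
```

A client that keeps returning results disagreeing with the consensus therefore loses its tie-breaking influence quickly, which is the screening effect the patent relies on.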
The invention also provides a big data network data protection system based on edge calculation, which comprises:
the first determining module is used for determining the computing capacity level of the client based on the basic information of the client;
the second determining module is used for determining the encryption strength of the data according to the connected application type and the encryption strength strategy;
the judging module is used for randomly generating salt, judging whether the computing capability level of the client can meet the encryption strength requirement, if so, calling the local encryption module, and if not, calling the selecting module;
the local encryption module is used for slowly encrypting a plaintext password input by a user to obtain a first temporary password and sending the user name, the salt and the first temporary password to the application server; calling a storage module;
the selection module is used for sending the user name, the plaintext password, the salt and the encryption strength input by the user to the application server side, the application server selects a plurality of other connected client sides, and the plaintext password, the salt and the encryption strength input by the user are sent to the selected client sides;
the collaborative encryption module is used for the selected client to slowly encrypt the plaintext password input by the user to obtain a second temporary password and send the second temporary password to the application server;
a third determining module, configured to determine, by the application server, the first temporary password based on the received plurality of second temporary passwords;
and the storage module is used for the server to quickly encrypt the first temporary password to obtain an encrypted password and store the user name, the salt and the encrypted password.
Further, the first determining module comprises:
the weights for setting the clock frequency, the word length, the kernel number and the memory capacity are sequentially、、、Whereinthe calculation capability value of the client is as follows:
wherein,、、、the values of clock frequency, word length, kernel number and memory capacity are respectively;
and classifying the client side to the corresponding computing capacity grade based on the computing capacity value according to the preset computing capacity grade and the corresponding computing capacity value range.
Further, the encryption strength is the number of times of loop iteration encryption, and the encryption strength policy is: setting an encryption intensity range for each type of application by a user; the second determining module includes:
judging the application type of the connection, calling a user encryption strength strategy stored in advance locally at the client, determining a corresponding encryption strength range according to the application type, and randomly selecting any encryption strength value in the encryption strength range as the encryption strength of the data.
Further, the third determining module comprises:
the server counts, for each distinct second temporary password returned, the number of clients that returned it, and judges whether the largest count is tied for first; if it is not tied, the server selects the second temporary password returned by the largest number of clients as the first temporary password; if it is tied, the server selects, among the clients that returned the tied most-common second temporary passwords, the second temporary password returned by the client with the highest trust value as the first temporary password; a client whose returned second temporary password is consistent with the first temporary password has a correct response result, otherwise its response result is wrong.
Further, the trust value is adjusted by the server according to whether the response result of the client is correct or not; the initial trust value of the client when registering in the server is;
For the mth result response of the client, if the response result is correct, the adjustment value of the trust value of the user client is as follows:
wherein,with the adjusted value of the client trust value when the result of the mth response is correct,the number of times that the response result is correct in the M responses,a unit adjustment value of the trust value when the response result is correct;
therefore, the trust value after the user M-th result response is correct is as follows:
wherein,for the trust value after the mth result response of the user,the trust value after the M-1 result response of the user;
for the Mth result response of the user client, if the response result is wrong, the adjustment value of the trust value of the user client is as follows:
wherein,an adjustment value for the client trust value when the result of the mth response is false,the number of response result errors in M responses,a unit adjustment value for the trust value in response to a result error,;
therefore, the trust value after the user's mth result response error is:
wherein,for the trust value after the mth result response of the user,the trust value after the M-1 result response of the user;
for the first response of the user, when the response result is correct, the adjustment value of the client trust value is, then the adjusted client trust value is; when the result of the response is wrong, the adjustment value of the client trust value is, then the adjusted client trust value is.
Compared with the prior art, the invention has the following advantages:
1. The invention provides a data protection method and system based on edge computing, aimed at the large amount of computation in a big data network. The client is used as an edge node and its computing capacity is fully utilised: slow encryption is performed on the client during data protection, which effectively avoids the server being heavily loaded and prone to crashing;
2. Different users set different encryption strengths for different application types, avoiding the unnecessary processing overhead caused by excessively high encryption strength and achieving an effective balance between data security and system overhead;
3. The computing capacity of the client is quantitatively evaluated, and whether the local client performs slow encryption is decided according to whether its computing capacity matches the encryption strength requirement; local slow encryption is performed only when they match, which avoids excessively slow processing and an excessive drop in client performance;
4. The method screens the results returned by other clients and quantitatively evaluates each client's trust value, with a wrong response affecting the trust value more than a correct response does, which discourages malicious users from returning wrong results and further improves data security; at the same time, an incentive mechanism tied to the trust value raises users' enthusiasm for participating in slow encryption computation, constrains their response behaviour and improves system security;
5. The method relies on slow encryption at the client side and fast encryption at the server side, which greatly increases the cost for an attacker to obtain the data, providing strong data protection.
Drawings
FIG. 1 is a flowchart of a big data network data protection method based on edge computing according to an embodiment;
fig. 2 is a block diagram of a big data network data protection system based on edge computing according to the second embodiment.
Detailed Description
The embodiments of the present invention are described below with reference to specific embodiments, and other advantages and effects of the present invention will be easily understood by those skilled in the art from the disclosure of the present specification. The invention is capable of other and different embodiments and of being practiced or of being carried out in various ways, and its several details are capable of modification in various respects, all without departing from the spirit and scope of the present invention. It is to be noted that the features in the following embodiments and examples may be combined with each other without conflict.
It should be noted that the drawings provided in the following embodiments are only for illustrating the basic idea of the present invention, and the components related to the present invention are only shown in the drawings rather than drawn according to the number, shape and size of the components in actual implementation, and the type, quantity and proportion of the components in actual implementation may be changed freely, and the layout of the components may be more complicated.
The invention is further described with reference to the following drawings and specific examples, which are not intended to be limiting.
Example one
As shown in fig. 1, the present embodiment provides a method for protecting big data network data based on edge computing, and in particular, a method for encrypting private data such as a user password, including:
s1, determining the computing capacity level of the client based on the basic information of the client;
In order to overcome the server-overload problem of server-based data protection, the present method performs part of the data protection computation at the client, effectively reducing server-side processing overhead. With the popularization of terminal devices and the development of the future Internet of Things, terminal devices are becoming more diverse and client performance keeps growing, so migrating part of the computing tasks from the server to the mobile terminal has become possible. The client therefore serves as an edge node, part of the data protection computation is realised with edge computing, and the client and the server protect the user's data together. Edge computing is a distributed computing structure that moves the computation of applications, data and services from the central node of the network to the logical edge nodes of the network for processing.
The client includes a personal computer, a mobile phone, a personal palm computer, etc., which is not limited herein. When a client is used as an edge node to perform data protection encryption calculation, the calculation capacities of different clients are different, and when the calculation capacity of a user cannot meet the corresponding encryption requirement, encryption protection cannot be performed based on the client obviously. Therefore, the invention firstly determines the computing capacity of the client based on the basic information of the client to decide whether to carry out data encryption protection based on the edge node.
Client configuration information related to computing power typically includes clock frequency, word length, number of cores, memory capacity, and the like. The clock frequency refers to the number of pulses sent by a computer CPU in unit time, the word length refers to the number of bits of binary data which can be simultaneously processed by an arithmetic element of the computer, the number of cores refers to the number of arithmetic units and controllers for executing instructions in the CPU, and the memory capacity refers to the total number of bytes of information stored in an internal memory. Generally, the higher the clock frequency, the larger the word length, the larger the number of cores, and the larger the memory capacity, the faster the operation speed of the client, and the stronger the corresponding computing capability.
In order to determine the computing power of the client, the invention sets different weights for the client configuration information related to the computing power, for example, the weights of the clock frequency, the word length, the kernel number and the memory capacity are set to、、、Whereinthe calculation capability value of the client is as follows:
wherein,、、、the values of clock frequency, word length, kernel number, and memory capacity are provided. Different configuration information may have different weights, for example, the clock frequency largely determines the computing power of the client, and thus the clock frequency has the greatest weight.
Further, based on the calculated computing power values, the present invention classifies different clients into corresponding computing power levels, for example, the present invention sets the computing power levels of the clients to I level, II level, III level, IV level, and V level. Different calculation capability levels correspond to different calculation capability value ranges, and in general, the higher the calculation capability value is, the higher the corresponding calculation capability level is, and the faster the calculation speed is.
It should be noted that the computation power calculation based on the clock frequency, word length, kernel number and memory capacity is only an exemplary illustration, and the computation power calculation including the basic information of other clients is similar and not limited herein. In addition, in order to reduce the processing expense of the client, the computing power level of the client is only calculated once, after the first calculation is completed, the computing power level is stored in the client as public information, and when the client is required to be used as an edge node to perform encryption protection calculation, the corresponding computing power level is directly obtained at the client.
S2, determining the encryption strength of the data according to the application type and the encryption strength strategy of the connection;
in the process of data encryption protection, the greater the encryption strength is, the higher the data security is, but the greater the corresponding processing cost is. Therefore, the present invention effectively balances safety and processing costs. In practical applications, users need different security for cryptographic data in different applications. For example, for login passwords for online banking, high security is generally required to protect the property of the user. And for the login password on the video website, high security is not required. Therefore, in the invention, different users set different encryption strengths for different application types.
Specifically, application types are divided into finance, shopping, medical and health, video, life service and so on, and the user sets a corresponding encryption strength for each type of application according to their own needs. The finance category includes Alipay, mobile banking, online banking and the like; the shopping category includes Taobao, JD.com and the like; the video category includes Tencent Video, iQIYI, Youku and the like; the life service category includes Didi, Meituan Waimai and the like; and the medical and health category includes hospital registration platforms, online medical consultation platforms and the like.
In the invention, the encrypted result is re-encrypted at the edge node, and the cyclic iteration is performed for m times, so that the difficulty of brute force cracking of an attacker is improved. That is, the strength of data encryption is related to the number of times the iterative encryption is cycled. Therefore, the data encryption strength applied by each category corresponds to the corresponding cycle iteration number range.
For example, the user sets an encryption strength policy in advance, and sets the encryption strength corresponding to the financial application to [100000,90000], the encryption strength corresponding to the shopping application to [80000,70000], the encryption strength corresponding to the medical and health application to [75000,60000], the encryption strength corresponding to the video application to [20000,10000], and the encryption strength corresponding to the life service application to [50000,40000 ].
When a user registers or logs in to use a certain application through a website or an application program, firstly, the application type of the website or the application program is judged, a user encryption intensity strategy locally stored in advance at a client side is called, a corresponding encryption intensity range is determined according to the application type, and any encryption intensity value in the encryption intensity range is randomly selected to serve as the encryption intensity of the data.
S3, randomly generating a salt, and judging whether the computing power level of the client can meet the encryption strength requirement; if so, executing step S4, and if not, executing step S5;
To resist brute-force, exhaustive and dictionary attacks, a different salt is introduced for each user in the hashing process. A random string is combined with the private password at a fixed position before hashing, so the resulting hash no longer matches the hash of the bare password and a table precomputed for unsalted passwords cannot be reused; this is called salting. Before the protection computation is performed on an edge node, each user's client therefore first generates a salt at random, which improves the security of the stored hash.
As described above, when the computing power of the user's client cannot meet the encryption strength requirement, protecting the password on that client is impractical: completing the required number of iterations would take a long time, the user would wait, and the user experience would suffer. The edge node protection process therefore first judges whether the computing power of the current client can meet the encryption strength requirement. If it can, the current client performs the protection computation itself; if not, the local client skips the computation, avoiding the long wait.
The range of encryption strengths that each computing power level can complete is determined first, for example from statistics collected over a large number of clients or by machine learning; the method is not limited here. The range achievable by the client is then read off from its computing power level. When the encryption strength chosen for this data lies within the range achievable by the client, the current client can meet the requirement; otherwise it cannot.
S4, slowly encrypting (slow-hashing) the plaintext password input by the user to obtain a first temporary password, and sending the user name, the salt and the first temporary password to the application server; then executing step S8;
The invention applies a slow hashing algorithm such as PBKDF2 or bcrypt (referred to here as slow encryption) to the plaintext password. Slow hashing lengthens the time of each hash evaluation and thereby lengthens the time and raises the cost of cracking. Cracking time depends directly on the algorithm: MD5 is very fast, about 1 microsecond per evaluation, so each guess costs about 1 microsecond and an attacker can test roughly 1,000,000 guesses per second. If each evaluation instead takes 10 milliseconds, the attacker can test only about 100 guesses per second, ten thousand times slower. There are two ways to lengthen the evaluation: iterate the hash many times, or use a more computationally expensive algorithm.
Taking PBKDF2 as an example, the function is defined as DK = PBKDF2(PRF, Password, Salt, c, dkLen), where PRF is a pseudo-random function, such as HMAC over a hash function, whose output has length hLen; Password is the plaintext password from which the key is derived; Salt is the salt value; c is the iteration count, which in the invention is the encryption strength determined for this data; dkLen is the desired length of the derived key; and DK is the derived key that is output.
When the computing power of the current client meets the encryption strength requirement, the client iterates the slow hash over the randomly generated salt, the chosen encryption strength and the password the user entered for the website or application, producing the first temporary password, and sends the user name, the salt and the first temporary password to the application server so that the server can verify the user's later logins. In this branch the server never receives or stores the plaintext password; it only obtains the first temporary password produced by slow hashing, which resists attacks such as database dumping (so-called library dragging).
S5, sending the user name, the plaintext password input by the user, the salt and the encryption strength to the application server; the application server selects a plurality of other connected clients and sends the plaintext password, the salt and the encryption strength to the selected clients;
When the computing power of the current client cannot meet the encryption strength requirement, no protection computation is performed at that client. Instead, the current client sends the user name, the plaintext password, the salt and the encryption strength to the application server. To avoid overloading the server, the server does not perform the slow hashing itself after receiving the plaintext password, but selects several clients connected to it to do so. Because some edge nodes may be malicious, several edge clients are selected to perform the computation at the same time, which guards against a malicious node that returns no result or returns a wrong result.
Specifically, the server derives from the encryption strength the computing power level it requires; since the computing power level of each client is public, the application server selects several clients whose level meets that requirement, and these provide the slow hashing service. The plaintext password input by the user, the salt and the encryption strength are then sent to the selected clients.
Note that once the server has forwarded the plaintext password to the selected clients, it discards the plaintext and does not store it, so an attacker who compromises the server does not find plaintext passwords there. The selected clients do receive the plaintext password but not the user name, so, per the design, they cannot associate the password with the account it belongs to. In this branch the plaintext password does leave the user's device and passes through the server and the selected clients; the design relies on the server discarding it and on the user name being withheld from the helper clients.
S6, the selected clients slowly encrypt the plaintext password input by the user to obtain second temporary passwords, and send the second temporary passwords to the application server;
After receiving the encryption request from the server, a selected client decides autonomously whether to respond. If it declines, it simply ignores the request. If it responds, it runs the same slow hashing algorithm as the local client and obtains a second temporary password. The slow hashing itself is the same as in step S4 and is not described again here.
S7, the application server determines the first temporary password from the plurality of received second temporary passwords;
As noted above, edge clients may include malicious nodes, so the results returned by different clients may differ. When the server receives several second temporary passwords it must therefore filter them to determine the final first temporary password.
Specifically, the server counts, for each distinct second temporary password returned, the number of clients that returned it, and selects the one returned by the most clients as the first temporary password. For example, if the six clients A, B, C, D, E and F return X1, X2, X3, X2, X3 and X3 respectively, the server counts 1 client for X1, 2 for X2 and 3 for X3; X3 has the largest count, so X3 is taken as the first temporary password.
When several second temporary passwords are tied for the largest count, the one returned by the client with the highest trust value among those clients is selected as the first temporary password. To improve system security and prevent malicious users from corrupting the data, the invention manages the users connected to the server as follows.
Specifically, a user must register and log in at the server to connect to it, so the invention assigns an initial trust value to every user registered at the server. When a user's client responds to second temporary password computation requests from other users, the server adjusts that trust value according to whether the response was correct. A response is correct when the second temporary password returned by the client matches the finally determined first temporary password, and wrong otherwise.
For the mth result response of the user client, if the response result is correct, the adjustment value of the trust value of the user client is as follows:
wherein,with the adjusted value of the client trust value when the result of the mth response is correct,the number of times that the response result is correct in the M responses,the unit adjustment value of the trust value when the response result is correct.
Correspondingly, the trust value after the mth result response of the user is as follows:
wherein,for the trust value after the mth result response of the user,and (4) responding to the result of the M-1 th time for the user.
For the Mth result response of the user client, if the response result is wrong, the adjustment value of the trust value of the user client is as follows:
wherein,an adjustment value for the client trust value when the result of the mth response is false,the number of response result errors in M responses,the value is adjusted in units of trust value in response to a result error.
Correspondingly, the trust value after the mth result response of the user is as follows:
wherein,for the trust value after the mth result response of the user,and (4) responding to the result of the M-1 th time for the user.
For the first response of the user, when the response result is correct, the adjustment value of the client trust value isThen the adjusted client trust value is. When the result of the response is wrong, the adjustment value of the client trust value isThen the adjusted client trust value is。
It is worth noting thatThe invention effectively protects the data and improves the safety of the data, and the invention。
Based on the trust value, the server can offer incentives for clients to take part actively in the cooperative computation of second temporary passwords. For example, for video applications, clients whose trust value lies in a given range may receive complimentary membership or membership discounts; for shopping applications, users whose trust value reaches a threshold range may be exempted from shipping fees.
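The following Python is an added worked example, not part of the patent, modelling the server side of steps S5 to S7: choosing helper clients by their published computing power level, taking the majority among the returned second temporary passwords (a client that ignored the request is recorded as None), breaking ties by trust value, and adjusting trust by whether each response matched the chosen result. The patent's trust adjustment formulas are not reproduced on this page, so the fixed +CORRECT_UNIT / -WRONG_UNIT rule, the initial trust of 50 and the level ordering are stand-in assumptions.

```python
from collections import Counter

# Ordering of the published computing-power levels from step S1.
LEVEL_ORDER = {"I": 1, "II": 2, "III": 3, "IV": 4, "V": 5}

# Trust bookkeeping for cooperating clients. The patent's per-response
# adjustment formulas are not on this page; the fixed +CORRECT_UNIT /
# -WRONG_UNIT rule below is a stand-in assumption.
INITIAL_TRUST = 50.0
CORRECT_UNIT = 1.0
WRONG_UNIT = 5.0  # assumption: a wrong result costs more than a right one earns


def select_clients(client_levels, required_level, count=3):
    """S5: choose up to `count` connected clients whose public computing-power
    level meets the level the requested iteration count needs."""
    needed = LEVEL_ORDER[required_level]
    eligible = [c for c, lvl in client_levels.items() if LEVEL_ORDER[lvl] >= needed]
    return eligible[:count]


class ConsensusServer:
    """S7: majority vote over second temporary passwords, tie-break by trust."""

    def __init__(self, initial_trust=INITIAL_TRUST):
        self.trust = {}
        self.initial_trust = initial_trust

    def trust_of(self, client):
        return self.trust.get(client, self.initial_trust)

    def determine_first_temporary_password(self, responses):
        """responses maps client -> second temporary password, or None when the
        client ignored the request (S6). Returns the agreed first temporary
        password, or None if no client answered at all."""
        answered = {c: r for c, r in responses.items() if r is not None}
        if not answered:
            return None
        counts = Counter(answered.values())
        top = max(counts.values())
        leaders = {r for r, n in counts.items() if n == top}
        if len(leaders) == 1:
            chosen = next(iter(leaders))
        else:
            # Tie: take the answer of the most trusted client among the leaders.
            best_client = max((c for c, r in answered.items() if r in leaders),
                              key=self.trust_of)
            chosen = answered[best_client]
        self._adjust_trust(answered, chosen)
        return chosen

    def _adjust_trust(self, answered, chosen):
        """A response counts as correct when it equals the finally chosen value."""
        for client, result in answered.items():
            delta = CORRECT_UNIT if result == chosen else -WRONG_UNIT
            self.trust[client] = self.trust_of(client) + delta
```

With the six votes from the example above (X1, X2, X3, X2, X3, X3), determine_first_temporary_password returns X3, raises the trust of C, E and F and lowers that of A, B and D; a later 1-to-1 tie between A and C is then resolved in favour of C's answer.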
S8, the server applies fast encryption to the first temporary password to obtain the encrypted password, and stores the user name, the salt and the encrypted password.
After receiving the first temporary password, the server applies a fast hash (fast encryption) to the first temporary password together with the salt, obtaining the encrypted password that finally corresponds to the plaintext password entered by the user. Fast encryption includes MD5 and similar fast hashes and is not limited here. The server stores the user name, the salt and the encrypted password for later identity verification. Because only the encrypted password is stored, an attacker who inverts it obtains at most the first temporary password and must still recover the plaintext password through the slow hash, which is very costly; this greatly improves the security of the network data and protects the user's data.
At login, the user enters the plaintext password and the same process as above is run: the client repeats the slow hash with the same salt and the same encryption strength (iteration count) used at registration, so both must be available to the client at login, and the server compares the resulting encrypted password with the stored one; if they match, the user is legitimate. To improve security further, the salt can be updated continuously: a newly generated salt is sent at login and the corresponding first temporary password is recomputed, so the salt is rotated without the user noticing, which improves the user experience.
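The following Python is an added worked example, not the patent's own code, tying together steps S2 to S4 and S8 for the case where the client can do the slow hashing itself. It uses PBKDF2-HMAC-SHA256 for the slow hash and SHA-256 in place of the MD5 named above for the server's fast hash. Because the patent stores only user name, salt and encrypted password, the example additionally keeps the iteration count in the record so the client can reproduce the first temporary password at login; the policy dictionary repeats the example ranges given above, and the per-level iteration limits are illustrative assumptions.

```python
import hashlib
import hmac
import secrets

# Iteration-count ("encryption strength") ranges per application type (S2),
# the example policy from the text written low-to-high.
STRENGTH_POLICY = {
    "finance": (90_000, 100_000),
    "shopping": (70_000, 80_000),
    "medical": (60_000, 75_000),
    "life_service": (40_000, 50_000),
    "video": (10_000, 20_000),
}

# Largest iteration count each computing-power level is assumed to finish in
# acceptable time (S3). The text leaves these to measurement or machine
# learning; the numbers here are illustrative only.
LEVEL_MAX_ITERATIONS = {"I": 20_000, "II": 50_000, "III": 80_000,
                        "IV": 100_000, "V": 200_000}


def choose_iterations(app_type, randbelow=secrets.randbelow):
    """Pick a random iteration count inside the app type's policy range."""
    lo, hi = STRENGTH_POLICY[app_type]
    return lo + randbelow(hi - lo + 1)


def client_can_meet(level, iterations):
    """S3 check: can a client of this level complete `iterations` itself?"""
    return iterations <= LEVEL_MAX_ITERATIONS[level]


def first_temporary_password(password, salt, iterations, dklen=32):
    """S4: DK = PBKDF2(HMAC-SHA256, password, salt, c=iterations, dkLen)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               iterations, dklen)


def encrypted_password(first_temp, salt):
    """S8 fast hash over salt || first temporary password.
    The text names MD5 as one option; SHA-256 is used here."""
    return hashlib.sha256(salt + first_temp).digest()


class ApplicationServer:
    """Stores (salt, iteration count, encrypted password) per user, never the
    plaintext. The iteration count is kept so the client can reuse it at
    login (assumption: the text lists only user name, salt and hash)."""

    def __init__(self):
        self.records = {}

    def register(self, user, salt, iterations, first_temp):
        self.records[user] = (salt, iterations, encrypted_password(first_temp, salt))

    def login_parameters(self, user):
        salt, iterations, _ = self.records[user]
        return salt, iterations

    def verify(self, user, first_temp):
        salt, _, stored = self.records[user]
        # Constant-time compare so the check leaks nothing about `stored`.
        return hmac.compare_digest(encrypted_password(first_temp, salt), stored)

    def rotate_salt(self, user, new_salt, new_first_temp):
        """Unperceived salt update after a successful login (S8)."""
        _, iterations, _ = self.records[user]
        self.records[user] = (new_salt, iterations,
                              encrypted_password(new_first_temp, new_salt))


def run_local_flow(user, password, app_type, level, randbelow=secrets.randbelow):
    """Registration plus one login via the client-side branch (S2-S4, S8).
    Returns (registered, login_ok); (False, False) means the client level
    cannot meet the chosen strength and the S5 branch would apply instead."""
    iterations = choose_iterations(app_type, randbelow)
    if not client_can_meet(level, iterations):
        return False, False
    server = ApplicationServer()
    salt = secrets.token_bytes(16)
    server.register(user, salt, iterations,
                    first_temporary_password(password, salt, iterations))
    # Login: the client re-derives with the stored salt and iteration count.
    salt, c = server.login_parameters(user)
    ok = server.verify(user, first_temporary_password(password, salt, c))
    if ok:
        # Salt rotation: the client also hashes under a fresh salt, which
        # replaces the stored record without the user noticing.
        new_salt = secrets.token_bytes(16)
        server.rotate_salt(user, new_salt,
                           first_temporary_password(password, new_salt, c))
        ok = server.verify(user, first_temporary_password(password, new_salt, c))
    return True, ok
```

run_local_flow("bob", "pw", "video", "I") completes on a level I client because the video range fits its assumed limit, whereas the same client with a finance application returns (False, False), which is the point at which step S5 hands the work to other clients. The server-side comparison uses a constant-time compare, which the patent does not mention but which a verifier should use.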
Example two
As shown in fig. 2, this embodiment provides a big data network data protection system based on edge computing, specifically a system for protecting private data such as user passwords by encryption, comprising:
the first determining module, used for determining the computing power level of the client based on the basic information of the client;
To overcome the server overload of server-based data protection, the method performs part of the protection computation at the client, which reduces the processing cost at the server. With the spread of terminal devices and the development of the internet of things, terminal devices are becoming more diverse and more powerful, so part of the computing tasks can migrate from the server to the mobile terminal. The client therefore acts as an edge node and carries out part of the protection computation by edge computing, so that client and server protect the user's data together. Edge computing is a distributed computing architecture that moves the computation of applications, data and services from the central nodes of the network to its logical edge nodes.
The client includes personal computers, mobile phones, handheld computers and the like, without limitation. When a client acts as an edge node for the protection computation, different clients have different computing power, and when the user's client cannot meet the required encryption strength, protection on that client is clearly impractical. The invention therefore first determines the computing power of the client from its basic information, in order to decide whether to protect the data at the edge node.
Client configuration information relevant to computing power typically includes clock frequency, word length, number of cores and memory capacity. Clock frequency is the number of clock cycles the CPU completes per unit time; word length is the number of bits of binary data the arithmetic unit can process at once; the number of cores is the number of arithmetic units and controllers in the CPU that execute instructions; and memory capacity is the total number of bytes the main memory can hold. In general, the higher the clock frequency, the longer the word length, the more cores and the larger the memory, the faster the client runs and the stronger its computing power.
In order to determine the computing power of the client, the invention sets different weights for the client configuration information related to the computing power, for example, the weights of the clock frequency, the word length, the kernel number and the memory capacity are set to、、、Whereinthe calculation capability value of the client is as follows:
wherein,、、、the values of clock frequency, word length, kernel number, and memory capacity are provided. Different configuration information may have different weights, for example, the clock frequency largely determines the computing power of the client, and thus the clock frequency has the greatest weight.
Further, based on the computed capability values, the invention assigns clients to computing power levels, for example levels I, II, III, IV and V. Each level corresponds to a range of capability values; in general, the higher the capability value, the higher the level and the faster the client computes.
It should be noted that the computation power calculation based on the clock frequency, word length, kernel number and memory capacity is only an exemplary illustration, and the computation power calculation including the basic information of other clients is similar and not limited herein. In addition, in order to reduce the processing expense of the client, the computing power level of the client is only calculated once, after the first calculation is completed, the computing power level is stored in the client as public information, and when the client is required to be used as an edge node to perform encryption protection calculation, the corresponding computing power level is directly obtained at the client.
The second determining module is used for determining the encryption strength of the data according to the connected application type and the encryption strength strategy;
in the process of data encryption protection, the greater the encryption strength is, the higher the data security is, but the greater the corresponding processing cost is. Therefore, the present invention effectively balances safety and processing costs. In practical applications, users need different security for cryptographic data in different applications. For example, for login passwords for online banking, high security is generally required to protect the property of the user. And for the login password on the video website, high security is not required. Therefore, in the invention, different users set different encryption strengths for different application types.
Specifically, the application types are divided into finance types, shopping types, medical health types, video types, life service types and the like, and the user sets corresponding encryption strength for each type of application according to the requirement of the user. The finance category comprises a payment treasure, a mobile phone bank, an online bank and the like, the shopping category comprises a treasure, a Jingdong and the like, the video category comprises an Tengcong video, an Aiqiyi video, a Youkou video and the like, the life service category comprises a drip, a Mei take-out and the like, and the medical health category comprises a hospital registration platform, an online medical consultation platform and the like.
In the invention, the encrypted result is re-encrypted at the edge node, and the cyclic iteration is performed for m times, so that the difficulty of brute force cracking of an attacker is improved. That is, the strength of data encryption is related to the number of times the iterative encryption is cycled. Therefore, the data encryption strength applied by each category corresponds to the corresponding cycle iteration number range.
For example, the user sets an encryption strength policy in advance, and sets the encryption strength corresponding to the financial application to [100000,90000], the encryption strength corresponding to the shopping application to [80000,70000], the encryption strength corresponding to the medical and health application to [75000,60000], the encryption strength corresponding to the video application to [20000,10000], and the encryption strength corresponding to the life service application to [50000,40000 ].
When a user registers or logs in to use a certain application through a website or an application program, firstly, the application type of the website or the application program is judged, a user encryption intensity strategy locally stored in advance at a client side is called, a corresponding encryption intensity range is determined according to the application type, and any encryption intensity value in the encryption intensity range is randomly selected to serve as the encryption intensity of the data.
The judging module is used for randomly generating salt, judging whether the computing capability level of the client can meet the encryption strength requirement, if so, calling the local encryption module, and if not, calling the selecting module;
in order to resist cracking methods such as a violent exhaustive dictionary, different salt values are introduced for different users in the encryption process. By inserting a specific character string at an arbitrarily fixed position of the privacy password, the hashed result is not matched with the hashed result using the original password, and the process is called salting. Therefore, before the data protection encryption is performed on the edge node, each user client randomly generates a salt at first, so that the security of the data encryption is improved.
As described above, when the computing power of the user cannot meet the corresponding encryption requirement, it is obviously impossible to perform encryption protection based on the client, because when the computing power does not meet the encryption strength requirement, a large amount of time is required to complete the corresponding encryption strength, the user has a long waiting time, and the user experience is greatly reduced. Therefore, in the edge node data protection process provided by the invention, whether the computing capability of the current client can meet the encryption strength requirement is judged, if so, the current client directly performs protection encryption computation, and if not, the local client does not perform protection encryption computation any more, so that poor user experience is avoided.
The encryption strength range which can be realized by each computing power level is firstly determined, specifically, the encryption strength range can be realized by counting a large number of clients, and can also be realized by a machine learning mode, and the encryption strength range is not limited herein. And determining the encryption strength range which can be realized by the client according to the computing power level of the client, and when the data encryption strength of the time belongs to the encryption strength range which can be realized by the client, indicating that the computing power of the current client can meet the encryption requirement, otherwise, not meeting the encryption requirement.
The local encryption module is used for slowly encrypting a plaintext password input by a user to obtain a first temporary password and sending the user name, the salt and the first temporary password to the application server; calling a storage module;
the invention adopts PBKDF2 or bcrypt and other slow encryption algorithms to encrypt the plaintext password. The slow hash encryption is to increase the encryption time to correspondingly increase the cracking time and difficulty. The time for password cracking and the encryption algorithm are directly related, for example, the MD5 encryption is very fast, the encryption takes 1 microsecond, when the code is cracked, a phrase is guessed at anytime, only 1 microsecond is needed, and an attacker can guess 100 ten thousand in one second. If the encryption is increased to 10 milliseconds at a time, an attacker can only guess 100 in a second, and the cracking speed is ten thousand times slower. There are two methods for increasing the encryption time, namely, multiple encryption and increasing the complexity of the encryption algorithm.
Taking PBKDF2 as an example, the PBKDF2 function is defined as DK = PBKDF2(PRF, Password, Salt, c, dkLen), where PRF is a pseudo-random function, such as a HASH _ HMAC function, that outputs a result of length hLen. Password is the plaintext cipher used to generate the key. Salt is a Salt value for encryption. c is the number of times of repeated calculation, which is the determined encryption strength of the data this time in the invention. dkLen is the length of the key that is expected to be obtained. The DK is the last generated key.
When the computing capacity of the current client can meet the requirement of encryption strength, the client generates a first temporary password through loop iteration according to the salt and the encryption strength which are generated randomly and the password of the website or the application program input by the user, and sends the user name, the salt and the first temporary password to the application server so that the server can verify the next login of the user. At the moment, the server side does not receive and store the plaintext password, only can acquire the first temporary password after slow encryption, and can effectively resist the attacks such as library dragging and the like.
The selection module is used for sending the user name, the plaintext password, the salt and the encryption strength input by the user to the application server side, the application server selects a plurality of other connected client sides, and the plaintext password, the salt and the encryption strength input by the user are sent to the selected client sides;
when the computing power of the current client cannot meet the encryption strength requirement, no protection encryption calculation is carried out at the client. At this time, the current client sends the user name, the plaintext password, the salt and the encryption strength corresponding to the user to the application server. Meanwhile, in order to avoid the excessive processing burden of the server, after receiving the plaintext password of the user, the server does not perform corresponding slow encryption, but selects a plurality of clients connected with the server to perform slow encryption. Because malicious edge nodes may exist, the invention selects a plurality of edge clients to perform encryption calculation at the same time, thereby avoiding the problems that the malicious edge nodes do not return results, the estimation calculation is wrong and the like.
Specifically, the server determines the computing power level corresponding to the encryption strength according to the encryption strength, and the computing power level of the client is public, so that the application server selects a plurality of clients of which the computing power levels meet the computing power level requirement corresponding to the encryption strength, and the selected clients provide corresponding slow encryption services. Correspondingly, the plaintext password, the salt and the encryption strength input by the user are sent to the selected client side, so that the selected client side can provide slow encryption service for improvement.
It is worth noting that when the server transmits the plaintext password information to the selected client, the server discards the plaintext password of the user and does not store the plaintext password in the server, so as to effectively avoid the attack of an attacker. For the client, although the client acquires the plaintext password, the client does not use the username information, so that the plaintext password cannot be effectively associated with the user, and the password information of the user cannot be cracked.
The collaborative encryption module is used for the selected client to slowly encrypt the plaintext password input by the user to obtain a second temporary password and send the second temporary password to the application server;
after receiving the encryption request sent by the server, the selected client can autonomously select whether to respond to the encryption request. When the encryption request is not responded to, the encryption request is ignored and the request is not responded to. And when the encryption request is responded, slow encryption is carried out by adopting a slow encryption algorithm which is the same as that of the local client side, so that a second temporary password is obtained. The process of slow encryption is similar to step S4 and will not be described in detail herein.
A third determining module, configured to determine, by the application server, the first temporary password based on the received plurality of second temporary passwords;
as described above, an edge client may have a malicious node, and thus, the returned results of the clients may be different. Therefore, when the server receives a plurality of second temporary passwords, the server needs to filter the second temporary passwords to determine the last first temporary password.
Specifically, the server counts the number of clients corresponding to each returned second temporary password, and selects the second temporary password with the largest number of clients as the first temporary password. For example, when the second temporary passwords selected by the 6 clients A, B, C, D, E, F are respectively X1、X2、X3、X2、X3、X3Time, serverStatistics of X1The number of corresponding clients is 1, X2The number of corresponding clients is 2, X3The corresponding client number is 3, and X is returned3Is the largest, so X is3As the first temporary password to be finally determined.
When several second temporary passwords are tied for the largest client count, the second temporary password returned by the client with the highest trust value among those clients is selected as the first temporary password. To improve system security and keep malicious users from undermining data security, the invention manages the users connected to the server side as follows.
Specifically, a user must register with and log in to the server before connecting. The invention therefore assigns an initial trust value to each user registered at the server side. When a user's client responds to other users' second temporary password computation requests, the server adjusts that client's trust value according to whether the response result is correct. A client's response result is correct when the second temporary password it returns matches the finally determined first temporary password, and wrong otherwise.
For the Mth result response of a user client, if the response result is correct, the adjustment value of the user client's trust value is as follows:
where the quantities are, in order, the adjustment value of the client trust value when the Mth response is correct, the number of correct response results among the M responses, and the unit adjustment value of the trust value for a correct response result.
Correspondingly, the trust value after the user's Mth result response is as follows:
where the quantities are the trust value after the user's Mth result response and the trust value after the user's (M-1)th result response.
For the Mth result response of a user client, if the response result is wrong, the adjustment value of the user client's trust value is as follows:
where the quantities are, in order, the adjustment value of the client trust value when the Mth response is wrong, the number of wrong response results among the M responses, and the unit adjustment value of the trust value for a wrong response result.
Correspondingly, the trust value after the user's Mth result response is as follows:
where the quantities are the trust value after the user's Mth result response and the trust value after the user's (M-1)th result response.
For the user's first response, the adjustment value of the client trust value and the adjusted client trust value follow from the formulas above with M = 1, both when the response result is correct and when it is wrong.
It is worth noting that in order to effectively protect data and improve the safety of the data, the invention.
To encourage active participation in the cooperative computation of second temporary passwords, the server may attach incentives to the client trust value. For example, for video applications, users whose trust value falls in a given range may receive complimentary membership services or membership fee discounts; for shopping applications, users whose trust value reaches a threshold range may be exempted from shipping fees, and so on.
And the storage module is used for the server side to quickly encrypt the first temporary password to obtain an encrypted password and store the user name, the salt and the encrypted password.
After receiving the first temporary password, the server fast-encrypts it together with the salt to obtain the encrypted password that finally corresponds to the plaintext password the user entered. Fast encryption includes MD5 and similar hash functions and is not limited here (MD5 is deprecated for new designs, and a practitioner would use a current hash such as SHA-256 in its place). The server stores the username, the salt and the encrypted password for later identity verification. Because the server stores only the encrypted password, an attacker who cracks it obtains only the first temporary password and still has to crack the plaintext password from that, which is far harder; this greatly improves network data security and effectively protects user data.
When the user logs in, the user enters the plaintext password and the same encryption process as above is repeated; the server then checks whether the computed encrypted password matches the stored one, and if it does the user is legitimate. Because the slow encryption must be repeated with the same iteration count as at registration, the chosen encryption strength has to be reproducible at login (for example, kept with the stored record). To improve data security further, the salt can be refreshed continually: a newly generated salt is sent at login and the corresponding first temporary password is recomputed, so the salt is updated without the user noticing, which improves the user experience.
The invention provides a big data network data protection method and system based on edge computing, addressing the large computation load in a big data network. The client acts as an edge node whose computing capacity is fully used: slow encryption is carried out by clients during data protection, which avoids a heavy computing burden on the server and the risk of server crashes. Different users set different encryption strengths for different application types, avoiding unnecessary processing overhead from excessive encryption strength and balancing data security against system overhead. The client's computing capacity is evaluated quantitatively, and whether slow encryption runs on the local client is decided by matching the encryption strength requirement against that capacity; local slow encryption runs only when they match, which avoids overly slow processing and excessive client performance loss. The results returned by other clients are screened and the client trust value is evaluated quantitatively, with a wrong response affecting the trust value more than a correct one, which deters malicious users from returning wrong results and further improves data security. An incentive mechanism tied to the trust value raises users' willingness to take part in slow encryption, constrains their response behaviour and improves system security. With slow encryption on the client and fast encryption on the server, the attacker's cost of obtaining the data rises greatly and the data protection strength is high.
It is to be noted that the foregoing is only illustrative of the preferred embodiments of the present invention and the technical principles employed. It will be understood by those skilled in the art that the present invention is not limited to the particular embodiments described herein, but is capable of various obvious changes, rearrangements and substitutions as will now become apparent to those skilled in the art without departing from the scope of the invention. Therefore, although the present invention has been described in greater detail by the above embodiments, the present invention is not limited to the above embodiments, and may include other equivalent embodiments without departing from the spirit of the present invention, and the scope of the present invention is determined by the scope of the appended claims.
Claims (8)
1. A big data network data protection method based on edge calculation is characterized by comprising the following steps:
S1, determining the computing capability level of the client based on the basic information of the client;
S2, determining the encryption strength of the data according to the application type of the connection and the encryption strength policy;
S3, randomly generating a salt and judging whether the computing capability level of the client can meet the encryption strength requirement; if so, executing step S4, and if not, executing step S5;
S4, slowly encrypting the plaintext password input by the user to obtain a first temporary password, and sending the username, the salt and the first temporary password to the application server; then executing step S8;
S5, sending the username, the plaintext password input by the user, the salt and the encryption strength to the application server, the application server selecting a plurality of other connected clients and sending the plaintext password input by the user, the salt and the encryption strength to the selected clients;
S6, the selected clients slowly encrypting the plaintext password input by the user to obtain second temporary passwords and sending them to the application server;
S7, the application server determining the first temporary password based on the received plurality of second temporary passwords;
S8, the application server fast-encrypting the first temporary password to obtain an encrypted password, and storing the username, the salt and the encrypted password;
the step S7 includes:
the application server counts the number of clients that returned each second temporary password and judges whether several second temporary passwords are tied for the largest client count; if not, it selects the second temporary password returned by the most clients as the first temporary password; if so, it selects the second temporary password returned by the client with the highest trust value among the clients corresponding to the tied second temporary passwords as the first temporary password; and a client's response result is correct when the second temporary password it returned matches the first temporary password, and wrong otherwise.
2. The big data network data protection method according to claim 1, wherein the step S1 includes:
weights are set in turn for the clock frequency, the word length, the core count and the memory capacity, and the computing capability value of the client is as follows:
where the four input quantities are the values of the clock frequency, the word length, the core count and the memory capacity respectively;
and classifying the client side to the corresponding computing capacity grade based on the computing capacity value according to the preset computing capacity grade and the corresponding computing capacity value range.
3. The big data network data protection method according to claim 1, wherein the encryption strength is a number of times of loop iteration encryption, and the encryption strength policy is: setting an encryption intensity range for each type of application by a user; the step S2 includes:
judging the application type of the connection, calling a user encryption strength strategy stored in advance locally at the client, determining a corresponding encryption strength range according to the application type, and randomly selecting any encryption strength value in the encryption strength range as the encryption strength of the data.
4. The big data network data protection method according to claim 1, wherein the trust value is adjusted by the application server according to whether the response result of the client is correct, starting from an initial trust value assigned to the client when it registers with the application server;
for the Mth result response of the client, if the response result is correct, the adjustment value of the trust value of the user client is as follows:
where the quantities are, in order, the adjustment value of the user client trust value when the Mth response is correct, the number of correct response results among the M responses, and the unit adjustment value of the trust value for a correct response result;
therefore, the trust value after the user's Mth result response is correct is as follows:
where the quantities are the trust value after the user's Mth result response and the trust value after the user's (M-1)th result response;
for the Mth result response of the user client, if the response result is wrong, the adjustment value of the trust value of the user client is as follows:
where the quantities are, in order, the adjustment value of the user client trust value when the Mth response is wrong, the number of wrong response results among the M responses, and the unit adjustment value of the trust value for a wrong response result, the two unit adjustment values satisfying the relation given here (the description requires a wrong response to change the trust value by more than a correct one does);
therefore, the trust value after the user's Mth result response is wrong is as follows:
where the quantities are the trust value after the user's Mth result response and the trust value after the user's (M-1)th result response;
5. A big data network data protection system based on edge computing is characterized by comprising:
the first determining module is used for determining the computing capacity level of the client based on the basic information of the client;
the second determining module is used for determining the encryption strength of the data according to the connected application type and the encryption strength strategy;
the judging module is used for randomly generating salt, judging whether the computing capability level of the client can meet the encryption strength requirement, if so, calling the local encryption module, and if not, calling the selecting module;
the local encryption module is used for slowly encrypting a plaintext password input by a user to obtain a first temporary password and sending the user name, the salt and the first temporary password to the application server; calling a storage module;
the selection module is used for sending the user name, the plaintext password, the salt and the encryption strength input by the user to the application server side, the application server selects a plurality of other connected client sides, and the plaintext password, the salt and the encryption strength input by the user are sent to the selected client sides;
the collaborative encryption module is used for the selected client to slowly encrypt the plaintext password input by the user to obtain a second temporary password and send the second temporary password to the application server;
a third determining module, configured to determine, by the application server, the first temporary password based on the received plurality of second temporary passwords;
the storage module is used for the application server to quickly encrypt the first temporary password to obtain an encrypted password and store the user name, the salt and the encrypted password;
the third determining module is further configured to:
the application server counts the number of clients that returned each second temporary password and judges whether several second temporary passwords are tied for the largest client count; if not, it selects the second temporary password returned by the most clients as the first temporary password; if so, it selects the second temporary password returned by the client with the highest trust value among the clients corresponding to the tied second temporary passwords as the first temporary password; and a client's response result is correct when the second temporary password it returned matches the first temporary password, and wrong otherwise.
6. The big data network data protection system of claim 5, wherein the first determination module is further configured to:
weights are set in turn for the clock frequency, the word length, the core count and the memory capacity, and the computing capability value of the client is as follows:
where the four input quantities are the values of the clock frequency, the word length, the core count and the memory capacity respectively;
and classifying the client side to the corresponding computing capacity grade based on the computing capacity value according to the preset computing capacity grade and the corresponding computing capacity value range.
7. The big data network data protection system according to claim 5, wherein the encryption strength is a number of iterative rounds of encryption, and the encryption strength policy is: setting an encryption intensity range for each type of application by a user; the second determination module is further to:
judging the application type of the connection, calling a user encryption strength strategy stored in advance locally at the client, determining a corresponding encryption strength range according to the application type, and randomly selecting any encryption strength value in the encryption strength range as the encryption strength of the data.
8. The big data network data protection system according to claim 5, wherein the trust value is adjusted by the application server according to whether the response result of the client is correct, starting from an initial trust value assigned to the client when it registers with the application server;
for the Mth result response of the client, if the response result is correct, the adjustment value of the trust value of the user client is as follows:
where the quantities are, in order, the adjustment value of the user client trust value when the Mth response is correct, the number of correct response results among the M responses, and the unit adjustment value of the trust value for a correct response result;
therefore, the trust value after the user's Mth result response is correct is as follows:
where the quantities are the trust value after the user's Mth result response and the trust value after the user's (M-1)th result response;
for the Mth result response of the user client, if the response result is wrong, the adjustment value of the trust value of the user client is as follows:
where the quantities are, in order, the adjustment value of the user client trust value when the Mth response is wrong, the number of wrong response results among the M responses, and the unit adjustment value of the trust value for a wrong response result, the two unit adjustment values satisfying the relation given here (the description requires a wrong response to change the trust value by more than a correct one does);
therefore, the trust value after the user's Mth result response is wrong is as follows:
where the quantities are the trust value after the user's Mth result response and the trust value after the user's (M-1)th result response;
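A worked example of the collaborative path described above (the collaborative encryption, third determining and storage modules of the description, and steps S5 to S8 with the tie-break of claim 1 and the correct/wrong marking of claim 4). This is added illustration, not code from the patent. The page does not fix the slow or fast primitives, so iterated HMAC-SHA256 stands in for the slow encryption and SHA-256 (rather than the MD5 the page mentions) for the fast one; the trust adjustments REWARD and PENALTY are assumed stand-ins for the page's own formula, keeping only its requirement that a wrong response weighs more than a correct one; and the chosen encryption strength is stored with the record so that login can repeat the same iteration count, a detail the page leaves implicit. Client names and the sample salt are constructed.

```python
"""Edge-assisted password storage as described in the patent text: clients do the
slow (iterated) hashing, the server resolves the helpers' results by majority
vote with a trust-value tie-break, then fast-hashes and stores the result.
Added illustration only; the primitives and trust constants are assumptions."""
import hashlib
import hmac
from collections import Counter
from dataclasses import dataclass

# Assumed trust adjustments (the page's own formula is not recoverable here);
# the page only requires that a wrong response costs more than a correct one earns.
REWARD = 1.0
PENALTY = 2.0


@dataclass
class Client:
    name: str
    trust: float
    responds: bool = True      # a selected client may ignore the request
    malicious: bool = False    # returns a wrong second temporary password


def slow_encrypt(password: str, salt: bytes, strength: int) -> bytes:
    """Client-side slow encryption: 'strength' is the loop-iteration count
    (claim 3). Assumed primitive: HMAC-SHA256 keyed with the salt, iterated."""
    if strength < 1:
        raise ValueError("encryption strength must be at least 1")
    digest = password.encode("utf-8")
    for _ in range(strength):
        digest = hmac.new(salt, digest, hashlib.sha256).digest()
    return digest


def fast_encrypt(first_temp: bytes, salt: bytes) -> bytes:
    """Server-side fast encryption over temporary password and salt (step S8).
    The page lists MD5 as one option; SHA-256 is substituted here."""
    return hashlib.sha256(salt + first_temp).digest()


def resolve_first_temp(responses: dict, clients: dict) -> bytes:
    """Step S7: the value returned by the most clients wins; when several values
    are tied for first, take the one from the highest-trust client among them."""
    if not responses:
        raise ValueError("no selected client responded to the encryption request")
    counts = Counter(responses.values())
    top = max(counts.values())
    tied = [value for value, n in counts.items() if n == top]
    if len(tied) == 1:
        return tied[0]
    candidates = [clients[name] for name, value in responses.items() if value in tied]
    best = max(candidates, key=lambda c: c.trust)
    return responses[best.name]


def update_trust(responses: dict, clients: dict, first_temp: bytes) -> None:
    """A response is 'correct' iff it equals the chosen first temporary password."""
    for name, value in responses.items():
        clients[name].trust += REWARD if value == first_temp else -PENALTY


def register(username: str, password: str, salt: bytes, strength: int,
             helpers: list, store: dict) -> bytes:
    """Steps S5-S8 for a client too weak to hash locally. The server forwards
    password, salt and strength (not the username) to the selected helpers."""
    responses = {}
    for h in helpers:
        if not h.responds:
            continue
        value = slow_encrypt(password, salt, strength)
        if h.malicious:
            value = bytes(b ^ 0xFF for b in value)   # deliberately wrong result
        responses[h.name] = value
    clients = {h.name: h for h in helpers}
    first_temp = resolve_first_temp(responses, clients)
    update_trust(responses, clients, first_temp)
    # The strength is stored too: login must repeat the same iteration count,
    # which the page's (username, salt, encrypted password) record alone cannot do.
    store[username] = (salt, strength, fast_encrypt(first_temp, salt))
    return first_temp


def verify_login(username: str, password: str, store: dict) -> bool:
    """Login check: recompute slow then fast encryption and compare in constant time."""
    if username not in store:
        return False
    salt, strength, stored = store[username]
    candidate = fast_encrypt(slow_encrypt(password, salt, strength), salt)
    return hmac.compare_digest(candidate, stored)


if __name__ == "__main__":
    import os
    # Constructed helper set: three honest responders, two colluding malicious
    # ones returning the same wrong value, one that ignores the request.
    helpers = [Client("A", 10), Client("B", 10, malicious=True), Client("C", 10),
               Client("D", 10, responds=False), Client("E", 10), Client("F", 10, malicious=True)]
    store = {}
    register("alice", "correct horse", os.urandom(16), 5000, helpers, store)
    print(verify_login("alice", "correct horse", store), verify_login("alice", "wrong", store))
    print({h.name: h.trust for h in helpers})
```

Running the demo shows the honest majority (A, C, E) winning the vote and gaining REWARD each, the two malicious helpers losing PENALTY each, and the non-responding client unchanged; the tie-break path only runs when two values are returned by the same number of clients, in which case the highest-trust responder decides.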
Priority Applications (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202010465323.3A CN111371813B (en) | 2020-05-28 | 2020-05-28 | Big data network data protection method and system based on edge calculation |
JP2020132747A JP6893626B1 (en) | 2020-05-28 | 2020-08-05 | Big data and network data protection methods and systems by edge computing |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202010465323.3A CN111371813B (en) | 2020-05-28 | 2020-05-28 | Big data network data protection method and system based on edge calculation |
Publications (2)
Publication Number | Publication Date |
---|---|
CN111371813A CN111371813A (en) | 2020-07-03 |
CN111371813B true CN111371813B (en) | 2020-10-02 |
Family
ID=71211111
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202010465323.3A Active CN111371813B (en) | 2020-05-28 | 2020-05-28 | Big data network data protection method and system based on edge calculation |
Country Status (2)
Country | Link |
---|---|
JP (1) | JP6893626B1 (en) |
CN (1) | CN111371813B (en) |
Families Citing this family (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN113468565B (en) * | 2021-06-30 | 2023-11-28 | 杭州博联智能科技股份有限公司 | Intelligent door lock control method and system |
CN113935068A (en) * | 2021-10-21 | 2022-01-14 | 深圳市瑞云科技有限公司 | Data desensitization method for mass file transmission system |
CN114244521B (en) * | 2021-12-06 | 2024-02-13 | 南京南瑞信息通信科技有限公司 | Encryption system implementation method applied to edge calculation |
CN114547690B (en) * | 2022-02-24 | 2024-05-14 | 深圳市裕熙科技有限公司 | Information security risk management system based on big data and edge calculation |
CN114979717B (en) * | 2022-07-25 | 2022-11-08 | 广州万协通信息技术有限公司 | Differential video encryption method based on equipment decoding capability and security chip device |
CN116506507A (en) * | 2023-06-29 | 2023-07-28 | 天津市城市规划设计研究总院有限公司 | Data processing method based on client characteristics |
Citations (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN110651463A (en) * | 2017-05-22 | 2020-01-03 | 联邦科学和工业研究组织 | Encryption of cloud-based data |
Family Cites Families (10)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP2002319935A (en) * | 2001-01-19 | 2002-10-31 | Matsushita Electric Ind Co Ltd | Data processor |
JP2003304227A (en) * | 2002-04-08 | 2003-10-24 | Matsushita Electric Ind Co Ltd | Cryptographic communication apparatus, its method and cryptographic communication system |
JP2015014962A (en) * | 2013-07-05 | 2015-01-22 | 株式会社リコー | Arithmetic device, arithmetic method, and program |
US10091170B2 (en) * | 2016-03-31 | 2018-10-02 | Cisco Technology, Inc. | Method and apparatus for distributing encryption and decryption processes between network devices |
CN105827395A (en) * | 2016-04-29 | 2016-08-03 | 上海斐讯数据通信技术有限公司 | Network user authentication method |
CN106657267B (en) * | 2016-11-15 | 2019-10-08 | 华中科技大学 | Cloud storage system based on Edge Server |
CN108243246A (en) * | 2017-12-25 | 2018-07-03 | 北京市天元网络技术股份有限公司 | A kind of edge calculations resource regulating method, edge device and system |
CN111130956B (en) * | 2018-10-30 | 2022-05-03 | 九阳股份有限公司 | Data transmission method of intelligent household appliance and intelligent household appliance |
US11669368B2 (en) * | 2019-09-28 | 2023-06-06 | Intel Corporation | Multi-tenant data protection in edge computing environments |
CN110933118B (en) * | 2020-02-20 | 2020-09-11 | 深圳市城市交通规划设计研究中心股份有限公司 | Edge computing gateway secure communication method, system, terminal equipment and server |
2020
- 2020-05-28 CN CN202010465323.3A patent/CN111371813B/en active Active
- 2020-08-05 JP JP2020132747A patent/JP6893626B1/en active Active
Also Published As
Publication number | Publication date |
---|---|
CN111371813A (en) | 2020-07-03 |
JP6893626B1 (en) | 2021-06-23 |
JP2021190978A (en) | 2021-12-13 |
Similar Documents
Publication | Title | Publication Date |
---|---|---|
CN111371813B (en) | Big data network data protection method and system based on edge calculation | |
US11108752B2 (en) | Systems and methods for managing resetting of user online identities or accounts | |
US10223524B1 (en) | Compromised authentication information clearing house | |
US8819769B1 (en) | Managing user access with mobile device posture | |
JP6585301B2 (en) | Dynamic update of CAPTCHA challenge | |
US7908645B2 (en) | System and method for fraud monitoring, detection, and tiered user authentication | |
US8930708B2 (en) | Web-based security authentication | |
US9824207B1 (en) | Authentication information update based on fraud detection | |
US9122866B1 (en) | User authentication | |
US10171495B1 (en) | Detection of modified requests | |
US9639689B1 (en) | User authentication | |
Andola et al. | A secure searchable encryption scheme for cloud using hash-based indexing | |
US20180101831A1 (en) | System and method for performing secure online banking transactions | |
Tian et al. | Achieving flatness: Graph labeling can generate graphical honeywords | |
Chan et al. | Intrusion detection and prevention of web service attacks for software as a service: Fuzzy association rules vs fuzzy associative patterns | |
Bhingarkar et al. | A survey: Securing cloud infrastructure against edos attack | |
US20220237482A1 (en) | Feature randomization for securing machine learning models | |
Jain et al. | A literature review on machine learning for cyber security issues | |
US20220400108A1 (en) | Tokenizing authentication information | |
CN116846555A (en) | Data access methods and devices | |
CN113888165A (en) | Block chain address reconstruction and identity authentication method, equipment and storage medium | |
CN108494805B (en) | CC attack processing method and device | |
Adil et al. | A review on phishing website detection | |
Parveen et al. | Cookie Hijacking: Privacy Risk | |
Qian | Applying Combined One-Time Passwords to Prevent Phishing Attacks in Electronic Banking |
Legal Events
Code | Title |
---|---|
PB01 | Publication |
SE01 | Entry into force of request for substantive examination |
GR01 | Patent grant |