CN112329007A - Sensitive data controllable sharing system and method - Google Patents

Sensitive data controllable sharing system and method

Info

Publication number: CN112329007A
Authority: CN (China)
Prior art keywords: data, sensitive data, intelligent contract, sensitive, sandbox
Legal status: Granted
Application number: CN202110010440.5A
Other languages: Chinese (zh)
Other versions: CN112329007B (en)
Inventor: 宋成平
Current assignee: Ruizhi Technology Group Co ltd
Original assignee: Ruizhi Technology Group Co ltd

Events
    • Application filed by Ruizhi Technology Group Co ltd
    • Priority to CN202110010440.5A
    • Publication of CN112329007A
    • Application granted
    • Publication of CN112329007B
    • Legal status: Active

Classifications

    • G PHYSICS
        • G06 COMPUTING; CALCULATING OR COUNTING
            • G06F ELECTRIC DIGITAL DATA PROCESSING
                • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
                    • G06F16/20 Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data
                        • G06F16/27 Replication, distribution or synchronisation of data between databases or within a distributed database system; Distributed database system architectures therefor
                • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
                    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
                        • G06F21/52 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity; Preventing unwanted data erasure; Buffer overflow
                            • G06F21/53 Monitoring users, programs or devices to maintain the integrity of platforms during program execution by executing in a restricted environment, e.g. sandbox or secure virtual machine
                    • G06F21/60 Protecting data
                        • G06F21/602 Providing cryptographic facilities or services
                        • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
                            • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
                                • G06F21/6245 Protecting personal data, e.g. for financial or medical purposes
                        • G06F21/64 Protecting data integrity, e.g. using checksums, certificates or signatures

Landscapes

  • Engineering & Computer Science
  • Theoretical Computer Science
  • Computer Security & Cryptography
  • Software Systems
  • Physics & Mathematics
  • General Engineering & Computer Science
  • General Physics & Mathematics
  • Bioethics
  • Health & Medical Sciences
  • Computer Hardware Design
  • General Health & Medical Sciences
  • Databases & Information Systems
  • Computing Systems
  • Data Mining & Analysis
  • Medical Informatics
  • Storage Device Security
  • Management, Administration, Business Operations System, And Electronic Commerce

Abstract

The application relates to the technical field of big data processing, in particular to a sensitive data controllable sharing system and method. The sensitive data controllable sharing method comprises the following steps: verifying the sensitive data application request; after the verification is qualified, generating an intelligent contract according to the sensitive data application request; in response to generating the intelligent contract, building a data sandbox specific to the intelligent contract and saving the intelligent contract into the data sandbox; establishing a secure channel between the data sandbox and the big data center, and transmitting the sensitive data of the big data center into the data sandbox through the secure channel; processing the sensitive data in the data sandbox according to the intelligent contract; and providing the processed sensitive data to the user. The method and the system can guarantee the security of the sensitive data and avoid its leakage.

Description

Sensitive data controllable sharing system and method
Technical Field
The application relates to the technical field of big data processing, in particular to a sensitive data controllable sharing system and method.
Background
With the development of the information technology industry, and especially the innovative application of big data technology, data technology is deeply and widely influencing and changing society. The data security situation currently shows three major trends. First, with the rapid development of the big data industry, data, especially high-value data, is collected at big data nodes; this brings serious potential security hazards, and leaks of massive amounts of sensitive data occur frequently. Second, the harm caused by a data leak is becoming greater and its scope wider. Third, as big data technology continues to develop, the channels and means of data leakage are becoming more diverse and unpredictable.
Therefore, how to ensure the security of sensitive data and avoid its leakage is a technical problem to be solved by those skilled in the art.
Disclosure of Invention
The application provides a sensitive data controllable sharing method, so that the safety of sensitive data is guaranteed, and sensitive data leakage is avoided.
In order to solve the technical problem, the application provides the following technical scheme:
A controllable sharing method for sensitive data comprises the following steps: step S110, verifying the sensitive data application request; if the sensitive data application request is qualified, performing step S120, and if it is unqualified, ending the process; step S120, generating an intelligent contract according to the sensitive data application request; step S130, in response to the generation of the intelligent contract, constructing a data sandbox specific to the intelligent contract, and saving the intelligent contract into the data sandbox; step S140, establishing a secure channel between the data sandbox and the big data center, and transmitting the sensitive data of the big data center to the data sandbox through the secure channel; step S150, processing the sensitive data in the data sandbox according to the intelligent contract; and step S160, providing the processed sensitive data to a user.
The method for controllable sharing of sensitive data as described above, wherein, preferably, before step S110, the following steps are further included: s106, inquiring the sensitive data catalogues according to the browsing command to obtain the relevant information of the sensitive data; and S108, generating a sensitive data application request according to the obtained relevant information of the sensitive data.
The method for controllable sharing of sensitive data as described above, wherein, preferably, the following steps are further included before step S106: step S102, receiving a registration request and verifying the registration request; and step S104, pre-storing the user identity information after the registration request is verified to be qualified.
The method for controllable sharing of sensitive data as described above, wherein, preferably, generating the intelligent contract according to the sensitive data application request includes the following sub-steps: extracting each element in the sensitive data application request to form a contract constituent element set; calculating the similarity between each element in the contract constituent element set and the representative keyword of each preset category, and classifying each element into the preset category with the maximum similarity; taking the weight of the preset category corresponding to each element as the weight of the element to form an element weight set; selecting an expression model of the intelligent contract from a pre-established intelligent contract expression model library according to the contract constituent element set and the element weight set; and adding each element extracted from the sensitive data application request into the intelligent contract expression model to form the intelligent contract.
The method for controllable sharing of sensitive data as described above, wherein preferably, the intelligent contract includes a data deformation algorithm, and the sensitive data is deformed according to the data deformation algorithm to obtain deformed data.
A sensitive data controllable sharing system comprises a data application layer, a sensitive data processing layer and a big data center; the data application layer comprises a data acquisition module; the sensitive data processing layer comprises a security guarantee module, an intelligent contract generation module, a data sandbox module and a data deformation module. The security guarantee module verifies the sensitive data application request; after the sensitive data application request is verified to be qualified, the intelligent contract generation module generates an intelligent contract according to the sensitive data application request; in response to generating the intelligent contract, the data sandbox module constructs a data sandbox specific to the intelligent contract and saves the intelligent contract into the data sandbox; the data deformation module processes, in the data sandbox and according to the intelligent contract, the sensitive data moved from the big data center into the data sandbox; and the data acquisition module provides the processed sensitive data to a user.
The sensitive data controllable sharing system as described above, wherein preferably, the data application layer includes: the data application module, the sensitive data processing layer includes: a sensitive data cataloging module; the sensitive data cataloging module queries the sensitive data cataloging according to the browsing command to obtain the relevant information of the sensitive data; and the data application module generates a sensitive data application request according to the obtained relevant information of the sensitive data.
The sensitive data controllable sharing system as described above, wherein, preferably, the data application layer further includes a registration module, and the security guarantee module includes a platform registration submodule and an identity information storage submodule; the registration module generates a registration request according to the identity information of the applicant; and the platform registration submodule receives the registration request, verifies it, and, after verifying that the registration request is qualified, pre-stores the applicant's identity information in the identity information storage submodule.
The sensitive data controllable sharing system as described above, wherein, preferably, the intelligent contract generation module extracts each element in the sensitive data application request to form a contract constituent element set; calculates the similarity between each element in the contract constituent element set and the representative keyword of each preset category, and classifies each element into the preset category with the maximum similarity; takes the weight of the preset category corresponding to each element as the weight of the element to form an element weight set; selects an expression model of the intelligent contract from a pre-established intelligent contract expression model library according to the contract constituent element set and the element weight set; and adds each element extracted from the sensitive data application request into the intelligent contract expression model to form the intelligent contract.
The above-mentioned sensitive data controllable sharing system, wherein preferably, the intelligent contract includes a data deformation algorithm, and the sensitive data is deformed according to the data deformation algorithm to obtain deformed data.
Compared with the background art, the sensitive data controllable sharing method and the sensitive data controllable sharing system can generate an intelligent contract according to a sensitive data application request, generate a data sandbox according to the intelligent contract, and store the sensitive data of the intelligent contract and the big data center in the data sandbox, so that the sensitive data in the data sandbox can be shared in a certain range, and the security of the sensitive data can be effectively ensured.
Drawings
In order to illustrate the embodiments of the present invention or the technical solutions of the prior art more clearly, the drawings used in describing the embodiments or the prior art are briefly introduced below. It is obvious that the drawings in the following description are only some embodiments of the present invention, and other drawings can be obtained by those skilled in the art from these drawings.
FIG. 1 is a flowchart of a method for controllable sharing of sensitive data according to an embodiment of the present disclosure;
fig. 2 is a schematic diagram of a sensitive data controllable sharing system provided in an embodiment of the present application.
Detailed Description
Reference will now be made in detail to embodiments of the present invention, examples of which are illustrated in the accompanying drawings, wherein like or similar reference numerals refer to the same or similar elements or elements having the same or similar function throughout. The embodiments described below with reference to the drawings are illustrative only and should not be construed as limiting the invention.
Example one
As shown in fig. 1, fig. 1 is a flowchart of a method for controllable sharing of sensitive data according to an embodiment of the present application.
The application provides a sensitive data controllable sharing method, which comprises the following steps:
step S110, verifying the sensitive data application request, if the sensitive data application request is qualified, performing step S120, and if the sensitive data application request is unqualified, ending the process;
The sensitive data application request includes the relevant information of the sensitive data and the identity information of the applicant. For example, the relevant information of the sensitive data comprises data use application program information, the data use range, the data use time limit and the like; the identity information of the applicant is the applicant's identity token.
The identity information of the applicant contained in the sensitive data application request is compared with the prestored identity information. If they do not match, the sensitive data application request is unqualified and the process ends. If they match, it is judged whether the sensitive data application request conforms to a preset sensitive data management rule; if not, the sensitive data application request is unqualified and the process ends; if so, the sensitive data application request is qualified and step S120 is performed.
Before step S110, the method for controllable sharing of sensitive data provided by the present application further includes the following steps:
s106, inquiring the sensitive data catalogues according to the browsing command to obtain the relevant information of the sensitive data;
The sensitive data catalog is based on the data catalog of the big data center; the sensitive data catalog is queried according to the received browsing command, and the relevant information of the sensitive data the user wants is looked up in the sensitive data catalog.
Step S108, generating a sensitive data application request according to the obtained relevant information of the sensitive data;
the sensitive data application request comprises the related information of the sensitive data obtained by query and the identity information of the applicant. For example: the relevant information of the sensitive data is application fields, application ranges and the like; the identity information of the applicant is an identity token of the applicant.
On the basis, before step S106, the method for controllable sharing of sensitive data provided by the present application further includes the following steps:
step S102, receiving a registration request and verifying the registration request;
the user provides identity information and a registration request is generated for the identity information. The registration request includes identity information of the user, and the identity information includes: the name of the user, a license number/identification number, a telephone number, a verification mailbox, and the like.
Step S104, after the registration request is verified to be qualified, the user identity information is prestored;
After the registration request of the user is verified to be qualified, the user identity information is prestored, for example the identity token is stored, so that the validity of the sensitive data application request can be verified when the user later applies for sensitive data.
Step S120, generating an intelligent contract according to the sensitive data application request;
Specifically, each element in the sensitive data application request is extracted to form a contract constituent element set [formula image], where [formula image] denotes the elements in the sensitive data application request and n is the number of elements in the set. For example, [formula image] is the data use application information, [formula image] the data use range, [formula image] the data use time limit, [formula image] the applicant's identity token, and so on.
And respectively calculating the similarity between each element in the contract element set and the representative keyword of each preset category, and classifying each element into the preset category corresponding to the maximum similarity.
Taking the weight of the preset category corresponding to each element as the weight of the element, an element weight set [formula image] is formed, where [formula image] denotes the weights and n is the number of elements in the set. For example, [formula image] is the weight of [formula image], [formula image] is the weight of [formula image], [formula image] is the weight of [formula image], and [formula image] is the weight of [formula image].
According to the contract constituent element set [formula image] and the element weight set [formula image], an expression model of the intelligent contract is selected from a pre-created intelligent contract expression model library. Specifically, the model selection index is calculated according to the following formula:

[formula image]

where W is the model selection index, [formula image] is an element in the sensitive data application request, [formula image] is the weight of [formula image], and [formula image] is the number of elements in the set. An expression model of the intelligent contract is then selected from the pre-created intelligent contract expression model library according to the model selection index [formula image].
Each element extracted from the sensitive data application request is added to the intelligent contract expression model to form the intelligent contract. Specifically, the formed intelligent contract describes the data user, the permitted data use scenario, the data deformation method, the data encryption method, the data destruction method and the like. The generated intelligent contract is stored on each node of the blockchain, and the tamper-resistance of the blockchain guarantees that the generated intelligent contract is not tampered with during use and transmission, thereby guaranteeing the security and compliance of the data.
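The contract generation of step S120 (element extraction, similarity classification, per-element weights, model selection by W, filling the expression model), worked through as an added example in Python; this is illustrative code, not the patent's own. The keyword table, the category weights, the token-Jaccard similarity, the formula assumed for W (summed weight of the distinct categories covered), the model library and the SHA-256 digest used as the tamper-evidence value a blockchain node would anchor are all assumptions, since the patent's own formula for W is an image that did not survive extraction.

```python
import hashlib
import json
from typing import Dict, List, Optional, Tuple

# Preset categories: representative keywords and the weight each category
# carries (keyword table and weights are assumptions for this example).
CATEGORIES: Dict[str, Tuple[set, float]] = {
    "usage_program": ({"application", "program", "analytics", "model"}, 0.2),
    "usage_scope": ({"range", "scope", "department", "region"}, 0.3),
    "usage_period": ({"time", "period", "week", "days", "limit"}, 0.3),
    "identity": ({"token", "identity", "applicant"}, 0.2),
}

# Intelligent contract expression model library (assumed): each entry gives the
# minimum model selection index W at which that model may be used.
MODEL_LIBRARY = [
    (1.0, {"name": "full_sharing_model", "deformation": "partial_mask",
           "encryption": "contract_key", "destruction": "time_and_visit_count"}),
    (0.7, {"name": "restricted_model", "deformation": "full_mask",
           "encryption": "contract_key", "destruction": "time_only"}),
]


def tokens(text: str) -> set:
    """Crude tokeniser: lower-cased words with surrounding punctuation stripped."""
    return {w.strip(".,:;()").lower() for w in text.split() if w.strip(".,:;()")}


def jaccard(a: set, b: set) -> float:
    return len(a & b) / len(a | b) if (a or b) else 0.0


def classify(element: str) -> Optional[Tuple[str, float]]:
    """Put an element into the preset category whose representative keywords are
    most similar to it (token Jaccard, an assumption). Returns (category, weight),
    or None when no category matches at all."""
    scores = {cat: jaccard(tokens(element), kws) for cat, (kws, _) in CATEGORIES.items()}
    best = max(scores, key=scores.get)
    if scores[best] == 0.0:
        return None
    return best, CATEGORIES[best][1]


def selection_index(categories) -> float:
    """Model selection index W, assumed here to be the summed weight of the distinct
    categories the request covers (1.0 when every category is present)."""
    return round(sum(CATEGORIES[c][1] for c in categories), 6)


def select_model(w: float) -> Optional[dict]:
    for threshold, model in MODEL_LIBRARY:
        if w >= threshold:
            return model
    return None


def contract_digest(contract: dict) -> str:
    """SHA-256 over the canonical JSON of the contract without its digest field;
    the value a blockchain node would store to detect later tampering."""
    body = {k: v for k, v in contract.items() if k != "digest"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


def generate_contract(request: Dict[str, str]) -> Optional[dict]:
    """Steps of S120: extract elements, classify and weight them, select an
    expression model by W, then fill the model with the elements."""
    by_category: Dict[str, List[str]] = {}
    for field, value in request.items():
        element = f"{field}: {value}"
        hit = classify(element)
        if hit is not None:
            by_category.setdefault(hit[0], []).append(element)
    w = selection_index(by_category)
    model = select_model(w)
    if model is None:  # too few recognised elements for any model in the library
        return None
    contract = {
        "model": model["name"],
        "selection_index": w,
        "data_user": by_category.get("identity", []),
        "permitted_use_scene": by_category.get("usage_program", []) + by_category.get("usage_scope", []),
        "data_deformation_method": model["deformation"],
        "data_encryption_method": model["encryption"],
        "data_destruction_method": {"rule": model["destruction"],
                                    "period": by_category.get("usage_period", [])},
    }
    contract["digest"] = contract_digest(contract)
    return contract


# Constructed sample request (not real data).
SAMPLE_REQUEST = {
    "data use application program": "credit risk model training",
    "data use range": "finance department only",
    "data use time limit": "7 days",
    "applicant identity token": "tok-0a1b2c3d",
}

if __name__ == "__main__":
    print(json.dumps(generate_contract(SAMPLE_REQUEST), indent=2))
```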
Step S130, responding to the generated intelligent contract, constructing a data sandbox special for the intelligent contract, and saving the intelligent contract into the data sandbox;
A data sandbox is a system for storing data; each data sandbox is an independent operating environment that allows the data inside it to be manipulated and computed on. In the present application, generating an intelligent contract means that sensitive data needs to be provided to a user under that intelligent contract, so a data sandbox is created and assigned to that intelligent contract only, making the data sandbox specific to the intelligent contract; the intelligent contract is then saved in the data sandbox.
Step S140, a safety channel is established between the data sandbox and the big data center, and sensitive data of the big data center are transmitted to the data sandbox through the safety channel;
Specifically, a multilayer security-guaranteed data transmission channel is established between the data sandbox and the sensitive data management platform by means of an asymmetric encryption protocol and a secure transmission protocol, and the sensitive data is transmitted from the big data center to the data sandbox through the established secure channel.
Step S150, processing the sensitive data in the data sandbox according to the intelligent contract;
Specifically, the intelligent contract includes a data deformation algorithm, and the sensitive data is deformed according to the data deformation algorithm to obtain deformed data. For example, the deformed data is calculated according to the following formula:

[formula image]

where [formula image] is the identity information in the sensitive data, [formula image] is the number of characters of the identity information [formula image], [formula image] is the largest integer not greater than [formula image], [formula image] is the X characters taken from the leftmost character of [formula image], [formula image] is the [formula image] characters taken from the rightmost character of [formula image], [formula image] is a generated random number, and [formula image] is a tunable factor with 0 < k < 1; k changes gradually from 1 to 0 to achieve smooth splicing of the overlap region between the characters of [formula image] and [formula image], and between the characters of [formula image] and [formula image]. Let k = d1/(d1 + d2), where d1 denotes the average distance from a character in the overlap region to the leftmost character of [formula image], and d2 denotes the average distance from that character to the rightmost character of [formula image].
In addition, the deformed data or the sensitive data is encrypted according to the encryption mode specified by the intelligent contract. Specifically, the obtained deformed data or sensitive data may be encrypted with a private key recorded in the intelligent contract. Furthermore, an authentication identifier can be added to the deformed data or the sensitive data, for example by adding a watermark to picture data.
On this basis, when the use of the sensitive data reaches a preset destruction rule, the sensitive data stored in the data sandbox is destroyed according to that rule. The destruction rules include: timeliness, number of visits or frequency of visits, and combinations of timeliness, number of visits and frequency of visits. For example, the shared sensitive data stored in the data sandbox is allowed to be used for only one week, and the data in the data sandbox is destroyed immediately once the week is exceeded, so that the sensitive data cannot be used indefinitely in an uncontrolled state and data leakage is prevented.
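The destruction rules just described (timeliness, number of visits, frequency of visits, and their combination) enforced on a data sandbox, as an added example in Python; this is illustrative code, not the patent's implementation. The class and field names, the one-hour window over which visit frequency is measured, the choice to destroy the data as soon as a count is reached, and the constructed scenarios are assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Any, List, Optional


@dataclass
class DestructionRule:
    """Destruction rule recorded in the intelligent contract (names assumed).
    Any subset of the three conditions may be set; the sandbox data is
    destroyed as soon as one of them is reached."""
    validity: Optional[timedelta] = None          # timeliness, e.g. one week
    max_visits: Optional[int] = None              # total number of visits allowed
    max_visits_per_window: Optional[int] = None   # frequency of visits ...
    window: timedelta = timedelta(hours=1)        # ... measured over this window (assumed)


@dataclass
class DataSandbox:
    """A data sandbox holding the sensitive data shared under one intelligent contract."""
    contract_id: str
    rule: DestructionRule
    created_at: datetime
    payload: Optional[Any] = None                 # the shared (deformed) sensitive data
    visits: List[datetime] = field(default_factory=list)
    destroyed: bool = False
    reason: Optional[str] = None

    def violated_rule(self, now: datetime) -> Optional[str]:
        """Return the first destruction condition reached at time `now`, or None."""
        r = self.rule
        if r.validity is not None and now - self.created_at > r.validity:
            return "timeliness: validity period exceeded"
        if r.max_visits is not None and len(self.visits) >= r.max_visits:
            return "number of visits: quota exhausted"
        if r.max_visits_per_window is not None:
            recent = [t for t in self.visits if now - t <= r.window]
            if len(recent) >= r.max_visits_per_window:
                return "frequency of visits: window ceiling reached"
        return None

    def destroy(self, reason: str) -> None:
        """Destroy the sensitive data held in the sandbox and record why."""
        self.payload = None
        self.destroyed = True
        self.reason = reason

    def sweep(self, now: datetime) -> bool:
        """Periodic check that needs no user access (the 'destroy immediately once
        the week is exceeded' case). Returns True if the sandbox was destroyed now."""
        if self.destroyed:
            return False
        reason = self.violated_rule(now)
        if reason is None:
            return False
        self.destroy(reason)
        return True

    def access(self, now: datetime) -> Optional[Any]:
        """Serve one user access at `now`: the payload, or None when the sandbox
        is (or has just become) destroyed. Rules are checked before serving."""
        if self.destroyed or self.sweep(now):
            return None
        self.visits.append(now)
        return self.payload


def run_scenarios() -> dict:
    """Three constructed scenarios, one per rule type; returns plain values."""
    t0 = datetime(2021, 1, 4, 9, 0)
    # Frequency: at most 2 visits per hour; a third visit within 20 minutes destroys the data.
    freq = DataSandbox("contract-0001", DestructionRule(max_visits_per_window=2), t0, payload="rows")
    freq_served = [freq.access(t0 + timedelta(minutes=m)) is not None for m in (0, 10, 20)]
    # Timeliness: one-week validity; destruction happens on a sweep, without any access.
    week = DataSandbox("contract-0002", DestructionRule(validity=timedelta(weeks=1)), t0, payload="rows")
    week_ok = week.access(t0 + timedelta(days=6)) is not None
    week_swept = week.sweep(t0 + timedelta(days=8))
    # Number of visits: quota of 3, accesses spaced an hour apart.
    quota = DataSandbox("contract-0003", DestructionRule(max_visits=3), t0, payload="rows")
    quota_served = [quota.access(t0 + timedelta(hours=h)) is not None for h in range(4)]
    return {
        "frequency": (freq_served, freq.reason),
        "timeliness": (week_ok, week_swept, week.payload, week.reason),
        "visits": (quota_served, quota.reason),
    }


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(name, outcome)
```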
And step S160, providing the sensitive data after data processing to a user.
After the sensitive data has been processed in the data sandbox, the processed sensitive data is sent to the user.
Example two
As shown in fig. 2, fig. 2 is a schematic diagram of a sensitive data controllable sharing system provided in an embodiment of the present application.
The application provides a sensitive data controllable sharing system, which includes a data application layer 210, a sensitive data processing layer 220 and a big data center 230. The big data center 230 depends on the data center platform of the national grid big data center, and divides the data in the data center platform into a light summary layer and a detail layer for each topic, for example personnel topics, material topics, financial topics, project topics, asset topics, customer topics, grid topics and so on, and of course other data assets as well, such as service topics.
The data application layer 210 includes: a data application module 211 and a data acquisition module 212.
The sensitive data processing layer 220 includes: the system comprises a sensitive data cataloging module 221, a security guarantee module 222, an intelligent contract generating module 223, a data sandbox module 224 and a data deformation module 225.
The sensitive data cataloging module 221 queries the sensitive data catalog according to the browsing command to obtain the relevant information of the sensitive data. Specifically, the sensitive data cataloging module 221 receives the browsing command and queries the sensitive data catalog according to it; the sensitive data catalog depends on the data catalog of the big data center 230, and the relevant information of the sensitive data the user wants is looked up in the sensitive data catalog.
The data application module 211 generates a sensitive data application request according to the obtained relevant information of the sensitive data. The sensitive data application request comprises the related information of the sensitive data obtained by query and the identity information of the applicant. For example: the relevant information of the sensitive data is application fields, application ranges and the like; the identity information of the applicant is an identity token of the applicant.
The security guarantee module 222 verifies the sensitive data application request. The sensitive data application request includes the relevant information of the sensitive data and the identity information of the applicant; for example, the relevant information of the sensitive data comprises data use application program information, the data use range, the data use time limit and the like, and the identity information of the applicant is the applicant's identity token.
Specifically, the security guarantee module 222 includes a validity check submodule 2221 and an identity information storage submodule 2222. The validity check submodule 2221 compares the identity information of the applicant included in the sensitive data application request with the identity information prestored in the identity information storage submodule 2222. If they do not match, the sensitive data application request is unqualified and the process ends. If they match, it is judged whether the sensitive data application request meets the preset sensitive data management rule; if not, the sensitive data application request is unqualified and the process ends; if so, the sensitive data application request is qualified.
On this basis, the data application layer 210 further includes a registration module 213, and the security guarantee module 222 further includes a platform registration submodule 2223. The registration module 213 generates a registration request based on the identity information of the applicant: the user provides identity information, and the registration module 213 generates a registration request for it, where the registration request includes the identity information of the user, such as the user's name, license number/identification number, telephone number, verification mailbox and the like. The platform registration submodule 2223 receives the registration request, verifies it, and prestores the user identity information in the identity information storage submodule 2222 after the registration request is verified to be qualified. After the registration request of the user is verified to be qualified, the user identity information, for example the identity token, is stored in the identity information storage submodule 2222, so that the validity of the sensitive data application request can be verified when the user later applies for sensitive data.
After the sensitive data application request is verified to be qualified, the intelligent contract generating module 223 generates an intelligent contract according to the sensitive data application request.
Specifically, each element in the sensitive data application request is extracted to form a contract constituent element set [formula], where [symbol] are the elements of the sensitive data application request and n is the number of elements. For example, [symbol] is the data use application information, [symbol] is the data use range, [symbol] is the data use time, [symbol] is the identity token of the applicant, and so on.

The similarity between each element of the contract constituent element set and the representative keywords of each preset category is then calculated, and each element is classified into the preset category with the maximum similarity.

The weight of the preset category corresponding to each element is taken as the weight of that element, forming an element weight set [formula], where [symbol] is the weight corresponding to an element and n is the number of weights. For example, [symbol] is the weight of the data use application information, [symbol] is the weight of the data use range, [symbol] is the weight of the data use time, and [symbol] is the weight of the identity token.

An expression model of the intelligent contract is selected from a pre-created intelligent contract expression model library according to the contract constituent element set [formula] and the element weight set [formula]. Specifically, a model selection index W is calculated according to the formula [formula], where W is the model selection index, [symbol] is an element of the sensitive data application request, [symbol] is the weight of that element, and [symbol] is the number of elements in the set. The expression model of the intelligent contract is then selected from the pre-created library according to the model selection index W.
And adding each element extracted from the sensitive data application request to the intelligent contract expression model so as to form the intelligent contract. Specifically, the formed intelligent contract describes a data user, a permitted data use scene, a data deformation method, a data encryption method, a data destruction method and the like.
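The Python sketch below is an added illustration, not part of the patent, and runs the steps above end to end: element extraction, classification by keyword similarity, weighting, model selection by index, and filling the selected expression model. The patent does not give the similarity measure, the category keywords and weights, the formula for W, or the contents of the model library; the example assumes token-set Jaccard similarity, small integer weights, W = (sum of element weights) / n, and a two-entry library keyed by a minimum W. Every category name, keyword, weight and model field is hypothetical.

```python
# Added example, not the patent's code. Generates a contract from the elements of
# a sensitive data application request. Assumptions (unspecified in the patent):
# token-set Jaccard similarity as the similarity measure, the category keywords and
# integer weights, the selection index W = sum(weights) / n, and the model library.

CATEGORIES = {
    # preset category: (representative keywords, weight)
    "use_info":  ({"purpose", "application", "use", "analysis"}, 2),
    "use_range": ({"range", "scope", "department", "project"}, 3),
    "use_time":  ({"time", "days", "until", "deadline"}, 2),
    "identity":  ({"token", "applicant", "identity", "user"}, 3),
}

MODEL_LIBRARY = [
    # (minimum W, expression model): the highest threshold not above W is chosen
    (0.0, {"model": "basic", "deformation": "mask-identity-fields",
           "encryption": "aes-256-gcm", "destruction": "after 7 days"}),
    (2.5, {"model": "strict", "deformation": "mask-identity-fields",
           "encryption": "aes-256-gcm", "destruction": "after 1 day or 10 accesses"}),
]


def tokens(text):
    """Lower-cased word set of a label or value."""
    return {t.strip(".,;:").lower() for t in text.split()}


def jaccard(a, b):
    return len(a & b) / len(a | b) if a | b else 0.0


def classify(element):
    """Assign an element (label, value) to the preset category of maximum similarity."""
    words = tokens(element[0]) | tokens(element[1])
    return max(CATEGORIES, key=lambda c: jaccard(words, CATEGORIES[c][0]))


def selection_index(weights):
    """Assumed form of the model selection index W."""
    return sum(weights) / len(weights)


def generate_contract(elements):
    """Element set -> weights -> selected expression model -> filled contract."""
    if not elements:
        raise ValueError("empty sensitive data application request")
    categorised = {classify(e): e[1] for e in elements}
    weights = [CATEGORIES[classify(e)][1] for e in elements]
    w = selection_index(weights)
    model = max((m for m in MODEL_LIBRARY if m[0] <= w), key=lambda m: m[0])[1]
    # a contract that names no data user or no permitted use is not a usable policy
    for required in ("identity", "use_info"):
        if required not in categorised:
            raise ValueError(f"request lacks an element of category {required}")
    contract = dict(model)
    contract.update({
        "selection_index": w,
        "data_user": categorised["identity"],
        "permitted_use": categorised["use_info"],
        "use_range": categorised.get("use_range"),
        "use_time": categorised.get("use_time"),
    })
    return contract
```

The index is only a stand-in for the patent's formula. The completeness check is the part worth keeping whatever the formula is: a contract generated from a request with no identity element would otherwise authorise processing with no accountable data user.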
In response to generating the intelligent contract, data sandbox module 224 constructs a data sandbox specific to the intelligent contract and saves the intelligent contract into the data sandbox.
A data sandbox is a data storage system in which each sandbox is an independent operating environment that allows data to be manipulated and computed on inside the sandbox. In the present application, generating an intelligent contract means that sensitive data must be provided to a user under that contract, so a data sandbox is allocated and bound to that intelligent contract alone; the sandbox is therefore specific to the contract, and the contract itself is saved in the sandbox.
A secure channel is established between the data sandbox and the big data center, and the sensitive data of the big data center is transmitted to the data sandbox through that channel. Specifically, a multilayer secured data transmission channel is established between the data sandbox and the sensitive data management platform by combining an asymmetric (public-key) encryption protocol with a secure transport protocol (in practice, a mutually authenticated TLS connection satisfies both requirements). The sensitive data is then moved from the big data center into the data sandbox over the established secure channel.
The data deformation module 225 processes, inside the data sandbox and according to the intelligent contract, the sensitive data that was moved from the big data center into the sandbox.

Specifically, the intelligent contract comprises a data deformation algorithm, and the sensitive data is deformed according to that algorithm to obtain deformed data. For example, the deformed data is calculated according to the formula [formula], where [symbol] is the identity information in the sensitive data, [symbol] is the number of characters of that identity information, [symbol] is the largest integer not greater than [symbol], [symbol] denotes taking x characters starting from the leftmost character of [symbol], [symbol] denotes taking [symbol] characters starting from the rightmost character of [symbol], [symbol] is a generated random number, and [symbol] is a tunable factor with 0 < k < 1. k changes gradually from 1 to 0 to achieve a smooth splice of the overlap region between the characters of [symbol] and [symbol], and between the characters of [symbol] and [symbol]; let k = d1/(d1 + d2), where d1 denotes the average distance from the characters in the overlap region to the leftmost character of [symbol], and d2 denotes the average distance from the characters in the overlap region to the rightmost character of [symbol].

In addition, the deformed data or the sensitive data is encrypted in the manner specified by the intelligent contract. The description states that the deformed data or sensitive data may be encrypted with a private key recorded in the smart contract; a practitioner should note that key material written into a contract is readable by every party that can read the contract, so the contract should at most identify the key, with the key itself held outside it. Furthermore, an authentication identifier can be added to the deformed data or sensitive data, for example a watermark in picture data.
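As an added example (not the patent's code), the deformation step above in Python. The patent's formula survives on this page only as an image placeholder, so the split points are assumptions: floor(L/3) characters kept on the left, floor(L/4) kept on the right, at least four characters masked, and a digit alphabet for the random filler. The blending factor k, which describes smoothing an overlap region, has no meaning for discrete characters and is not implemented. The 18-digit sample value and the deform_fields contract key are constructed for the example.

```python
import secrets

# Added example, not the patent's code. Implements the character-level deformation
# described above: keep x characters from the left and y from the right of an
# identity string and replace the middle with random characters. Assumptions:
# x = floor(L/3), y = floor(L/4), a minimum of 4 masked characters, digit alphabet.
# The blending factor k from the description is not implemented.

MIN_MASKED = 4  # assumed: refuse to "deform" a value so short that nothing is hidden


def deform_identity(value, alphabet="0123456789"):
    """Return value with its middle replaced by random characters, same length."""
    length = len(value)
    x = length // 3           # assumed: characters retained from the left
    y = length // 4           # assumed: characters retained from the right
    masked = length - x - y
    if masked < MIN_MASKED:
        raise ValueError("value too short to deform safely")
    # secrets, not random: the filler must not be predictable from earlier outputs
    filler = "".join(secrets.choice(alphabet) for _ in range(masked))
    return value[:x] + filler + value[length - y:]


def deform_record(record, contract):
    """Apply the contract's deformation to the fields it names; copy the rest unchanged."""
    fields = set(contract.get("deform_fields", ()))   # contract key is an assumption
    return {k: deform_identity(v) if k in fields else v for k, v in record.items()}
```

Two properties of this transform matter when the contract is written. The retained prefix and suffix stay in clear, so the output is still quasi-identifying and must be treated as such. And because the filler is random, the same input deforms differently on each call, which breaks joins between records; where a data user legitimately needs to join on the identity field, a keyed pseudonym (an HMAC under a key kept outside the sandbox) is the usual substitute.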
The data acquisition module 212 provides the processed sensitive data to the user: after the sensitive data has been processed in the data sandbox, the processed data is sent to the user through the data acquisition module 212.
On the basis, when the use of the sensitive data reaches a preset destroying rule, the sensitive data stored in the data sandbox is destroyed according to the destroying rule. Wherein the destruction rules include: timeliness, number of visits or frequency of visits, and combinations of timeliness, number of visits, frequency of visits. Such as: the shared sensitive data stored in the data sandbox is allowed to be used for only one week, and the data of the data sandbox is destroyed immediately after exceeding one week, so that the sensitive data is prevented from being used indefinitely in an uncontrolled state, and data leakage is prevented.
According to the method and system of the present application, an intelligent contract is generated from the sensitive data application request, a data sandbox is generated for that intelligent contract, and the intelligent contract together with the sensitive data from the big data center is stored in the data sandbox, so that the sensitive data in the sandbox can be shared within a defined scope while its security is effectively guaranteed.
It will be evident to those skilled in the art that the invention is not limited to the details of the foregoing illustrative embodiments, and that the present invention may be embodied in other specific forms without departing from the spirit or essential attributes thereof. The present embodiments are therefore to be considered in all respects as illustrative and not restrictive, the scope of the invention being indicated by the appended claims rather than by the foregoing description, and all changes which come within the meaning and range of equivalency of the claims are therefore intended to be embraced therein. Any reference sign in a claim should not be construed as limiting the claim concerned.
Furthermore, it should be understood that although the present description refers to embodiments, not every embodiment contains only a single independent technical solution; the description is organised in this way for clarity only, and those skilled in the art should read the description as a whole and combine the embodiments as appropriate to form other embodiments that they would understand.

Claims (10)

1. A controllable sharing method for sensitive data is characterized by comprising the following steps:
step S110, verifying the sensitive data application request, if the sensitive data application request is qualified, performing step S120, and if the sensitive data application request is unqualified, ending the process;
step S120, generating an intelligent contract according to the sensitive data application request;
step S130, responding to the generation of the intelligent contract, constructing a data sandbox special for the intelligent contract, and saving the intelligent contract into the data sandbox;
step S140, a safety channel is established between the data sandbox and the big data center, and sensitive data of the big data center are transmitted to the data sandbox through the safety channel;
s150, performing data processing on the sensitive data in the data sandbox according to the intelligent contract;
and step S160, providing the sensitive data after data processing to a user.
2. The method for controllable sharing of sensitive data according to claim 1, further comprising the following steps before step S110:
s106, inquiring the sensitive data catalogues according to the browsing command to obtain the relevant information of the sensitive data;
and S108, generating a sensitive data application request according to the obtained relevant information of the sensitive data.
3. The method for controllable sharing of sensitive data according to claim 2, further comprising the following steps before step S106:
step S102, receiving a registration request and verifying the registration request;
and step S104, pre-storing the user identity information after the registration request is verified to be qualified.
4. A method for controllable sharing of sensitive data according to any of claims 1-3, characterized in that generating an intelligent contract according to the sensitive data application request comprises the following sub-steps:
extracting each element in the sensitive data application request to form a contract constituent element set;
respectively calculating the similarity between each element in the contract element set and the representative keyword of each preset category, and classifying each element into the preset category corresponding to the maximum similarity;
taking the weight of the preset category corresponding to each element as the weight of the element to form an element weight set;
selecting an expression model of an intelligent contract from a pre-established intelligent contract expression model library according to a contract constituent element set and an element weight set;
and adding each element extracted from the sensitive data application request into an intelligent contract expression model to form an intelligent contract.
5. The controllable sharing method of sensitive data according to any one of claims 1 to 3, wherein the intelligent contract comprises a data deformation algorithm, and the sensitive data is deformed according to the data deformation algorithm to obtain deformed data.
6. A sensitive data controlled sharing system, comprising: the system comprises a data application layer, a sensitive data processing layer and a big data center;
the data application layer comprises: a data acquisition module;
the sensitive data processing layer comprises: the system comprises a security guarantee module, an intelligent contract generation module, a data sandbox module and a data deformation module;
the security guarantee module verifies the sensitive data application request;
after the sensitive data application request is verified to be qualified, the intelligent contract generating module generates an intelligent contract according to the sensitive data application request;
in response to generating an intelligent contract, a data sandbox module constructs a data sandbox specific to the intelligent contract and saves the intelligent contract into the data sandbox;
the data deformation module carries out data processing on the sensitive data moved from the big data center to the data sandbox in the data sandbox according to the intelligent contract;
and the data acquisition module provides the sensitive data after data processing for a user.
7. The sensitive data controllable sharing system according to claim 6, wherein the data application layer further comprises a data application module, and the sensitive data processing layer further comprises a sensitive data cataloging module;
the sensitive data cataloging module queries the sensitive data catalog according to the browsing command to obtain the relevant information of the sensitive data;
and the data application module generates a sensitive data application request according to the obtained relevant information of the sensitive data.
8. The sensitive data controllable sharing system according to claim 7, wherein the data application layer further comprises a registration module, and the security guarantee module comprises a platform registration submodule and an identity information storage submodule;
the registration module generates a registration request according to the identity information of the applicant;
and the platform registration submodule receives the registration request, verifies it, and prestores the user identity information in the identity information storage submodule after verifying that the registration request is qualified.
9. The sensitive data controllable sharing system according to any one of claims 6 to 8, wherein the intelligent contract generating module extracts each element in the sensitive data application request to form a contract constituent element set; respectively calculating the similarity between each element in the contract element set and the representative keyword of each preset category, and classifying each element into the preset category corresponding to the maximum similarity; taking the weight of the preset category corresponding to each element as the weight of the element to form an element weight set; selecting an expression model of an intelligent contract from a pre-established intelligent contract expression model library according to a contract constituent element set and an element weight set; and adding each element extracted from the sensitive data application request into an intelligent contract expression model to form an intelligent contract.
10. The sensitive data controllable sharing system according to any one of claims 6 to 8, wherein the intelligent contract comprises a data deformation algorithm, and the sensitive data is deformed according to the data deformation algorithm to obtain deformed data.
CN202110010440.5A, priority date 2021-01-06, filing date 2021-01-06: Sensitive data controllable sharing system and method. Status: Active. Granted publication: CN112329007B (en).

Priority Applications (1)

Application Number: CN202110010440.5A (CN112329007B); Priority Date: 2021-01-06; Filing Date: 2021-01-06; Title: Sensitive data controllable sharing system and method

Publications (2)

CN112329007A (en), published 2021-02-05
CN112329007B (en), published 2021-04-13

Family

ID=74302494

Country Status (1)

CN: CN112329007B (en)

Cited By (3)

* Cited by examiner, † Cited by third party

CN112800473A * (priority 2021-03-17, published 2021-05-14), 好人生(上海)健康科技有限公司: Data processing method based on big data safety house
CN113177790A * (priority 2021-04-27, published 2021-07-27), 北京海泰方圆科技股份有限公司: Block chain-based car booking method, device, equipment and medium for Internet of vehicles
CN115659383A * (priority 2022-12-29, published 2023-01-31), 中信天津金融科技服务有限公司: Electronic file secure sharing method and system

Citations (5)

* Cited by examiner, † Cited by third party

CN111797415A * (priority 2020-06-30, published 2020-10-20), 远光软件股份有限公司: Block chain based data sharing method, electronic device and storage medium
CN111901432A * (priority 2020-07-31, published 2020-11-06), 广东尚恒智汇科技发展有限公司: Block chain-based safety data exchange method
CN112000679A * (priority 2020-08-22, published 2020-11-27), 杭州烽顺科技信息服务有限公司: Block chain data processing method and device with separated business operation and data operation
CN112003886A * (priority 2020-07-03, published 2020-11-27), 北京工业大学: Block chain-based Internet of things data sharing system and method
CN112148280A * (priority 2020-09-21, published 2020-12-29), 中国电子科技网络信息安全有限公司: Block chain-based data evidence storage service templated development method

Also Published As

CN112329007B (en), published 2021-04-13

Legal Events

PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant