CN112528311B - Data management method, device and terminal - Google Patents
- Publication number: CN112528311B
- Application number: CN202011545716.1A
- Authority: CN (China)
- Prior art keywords: sensitive data; storage space; terminal; server; data
- Legal status: Active
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/602—Providing cryptographic facilities or services
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F11/00—Error detection; Error correction; Monitoring
- G06F11/07—Responding to the occurrence of a fault, e.g. fault tolerance
- G06F11/14—Error detection or correction of the data by redundancy in operation
- G06F11/1402—Saving, restoring, recovering or retrying
- G06F11/1446—Point-in-time backing up or restoration of persistent data
- G06F11/1448—Management of the data involved in backup or backup restore
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/62—Protecting access to data via a platform, e.g. using keys or access control rules
- G06F21/6218—Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
- G06F21/6245—Protecting personal data, e.g. for financial or medical purposes
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/64—Protecting data integrity, e.g. using checksums, certificates or signatures
Landscapes
- Engineering & Computer Science (AREA)
- Theoretical Computer Science (AREA)
- General Physics & Mathematics (AREA)
- Bioethics (AREA)
- General Health & Medical Sciences (AREA)
- Physics & Mathematics (AREA)
- General Engineering & Computer Science (AREA)
- Health & Medical Sciences (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- Software Systems (AREA)
- Medical Informatics (AREA)
- Databases & Information Systems (AREA)
- Quality & Reliability (AREA)
- Storage Device Security (AREA)
Abstract
The application provides a data management method, a data management device and a terminal, and belongs to the technical field of data processing. The method comprises: receiving sensitive data sent by a server; obtaining the public key of the server and encrypting the sensitive data based on that public key to obtain backed-up sensitive data; and storing the sensitive data and the backed-up sensitive data in the local device, where the sensitive data is used by the local device to process service requests. The sensitive data that would otherwise be backed up by the server is thereby migrated to the terminal, and the backup is performed by the local device. This solves the problem of high server storage pressure caused by the server having to back up the sensitive data of a plurality of local devices, and reduces the storage pressure on the server.
Description
Technical Field
The present invention relates to the field of data processing technologies, and in particular, to a data management method, device, and terminal.
Background
A terminal stores sensitive data, such as the driver information and vehicle information of a vehicle, and uses this sensitive data to process service requests. If the sensitive data stored in the terminal has been tampered with by a malicious party, the result of processing a service request will be wrong, so the sensitive data in the terminal needs to be recovered.
In the related art, to improve data security, sensitive data is generally stored in the terminal and backed up in a server. When the sensitive data stored in the terminal is tampered with, the backed-up sensitive data can be obtained from the server.
In the related art, because a server has to serve a plurality of terminals, it has to store the sensitive data of all of those terminals, which places a large storage pressure on the server.
Disclosure of Invention
The embodiments of the present application provide a data management method, a data management device and a terminal, which can reduce the storage pressure on a server. The technical solution is as follows:
In one aspect, a data management method is provided, the method including:
receiving sensitive data sent by a server;
obtaining the public key of the server, and encrypting the sensitive data based on the public key of the server to obtain backed-up sensitive data;
storing the sensitive data and the backed-up sensitive data in a local device, wherein the sensitive data is used by the local device to process service requests.
In one possible implementation, the method further includes:
obtaining the private key of the local device, and signing the sensitive data based on the private key of the local device to obtain signature information, wherein the signature information is used to check whether the sensitive data has been tampered with;
associating the signature information with the sensitive data, and storing the signature information in the local device.
In one possible implementation, the local device includes a first storage space and a second storage space; the storing the sensitive data and the backed-up sensitive data in the local device includes:
storing the sensitive data into the first storage space, and backing up the backed-up sensitive data into the second storage space;
wherein the sensitive data in the first storage space is used by the local device to process service requests, and the backed-up sensitive data in the second storage space is used to recover the sensitive data in the first storage space when signature verification of the sensitive data in the first storage space by the local device fails.
In another aspect, a data management method is provided, the method including:
in response to signature verification of the sensitive data in a first storage space of a local device failing, obtaining backed-up sensitive data from a second storage space of the local device, wherein the backed-up sensitive data is obtained by encrypting the sensitive data with the public key of a server;
sending the backed-up sensitive data to the server, wherein the server decrypts the backed-up sensitive data based on the private key of the server to obtain decrypted sensitive data;
receiving the decrypted sensitive data sent by the server, and storing the decrypted sensitive data in the first storage space, wherein the sensitive data in the first storage space is used by the local device to process service requests.
In one possible implementation, the method further includes:
receiving a service request, the service request being used to call sensitive data from the first storage space, and verifying the signature of the sensitive data in the first storage space; or,
in response to the local device starting up, verifying the signature of the sensitive data in the first storage space; or,
in response to the local device being initialized, verifying the signature of the sensitive data in the first storage space; or,
in response to the signature verification period being reached, verifying the signature of the sensitive data in the first storage space.
In one possible implementation, the verifying the signature of the sensitive data in the first storage space includes:
acquiring signature information associated with the sensitive data;
and, based on the signature information, verifying the signature of the sensitive data in the first storage space.
In one possible implementation, the sending the backup sensitive data to the server includes:
in response to the data length of the backed-up sensitive data being greater than a preset threshold value, slicing the backed-up sensitive data to obtain a plurality of data packets, and sending the data packets to the server;
and sending the backed-up sensitive data to the server in response to the data length of the backed-up sensitive data not being greater than the preset threshold.
In another aspect, there is provided a data management apparatus, the apparatus comprising:
the first receiving module is used for receiving the sensitive data sent by the server;
the first acquisition module is used for acquiring the public key of the server, encrypting the sensitive data based on the public key of the server, and obtaining the backed-up sensitive data;
and the first storage module is used for storing the sensitive data and the backed-up sensitive data into local equipment, wherein the sensitive data is used for processing a service request by the local equipment.
In one possible implementation, the apparatus further includes:
the second acquisition module is used for obtaining the private key of the local device and signing the sensitive data based on the private key of the local device to obtain signature information, wherein the signature information is used to check whether the sensitive data has been tampered with;
and the second storage module is used for associating the signature information with the sensitive data and storing the signature information in the local device.
In one possible implementation, the local device includes a first storage space and a second storage space; the first storage module is used for storing the sensitive data in the first storage space and backing up the backed-up sensitive data to the second storage space; the sensitive data in the first storage space is used by the local device to process service requests, and the backed-up sensitive data in the second storage space is used to recover the sensitive data in the first storage space when signature verification of the sensitive data in the first storage space by the local device fails.
In another aspect, there is provided a data management apparatus, the apparatus comprising:
the third acquisition module is used for, in response to signature verification of the sensitive data in the first storage space of the local device failing, obtaining backed-up sensitive data from the second storage space of the local device, wherein the backed-up sensitive data is obtained by encrypting the sensitive data with the public key of a server;
the sending module is used for sending the backed-up sensitive data to the server, wherein the server decrypts the backed-up sensitive data based on the private key of the server to obtain decrypted sensitive data;
and the third storage module is used for receiving the decrypted sensitive data sent by the server and storing the decrypted sensitive data in the first storage space, wherein the sensitive data in the first storage space is used by the local device to process service requests.
In one possible implementation, the apparatus further includes:
the signature verification module is used for receiving a service request, the service request being used to call sensitive data from the first storage space, and verifying the signature of the sensitive data in the first storage space; or,
the signature verification module is further used for verifying the signature of the sensitive data in the first storage space in response to the local device starting up; or,
the signature verification module is further used for verifying the signature of the sensitive data in the first storage space in response to the local device being initialized; or,
the signature verification module is further used for verifying the signature of the sensitive data in the first storage space in response to the signature verification period being reached.
In one possible implementation manner, the signature verification module is configured to obtain signature information associated with the sensitive data; and based on the signature information, checking the signature of the sensitive data in the first storage space.
In a possible implementation manner, the sending module is configured to, in response to a data length of the backed-up sensitive data being greater than a preset threshold, segment the backed-up sensitive data to obtain a plurality of data packets, and send the plurality of data packets to the server; and sending the backed-up sensitive data to the server in response to the data length of the backed-up sensitive data not being greater than the preset threshold.
In another aspect, a terminal is provided, the terminal including a processor and a memory, the memory storing at least one program code, the at least one program code loaded and executed by the processor to implement operations performed by the data management method described above.
In another aspect, a computer readable storage medium having at least one program code stored therein is provided, the at least one program code loaded and executed by a processor to implement the operations performed by the data management method described above.
In another aspect, a computer program product or a computer program is provided, the computer program product or the computer program comprising computer program code, the computer program code being stored in a computer readable storage medium. The computer program code is read from the computer readable storage medium by a processor of the terminal, which executes the computer program code such that the terminal performs the operations performed by the data management method described above.
In the embodiments of the present application, the sensitive data backed up by the local device is encrypted with the public key of the server, so the encryption of the backed-up sensitive data is not easy to break and the security of the sensitive data backed up on the local device can be ensured. The sensitive data that would otherwise be backed up by the server can therefore be migrated to the terminal, and the backup is performed by the local device. This solves the problem of high server storage pressure caused by the server having to back up the sensitive data of a plurality of local devices, and reduces the storage pressure on the server.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings that are needed in the description of the embodiments will be briefly introduced below, and it is obvious that the drawings in the following description are only some embodiments of the present application, and that other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
FIG. 1 is a schematic illustration of an implementation environment provided by embodiments of the present application;
FIG. 2 is a flow chart of a method for data management provided in an embodiment of the present application;
FIG. 3 is a flow chart of a method for data management according to an embodiment of the present application;
FIG. 4 is a flow chart of a method for data management provided in an embodiment of the present application;
FIG. 5 is a schematic diagram of a data management method according to an embodiment of the present application;
FIG. 6 is a schematic diagram of a data management method according to an embodiment of the present application;
FIG. 7 is a flow chart of a method for data management provided in an embodiment of the present application;
FIG. 8 is a schematic diagram of a data management method according to an embodiment of the present disclosure;
FIG. 9 is a schematic diagram of a data management method according to an embodiment of the present application;
FIG. 10 is a block diagram of a data management apparatus provided in an embodiment of the present application;
FIG. 11 is a block diagram of a data management apparatus provided in an embodiment of the present application;
FIG. 12 is a block diagram of a terminal provided in an embodiment of the present application.
Detailed Description
For the purpose of making the objects, technical solutions and advantages of the present application more apparent, the embodiments of the present application will be described in further detail below with reference to the accompanying drawings.
The terms "first," "second," "third," and "fourth" and the like in the description and in the claims of this application and in the drawings, are used for distinguishing between different objects and not for describing a particular sequential order. Furthermore, the terms "comprising," "including," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion. For example, a process, method, system, article, or apparatus that comprises a list of steps or elements is not limited to only those listed steps or elements but may include other steps or elements not listed or inherent to such process, method, article, or apparatus.
FIG. 1 is a schematic diagram of an implementation environment provided by embodiments of the present application. Referring to FIG. 1, the implementation environment includes a local device 10 and a server 20. The local device 10 is connected to the server 20 via a wireless network.
The local device 10 is a device used by a vehicle owner on any vehicle. The local device 10 comprises a first storage space 101, a second storage space 102 and a data management component 103. The first storage space 101 is the main storage space and stores the sensitive data in unencrypted form. The second storage space 102 is the backup storage space and stores the backed-up sensitive data. The data management component 103 is configured to interact with the server 20 and to perform read/write operations on the first storage space 101 and the second storage space 102.
The backed-up sensitive data is encrypted based on the public key of the server 20. If the sensitive data in the first storage space 101 is later tampered with, the local device 10 may request the server 20 to decrypt the backed-up sensitive data in the second storage space 102; functionally, therefore, the server 20 may be a decryption server or an encryption/decryption server. In the embodiments of the present application, the server 20 may be a single server, a server cluster formed by a plurality of servers, or a cloud computing service center, which is not specifically limited in this application.
Note that the embodiments of the present application are described taking the local device 10 being a terminal as an example.
The embodiments of the present application make full use of the independent memory of the local device 10: the sensitive data to be backed up is encrypted and stored in the second storage space 102, which is separate from the storage space holding the unencrypted sensitive data. This ensures the security of the stored sensitive data, and the sensitive data does not need to be stored in the server 20, which reduces the storage pressure placed on the server 20 by the sensitive data of a plurality of local devices 10.
FIG. 2 is a flowchart of a data management method according to an embodiment of the present application. The embodiment is described taking the local device being a terminal as an example. Referring to FIG. 2, this embodiment includes:
Step 201: the terminal receives sensitive data sent by a server;
Step 202: the terminal obtains the public key of the server and encrypts the sensitive data based on the public key of the server to obtain backed-up sensitive data;
Step 203: the terminal stores the sensitive data and the backed-up sensitive data locally, wherein the sensitive data is used by the terminal to process service requests.
In one possible implementation, the method further includes:
obtaining the private key of the terminal, and signing the sensitive data based on the private key of the terminal to obtain signature information, wherein the signature information is used to check whether the sensitive data has been tampered with;
associating the signature information with the sensitive data, and storing the signature information in the terminal.
In one possible implementation, the terminal includes a first storage space and a second storage space; the storing the sensitive data and the backed-up sensitive data in the terminal includes:
storing the sensitive data into the first storage space, and backing up the backed-up sensitive data into the second storage space;
wherein the sensitive data in the first storage space is used by the terminal to process service requests, and the backed-up sensitive data in the second storage space is used to recover the sensitive data in the first storage space when signature verification of the sensitive data in the first storage space by the terminal fails.
In the embodiments of the present application, the sensitive data backed up locally on the terminal is encrypted with the public key of the server, so the encryption of the backed-up sensitive data is not easy to break and the security of the locally backed-up sensitive data can be ensured. The sensitive data that would otherwise be backed up by the server can therefore be migrated to the terminal, and the backup is performed by the terminal. This solves the problem of high server storage pressure caused by the server having to back up the sensitive data of a plurality of terminals, and reduces the storage pressure on the server.
FIG. 3 is a flowchart of a data management method according to an embodiment of the present application. The embodiment is described taking the local device being a terminal as an example. Referring to FIG. 3, this embodiment includes:
Step 301: in response to signature verification of the sensitive data in the first storage space of the terminal failing, the terminal obtains backed-up sensitive data from the second storage space of the terminal, wherein the backed-up sensitive data is obtained by encrypting the sensitive data with the public key of a server;
Step 302: the terminal sends the backed-up sensitive data to the server, and the server decrypts the backed-up sensitive data based on the private key of the server to obtain decrypted sensitive data;
Step 303: the terminal receives the decrypted sensitive data sent by the server and stores the decrypted sensitive data in the first storage space, wherein the sensitive data in the first storage space is used by the terminal to process service requests.
In one possible implementation, the method further includes:
receiving a service request, the service request being used to call sensitive data from the first storage space, and verifying the signature of the sensitive data in the first storage space; or,
in response to the terminal starting up, verifying the signature of the sensitive data in the first storage space; or,
in response to the terminal being initialized, verifying the signature of the sensitive data in the first storage space; or,
in response to the signature verification period being reached, verifying the signature of the sensitive data in the first storage space.
In one possible implementation, the verifying the signature of the sensitive data in the first storage space includes:
acquiring signature information associated with the sensitive data;
and, based on the signature information, verifying the signature of the sensitive data in the first storage space.
In one possible implementation, the sending the backed-up sensitive data to the server includes:
in response to the data length of the backed-up sensitive data being greater than a preset threshold value, slicing the backed-up sensitive data to obtain a plurality of data packets, and sending the data packets to the server;
and sending the backed-up sensitive data to the server in response to the data length of the backed-up sensitive data not being greater than the preset threshold.
In the embodiments of the present application, if signature verification of the sensitive data in the first storage space of the terminal fails, the server decrypts the backed-up sensitive data from the second storage space. The encryption and the decryption of the sensitive data are thus performed by different devices, that is, recovery of the sensitive data relies on asymmetric encryption and decryption, which further improves the security of the recovery process.
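The backup flow of FIG. 2 and the recovery flow of FIG. 3, as an added Go example that is not code from the patent. The type and function names, RSA-OAEP for the backup, RSA-PSS over a SHA-256 digest for the signature information, the 100-byte slicing threshold, the sample record and the re-verification of recovered data are all assumptions of this sketch; with a 2048-bit key RSA-OAEP holds at most 190 bytes, so larger records would need hybrid encryption.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

const sliceThreshold = 100 // preset threshold in bytes (constructed value)

// Server keeps only its private key; it stores no per-terminal backup.
type Server struct{ priv *rsa.PrivateKey }

// Terminal models the local device and its two storage spaces.
type Terminal struct {
	signKey   *rsa.PrivateKey // terminal private key, used for signing
	serverPub *rsa.PublicKey  // server public key, used for the backup
	first     []byte          // first storage space: plaintext sensitive data
	second    []byte          // second storage space: encrypted backup
	sig       []byte          // signature information for the data in first
}

// newPair creates a server and a terminal with fresh 2048-bit RSA keys.
func newPair() (*Terminal, *Server, error) {
	sk, err1 := rsa.GenerateKey(rand.Reader, 2048)
	tk, err2 := rsa.GenerateKey(rand.Reader, 2048)
	if err1 != nil || err2 != nil {
		return nil, nil, errors.New("key generation failed")
	}
	return &Terminal{signKey: tk, serverPub: &sk.PublicKey}, &Server{priv: sk}, nil
}

// Store encrypts the backup for the server, signs the digest, fills both spaces.
func (t *Terminal) Store(data []byte) error {
	backup, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, t.serverPub, data, nil)
	if err != nil {
		return fmt.Errorf("backup: %w", err) // rsa.ErrMessageTooLong if oversized
	}
	digest := sha256.Sum256(data) // the "first characteristic value"
	sig, err := rsa.SignPSS(rand.Reader, t.signKey, crypto.SHA256, digest[:], nil)
	if err != nil {
		return fmt.Errorf("sign: %w", err)
	}
	t.first, t.second, t.sig = append([]byte(nil), data...), backup, sig
	return nil
}

// Verify checks the first storage space against the stored signature.
func (t *Terminal) Verify() bool {
	digest := sha256.Sum256(t.first)
	return rsa.VerifyPSS(&t.signKey.PublicKey, crypto.SHA256, digest[:], t.sig, nil) == nil
}

// slice splits a backup longer than sliceThreshold into several packets.
func slice(blob []byte) [][]byte {
	var packets [][]byte
	for len(blob) > sliceThreshold {
		packets = append(packets, blob[:sliceThreshold])
		blob = blob[sliceThreshold:]
	}
	return append(packets, blob)
}

// Decrypt reassembles the packets and decrypts with the server private key.
func (s *Server) Decrypt(packets [][]byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, s.priv, bytes.Join(packets, nil), nil)
}

// Recover sends the backup to the server and restores the first storage space.
// Assumption (not in the source text): recovered data must verify before use.
func (t *Terminal) Recover(s *Server) error {
	plain, err := s.Decrypt(slice(t.second))
	if err != nil {
		return fmt.Errorf("server decrypt: %w", err)
	}
	check := Terminal{signKey: t.signKey, first: plain, sig: t.sig}
	if !check.Verify() {
		return errors.New("recovered data fails signature verification")
	}
	t.first = plain
	return nil
}

func main() {
	t, s, err := newPair()
	if err == nil {
		err = t.Store([]byte("plate=TEST-0001;inspection=2021-06")) // constructed sample
	}
	if err != nil {
		panic(err)
	}
	t.first[0] ^= 0xff // simulate tampering with the first storage space
	fmt.Println("verifies after tampering:", t.Verify())
	fmt.Println("recover error:", t.Recover(s), "verifies after:", t.Verify())
}
```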
Fig. 4 is a flowchart of a data management method provided in an embodiment of the present application, where in the embodiment of the present application, a local device is taken as a terminal and a terminal is taken as an example to perform data backup. As shown in fig. 4, the data management method includes the steps of:
step 401: and the terminal receives the sensitive data sent by the server.
The sensitive data is original sensitive data, namely sensitive data which is not encrypted. For example, the sensitive data may include at least one of driver information of the vehicle, vehicle information, and the like; wherein the vehicle information includes at least one of vehicle violation information, vehicle annual inspection information, and license plate information. In one possible implementation, the server sends updated sensitive data to the terminal in response to the sensitive data update.
Before the server sends the sensitive data to the terminal, the server and the terminal negotiate a key pair, which is called a first key pair for convenience of distinction, wherein the first key pair comprises a first public key and a first private key of the terminal; the server stores the first public key and the terminal stores the first private key. Accordingly, the steps may be:
the server encrypts the sensitive data through a first public key to obtain encrypted sensitive data, and sends the encrypted sensitive data to the terminal; the terminal receives the encrypted sensitive data sent by the server, acquires a first private key, and decrypts the encrypted sensitive data through the first private key to obtain the sensitive data.
Step 402: the terminal acquires the public key of the server, encrypts the sensitive data based on the public key of the server, and obtains the backed-up sensitive data.
Before the server sends the sensitive data to the terminal, the server and the terminal negotiate a key pair, which for ease of distinction will be referred to as a second key pair, comprising a second public key and a second private key, the second private key being stored in the server and the second public key being stored in the terminal. In this step, the terminal obtains the stored second public key directly from the local. Correspondingly, the terminal encrypts the sensitive data based on the second public key to obtain the backed-up sensitive data.
Step 403: the terminal includes a first storage space into which the terminal stores the sensitive data.
Wherein the sensitive data is used for the terminal to process the service request. In this step, the terminal stores the sensitive data in the first storage space, so that the terminal can call the sensitive data from the first storage space when processing the service request.
Step 404: the terminal also comprises a second storage space, and the terminal backs up the backed-up sensitive data to the second storage space.
And the backed-up sensitive data is used for recovering the sensitive data in the first storage space based on the backed-up sensitive data under the condition that the terminal fails in checking the sensitive data in the first storage space.
Referring to fig. 5, the implementation of step 404 may be:
in one possible implementation, the data in the second storage space is empty, and the terminal directly stores the backed-up sensitive data in the second storage space. In another possible implementation manner, the data in the second storage space is non-empty, and the terminal compares the backed-up sensitive data with the data in the second storage space to obtain a comparison result; and the terminal determines whether to store the backed-up sensitive data in the second storage space or not based on the comparison result.
Wherein the comparison result includes one of the same or different. The terminal responds to the comparison result to be the same, and keeps the data in the second storage space unchanged; and the terminal deletes the data in the second storage space and stores the backed-up sensitive data in the second storage space in response to the difference of the comparison result.
In the embodiment of the application, if the backed-up sensitive data is consistent with the data in the second storage space, the encrypted data does not need to be stored in the second storage space, so that the operation steps of the terminal are reduced, and the backup efficiency of the sensitive data is improved.
In the embodiment of the application, since the sensitive data and the backed-up sensitive data are stored in different storage spaces of the terminal, calling the sensitive data when the terminal processes a service request does not affect the storage of the backed-up sensitive data, and even if the sensitive data fails signature verification, the data can be recovered from the backed-up sensitive data, so that the security of data storage is improved.
In the embodiment of the application, the terminal can also store the signature information of the sensitive data into the terminal; accordingly, this step is achieved by the following steps (1) - (2):
(1) The terminal acquires a private key of the terminal, signs the sensitive data based on the private key of the terminal, and obtains signature information, wherein the signature information is used for checking whether the sensitive data is tampered.
In this step, the terminal signs the sensitive data based on the private key of the terminal and obtains the signature information through the following steps A1-A2:
A1: the terminal determines a first characteristic value of the sensitive data.
The first characteristic value is a digital digest, and the digital digest is a hash value obtained by operating on the sensitive data with a hash function. For example, the first characteristic value is 0.
A2: the terminal signs the first characteristic value based on the private key of the terminal to obtain the signature information.
In this step, the terminal stores a key pair in advance, and for convenience of distinction, the key pair is referred to as a third key pair, and the third key pair includes a third private key and a third public key of the terminal. The third key pair stored in the terminal may be generated by the terminal itself or by a server. The third key pair may be the same as the first key pair or may be different from the first key pair.
The signature information is a digital signature, that is, the digital signature is obtained by encrypting the first characteristic value with the private key of the terminal. Referring to fig. 6, the terminal performs a hash operation on the sensitive data to obtain the first characteristic value, and signs the first characteristic value with the private key of the terminal to obtain the signature information.
(2) The terminal associates the signature information with the sensitive data and stores the signature information in the terminal.
The implementation manner of associating the signature information with the sensitive data by the terminal may be: the terminal can splice the signature information and the sensitive data to obtain spliced sensitive data. In this step, the terminal may store the signature information in the first storage space; correspondingly, the terminal stores the spliced sensitive data into the first storage space.
In the embodiment of the application, the signature information of the sensitive data is determined, and the signature information is associated with the sensitive data stored in the first storage space, so that the terminal can confirm whether the sensitive data is tampered by malicious personnel or not according to the signature information, and further data support is provided for security verification of the sensitive data.
It should be noted that step 403 and steps 402 and 404 have no strict time sequence. The sensitive data may be stored in the first storage space first and then encrypted and backed up in the second storage space, that is, step 403 is performed first and then steps 402 and 404 are performed; alternatively, the sensitive data may be encrypted and backed up in the second storage space first and then stored in the first storage space, that is, steps 402 and 404 are performed first and then step 403 is performed.
In the embodiment of the application, since the local backup sensitive data of the terminal is encrypted by using the public key of the server, the encryption key of the backup sensitive data is not easy to be broken, and the safety of the local backup sensitive data can be ensured, so that the sensitive data which should be backed up by the server can be migrated to the terminal, the terminal can realize data backup, the problem that the storage pressure of the server is higher because the server needs to backup the sensitive data of a plurality of terminals is solved, and the storage pressure of the server is reduced.
Fig. 7 is a flowchart of a data management method provided in an embodiment of the present application, where the embodiment is described by taking the terminal and data recovery as an example. As shown in fig. 7, the data management method includes the following steps:
Step 701: in response to the sensitive data in the first storage space of the terminal failing signature verification, the terminal acquires the backed-up sensitive data from the second storage space of the terminal, where the backed-up sensitive data is obtained by encrypting the sensitive data using the public key of the server.
Wherein the sensitive data includes at least one of driver information, vehicle information, and the like. The content of the sensitive data may be set and modified as needed, which is not particularly limited in the embodiments of the present application.
In this step, the terminal needs to verify the signature of the sensitive data in the first storage space of the terminal to obtain a signature verification result. The signature verification result is either signature verification success or signature verification failure. In response to the signature verification result being a failure, the terminal performs the operation of step 701.
Correspondingly, the terminal verifies the signature of the sensitive data in the first storage space through the following steps (1)-(2):
(1) The terminal obtains the signature information associated with the sensitive data.
The signature information is obtained by signing the first characteristic value by the terminal based on the private key of the terminal. In this step, the terminal acquires the signature information from the first storage space.
(2) The terminal performs signature verification on the sensitive data in the first storage space based on the signature information.
The implementation mode of the step comprises the following steps A1-A3:
A1: the terminal determines a second characteristic value of the sensitive data.
Referring to fig. 8, the terminal obtains the sensitive data from the first storage space, and performs a hash operation on the sensitive data to obtain the second characteristic value.
A2: the terminal decrypts the signature information with the public key of the terminal to obtain the first characteristic value.
With continued reference to fig. 8, since the signature information is encrypted based on the second private key of the terminal, the terminal decrypts the signature information by using the second public key to obtain the first characteristic value.
A3: in response to the second characteristic value being different from the first characteristic value, the terminal determines that signature verification of the sensitive data in the first storage space fails; in response to the second characteristic value being the same as the first characteristic value, the terminal determines that signature verification of the sensitive data in the first storage space succeeds.
For example, the first characteristic value of the sensitive data is 0, the first characteristic value obtained after decryption is 0', and the second characteristic value is 1, and it can be seen that the first characteristic value obtained after decryption is different from the second characteristic value, and the terminal determines that the verification of the sensitive data fails.
In the embodiment of the application, since the signature information of the sensitive data is stored in the first storage space, the terminal can verify the correctness of the sensitive data based on the signature information, so that the occurrence of failure in processing the service request caused by calling wrong sensitive data when the service request is processed later is avoided, and the efficiency of processing the service request is further improved.
In this step, in response to receiving a signature verification request, the terminal verifies the signature of the sensitive data in the first storage space of the terminal. Accordingly, this may be implemented as follows:
In one possible implementation, the terminal receives a service request, where the service request is used to call sensitive data from the first storage space, and the terminal verifies the signature of the sensitive data in the first storage space.
For example, in response to the sensitive data including driver information, the service request may be to conduct at least one of a query for a status of credentials, a query for remaining credits of driver's credentials, a query for accumulated credits of driver's credentials, and the like based on the driver information. For another example, in response to the sensitive data including vehicle information, the service request may be at least one of a vehicle violation query, a vehicle annual inspection query, a vehicle license plate query, and the like based on the vehicle information.
In another possible implementation, the terminal performs a signature verification on the sensitive data in the first storage space in response to the terminal being started.
In another possible implementation, the terminal performs a signature verification on the sensitive data in the first storage space in response to the terminal initialization.
In another possible implementation, the terminal performs a signature verification on the sensitive data in the first storage space in response to reaching a signature verification period.
The signature verification period can be set and changed according to requirements, and the embodiment of the application is not particularly limited to the setting and changing; for example, the signature verification period may be 24 hours.
It should be noted that, when the terminal receives the service request, the sensitive data may be called from the first storage space in the following ways:
In the first case, the terminal directly calls the sensitive data from the first storage space. That is, the terminal does not verify the signature of the sensitive data in the first storage space and calls the sensitive data directly.
In the second case, the terminal performs signature verification on the sensitive data in the first storage space, and calls the sensitive data from the first storage space based on the sensitive data obtained after the signature verification.
In the third case, the terminal calls the sensitive data from the first storage space based on the time of the last signature verification operation.
The last signature verification operation may have been triggered in any of the ways described above: the terminal receiving a service request, the terminal starting, the terminal initializing, or a signature verification period being reached. Accordingly, this step may be: the terminal acquires the time of the last signature verification operation; in response to the difference between that time and the current time being not greater than a preset duration, the terminal directly calls the sensitive data from the first storage space; in response to the difference between that time and the current time being greater than the preset duration, the terminal verifies the signature of the sensitive data in the first storage space and calls the sensitive data from the first storage space based on the sensitive data obtained after signature verification.
In the embodiment of the application, the terminal can be triggered to check the sensitive data in the first storage space based on different modes, so that the terminal does not need to check the signature every time when processing the service request, the operation time for processing the service request is further shortened, and the service processing efficiency is improved.
Since the backed-up sensitive data in the second storage space is encrypted based on the first public key of the server, the terminal needs the server to decrypt the backed-up sensitive data; accordingly, after step 701 is performed, step 702 is performed.
Step 702: the terminal sends the backed-up sensitive data to the server, and the server decrypts the backed-up sensitive data based on the private key of the server to obtain decrypted sensitive data.
The terminal can send the backed-up sensitive data to the server based on the data length of the backed-up sensitive data; correspondingly, the method comprises the following two implementation modes:
First: in response to the data length of the backed-up sensitive data being greater than a preset threshold, the terminal fragments the backed-up sensitive data to obtain a plurality of data packets and sends the data packets to the server.
The terminal performs data transmission with the server through a wireless network. The preset threshold is the maximum transmission unit of the network link of the wireless network. Referring to fig. 9, in response to the data length of the backed-up sensitive data D0 being greater than the maximum transmission unit, the terminal fragments the backed-up sensitive data D0 to obtain a plurality of data packets, namely fragments 1, 2, ..., n.
Second: in response to the data length of the backed-up sensitive data being not greater than the preset threshold, the terminal sends the backed-up sensitive data to the server.
For example, in response to the data length of the backed-up sensitive data D0 being not greater than the maximum transmission unit of the network link, the terminal directly transmits D0 to the server.
In this step, the implementation manner of the server to receive the backed-up sensitive data may be: in one possible implementation, in response to the backed up sensitive data not being fragmented, the server directly receives the backed up sensitive data sent by the terminal. In another possible implementation, in response to the backed up sensitive data being fragmented into a plurality of data packets, the server concatenates the plurality of data packets to obtain the backed up sensitive data.
Wherein the server needs to decrypt the backed up sensitive data. Correspondingly, the server decrypts the backed-up sensitive data through the first private key of the server to obtain decrypted sensitive data, and sends the decrypted sensitive data to the terminal.
In one possible implementation manner, after decrypting the backed-up sensitive data through the first private key, the server performs correctness verification on the decrypted sensitive data, and after the verification is passed, the decrypted sensitive data is sent to the terminal. The process of verifying the correctness of the decrypted sensitive data by the server is as follows:
The server can store a third characteristic value of the sensitive data in advance; after the server obtains the decrypted sensitive data, it determines a fourth characteristic value of the decrypted sensitive data. In response to the third characteristic value and the fourth characteristic value being the same, the server determines that the decrypted sensitive data is correct; in response to the third characteristic value and the fourth characteristic value being different, the server determines that the decrypted sensitive data is incorrect.
In another possible implementation, the server decrypts the backed-up sensitive data directly by the first private key; and responding to successful decryption of the backup sensitive data by the server through the first private key of the server, determining that the sensitive data is correct sensitive data, and sending the decrypted sensitive data to the terminal.
In this step, the implementation manner of the server sending the decrypted sensitive data to the terminal may be: in one possible implementation manner, the server segments the decrypted sensitive data to obtain a plurality of data packets in response to the data length of the decrypted sensitive data being greater than a preset threshold, and sends the plurality of data packets to the terminal. In another possible implementation manner, the server sends the decrypted sensitive data to the terminal in response to the data length of the sensitive data not being greater than the preset threshold.
It should be noted that, when the server sends the decrypted sensitive data to the terminal, the server encrypts the decrypted sensitive data through the public key of the terminal, so as to ensure the security of the data in the data transmission process.
In the embodiment of the application, when the data length of the backed-up sensitive data is large, the backed-up sensitive data is fragmented, and when the data length of the backed-up sensitive data is small, the backed-up sensitive data is directly sent to the server, so that the mode of sending the backed-up sensitive data to the server is flexibly set, and the diversity of the mode of sending the data to the server is further improved.
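The fragmentation and reassembly of step 702, as an added Go example that is not part of the patent. The 4-byte header (fragment index and fragment count) and the function names are assumptions; the patent only says the data is split at the maximum transmission unit and spliced on receipt. The receiver checks the framing before the spliced ciphertext is passed to decryption.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// headerLen is a hypothetical 4-byte frame header: uint16 index, uint16 count.
const headerLen = 4

// Fragment splits payload into packets of at most mtu bytes, header included.
// A payload that fits in one packet is sent as fragment 0 of 1.
func Fragment(payload []byte, mtu int) ([][]byte, error) {
	chunk := mtu - headerLen
	if chunk <= 0 {
		return nil, errors.New("mtu leaves no room for payload")
	}
	count := (len(payload) + chunk - 1) / chunk
	if count == 0 {
		count = 1 // an empty payload still produces one packet
	}
	if count > 0xffff {
		return nil, errors.New("payload needs more than 65535 fragments")
	}
	packets := make([][]byte, count)
	for i := range packets {
		start := i * chunk
		end := start + chunk
		if end > len(payload) {
			end = len(payload)
		}
		p := make([]byte, headerLen, headerLen+end-start)
		binary.BigEndian.PutUint16(p[0:2], uint16(i))
		binary.BigEndian.PutUint16(p[2:4], uint16(count))
		packets[i] = append(p, payload[start:end]...)
	}
	return packets, nil
}

// Reassemble rebuilds the payload from packets received in any order and
// rejects duplicate, missing or inconsistent fragments.
func Reassemble(packets [][]byte) ([]byte, error) {
	var parts [][]byte
	for _, p := range packets {
		if len(p) < headerLen {
			return nil, errors.New("packet shorter than header")
		}
		idx := int(binary.BigEndian.Uint16(p[0:2]))
		count := int(binary.BigEndian.Uint16(p[2:4]))
		if parts == nil && count > 0 {
			parts = make([][]byte, count) // first packet fixes the expected count
		}
		if count != len(parts) || idx >= count {
			return nil, fmt.Errorf("fragment %d of %d does not match the stream", idx, count)
		}
		if parts[idx] != nil {
			return nil, fmt.Errorf("duplicate fragment %d", idx)
		}
		parts[idx] = p[headerLen:] // non-nil even when the body is empty
	}
	if parts == nil {
		return nil, errors.New("no packets received")
	}
	var out []byte
	for i, part := range parts {
		if part == nil {
			return nil, fmt.Errorf("fragment %d missing", i)
		}
		out = append(out, part...)
	}
	return out, nil
}

func main() {
	backup := make([]byte, 256) // constructed stand-in for the backed-up data D0
	packets, err := Fragment(backup, 104)
	if err != nil {
		panic(err)
	}
	out, err := Reassemble(packets)
	fmt.Println(len(packets), len(out), err)
}
```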
Step 703: the terminal receives the decrypted sensitive data sent by the server, stores the decrypted sensitive data in the first storage space, and the sensitive data in the first storage space is used for the terminal to process a service request.
In this step, the implementation manner of the terminal to receive the decrypted sensitive data sent by the server may be: in one possible implementation, in response to the decrypted sensitive data not being fragmented, the terminal directly receives the decrypted sensitive data sent by the server. In another possible implementation manner, in response to the decrypted sensitive data being fragmented into a plurality of data packets, the terminal concatenates the plurality of data packets to obtain the decrypted sensitive data.
It should be noted that, since the server encrypts the decrypted sensitive data through the public key of the terminal, the terminal needs to decrypt the decrypted sensitive data through the private key of the terminal when receiving the decrypted sensitive data, so as to ensure the security of the data in the data transmission process.
In this step, the implementation manner of storing the decrypted sensitive data in the first storage space by the terminal includes: and the terminal replaces the sensitive data in the first storage space with the decrypted sensitive data.
For example, if the decrypted sensitive data is ZX11XXX and the sensitive data is YX11XXX, the terminal replaces YX11XXX in the first storage space with ZX11XXX.
In the embodiment of the application, the sensitive data in the first storage space is replaced by the decrypted sensitive data, so that the data in the first storage space is the correct sensitive data. When a service request is processed later, the terminal can therefore call the correct sensitive data, which avoids service request processing failures caused by the sensitive data not being updated in time.
In this embodiment of the present application, the terminal processes the service request based on the decrypted sensitive data, for example, the service request is a query of the remaining credit of the driver's license, then the decrypted sensitive data is driver information, the terminal extracts the remaining credit of the driver's license from the driver information, and sends the remaining credit of the driver's license to the service website.
In the embodiment of the application, if the verification of the sensitive data in the first storage space of the terminal fails, the server decrypts the backed-up sensitive data in the second storage space, so that the encryption operation and the decryption operation of the sensitive data are completed by different devices, namely, the recovery of the sensitive data is realized by utilizing an asymmetric encryption and decryption technology, and the security of the data recovery process of the sensitive data is further improved.
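The signing and backup of steps 402-404 together with the verification and recovery of steps 701-703, as an added Go example that is not part of the patent. The type and function names, the in-memory storage spaces, and the choice of RSA PKCS#1 v1.5 signatures over SHA-256 and RSA-OAEP encryption are assumptions, since the patent names no algorithms; the re-encryption of the server's reply under the terminal's public key is left out.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Server holds the private key matching the public key stored on the terminal.
type Server struct{ priv *rsa.PrivateKey }

// Terminal models both storage spaces as byte slices (hypothetical layout).
type Terminal struct {
	priv      *rsa.PrivateKey // terminal private key used for signing
	serverPub *rsa.PublicKey  // server public key, read from local storage
	first     []byte          // first storage space: signature || sensitive data
	second    []byte          // second storage space: backup only the server can open
}

// storeFirst signs SHA-256(data), the first characteristic value, and stores
// the spliced signature and data in the first storage space.
func (t *Terminal) storeFirst(data []byte) error {
	digest := sha256.Sum256(data)
	sig, err := rsa.SignPKCS1v15(rand.Reader, t.priv, crypto.SHA256, digest[:])
	if err == nil {
		t.first = append(sig, data...)
	}
	return err
}

// Store covers steps 402-404. OAEP limits data to 190 bytes with this key size.
func (t *Terminal) Store(data []byte) error {
	backup, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, t.serverPub, data, nil)
	if err != nil {
		return err
	}
	// Step 404 comparison: OAEP is randomized, so a fresh ciphertext of the
	// same data still differs from the stored one and replaces it.
	if !bytes.Equal(t.second, backup) {
		t.second = backup
	}
	return t.storeFirst(data)
}

// Verify recomputes the digest (second characteristic value) and checks it
// against the stored signature with the terminal's public key.
func (t *Terminal) Verify() ([]byte, error) {
	n := t.priv.Size()
	if len(t.first) < n {
		return nil, fmt.Errorf("first storage space too short: %d bytes", len(t.first))
	}
	sig, data := t.first[:n], t.first[n:]
	digest := sha256.Sum256(data)
	if err := rsa.VerifyPKCS1v15(&t.priv.PublicKey, crypto.SHA256, digest[:], sig); err != nil {
		return nil, fmt.Errorf("signature verification failed: %w", err)
	}
	return data, nil
}

// Recover is the server side of step 702: decrypt the backup with the private key.
func (s *Server) Recover(backup []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, s.priv, backup, nil)
}

// Load returns the sensitive data for a service request. If the signature check
// fails it runs steps 701-703 and reports that a recovery happened.
func (t *Terminal) Load(s *Server) (data []byte, recovered bool, err error) {
	if data, err = t.Verify(); err == nil {
		return data, false, nil
	}
	if data, err = s.Recover(t.second); err != nil {
		return nil, false, err
	}
	return data, true, t.storeFirst(data) // replace the bad copy and re-sign it
}

// NewPair generates fresh 2048-bit keys for one terminal and one server.
func NewPair() (*Terminal, *Server, error) {
	sk, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	tk, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	return &Terminal{priv: tk, serverPub: &sk.PublicKey}, &Server{priv: sk}, nil
}

func main() {
	t, s, err := NewPair()
	if err == nil {
		err = t.Store([]byte("constructed sample record ZX11XXX"))
	}
	if err != nil {
		panic(err)
	}
	t.first[len(t.first)-1] ^= 0xff // simulate tampering in the first storage space
	data, recovered, err := t.Load(s)
	fmt.Printf("%q recovered=%v err=%v\n", data, recovered, err)
}
```

Records longer than one OAEP block would need a hybrid scheme, in which a symmetric key encrypts the data and only that key is encrypted under the server's public key.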
Fig. 10 is a block diagram of a data management apparatus provided in an embodiment of the present application. Referring to fig. 10, the apparatus includes: a first receiving module 1001, a first obtaining module 1002 and a first storing module 1003.
A first receiving module 1001, configured to receive sensitive data sent by a server;
a first obtaining module 1002, configured to obtain a public key of the server, encrypt the sensitive data based on the public key of the server, and obtain backed-up sensitive data;
a first storage module 1003, configured to store the sensitive data and the backed up sensitive data in a local device, where the sensitive data is used for the local device to process a service request.
In one possible implementation, the apparatus further includes:
the second acquisition module is used for acquiring the private key of the local equipment, signing the sensitive data based on the private key of the local equipment to obtain signature information, and the signature information is used for checking whether the sensitive data is tampered or not;
And the second storage module is used for associating the signature information with the sensitive data and storing the signature information into the local equipment.
In one possible implementation, the local device includes a first storage space and a second storage space; the first storage module 1003 is configured to store the sensitive data in the first storage space, and backup the backed-up sensitive data in the second storage space; and the sensitive data in the first storage space is used for the local equipment to process the service request, and the backed-up sensitive data in the second storage space is used for restoring the sensitive data in the first storage space based on the backed-up sensitive data under the condition that the sensitive data in the first storage space fails to check the signature by the local equipment.
In the embodiment of the application, since the local backup sensitive data of the terminal is encrypted by using the public key of the server, the encryption key of the backup sensitive data is not easy to be broken, and the safety of the local backup sensitive data can be ensured, so that the sensitive data which should be backed up by the server can be migrated to the terminal, the terminal can realize data backup, the problem that the storage pressure of the server is higher because the server needs to backup the sensitive data of a plurality of terminals is solved, and the storage pressure of the server is reduced.
Fig. 11 is a block diagram of a data management apparatus provided in an embodiment of the present application. Referring to fig. 11, the apparatus includes: a third acquisition module 1101, a transmission module 1102 and a third storage module 1103.
A third obtaining module 1101, configured to obtain, in response to a failure in signing verification of the sensitive data in the first storage space of the local device, backed up sensitive data from the second storage space of the local device, where the backed up sensitive data is obtained by encrypting the sensitive data using a public key of the server;
a sending module 1102, configured to send the backed-up sensitive data to the server, where the server is configured to decrypt the backed-up sensitive data based on a private key of the server, to obtain decrypted sensitive data;
and a third storage module 1103, configured to receive the decrypted sensitive data sent by the server, store the decrypted sensitive data in the first storage space, where the sensitive data in the first storage space is used for the local device to process a service request.
In one possible implementation, the apparatus further includes:
the signature verification module is used for receiving a service request, wherein the service request is used for calling sensitive data from the first storage space and carrying out signature verification on the sensitive data in the first storage space; or,
The signature verification module is further used for responding to the starting of the local equipment and verifying the sensitive data in the first storage space; or,
the signature verification module is further used for responding to the initialization of the local equipment and verifying the sensitive data in the first storage space; or,
the signature verification module is further used for verifying the sensitive data in the first storage space in response to the signature verification period.
In one possible implementation manner, the signature verification module is used for acquiring signature information associated with the sensitive data; and based on the signature information, checking the sensitive data in the first storage space.
In a possible implementation manner, the sending module 1102 is configured to, in response to the data length of the backed-up sensitive data being greater than a preset threshold, segment the backed-up sensitive data to obtain a plurality of data packets, and send the plurality of data packets to the server; and sending the backed-up sensitive data to the server in response to the data length of the backed-up sensitive data not being greater than the preset threshold.
In the embodiment of the application, if the verification of the sensitive data in the first storage space of the terminal fails, the server decrypts the backed-up sensitive data in the second storage space, so that the encryption operation and the decryption operation of the sensitive data are completed by different devices, namely, the recovery of the sensitive data is realized by utilizing an asymmetric encryption and decryption technology, and the security of the data recovery process of the sensitive data is further improved.
It should be noted that: in the data management device provided in the above embodiment, only the division of the above functional modules is used for illustration, and in practical application, the above functional allocation may be performed by different functional modules according to needs, that is, the internal structure of the terminal is divided into different functional modules, so as to complete all or part of the functions described above. In addition, the data management device and the data management method provided in the foregoing embodiments belong to the same concept, and specific implementation processes of the data management device and the data management method are detailed in the method embodiments and are not repeated herein.
In the embodiment of the present application, the local device 10 may be provided as a terminal; fig. 12 is a block diagram of a terminal 120 provided in an embodiment of the present application. In general, the terminal 120 includes: a processor 1201 and a memory 1202.
In one possible implementation, processor 1201 includes one or more processing cores, such as a 4-core processor, an 8-core processor, or the like. In one possible implementation, the processor 1201 is implemented in at least one hardware form of a DSP (Digital Signal Processing), an FPGA (Field-Programmable Gate Array), or a PLA (Programmable Logic Array). In one possible implementation, the processor 1201 also includes a main processor and a coprocessor; the main processor, also called a CPU (Central Processing Unit), is a processor for processing data in an awake state; the coprocessor is a low-power processor for processing data in a standby state. In one possible implementation, the processor 1201 is integrated with a GPU (Graphics Processing Unit) that is responsible for rendering and drawing the content that the display screen is required to display. In some embodiments, the processor 1201 also includes an AI (Artificial Intelligence) processor for processing computing operations related to machine learning.
In one possible implementation, the memory 1202 includes one or more computer-readable storage media that are non-transitory. In one possible implementation, the memory 1202 also includes high-speed random access memory, as well as non-volatile memory, such as one or more disk storage devices, flash memory storage devices. In one possible implementation, a non-transitory computer readable storage medium in memory 1202 is used to store at least one instruction for execution by processor 1201 to implement the data management methods provided by the method embodiments herein.
The first storage space 121 and the second storage space 122 may be different memories 1202, or may be different storage areas in the same memory 1202.
In one possible implementation, the terminal 12 may further optionally include: a peripheral interface 1203, and at least one peripheral. In one possible implementation, the processor 1201, the memory 1202, and the peripheral interface 1203 are connected by a bus or signal lines. In one possible implementation, each peripheral device is connected to peripheral device interface 1203 via a bus, signal line, or circuit board. Specifically, the peripheral device includes: at least one of radio frequency circuitry 1204, a display 1205, a camera assembly 1206, audio circuitry 1207, a positioning assembly 1208, and a power supply 1209.
The peripheral interface 1203 may be used to connect at least one peripheral device associated with an I/O (Input/Output) to the processor 1201 and the memory 1202. In one possible implementation, the processor 1201, the memory 1202, and the peripheral interface 1203 are integrated on the same chip or circuit board; in some other embodiments, any one or both of the processor 1201, the memory 1202, and the peripheral interface 1203 are implemented on separate chips or circuit boards, which is not limited in this embodiment.
The data management component 123 includes, among other things, a processor 1201 and a peripheral interface 1203.
The radio frequency circuit 1204 is used for receiving and transmitting RF (Radio Frequency) signals, also called electromagnetic signals. The radio frequency circuit 1204 communicates with a communication network and other communication devices via electromagnetic signals. The radio frequency circuit 1204 converts an electrical signal into an electromagnetic signal for transmission, or converts a received electromagnetic signal into an electrical signal. In one possible implementation, the radio frequency circuit 1204 includes: antenna systems, RF transceivers, one or more amplifiers, tuners, oscillators, digital signal processors, codec chipsets, subscriber identity module cards, and so forth. In one possible implementation, the radio frequency circuit 1204 communicates with other terminals via at least one wireless communication protocol. The wireless communication protocol includes, but is not limited to: the world wide web, metropolitan area networks, intranets, mobile communication networks of each generation (2G, 3G, 4G, and 5G), wireless local area networks, and/or WiFi (Wireless Fidelity) networks. In one possible implementation, the radio frequency circuit 1204 further includes NFC (Near Field Communication) related circuitry, which is not limited in this application.
The display 1205 is used to display a UI (User Interface). In one possible implementation, the UI includes graphics, text, icons, video, and any combination thereof. When the display 1205 is a touch display, the display 1205 also has the ability to collect touch signals at or above the surface of the display 1205. In one possible implementation, the touch signal is input as a control signal to the processor 1201 for processing. At this time, the display 1205 is also used to provide virtual buttons and/or a virtual keyboard, also referred to as soft buttons and/or a soft keyboard. In one possible implementation, there is one display 1205, disposed on a front panel of the terminal 12; in other embodiments, there are at least two displays 1205, respectively disposed on different surfaces of the terminal 12 or in a folded design; in other embodiments, the display 1205 is a flexible display disposed on a curved surface or a folded surface of the terminal 12. The display 1205 may even be arranged in a non-rectangular irregular shape, i.e., a shaped screen. In one possible implementation, the display 1205 is made of LCD (Liquid Crystal Display), OLED (Organic Light-Emitting Diode), or other materials.
The camera assembly 1206 is used to capture images or video. In one possible implementation, the camera assembly 1206 includes a front camera and a rear camera. Typically, the front camera is disposed on the front panel of the terminal and the rear camera is disposed on the rear surface of the terminal. In one possible implementation manner, the number of the rear cameras is at least two, and the rear cameras are any one of a main camera, a depth camera, a wide-angle camera and a tele camera respectively, so that the main camera and the depth camera are fused to realize a background blurring function, the main camera and the wide-angle camera are fused to realize a panoramic shooting function and a Virtual Reality (VR) shooting function or other fusion shooting functions. In one possible implementation, the camera assembly 1206 also includes a flash. In one possible implementation, the flash is a single-color temperature flash, and in one possible implementation, the flash is a dual-color temperature flash. The dual-color temperature flash lamp refers to a combination of a warm light flash lamp and a cold light flash lamp, and is used for light compensation under different color temperatures.
In one possible implementation, the audio circuitry 1207 includes a microphone and a speaker. The microphone is used for collecting sound waves of a user and the environment, converting the sound waves into electric signals, and inputting the electric signals to the processor 1201 for processing, or inputting the electric signals to the radio frequency circuit 1204 for voice communication. For stereo acquisition or noise reduction purposes, in one possible implementation, a plurality of microphones are provided at different locations of the terminal 12, respectively. In one possible implementation, the microphone is an array microphone or an omni-directional pickup microphone. The speaker is used to convert electrical signals from the processor 1201 or the radio frequency circuit 1204 into sound waves. In one possible implementation, the speaker is a conventional thin film speaker, and in one possible implementation, the speaker is a piezoceramic speaker. When the speaker is a piezoelectric ceramic speaker, not only an electric signal but also an acoustic wave audible to humans can be converted into an acoustic wave inaudible to humans for ranging and other purposes. In one possible implementation, the audio circuitry 1207 also includes a headphone jack.
The positioning component 1208 is used to locate the current geographic location of the terminal 12 for navigation or LBS (Location Based Service). In one possible implementation, the positioning component 1208 is a positioning component based on the United States GPS (Global Positioning System), the Beidou system of China, or the Galileo system of Russia.
The power supply 1209 is used to power the various components in the terminal 12. In one possible implementation, the power source 1209 is an alternating current, a direct current, a disposable battery, or a rechargeable battery. When the power source 1209 includes a rechargeable battery, the rechargeable battery is a wired rechargeable battery or a wireless rechargeable battery. The wired rechargeable battery is a battery charged through a wired line, and the wireless rechargeable battery is a battery charged through a wireless coil. The rechargeable battery is also used to support fast charge technology.
In one possible implementation, the terminal 12 also includes one or more sensors 1212. The one or more sensors 1212 include, but are not limited to: acceleration sensor 1211, gyroscope sensor 1210, pressure sensor 1213, fingerprint sensor 1214, optical sensor 1215, and proximity sensor 1216.
In one possible implementation, the acceleration sensor 1211 detects the magnitude of acceleration on three coordinate axes of the coordinate system established with the terminal 12. For example, the acceleration sensor 1211 is used to detect components of gravitational acceleration on three coordinate axes. In one possible implementation, the processor 1201 controls the display screen 1205 to display a user interface in a landscape view or a portrait view based on the gravitational acceleration signal acquired by the acceleration sensor 1211. In one possible implementation, the acceleration sensor 1211 is also used for the acquisition of motion data of a game or user.
In one possible implementation, the gyro sensor 1210 detects the body direction and the rotation angle of the terminal 12, and the gyro sensor 1210 and the acceleration sensor 1211 cooperate to collect 3D actions of the user on the terminal 12. The processor 1201 can realize the following functions according to the data acquired by the gyro sensor 1210: motion sensing (e.g., changing UI according to a tilting operation by a user), image stabilization at shooting, game control, and inertial navigation.
In one possible implementation, the pressure sensor 1213 is positioned at a side frame of the terminal 12 and/or at an underlying layer of the display 1205. When the pressure sensor 1213 is disposed at the side frame of the terminal 12, a grip signal of the user to the terminal 12 can be detected, and the processor 1201 performs a left-right hand recognition or a shortcut operation according to the grip signal collected by the pressure sensor 1213. When the pressure sensor 1213 is disposed at the lower layer of the display 1205, the processor 1201 controls the operability control on the UI interface according to the pressure operation of the user on the display 1205. The operability controls include at least one of a button control, a scroll bar control, an icon control, and a menu control.
The fingerprint sensor 1214 is used to collect a fingerprint of the user, and the processor 1201 identifies the identity of the user based on the fingerprint collected by the fingerprint sensor 1214, or the fingerprint sensor 1214 identifies the identity of the user based on the fingerprint collected. Upon recognizing that the user's identity is a trusted identity, the processor 1201 authorizes the user to perform relevant sensitive operations including unlocking the screen, viewing encrypted information, downloading software, paying for and changing settings, etc. In one possible implementation, the fingerprint sensor 1214 is disposed on the front, back, or side of the terminal 12. When a physical key or vendor Logo is provided on the terminal 12, the fingerprint sensor 1214 is integrated with the physical key or vendor Logo.
The optical sensor 1215 is used to collect the ambient light intensity. In one embodiment, processor 1201 controls the display brightness of display 1205 based on the intensity of ambient light collected by optical sensor 1215. Specifically, when the intensity of the ambient light is high, the display brightness of the display screen 1205 is turned up; when the ambient light intensity is low, the display brightness of the display screen 1205 is turned down. In another embodiment, processor 1201 also dynamically adjusts the shooting parameters of camera assembly 1206 based on the intensity of ambient light collected by optical sensor 1215.
A proximity sensor 1216, also referred to as a distance sensor, is typically provided on the front panel of the terminal 12. The proximity sensor 1216 is used to collect the distance between the user and the front of the terminal 12. In one embodiment, when the proximity sensor 1216 detects that the distance between the user and the front face of the terminal 12 gradually decreases, the processor 1201 controls the display 1205 to switch from the bright screen state to the off screen state; when the proximity sensor 1216 detects that the distance between the user and the front face of the terminal 12 gradually increases, the processor 1201 controls the display 1205 to switch from the off-screen state to the on-screen state.
Those skilled in the art will appreciate that the structure shown in fig. 12 is not limiting of the terminal 12 and can include more or fewer components than shown, or certain components may be combined, or a different arrangement of components may be employed.
In an embodiment of the present application, there is further provided a computer readable storage medium in which at least one program code is stored, the at least one program code being loaded and executed by a processor to implement the operations performed by the data management method in the above embodiment. The computer readable storage medium may be a memory. For example, the computer readable storage medium may be a ROM (Read-Only Memory), a RAM (Random Access Memory), a CD-ROM (Compact Disc Read-Only Memory), a magnetic tape, a floppy disk, an optical data storage device, and the like.
In an embodiment of the present application, there is also provided a computer program product or a computer program comprising computer program code, the computer program code being stored in a computer readable storage medium. The computer program code is read from the computer readable storage medium by a processor of the terminal, which executes the computer program code such that the terminal performs the operations performed by the data management method described above.
It will be understood by those skilled in the art that all or part of the steps for implementing the above embodiments may be implemented by hardware, or may be implemented by a program for instructing relevant hardware, where the program may be stored in a computer readable storage medium, and the storage medium may be a read-only memory, a magnetic disk or an optical disk, etc.
The foregoing description of the preferred embodiments is merely exemplary in nature and is in no way intended to limit the invention; all modifications, equivalents, improvements, etc. are intended to fall within the spirit and scope of the invention.
Claims (11)
1. A data management method, performed by a terminal, the terminal comprising a first storage space and a second storage space, the method comprising:
receiving sensitive data sent by a server;
obtaining the public key of the server, and encrypting the sensitive data based on the public key of the server to obtain backed-up sensitive data;
storing the sensitive data into the first storage space, and backing up the backed-up sensitive data into the second storage space; sensitive data in the first storage space is used for the terminal to process a service request;
in response to failure of verification of the sensitive data in the first storage space, acquiring the backed-up sensitive data from the second storage space;
sending the backed-up sensitive data to the server, so that the server decrypts the backed-up sensitive data with a private key of the server, verifies the correctness of the decrypted sensitive data, and, after the verification is passed, sends the decrypted sensitive data to the terminal; the process of verifying the correctness of the decrypted sensitive data by the server is as follows: determining a fourth characteristic value of the decrypted sensitive data, and determining that the decrypted sensitive data is correct in response to the fourth characteristic value being the same as a prestored third characteristic value of the sensitive data;
and receiving the decrypted sensitive data sent by the server, and storing the decrypted sensitive data in the first storage space.
2. The method according to claim 1, wherein the method further comprises:
obtaining the private key of the terminal, and signing the sensitive data based on the private key of the terminal to obtain signature information, the signature information being used for checking whether the sensitive data has been tampered with;
associating the signature information with the sensitive data, and storing the signature information in the first storage space.
3. The method according to claim 1, wherein the method further comprises:
receiving a service request, wherein the service request is used for calling sensitive data from the first storage space, and verifying the signature of the sensitive data in the first storage space; or,
in response to the starting of the terminal, verifying the signature of the sensitive data in the first storage space; or,
in response to the terminal initialization, verifying the signature of the sensitive data in the first storage space; or,
in response to the signature verification period being reached, verifying the signature of the sensitive data in the first storage space.
4. A method according to claim 3, wherein said verifying the signature of the sensitive data in said first storage space comprises:
acquiring signature information associated with the sensitive data;
and based on the signature information, checking the signature of the sensitive data in the first storage space.
5. The method of claim 1, wherein the sending the backed-up sensitive data to the server comprises:
in response to the data length of the backed-up sensitive data being greater than a preset threshold value, slicing the backed-up sensitive data to obtain a plurality of data packets, and sending the data packets to the server;
and sending the backed-up sensitive data to the server in response to the data length of the backed-up sensitive data not being greater than the preset threshold.
6. A data management apparatus, characterized by being executed by a terminal comprising a first storage space and a second storage space, the apparatus comprising:
the first receiving module is used for receiving the sensitive data sent by the server;
the first acquisition module is used for acquiring the public key of the server, encrypting the sensitive data based on the public key of the server, and obtaining the backed-up sensitive data;
the first storage module is used for storing the sensitive data into the first storage space and backing up the backed-up sensitive data into the second storage space; sensitive data in the first storage space is used for the terminal to process a service request;
the third acquisition module is used for responding to the failure of verification of the sensitive data in the first storage space and acquiring the backed-up sensitive data from the second storage space;
the sending module is used for sending the backed-up sensitive data to the server, decrypting the backed-up sensitive data by the server through a private key of the server, verifying the correctness of the decrypted sensitive data, and sending the decrypted sensitive data to the terminal after the verification is passed; the process of verifying the correctness of the decrypted sensitive data by the server is as follows: determining a fourth characteristic value of the decrypted sensitive data, and determining that the decrypted sensitive data is correct in response to the fourth characteristic value being the same as a prestored third characteristic value of the sensitive data;
and the third storage module is used for receiving the decrypted sensitive data sent by the server and storing the decrypted sensitive data in the first storage space.
7. The apparatus of claim 6, wherein the apparatus further comprises:
the second acquisition module is used for acquiring the private key of the terminal, signing the sensitive data based on the private key of the terminal to obtain signature information, and the signature information is used for checking whether the sensitive data is tampered or not;
and the second storage module is used for associating the signature information with the sensitive data and storing the signature information into the first storage space.
8. The apparatus of claim 6, wherein the apparatus further comprises:
the signature verification module is used for receiving a service request, wherein the service request is used for calling sensitive data from the first storage space and verifying the sensitive data in the first storage space; or,
the signature verification module is further used for responding to the starting of the terminal and verifying the sensitive data in the first storage space; or,
the signature verification module is further used for responding to the terminal initialization and verifying the sensitive data in the first storage space; or,
the signature verification module is further used for verifying the sensitive data in the first storage space in response to the signature verification period being reached.
9. The apparatus of claim 8, wherein the signature verification module is configured to obtain signature information associated with the sensitive data; and based on the signature information, checking the signature of the sensitive data in the first storage space.
10. The apparatus of claim 6, wherein the sending module is configured to, in response to a data length of the backed-up sensitive data being greater than a preset threshold, segment the backed-up sensitive data to obtain a plurality of data packets, and send the plurality of data packets to the server; and sending the backed-up sensitive data to the server in response to the data length of the backed-up sensitive data not being greater than the preset threshold.
11. A terminal comprising a processor and a memory, wherein the memory has stored therein at least one program code that is loaded and executed by the processor to implement the data management method of any of claims 1 to 5.
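The store, verify and recover flow of claims 1 to 4, as an added example that is not code from the patent: it shows the terminal detecting tampering in the first storage space and the server refusing any backup whose characteristic value does not match the pre-stored one. Assumptions: RSA-OAEP (2048-bit) encrypts the backup, Ed25519 provides the terminal signature, SHA-256 is the characteristic value, the sensitive data fits in a single OAEP block, and every type and function name is hypothetical.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
)

// Terminal models the two storage spaces of claim 1 (hypothetical names).
type Terminal struct {
	key    ed25519.PrivateKey // terminal private key used for signing (claim 2)
	first  []byte             // first storage space: data used for service requests
	sig    []byte             // signature information associated with the data
	second []byte             // second storage space: backup encrypted to the server
}

// Server holds its private key and the pre-stored characteristic value (SHA-256, assumed).
type Server struct {
	key    *rsa.PrivateKey
	digest [32]byte
}

// Provision stores the data, signs it, and backs up an RSA-OAEP ciphertext of it.
func (t *Terminal) Provision(data []byte, pub *rsa.PublicKey) error {
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, data, nil)
	if err != nil {
		return err
	}
	t.first, t.sig, t.second = append([]byte(nil), data...), ed25519.Sign(t.key, data), ct
	return nil
}

// Verify is the signature check of claims 3 and 4 over the first storage space.
func (t *Terminal) Verify() bool {
	return ed25519.Verify(t.key.Public().(ed25519.PublicKey), t.first, t.sig)
}

// Restore decrypts a backup and releases it only if its digest matches the stored one.
func (s *Server) Restore(ct []byte) ([]byte, error) {
	pt, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, s.key, ct, nil)
	if err != nil {
		return nil, err
	}
	got := sha256.Sum256(pt)
	if subtle.ConstantTimeCompare(got[:], s.digest[:]) != 1 {
		return nil, fmt.Errorf("characteristic value mismatch: backup refused")
	}
	return pt, nil
}

// Recover runs the recovery path of claim 1 when verification of the data fails.
func (t *Terminal) Recover(s *Server) error {
	if t.Verify() {
		return nil
	}
	data, err := s.Restore(t.second)
	if err != nil {
		return err
	}
	t.first = data
	return nil
}

// Setup generates both key pairs and provisions the given (constructed) sample data.
func Setup(data []byte) (*Terminal, *Server, error) {
	_, tk, err1 := ed25519.GenerateKey(rand.Reader)
	sk, err2 := rsa.GenerateKey(rand.Reader, 2048)
	if err1 != nil || err2 != nil {
		return nil, nil, fmt.Errorf("key generation failed: %v %v", err1, err2)
	}
	t, s := &Terminal{key: tk}, &Server{key: sk, digest: sha256.Sum256(data)}
	return t, s, t.Provision(data, &sk.PublicKey)
}

func main() {
	t, s, err := Setup([]byte("constructed-sample-secret"))
	if err != nil {
		panic(err)
	}
	t.first[0] ^= 0xFF // simulate tampering in the first storage space
	fmt.Println("recover error:", t.Recover(s), "verified after restore:", t.Verify())
}
```

Because anyone holding the server's public key can produce a valid ciphertext, the backup in the second storage space carries no integrity of its own; the server-side digest comparison is what stops a substituted backup from being written back.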
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202011545716.1A CN112528311B (en) | 2020-12-23 | 2020-12-23 | Data management method, device and terminal |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202011545716.1A CN112528311B (en) | 2020-12-23 | 2020-12-23 | Data management method, device and terminal |
Publications (2)
Publication Number | Publication Date |
---|---|
CN112528311A CN112528311A (en) | 2021-03-19 |
CN112528311B CN112528311B (en) | 2024-02-20 |
Family
ID=74976160
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202011545716.1A Active CN112528311B (en) | 2020-12-23 | 2020-12-23 | Data management method, device and terminal |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN112528311B (en) |
Families Citing this family (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN114499954B (en) * | 2021-12-21 | 2024-05-10 | 海光信息技术股份有限公司 | Management device and method for sensitive data |
Citations (10)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101908024A (en) * | 2010-08-17 | 2010-12-08 | 湖南源科高新技术有限公司 | Encrypting method, device and hard disk |
CN104699559A (en) * | 2013-12-04 | 2015-06-10 | 腾讯科技(深圳)有限公司 | Distributed data backup method and system |
US9594652B1 (en) * | 2013-12-19 | 2017-03-14 | Veritas Technologies | Systems and methods for decreasing RAID rebuilding time |
CN108133150A (en) * | 2018-02-05 | 2018-06-08 | 北京公共交通控股(集团)有限公司 | Safety management system, storage medium and electric terminal based on contract dataset |
CN109510860A (en) * | 2018-08-31 | 2019-03-22 | 深圳市元征科技股份有限公司 | A kind of data processing method, relevant device and system |
CN109525989A (en) * | 2017-09-19 | 2019-03-26 | 阿里巴巴集团控股有限公司 | Data processing, identity identifying method and system, terminal |
CN110086609A (en) * | 2019-03-27 | 2019-08-02 | 华为技术有限公司 | The method and electronic equipment of data safety backup and security recovery |
CN110138749A (en) * | 2019-04-23 | 2019-08-16 | 华为技术有限公司 | Data security protection method and related equipment |
CN111368328A (en) * | 2020-02-27 | 2020-07-03 | 北京三快在线科技有限公司 | Data storage method and device, computer readable storage medium and electronic equipment |
CN111625396A (en) * | 2019-02-27 | 2020-09-04 | 阿里巴巴集团控股有限公司 | Backup data verification method, server and storage medium |
Family Cites Families (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
TWI436372B (en) * | 2010-01-28 | 2014-05-01 | Phison Electronics Corp | Flash memory storage system, and controller and method for anti-falsifying data thereof |
Also Published As
Publication number | Publication date |
---|---|
CN112528311A (en) | 2021-03-19 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||