CN112597481A - Sensitive data access method and device, computer equipment and storage medium - Google Patents

Sensitive data access method and device, computer equipment and storage medium Download PDF

Info

Publication number
CN112597481A
CN112597481A CN202011604677.8A CN202011604677A CN112597481A CN 112597481 A CN112597481 A CN 112597481A CN 202011604677 A CN202011604677 A CN 202011604677A CN 112597481 A CN112597481 A CN 112597481A
Authority
CN
China
Prior art keywords
password
verification
data
sensitive data
target
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202011604677.8A
Other languages
Chinese (zh)
Inventor
张明洋
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Ping An Bank Co Ltd
Original Assignee
Ping An Bank Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Ping An Bank Co Ltd filed Critical Ping An Bank Co Ltd
Priority to CN202011604677.8A priority Critical patent/CN112597481A/en
Publication of CN112597481A publication Critical patent/CN112597481A/en
Pending legal-status Critical Current

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/45Structures or tools for the administration of authentication
    • G06F21/46Structures or tools for the administration of authentication by designing passwords or checking the strength of passwords
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/602Providing cryptographic facilities or services
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/62Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Computer Hardware Design (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • General Health & Medical Sciences (AREA)
  • Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • Databases & Information Systems (AREA)
  • Storage Device Security (AREA)

Abstract

The invention discloses a sensitive data access method, a sensitive data access device, computer equipment and a storage medium. The method comprises the following steps: receiving a data access request sent by a service terminal, wherein the data access request comprises a user account and a data access index; determining an access data type based on the data access index; if the access data type is a sensitive data type, sending a database password acquisition instruction to the service terminal, and receiving a current verification password; acquiring a target data storage area and a dynamic login password corresponding to a user account based on the user account; performing database authority verification based on the dynamic login password and the current verification password to obtain an authority verification result; and if the permission verification result is that the data access index passes the verification, acquiring target sensitive data corresponding to the data access index from the target data storage area and sending the target sensitive data to the service terminal. The method can guarantee the security of the sensitive data access process, avoid the risk of divulgence caused by key leakage, and reduce the burden brought by a large number of key management.

Description

Sensitive data access method and device, computer equipment and storage medium
Technical Field
The present invention relates to the field of data processing technologies, and in particular, to a sensitive data access method and apparatus, a computer device, and a storage medium.
Background
With the development of internet technology and the enhancement of people's awareness of information security, the technology of encrypting and verifying data is more and more widely applied to the internet. In the prior art, various data encryption algorithms are adopted to encrypt sensitive data needing to be kept secret, so that the safety of the sensitive data in the data access process is guaranteed. Generally, when an encryption algorithm is used for encrypting sensitive data, a sender and a receiver need to agree and store a key, and when the key is lost, the risk of disclosure of the sensitive data is high, so that the risk of disclosure of the sensitive data is easy to exist; moreover, when each set of the sender and the receiver uses the key algorithm, different keys are required to be used, which results in a huge number of keys owned by the sender and the receiver, and thus the key management becomes a burden for both parties.
Disclosure of Invention
The embodiment of the invention provides a sensitive data access method, a sensitive data access device, computer equipment and a storage medium, and aims to solve the problems that the security cannot be guaranteed and the management burden is large in the sensitive data access process.
A sensitive data access method, comprising:
receiving a data access request sent by a service terminal, wherein the data access request comprises a user account and a data access index;
determining an access data type based on the data access index;
if the access data type is a sensitive data type, sending a database password acquisition instruction to the service terminal, and receiving a current verification password sent by the service terminal;
acquiring a target data storage area and a dynamic login password corresponding to the user account on the basis of the user account;
performing database authority verification based on the dynamic login password and the current verification password to obtain an authority verification result;
and if the permission verification result is that the permission verification is passed, acquiring target sensitive data corresponding to the data access index from the target data storage area, and sending the target sensitive data to the service terminal.
A sensitive data access apparatus, comprising:
the data access request receiving module is used for receiving a data access request sent by a service terminal, wherein the data access request comprises a user account and a data access index;
the access data type determining module is used for determining the type of the access data based on the data access index;
the current verification password receiving module is used for sending a database password acquisition instruction to the service terminal and receiving a current verification password sent by the service terminal if the access data type is a sensitive data type;
the user account inquiry module is used for acquiring a target data storage area and a dynamic login password corresponding to the user account based on the user account;
the authority verification result acquisition module is used for carrying out database authority verification based on the dynamic login password and the current verification password to acquire an authority verification result;
and the target sensitive data sending module is used for acquiring the target sensitive data corresponding to the data access index from the target data storage area and sending the target sensitive data to the service terminal if the permission verification result is that the permission verification passes.
A computer device comprising a memory, a processor and a computer program stored in said memory and executable on said processor, said processor implementing the above sensitive data access method when executing said computer program.
A computer-readable storage medium, in which a computer program is stored which, when being executed by a processor, carries out the above-mentioned sensitive data access method.
According to the sensitive data access method, the sensitive data access device, the computer equipment and the storage medium, when the access data type is a sensitive data type, a current verification password needs to be acquired, database permission verification is carried out based on the current verification password and the dynamic login password so as to determine whether a user corresponding to a user account has permission to access a target data storage area, only when the permission verification result is that the verification is passed, target sensitive data corresponding to a data access index are sent to a service terminal, and therefore the dynamic login password is utilized to carry out safe verification on the sensitive data in the target data storage area, the risk of sensitive data leakage caused by key leakage does not exist in the verification process, and the burden brought by a large amount of key management can be effectively avoided.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings needed to be used in the description of the embodiments of the present invention will be briefly introduced below, and it is obvious that the drawings in the following description are only some embodiments of the present invention, and it is obvious for those skilled in the art that other drawings can be obtained according to these drawings without inventive labor.
FIG. 1 is a diagram of an application environment of a sensitive data access method according to an embodiment of the present invention;
FIG. 2 is a flow chart of a sensitive data access method in one embodiment of the present invention;
FIG. 3 is another flow chart of a method of sensitive data access in one embodiment of the invention;
FIG. 4 is another flow chart of a method of sensitive data access in one embodiment of the invention;
FIG. 5 is another flow chart of a method of sensitive data access in one embodiment of the invention;
FIG. 6 is another flow chart of a method of sensitive data access in an embodiment of the invention;
FIG. 7 is another flow chart of a method of sensitive data access in one embodiment of the invention;
FIG. 8 is another flow chart of a method of sensitive data access in one embodiment of the invention;
FIG. 9 is a schematic diagram of a sensitive data access device in accordance with an embodiment of the present invention;
FIG. 10 is a schematic diagram of a computer device according to an embodiment of the invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are some, not all, embodiments of the present invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
The sensitive data access method provided by the embodiment of the invention can be applied to the application environment shown in fig. 1. Specifically, the sensitive data access method is applied to a data access system, the data access system includes a service terminal and a server as shown in fig. 1, the service terminal and the server communicate through a network for implementing sensitive data access, which can not only ensure the security of sensitive data, but also be beneficial to reducing the risk of key leakage of sensitive data encryption, and avoid the burden of key management. The service terminal is also called a user terminal, and refers to a program corresponding to the server and providing local services for the client. The service terminal may be installed on, but not limited to, various personal computers, notebook computers, smart phones, tablet computers, and portable wearable devices. The server may be implemented as a stand-alone server or as a server cluster consisting of a plurality of servers.
In an embodiment, as shown in fig. 2, a method for accessing sensitive data is provided, which is described by taking the method as an example applied to the server in fig. 1, and includes the following steps:
s201: and receiving a data access request sent by the service terminal, wherein the data access request comprises a user account and a data access index.
Wherein the data access request is a request for triggering access to data in the system database. The user account number is the personal account of the user that triggered the request. The data access index is an index for pointing to data that needs to be accessed.
As an example, a user may log in a system through a service terminal, input a data access index on a data access interface after logging in the system to obtain a data access request, and send the data access request to a server, so that the server receives the data access request sent by the service terminal. The data access index may be understood as a search field of the data to be accessed,
s202: based on the data access index, an access data type is determined.
Wherein the access data type is an access type used to evaluate whether sensitive data is contained. As an example, after receiving a data access request, a server may identify a data access index in the data access request, and then match the data access index with a sensitive word in a sensitive word bank by using a string matching algorithm or other matching algorithms; if the sensitive words in the sensitive word bank are matched, the access data type is determined to be the sensitive data type; and if the sensitive words in the sensitive word bank are not matched, determining that the access data type is a non-sensitive data type.
S203: and if the access data type is the sensitive data type, sending a database password acquisition instruction to the service terminal, and receiving the current verification password sent by the service terminal.
The database password acquisition instruction is used for instructing a user to input a current verification password through the service terminal. The current authentication password is a login password which is input by a user after receiving a database password acquisition instruction and is used for accessing a target data storage area in the system database. The target data storage area refers to an organization data storage area which needs to be accessed by a user, and the organization data storage area is an area which is divided from a system database and is specially used for storing decryption sensitive data corresponding to a certain business organization.
As an example, when determining that the access data type is a sensitive data type, the server needs to send a database password acquisition instruction to the service terminal, so that the service terminal displays a password input box, and acquires a current authentication password input by the user on the password input box of the service terminal, so as to perform login authentication based on the current authentication password. It can be understood that, when the access data type is the non-sensitive data type, the mechanism data storage area dedicated for storing the decryption sensitive data does not need to be accessed, but only the general data storage area for storing the non-sensitive data needs to be accessed, and therefore, the target non-sensitive data corresponding to the data access index is directly acquired from the general data storage area without executing the steps S203 to S206, and the target non-sensitive data is sent to the service terminal, so that the service terminal displays the target non-sensitive data.
In general, when the dynamic login password corresponding to each organization data storage area in the system database is updated, the server sends password update information to the service terminal corresponding to the original organization identifier, wherein the password update information comprises the original organization identifier and the dynamic login password, and can also comprise the password validity period, so that the service terminal corresponding to the original organization identifier can display the corresponding password update information, and further all users under the service organization corresponding to the original organization identifier can know the password update information. In this example, the server sends a database password acquisition instruction to the service terminal, so that the service terminal displays a password input box, so that a user corresponding to the user account can input a current authentication password identical to the dynamic login password in the password input box, and the server receives the current authentication password input by the service terminal.
S204: and acquiring a target data storage area and a dynamic login password corresponding to the user account on the basis of the user account.
The dynamic login password is a password which is randomly generated by a dynamic code generation tool and used for accessing the target data storage area.
As an example, the server may query the system database based on the user account, query the target data storage area corresponding to the user account from the system database, and then obtain the dynamic login password corresponding to the target data storage area from the system database, where the dynamic login password may be understood as a password that can be logged into the target data storage area at the current time, so as to perform database permission verification on the decrypted sensitive data stored in the login target data storage area.
S205: and performing database authority verification based on the dynamic login password and the current verification password to obtain an authority verification result.
As an example, the server may perform database permission verification based on the dynamically generated dynamic login password and the current verification password, that is, determine whether the dynamic login password and the current verification password are consistent; if the dynamic login password is consistent with the current verification password, acquiring a permission verification result of passing the verification; and if the dynamic login password is inconsistent with the current verification password, acquiring the authority verification result of which the verification fails.
S206: and if the permission verification result is that the data access index passes the verification, acquiring target sensitive data corresponding to the data access index from the target data storage area, and sending the target sensitive data to the service terminal.
The target sensitive data is sensitive data corresponding to the data access index, namely sensitive data which a user corresponding to the user account wants to access.
As an example, when the authorization verification result is that the authorization verification passes, it indicates that the user corresponding to the user account has authorization to access the target data storage area, the target data storage area may be queried based on the data access index, the target sensitive data corresponding to the data access index is acquired from the target data storage area, and then the target sensitive data is sent to the service terminal corresponding to the user account, so that the service terminal displays the target sensitive data.
In the sensitive data access method provided by this embodiment, when the access data type is a sensitive data type, a current verification password needs to be acquired, and database permission verification is performed based on the current verification password and a dynamic login password to determine whether a user corresponding to a user account has permission to access a target data storage area, and only when the permission verification result is that the verification is passed, target sensitive data corresponding to a data access index is sent to a service terminal, so that the sensitive data in the target data storage area is safely verified by using the dynamic login password, and the risk of sensitive data leakage caused by key leakage does not exist in the verification process, and the burden caused by a large amount of key management can be effectively avoided.
In one embodiment, as shown in fig. 3, in step S203, acquiring a target data storage area and a dynamic login password corresponding to a user account based on the user account includes:
s301: and inquiring a system database based on the user account to acquire target user information corresponding to the user account.
S302: and acquiring a target mechanism identifier corresponding to the user account from the target user information.
S303: and determining the mechanism data storage area corresponding to the target mechanism identification as a target data storage area corresponding to the user account.
S304: and inquiring the dynamic password information table based on the target mechanism identification to acquire a dynamic login password corresponding to the user account.
The target user information refers to user information which is stored in a system database in advance and corresponds to a user account.
As an example, in step S301, the server may form a query instruction based on the user account, execute the query instruction to obtain target user information corresponding to the user account from the system database, where the target user information may be understood as information related to the user identity stored in the system database in advance, for example, information such as a name, a contact address, and an affiliated institution corresponding to the user account.
Wherein the target institution identification is an identification for uniquely identifying the target institution.
As an example, in step S302, after acquiring the target user information, the server may determine an organization to which the server belongs from the target user information, acquire an identifier corresponding to the organization to which the server belongs, and determine the organization to be the target organization identifier.
The target data storage area refers to an organization data storage area which needs to be accessed by a user, and the organization data storage area is an area which is divided from a system database and is specially used for storing decryption sensitive data corresponding to a certain business organization.
As an example, in step S303, the system database stores mechanism data storage areas corresponding to a plurality of original mechanism identifiers, and after the server acquires the target mechanism identifier, the server determines the mechanism data storage area corresponding to the original mechanism identifier that is the same as the target mechanism identifier as the target data storage area, so as to uniquely determine, according to the target mechanism identifier corresponding to the user account, the decrypted sensitive data corresponding to the target data storage area that the server has access to. The original mechanism identification is a mechanism identification used for uniquely identifying the mechanism data storage area. The decrypted sensitive data is formed by decrypting the encrypted sensitive data which needs to be imported into the mechanism data storage area, so that the sensitive data does not need to be decrypted additionally in the subsequent access process.
The dynamic password information table is a data table used for storing relevant information of dynamic login passwords corresponding to different mechanism data storage areas. In this example, at least one piece of dynamic password information is stored in the dynamic password information table, where each piece of dynamic password information includes an original organization identifier and a dynamic login password, and may further include a password validity period corresponding to the dynamic login password.
As an example, in step S304, the server queries the dynamic password information table based on the target institution identification, and determines the dynamic login password of the original institution identification corresponding to the target institution identification as the dynamic login password corresponding to the user account, so as to perform database permission verification based on the dynamic login password.
In one embodiment, the dynamic login password comprises a current dynamic password and a historical dynamic password; as shown in fig. 4, in step S205, performing database permission verification based on the dynamic login password and the current verification password, and obtaining a permission verification result, the method includes:
s401: and judging whether the current dynamic password is consistent with the current verification password.
S402: and if the current dynamic password is consistent with the current verification password, acquiring a permission verification result passing the verification.
S403: and if the current dynamic password is not consistent with the current verification password, judging whether the historical dynamic password is consistent with the current verification password.
S404: and if the historical dynamic password is consistent with the current verification password, sending update prompt information to the service terminal, and waiting for receiving the update verification password which is sent by the service terminal and corresponds to the current dynamic password within the verification waiting time.
S405: and if the updated verification password is received within the verification waiting time, acquiring a right verification result passing the verification.
S406: and if the historical dynamic password is not consistent with the current verification password or the updated verification password is not received within the verification waiting time, acquiring the permission verification result of which the verification fails.
In this example, at least one piece of dynamic password information is recorded in a dynamic password information table stored in the system database, and each piece of dynamic password information includes an original organization identifier and a dynamic login password, and may further include a password validity period corresponding to the dynamic login password. And determining the dynamic login password corresponding to the password validity period to which the current time of the system belongs as the current dynamic password, namely determining the current dynamic password as the password in the valid state at present. Accordingly, the dynamic login password formed last before the current dynamic password is determined as the historical dynamic password, and can be understood as the dynamic login password currently in the disabled state. That is, at least two dynamic login passwords corresponding to the same original mechanism identifier, namely the current dynamic password and the historical dynamic password, are recorded in the dynamic password information table.
The update prompting information is used for prompting that the dynamic login password corresponding to the target data storage area is updated, and the update prompting information includes, but is not limited to, a target organization identifier and password update time. Understandably, the password update time can be understood as the generation time of the current dynamic password. The authentication waiting time is a preset time waiting for receiving the updated authentication password input by the user. The update verification password refers to a password for accessing the target data storage area in the system database, which is input by the user after receiving the update prompt information.
As an example, in step S402, after obtaining the current verification password, the server needs to first determine whether the current dynamic password is consistent with the current verification password, and if the current dynamic password is consistent with the current verification password, the server determines that the current verification password is the current dynamic password currently in a valid state, and can directly obtain the right verification result that passes the verification.
As an example, in step S403, after obtaining the current verification password, the server needs to first determine whether the current dynamic password is consistent with the current verification password, and if the current dynamic password is not consistent with the current verification password, the server determines that the current verification password is not the current dynamic password currently in a valid state, and at this time, whether the historical dynamic password is consistent with the current verification password needs to be verified to determine whether the current verification password is the dynamic login password currently in a disabled state.
As an example, in step S404, when the historical dynamic password is consistent with the current verification password, the server may form an update prompt message based on the generation time of the current dynamic password, send the update prompt message to the service terminal, so that the service terminal displays the update prompt message and displays a new password input box to remind the user that the dynamic login password of the target data storage area has been updated, and prompt the user to input the update verification password in the new password input box. In this example, in order to ensure timeliness of database permission verification, verification waiting time is set, and a receiving service terminal waits for receiving an updated verification password corresponding to a current dynamic password.
As an example, in step S405, during the authentication waiting time after the server transmits the update prompt message, if the server receives the update authentication password corresponding to the current dynamic password, it indicates that the user can obtain the latest dynamic login password during the authentication waiting time, and therefore, the right authentication result that the authentication passes can be obtained. The update prompt information is used for reminding the user when the current dynamic password is updated, so that the user is prompted to search password update information which is obtained by a service terminal corresponding to the original mechanism identifier in advance, the latest updated dynamic login password (namely the current dynamic password) is determined, the update verification password is input in the new password input box for re-verification, and the situation that the user cannot access the target data storage area due to the fact that the user cannot timely notice the password update information in the process of replacing the historical dynamic password and the current dynamic password is avoided.
For example, if the dynamic login password for the target data storage area is 12: 30, updating the historical dynamic password K1 to the current dynamic password K2, sends password updating information T1 to the service terminal corresponding to the original organization identifier. User UM1 is at 12: 29 logs in to the target data storage area with the current authentication password corresponding to K1, and when no password update information is concerned, at 12: 31 logging in the target data storage area again by using the current verification password corresponding to K1, displaying an update prompt message T2 to prompt the user to determine the current dynamic password K2 according to the password update message T1, and inputting the update verification password corresponding to K2 to log in the target data storage area.
As an example, in step S406, during the authentication waiting time after the server transmits the update prompting message, if the update authentication password corresponding to the current dynamic password is not received, it indicates that the user cannot obtain the latest dynamic login password during the authentication waiting time, and therefore, the right authentication result that the authentication fails may be obtained.
As an example, in step S406, the current dynamic password and the current verification password are not consistent, and the historical dynamic password and the current verification password are not consistent, which indicates that the user cannot obtain the dynamic login password corresponding to the target data storage area, and therefore, the authorization verification result indicating that the verification fails may be obtained.
In one embodiment, as shown in fig. 5, in step S206, acquiring the target sensitive data corresponding to the data access index from the target data storage area includes:
s501: and acquiring original sensitive data corresponding to the data access index from the target data storage area, wherein the original sensitive data comprises field data corresponding to at least one index field.
S502: and carrying out format verification on the field data corresponding to the index field by adopting format verification logic corresponding to the index field to obtain a format verification result corresponding to the index field.
S503: and if the format verification results corresponding to all the index fields are verified, determining the original sensitive data as the target sensitive data.
S504: and if the format verification result corresponding to at least one index field is that the verification fails, adopting a format adaptation program corresponding to the index field to perform format conversion on the field data corresponding to the index field to acquire the target sensitive data.
The original sensitive data refers to the sensitive data corresponding to the data access index acquired from the target data storage area. The index field is the field name in the original sensitive data. The field data refers to a specific numerical value corresponding to the index field. For example, the index field is name, and the index data corresponding to the index field is XXX.
As an example, in step S501, when the right verification result is verification pass, the server may form a database query instruction based on the data access index, execute the database query instruction, and quickly query original sensitive data corresponding to the data access index from the target data storage area, where the original sensitive data includes field data corresponding to at least one index field.
The format check logic is processing logic for performing format check on field data corresponding to the index field.
As an example, in step S502, after the server obtains the field data corresponding to at least one index field in the original sensitive data, it needs to adopt the format check logic corresponding to the index field to perform format check on the field data corresponding to the index field, and determine whether the field data corresponding to the index field matches the standard format corresponding to the format check logic, so as to obtain the format check result corresponding to the index field. When the field data corresponding to the index field is matched with the standard format of the index field, acquiring a format verification result passing the verification; and when the field data corresponding to the index field is not matched with the standard format of the index field, acquiring a format verification result which is not verified. In this example, the format check logic may be a check logic formed by processing a standard format using a regular matching algorithm. For example, when the index field is the identification card number, the standard format is 18-bit data set according to the identification card coding rule, and if the field data is not 18-bit data or does not accord with the identification card coding rule, the format verification result that the verification fails is obtained.
As an example, in step S503, if the format verification results corresponding to all the index fields in the original sensitive data are verified, the original sensitive data are directly determined as the target sensitive data that the user needs to access, so as to ensure that the user accesses the target sensitive data meeting the standard format, thereby avoiding feeding back wrong target sensitive data to a certain extent, and ensuring data security.
The format adaptation program refers to a program which is configured in advance and used for realizing format adaptation.
As an example, in step S504, if the format verification result corresponding to at least one index field in the original sensitive data is that the verification fails, a format adaptation program corresponding to the index field that fails to be verified is required to be used to perform format conversion on the field data corresponding to the index field, and the target sensitive data is determined according to the field data after the format conversion. For example, the standard format corresponding to the date field is XXXX-YY-ZZ, if the field data corresponding to the date field in the original sensitive data is XXXX yearly YY month ZZ date or XXXX/YY/ZZ, a format adaptation program corresponding to the date field needs to be adopted to convert the field data into field data corresponding to the standard format, and finally, the target sensitive data is formed based on all field data which does not need format conversion or field data which is subjected to format conversion, so that a user is guaranteed to access the target sensitive data conforming to the standard format.
Generally, when the format verification result is that the verification fails, and format conversion is performed by adopting a format adaptation program, if a situation that the format conversion is unsuccessful exists, a conversion failure message can be fed back to the background terminal to remind a target data storage area that original sensitive data which cannot be subjected to format adaptation exists, so that a background manager corresponding to the background terminal can perform investigation, thereby avoiding feeding back wrong target sensitive data to a certain extent and ensuring data security.
In an embodiment, as shown in fig. 6, receiving a data access request sent by a service terminal includes:
s601: and receiving a system login request sent by a service terminal, wherein the system login request comprises a user account and login verification information.
S602: and inquiring a system database based on the user account to acquire the registration verification information corresponding to the user account.
S603: and verifying the login verification information by adopting the login verification information to obtain a login verification result.
S604: and if the login verification result is that the verification is passed, controlling the service terminal to enter a data access interface, and receiving a data access request which is sent by the service terminal and formed based on the data access interface.
Wherein the system login request is a request for triggering login to the system. The user account number is the personal account of the user that triggered the request. The login authentication information refers to information which is input by a user in a login process and used for authenticating a user account, and the login authentication information includes but is not limited to a currently acquired digital password to be authenticated, a gesture password to be authenticated, fingerprint information to be authenticated and voiceprint information to be authenticated. The registration verification information refers to information collected by the system before the current time for verifying the user account, and includes but is not limited to a registration digital password, a registration gesture password, registration fingerprint information and registration voiceprint information.
As an example, when a user logs in a system through a service terminal, the user may input a user account and login authentication information on a system login page to form a system login request, and the system login request is sent to a server so that the server receives the system login request. Then, the server can identify the user account and the login verification information in the system login request, inquire a system database based on the user account, and acquire the registration verification information corresponding to the user account from the system database. Then, the server adopts the login authentication information to authenticate the login authentication information, and a login authentication result is obtained. For example, if the digital password to be verified is consistent with the registered digital password, or the gesture password to be verified is consistent with the registered gesture password, or the similarity between the fingerprint information to be verified and the registered fingerprint information reaches a fingerprint similarity threshold, or the similarity between the voiceprint information to be verified and the registered voiceprint information reaches a voiceprint similarity threshold, acquiring a login verification result passing verification; otherwise, the login authentication result that the authentication fails is obtained. And finally, when the login verification result is that the login verification passes, the server can control the service terminal to enter a data access interface and receive a data access request which is sent by the service terminal and formed on the basis of the data access interface. Understandably, before triggering the data access request, the data access request needs to be verified based on the login verification information and the registration verification information, and the data access request can be triggered only when the login verification result is that the data access request passes the verification, so that only a user passing the login verification result can access the system, and the access security of the decryption sensitive data stored in the system database is further ensured.
In an embodiment, as shown in fig. 7, before step S201, that is, before receiving a data access request sent by a service terminal, the sensitive data access method further includes the following steps:
s701: and receiving encrypted sensitive data which is sent by the service system and carries the system identification.
S702: and acquiring a target decryption algorithm corresponding to the system identifier based on the system identifier, and decrypting the encrypted sensitive data by adopting the target decryption algorithm to acquire decrypted sensitive data.
S703: and identifying an original mechanism identification corresponding to the decrypted sensitive data.
S704: and storing the decrypted sensitive data into an organization data storage area corresponding to the original organization identifier in the system database, and triggering and executing a database password updating program corresponding to the original organization identifier.
Wherein the business system is a system for generating source data. The source data is unencrypted data formed by the business system. The encrypted sensitive data refers to data formed by encrypting source data in advance in a service system. The system identifier is an identifier for uniquely identifying a certain service system.
As an example, in step S701, before the service system needs to send the source data to the data access system, the service system first detects the source data, and determines whether the source data includes client sensitive information; if the source data comprises client sensitive information, encrypting by adopting a target encryption algorithm preset by the service system and the data access system to form encrypted sensitive data, and then sending the encrypted sensitive data to the data access system, so that the data access system can receive the encrypted sensitive data which is sent by the service system and carries a system identifier, and the data security of the source data in the process of being transmitted from the service system to the data access system is ensured. The target encryption algorithm is an encryption algorithm which is predetermined by the service system and the data access system, and the encryption algorithm can be updated in real time or at regular time. The client sensitive information refers to information containing client privacy, and specifically can be client name, certificate type, certificate number and other uniquely identified data.
The target decryption algorithm is a decryption algorithm predetermined by the service system and the data access system, and is matched with the target encryption algorithm.
As an example, in step 702, after acquiring the system identifier carried by the encrypted sensitive data, the server needs to acquire a target decryption algorithm corresponding to the system identifier based on a system identifier query. And then, decrypting the encrypted sensitive data by adopting a target decryption algorithm to obtain decrypted sensitive data. In this example, after the server obtains the decrypted sensitive data, the encrypted sensitive data may be stored in the data retention area, so that data tracing or other processing may be performed subsequently according to the decrypted sensitive data in the data retention area.
The original organization identifier is an identifier for uniquely identifying a certain business organization. A business entity refers to an entity that forms source data corresponding to encrypted sensitive data. For example, the service system a includes a plurality of service organizations a1/a2/A3/a4, and the source data formed by each service organization carries a corresponding original organization identifier, so as to use the original organization identifier to identify the data of different service organizations.
As an example, in step S703, after the server identifies the decrypted sensitive data, it needs to use a string matching algorithm or other algorithms to identify its corresponding original mechanism identifier from the decrypted sensitive data, so as to determine a data source corresponding to the decrypted sensitive data.
The mechanism data storage area is an area which is divided from the system database and is specially used for storing decryption sensitive data corresponding to a certain service mechanism. The database password update program corresponding to the original organization id refers to a program for a dynamic login password for the organization data storage area corresponding to the original organization id.
As an example, in step S704, when the server identifies the original mechanism identifier of the decrypted sensitive data, the server stores the decrypted sensitive data in a mechanism data storage area corresponding to the original mechanism identifier in the system database, so as to implement classified storage and separate monitoring on the decrypted sensitive data corresponding to the original mechanism identifier, so as to ensure security of subsequent data access. And after the decrypted sensitive data are stored in the mechanism data storage area, a database password updating program corresponding to the original mechanism identification is needed, so that the security of the decrypted sensitive data stored in the mechanism data storage area is guaranteed in a manner of updating the database password.
In one embodiment, as shown in fig. 8, the triggering step S703 of executing the database password updating procedure corresponding to the original organization identifier includes:
s801: and monitoring the current system event corresponding to the original mechanism identification in real time by adopting an event monitoring tool, and judging whether the current system event meets the password updating condition or not.
S802: and if the current event of the system meets the password updating condition, triggering to execute a password updating task, and generating a dynamic login password by adopting a dynamic code generation tool.
S803: and storing the original organization identification and the dynamic login password in a dynamic password information table in an associated manner, generating password updating information, and sending the password updating information to the service terminal corresponding to the original organization identification.
Wherein, the event monitoring tool is a tool which is configured in advance and used for monitoring the current event of the system. The current event of the system is a pre-configured event which needs to be monitored and is used for judging whether the password needs to be updated or not. The password updating condition is a preset condition needing to update the password.
As an example, the server needs to adopt an event monitoring tool to monitor a system current event corresponding to the original mechanism identifier in real time to determine whether the system current event meets a preconfigured password updating condition; when the password updating condition is met, the password updating task is triggered to be executed, and the dynamic login password is generated by adopting a dynamic code generation tool so as to ensure the real-time performance of the dynamic login password and ensure the safety of the decrypted sensitive data stored in the mechanism data storage area corresponding to the original mechanism identification by utilizing the dynamic login password.
For example, the password update condition may be that a timed update time corresponding to the original organization identifier is reached at the current time of the system, and the timed update time is a preset time for updating the database password. At the moment, the server adopts an event monitoring tool to monitor the current system event, namely the current system time in real time, and when the current system time reaches the timing updating time, the server triggers to execute a password updating task and adopts a dynamic code generating tool to generate a dynamic login password.
For another example, the password update condition may be that the access amount of data in the organization data storage area reaches an access amount threshold. At this time, the server may adopt an event monitoring tool to monitor the current event of the system, i.e. the data access amount corresponding to the original mechanism identifier in real time, and when the data access amount reaches the access amount threshold, the server triggers execution of a password update task, and adopts a dynamic code generation tool to generate a dynamic login password.
For another example, the password update condition may be an organization user change corresponding to the original organization identification. At this time, the server may use an event monitoring tool to monitor the system current event of the current state corresponding to the user account in the mechanism user information table corresponding to the original mechanism identifier in real time. The mechanism user information table comprises user accounts and corresponding current states, and the current states comprise on-duty states and off-duty states. If the event monitoring tool monitors that the mechanism user information table corresponding to the original mechanism identification has a user account which is changed from the on-duty state to the off-duty state, the password updating task is triggered to be executed, and a dynamic code generation tool is adopted to generate a dynamic login password so as to avoid sensitive data divulgence in the mechanism data storage area caused by user off-duty.
As an example, in step S803, the server may store the dynamic login password and the original organization identifier in association with each other in a dynamic password information table of the system database, so as to determine whether the organization data storage area corresponding to the original organization identifier is authorized to be accessed by querying the dynamic password information table in the subsequent data access process, thereby ensuring the security of the decrypted sensitive data in the organization data storage area.
Further, after the server generates the dynamic login password, according to the generation time of the dynamic login password and the password survival time agreed by the service system, the server determines the password validity period after the generation time of the dynamic login password as the password validity period corresponding to the dynamic login password, and stores the dynamic login password, the password validity period and the original organization identifier in a dynamic password information table of a system database in an associated manner.
As an example, in step S804, the server further needs to form password update information based on the dynamic login password, and send the password update information to the service terminal corresponding to the original organization identifier, so that all users under the service organization corresponding to the original organization identifier can obtain the dynamic login password, so that in the subsequent data access process, a current authentication password corresponding to the dynamic login password is input, login authentication is performed on the current authentication password by using the dynamic login password, and it is determined whether there is authority to access the organization data storage area corresponding to the original organization identifier, thereby ensuring security of decrypted sensitive data in the organization data storage area.
It should be understood that, the sequence numbers of the steps in the foregoing embodiments do not imply an execution sequence, and the execution sequence of each process should be determined by its function and inherent logic, and should not constitute any limitation to the implementation process of the embodiments of the present invention.
In one embodiment, a sensitive data access device is provided, and the sensitive data access device corresponds to the sensitive data access method in the above embodiments one to one. As shown in fig. 9, the sensitive data access apparatus includes the following functional modules, which are described in detail as follows:
a data access request receiving module 901, configured to receive a data access request sent by a service terminal, where the data access request includes a user account and a data access index.
An access data type determining module 902, configured to determine an access data type based on the data access index.
And a current verification password receiving module 903, configured to send a database password acquisition instruction to the service terminal if the access data type is a sensitive data type, and receive a current verification password sent by the service terminal.
And a user account query module 904, configured to obtain, based on the user account, a target data storage area and a dynamic login password corresponding to the user account.
And the permission verification result obtaining module 905 is configured to perform database permission verification based on the dynamic login password and the current verification password, and obtain a permission verification result.
And the target sensitive data sending module 906 is configured to, if the permission verification result is that the permission verification is passed, obtain target sensitive data corresponding to the data access index from the target data storage area, and send the target sensitive data to the service terminal.
Preferably, the user account querying module 904 comprises:
and the target user information acquisition unit is used for inquiring the system database based on the user account to acquire the target user information corresponding to the user account.
And the target mechanism identification acquisition unit is used for acquiring the target mechanism identification corresponding to the user account from the target user information.
And the target data storage area determining unit is used for determining the mechanism data storage area corresponding to the target mechanism identification as the target data storage area corresponding to the user account.
And the dynamic login password acquisition module is used for inquiring the dynamic password information table based on the target mechanism identification and acquiring the dynamic login password corresponding to the user account.
Preferably, the dynamic login password comprises a current dynamic password and a historical dynamic password.
The permission verification result obtaining module 905 includes:
and the first password judgment unit is used for judging whether the current dynamic password is consistent with the current verification password.
And the first passing result acquiring unit is used for acquiring the authority verification result passing the verification if the current dynamic password is consistent with the current verification password.
And the second password judgment unit is used for judging whether the historical dynamic password is consistent with the current verification password or not if the current dynamic password is inconsistent with the current verification password.
And the update prompt processing unit is used for sending update prompt information to the service terminal if the historical dynamic password is consistent with the current verification password, and waiting for receiving the update verification password which is sent by the service terminal and corresponds to the current dynamic password within the verification waiting time.
And the second pass result acquisition unit is used for acquiring the authority verification result passing the verification if the updated verification password is received within the verification waiting time.
And the non-passing result acquiring unit is used for acquiring the authority verification result of which the verification is not passed if the historical dynamic password is not consistent with the current verification password or the updated verification password is not received within the verification waiting time.
Preferably, the target sensitive data sending module 906 includes:
and the original sensitive data acquisition unit is used for acquiring original sensitive data corresponding to the data access index from the target data storage area, wherein the original sensitive data comprises field data corresponding to at least one index field.
And the format check result acquisition unit is used for carrying out format check on the field data corresponding to the index field by adopting the format check logic corresponding to the index field to acquire the format check result corresponding to the index field.
And the target sensitive data acquisition unit is used for determining the original sensitive data as the target sensitive data if the format verification results corresponding to all the index fields are verification pass.
And the target sensitive data acquisition unit is used for converting the format of the field data corresponding to the index field by adopting a format adaptation program corresponding to the index field to acquire the target sensitive data if the format verification result corresponding to at least one index field is that the verification fails.
Preferably, the data access request receiving module 901 includes:
and the system login request receiving unit is used for receiving a system login request sent by the service terminal, wherein the system login request comprises a user account and login verification information.
And the registration verification information acquisition unit is used for inquiring the system database based on the user account to acquire the registration verification information corresponding to the user account.
And the login authentication result acquisition unit is used for authenticating the login authentication information by adopting the login authentication information to acquire a login authentication result.
And the data access request acquisition unit is used for controlling the service terminal to enter a data access interface and receiving a data access request which is sent by the service terminal and formed based on the data access interface if the login verification result is that the login verification passes.
Preferably, the sensitive data access device further comprises:
and the encrypted sensitive data receiving module is used for receiving encrypted sensitive data which is sent by the service system and carries the system identification.
And the decryption sensitive data acquisition module is used for acquiring a target decryption algorithm corresponding to the system identifier based on the system identifier, and decrypting the encrypted sensitive data by adopting the target decryption algorithm to acquire the decrypted sensitive data.
And the original mechanism identification acquisition module is used for identifying the original mechanism identification corresponding to the decrypted sensitive data.
And the password updating program executing module is used for storing the decrypted sensitive data into an organization data storage area corresponding to the original organization identifier in the system database and triggering and executing the database password updating program corresponding to the original organization identifier.
Preferably, the password updating program executing module includes:
and the event monitoring unit is used for monitoring the current system event corresponding to the original mechanism identifier in real time by adopting an event monitoring tool and judging whether the current system event meets the password updating condition or not.
And the dynamic login password generation unit is used for triggering execution of a password updating task if the current event of the system meets the password updating condition, and generating a dynamic login password by adopting a dynamic code generation tool.
And the password updating information sending unit is used for storing the original mechanism identification and the dynamic login password in a dynamic password information table in an associated manner, generating password updating information and sending the password updating information to the service terminal corresponding to the original mechanism identification.
For specific limitations of the sensitive data access device, reference may be made to the above limitations of the sensitive data access method, which are not described herein again. The various modules in the sensitive data access device described above may be implemented in whole or in part by software, hardware, and combinations thereof. The modules can be embedded in a hardware form or independent from a processor in the computer device, and can also be stored in a memory in the computer device in a software form, so that the processor can call and execute operations corresponding to the modules.
In one embodiment, a computer device is provided, which may be a server, and its internal structure diagram may be as shown in fig. 10. The computer device includes a processor, a memory, a network interface, and a database connected by a system bus. Wherein the processor of the computer device is configured to provide computing and control capabilities. The memory of the computer device comprises a nonvolatile storage medium and an internal memory. The non-volatile storage medium stores an operating system, a computer program, and a database. The internal memory provides an environment for the operation of an operating system and computer programs in the non-volatile storage medium. The database of the computer device is used for data adopted or generated during the sensitive data access method. The network interface of the computer device is used for communicating with an external terminal through a network connection. The computer program is executed by a processor to implement a sensitive data access method.
In an embodiment, a computer device is provided, which includes a memory, a processor, and a computer program stored in the memory and executable on the processor, and when the processor executes the computer program, the method for accessing sensitive data in the foregoing embodiments is implemented, for example, S201 to S206 shown in fig. 2, or shown in fig. 3 to fig. 8, which is not described herein again to avoid repetition. Alternatively, the processor implements the functions of each module/unit in the embodiment of the sensitive data access apparatus when executing the computer program, for example, the functions of each functional module shown in fig. 9, and are not described here again to avoid repetition.
In an embodiment, a computer-readable storage medium is provided, where a computer program is stored on the computer-readable storage medium, and when the computer program is executed by a processor, the method for accessing sensitive data in the foregoing embodiments is implemented, for example, S201 to S206 shown in fig. 2, or shown in fig. 3 to fig. 8, which is not described herein again to avoid repetition. Alternatively, the computer program, when executed by the processor, implements functions of each module/unit in the embodiment of the sensitive data access apparatus, for example, functions of each functional module shown in fig. 9, and is not described here again to avoid repetition.
It will be understood by those skilled in the art that all or part of the processes of the methods of the embodiments described above can be implemented by hardware instructions of a computer program, which can be stored in a non-volatile computer-readable storage medium, and when executed, can include the processes of the embodiments of the methods described above. Any reference to memory, storage, database, or other medium used in the embodiments provided herein may include non-volatile and/or volatile memory, among others. Non-volatile memory can include read-only memory (ROM), Programmable ROM (PROM), Electrically Programmable ROM (EPROM), Electrically Erasable Programmable ROM (EEPROM), or flash memory. Volatile memory can include Random Access Memory (RAM) or external cache memory. By way of illustration and not limitation, RAM is available in a variety of forms such as Static RAM (SRAM), Dynamic RAM (DRAM), Synchronous DRAM (SDRAM), Double Data Rate SDRAM (DDRSDRAM), Enhanced SDRAM (ESDRAM), Synchronous Link DRAM (SLDRAM), Rambus Direct RAM (RDRAM), direct bus dynamic RAM (DRDRAM), and memory bus dynamic RAM (RDRAM).
It will be apparent to those skilled in the art that, for convenience and brevity of description, only the above-mentioned division of the functional units and modules is illustrated, and in practical applications, the above-mentioned function distribution may be performed by different functional units and modules according to needs, that is, the internal structure of the apparatus is divided into different functional units or modules to perform all or part of the above-mentioned functions.
The above-mentioned embodiments are only used for illustrating the technical solutions of the present invention, and not for limiting the same; although the present invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; such modifications and substitutions do not substantially depart from the spirit and scope of the embodiments of the present invention, and are intended to be included within the scope of the present invention.

Claims (10)

1. A method for sensitive data access, comprising:
receiving a data access request sent by a service terminal, wherein the data access request comprises a user account and a data access index;
determining an access data type based on the data access index;
if the access data type is a sensitive data type, sending a database password acquisition instruction to the service terminal, and receiving a current verification password sent by the service terminal;
acquiring a target data storage area and a dynamic login password corresponding to the user account on the basis of the user account;
performing database authority verification based on the dynamic login password and the current verification password to obtain an authority verification result;
and if the permission verification result is that the permission verification is passed, acquiring target sensitive data corresponding to the data access index from the target data storage area, and sending the target sensitive data to the service terminal.
2. The sensitive data access method of claim 1, wherein the obtaining a target data storage area and a dynamic login password corresponding to the user account based on the user account comprises:
inquiring a system database based on the user account to acquire target user information corresponding to the user account;
acquiring a target mechanism identifier corresponding to the user account from the target user information;
determining the mechanism data storage area corresponding to the target mechanism identification as a target data storage area corresponding to the user account;
and inquiring a dynamic password information table based on the target mechanism identification to acquire a dynamic login password corresponding to the user account.
3. The sensitive data access method of claim 1, wherein the dynamic login password comprises a current dynamic password and a historical dynamic password;
the database authority verification based on the dynamic login password and the current verification password to obtain an authority verification result comprises the following steps:
judging whether the current dynamic password is consistent with the current verification password;
if the current dynamic password is consistent with the current verification password, acquiring a permission verification result of passing the verification;
if the current dynamic password is not consistent with the current verification password, judging whether the historical dynamic password is consistent with the current verification password;
if the historical dynamic password is consistent with the current verification password, sending update prompt information to the service terminal, and waiting for receiving an update verification password which is sent by the service terminal and corresponds to the current dynamic password within verification waiting time;
if the updated verification password is received within the verification waiting time, acquiring a permission verification result of passing the verification;
and if the historical dynamic password is not consistent with the current verification password or the updated verification password is not received within the verification waiting time, acquiring an authority verification result of which the verification is not passed.
4. The sensitive data accessing method of claim 1, wherein the obtaining target sensitive data corresponding to the data access index from the target data store comprises:
acquiring original sensitive data corresponding to the data access index from the target data storage area, wherein the original sensitive data comprises field data corresponding to at least one index field;
adopting format check logic corresponding to the index field to perform format check on field data corresponding to the index field, and acquiring a format check result corresponding to the index field;
if the format verification results corresponding to all the index fields are verified, determining the original sensitive data as target sensitive data;
and if at least one format verification result corresponding to the index field is that the verification is not passed, adopting a format adaptation program corresponding to the index field to perform format conversion on the field data corresponding to the index field to acquire target sensitive data.
5. The sensitive data access method of claim 1, wherein the receiving a data access request sent by a service terminal comprises:
receiving a system login request sent by a service terminal, wherein the system login request comprises a user account and login verification information;
inquiring a system database based on the user account to acquire registration verification information corresponding to the user account;
verifying the login verification information by adopting the login verification information to obtain a login verification result;
and if the login verification result is that the verification is passed, controlling the service terminal to enter a data access interface, and receiving a data access request which is sent by the service terminal and formed based on the data access interface.
6. The sensitive data access method of claim 1, wherein prior to receiving the data access request sent by the service terminal, the sensitive data access method further comprises:
receiving encrypted sensitive data which is sent by a service system and carries a system identifier;
based on the system identification, acquiring a target decryption algorithm corresponding to the system identification, and decrypting the encrypted sensitive data by adopting the target decryption algorithm to acquire decrypted sensitive data;
identifying an original mechanism identification corresponding to the decrypted sensitive data;
and storing the decrypted sensitive data into an organization data storage area corresponding to the original organization identifier in a system database, and triggering and executing a database password updating program corresponding to the original organization identifier.
7. The sensitive data access method of claim 1, wherein the triggering execution of the database password update procedure corresponding to the original organization identification comprises:
adopting an event monitoring tool to monitor the system current event corresponding to the original mechanism identification in real time and judge whether the system current event meets the password updating condition;
if the current event of the system meets the password updating condition, triggering to execute a password updating task, and generating a dynamic login password by adopting a dynamic code generation tool;
and storing the original organization identification and the dynamic login password in a dynamic password information table in an associated manner, generating password updating information, and sending the password updating information to a service terminal corresponding to the original organization identification.
8. A sensitive data access apparatus, comprising:
the data access request receiving module is used for receiving a data access request sent by a service terminal, wherein the data access request comprises a user account and a data access index;
the access data type determining module is used for determining the type of the access data based on the data access index;
the current verification password receiving module is used for sending a database password acquisition instruction to the service terminal and receiving a current verification password sent by the service terminal if the access data type is a sensitive data type;
the user account inquiry module is used for acquiring a target data storage area and a dynamic login password corresponding to the user account based on the user account;
the authority verification result acquisition module is used for carrying out database authority verification based on the dynamic login password and the current verification password to acquire an authority verification result;
and the target sensitive data sending module is used for acquiring the target sensitive data corresponding to the data access index from the target data storage area and sending the target sensitive data to the service terminal if the permission verification result is that the permission verification passes.
9. A computer device comprising a memory, a processor and a computer program stored in the memory and executable on the processor, wherein the processor implements the sensitive data access method of any one of claims 1 to 7 when executing the computer program.
10. A computer-readable storage medium, in which a computer program is stored which, when being executed by a processor, carries out the sensitive data access method according to any one of claims 1 to 7.
CN202011604677.8A 2020-12-29 2020-12-29 Sensitive data access method and device, computer equipment and storage medium Pending CN112597481A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011604677.8A CN112597481A (en) 2020-12-29 2020-12-29 Sensitive data access method and device, computer equipment and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202011604677.8A CN112597481A (en) 2020-12-29 2020-12-29 Sensitive data access method and device, computer equipment and storage medium

Publications (1)

Publication Number Publication Date
CN112597481A true CN112597481A (en) 2021-04-02

Family

ID=75204028

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202011604677.8A Pending CN112597481A (en) 2020-12-29 2020-12-29 Sensitive data access method and device, computer equipment and storage medium

Country Status (1)

Country Link
CN (1) CN112597481A (en)

Cited By (14)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113378225A (en) * 2021-06-24 2021-09-10 平安普惠企业管理有限公司 Online sensitive data acquisition method and device, electronic equipment and storage medium
CN113408006A (en) * 2021-06-17 2021-09-17 深圳市九洲电器有限公司 Monitoring data access method and device, indoor monitoring system and storage medium
CN113806702A (en) * 2021-11-19 2021-12-17 北京明略昭辉科技有限公司 Method and device for opening authority, electronic equipment and storage medium
CN114048230A (en) * 2021-11-29 2022-02-15 平安科技(深圳)有限公司 Service data processing method, device, equipment and storage medium
CN114239015A (en) * 2021-12-15 2022-03-25 成都飞机工业(集团)有限责任公司 Data security management method and device, data cloud platform and storage medium
CN114417276A (en) * 2021-12-30 2022-04-29 珠海大横琴科技发展有限公司 Security verification method and device
CN114697084A (en) * 2022-03-14 2022-07-01 浙江大豪科技有限公司 Data access method for sewing equipment
CN114785611A (en) * 2022-05-10 2022-07-22 山东高速信息集团有限公司 Communication protocol configuration method, equipment and medium for intelligent monitoring terminal
CN116208426A (en) * 2023-04-26 2023-06-02 浙江达古科技有限公司 Data hierarchical authorization query control system and method
CN116595573A (en) * 2023-04-14 2023-08-15 敦源信息科技(广州)有限公司 Data security reinforcement method and device for traffic management information system
CN116702110A (en) * 2023-06-15 2023-09-05 深圳千岸科技股份有限公司 Method, device, equipment and storage medium for sharing big data of supply chain
CN116723042A (en) * 2023-07-12 2023-09-08 北汽蓝谷信息技术有限公司 Data packet security protection method and system
CN117573390A (en) * 2023-11-20 2024-02-20 航天信息(广东)有限公司 Data processing method, cloud, client and data processing system
CN114239015B (en) * 2021-12-15 2024-06-07 成都飞机工业(集团)有限责任公司 Data security management method and device, data cloud platform and storage medium

Citations (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101887532A (en) * 2009-05-15 2010-11-17 涂晓倩 Financial management system
CN104079409A (en) * 2014-06-10 2014-10-01 百度在线网络技术(北京)有限公司 Account login method and device
CN104391874A (en) * 2014-10-29 2015-03-04 中国建设银行股份有限公司 Database password management method and system
CN109857766A (en) * 2018-12-22 2019-06-07 深圳市珍爱捷云信息技术有限公司 User information verification method, device, computer equipment and computer storage medium
CN109902456A (en) * 2017-12-08 2019-06-18 桂唯 A kind of financial data access method and system
WO2019149261A1 (en) * 2018-02-01 2019-08-08 中兴通讯股份有限公司 File storage method for distributed file system and distributed file system
CN111104691A (en) * 2019-11-28 2020-05-05 贝壳技术有限公司 Sensitive information processing method and device, storage medium and equipment
US20200293681A1 (en) * 2019-03-15 2020-09-17 ZenPayroll, Inc. Tagging and auditing sensitive information in a database environment
CN111935094A (en) * 2020-07-14 2020-11-13 北京金山云网络技术有限公司 Database access method, device, system and computer readable storage medium

Patent Citations (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101887532A (en) * 2009-05-15 2010-11-17 涂晓倩 Financial management system
CN104079409A (en) * 2014-06-10 2014-10-01 百度在线网络技术(北京)有限公司 Account login method and device
CN104391874A (en) * 2014-10-29 2015-03-04 中国建设银行股份有限公司 Database password management method and system
CN109902456A (en) * 2017-12-08 2019-06-18 桂唯 A kind of financial data access method and system
WO2019149261A1 (en) * 2018-02-01 2019-08-08 中兴通讯股份有限公司 File storage method for distributed file system and distributed file system
CN109857766A (en) * 2018-12-22 2019-06-07 深圳市珍爱捷云信息技术有限公司 User information verification method, device, computer equipment and computer storage medium
US20200293681A1 (en) * 2019-03-15 2020-09-17 ZenPayroll, Inc. Tagging and auditing sensitive information in a database environment
CN111104691A (en) * 2019-11-28 2020-05-05 贝壳技术有限公司 Sensitive information processing method and device, storage medium and equipment
CN111935094A (en) * 2020-07-14 2020-11-13 北京金山云网络技术有限公司 Database access method, device, system and computer readable storage medium

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
辛锐;: "ERP系统敏感信息访问控制与审计", 今日科苑, no. 12, pages 0104 - 0107 *

Cited By (19)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113408006A (en) * 2021-06-17 2021-09-17 深圳市九洲电器有限公司 Monitoring data access method and device, indoor monitoring system and storage medium
CN113378225A (en) * 2021-06-24 2021-09-10 平安普惠企业管理有限公司 Online sensitive data acquisition method and device, electronic equipment and storage medium
CN113806702A (en) * 2021-11-19 2021-12-17 北京明略昭辉科技有限公司 Method and device for opening authority, electronic equipment and storage medium
CN114048230A (en) * 2021-11-29 2022-02-15 平安科技(深圳)有限公司 Service data processing method, device, equipment and storage medium
CN114048230B (en) * 2021-11-29 2024-05-07 平安科技(深圳)有限公司 Service data processing method, device, equipment and storage medium
CN114239015A (en) * 2021-12-15 2022-03-25 成都飞机工业(集团)有限责任公司 Data security management method and device, data cloud platform and storage medium
CN114239015B (en) * 2021-12-15 2024-06-07 成都飞机工业(集团)有限责任公司 Data security management method and device, data cloud platform and storage medium
CN114417276A (en) * 2021-12-30 2022-04-29 珠海大横琴科技发展有限公司 Security verification method and device
CN114697084A (en) * 2022-03-14 2022-07-01 浙江大豪科技有限公司 Data access method for sewing equipment
CN114697084B (en) * 2022-03-14 2024-03-26 浙江大豪科技有限公司 Sewing equipment data access method
CN114785611A (en) * 2022-05-10 2022-07-22 山东高速信息集团有限公司 Communication protocol configuration method, equipment and medium for intelligent monitoring terminal
CN114785611B (en) * 2022-05-10 2024-05-07 山东高速信息集团有限公司 Communication protocol configuration method, equipment and medium for intelligent monitoring terminal
CN116595573B (en) * 2023-04-14 2024-01-19 敦源信息科技(广州)有限公司 Data security reinforcement method and device for traffic management information system
CN116595573A (en) * 2023-04-14 2023-08-15 敦源信息科技(广州)有限公司 Data security reinforcement method and device for traffic management information system
CN116208426A (en) * 2023-04-26 2023-06-02 浙江达古科技有限公司 Data hierarchical authorization query control system and method
CN116702110A (en) * 2023-06-15 2023-09-05 深圳千岸科技股份有限公司 Method, device, equipment and storage medium for sharing big data of supply chain
CN116723042B (en) * 2023-07-12 2024-01-26 北汽蓝谷信息技术有限公司 Data packet security protection method and system
CN116723042A (en) * 2023-07-12 2023-09-08 北汽蓝谷信息技术有限公司 Data packet security protection method and system
CN117573390A (en) * 2023-11-20 2024-02-20 航天信息(广东)有限公司 Data processing method, cloud, client and data processing system

Similar Documents

Publication Publication Date Title
CN112597481A (en) Sensitive data access method and device, computer equipment and storage medium
CN108768664B (en) Key management method, device, system, storage medium and computer equipment
US11451544B2 (en) Systems and methods for secure online credential authentication
CN109325342B (en) Identity information management method, device, computer equipment and storage medium
CN109361669B (en) Identity authentication method, device and equipment of communication equipment
US8788836B1 (en) Method and apparatus for providing identity claim validation
CN111488598A (en) Access control method, device, computer equipment and storage medium
CN109600377B (en) Method and device for preventing unauthorized use computer device and storage medium
CN112632581A (en) User data processing method and device, computer equipment and storage medium
CN112825520B (en) User privacy data processing method, device, system and storage medium
CN107733933B (en) Method and system for double-factor identity authentication based on biological recognition technology
CN114024710A (en) Data transmission method, device, system and equipment
CN111241555B (en) Access method and device for simulating user login, computer equipment and storage medium
WO2021003977A1 (en) Default information query method and apparatus, and computer device and storage medium
CN109768979B (en) Data encryption transmission method and device, computer equipment and storage medium
CN110310392B (en) Vehicle unlocking method and device, computer equipment and storage medium
US20180083773A1 (en) Information security device and information security method using accessibility
CN113434889A (en) Service data access method, device, equipment and storage medium
CN112836206A (en) Login method, device, storage medium and computer equipment
CN112528268B (en) Cross-channel applet login management method and device and related equipment
CN111917711B (en) Data access method and device, computer equipment and storage medium
CN111259363B (en) Service access information processing method, system, device, equipment and storage medium
CN112948857A (en) Document processing method and device
US11936651B2 (en) Automated account recovery using trusted devices
US11502840B2 (en) Password management system and method

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination