CN113065163A - Big data oriented security data desensitization output method - Google Patents
Big data oriented security data desensitization output method
- Publication number: CN113065163A
- Application number: CN202110464310.9A
- Authority: CN (China)
- Prior art keywords: desensitization, data, service, big, data access
- Legal status: Granted (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/62—Protecting access to data via a platform, e.g. using keys or access control rules
- G06F21/6218—Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
- G06F21/6245—Protecting personal data, e.g. for financial or medical purposes
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/30—Authentication, i.e. establishing the identity or authorisation of security principals
- G06F21/44—Program or device authentication
Abstract
The invention relates to a big data oriented security data desensitization output method, which comprises the following steps: performing identity authentication on a data access party according to the data access request, obtaining a unique identity identification code after the identity authentication is passed, and obtaining a desensitization model according to the unique identity identification code; performing data access authority verification on the identity of the data access party according to the data access request and, after the verification is passed, performing basic desensitization and pre-desensitization on the service data processed by the service through the desensitization model; outputting the output parameters to a gateway layer, where they are uniformly intercepted; performing post-desensitization in the gateway layer, according to the obtained parameters, on the service data that has undergone basic desensitization and pre-desensitization; and, after post-desensitization is complete, constructing a data packet carrying a digital salt code from the service data, passing the data packet and the output parameters through a data encryption rule and outputting them to the data access party, completing the data access service. The invention decouples the service layer from desensitization processing.
Description
Technical Field
The invention relates to the technical field of big data processing and application, in particular to a big data oriented security data desensitization output method.
Background
Data desensitization transforms sensitive information according to desensitization rules so that sensitive private data is reliably protected. Where client security data or business-sensitive data is involved, the real data is modified before being provided for test use, without violating system rules; personal information such as identification numbers, mobile phone numbers, card numbers and client numbers must be desensitized.
Existing big data applications typically use hash desensitization, mask desensitization, replacement desensitization, transform desensitization, encryption desensitization and shuffle desensitization. In addition, data desensitization is usually performed on the service layer in existing big data applications, so that the security of the service layer is greatly reduced, and a new desensitization mode is needed to improve the situation.
Disclosure of Invention
The technical problem to be solved by the invention is to provide a big data oriented security data desensitization output method, which intercepts data needing desensitization at a gateway layer, reduces intrusion to a service layer, and realizes decoupling of the service layer and desensitization processing.
The technical scheme adopted by the invention to solve this technical problem is as follows: the big data oriented security data desensitization output method comprises the following steps:
Step (1): performing identity authentication on a data access party according to the data access request, obtaining a unique identity identification code after the identity authentication is passed, and obtaining a corresponding desensitization model according to the unique identity identification code;
Step (2): performing data access authority verification on the identity of the data access party according to the data access request and, after the verification is passed, performing basic desensitization and pre-desensitization on the service data processed by the service through the desensitization model;
Step (3): outputting the output parameters to a gateway layer, where they are uniformly intercepted;
Step (4): performing post-desensitization in the gateway layer, according to the obtained parameters, on the service data that has undergone basic desensitization and pre-desensitization;
Step (5): after post-desensitization is complete, constructing a data packet carrying a digital salt code from the service data, passing the data packet and the output parameters through a data encryption rule and outputting them to the data access party, completing the data access service.
Step (1) is preceded by: configuring the parameters of the desensitization model.
The basic desensitization in step (2) is specifically: carrying out irreversible desensitization of the personal information in the data processed by the service.
The attribute of base desensitization in step (2) comprises a first set comprising a first set of fields requiring desensitization and a first set of algorithms.
The property of pre-desensitization in step (2) comprises a second set comprising a second set of fields requiring desensitization and a second set of algorithms.
Step (4) is specifically as follows:
post-processing, in the gateway layer and according to the obtained parameters, the service data that has undergone basic desensitization and pre-desensitization;
generating a corresponding digital salt code for the post-processed service data using a random segmentation interception algorithm, rearranging the post-processed service data according to the ascending order of the digital salt code, and generating a symmetric encryption key; desensitizing the rearranged service data based on the symmetric encryption key.
The symmetric encryption key is generated specifically by applying MD5 to the unique identification code together with the digital salt code.
The property of post-desensitization in step (4) comprises a third set comprising a third set of fields requiring desensitization and a third set of algorithms.
The placement position of the digital salt code in the step (5) is determined by a constant value in a return header in the data packet.
Advantageous effects
Owing to this technical scheme, the invention has the following advantages and positive effects compared with the prior art: it intercepts the data needing desensitization at the gateway layer, reduces intrusion into the service layer and effectively decouples the service layer from desensitization processing; it can perform pre-desensitization on the service data before service processing, shielding some sensitive information at the source; after the business processing, different desensitization processing can be carried out for each field, allowing flexible configuration and application; the method intercepts data based on a random segmentation interception algorithm, divides and rearranges the data, generates the corresponding digital salt code, and generates the symmetric encryption key required for service data desensitization from the unique identification code and the digital salt code, so that the data confidentiality is stronger; desensitization processing is carried out on the service data in the output result, and after the service calling party obtains the data packet, the service data can be obtained by reversing the algorithm, so that the safety of the data is effectively ensured.
Drawings
FIG. 1 is a process flow diagram of an embodiment of the present invention.
Detailed Description
The invention will be further illustrated with reference to the following specific examples. It should be understood that these examples are for illustrative purposes only and are not intended to limit the scope of the present invention. Further, it should be understood that various changes or modifications of the present invention may be made by those skilled in the art after reading the teaching of the present invention, and such equivalents may fall within the scope of the present invention as defined in the appended claims.
The embodiment of the invention relates to a big data oriented secure data desensitization output method, which is shown in figure 1 and comprises the following steps:
Configuration: a system administrator configures the corresponding desensitization model in advance and binds it to the service caller:
- desensitization factory properties: key = unique identifier, value = desensitization model;
- desensitization model attributes: beforMix (pre-desensitization), afterMix (post-desensitization), baseMix (basic desensitization);
- basic desensitization properties: a first set consisting of fields1 (a first set of fields requiring desensitization) and algs1 (a first set of algorithms), for irreversible desensitization of personal information in the data;
- pre-desensitization properties: a second set consisting of fields2 (a second set of fields requiring desensitization) and algs2 (a second set of algorithms);
- post-desensitization properties: a third set consisting of fields3 (a third set of fields requiring desensitization) and algs3 (a third set of algorithms).
Step (1): according to the data access request, identity authentication is carried out on the data access party based on an upstream security data access trace audit service system for big data, and a unique identity code is obtained after the identity authentication is passed; in step (1a) the corresponding desensitization model is obtained from the desensitization model factory using the unique identity code.
Step (2): data access authority verification is carried out on the identity of the data access party confirmed in step (1), based on the data access authority definition of the service; after the verification is passed, basic desensitization is performed on the service data processed by the service in step (2a), and pre-desensitization is performed on the service data processed by the service in step (2b).
Step (3): for a data access request that passed the data access authority verification in step (2), after basic desensitization and pre-desensitization of the service data, the output parameters are output to the gateway layer, which uniformly intercepts the operations that require post-desensitization.
Step (4): data desensitization is performed in the gateway layer, according to the obtained parameters, on the service data that has undergone basic desensitization and pre-desensitization;
Step (4a) includes:
1. post-processing: the service data that has undergone basic desensitization and pre-desensitization is post-processed in the gateway layer according to the obtained parameters;
2. data desensitization: a corresponding 6-bit (the number of bits is determined by configuration items) digital salt code is generated for the post-processed service data using a random segmentation interception algorithm, the post-processed service data is rearranged according to the ascending order of the digital salt code, and MD5 is applied, using the digital salt code, to the unique identification code of the data request party on a white list to generate a symmetric encryption key; the rearranged service data is desensitized based on the symmetric encryption key. After the post-desensitization is finished, a data packet carrying the digital salt code is constructed.
Further, the digital salt code is placed at a random position in the data packet, with the specific location determined by the constant in the return header.
Step (5): the salt code used for desensitization, the data requester information and the like are recorded for tracing.
Step (6): the data packet and the output parameters from step (4) are passed to the data encryption rule and finally output to the data access party, completing one full data access service.
Furthermore, after the service calling party obtains the data packet, the service data can be obtained by reversing the algorithm, and the safety of the data is effectively guaranteed.
Therefore, the invention intercepts the data needing desensitization in the gateway layer, reduces the invasion to the service layer and effectively realizes the decoupling of the service layer and desensitization treatment; the invention can perform pre-desensitization on the service data before service processing, and can shield some sensitive information from the source; after the business processing, different desensitization processing can be carried out aiming at each field, and flexible configuration and application can be realized.
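The gateway-side packet construction of step (4a) and the caller-side recovery, sketched as an added example that is not code from the patent. Assumptions: the salt is prefixed to the unique ID before MD5, the data is cut into one segment per salt digit, the header field is named `salt_pos`, a SHA-256 counter keystream stands in for the unnamed symmetric cipher, and the optional `secret` is an added HMAC-SHA256 alternative for key derivation, since the salt itself travels inside the packet.

```python
import hashlib
import hmac
import json
import secrets

# Assumption: the page's "6-bit" numeric salt code is read as 6 decimal digits.
SALT_DIGITS = 6


def derive_key(unique_id, salt, secret=None):
    msg = (salt + unique_id).encode()  # assumption: salt is prefixed to the ID
    if secret is None:
        # As described on the page: MD5 over the ID and the salt code.
        return hashlib.md5(msg).digest()
    # Added alternative: HMAC-SHA256 keyed with a per-caller secret, so the key
    # does not depend only on values that travel with or identify the request.
    return hmac.new(secret, msg, hashlib.sha256).digest()


def _xor_stream(key, data):
    # Stand-in for the unnamed symmetric cipher: SHA-256 counter keystream.
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = hashlib.sha256(key + off.to_bytes(8, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[off:off + 32], pad))
    return bytes(out)


def _order(salt):
    # Segment indices sorted by ascending salt digit (stable for equal digits).
    return sorted(range(len(salt)), key=lambda i: salt[i])


def rearrange(data, salt):
    # Assumption: one segment per salt digit, segments emitted in digit order.
    size = -(-len(data) // len(salt))  # ceiling division
    segs = [data[i * size:(i + 1) * size] for i in range(len(salt))]
    return b"".join(segs[i] for i in _order(salt))


def restore(data, salt):
    # Inverse of rearrange(): recompute segment lengths, then put each back.
    n, size = len(salt), -(-len(data) // len(salt))
    lengths = [max(0, min(size, len(data) - i * size)) for i in range(n)]
    segs, pos = [b""] * n, 0
    for i in _order(salt):
        segs[i] = data[pos:pos + lengths[i]]
        pos += lengths[i]
    return b"".join(segs)


def build_packet(unique_id, service_data, salt=None, salt_pos=None, secret=None):
    salt = salt or "".join(secrets.choice("0123456789") for _ in range(SALT_DIGITS))
    plain = json.dumps(service_data, sort_keys=True).encode()
    key = derive_key(unique_id, salt, secret)
    body = _xor_stream(key, rearrange(plain, salt)).hex()
    pos = secrets.randbelow(len(body) + 1) if salt_pos is None else salt_pos
    # "salt_pos" is a hypothetical name for the constant in the return header.
    return {"header": {"salt_pos": pos}, "body": body[:pos] + salt + body[pos:]}


def open_packet(unique_id, packet, secret=None):
    pos, body = packet["header"]["salt_pos"], packet["body"]
    salt = body[pos:pos + SALT_DIGITS]
    cipher = bytes.fromhex(body[:pos] + body[pos + SALT_DIGITS:])
    plain = restore(_xor_stream(derive_key(unique_id, salt, secret), cipher), salt)
    return json.loads(plain)  # a wrong key normally fails here with ValueError


if __name__ == "__main__":
    record = {"card": "6222********1234", "phone": "138****0000"}  # constructed
    pkt = build_packet("caller-0001", record)
    print(pkt["header"], open_packet("caller-0001", pkt) == record)
```

With the MD5 derivation, everything needed to rebuild the key except the unique identification code is carried in the packet, so that code has to be treated as a secret; the `secret` variant moves that dependency onto a key provisioned out of band.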
Claims (9)
1. A big data oriented secure data desensitization output method is characterized by comprising the following steps:
step (1): performing identity authentication on a data access party according to the data access request, obtaining a unique identity identification code after the identity authentication is passed, and obtaining a corresponding desensitization model according to the unique identity identification code;
step (2): performing data access authority verification on the identity of the data access party according to the data access request, and performing basic desensitization and prepositive desensitization on the service data processed by the service through the desensitization model after the verification is passed;
step (3): outputting the output parameters to a gateway layer, and intercepting the output parameters uniformly through the gateway layer;
step (4): performing post-desensitization on the service data subjected to the basic desensitization and the pre-desensitization in a gateway layer according to the obtained parameters;
step (5): constructing a data packet with a digital salt code according to the service data after the post-desensitization is completed, outputting the data packet and the output parameters to a data access party after a data encryption rule, and completing a data access service.
2. The big-data-oriented secure data desensitization output method according to claim 1, characterized in that said step (1) is preceded by the further step of: carrying out parameter configuration on the desensitization model.
3. The big-data-oriented secure data desensitization output method according to claim 1, wherein the performing of the basic desensitization in the step (2) is specifically: carrying out irreversible desensitization treatment on the personal information in the data processed by the service.
4. Big-data-oriented secure data desensitization outputting method according to claim 1, characterized in that said basic desensitization attributes of step (2) comprise a first set comprising a first set of fields requiring desensitization and a first set of algorithms.
5. Big-data-oriented secure data desensitization outputting method according to claim 1, characterized in that said pre-desensitization attributes of step (2) comprise a second set comprising a second set of fields requiring desensitization and a second set of algorithms.
6. The big-data-oriented secure data desensitization output method according to claim 1, characterized in that said step (4) is in particular:
post-processing the service data after the basic desensitization and the pre-desensitization in a gateway layer according to the obtained parameters;
generating corresponding digital salt codes for the post-processed service data by adopting a random segmentation interception algorithm, and rearranging the post-processed service data according to the ascending sequence of the digital salt codes to generate a symmetric encryption key; desensitizing the rearranged service data based on the symmetric encryption key.
7. The big-data-oriented secure data desensitization output method according to claim 6, wherein the generating of the symmetric encryption key is specifically: applying MD5 to the unique identification code together with the digital salt code to generate the symmetric encryption key.
8. Big-data-oriented secure data desensitization outputting method according to claim 1, characterized in that said properties of post-desensitization in step (4) comprise a third set comprising a third set of fields requiring desensitization and a third set of algorithms.
9. The big-data-oriented secure data desensitization output method according to claim 1, wherein the placement of the digital salt code in said step (5) is determined by a constant in the return header of the data packet.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202110464310.9A CN113065163B (en) | 2021-04-26 | 2021-04-26 | Big data oriented security data desensitization output method |
Publications (2)
Publication Number | Publication Date |
---|---|
CN113065163A | 2021-07-02 |
CN113065163B | 2022-12-23 |
Family
ID=76567937
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202110464310.9A Active CN113065163B (en) | 2021-04-26 | 2021-04-26 | Big data oriented security data desensitization output method |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN113065163B (en) |
Also Published As
Publication number | Publication date |
---|---|
CN113065163B (en) | 2022-12-23 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||