CN113065163A - Big data oriented security data desensitization output method - Google Patents

Publication number: CN113065163A
Application number: CN202110464310.9A
Authority: CN (China)
Legal status: Granted (active)
Other languages: Chinese (zh)
Other versions: CN113065163B (en)
Inventors: 汤文巍, 章智云
Current Assignee: Vhs Shanghai Health Technology Co ltd
Original Assignee: Vhs Shanghai Health Technology Co ltd
Prior art keywords: desensitization, data, service, big, data access

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • G06F21/6245 Protecting personal data, e.g. for financial or medical purposes
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/44 Program or device authentication

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • General Physics & Mathematics (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Computer Hardware Design (AREA)
  • Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Medical Informatics (AREA)
  • Databases & Information Systems (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The invention relates to a big data oriented security data desensitization output method comprising the following steps: authenticating the identity of a data access party according to the data access request, obtaining a unique identity identification code once authentication passes, and obtaining a desensitization model according to the unique identity identification code; verifying the data access authority of the data access party's identity according to the data access request and, once verification passes, performing basic desensitization and pre-desensitization on the service data processed by the service through the desensitization model; outputting the output parameters to a gateway layer, which intercepts them uniformly; performing post-desensitization in the gateway layer, according to the obtained parameters, on the service data that has undergone basic desensitization and pre-desensitization; and, once post-desensitization is complete, constructing a data packet with a digital salt code from the service data, passing the data packet and the output parameters through a data encryption rule, and outputting them to the data access party to complete a data access service. The invention can decouple the service layer from desensitization processing.

Description

Big data oriented security data desensitization output method
Technical Field
The invention relates to the technical field of big data processing and application, in particular to a big data oriented security data desensitization output method.
Background
Data desensitization refers to transforming sensitive information according to desensitization rules so that sensitive private data is reliably protected. Where customer security data or commercially sensitive data is involved, the real data is modified, without violating system rules, and provided for test use; personal information such as identification numbers, mobile phone numbers, card numbers and customer numbers must be desensitized.
Existing big data applications typically use hash desensitization, mask desensitization, replacement desensitization, transform desensitization, encryption desensitization and shuffle desensitization. In addition, existing big data applications usually perform data desensitization in the service layer, which greatly reduces the security of the service layer, so a new desensitization mode is needed to improve the situation.
Disclosure of Invention
The technical problem to be solved by the invention is to provide a big data oriented security data desensitization output method, which intercepts data needing desensitization at a gateway layer, reduces intrusion to a service layer, and realizes decoupling of the service layer and desensitization processing.
The technical scheme adopted by the invention to solve this technical problem is as follows: the big data oriented security data desensitization output method comprises the following steps:
step (1): performing identity authentication on a data access party according to the data access request, obtaining a unique identity identification code after the identity authentication is passed, and obtaining a corresponding desensitization model according to the unique identity identification code;
step (2): performing data access authority verification on the identity of the data access party according to the data access request, and performing basic desensitization and pre-desensitization on the service data processed by the service through the desensitization model after the verification is passed;
step (3): outputting the output parameters to a gateway layer, and intercepting the output parameters uniformly through the gateway layer;
step (4): performing post-desensitization, in the gateway layer and according to the obtained parameters, on the service data that has undergone basic desensitization and pre-desensitization;
step (5): constructing a data packet with a digital salt code from the service data after post-desensitization is complete, passing the data packet and the output parameters through a data encryption rule, and outputting them to the data access party to complete a data access service.
Step (1) is preceded by: configuring the parameters of the desensitization model.
The basic desensitization in step (2) is specifically: performing irreversible desensitization on the personal information in the data processed by the service.
The attributes of basic desensitization in step (2) comprise a first set, which comprises a first set of fields requiring desensitization and a first set of algorithms.
The attributes of pre-desensitization in step (2) comprise a second set, which comprises a second set of fields requiring desensitization and a second set of algorithms.
Step (4) is specifically:
post-processing, in the gateway layer and according to the obtained parameters, the service data that has undergone basic desensitization and pre-desensitization;
generating corresponding digital salt codes for the post-processed service data using a random segmentation interception algorithm, rearranging the post-processed service data in ascending order of the digital salt codes, and generating a symmetric encryption key; and desensitizing the rearranged service data based on the symmetric encryption key.
Generating the symmetric encryption key is specifically: performing MD5 encryption on the unique identification code using the digital salt code to generate the symmetric encryption key.
The attributes of post-desensitization in step (4) comprise a third set, which comprises a third set of fields requiring desensitization and a third set of algorithms.
The placement position of the digital salt code in step (5) is determined by a constant in the return header of the data packet.
Advantageous effects
By adopting the above technical scheme, the invention has the following advantages and positive effects compared with the prior art: it intercepts the data needing desensitization at the gateway layer, reduces intrusion into the service layer and effectively decouples the service layer from desensitization processing; it can perform pre-desensitization on the service data before service processing, shielding some sensitive information at the source; after service processing, different desensitization can be applied to each field, allowing flexible configuration and application; it intercepts data using a random segmentation interception algorithm, divides and rearranges the data, generates corresponding digital salt codes, and generates the symmetric encryption key required for service data desensitization from the digital salt code and the unique identification code, so that data confidentiality is stronger; and it applies desensitization to the service data in the output result, so that after the service caller obtains the data packet it can recover the service data by working backwards according to the algorithm, which effectively ensures the security of the data.
Drawings
FIG. 1 is a process flow diagram of an embodiment of the present invention.
Detailed Description
The invention will be further illustrated with reference to the following specific examples. It should be understood that these examples are for illustrative purposes only and are not intended to limit the scope of the present invention. Further, it should be understood that various changes or modifications of the present invention may be made by those skilled in the art after reading the teaching of the present invention, and such equivalents may fall within the scope of the present invention as defined in the appended claims.
The embodiment of the invention relates to a big data oriented secure data desensitization output method which, as shown in FIG. 1, comprises the following steps:
Preliminary step: a system administrator configures the corresponding desensitization model in advance and binds that model to the service caller:
desensitization factory properties: key = unique identifier, value = desensitization model;
desensitization model attributes: beforMix (pre-desensitization), afterMix (post-desensitization), baseMix (basic desensitization);
basic desensitization properties: a first set consisting of fields1 (a first set of fields requiring desensitization) and algs1 (a first set of algorithms), for irreversible desensitization of personal information in the data;
pre-desensitization properties: a second set consisting of fields2 (a second set of fields requiring desensitization) and algs2 (a second set of algorithms);
post-desensitization properties: a third set consisting of fields3 (a third set of fields requiring desensitization) and algs3 (a third set of algorithms).
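The model factory described above can be sketched as follows. This is an added example, not code from the patent: the attribute names baseMix, beforMix and afterMix come from the page, while the caller ID, field names, algorithm names, the HMAC key, the positional pairing of fields with algorithms and the fail-closed lookup are assumptions made for illustration.

```python
import hashlib
import hmac

# Constructed gateway-side secret for the keyed digest (assumption, not on the page).
DIGEST_KEY = b"example-only-key"

def keyed_digest(value):
    """Irreversible: HMAC-SHA256, not recomputable without the key."""
    return hmac.new(DIGEST_KEY, value.encode("utf-8"), hashlib.sha256).hexdigest()

def mask_middle(value):
    """Irreversible mask that keeps the first 3 and last 4 characters."""
    if len(value) <= 7:
        return "*" * len(value)
    return value[:3] + "*" * (len(value) - 7) + value[-4:]

def redact(value):
    return "[REDACTED]"

ALGORITHMS = {"keyed_digest": keyed_digest, "mask_middle": mask_middle, "redact": redact}

# Desensitization factory: key = unique identifier, value = desensitization model.
# The caller ID, fields and algorithm names are constructed sample values.
FACTORY = {
    "caller-001": {
        "baseMix": {"fields": ["id_number", "phone"], "algs": ["keyed_digest", "mask_middle"]},
        "beforMix": {"fields": ["card_no"], "algs": ["redact"]},
        # afterMix is applied by the gateway layer, not by this service-side code.
        "afterMix": {"fields": ["diagnosis"], "algs": ["salted_symmetric"]},
    },
}

def get_model(unique_id):
    """Fail closed: a caller with no bound model gets no data at all."""
    model = FACTORY.get(unique_id)
    if model is None:
        raise PermissionError("no desensitization model bound to " + repr(unique_id))
    return model

def apply_stage(record, stage):
    """Apply algs[i] to fields[i]; positional pairing is an assumption."""
    fields, algs = stage["fields"], stage["algs"]
    if len(fields) != len(algs):
        raise ValueError("fields and algs must have the same length")
    out = dict(record)  # never mutate the service's own copy
    for field, alg in zip(fields, algs):
        if field in out:
            out[field] = ALGORITHMS[alg](out[field])
    return out

def service_side_desensitize(unique_id, record):
    """Basic then pre-desensitization; post-desensitization is left to the gateway."""
    model = get_model(unique_id)
    return apply_stage(apply_stage(record, model["baseMix"]), model["beforMix"])

if __name__ == "__main__":
    sample = {"name": "Zhang", "phone": "13812345678",
              "id_number": "110101199001011234",
              "card_no": "6222020000000000000", "diagnosis": "flu"}  # constructed record
    print(service_side_desensitize("caller-001", sample))
```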
Step (1): according to the data access request, identity authentication is performed on the data access party based on an upstream security data access trace audit service system for big data; a unique identity code is obtained after the identity authentication is passed, and step (1a) obtains the corresponding desensitization model from the desensitization model factory using the unique identity code.
Step (2): data access authority verification is performed on the identity of the data access party confirmed in step (1), based on the data access authority definition of the service; after the verification is passed, basic desensitization is performed on the service data processed by the service through step (2a), and pre-desensitization is performed on the service data processed by the service through step (2b).
Step (3): for a data access request that passed the data access authority verification in step (2), the output parameters are output to the gateway layer after basic desensitization and pre-desensitization of the service data, and the gateway layer uniformly intercepts the operations that require post-desensitization.
Step (4): data desensitization is performed in the gateway layer, according to the obtained parameters, on the service data that has undergone basic desensitization and pre-desensitization;
Step (4a) includes:
1. post-processing: the service data that has undergone basic desensitization and pre-desensitization is post-processed in the gateway layer according to the obtained parameters;
2. data desensitization: a random segmentation interception algorithm generates corresponding 6-bit digital salt codes (the number of bits is determined by configuration items) for the post-processed service data; the post-processed service data is rearranged in ascending order of the digital salt codes; MD5 encryption is performed, using the digital salt codes, on the unique identification code of the data requester on the white list to generate a symmetric encryption key; and the rearranged service data is desensitized based on the symmetric encryption key. After post-desensitization is complete, a data packet with the digital salt code is constructed.
Further, the digital salt code is placed at a random position in the data packet, with the specific location determined by the constant in the return header.
Step (5): the desensitization digital salt code information, the data requester information and the like are recorded for tracing.
Step (6): the data packet and the output parameters from step (4) are passed to the data encryption rule and finally output to the data access party, completing one full data access service.
Furthermore, after the service caller obtains the data packet, it can recover the service data by working backwards according to the algorithm, which effectively ensures the security of the data.
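The post-desensitization packet and the caller's reverse step can be sketched as follows. This is an added example, not code from the patent, and it rests on labelled assumptions: the "6-bit" salt code is read as six decimal digits, the key is the MD5 digest of the salt code concatenated with the unique identity code, a SHA-256 counter keystream stands in for the unnamed symmetric cipher, the header fields saltPos and saltLen are hypothetical names, and the rearrangement step is left out because the page does not define it.

```python
import hashlib
import secrets

SALT_DIGITS = 6  # page: "6-bit", configurable; read here as six decimal digits (assumption)

def new_salt_code(digits=SALT_DIGITS):
    # The page's "random segmentation interception algorithm" is not specified;
    # a CSPRNG is swapped in to produce the numeric code.
    return "".join(secrets.choice("0123456789") for _ in range(digits))

def derive_key(unique_id, salt_code):
    # Assumed construction: MD5 digest of salt_code || unique_id (16 bytes).
    return hashlib.md5((salt_code + unique_id).encode("utf-8")).digest()

def keystream_xor(key, data):
    # Stand-in for the unnamed symmetric cipher: XOR with a SHA-256 counter
    # keystream. Applying it twice with the same key restores the input.
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hashlib.sha256(key + offset.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], block))
    return bytes(out)

def build_packet(unique_id, payload, salt_pos, salt_code=None):
    """Gateway side: encrypt, then embed the salt at the header-defined position."""
    salt = salt_code or new_salt_code()
    body = keystream_xor(derive_key(unique_id, salt), payload).hex()
    pos = min(salt_pos, len(body))  # clamp so the salt always fits
    return {"header": {"saltPos": pos, "saltLen": len(salt)},  # hypothetical field names
            "data": body[:pos] + salt + body[pos:]}

def open_packet(unique_id, packet):
    """Caller side: pull the salt out, rebuild the key, reverse the transform."""
    pos, n = packet["header"]["saltPos"], packet["header"]["saltLen"]
    data = packet["data"]
    salt, body = data[pos:pos + n], data[:pos] + data[pos + n:]
    return keystream_xor(derive_key(unique_id, salt), bytes.fromhex(body))

def trace_entry(unique_id, packet):
    """Step (5): what the gateway records for later tracing."""
    pos, n = packet["header"]["saltPos"], packet["header"]["saltLen"]
    return {"requester": unique_id, "salt_code": packet["data"][pos:pos + n]}

if __name__ == "__main__":
    payload = b'{"diagnosis": "flu"}'               # constructed service data
    pkt = build_packet("caller-001", payload, 10)   # constructed caller ID and position
    print(pkt)
    print(open_packet("caller-001", pkt))
    print(trace_entry("caller-001", pkt))
```

Because the salt code travels inside the packet, the unique identity code is the only secret input to the key in this layout, so it has to be handled as key material.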
Therefore, the invention intercepts the data needing desensitization at the gateway layer, reduces intrusion into the service layer and effectively decouples the service layer from desensitization processing; it can perform pre-desensitization on the service data before service processing, shielding some sensitive information at the source; and after service processing, different desensitization can be applied to each field, allowing flexible configuration and application.

Claims (9)

1. A big data oriented secure data desensitization output method, characterized by comprising the following steps:
step (1): performing identity authentication on a data access party according to the data access request, obtaining a unique identity identification code after the identity authentication is passed, and obtaining a corresponding desensitization model according to the unique identity identification code;
step (2): performing data access authority verification on the identity of the data access party according to the data access request, and performing basic desensitization and pre-desensitization on the service data processed by the service through the desensitization model after the verification is passed;
step (3): outputting the output parameters to a gateway layer, and intercepting the output parameters uniformly through the gateway layer;
step (4): performing post-desensitization, in the gateway layer and according to the obtained parameters, on the service data that has undergone basic desensitization and pre-desensitization;
step (5): constructing a data packet with a digital salt code from the service data after post-desensitization is complete, passing the data packet and the output parameters through a data encryption rule, and outputting them to the data access party to complete a data access service.
2. The big data oriented secure data desensitization output method according to claim 1, characterized in that step (1) is preceded by the further step of: configuring the parameters of the desensitization model.
3. The big data oriented secure data desensitization output method according to claim 1, characterized in that the basic desensitization in step (2) is specifically: performing irreversible desensitization on the personal information in the data processed by the service.
4. The big data oriented secure data desensitization output method according to claim 1, characterized in that the attributes of basic desensitization in step (2) comprise a first set, which comprises a first set of fields requiring desensitization and a first set of algorithms.
5. The big data oriented secure data desensitization output method according to claim 1, characterized in that the attributes of pre-desensitization in step (2) comprise a second set, which comprises a second set of fields requiring desensitization and a second set of algorithms.
6. The big data oriented secure data desensitization output method according to claim 1, characterized in that step (4) is specifically:
post-processing, in the gateway layer and according to the obtained parameters, the service data that has undergone basic desensitization and pre-desensitization;
generating corresponding digital salt codes for the post-processed service data using a random segmentation interception algorithm, rearranging the post-processed service data in ascending order of the digital salt codes, and generating a symmetric encryption key; and desensitizing the rearranged service data based on the symmetric encryption key.
7. The big data oriented secure data desensitization output method according to claim 6, characterized in that generating the symmetric encryption key is specifically: performing MD5 encryption on the unique identification code using the digital salt code to generate the symmetric encryption key.
8. The big data oriented secure data desensitization output method according to claim 1, characterized in that the attributes of post-desensitization in step (4) comprise a third set, which comprises a third set of fields requiring desensitization and a third set of algorithms.
9. The big data oriented secure data desensitization output method according to claim 1, characterized in that the placement position of the digital salt code in step (5) is determined by a constant in the return header of the data packet.
CN202110464310.9A 2021-04-26 2021-04-26 Big data oriented security data desensitization output method Active CN113065163B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110464310.9A CN113065163B (en) 2021-04-26 2021-04-26 Big data oriented security data desensitization output method

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202110464310.9A CN113065163B (en) 2021-04-26 2021-04-26 Big data oriented security data desensitization output method

Publications (2)

Publication Number Publication Date
CN113065163A (en) 2021-07-02
CN113065163B (en) 2022-12-23

Family

ID=76567937

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110464310.9A Active CN113065163B (en) 2021-04-26 2021-04-26 Big data oriented security data desensitization output method

Country Status (1)

Country Link
CN (1) CN113065163B (en)

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20150098377A1 (en) * 2013-10-09 2015-04-09 Netgear, Inc. Wireless router or residential gateway capable of distinguishing power-sensitive wireless sensors and providing separate treatment thereto
CN106407843A (en) * 2016-10-17 2017-02-15 深圳中兴网信科技有限公司 Data desensitization method and data desensitization device
CN109063511A (en) * 2018-08-16 2018-12-21 深圳云安宝科技有限公司 Data access control method, device, proxy server and medium based on Web API
CN110427769A (en) * 2019-08-12 2019-11-08 重庆大学 Based on intelligent safeguard system user oriented activity pattern secret protection implementation method
CN111597578A (en) * 2020-04-23 2020-08-28 国网湖北省电力有限公司信息通信公司 Customer sensitive information desensitization system of electric power marketing system
CN112231747A (en) * 2020-09-25 2021-01-15 中国建设银行股份有限公司 Data desensitization method, data desensitization apparatus, and computer readable medium

Also Published As

Publication number Publication date
CN113065163B (en) 2022-12-23

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant