CN113065163B - Big data oriented security data desensitization output method - Google Patents


Info

Publication number
CN113065163B
Authority
CN
China
Prior art keywords
desensitization
data
service
data access
basic
Legal status
Active
Application number
CN202110464310.9A
Other languages
Chinese (zh)
Other versions
CN113065163A (en)
Inventor
汤文巍
章智云
Current Assignee
Vhs Shanghai Health Technology Co ltd
Original Assignee
Vhs Shanghai Health Technology Co ltd
Application filed by Vhs Shanghai Health Technology Co ltd
Priority to CN202110464310.9A
Publication of CN113065163A
Application granted
Publication of CN113065163B

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • G06F21/6245 Protecting personal data, e.g. for financial or medical purposes
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/44 Program or device authentication

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Bioethics (AREA)
  • Medical Informatics (AREA)
  • Databases & Information Systems (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The invention relates to a big data oriented security data desensitization output method comprising the following steps: authenticating the identity of a data access party according to the data access request, obtaining a unique identity identification code once authentication passes, and obtaining a desensitization model according to the unique identity identification code; verifying the data access authority of the data access party according to the data access request and, once verification passes, performing basic desensitization and pre-desensitization on the service data processed by the service through the desensitization model; outputting the output parameters to a gateway layer, which intercepts them uniformly; performing post-desensitization in the gateway layer, according to the obtained parameters, on the service data that has undergone basic desensitization and pre-desensitization; and constructing a data packet carrying a digital salt code from the service data once post-desensitization is complete, passing the data packet and the output parameters through a data encryption rule, and outputting them to the data access party, which completes the data access service. The invention can decouple the service layer from desensitization processing.

Description

Big data oriented security data desensitization output method
Technical Field
The invention relates to the technical field of big data processing and application, in particular to a big data oriented security data desensitization output method.
Background
Data desensitization means transforming certain sensitive information according to desensitization rules so that sensitive private data is reliably protected. Where customer security data or commercially sensitive data is involved, the real data is modified and provided for test use without violating system rules, and personal information such as identification numbers, mobile phone numbers, card numbers and customer numbers must be desensitized.
Existing big data applications typically use hash desensitization, mask desensitization, replacement desensitization, transform desensitization, encryption desensitization and shuffle desensitization. In addition, existing big data applications usually perform data desensitization in the service layer, which greatly reduces the security of the service layer, so a new desensitization approach is needed to improve the situation.
Disclosure of Invention
The technical problem to be solved by the invention is to provide a big data oriented security data desensitization output method that intercepts the data needing desensitization at the gateway layer, reduces intrusion into the service layer, and decouples the service layer from desensitization processing.
The technical solution adopted by the invention to solve this problem is a big data oriented security data desensitization output method comprising the following steps:
step (1): performing identity authentication on a data access party according to the data access request, obtaining a unique identity identification code after the identity authentication is passed, and obtaining a corresponding desensitization model according to the unique identity identification code;
step (2): performing data access authority verification on the identity of the data access party according to the data access request, and, after the verification is passed, performing basic desensitization and pre-desensitization on the service data processed by the service through the desensitization model;
step (3): outputting the output parameters to a gateway layer, and intercepting the output parameters uniformly through the gateway layer;
step (4): performing post-desensitization in the gateway layer, according to the obtained parameters, on the service data that has undergone basic desensitization and pre-desensitization;
step (5): constructing a data packet carrying a digital salt code from the service data once post-desensitization is complete, passing the data packet and the output parameters through a data encryption rule, and outputting them to the data access party, which completes the data access service.
Before step (1), the method further comprises: configuring the parameters of the desensitization model.
The basic desensitization in step (2) is specifically: performing irreversible desensitization on the personal information in the data processed by the service.
The attributes of basic desensitization in step (2) comprise a first set, which consists of a first set of fields requiring desensitization and a first set of algorithms.
The attributes of pre-desensitization in step (2) comprise a second set, which consists of a second set of fields requiring desensitization and a second set of algorithms.
Step (4) is specifically as follows:
post-processing, in the gateway layer and according to the obtained parameters, the service data that has undergone basic desensitization and pre-desensitization;
generating a corresponding digital salt code for the post-processed service data using a random segmentation interception algorithm, rearranging the post-processed service data in ascending order of the digital salt code, and generating a symmetric encryption key; and desensitizing the rearranged service data based on the symmetric encryption key.
Generating the symmetric encryption key is specifically: performing MD5 encryption on the unique identification code using the digital salt code to generate the symmetric encryption key.
The attributes of post-desensitization in step (4) comprise a third set, which consists of a third set of fields requiring desensitization and a third set of algorithms.
The position at which the digital salt code is placed in step (5) is determined by a constant in the return header of the data packet.
Advantageous effects
By adopting the above technical solution, the invention has the following advantages and positive effects compared with the prior art: the invention intercepts the data needing desensitization at the gateway layer, reduces intrusion into the service layer and effectively decouples the service layer from desensitization processing; the invention can perform pre-desensitization on the service data before service processing, shielding some sensitive information at the source; after service processing, a different desensitization treatment can be applied to each field, allowing flexible configuration and application; the method intercepts data using a random segmentation interception algorithm, segments and rearranges the data, generates the corresponding digital salt code, and generates from the digital salt code and the unique identification code the symmetric encryption key required for desensitizing the service data, so that data confidentiality is stronger; the invention desensitizes the service data in the output result, and after the service caller receives the data packet it can recover the service data by working backward through the algorithm, which effectively ensures the security of the data.
Drawings
FIG. 1 is a process flow diagram of an embodiment of the present invention.
Detailed Description
The invention will be further illustrated with reference to the following specific examples. It should be understood that these examples are for illustrative purposes only and are not intended to limit the scope of the present invention. Further, it should be understood that various changes or modifications of the present invention may be made by those skilled in the art after reading the teaching of the present invention, and such equivalents may fall within the scope of the present invention as defined in the appended claims.
The embodiment of the invention relates to a big data oriented security data desensitization output method which, as shown in FIG. 1, comprises the following steps:
Preliminary step: a system administrator configures the corresponding desensitization model in advance and binds it to the service caller;
desensitization factory attributes: key (unique identifier), value (desensitization model);
desensitization model attributes: beforMix (pre-desensitization), afterMix (post-desensitization), baseMix (basic desensitization);
basic desensitization attributes: a first set consisting of fields1 (a first set of fields requiring desensitization) and algs1 (a first set of algorithms), used to perform irreversible desensitization on the personal information in the data;
pre-desensitization attributes: a second set consisting of fields2 (a second set of fields requiring desensitization) and algs2 (a second set of algorithms);
post-desensitization attributes: a third set consisting of fields3 (a third set of fields requiring desensitization) and algs3 (a third set of algorithms).
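The factory and model attributes listed above can be written down as a small configuration structure. The following is an added example, not code from the patent: the attribute names beforMix, afterMix, baseMix, fields and algs come from the page, while the algorithm names, the index pairing of fields with algs, the caller id, the demo key and the sample record are constructed assumptions.

```python
import hashlib
import hmac
from dataclasses import dataclass

DEMO_HMAC_KEY = b"constructed-demo-key"  # constructed; a real key lives in a secret store


def mask_middle(value, head=3, tail=4):
    """Mask desensitization: keep the edges, star out the middle."""
    if len(value) <= head + tail:
        return "*" * len(value)
    return value[:head] + "*" * (len(value) - head - tail) + value[-tail:]


def keyed_digest(value):
    """Irreversible desensitization: keyed one-way digest of the value."""
    return hmac.new(DEMO_HMAC_KEY, value.encode("utf-8"), hashlib.sha256).hexdigest()


ALGORITHMS = {"mask": mask_middle, "hmac": keyed_digest}  # hypothetical names


@dataclass(frozen=True)
class Mix:
    fields: tuple = ()
    algs: tuple = ()  # assumption: algs[i] is applied to fields[i]

    def __post_init__(self):
        if len(self.fields) != len(self.algs):
            raise ValueError("fields and algs must have the same length")
        unknown = [a for a in self.algs if a not in ALGORITHMS]
        if unknown:
            raise ValueError(f"unknown algorithm(s): {unknown}")

    def apply(self, record):
        out = dict(record)  # never mutate the caller's record
        for name, alg in zip(self.fields, self.algs):
            if out.get(name) is not None:
                out[name] = ALGORITHMS[alg](str(out[name]))
        return out


@dataclass(frozen=True)
class DesensitizationModel:
    baseMix: Mix
    beforMix: Mix
    afterMix: Mix


# Desensitization factory: key = unique identifier, value = desensitization model.
FACTORY = {
    "caller-001": DesensitizationModel(
        baseMix=Mix(("id_number",), ("hmac",)),
        beforMix=Mix(("phone",), ("mask",)),
        afterMix=Mix(("card_no",), ("mask",)),
    ),
}


def model_for(unique_id):
    """Fail closed: a caller with no bound model gets no data."""
    try:
        return FACTORY[unique_id]
    except KeyError:
        raise PermissionError(f"no desensitization model bound to {unique_id!r}") from None


def service_layer(unique_id, record):
    """Basic desensitization, then pre-desensitization (steps 2a and 2b)."""
    model = model_for(unique_id)
    return model.beforMix.apply(model.baseMix.apply(record))


def gateway_layer(unique_id, record):
    """Post-desensitization, applied by the gateway to the intercepted output."""
    return model_for(unique_id).afterMix.apply(record)
```

Keeping afterMix out of `service_layer` is what lets the gateway apply it without the service code knowing which fields are affected.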
Step (1): According to the data access request, the identity of the data access party is authenticated by the upstream big data secure data access trace audit service system, and a unique identity identification code is obtained once authentication passes; in step (1a), the corresponding desensitization model is fetched from the desensitization model factory according to the unique identity identification code.
Step (2): Based on the data access authority defined for the service, the data access authority of the data access party identity confirmed in step (1) is verified; once verification passes, step (2a) performs basic desensitization and step (2b) performs pre-desensitization on the service data processed by this service call.
Step (3): For a data access request that passed the data access authority verification in step (2), after basic desensitization and pre-desensitization of the service data, the output parameters are output to the gateway layer, and the gateway layer uniformly intercepts the operations that require post-desensitization.
Step (4): Data desensitization is performed in the gateway layer, according to the obtained parameters, on the service data that has undergone basic desensitization and pre-desensitization;
step (4a) includes:
1. Post-processing: according to the obtained parameters, the service data that has undergone basic desensitization and pre-desensitization is post-processed in the gateway layer;
2. Data desensitization: a corresponding 6-digit digital salt code (the number of digits is determined by a configuration item) is generated for the post-processed service data using a random segmentation interception algorithm, the post-processed service data is rearranged in ascending order of the digital salt code, and MD5 encryption is performed with the digital salt code on the unique identification code of the whitelisted data requester to generate a symmetric encryption key; the rearranged service data is then desensitized based on the symmetric encryption key. After post-desensitization is complete, a data packet carrying the digital salt code is constructed.
Further, the digital salt code is placed at a random position in the data packet, with the specific position determined by the constant in the return header.
Step (5): The digital salt code information from the desensitization in step (4), the data requester information and so on are recorded for traceability.
Step (6): The data packet and the output parameters from step (4) are passed through the data encryption rule and finally output to the data access party, completing one full data access service.
Furthermore, after the service caller obtains the data packet, it can recover the service data by working backward through the algorithm, which effectively guarantees the security of the data.
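The salt code handling in step (4a) and the caller-side recovery can be traced end to end in code. This is an added example, not the patent's implementation: the page does not specify the random segmentation interception algorithm, the cipher used with the key, or the header names, so the segment layout, the `X-Salt-Pos` and `X-Salt-Len` headers and the order of concatenation before MD5 are assumptions, and the encryption step itself is left out.

```python
import hashlib
import secrets

SALT_DIGITS = 6  # digit count is a configuration item on the page


def new_salt(n=SALT_DIGITS):
    """Numeric salt code from the OS CSPRNG (generation method is an assumption)."""
    return "".join(str(secrets.randbelow(10)) for _ in range(n))


def derive_key(unique_id, salt):
    """MD5 digest of unique id + salt; the concatenation order is an assumption."""
    return hashlib.md5((unique_id + salt).encode("utf-8")).digest()


def _sizes(length, n):
    """Lengths of n contiguous segments covering `length` characters."""
    base, extra = divmod(length, n)
    return [base + (1 if i < extra else 0) for i in range(n)]


def _order(salt):
    """Segment indices in ascending order of their salt digit (ties keep position)."""
    return sorted(range(len(salt)), key=lambda i: (salt[i], i))


def rearrange(data, salt):
    """Cut data into len(salt) segments and emit them in ascending salt order."""
    segs, pos = [], 0
    for size in _sizes(len(data), len(salt)):
        segs.append(data[pos:pos + size])
        pos += size
    return "".join(segs[i] for i in _order(salt))


def restore(shuffled, salt):
    """Inverse of rearrange(): put each segment back at its original index."""
    sizes = _sizes(len(shuffled), len(salt))
    segs, pos = [""] * len(salt), 0
    for i in _order(salt):
        segs[i] = shuffled[pos:pos + sizes[i]]
        pos += sizes[i]
    return "".join(segs)


def build_packet(service_data, unique_id, salt_pos, salt=None):
    """Gateway side: rearrange, derive the key, embed the salt at salt_pos."""
    salt = salt or new_salt()
    body = rearrange(service_data, salt)
    pos = salt_pos % (len(body) + 1)
    packet = {
        "headers": {"X-Salt-Pos": str(salt_pos), "X-Salt-Len": str(len(salt))},
        "body": body[:pos] + salt + body[pos:],
    }
    return packet, derive_key(unique_id, salt)


def open_packet(packet, unique_id):
    """Caller side: locate the salt via the header constant and work backward."""
    n = int(packet["headers"]["X-Salt-Len"])
    raw = packet["body"]
    if n <= 0 or len(raw) < n:
        raise ValueError("packet too short to contain the salt code")
    pos = int(packet["headers"]["X-Salt-Pos"]) % (len(raw) - n + 1)
    salt = raw[pos:pos + n]
    if not (salt.isascii() and salt.isdigit()):
        raise ValueError("no numeric salt code at the declared position")
    return restore(raw[:pos] + raw[pos + n:], salt), derive_key(unique_id, salt)
```

The salt code and its position both travel in the packet, so the derived key is only as secret as the unique identification code.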
Therefore, the invention intercepts the data needing desensitization at the gateway layer, reduces intrusion into the service layer and effectively decouples the service layer from desensitization processing; the invention can perform pre-desensitization on the service data before service processing, shielding some sensitive information at the source; after service processing, a different desensitization treatment can be applied to each field, allowing flexible configuration and application.

Claims (4)

1. A big data oriented secure data desensitization output method, characterized by comprising the following steps:
step (1): performing identity authentication on a data access party according to the data access request, obtaining a unique identity identification code after the identity authentication is passed, and obtaining a corresponding desensitization model according to the unique identity identification code;
step (2): performing data access authority verification on the identity of the data access party according to the data access request, and, after the verification is passed, performing basic desensitization and pre-desensitization on the service data processed by the service through the desensitization model;
the attributes of basic desensitization in step (2) comprise a first set, which consists of a first set of fields requiring desensitization and a first set of algorithms;
the attributes of pre-desensitization in step (2) comprise a second set, which consists of a second set of fields requiring desensitization and a second set of algorithms;
step (3): outputting the output parameters to a gateway layer, and intercepting the output parameters uniformly through the gateway layer;
step (4): performing post-desensitization in the gateway layer, according to the obtained parameters, on the service data that has undergone basic desensitization and pre-desensitization;
step (4) is specifically as follows:
according to the obtained parameters, the service data that has undergone basic desensitization and pre-desensitization is post-processed in the gateway layer;
generating a corresponding digital salt code for the post-processed service data using a random segmentation interception algorithm, rearranging the post-processed service data in ascending order of the digital salt code, and generating a symmetric encryption key; desensitizing the rearranged service data based on the symmetric encryption key;
generating the symmetric encryption key is specifically: performing MD5 encryption on the unique identification code using the digital salt code to generate the symmetric encryption key;
the attributes of post-desensitization in step (4) comprise a third set, which consists of a third set of fields requiring desensitization and a third set of algorithms;
step (5): constructing a data packet carrying a digital salt code from the service data once post-desensitization is complete, passing the data packet and the output parameters through a data encryption rule, and outputting them to the data access party, which completes the data access service.
2. The big data oriented secure data desensitization output method according to claim 1, characterized in that step (1) is preceded by the further step of: configuring the parameters of the desensitization model.
3. The big data oriented secure data desensitization output method according to claim 1, wherein the basic desensitization in step (2) is specifically: performing irreversible desensitization on the personal information in the data processed by the service.
4. The big data oriented secure data desensitization output method according to claim 1, characterized in that the position at which the digital salt code is placed in step (5) is determined by a constant in the return header of the data packet.
CN202110464310.9A 2021-04-26 2021-04-26 Big data oriented security data desensitization output method Active CN113065163B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110464310.9A CN113065163B (en) 2021-04-26 2021-04-26 Big data oriented security data desensitization output method

Publications (2)

Publication Number Publication Date
CN113065163A (en) 2021-07-02
CN113065163B (en) 2022-12-23

Family

ID=76567937

Country Status (1)

Country Link
CN (1) CN113065163B (en)

Legal Events

Code Title
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant